Synapse Data Model - Forms
Forms
Forms are derived from types, or base types. Forms represent node types in the graph.
auth:access
An instance of using creds to access a resource.
The base type for the form can be found at auth:access.
Properties:
- :creds / auth:access:creds
The credentials used to attempt access.
The property type is auth:creds.
- :time / auth:access:time
The time of the access attempt.
The property type is time.
- :success / auth:access:success
Set to true if the access was successful.
The property type is bool.
- :person / auth:access:person
The person who attempted access.
The property type is ps:person.
auth:creds
A unique set of credentials used to access a resource.
The base type for the form can be found at auth:creds.
Properties:
- :email / auth:creds:email
The email address used to identify the user.
The property type is inet:email.
- :user / auth:creds:user
The user name used to identify the user.
The property type is inet:user.
- :phone / auth:creds:phone
The phone number used to identify the user.
The property type is tel:phone.
- :passwd / auth:creds:passwd
The password used to authenticate.
The property type is inet:passwd.
- :passwdhash / auth:creds:passwdhash
The password hash used to authenticate.
The property type is it:auth:passwdhash.
- :account / auth:creds:account
The account that the creds allow access to.
The property type is it:account.
- :website / auth:creds:website
The base URL of the website that the credentials allow access to.
The property type is inet:url.
- :host / auth:creds:host
The host that the credentials allow access to.
The property type is it:host.
- :wifi:ssid / auth:creds:wifi:ssid
The WiFi SSID that the credentials allow access to.
The property type is inet:wifi:ssid.
- :web:acct / auth:creds:web:acct
The web account that the credentials allow access to.
The property type is inet:web:acct.
biz:bundle
Instances of a specific product offered for a price.
The base type for the form can be found at biz:bundle.
Properties:
- :count / biz:bundle:count
The number of instances of the product included in the bundle.
The property type is int.
- :price / biz:bundle:price
The price of the bundle.
The property type is econ:price.
- :product / biz:bundle:product
The product included in the bundle.
The property type is biz:product.
- :deal / biz:bundle:deal
The deal which includes this bundle.
The property type is biz:deal.
- :purchase / biz:bundle:purchase
The purchase which includes this bundle.
The property type is econ:purchase.
biz:deal
A sales or procurement effort in pursuit of a purchase.
The base type for the form can be found at biz:deal.
Properties:
- :title / biz:deal:title
A title for the deal.
The property type is str.
- :type / biz:deal:type
The type of deal. It has the following property options set:
disp:
{'hint': 'taxonomy'}
The property type is biz:dealtype.
- :status / biz:deal:status
The status of the deal. It has the following property options set:
disp:
{'hint': 'taxonomy'}
The property type is biz:dealstatus.
- :updated / biz:deal:updated
The last time the deal had a significant update.
The property type is time.
- :contacted / biz:deal:contacted
The last time the contacts communicated about the deal.
The property type is time.
- :rfp / biz:deal:rfp
The RFP that the deal is in response to.
The property type is biz:rfp.
- :buyer / biz:deal:buyer
The primary contact information for the buyer.
The property type is ps:contact.
- :buyer:org / biz:deal:buyer:org
The buyer org.
The property type is ou:org.
- :buyer:orgname / biz:deal:buyer:orgname
The reported ou:name of the buyer org.
The property type is ou:name.
- :buyer:orgfqdn / biz:deal:buyer:orgfqdn
The reported inet:fqdn of the buyer org.
The property type is inet:fqdn.
- :seller / biz:deal:seller
The primary contact information for the seller.
The property type is ps:contact.
- :seller:org / biz:deal:seller:org
The seller org.
The property type is ou:org.
- :seller:orgname / biz:deal:seller:orgname
The reported ou:name of the seller org.
The property type is ou:name.
- :seller:orgfqdn / biz:deal:seller:orgfqdn
The reported inet:fqdn of the seller org.
The property type is inet:fqdn.
- :currency / biz:deal:currency
The currency of econ:price values associated with the deal.
The property type is econ:currency.
- :buyer:budget / biz:deal:buyer:budget
The buyers budget for the eventual purchase.
The property type is econ:price.
- :buyer:deadline / biz:deal:buyer:deadline
When the buyer intends to make a decision.
The property type is time.
- :offer:price / biz:deal:offer:price
The total price of the offered products.
The property type is econ:price.
- :offer:expires / biz:deal:offer:expires
When the offer expires.
The property type is time.
- :purchase / biz:deal:purchase
Records a purchase resulting from the deal.
The property type is econ:purchase.
biz:dealstatus
A deal/rfp status taxonomy.
The base type for the form can be found at biz:dealstatus.
Properties:
- :title / biz:dealstatus:title
A brief title of the definition.
The property type is str.
- :summary / biz:dealstatus:summary
A summary of the definition. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :sort / biz:dealstatus:sort
A display sort order for siblings.
The property type is int.
- :base / biz:dealstatus:base
The base taxon. It has the following property options set:
Read Only:
True
The property type is taxon.
- :depth / biz:dealstatus:depth
The depth indexed from 0. It has the following property options set:
Read Only:
True
The property type is int.
- :parent / biz:dealstatus:parent
The taxonomy parent. It has the following property options set:
Read Only:
True
The property type is biz:dealstatus.
biz:dealtype
A deal type taxonomy.
The base type for the form can be found at biz:dealtype.
Properties:
- :title / biz:dealtype:title
A brief title of the definition.
The property type is str.
- :summary / biz:dealtype:summary
A summary of the definition. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :sort / biz:dealtype:sort
A display sort order for siblings.
The property type is int.
- :base / biz:dealtype:base
The base taxon. It has the following property options set:
Read Only:
True
The property type is taxon.
- :depth / biz:dealtype:depth
The depth indexed from 0. It has the following property options set:
Read Only:
True
The property type is int.
- :parent / biz:dealtype:parent
The taxonomy parent. It has the following property options set:
Read Only:
True
The property type is biz:dealtype.
biz:prodtype
A product type taxonomy.
The base type for the form can be found at biz:prodtype.
Properties:
- :title / biz:prodtype:title
A brief title of the definition.
The property type is str.
- :summary / biz:prodtype:summary
A summary of the definition. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :sort / biz:prodtype:sort
A display sort order for siblings.
The property type is int.
- :base / biz:prodtype:base
The base taxon. It has the following property options set:
Read Only:
True
The property type is taxon.
- :depth / biz:prodtype:depth
The depth indexed from 0. It has the following property options set:
Read Only:
True
The property type is int.
- :parent / biz:prodtype:parent
The taxonomy parent. It has the following property options set:
Read Only:
True
The property type is biz:prodtype.
biz:product
A product which is available for purchase.
The base type for the form can be found at biz:product.
Properties:
- :name / biz:product:name
The name of the product.
The property type is str.
- :type / biz:product:type
The type of product. It has the following property options set:
disp:
{'hint': 'taxonomy'}
The property type is biz:prodtype.
- :summary / biz:product:summary
A brief summary of the product. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :madeby:org / biz:product:madeby:org
The product manufacturer.
The property type is ou:org.
- :madeby:orgname / biz:product:madeby:orgname
The reported ou:name of the product manufacturer.
The property type is ou:name.
- :madeby:orgfqdn / biz:product:madeby:orgfqdn
The reported inet:fqdn of the product manufacturer.
The property type is inet:fqdn.
- :price:retail / biz:product:price:retail
The MSRP price of the product.
The property type is econ:price.
- :price:bottom / biz:product:price:bottom
The minimum offered or observed price of the product.
The property type is econ:price.
- :bundles / biz:product:bundles
An array of bundles included with the product.
The property type is array. Its type has the following options set:
type:
biz:bundleuniq:
Truesorted:
True
biz:rfp
An RFP (Request for Proposal) soliciting proposals.
The base type for the form can be found at biz:rfp.
Properties:
- :ext:id / biz:rfp:ext:id
An externally specified identifier for the RFP.
The property type is str.
- :title / biz:rfp:title
The title of the RFP.
The property type is str.
- :summary / biz:rfp:summary
A brief summary of the RFP. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :status / biz:rfp:status
The status of the RFP. It has the following property options set:
disp:
{'hint': 'enum'}
The property type is biz:dealstatus.
- :url / biz:rfp:url
The official URL for the RFP.
The property type is inet:url.
- :file / biz:rfp:file
The RFP document.
The property type is file:bytes.
- :posted / biz:rfp:posted
The date/time that the RFP was posted.
The property type is time.
- :quesdue / biz:rfp:quesdue
The date/time that questions are due.
The property type is time.
- :propdue / biz:rfp:propdue
The date/time that proposals are due.
The property type is time.
- :contact / biz:rfp:contact
The contact information given for the org requesting offers.
The property type is ps:contact.
- :purchases / biz:rfp:purchases
Any known purchases that resulted from the RFP.
The property type is array. Its type has the following options set:
type:
econ:purchaseuniq:
Truesorted:
True
- :requirements / biz:rfp:requirements
A typed array which indexes each field.
The property type is array. Its type has the following options set:
type:
ou:goaluniq:
Truesorted:
True
biz:stake
A stake or partial ownership in a company.
The base type for the form can be found at biz:stake.
Properties:
- :vitals / biz:stake:vitals
The ou:vitals snapshot this stake is part of.
The property type is ou:vitals.
- :org / biz:stake:org
The resolved org.
The property type is ou:org.
- :orgname / biz:stake:orgname
The org name as reported by the source of the vitals.
The property type is ou:name.
- :orgfqdn / biz:stake:orgfqdn
The org FQDN as reported by the source of the vitals.
The property type is inet:fqdn.
- :name / biz:stake:name
An arbitrary name for this stake. Can be non-contact like “pool”.
The property type is str.
- :asof / biz:stake:asof
The time the stake is being measured. Likely as part of an ou:vitals.
The property type is time.
- :shares / biz:stake:shares
The number of shares represented by the stake.
The property type is int.
- :invested / biz:stake:invested
The amount of money invested in the cap table iteration.
The property type is econ:price.
- :value / biz:stake:value
The monetary value of the stake.
The property type is econ:price.
- :percent / biz:stake:percent
The percentage ownership represented by this stake.
The property type is hugenum.
- :owner / biz:stake:owner
Contact information of the owner of the stake.
The property type is ps:contact.
- :purchase / biz:stake:purchase
The purchase event for the stake.
The property type is econ:purchase.
crypto:algorithm
A cryptographic algorithm name.
The base type for the form can be found at crypto:algorithm.
An example of crypto:algorithm:
aes256
Properties:
crypto:currency:address
An individual crypto currency address.
The base type for the form can be found at crypto:currency:address.
An example of crypto:currency:address:
btc/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
Properties:
- :coin / crypto:currency:address:coin
The crypto coin to which the address belongs. It has the following property options set:
Read Only:
True
The property type is crypto:currency:coin.
- :seed / crypto:currency:address:seed
The cryptographic key and or password used to generate the address.
The property type is crypto:key.
- :iden / crypto:currency:address:iden
The coin specific address identifier. It has the following property options set:
Read Only:
True
The property type is str.
- :desc / crypto:currency:address:desc
A free-form description of the address.
The property type is str.
- :contact / crypto:currency:address:contact
Contact information associated with the address.
The property type is ps:contact.
crypto:currency:block
An individual crypto currency block record on the blockchain.
The base type for the form can be found at crypto:currency:block.
Properties:
- :coin / crypto:currency:block:coin
The coin/blockchain this block resides on. It has the following property options set:
Read Only:
True
The property type is crypto:currency:coin.
- :offset / crypto:currency:block:offset
The index of this block. It has the following property options set:
Read Only:
True
The property type is int.
- :hash / crypto:currency:block:hash
The unique hash for the block.
The property type is hex.
- :minedby / crypto:currency:block:minedby
The address which mined the block.
The property type is crypto:currency:address.
- :time / crypto:currency:block:time
Time timestamp embedded in the block by the miner.
The property type is time.
crypto:currency:client
A fused node representing a crypto currency address used by an Internet client.
The base type for the form can be found at crypto:currency:client.
An example of crypto:currency:client:
(1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))
Properties:
- :inetaddr / crypto:currency:client:inetaddr
The Internet client address observed using the crypto currency address. It has the following property options set:
Read Only:
True
The property type is inet:client.
- :coinaddr / crypto:currency:client:coinaddr
The crypto currency address observed in use the the Internet client. It has the following property options set:
Read Only:
True
The property type is crypto:currency:address.
crypto:currency:coin
An individual crypto currency type.
The base type for the form can be found at crypto:currency:coin.
An example of crypto:currency:coin:
btc
Properties:
- :name / crypto:currency:coin:name
The full name of the crypto coin.
The property type is str.
crypto:currency:transaction
An individual crypto currency transaction recorded on the blockchain.
The base type for the form can be found at crypto:currency:transaction.
Properties:
- :hash / crypto:currency:transaction:hash
The unique transaction hash for the transaction.
The property type is hex.
- :desc / crypto:currency:transaction:desc
An analyst specified description of the transaction.
The property type is str.
- :block / crypto:currency:transaction:block
The block which records the transaction.
The property type is crypto:currency:block.
- :block:coin / crypto:currency:transaction:block:coin
The coin/blockchain of the block which records this transaction.
The property type is crypto:currency:coin.
- :block:offset / crypto:currency:transaction:block:offset
The offset of the block which records this transaction.
The property type is int.
- :success / crypto:currency:transaction:success
Set to true if the transaction was successfully executed and recorded.
The property type is bool.
- :status:code / crypto:currency:transaction:status:code
A coin specific status code which may represent an error reason.
The property type is int.
- :status:message / crypto:currency:transaction:status:message
A coin specific status message which may contain an error reason.
The property type is str.
- :to / crypto:currency:transaction:to
The destination address of the transaction.
The property type is crypto:currency:address.
- :from / crypto:currency:transaction:from
The source address of the transaction.
The property type is crypto:currency:address.
- :inputs / crypto:currency:transaction:inputs
Deprecated. Please use crypto:payment:input:transaction. It has the following property options set:
deprecated:
True
The property type is array. Its type has the following options set:
type:
crypto:payment:inputsorted:
Trueuniq:
True
- :outputs / crypto:currency:transaction:outputs
Deprecated. Please use crypto:payment:output:transaction. It has the following property options set:
deprecated:
True
The property type is array. Its type has the following options set:
type:
crypto:payment:outputsorted:
Trueuniq:
True
- :fee / crypto:currency:transaction:fee
The total fee paid to execute the transaction.
The property type is econ:price.
- :value / crypto:currency:transaction:value
The total value of the transaction.
The property type is econ:price.
- :time / crypto:currency:transaction:time
The time this transaction was initiated.
The property type is time.
- :eth:gasused / crypto:currency:transaction:eth:gasused
The amount of gas used to execute this transaction.
The property type is int.
- :eth:gaslimit / crypto:currency:transaction:eth:gaslimit
The ETH gas limit specified for this transaction.
The property type is int.
- :eth:gasprice / crypto:currency:transaction:eth:gasprice
The gas price (in ETH) specified for this transaction.
The property type is econ:price.
- :contract:input / crypto:currency:transaction:contract:input
Input value to a smart contract call.
The property type is file:bytes.
- :contract:output / crypto:currency:transaction:contract:output
Output value of a smart contract call.
The property type is file:bytes.
crypto:key
A cryptographic key and algorithm.
The base type for the form can be found at crypto:key.
Properties:
- :algorithm / crypto:key:algorithm
The cryptographic algorithm which uses the key material. It has the following property options set:
Example:
aes256
The property type is crypto:algorithm.
- :public / crypto:key:public
The hex encoded public key material if the algorithm has a public/private key pair.
The property type is hex.
- :private / crypto:key:private
The hex encoded private key material. All symmetric keys are private.
The property type is hex.
- :seed:passwd / crypto:key:seed:passwd
The seed password used to generate the key material.
The property type is inet:passwd.
- :seed:algorithm / crypto:key:seed:algorithm
The algorithm used to generate the key from the seed password. It has the following property options set:
Example:
pbkdf2
The property type is crypto:algorithm.
crypto:payment:input
A payment made into a transaction.
The base type for the form can be found at crypto:payment:input.
Properties:
- :transaction / crypto:payment:input:transaction
The transaction the payment was input to.
The property type is crypto:currency:transaction.
- :address / crypto:payment:input:address
The address which paid into the transaction.
The property type is crypto:currency:address.
- :value / crypto:payment:input:value
The value of the currency paid into the transaction.
The property type is econ:price.
crypto:payment:output
A payment received from a transaction.
The base type for the form can be found at crypto:payment:output.
Properties:
- :transaction / crypto:payment:output:transaction
The transaction the payment was output from.
The property type is crypto:currency:transaction.
- :address / crypto:payment:output:address
The address which received payment from the transaction.
The property type is crypto:currency:address.
- :value / crypto:payment:output:value
The value of the currency recieved from the transaction.
The property type is econ:price.
crypto:smart:contract
A smart contract.
The base type for the form can be found at crypto:smart:contract.
Properties:
- :transaction / crypto:smart:contract:transaction
The transaction which created the contract.
The property type is crypto:currency:transaction.
- :address / crypto:smart:contract:address
The address of the contract.
The property type is crypto:currency:address.
- :bytecode / crypto:smart:contract:bytecode
The bytecode which implements the contract.
The property type is file:bytes.
- :token:name / crypto:smart:contract:token:name
The ERC-20 token name.
The property type is str.
- :token:symbol / crypto:smart:contract:token:symbol
The ERC-20 token symbol.
The property type is str.
- :token:totalsupply / crypto:smart:contract:token:totalsupply
The ERC-20 totalSupply value.
The property type is hugenum.
crypto:smart:effect:edittokensupply
A smart contract effect which increases or decreases the supply of a fungible token.
The base type for the form can be found at crypto:smart:effect:edittokensupply.
Properties:
- :transaction / crypto:smart:effect:edittokensupply:transaction
The transaction where the smart contract was called.
The property type is crypto:currency:transaction.
- :contract / crypto:smart:effect:edittokensupply:contract
The contract which defines the tokens.
The property type is crypto:smart:contract.
- :amount / crypto:smart:effect:edittokensupply:amount
The number of tokens added or removed if negative.
The property type is hugenum.
- :totalsupply / crypto:smart:effect:edittokensupply:totalsupply
The total supply of tokens after this modification.
The property type is hugenum.
crypto:smart:effect:transfertoken
A smart contract effect which transfers ownership of a non-fungible token.
The base type for the form can be found at crypto:smart:effect:transfertoken.
Properties:
- :transaction / crypto:smart:effect:transfertoken:transaction
The transaction where the smart contract was called.
The property type is crypto:currency:transaction.
- :token / crypto:smart:effect:transfertoken:token
The non-fungible token that was transferred.
The property type is crypto:smart:token.
- :from / crypto:smart:effect:transfertoken:from
The address the NFT was transferred from.
The property type is crypto:currency:address.
- :to / crypto:smart:effect:transfertoken:to
The address the NFT was transferred to.
The property type is crypto:currency:address.
crypto:smart:effect:transfertokens
A smart contract effect which transfers fungible tokens.
The base type for the form can be found at crypto:smart:effect:transfertokens.
Properties:
- :transaction / crypto:smart:effect:transfertokens:transaction
The transaction where the smart contract was called.
The property type is crypto:currency:transaction.
- :contract / crypto:smart:effect:transfertokens:contract
The contract which defines the tokens.
The property type is crypto:smart:contract.
- :from / crypto:smart:effect:transfertokens:from
The address the NFT was transferred from.
The property type is crypto:currency:address.
- :to / crypto:smart:effect:transfertokens:to
The address the NFT was transferred to.
The property type is crypto:currency:address.
- :amount / crypto:smart:effect:transfertokens:amount
The number of tokens transferred.
The property type is hugenum.
crypto:smart:token
A token managed by a smart contract.
The base type for the form can be found at crypto:smart:token.
Properties:
- :contract / crypto:smart:token:contract
The smart contract which defines and manages the token. It has the following property options set:
Read Only:
True
The property type is crypto:smart:contract.
- :tokenid / crypto:smart:token:tokenid
The token ID. It has the following property options set:
Read Only:
True
The property type is hugenum.
- :owner / crypto:smart:token:owner
The address which currently owns the token.
The property type is crypto:currency:address.
- :nft:url / crypto:smart:token:nft:url
The URL which hosts the NFT metadata.
The property type is inet:url.
- :nft:meta / crypto:smart:token:nft:meta
The raw NFT metadata.
The property type is data.
- :nft:meta:name / crypto:smart:token:nft:meta:name
The name field from the NFT metadata.
The property type is str.
- :nft:meta:description / crypto:smart:token:nft:meta:description
The description field from the NFT metadata. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :nft:meta:image / crypto:smart:token:nft:meta:image
The image URL from the NFT metadata.
The property type is inet:url.
crypto:x509:cert
A unique X.509 certificate.
The base type for the form can be found at crypto:x509:cert.
Properties:
- :file / crypto:x509:cert:file
The file that the certificate metadata was parsed from.
The property type is file:bytes.
- :subject / crypto:x509:cert:subject
The subject identifier, commonly in X.500/LDAP format, to which the certificate was issued.
The property type is str.
- :issuer / crypto:x509:cert:issuer
The Distinguished Name (DN) of the Certificate Authority (CA) which issued the certificate.
The property type is str.
- :issuer:cert / crypto:x509:cert:issuer:cert
The certificate used by the issuer to sign this certificate.
The property type is crypto:x509:cert.
- :serial / crypto:x509:cert:serial
The serial number string in the certificate.
The property type is str.
- :version / crypto:x509:cert:version
The version integer in the certificate. (ex. 2 == v3 ).
The property type is int. Its type has the following options set:
enums:
((0, 'v1'), (2, 'v3'))
- :validity:notbefore / crypto:x509:cert:validity:notbefore
The timestamp for the beginning of the certificate validity period.
The property type is time.
- :validity:notafter / crypto:x509:cert:validity:notafter
The timestamp for the end of the certificate validity period.
The property type is time.
- :md5 / crypto:x509:cert:md5
The MD5 fingerprint for the certificate.
The property type is hash:md5.
- :sha1 / crypto:x509:cert:sha1
The SHA1 fingerprint for the certificate.
The property type is hash:sha1.
- :sha256 / crypto:x509:cert:sha256
The SHA256 fingerprint for the certificate.
The property type is hash:sha256.
- :rsa:key / crypto:x509:cert:rsa:key
The optional RSA public key associated with the certificate.
The property type is rsa:key.
- :algo / crypto:x509:cert:algo
The X.509 signature algorithm OID.
The property type is iso:oid.
- :signature / crypto:x509:cert:signature
The hexadecimal representation of the digital signature.
The property type is hex.
- :ext:sans / crypto:x509:cert:ext:sans
The Subject Alternate Names (SANs) listed in the certficate.
The property type is array. Its type has the following options set:
type:
crypto:x509:sanuniq:
Truesorted:
True
- :ext:crls / crypto:x509:cert:ext:crls
A list of Subject Alternate Names (SANs) for Distribution Points.
The property type is array. Its type has the following options set:
type:
crypto:x509:sanuniq:
Truesorted:
True
- :identities:fqdns / crypto:x509:cert:identities:fqdns
The fused list of FQDNs identified by the cert CN and SANs.
The property type is array. Its type has the following options set:
type:
inet:fqdnuniq:
Truesorted:
True
- :identities:emails / crypto:x509:cert:identities:emails
The fused list of e-mail addresses identified by the cert CN and SANs.
The property type is array. Its type has the following options set:
type:
inet:emailuniq:
Truesorted:
True
- :identities:ipv4s / crypto:x509:cert:identities:ipv4s
The fused list of IPv4 addresses identified by the cert CN and SANs.
The property type is array. Its type has the following options set:
type:
inet:ipv4uniq:
Truesorted:
True
- :identities:ipv6s / crypto:x509:cert:identities:ipv6s
The fused list of IPv6 addresses identified by the cert CN and SANs.
The property type is array. Its type has the following options set:
type:
inet:ipv6uniq:
Truesorted:
True
- :identities:urls / crypto:x509:cert:identities:urls
The fused list of URLs identified by the cert CN and SANs.
The property type is array. Its type has the following options set:
type:
inet:urluniq:
Truesorted:
True
- :crl:urls / crypto:x509:cert:crl:urls
The extracted URL values from the CRLs extension.
The property type is array. Its type has the following options set:
type:
inet:urluniq:
Truesorted:
True
- :selfsigned / crypto:x509:cert:selfsigned
Whether this is a self-signed certificate.
The property type is bool.
crypto:x509:crl
A unique X.509 Certificate Revocation List.
The base type for the form can be found at crypto:x509:crl.
Properties:
- :file / crypto:x509:crl:file
The file containing the CRL.
The property type is file:bytes.
- :url / crypto:x509:crl:url
The URL where the CRL was published.
The property type is inet:url.
crypto:x509:revoked
A revocation relationship between a CRL and an X.509 certificate.
The base type for the form can be found at crypto:x509:revoked.
Properties:
- :crl / crypto:x509:revoked:crl
The CRL which revoked the certificate. It has the following property options set:
Read Only:
True
The property type is crypto:x509:crl.
- :cert / crypto:x509:revoked:cert
The certificate revoked by the CRL. It has the following property options set:
Read Only:
True
The property type is crypto:x509:cert.
crypto:x509:signedfile
A digital signature relationship between an X.509 certificate and a file.
The base type for the form can be found at crypto:x509:signedfile.
Properties:
- :cert / crypto:x509:signedfile:cert
The certificate for the key which signed the file. It has the following property options set:
Read Only:
True
The property type is crypto:x509:cert.
- :file / crypto:x509:signedfile:file
The file which was signed by the certificates key. It has the following property options set:
Read Only:
True
The property type is file:bytes.
econ:acct:balance
A snapshot of the balance of an account at a point in time.
The base type for the form can be found at econ:acct:balance.
Properties:
- :time / econ:acct:balance:time
The time the balance was recorded.
The property type is time.
- :pay:card / econ:acct:balance:pay:card
The payment card holding the balance.
The property type is econ:pay:card.
- :crypto:address / econ:acct:balance:crypto:address
The crypto currency address holding the balance.
The property type is crypto:currency:address.
- :amount / econ:acct:balance:amount
The account balance at the time.
The property type is econ:price.
- :currency / econ:acct:balance:currency
The currency of the balance amount.
The property type is econ:currency.
- :delta / econ:acct:balance:delta
The change since last regular sample.
The property type is econ:price.
econ:acct:payment
A payment or crypto currency transaction.
The base type for the form can be found at econ:acct:payment.
Properties:
- :txnid / econ:acct:payment:txnid
A payment processor specific transaction id.
The property type is str. Its type has the following options set:
strip:
True
- :fee / econ:acct:payment:fee
The transaction fee paid by the recipient to the payment processor.
The property type is econ:price.
- :from:pay:card / econ:acct:payment:from:pay:card
The payment card making the payment.
The property type is econ:pay:card.
- :from:contract / econ:acct:payment:from:contract
A contract used as an aggregate payment source.
The property type is ou:contract.
- :from:coinaddr / econ:acct:payment:from:coinaddr
The crypto currency address making the payment.
The property type is crypto:currency:address.
- :from:contact / econ:acct:payment:from:contact
Contact information for the person/org being paid.
The property type is ps:contact.
- :to:coinaddr / econ:acct:payment:to:coinaddr
The crypto currency address receiving the payment.
The property type is crypto:currency:address.
- :to:contact / econ:acct:payment:to:contact
Contact information for the person/org being paid.
The property type is ps:contact.
- :to:contract / econ:acct:payment:to:contract
A contract used as an aggregate payment destination.
The property type is ou:contract.
- :time / econ:acct:payment:time
The time the payment was processed.
The property type is time.
- :purchase / econ:acct:payment:purchase
The purchase which the payment was paying for.
The property type is econ:purchase.
- :amount / econ:acct:payment:amount
The amount of money transferred in the payment.
The property type is econ:price.
- :currency / econ:acct:payment:currency
The currency of the payment.
The property type is econ:currency.
- :memo / econ:acct:payment:memo
A small note specified by the payer common in financial transactions.
The property type is str.
- :crypto:transaction / econ:acct:payment:crypto:transaction
A crypto currency transaction that initiated the payment.
The property type is crypto:currency:transaction.
econ:acquired
A relationship between a purchase event and a purchased item.
The base type for the form can be found at econ:acquired.
Properties:
- :purchase / econ:acquired:purchase
The purchase event which acquired an item. It has the following property options set:
Read Only:
True
The property type is econ:purchase.
- :item / econ:acquired:item
A reference to the item that was acquired. It has the following property options set:
Read Only:
True
The property type is ndef.
- :item:form / econ:acquired:item:form
The form of item purchased.
The property type is str.
econ:fin:bar
A sample of the open, close, high, low prices of a security in a specific time window.
The base type for the form can be found at econ:fin:bar.
Properties:
- :security / econ:fin:bar:security
The security measured by the bar.
The property type is econ:fin:security.
- :ival / econ:fin:bar:ival
The interval of measurement.
The property type is ival.
- :price:open / econ:fin:bar:price:open
The opening price of the security.
The property type is econ:price.
- :price:close / econ:fin:bar:price:close
The closing price of the security.
The property type is econ:price.
- :price:low / econ:fin:bar:price:low
The low price of the security.
The property type is econ:price.
- :price:high / econ:fin:bar:price:high
The high price of the security.
The property type is econ:price.
econ:fin:exchange
A financial exchange where securities are traded.
The base type for the form can be found at econ:fin:exchange.
Properties:
- :name / econ:fin:exchange:name
A simple name for the exchange. It has the following property options set:
Example:
nasdaq
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :org / econ:fin:exchange:org
The organization that operates the exchange.
The property type is ou:org.
- :currency / econ:fin:exchange:currency
The currency used for all transactions in the exchange. It has the following property options set:
Example:
usd
The property type is econ:currency.
econ:fin:security
A financial security which is typically traded on an exchange.
The base type for the form can be found at econ:fin:security.
Properties:
- :exchange / econ:fin:security:exchange
The exchange on which the security is traded.
The property type is econ:fin:exchange.
- :ticker / econ:fin:security:ticker
The identifier for this security within the exchange.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :type / econ:fin:security:type
A user defined type such as stock, bond, option, future, or forex.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :price / econ:fin:security:price
The last known/available price of the security.
The property type is econ:price.
- :time / econ:fin:security:time
The time of the last know price sample.
The property type is time.
econ:fin:tick
A sample of the price of a security at a single moment in time.
The base type for the form can be found at econ:fin:tick.
Properties:
- :security / econ:fin:tick:security
The security measured by the tick.
The property type is econ:fin:security.
- :time / econ:fin:tick:time
The time the price was sampled.
The property type is time.
- :price / econ:fin:tick:price
The price of the security at the time.
The property type is econ:price.
econ:pay:card
A single payment card.
The base type for the form can be found at econ:pay:card.
Properties:
- :pan / econ:pay:card:pan
The payment card number.
The property type is econ:pay:pan.
- :pan:mii / econ:pay:card:pan:mii
The payment card MII.
The property type is econ:pay:mii.
- :pan:iin / econ:pay:card:pan:iin
The payment card IIN.
The property type is econ:pay:iin.
- :name / econ:pay:card:name
The name as it appears on the card.
The property type is ps:name.
- :expr / econ:pay:card:expr
The expiration date for the card.
The property type is time.
- :cvv / econ:pay:card:cvv
The Card Verification Value on the card.
The property type is econ:pay:cvv.
- :pin / econ:pay:card:pin
The Personal Identification Number on the card.
The property type is econ:pay:pin.
econ:pay:iin
An Issuer Id Number (IIN).
The base type for the form can be found at econ:pay:iin.
Properties:
econ:purchase
A purchase event.
The base type for the form can be found at econ:purchase.
Properties:
- :by:contact / econ:purchase:by:contact
The contact information used to make the purchase.
The property type is ps:contact.
- :from:contact / econ:purchase:from:contact
The contact information used to sell the item.
The property type is ps:contact.
- :time / econ:purchase:time
The time of the purchase.
The property type is time.
- :place / econ:purchase:place
The place where the purchase took place.
The property type is geo:place.
- :paid / econ:purchase:paid
Set to True if the purchase has been paid in full.
The property type is bool.
- :paid:time / econ:purchase:paid:time
The point in time where the purchase was paid in full.
The property type is time.
- :settled / econ:purchase:settled
The point in time where the purchase was settled.
The property type is time.
- :campaign / econ:purchase:campaign
The campaign that the purchase was in support of.
The property type is ou:campaign.
- :price / econ:purchase:price
The econ:price of the purchase.
The property type is econ:price.
- :currency / econ:purchase:currency
The econ:price of the purchase.
The property type is econ:currency.
edge:has
A digraph edge which records that N1 has N2.
The base type for the form can be found at edge:has.
Properties:
- :n1 / edge:has:n1
The node definition type for a (form,valu) compound field. It has the following property options set:
Read Only:
True
The property type is ndef.
- :n1:form / edge:has:n1:form
The base string type. It has the following property options set:
Read Only:
True
The property type is str.
- :n2 / edge:has:n2
The node definition type for a (form,valu) compound field. It has the following property options set:
Read Only:
True
The property type is ndef.
- :n2:form / edge:has:n2:form
The base string type. It has the following property options set:
Read Only:
True
The property type is str.
edge:refs
A digraph edge which records that N1 refers to or contains N2.
The base type for the form can be found at edge:refs.
Properties:
- :n1 / edge:refs:n1
The node definition type for a (form,valu) compound field. It has the following property options set:
Read Only:
True
The property type is ndef.
- :n1:form / edge:refs:n1:form
The base string type. It has the following property options set:
Read Only:
True
The property type is str.
- :n2 / edge:refs:n2
The node definition type for a (form,valu) compound field. It has the following property options set:
Read Only:
True
The property type is ndef.
- :n2:form / edge:refs:n2:form
The base string type. It has the following property options set:
Read Only:
True
The property type is str.
edge:wentto
A digraph edge which records that N1 went to N2 at a specific time.
The base type for the form can be found at edge:wentto.
Properties:
- :n1 / edge:wentto:n1
The node definition type for a (form,valu) compound field. It has the following property options set:
Read Only:
True
The property type is ndef.
- :n1:form / edge:wentto:n1:form
The base string type. It has the following property options set:
Read Only:
True
The property type is str.
- :n2 / edge:wentto:n2
The node definition type for a (form,valu) compound field. It has the following property options set:
Read Only:
True
The property type is ndef.
- :n2:form / edge:wentto:n2:form
The base string type. It has the following property options set:
Read Only:
True
The property type is str.
- :time / edge:wentto:time
A date/time value. It has the following property options set:
Read Only:
True
The property type is time.
edu:class
An instance of an edu:course taught at a given time.
The base type for the form can be found at edu:class.
Properties:
- :course / edu:class:course
The course being taught in the class.
The property type is edu:course.
- :instructor / edu:class:instructor
The primary instructor for the class.
The property type is ps:contact.
- :assistants / edu:class:assistants
An array of assistant/co-instructor contacts.
The property type is array. Its type has the following options set:
type:
ps:contactuniq:
Truesorted:
True
- :date:first / edu:class:date:first
The date of the first day of class.
The property type is time.
- :date:last / edu:class:date:last
The date of the last day of class.
The property type is time.
- :isvirtual / edu:class:isvirtual
Set if the class is known to be virtual.
The property type is bool.
- :virtual:url / edu:class:virtual:url
The URL a student would use to attend the virtual class.
The property type is inet:url.
- :virtual:provider / edu:class:virtual:provider
Contact info for the virtual infrastructure provider.
The property type is ps:contact.
- :place / edu:class:place
The place that the class is held.
The property type is geo:place.
edu:course
A course of study taught by an org.
The base type for the form can be found at edu:course.
Properties:
- :name / edu:course:name
The name of the course. It has the following property options set:
Example:
organic chemistry for beginners
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :desc / edu:course:desc
A brief course description.
The property type is str.
- :code / edu:course:code
The course catalog number or designator. It has the following property options set:
Example:
chem101
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :institution / edu:course:institution
The org or department which teaches the course.
The property type is ps:contact.
- :prereqs / edu:course:prereqs
The pre-requisite courses for taking this course.
The property type is array. Its type has the following options set:
type:
edu:courseuniq:
Truesorted:
True
file:base
A file name with no path.
The base type for the form can be found at file:base.
An example of file:base:
woot.exe
Properties:
- :ext / file:base:ext
The file extension (if any). It has the following property options set:
Read Only:
True
The property type is str.
file:bytes
The file bytes type with SHA256 based primary property.
The base type for the form can be found at file:bytes.
Properties:
- :size / file:bytes:size
The file size in bytes.
The property type is int.
- :md5 / file:bytes:md5
The md5 hash of the file.
The property type is hash:md5.
- :sha1 / file:bytes:sha1
The sha1 hash of the file.
The property type is hash:sha1.
- :sha256 / file:bytes:sha256
The sha256 hash of the file.
The property type is hash:sha256.
- :sha512 / file:bytes:sha512
The sha512 hash of the file.
The property type is hash:sha512.
- :name / file:bytes:name
The best known base name for the file.
The property type is file:base.
- :mime / file:bytes:mime
The “best” mime type name for the file.
The property type is file:mime.
- :mime:x509:cn / file:bytes:mime:x509:cn
The Common Name (CN) attribute of the x509 Subject.
The property type is str.
- :mime:pe:size / file:bytes:mime:pe:size
The size of the executable file according to the PE file header.
The property type is int.
- :mime:pe:imphash / file:bytes:mime:pe:imphash
The PE import hash of the file as calculated by pefile; https://github.com/erocarrera/pefile .
The property type is guid.
- :mime:pe:compiled / file:bytes:mime:pe:compiled
The compile time of the file according to the PE header.
The property type is time.
- :mime:pe:pdbpath / file:bytes:mime:pe:pdbpath
The PDB string according to the PE.
The property type is file:path.
- :mime:pe:exports:time / file:bytes:mime:pe:exports:time
The export time of the file according to the PE.
The property type is time.
- :mime:pe:exports:libname / file:bytes:mime:pe:exports:libname
The export library name according to the PE.
The property type is str.
- :mime:pe:richhdr / file:bytes:mime:pe:richhdr
The sha256 hash of the rich header bytes.
The property type is hash:sha256.
file:filepath
The fused knowledge of the association of a file:bytes node and a file:path.
The base type for the form can be found at file:filepath.
Properties:
- :file / file:filepath:file
The file seen at a path. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :path / file:filepath:path
The path a file was seen at. It has the following property options set:
Read Only:
True
The property type is file:path.
- :path:dir / file:filepath:path:dir
The parent directory. It has the following property options set:
Read Only:
True
The property type is file:path.
- :path:base / file:filepath:path:base
The name of the file. It has the following property options set:
Read Only:
True
The property type is file:base.
- :path:base:ext / file:filepath:path:base:ext
The extension of the file name. It has the following property options set:
Read Only:
True
The property type is str.
file:ismime
Records one, of potentially multiple, mime types for a given file.
The base type for the form can be found at file:ismime.
Properties:
- :file / file:ismime:file
The file node that is an instance of the named mime type. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :mime / file:ismime:mime
The mime type of the file. It has the following property options set:
Read Only:
True
The property type is file:mime.
file:mime
A file mime name string.
The base type for the form can be found at file:mime.
An example of file:mime:
text/plain
Properties:
file:mime:gif
The GUID of a set of mime metadata for a .gif file.
The base type for the form can be found at file:mime:gif.
Properties:
- :desc / file:mime:gif:desc
MIME specific description field extracted from metadata.
The property type is str.
- :comment / file:mime:gif:comment
MIME specific comment field extracted from metadata.
The property type is str.
- :created / file:mime:gif:created
MIME specific creation timestamp extracted from metadata.
The property type is time.
- :imageid / file:mime:gif:imageid
MIME specific unique identifier extracted from metadata.
The property type is str.
- :author / file:mime:gif:author
MIME specific contact information extracted from metadata.
The property type is ps:contact.
- :latlong / file:mime:gif:latlong
MIME specific lat/long information extracted from metadata.
The property type is geo:latlong.
- :altitude / file:mime:gif:altitude
MIME specific altitude information extracted from metadata.
The property type is geo:altitude.
- :file / file:mime:gif:file
The file that the mime info was parsed from.
The property type is file:bytes.
- :file:offs / file:mime:gif:file:offs
The optional offset where the mime info was parsed from.
The property type is int.
- :file:data / file:mime:gif:file:data
A mime specific arbitrary data structure for non-indexed data.
The property type is data.
file:mime:jpg
The GUID of a set of mime metadata for a .jpg file.
The base type for the form can be found at file:mime:jpg.
Properties:
- :desc / file:mime:jpg:desc
MIME specific description field extracted from metadata.
The property type is str.
- :comment / file:mime:jpg:comment
MIME specific comment field extracted from metadata.
The property type is str.
- :created / file:mime:jpg:created
MIME specific creation timestamp extracted from metadata.
The property type is time.
- :imageid / file:mime:jpg:imageid
MIME specific unique identifier extracted from metadata.
The property type is str.
- :author / file:mime:jpg:author
MIME specific contact information extracted from metadata.
The property type is ps:contact.
- :latlong / file:mime:jpg:latlong
MIME specific lat/long information extracted from metadata.
The property type is geo:latlong.
- :altitude / file:mime:jpg:altitude
MIME specific altitude information extracted from metadata.
The property type is geo:altitude.
- :file / file:mime:jpg:file
The file that the mime info was parsed from.
The property type is file:bytes.
- :file:offs / file:mime:jpg:file:offs
The optional offset where the mime info was parsed from.
The property type is int.
- :file:data / file:mime:jpg:file:data
A mime specific arbitrary data structure for non-indexed data.
The property type is data.
file:mime:macho:loadcmd
A generic load command pulled from the Mach-O headers.
The base type for the form can be found at file:mime:macho:loadcmd.
Properties:
- :file / file:mime:macho:loadcmd:file
The Mach-O file containing the load command.
The property type is file:bytes.
- :type / file:mime:macho:loadcmd:type
The type of the load command.
The property type is int. Its type has the following options set:
enums:
((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))
- :size / file:mime:macho:loadcmd:size
The size of the load command structure in bytes.
The property type is int.
file:mime:macho:section
A section inside a Mach-O binary denoting a named region of bytes inside a segment.
The base type for the form can be found at file:mime:macho:section.
Properties:
- :segment / file:mime:macho:section:segment
The Mach-O segment that contains this section.
The property type is file:mime:macho:segment.
- :name / file:mime:macho:section:name
Name of the section.
The property type is str.
- :size / file:mime:macho:section:size
Size of the section in bytes.
The property type is int.
- :type / file:mime:macho:section:type
The type of the section.
The property type is int. Its type has the following options set:
enums:
((0, 'regular'), (1, 'zero fill on demand'), (2, 'only literal C strings'), (3, 'only 4 byte literals'), (4, 'only 8 byte literals'), (5, 'only pointers to literals'), (6, 'only non-lazy symbol pointers'), (7, 'only lazy symbol pointers'), (8, 'only symbol stubs'), (9, 'only function pointers for init'), (10, 'only function pointers for fini'), (11, 'contains symbols to be coalesced'), (12, 'zero fill on deman (greater than 4gb)'), (13, 'only pairs of function pointers for interposing'), (14, 'only 16 byte literals'), (15, 'dtrace object format'), (16, 'only lazy symbols pointers to lazy dynamic libraries'))
- :sha256 / file:mime:macho:section:sha256
The sha256 hash of the bytes of the Mach-O section.
The property type is hash:sha256.
- :offset / file:mime:macho:section:offset
The file offset to the begining of the section.
The property type is int.
file:mime:macho:segment
A named region of bytes inside a Mach-O binary.
The base type for the form can be found at file:mime:macho:segment.
Properties:
- :name / file:mime:macho:segment:name
The name of the Mach-O segment.
The property type is str.
- :memsize / file:mime:macho:segment:memsize
The size of the segment in bytes, when resident in memory, according to the load command structure.
The property type is int.
- :disksize / file:mime:macho:segment:disksize
The size of the segment in bytes, when on disk, according to the load command structure.
The property type is int.
- :sha256 / file:mime:macho:segment:sha256
The sha256 hash of the bytes of the segment.
The property type is hash:sha256.
- :offset / file:mime:macho:segment:offset
The file offset to the begining of the segment.
The property type is int.
- :file / file:mime:macho:segment:file
The Mach-O file containing the load command.
The property type is file:bytes.
- :type / file:mime:macho:segment:type
The type of the load command.
The property type is int. Its type has the following options set:
enums:
((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))
- :size / file:mime:macho:segment:size
The size of the load command structure in bytes.
The property type is int.
file:mime:macho:uuid
A specific load command denoting a UUID used to uniquely identify the Mach-O binary.
The base type for the form can be found at file:mime:macho:uuid.
Properties:
- :uuid / file:mime:macho:uuid:uuid
The UUID of the Mach-O application (as defined in an LC_UUID load command).
The property type is guid.
- :file / file:mime:macho:uuid:file
The Mach-O file containing the load command.
The property type is file:bytes.
- :type / file:mime:macho:uuid:type
The type of the load command.
The property type is int. Its type has the following options set:
enums:
((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))
- :size / file:mime:macho:uuid:size
The size of the load command structure in bytes.
The property type is int.
file:mime:macho:version
A specific load command used to denote the version of the source used to build the Mach-O binary.
The base type for the form can be found at file:mime:macho:version.
Properties:
- :version / file:mime:macho:version:version
The version of the Mach-O file encoded in an LC_VERSION load command.
The property type is str.
- :file / file:mime:macho:version:file
The Mach-O file containing the load command.
The property type is file:bytes.
- :type / file:mime:macho:version:type
The type of the load command.
The property type is int. Its type has the following options set:
enums:
((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))
- :size / file:mime:macho:version:size
The size of the load command structure in bytes.
The property type is int.
file:mime:msdoc
The GUID of a set of mime metadata for a Microsoft Word file.
The base type for the form can be found at file:mime:msdoc.
Properties:
- :title / file:mime:msdoc:title
The title extracted from Microsoft Office metadata.
The property type is str.
- :author / file:mime:msdoc:author
The author extracted from Microsoft Office metadata.
The property type is str.
- :subject / file:mime:msdoc:subject
The subject extracted from Microsoft Office metadata.
The property type is str.
- :application / file:mime:msdoc:application
The creating_application extracted from Microsoft Office metadata.
The property type is str.
- :created / file:mime:msdoc:created
The create_time extracted from Microsoft Office metadata.
The property type is time.
- :lastsaved / file:mime:msdoc:lastsaved
The last_saved_time extracted from Microsoft Office metadata.
The property type is time.
- :file / file:mime:msdoc:file
The file that the mime info was parsed from.
The property type is file:bytes.
- :file:offs / file:mime:msdoc:file:offs
The optional offset where the mime info was parsed from.
The property type is int.
- :file:data / file:mime:msdoc:file:data
A mime specific arbitrary data structure for non-indexed data.
The property type is data.
file:mime:msppt
The GUID of a set of mime metadata for a Microsoft Powerpoint file.
The base type for the form can be found at file:mime:msppt.
Properties:
- :title / file:mime:msppt:title
The title extracted from Microsoft Office metadata.
The property type is str.
- :author / file:mime:msppt:author
The author extracted from Microsoft Office metadata.
The property type is str.
- :subject / file:mime:msppt:subject
The subject extracted from Microsoft Office metadata.
The property type is str.
- :application / file:mime:msppt:application
The creating_application extracted from Microsoft Office metadata.
The property type is str.
- :created / file:mime:msppt:created
The create_time extracted from Microsoft Office metadata.
The property type is time.
- :lastsaved / file:mime:msppt:lastsaved
The last_saved_time extracted from Microsoft Office metadata.
The property type is time.
- :file / file:mime:msppt:file
The file that the mime info was parsed from.
The property type is file:bytes.
- :file:offs / file:mime:msppt:file:offs
The optional offset where the mime info was parsed from.
The property type is int.
- :file:data / file:mime:msppt:file:data
A mime specific arbitrary data structure for non-indexed data.
The property type is data.
file:mime:msxls
The GUID of a set of mime metadata for a Microsoft Excel file.
The base type for the form can be found at file:mime:msxls.
Properties:
- :title / file:mime:msxls:title
The title extracted from Microsoft Office metadata.
The property type is str.
- :author / file:mime:msxls:author
The author extracted from Microsoft Office metadata.
The property type is str.
- :subject / file:mime:msxls:subject
The subject extracted from Microsoft Office metadata.
The property type is str.
- :application / file:mime:msxls:application
The creating_application extracted from Microsoft Office metadata.
The property type is str.
- :created / file:mime:msxls:created
The create_time extracted from Microsoft Office metadata.
The property type is time.
- :lastsaved / file:mime:msxls:lastsaved
The last_saved_time extracted from Microsoft Office metadata.
The property type is time.
- :file / file:mime:msxls:file
The file that the mime info was parsed from.
The property type is file:bytes.
- :file:offs / file:mime:msxls:file:offs
The optional offset where the mime info was parsed from.
The property type is int.
- :file:data / file:mime:msxls:file:data
A mime specific arbitrary data structure for non-indexed data.
The property type is data.
file:mime:pe:export
The fused knowledge of a file:bytes node containing a pe named export.
The base type for the form can be found at file:mime:pe:export.
Properties:
- :file / file:mime:pe:export:file
The file containing the export. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :name / file:mime:pe:export:name
The name of the export in the file. It has the following property options set:
Read Only:
True
The property type is str.
file:mime:pe:resource
The fused knowledge of a file:bytes node containing a pe resource.
The base type for the form can be found at file:mime:pe:resource.
Properties:
- :file / file:mime:pe:resource:file
The file containing the resource. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :type / file:mime:pe:resource:type
The typecode for the resource. It has the following property options set:
Read Only:
True
The property type is pe:resource:type.
- :langid / file:mime:pe:resource:langid
The language code for the resource. It has the following property options set:
Read Only:
True
The property type is pe:langid.
- :resource / file:mime:pe:resource:resource
The sha256 hash of the resource bytes. It has the following property options set:
Read Only:
True
The property type is file:bytes.
file:mime:pe:section
The fused knowledge a file:bytes node containing a pe section.
The base type for the form can be found at file:mime:pe:section.
Properties:
- :file / file:mime:pe:section:file
The file containing the section. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :name / file:mime:pe:section:name
The textual name of the section. It has the following property options set:
Read Only:
True
The property type is str.
- :sha256 / file:mime:pe:section:sha256
The sha256 hash of the section. Relocations must be zeroed before hashing. It has the following property options set:
Read Only:
True
The property type is hash:sha256.
file:mime:pe:vsvers:info
knowledge of a file:bytes node containing vsvers info.
The base type for the form can be found at file:mime:pe:vsvers:info.
Properties:
- :file / file:mime:pe:vsvers:info:file
The file containing the vsversion keyval pair. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :keyval / file:mime:pe:vsvers:info:keyval
The vsversion info keyval in this file:bytes node. It has the following property options set:
Read Only:
True
The property type is file:mime:pe:vsvers:keyval.
file:mime:pe:vsvers:keyval
A key value pair found in a PE vsversion info structure.
The base type for the form can be found at file:mime:pe:vsvers:keyval.
Properties:
- :name / file:mime:pe:vsvers:keyval:name
The key for the vsversion keyval pair. It has the following property options set:
Read Only:
True
The property type is str.
- :value / file:mime:pe:vsvers:keyval:value
The value for the vsversion keyval pair. It has the following property options set:
Read Only:
True
The property type is str.
file:mime:png
The GUID of a set of mime metadata for a .png file.
The base type for the form can be found at file:mime:png.
Properties:
- :desc / file:mime:png:desc
MIME specific description field extracted from metadata.
The property type is str.
- :comment / file:mime:png:comment
MIME specific comment field extracted from metadata.
The property type is str.
- :created / file:mime:png:created
MIME specific creation timestamp extracted from metadata.
The property type is time.
- :imageid / file:mime:png:imageid
MIME specific unique identifier extracted from metadata.
The property type is str.
- :author / file:mime:png:author
MIME specific contact information extracted from metadata.
The property type is ps:contact.
- :latlong / file:mime:png:latlong
MIME specific lat/long information extracted from metadata.
The property type is geo:latlong.
- :altitude / file:mime:png:altitude
MIME specific altitude information extracted from metadata.
The property type is geo:altitude.
- :file / file:mime:png:file
The file that the mime info was parsed from.
The property type is file:bytes.
- :file:offs / file:mime:png:file:offs
The optional offset where the mime info was parsed from.
The property type is int.
- :file:data / file:mime:png:file:data
A mime specific arbitrary data structure for non-indexed data.
The property type is data.
file:mime:rtf
The GUID of a set of mime metadata for a .rtf file.
The base type for the form can be found at file:mime:rtf.
Properties:
- :guid / file:mime:rtf:guid
The parsed GUID embedded in the .rtf file.
The property type is guid.
- :file / file:mime:rtf:file
The file that the mime info was parsed from.
The property type is file:bytes.
- :file:offs / file:mime:rtf:file:offs
The optional offset where the mime info was parsed from.
The property type is int.
- :file:data / file:mime:rtf:file:data
A mime specific arbitrary data structure for non-indexed data.
The property type is data.
file:mime:tif
The GUID of a set of mime metadata for a .tif file.
The base type for the form can be found at file:mime:tif.
Properties:
- :desc / file:mime:tif:desc
MIME specific description field extracted from metadata.
The property type is str.
- :comment / file:mime:tif:comment
MIME specific comment field extracted from metadata.
The property type is str.
- :created / file:mime:tif:created
MIME specific creation timestamp extracted from metadata.
The property type is time.
- :imageid / file:mime:tif:imageid
MIME specific unique identifier extracted from metadata.
The property type is str.
- :author / file:mime:tif:author
MIME specific contact information extracted from metadata.
The property type is ps:contact.
- :latlong / file:mime:tif:latlong
MIME specific lat/long information extracted from metadata.
The property type is geo:latlong.
- :altitude / file:mime:tif:altitude
MIME specific altitude information extracted from metadata.
The property type is geo:altitude.
- :file / file:mime:tif:file
The file that the mime info was parsed from.
The property type is file:bytes.
- :file:offs / file:mime:tif:file:offs
The optional offset where the mime info was parsed from.
The property type is int.
- :file:data / file:mime:tif:file:data
A mime specific arbitrary data structure for non-indexed data.
The property type is data.
file:path
A normalized file path.
The base type for the form can be found at file:path.
An example of file:path:
c:/windows/system32/calc.exe
Properties:
- :dir / file:path:dir
The parent directory. It has the following property options set:
Read Only:
True
The property type is file:path.
- :base / file:path:base
The file base name. It has the following property options set:
Read Only:
True
The property type is file:base.
- :base:ext / file:path:base:ext
The file extension. It has the following property options set:
Read Only:
True
The property type is str.
file:string
Deprecated. Please use the edge -(refs)> it:dev:str.
The base type for the form can be found at file:string.
Properties:
- :file / file:string:file
The file containing the string. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :string / file:string:string
The string contained in this file:bytes node. It has the following property options set:
Read Only:
True
The property type is str.
file:subfile
A parent file that fully contains the specified child file.
The base type for the form can be found at file:subfile.
Properties:
- :parent / file:subfile:parent
The parent file containing the child file. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :child / file:subfile:child
The child file contained in the parent file. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :name / file:subfile:name
Deprecated, please use the :path property. It has the following property options set:
deprecated:
True
The property type is file:base.
- :path / file:subfile:path
The path that the parent uses to refer to the child file.
The property type is file:path.
geo:name
An unstructured place name or address.
The base type for the form can be found at geo:name.
Properties:
geo:nloc
Records a node latitude/longitude in space-time.
The base type for the form can be found at geo:nloc.
Properties:
- :ndef / geo:nloc:ndef
The node with location in geospace and time. It has the following property options set:
Read Only:
True
The property type is ndef.
- :ndef:form / geo:nloc:ndef:form
The form of node referenced by the ndef. It has the following property options set:
Read Only:
True
The property type is str.
- :latlong / geo:nloc:latlong
The latitude/longitude the node was observed. It has the following property options set:
Read Only:
True
The property type is geo:latlong.
- :time / geo:nloc:time
The time the node was observed at location. It has the following property options set:
Read Only:
True
The property type is time.
- :place / geo:nloc:place
The place corresponding to the latlong property.
The property type is geo:place.
- :loc / geo:nloc:loc
The geo-political location string for the node.
The property type is loc.
geo:place
A GUID for a geographic place.
The base type for the form can be found at geo:place.
Properties:
- :name / geo:place:name
The name of the place.
The property type is geo:name.
- :names / geo:place:names
An array of alternative place names.
The property type is array. Its type has the following options set:
type:
geo:namesorted:
Trueuniq:
True
- :parent / geo:place:parent
A parent place, possibly from reverse geocoding.
The property type is geo:place.
- :desc / geo:place:desc
A long form description of the place.
The property type is str.
- :loc / geo:place:loc
The geo-political location string for the node.
The property type is loc.
- :address / geo:place:address
The street/mailing address for the place.
The property type is geo:address.
- :geojson / geo:place:geojson
A GeoJSON representation of the place.
The property type is geo:json.
- :latlong / geo:place:latlong
The lat/long position for the place.
The property type is geo:latlong.
- :bbox / geo:place:bbox
A bounding box which encompases the place.
The property type is geo:bbox.
- :radius / geo:place:radius
An approximate radius to use for bounding box calculation.
The property type is geo:dist.
- :photo / geo:place:photo
The image file to use as the primary image of the place.
The property type is file:bytes.
gov:cn:icp
A Chinese Internet Content Provider ID.
The base type for the form can be found at gov:cn:icp.
Properties:
- :org / gov:cn:icp:org
The org with the Internet Content Provider ID.
The property type is ou:org.
gov:cn:mucd
A Chinese PLA MUCD.
The base type for the form can be found at gov:cn:mucd.
Properties:
gov:us:cage
A Commercial and Government Entity (CAGE) code.
The base type for the form can be found at gov:us:cage.
Properties:
- :name0 / gov:us:cage:name0
The name of the organization.
The property type is ou:name.
- :name1 / gov:us:cage:name1
Name Part 1.
The property type is str. Its type has the following options set:
lower:
True
- :street / gov:us:cage:street
The base string type.
The property type is str. Its type has the following options set:
lower:
True
- :city / gov:us:cage:city
The base string type.
The property type is str. Its type has the following options set:
lower:
True
- :state / gov:us:cage:state
The base string type.
The property type is str. Its type has the following options set:
lower:
True
- :zip / gov:us:cage:zip
A US Postal Zip Code.
The property type is gov:us:zip.
- :cc / gov:us:cage:cc
The 2 digit ISO country code.
The property type is pol:iso2.
- :country / gov:us:cage:country
The base string type.
The property type is str. Its type has the following options set:
lower:
True
- :phone0 / gov:us:cage:phone0
A phone number.
The property type is tel:phone.
- :phone1 / gov:us:cage:phone1
A phone number.
The property type is tel:phone.
gov:us:ssn
A US Social Security Number (SSN).
The base type for the form can be found at gov:us:ssn.
Properties:
gov:us:zip
A US Postal Zip Code.
The base type for the form can be found at gov:us:zip.
Properties:
graph:cluster
A generic node, used in conjunction with Edge types, to cluster arbitrary nodes to a single node in the model.
The base type for the form can be found at graph:cluster.
Properties:
- :name / graph:cluster:name
A human friendly name for the cluster.
The property type is str. Its type has the following options set:
lower:
True
- :desc / graph:cluster:desc
A human friendly long form description for the cluster.
The property type is str. Its type has the following options set:
lower:
True
- :type / graph:cluster:type
An optional type field used to group clusters.
The property type is str. Its type has the following options set:
lower:
True
graph:edge
A generic digraph edge to show relationships outside the model.
The base type for the form can be found at graph:edge.
Properties:
- :n1 / graph:edge:n1
The node definition type for a (form,valu) compound field. It has the following property options set:
Read Only:
True
The property type is ndef.
- :n1:form / graph:edge:n1:form
The base string type. It has the following property options set:
Read Only:
True
The property type is str.
- :n2 / graph:edge:n2
The node definition type for a (form,valu) compound field. It has the following property options set:
Read Only:
True
The property type is ndef.
- :n2:form / graph:edge:n2:form
The base string type. It has the following property options set:
Read Only:
True
The property type is str.
graph:event
A generic event node to represent events outside the model.
The base type for the form can be found at graph:event.
Properties:
- :time / graph:event:time
The time of the event.
The property type is time.
- :type / graph:event:type
A arbitrary type string for the event.
The property type is str.
- :name / graph:event:name
A name for the event.
The property type is str.
- :data / graph:event:data
Aribtrary non-indexed msgpack data attached to the event.
The property type is data.
graph:node
A generic node used to represent objects outside the model.
The base type for the form can be found at graph:node.
Properties:
graph:timeedge
A generic digraph time edge to show relationships outside the model.
The base type for the form can be found at graph:timeedge.
Properties:
- :time / graph:timeedge:time
A date/time value. It has the following property options set:
Read Only:
True
The property type is time.
- :n1 / graph:timeedge:n1
The node definition type for a (form,valu) compound field. It has the following property options set:
Read Only:
True
The property type is ndef.
- :n1:form / graph:timeedge:n1:form
The base string type. It has the following property options set:
Read Only:
True
The property type is str.
- :n2 / graph:timeedge:n2
The node definition type for a (form,valu) compound field. It has the following property options set:
Read Only:
True
The property type is ndef.
- :n2:form / graph:timeedge:n2:form
The base string type. It has the following property options set:
Read Only:
True
The property type is str.
hash:md5
A hex encoded MD5 hash.
The base type for the form can be found at hash:md5.
An example of hash:md5:
d41d8cd98f00b204e9800998ecf8427e
Properties:
hash:sha1
A hex encoded SHA1 hash.
The base type for the form can be found at hash:sha1.
An example of hash:sha1:
da39a3ee5e6b4b0d3255bfef95601890afd80709
Properties:
hash:sha256
A hex encoded SHA256 hash.
The base type for the form can be found at hash:sha256.
An example of hash:sha256:
ad9f4fe922b61e674a09530831759843b1880381de686a43460a76864ca0340c
Properties:
hash:sha384
A hex encoded SHA384 hash.
The base type for the form can be found at hash:sha384.
An example of hash:sha384:
d425f1394e418ce01ed1579069a8bfaa1da8f32cf823982113ccbef531fa36bda9987f389c5af05b5e28035242efab6c
Properties:
hash:sha512
A hex encoded SHA512 hash.
The base type for the form can be found at hash:sha512.
An example of hash:sha512:
ca74fe2ff2d03b29339ad7d08ba21d192077fece1715291c7b43c20c9136cd132788239189f3441a87eb23ce2660aa243f334295902c904b5520f6e80ab91f11
Properties:
inet:asn
An Autonomous System Number (ASN).
The base type for the form can be found at inet:asn.
Properties:
inet:asnet4
An Autonomous System Number (ASN) and its associated IPv4 address range.
The base type for the form can be found at inet:asnet4.
An example of inet:asnet4:
(54959, (1.2.3.4, 1.2.3.20))
Properties:
- :asn / inet:asnet4:asn
The Autonomous System Number (ASN) of the netblock. It has the following property options set:
Read Only:
True
The property type is inet:asn.
- :net4 / inet:asnet4:net4
The IPv4 address range assigned to the ASN. It has the following property options set:
Read Only:
True
The property type is inet:net4.
- :net4:min / inet:asnet4:net4:min
The first IPv4 in the range assigned to the ASN. It has the following property options set:
Read Only:
True
The property type is inet:ipv4.
- :net4:max / inet:asnet4:net4:max
The last IPv4 in the range assigned to the ASN. It has the following property options set:
Read Only:
True
The property type is inet:ipv4.
inet:asnet6
An Autonomous System Number (ASN) and its associated IPv6 address range.
The base type for the form can be found at inet:asnet6.
An example of inet:asnet6:
(54959, (ff::00, ff::02))
Properties:
- :asn / inet:asnet6:asn
The Autonomous System Number (ASN) of the netblock. It has the following property options set:
Read Only:
True
The property type is inet:asn.
- :net6 / inet:asnet6:net6
The IPv6 address range assigned to the ASN. It has the following property options set:
Read Only:
True
The property type is inet:net6.
- :net6:min / inet:asnet6:net6:min
The first IPv6 in the range assigned to the ASN. It has the following property options set:
Read Only:
True
The property type is inet:ipv6.
- :net6:max / inet:asnet6:net6:max
The last IPv6 in the range assigned to the ASN. It has the following property options set:
Read Only:
True
The property type is inet:ipv6.
inet:cidr4
An IPv4 address block in Classless Inter-Domain Routing (CIDR) notation.
The base type for the form can be found at inet:cidr4.
An example of inet:cidr4:
1.2.3.0/24
Properties:
- :broadcast / inet:cidr4:broadcast
The broadcast IP address from the CIDR notation. It has the following property options set:
Read Only:
True
The property type is inet:ipv4.
- :mask / inet:cidr4:mask
The mask from the CIDR notation. It has the following property options set:
Read Only:
True
The property type is int.
- :network / inet:cidr4:network
The network IP address from the CIDR notation. It has the following property options set:
Read Only:
True
The property type is inet:ipv4.
inet:cidr6
An IPv6 address block in Classless Inter-Domain Routing (CIDR) notation.
The base type for the form can be found at inet:cidr6.
An example of inet:cidr6:
2001:db8::/101
Properties:
- :broadcast / inet:cidr6:broadcast
The broadcast IP address from the CIDR notation. It has the following property options set:
Read Only:
True
The property type is inet:ipv6.
- :mask / inet:cidr6:mask
The mask from the CIDR notation. It has the following property options set:
Read Only:
True
The property type is int.
- :network / inet:cidr6:network
The network IP address from the CIDR notation. It has the following property options set:
Read Only:
True
The property type is inet:ipv6.
inet:client
A network client address.
The base type for the form can be found at inet:client.
An example of inet:client:
tcp://1.2.3.4:80
Properties:
- :proto / inet:client:proto
The network protocol of the client. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
True
- :ipv4 / inet:client:ipv4
The IPv4 of the client. It has the following property options set:
Read Only:
True
The property type is inet:ipv4.
- :ipv6 / inet:client:ipv6
The IPv6 of the client. It has the following property options set:
Read Only:
True
The property type is inet:ipv6.
- :host / inet:client:host
The it:host node for the client. It has the following property options set:
Read Only:
True
The property type is it:host.
- :port / inet:client:port
The client tcp/udp port.
The property type is inet:port.
inet:dns:a
The result of a DNS A record lookup.
The base type for the form can be found at inet:dns:a.
An example of inet:dns:a:
(vertex.link,1.2.3.4)
Properties:
- :fqdn / inet:dns:a:fqdn
The domain queried for its DNS A record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :ipv4 / inet:dns:a:ipv4
The IPv4 address returned in the A record. It has the following property options set:
Read Only:
True
The property type is inet:ipv4.
inet:dns:aaaa
The result of a DNS AAAA record lookup.
The base type for the form can be found at inet:dns:aaaa.
An example of inet:dns:aaaa:
(vertex.link,2607:f8b0:4004:809::200e)
Properties:
- :fqdn / inet:dns:aaaa:fqdn
The domain queried for its DNS AAAA record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :ipv6 / inet:dns:aaaa:ipv6
The IPv6 address returned in the AAAA record. It has the following property options set:
Read Only:
True
The property type is inet:ipv6.
inet:dns:answer
A single answer from within a DNS reply.
The base type for the form can be found at inet:dns:answer.
Properties:
- :ttl / inet:dns:answer:ttl
The base 64 bit signed integer type.
The property type is int.
- :request / inet:dns:answer:request
A single instance of a DNS resolver request and optional reply info.
The property type is inet:dns:request.
- :a / inet:dns:answer:a
The DNS A record returned by the lookup. It has the following property options set:
Read Only:
True
The property type is inet:dns:a.
- :ns / inet:dns:answer:ns
The DNS NS record returned by the lookup. It has the following property options set:
Read Only:
True
The property type is inet:dns:ns.
- :rev / inet:dns:answer:rev
The DNS PTR record returned by the lookup. It has the following property options set:
Read Only:
True
The property type is inet:dns:rev.
- :aaaa / inet:dns:answer:aaaa
The DNS AAAA record returned by the lookup. It has the following property options set:
Read Only:
True
The property type is inet:dns:aaaa.
- :rev6 / inet:dns:answer:rev6
The DNS PTR record returned by the lookup of an IPv6 address. It has the following property options set:
Read Only:
True
The property type is inet:dns:rev6.
- :cname / inet:dns:answer:cname
The DNS CNAME record returned by the lookup. It has the following property options set:
Read Only:
True
The property type is inet:dns:cname.
- :mx / inet:dns:answer:mx
The DNS MX record returned by the lookup. It has the following property options set:
Read Only:
True
The property type is inet:dns:mx.
- :soa / inet:dns:answer:soa
The domain queried for its SOA record. It has the following property options set:
Read Only:
True
The property type is inet:dns:soa.
- :txt / inet:dns:answer:txt
The DNS TXT record returned by the lookup. It has the following property options set:
Read Only:
True
The property type is inet:dns:txt.
inet:dns:cname
The result of a DNS CNAME record lookup.
The base type for the form can be found at inet:dns:cname.
An example of inet:dns:cname:
(foo.vertex.link,vertex.link)
Properties:
- :fqdn / inet:dns:cname:fqdn
The domain queried for its CNAME record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :cname / inet:dns:cname:cname
The domain returned in the CNAME record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
inet:dns:mx
The result of a DNS MX record lookup.
The base type for the form can be found at inet:dns:mx.
An example of inet:dns:mx:
(vertex.link,mail.vertex.link)
Properties:
- :fqdn / inet:dns:mx:fqdn
The domain queried for its MX record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :mx / inet:dns:mx:mx
The domain returned in the MX record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
inet:dns:ns
The result of a DNS NS record lookup.
The base type for the form can be found at inet:dns:ns.
An example of inet:dns:ns:
(vertex.link,ns.dnshost.com)
Properties:
- :zone / inet:dns:ns:zone
The domain queried for its DNS NS record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :ns / inet:dns:ns:ns
The domain returned in the NS record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
inet:dns:query
A DNS query unique to a given client.
The base type for the form can be found at inet:dns:query.
An example of inet:dns:query:
(1.2.3.4, woot.com, 1)
Properties:
- :client / inet:dns:query:client
A network client address. It has the following property options set:
Read Only:
True
The property type is inet:client.
- :name / inet:dns:query:name
A DNS query name string. Likely an FQDN but not always. It has the following property options set:
Read Only:
True
The property type is inet:dns:name.
- :name:ipv4 / inet:dns:query:name:ipv4
An IPv4 address.
The property type is inet:ipv4.
- :name:ipv6 / inet:dns:query:name:ipv6
An IPv6 address.
The property type is inet:ipv6.
- :name:fqdn / inet:dns:query:name:fqdn
A Fully Qualified Domain Name (FQDN).
The property type is inet:fqdn.
- :type / inet:dns:query:type
The base 64 bit signed integer type. It has the following property options set:
Read Only:
True
The property type is int.
inet:dns:request
A single instance of a DNS resolver request and optional reply info.
The base type for the form can be found at inet:dns:request.
Properties:
- :time / inet:dns:request:time
A date/time value.
The property type is time.
- :query / inet:dns:request:query
A DNS query unique to a given client.
The property type is inet:dns:query.
- :query:name / inet:dns:request:query:name
A DNS query name string. Likely an FQDN but not always.
The property type is inet:dns:name.
- :query:name:ipv4 / inet:dns:request:query:name:ipv4
An IPv4 address.
The property type is inet:ipv4.
- :query:name:ipv6 / inet:dns:request:query:name:ipv6
An IPv6 address.
The property type is inet:ipv6.
- :query:name:fqdn / inet:dns:request:query:name:fqdn
A Fully Qualified Domain Name (FQDN).
The property type is inet:fqdn.
- :query:type / inet:dns:request:query:type
The base 64 bit signed integer type.
The property type is int.
- :server / inet:dns:request:server
A network server address.
The property type is inet:server.
- :reply:code / inet:dns:request:reply:code
The DNS server response code.
The property type is int.
- :exe / inet:dns:request:exe
The file containing the code that attempted the DNS lookup.
The property type is file:bytes.
- :proc / inet:dns:request:proc
The process that attempted the DNS lookup.
The property type is it:exec:proc.
- :host / inet:dns:request:host
The host that attempted the DNS lookup.
The property type is it:host.
- :sandbox:file / inet:dns:request:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
inet:dns:rev
The transformed result of a DNS PTR record lookup.
The base type for the form can be found at inet:dns:rev.
An example of inet:dns:rev:
(1.2.3.4,vertex.link)
Properties:
- :ipv4 / inet:dns:rev:ipv4
The IPv4 address queried for its DNS PTR record. It has the following property options set:
Read Only:
True
The property type is inet:ipv4.
- :fqdn / inet:dns:rev:fqdn
The domain returned in the PTR record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
inet:dns:rev6
The transformed result of a DNS PTR record for an IPv6 address.
The base type for the form can be found at inet:dns:rev6.
An example of inet:dns:rev6:
(2607:f8b0:4004:809::200e,vertex.link)
Properties:
- :ipv6 / inet:dns:rev6:ipv6
The IPv6 address queried for its DNS PTR record. It has the following property options set:
Read Only:
True
The property type is inet:ipv6.
- :fqdn / inet:dns:rev6:fqdn
The domain returned in the PTR record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
inet:dns:soa
The result of a DNS SOA record lookup.
The base type for the form can be found at inet:dns:soa.
Properties:
- :fqdn / inet:dns:soa:fqdn
The domain queried for its SOA record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :ns / inet:dns:soa:ns
The domain (MNAME) returned in the SOA record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :email / inet:dns:soa:email
The email address (RNAME) returned in the SOA record. It has the following property options set:
Read Only:
True
The property type is inet:email.
inet:dns:txt
The result of a DNS MX record lookup.
The base type for the form can be found at inet:dns:txt.
An example of inet:dns:txt:
(hehe.vertex.link,"fancy TXT record")
Properties:
- :fqdn / inet:dns:txt:fqdn
The domain queried for its TXT record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :txt / inet:dns:txt:txt
The string returned in the TXT record. It has the following property options set:
Read Only:
True
The property type is str.
inet:dns:wild:a
A DNS A wild card record and the IPv4 it resolves to.
The base type for the form can be found at inet:dns:wild:a.
Properties:
- :fqdn / inet:dns:wild:a:fqdn
The domain containing a wild card record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :ipv4 / inet:dns:wild:a:ipv4
The IPv4 address returned by wild card resolutions. It has the following property options set:
Read Only:
True
The property type is inet:ipv4.
inet:dns:wild:aaaa
A DNS AAAA wild card record and the IPv6 it resolves to.
The base type for the form can be found at inet:dns:wild:aaaa.
Properties:
- :fqdn / inet:dns:wild:aaaa:fqdn
The domain containing a wild card record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :ipv6 / inet:dns:wild:aaaa:ipv6
The IPv6 address returned by wild card resolutions. It has the following property options set:
Read Only:
True
The property type is inet:ipv6.
inet:download
An instance of a file downloaded from a server.
The base type for the form can be found at inet:download.
Properties:
- :time / inet:download:time
The time the file was downloaded.
The property type is time.
- :fqdn / inet:download:fqdn
The FQDN used to resolve the server.
The property type is inet:fqdn.
- :file / inet:download:file
The file that was downloaded.
The property type is file:bytes.
- :server / inet:download:server
The inet:addr of the server.
The property type is inet:server.
- :server:host / inet:download:server:host
The it:host node for the server.
The property type is it:host.
- :server:ipv4 / inet:download:server:ipv4
The IPv4 of the server.
The property type is inet:ipv4.
- :server:ipv6 / inet:download:server:ipv6
The IPv6 of the server.
The property type is inet:ipv6.
- :server:port / inet:download:server:port
The server tcp/udp port.
The property type is inet:port.
- :server:proto / inet:download:server:proto
The server network layer protocol.
The property type is str. Its type has the following options set:
lower:
True
- :client / inet:download:client
The inet:addr of the client.
The property type is inet:client.
- :client:host / inet:download:client:host
The it:host node for the client.
The property type is it:host.
- :client:ipv4 / inet:download:client:ipv4
The IPv4 of the client.
The property type is inet:ipv4.
- :client:ipv6 / inet:download:client:ipv6
The IPv6 of the client.
The property type is inet:ipv6.
- :client:port / inet:download:client:port
The client tcp/udp port.
The property type is inet:port.
- :client:proto / inet:download:client:proto
The client network layer protocol.
The property type is str. Its type has the following options set:
lower:
True
inet:email
An e-mail address.
The base type for the form can be found at inet:email.
Properties:
inet:email:header
A unique email message header.
The base type for the form can be found at inet:email:header.
Properties:
- :name / inet:email:header:name
The name of the email header. It has the following property options set:
Read Only:
True
The property type is inet:email:header:name.
- :value / inet:email:header:value
The value of the email header. It has the following property options set:
Read Only:
True
The property type is str.
inet:email:message
A unique email message.
The base type for the form can be found at inet:email:message.
Properties:
- :to / inet:email:message:to
The email address of the recipient.
The property type is inet:email.
- :from / inet:email:message:from
The email address of the sender.
The property type is inet:email.
- :replyto / inet:email:message:replyto
The email address from the reply-to header.
The property type is inet:email.
- :subject / inet:email:message:subject
The email message subject line.
The property type is str.
- :body / inet:email:message:body
The body of the email message. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :date / inet:email:message:date
The time the email message was received.
The property type is time.
- :bytes / inet:email:message:bytes
The file bytes which contain the email message.
The property type is file:bytes.
- :headers / inet:email:message:headers
An array of email headers from the message.
The property type is array. Its type has the following options set:
type:
inet:email:header
inet:email:message:attachment
A file which was attached to an email message.
The base type for the form can be found at inet:email:message:attachment.
Properties:
- :message / inet:email:message:attachment:message
The message containing the attached file. It has the following property options set:
Read Only:
True
The property type is inet:email:message.
- :file / inet:email:message:attachment:file
The attached file. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :name / inet:email:message:attachment:name
The name of the attached file.
The property type is file:base.
inet:email:message:link
A url/link embedded in an email message.
The base type for the form can be found at inet:email:message:link.
Properties:
- :message / inet:email:message:link:message
The message containing the embedded link. It has the following property options set:
Read Only:
True
The property type is inet:email:message.
- :url / inet:email:message:link:url
The url contained within the email message. It has the following property options set:
Read Only:
True
The property type is inet:url.
inet:flow
An individual network connection between a given source and destination.
The base type for the form can be found at inet:flow.
Properties:
- :time / inet:flow:time
The time the network connection was initiated.
The property type is time.
- :duration / inet:flow:duration
The duration of the flow in seconds.
The property type is int.
- :from / inet:flow:from
The ingest source file/iden. Used for reparsing.
The property type is guid.
- :dst / inet:flow:dst
The destination address / port for a connection.
The property type is inet:server.
- :dst:ipv4 / inet:flow:dst:ipv4
The destination IPv4 address.
The property type is inet:ipv4.
- :dst:ipv6 / inet:flow:dst:ipv6
The destination IPv6 address.
The property type is inet:ipv6.
- :dst:port / inet:flow:dst:port
The destination port.
The property type is inet:port.
- :dst:proto / inet:flow:dst:proto
The destination protocol.
The property type is str. Its type has the following options set:
lower:
True
- :dst:host / inet:flow:dst:host
The guid of the destination host.
The property type is it:host.
- :dst:proc / inet:flow:dst:proc
The guid of the destination process.
The property type is it:exec:proc.
- :dst:exe / inet:flow:dst:exe
The file (executable) that received the connection.
The property type is file:bytes.
- :dst:txcount / inet:flow:dst:txcount
The number of packets sent by the destination host.
The property type is int.
- :dst:txbytes / inet:flow:dst:txbytes
The number of bytes sent by the destination host.
The property type is int.
- :dst:handshake / inet:flow:dst:handshake
A text representation of the initial handshake sent by the server. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :src / inet:flow:src
The source address / port for a connection.
The property type is inet:client.
- :src:ipv4 / inet:flow:src:ipv4
The source IPv4 address.
The property type is inet:ipv4.
- :src:ipv6 / inet:flow:src:ipv6
The source IPv6 address.
The property type is inet:ipv6.
- :src:port / inet:flow:src:port
The source port.
The property type is inet:port.
- :src:proto / inet:flow:src:proto
The source protocol.
The property type is str. Its type has the following options set:
lower:
True
- :src:host / inet:flow:src:host
The guid of the source host.
The property type is it:host.
- :src:proc / inet:flow:src:proc
The guid of the source process.
The property type is it:exec:proc.
- :src:exe / inet:flow:src:exe
The file (executable) that created the connection.
The property type is file:bytes.
- :src:txcount / inet:flow:src:txcount
The number of packets sent by the source host.
The property type is int.
- :src:txbytes / inet:flow:src:txbytes
The number of bytes sent by the source host.
The property type is int.
- :tot:txcount / inet:flow:tot:txcount
The number of packets sent in both directions.
The property type is int.
- :tot:txbytes / inet:flow:tot:txbytes
The number of bytes sent in both directions.
The property type is int.
- :src:handshake / inet:flow:src:handshake
A text representation of the initial handshake sent by the client. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :dst:cpes / inet:flow:dst:cpes
An array of NIST CPEs identified on the destination host.
The property type is array. Its type has the following options set:
type:
it:sec:cpeuniq:
Truesorted:
True
- :dst:softnames / inet:flow:dst:softnames
An array of software names identified on the destination host.
The property type is array. Its type has the following options set:
type:
it:dev:struniq:
Truesorted:
True
- :src:cpes / inet:flow:src:cpes
An array of NIST CPEs identified on the source host.
The property type is array. Its type has the following options set:
type:
it:sec:cpeuniq:
Truesorted:
True
- :src:softnames / inet:flow:src:softnames
An array of software names identified on the source host.
The property type is array. Its type has the following options set:
type:
it:dev:struniq:
Truesorted:
True
- :ip:proto / inet:flow:ip:proto
The IP protocol number of the flow.
The property type is int. Its type has the following options set:
min:
0max:
255
- :ip:tcp:flags / inet:flow:ip:tcp:flags
An aggregation of observed TCP flags commonly provided by flow APIs.
The property type is int. Its type has the following options set:
min:
0max:
255
- :sandbox:file / inet:flow:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
inet:fqdn
A Fully Qualified Domain Name (FQDN).
The base type for the form can be found at inet:fqdn.
An example of inet:fqdn:
vertex.link
Properties:
- :domain / inet:fqdn:domain
The parent domain for the FQDN. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :host / inet:fqdn:host
The host part of the FQDN. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
True
- :issuffix / inet:fqdn:issuffix
True if the FQDN is considered a suffix.
The property type is bool.
- :iszone / inet:fqdn:iszone
True if the FQDN is considered a zone.
The property type is bool.
- :zone / inet:fqdn:zone
The zone level parent for this FQDN.
The property type is inet:fqdn.
inet:group
A group name string.
The base type for the form can be found at inet:group.
Properties:
inet:http:param
An HTTP request path query parameter.
The base type for the form can be found at inet:http:param.
Properties:
- :name / inet:http:param:name
The name of the HTTP query parameter. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
True
- :value / inet:http:param:value
The value of the HTTP query parameter. It has the following property options set:
Read Only:
True
The property type is str.
inet:http:request
A single HTTP request.
The base type for the form can be found at inet:http:request.
Properties:
- :method / inet:http:request:method
The HTTP request method string.
The property type is str.
- :path / inet:http:request:path
The requested HTTP path (without query parameters).
The property type is str.
- :url / inet:http:request:url
The reconstructed URL for the request if known.
The property type is inet:url.
- :query / inet:http:request:query
The HTTP query string which optionally follows the path.
The property type is str.
- :headers / inet:http:request:headers
An array of HTTP headers from the request.
The property type is array. Its type has the following options set:
type:
inet:http:request:header
- :body / inet:http:request:body
The body of the HTTP request.
The property type is file:bytes.
- :response:time / inet:http:request:response:time
A date/time value.
The property type is time.
- :response:code / inet:http:request:response:code
The base 64 bit signed integer type.
The property type is int.
- :response:reason / inet:http:request:response:reason
The base string type.
The property type is str.
- :response:headers / inet:http:request:response:headers
An array of HTTP headers from the response.
The property type is array. Its type has the following options set:
type:
inet:http:response:header
- :response:body / inet:http:request:response:body
The file bytes type with SHA256 based primary property.
The property type is file:bytes.
- :session / inet:http:request:session
The HTTP session this request was part of.
The property type is inet:http:session.
- :flow / inet:http:request:flow
The raw inet:flow containing the request.
The property type is inet:flow.
- :client / inet:http:request:client
The inet:addr of the client.
The property type is inet:client.
- :client:ipv4 / inet:http:request:client:ipv4
The server IPv4 address that the request was sent from.
The property type is inet:ipv4.
- :client:ipv6 / inet:http:request:client:ipv6
The server IPv6 address that the request was sent from.
The property type is inet:ipv6.
- :client:host / inet:http:request:client:host
The host that the request was sent from.
The property type is it:host.
- :server / inet:http:request:server
The inet:addr of the server.
The property type is inet:server.
- :server:ipv4 / inet:http:request:server:ipv4
The server IPv4 address that the request was sent to.
The property type is inet:ipv4.
- :server:ipv6 / inet:http:request:server:ipv6
The server IPv6 address that the request was sent to.
The property type is inet:ipv6.
- :server:port / inet:http:request:server:port
The server port that the request was sent to.
The property type is inet:port.
- :server:host / inet:http:request:server:host
The host that the request was sent to.
The property type is it:host.
- :exe / inet:http:request:exe
The executable file which caused the activity.
The property type is file:bytes.
- :proc / inet:http:request:proc
The host process which caused the activity.
The property type is it:exec:proc.
- :thread / inet:http:request:thread
The host thread which caused the activity.
The property type is it:exec:thread.
- :host / inet:http:request:host
The host on which the activity occurred.
The property type is it:host.
- :time / inet:http:request:time
The time that the activity started.
The property type is time.
- :sandbox:file / inet:http:request:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
inet:http:request:header
An HTTP request header.
The base type for the form can be found at inet:http:request:header.
Properties:
- :name / inet:http:request:header:name
The name of the HTTP request header. It has the following property options set:
Read Only:
True
The property type is inet:http:header:name.
- :value / inet:http:request:header:value
The value of the HTTP request header. It has the following property options set:
Read Only:
True
The property type is str.
inet:http:response:header
An HTTP response header.
The base type for the form can be found at inet:http:response:header.
Properties:
- :name / inet:http:response:header:name
The name of the HTTP response header. It has the following property options set:
Read Only:
True
The property type is inet:http:header:name.
- :value / inet:http:response:header:value
The value of the HTTP response header. It has the following property options set:
Read Only:
True
The property type is str.
inet:http:session
An HTTP session.
The base type for the form can be found at inet:http:session.
Properties:
- :contact / inet:http:session:contact
The ps:contact which owns the session.
The property type is ps:contact.
inet:iface
A network interface with a set of associated protocol addresses.
The base type for the form can be found at inet:iface.
Properties:
- :host / inet:iface:host
The guid of the host the interface is associated with.
The property type is it:host.
- :network / inet:iface:network
The guid of the it:network the interface connected to.
The property type is it:network.
- :type / inet:iface:type
The free-form interface type.
The property type is str. Its type has the following options set:
lower:
True
- :mac / inet:iface:mac
The ethernet (MAC) address of the interface.
The property type is inet:mac.
- :ipv4 / inet:iface:ipv4
The IPv4 address of the interface.
The property type is inet:ipv4.
- :ipv6 / inet:iface:ipv6
The IPv6 address of the interface.
The property type is inet:ipv6.
- :phone / inet:iface:phone
The telephone number of the interface.
The property type is tel:phone.
- :wifi:ssid / inet:iface:wifi:ssid
The wifi SSID of the interface.
The property type is inet:wifi:ssid.
- :wifi:bssid / inet:iface:wifi:bssid
The wifi BSSID of the interface.
The property type is inet:mac.
- :adid / inet:iface:adid
An advertising ID associated with the interface.
The property type is it:adid.
- :mob:imei / inet:iface:mob:imei
The IMEI of the interface.
The property type is tel:mob:imei.
- :mob:imsi / inet:iface:mob:imsi
The IMSI of the interface.
The property type is tel:mob:imsi.
inet:ipv4
An IPv4 address.
The base type for the form can be found at inet:ipv4.
An example of inet:ipv4:
1.2.3.4
Properties:
- :asn / inet:ipv4:asn
The ASN to which the IPv4 address is currently assigned.
The property type is inet:asn.
- :latlong / inet:ipv4:latlong
The best known latitude/longitude for the node.
The property type is geo:latlong.
- :loc / inet:ipv4:loc
The geo-political location string for the IPv4.
The property type is loc.
- :place / inet:ipv4:place
The geo:place associated with the latlong property.
The property type is geo:place.
- :type / inet:ipv4:type
The type of IP address (e.g., private, multicast, etc.).
The property type is str.
- :dns:rev / inet:ipv4:dns:rev
The most current DNS reverse lookup for the IPv4.
The property type is inet:fqdn.
inet:ipv6
An IPv6 address.
The base type for the form can be found at inet:ipv6.
An example of inet:ipv6:
2607:f8b0:4004:809::200e
Properties:
- :asn / inet:ipv6:asn
The ASN to which the IPv6 address is currently assigned.
The property type is inet:asn.
- :ipv4 / inet:ipv6:ipv4
The mapped ipv4.
The property type is inet:ipv4.
- :latlong / inet:ipv6:latlong
The last known latitude/longitude for the node.
The property type is geo:latlong.
- :place / inet:ipv6:place
The geo:place associated with the latlong property.
The property type is geo:place.
- :dns:rev / inet:ipv6:dns:rev
The most current DNS reverse lookup for the IPv6.
The property type is inet:fqdn.
- :loc / inet:ipv6:loc
The geo-political location string for the IPv6.
The property type is loc.
inet:mac
A 48-bit Media Access Control (MAC) address.
The base type for the form can be found at inet:mac.
An example of inet:mac:
aa:bb:cc:dd:ee:ff
Properties:
- :vendor / inet:mac:vendor
The vendor associated with the 24-bit prefix of a MAC address.
The property type is str.
inet:passwd
A password string.
The base type for the form can be found at inet:passwd.
Properties:
- :md5 / inet:passwd:md5
The MD5 hash of the password. It has the following property options set:
Read Only:
True
The property type is hash:md5.
- :sha1 / inet:passwd:sha1
The SHA1 hash of the password. It has the following property options set:
Read Only:
True
The property type is hash:sha1.
- :sha256 / inet:passwd:sha256
The SHA256 hash of the password. It has the following property options set:
Read Only:
True
The property type is hash:sha256.
inet:rfc2822:addr
An RFC 2822 Address field.
The base type for the form can be found at inet:rfc2822:addr.
An example of inet:rfc2822:addr:
"Visi Kenshoto" <visi@vertex.link>
Properties:
- :name / inet:rfc2822:addr:name
The name field parsed from an RFC 2822 address string. It has the following property options set:
Read Only:
True
The property type is ps:name.
- :email / inet:rfc2822:addr:email
The email field parsed from an RFC 2822 address string. It has the following property options set:
Read Only:
True
The property type is inet:email.
inet:search:query
An instance of a search query issued to a search engine.
The base type for the form can be found at inet:search:query.
Properties:
- :text / inet:search:query:text
The search query text. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :time / inet:search:query:time
The time the web search was issued.
The property type is time.
- :acct / inet:search:query:acct
The account that the query was issued as.
The property type is inet:web:acct.
- :host / inet:search:query:host
The host that issued the query.
The property type is it:host.
- :engine / inet:search:query:engine
A simple name for the search engine used. It has the following property options set:
Example:
google
The property type is str. Its type has the following options set:
lower:
True
inet:search:result
A single result from a web search.
The base type for the form can be found at inet:search:result.
Properties:
- :query / inet:search:result:query
The search query that produced the result.
The property type is inet:search:query.
- :title / inet:search:result:title
The title of the matching web page.
The property type is str. Its type has the following options set:
lower:
True
- :rank / inet:search:result:rank
The rank/order of the query result.
The property type is int.
- :url / inet:search:result:url
The URL hosting the matching content.
The property type is inet:url.
- :text / inet:search:result:text
Extracted/matched text from the matched content.
The property type is str. Its type has the following options set:
lower:
True
inet:server
A network server address.
The base type for the form can be found at inet:server.
An example of inet:server:
tcp://1.2.3.4:80
Properties:
- :proto / inet:server:proto
The network protocol of the server. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
True
- :ipv4 / inet:server:ipv4
The IPv4 of the server. It has the following property options set:
Read Only:
True
The property type is inet:ipv4.
- :ipv6 / inet:server:ipv6
The IPv6 of the server. It has the following property options set:
Read Only:
True
The property type is inet:ipv6.
- :host / inet:server:host
The it:host node for the server. It has the following property options set:
Read Only:
True
The property type is it:host.
- :port / inet:server:port
The server tcp/udp port.
The property type is inet:port.
inet:servfile
A file hosted on a server for access over a network protocol.
The base type for the form can be found at inet:servfile.
Properties:
- :file / inet:servfile:file
The file hosted by the server. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :server / inet:servfile:server
The inet:addr of the server. It has the following property options set:
Read Only:
True
The property type is inet:server.
- :server:proto / inet:servfile:server:proto
The network protocol of the server. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
True
- :server:ipv4 / inet:servfile:server:ipv4
The IPv4 of the server. It has the following property options set:
Read Only:
True
The property type is inet:ipv4.
- :server:ipv6 / inet:servfile:server:ipv6
The IPv6 of the server. It has the following property options set:
Read Only:
True
The property type is inet:ipv6.
- :server:host / inet:servfile:server:host
The it:host node for the server. It has the following property options set:
Read Only:
True
The property type is it:host.
- :server:port / inet:servfile:server:port
The server tcp/udp port.
The property type is inet:port.
inet:ssl:cert
An SSL certificate file served by a server.
The base type for the form can be found at inet:ssl:cert.
An example of inet:ssl:cert:
(1.2.3.4:443, guid:d41d8cd98f00b204e9800998ecf8427e)
Properties:
- :file / inet:ssl:cert:file
The file bytes for the SSL certificate. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :server / inet:ssl:cert:server
The server that presented the SSL certificate. It has the following property options set:
Read Only:
True
The property type is inet:server.
- :server:ipv4 / inet:ssl:cert:server:ipv4
The SSL server IPv4 address. It has the following property options set:
Read Only:
True
The property type is inet:ipv4.
- :server:ipv6 / inet:ssl:cert:server:ipv6
The SSL server IPv6 address. It has the following property options set:
Read Only:
True
The property type is inet:ipv6.
- :server:port / inet:ssl:cert:server:port
The SSL server listening port. It has the following property options set:
Read Only:
True
The property type is inet:port.
inet:ssl:jarmhash
A TLS JARM fingerprint hash.
The base type for the form can be found at inet:ssl:jarmhash.
Properties:
- :ciphers / inet:ssl:jarmhash:ciphers
The encoded cipher and TLS version of the server. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
Trueregex:
^[0-9a-f]{30}$
- :extensions / inet:ssl:jarmhash:extensions
The truncated SHA256 of the TLS server extensions. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
Trueregex:
^[0-9a-f]{32}$
inet:ssl:jarmsample
A JARM hash sample taken from a server.
The base type for the form can be found at inet:ssl:jarmsample.
Properties:
- :jarmhash / inet:ssl:jarmsample:jarmhash
The JARM hash computed from the server responses. It has the following property options set:
Read Only:
True
The property type is inet:ssl:jarmhash.
- :server / inet:ssl:jarmsample:server
The server that was sampled to compute the JARM hash. It has the following property options set:
Read Only:
True
The property type is inet:server.
inet:url
A Universal Resource Locator (URL).
The base type for the form can be found at inet:url.
An example of inet:url:
http://www.woot.com/files/index.html
Properties:
- :fqdn / inet:url:fqdn
The fqdn used in the URL (e.g., http://www.woot.com/page.html). It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :ipv4 / inet:url:ipv4
The IPv4 address used in the URL (e.g., http://1.2.3.4/page.html). It has the following property options set:
Read Only:
True
The property type is inet:ipv4.
- :ipv6 / inet:url:ipv6
The IPv6 address used in the URL. It has the following property options set:
Read Only:
True
The property type is inet:ipv6.
- :passwd / inet:url:passwd
The optional password used to access the URL. It has the following property options set:
Read Only:
True
The property type is inet:passwd.
- :base / inet:url:base
The base scheme, user/pass, fqdn, port and path w/o parameters. It has the following property options set:
Read Only:
True
The property type is str.
- :path / inet:url:path
The path in the URL w/o parameters. It has the following property options set:
Read Only:
True
The property type is str.
- :params / inet:url:params
The URL parameter string. It has the following property options set:
Read Only:
True
The property type is str.
- :port / inet:url:port
The port of the URL. URLs prefixed with http will be set to port 80 and URLs prefixed with https will be set to port 443 unless otherwise specified. It has the following property options set:
Read Only:
True
The property type is inet:port.
- :proto / inet:url:proto
The protocol in the URL. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
True
- :user / inet:url:user
The optional username used to access the URL. It has the following property options set:
Read Only:
True
The property type is inet:user.
inet:url:mirror
A URL mirror site.
The base type for the form can be found at inet:url:mirror.
Properties:
inet:urlfile
A file hosted at a specific Universal Resource Locator (URL).
The base type for the form can be found at inet:urlfile.
Properties:
- :url / inet:urlfile:url
The URL where the file was hosted. It has the following property options set:
Read Only:
True
The property type is inet:url.
- :file / inet:urlfile:file
The file that was hosted at the URL. It has the following property options set:
Read Only:
True
The property type is file:bytes.
inet:urlredir
A URL that redirects to another URL, such as via a URL shortening service or an HTTP 302 response.
The base type for the form can be found at inet:urlredir.
An example of inet:urlredir:
(http://foo.com/,http://bar.com/)
Properties:
- :src / inet:urlredir:src
The original/source URL before redirect. It has the following property options set:
Read Only:
True
The property type is inet:url.
- :src:fqdn / inet:urlredir:src:fqdn
The FQDN within the src URL (if present). It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :dst / inet:urlredir:dst
The redirected/destination URL. It has the following property options set:
Read Only:
True
The property type is inet:url.
- :dst:fqdn / inet:urlredir:dst:fqdn
The FQDN within the dst URL (if present). It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
inet:user
A username string.
The base type for the form can be found at inet:user.
Properties:
inet:web:acct
An account with a given Internet-based site or service.
The base type for the form can be found at inet:web:acct.
An example of inet:web:acct:
twitter.com/invisig0th
Properties:
- :avatar / inet:web:acct:avatar
The file representing the avatar (e.g., profile picture) for the account.
The property type is file:bytes.
- :dob / inet:web:acct:dob
A self-declared date of birth for the account (if the account belongs to a person).
The property type is time.
- :email / inet:web:acct:email
The email address associated with the account.
The property type is inet:email.
- :linked:accts / inet:web:acct:linked:accts
Linked accounts specified in the account profile.
The property type is array. Its type has the following options set:
type:
inet:web:acctuniq:
Truesorted:
True
- :latlong / inet:web:acct:latlong
The last known latitude/longitude for the node.
The property type is geo:latlong.
- :place / inet:web:acct:place
The geo:place associated with the latlong property.
The property type is geo:place.
- :loc / inet:web:acct:loc
A self-declared location for the account.
The property type is loc.
- :name / inet:web:acct:name
The localized name associated with the account (may be different from the account identifier, e.g., a display name).
The property type is inet:user.
- :name:en / inet:web:acct:name:en
The English version of the name associated with the (may be different from the account identifier, e.g., a display name).
The property type is inet:user.
- :aliases / inet:web:acct:aliases
An array of alternate names for the user.
The property type is array. Its type has the following options set:
type:
inet:useruniq:
Truesorted:
True
- :occupation / inet:web:acct:occupation
A self-declared occupation for the account.
The property type is str. Its type has the following options set:
lower:
True
- :passwd / inet:web:acct:passwd
The current password for the account.
The property type is inet:passwd.
- :phone / inet:web:acct:phone
The phone number associated with the account.
The property type is tel:phone.
- :realname / inet:web:acct:realname
The localized version of the real name of the account owner / registrant.
The property type is ps:name.
- :realname:en / inet:web:acct:realname:en
The English version of the real name of the account owner / registrant.
The property type is ps:name.
- :signup / inet:web:acct:signup
The date and time the account was registered.
The property type is time.
- :signup:client / inet:web:acct:signup:client
The client address used to sign up for the account.
The property type is inet:client.
- :signup:client:ipv4 / inet:web:acct:signup:client:ipv4
The IPv4 address used to sign up for the account.
The property type is inet:ipv4.
- :signup:client:ipv6 / inet:web:acct:signup:client:ipv6
The IPv6 address used to sign up for the account.
The property type is inet:ipv6.
- :site / inet:web:acct:site
The site or service associated with the account. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :tagline / inet:web:acct:tagline
The text of the account status or tag line.
The property type is str.
- :url / inet:web:acct:url
The service provider URL where the account is hosted.
The property type is inet:url.
- :user / inet:web:acct:user
The unique identifier for the account (may be different from the common name or display name). It has the following property options set:
Read Only:
True
The property type is inet:user.
- :webpage / inet:web:acct:webpage
A related URL specified by the account (e.g., a personal or company web page, blog, etc.).
The property type is inet:url.
- :recovery:email / inet:web:acct:recovery:email
An email address registered as a recovery email address for the account.
The property type is inet:email.
inet:web:action
An instance of an account performing an action at an Internet-based site or service.
The base type for the form can be found at inet:web:action.
Properties:
- :act / inet:web:action:act
The action performed by the account.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :acct / inet:web:action:acct
The web account associated with the action.
The property type is inet:web:acct.
- :acct:site / inet:web:action:acct:site
The site or service associated with the account.
The property type is inet:fqdn.
- :acct:user / inet:web:action:acct:user
The unique identifier for the account.
The property type is inet:user.
- :time / inet:web:action:time
The date and time the account performed the action.
The property type is time.
- :client / inet:web:action:client
The source client address of the action.
The property type is inet:client.
- :client:ipv4 / inet:web:action:client:ipv4
The source IPv4 address of the action.
The property type is inet:ipv4.
- :client:ipv6 / inet:web:action:client:ipv6
The source IPv6 address of the action.
The property type is inet:ipv6.
- :loc / inet:web:action:loc
The location of the user executing the web action.
The property type is loc.
- :latlong / inet:web:action:latlong
The latlong of the user when executing the web action.
The property type is geo:latlong.
- :place / inet:web:action:place
The geo:place of the user when executing the web action.
The property type is geo:place.
inet:web:channel
A channel within a web service or instance such as slack or discord.
The base type for the form can be found at inet:web:channel.
Properties:
- :url / inet:web:channel:url
The primary URL used to identify the channel. It has the following property options set:
Example:
https://app.slack.com/client/T2XK1223Y/C2XHHNDS7
The property type is inet:url.
- :id / inet:web:channel:id
The operator specified ID of this channel. It has the following property options set:
Example:
C2XHHNDS7
The property type is str. Its type has the following options set:
strip:
True
- :instance / inet:web:channel:instance
The instance which contains the channel.
The property type is inet:web:instance.
- :name / inet:web:channel:name
The visible name of the channel. It has the following property options set:
Example:
general
The property type is str. Its type has the following options set:
strip:
True
- :topic / inet:web:channel:topic
The visible topic of the channel. It has the following property options set:
Example:
Synapse Discussion - Feel free to invite others!
The property type is str. Its type has the following options set:
strip:
True
- :created / inet:web:channel:created
The time the channel was created.
The property type is time.
- :creator / inet:web:channel:creator
The account which created the channel.
The property type is inet:web:acct.
inet:web:chprofile
A change to a web account. Used to capture historical properties associated with an account, as opposed to current data in the inet:web:acct node.
The base type for the form can be found at inet:web:chprofile.
Properties:
- :acct / inet:web:chprofile:acct
The web account associated with the change.
The property type is inet:web:acct.
- :acct:site / inet:web:chprofile:acct:site
The site or service associated with the account.
The property type is inet:fqdn.
- :acct:user / inet:web:chprofile:acct:user
The unique identifier for the account.
The property type is inet:user.
- :client / inet:web:chprofile:client
The source address used to make the account change.
The property type is inet:client.
- :client:ipv4 / inet:web:chprofile:client:ipv4
The source IPv4 address used to make the account change.
The property type is inet:ipv4.
- :client:ipv6 / inet:web:chprofile:client:ipv6
The source IPv6 address used to make the account change.
The property type is inet:ipv6.
- :time / inet:web:chprofile:time
The date and time when the account change occurred.
The property type is time.
- :pv / inet:web:chprofile:pv
The prop=valu of the account property that was changed. Valu should be the old / original value, while the new value should be updated on the inet:web:acct form.
The property type is nodeprop.
- :pv:prop / inet:web:chprofile:pv:prop
The property that was changed.
The property type is str.
inet:web:file
A file posted by a web account.
The base type for the form can be found at inet:web:file.
Properties:
- :acct / inet:web:file:acct
The account that owns or is associated with the file. It has the following property options set:
Read Only:
True
The property type is inet:web:acct.
- :acct:site / inet:web:file:acct:site
The site or service associated with the account. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :acct:user / inet:web:file:acct:user
The unique identifier for the account. It has the following property options set:
Read Only:
True
The property type is inet:user.
- :file / inet:web:file:file
The file owned by or associated with the account. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :name / inet:web:file:name
The name of the file owned by or associated with the account.
The property type is file:base.
- :posted / inet:web:file:posted
The date and time the file was posted / submitted.
The property type is time.
- :client / inet:web:file:client
The source client address used to post or submit the file.
The property type is inet:client.
- :client:ipv4 / inet:web:file:client:ipv4
The source IPv4 address used to post or submit the file.
The property type is inet:ipv4.
- :client:ipv6 / inet:web:file:client:ipv6
The source IPv6 address used to post or submit the file.
The property type is inet:ipv6.
inet:web:follows
A web account follows or is connected to another web account.
The base type for the form can be found at inet:web:follows.
Properties:
- :follower / inet:web:follows:follower
The account following an account. It has the following property options set:
Read Only:
True
The property type is inet:web:acct.
- :followee / inet:web:follows:followee
The account followed by an account. It has the following property options set:
Read Only:
True
The property type is inet:web:acct.
inet:web:group
A group hosted within or registered with a given Internet-based site or service.
The base type for the form can be found at inet:web:group.
An example of inet:web:group:
somesite.com/mycoolgroup
Properties:
- :site / inet:web:group:site
The site or service associated with the group. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :id / inet:web:group:id
The site-specific unique identifier for the group (may be different from the common name or display name). It has the following property options set:
Read Only:
True
The property type is inet:group.
- :name / inet:web:group:name
The localized name associated with the group (may be different from the account identifier, e.g., a display name).
The property type is inet:group.
- :aliases / inet:web:group:aliases
An array of alternate names for the group.
The property type is array. Its type has the following options set:
type:
inet:groupuniq:
Truesorted:
True
- :name:en / inet:web:group:name:en
The English version of the name associated with the group (may be different from the localized name).
The property type is inet:group.
- :url / inet:web:group:url
The service provider URL where the group is hosted.
The property type is inet:url.
- :avatar / inet:web:group:avatar
The file representing the avatar (e.g., profile picture) for the group.
The property type is file:bytes.
- :desc / inet:web:group:desc
The text of the description of the group.
The property type is str.
- :webpage / inet:web:group:webpage
A related URL specified by the group (e.g., primary web site, etc.).
The property type is inet:url.
- :loc / inet:web:group:loc
A self-declared location for the group.
The property type is str. Its type has the following options set:
lower:
True
- :latlong / inet:web:group:latlong
The last known latitude/longitude for the node.
The property type is geo:latlong.
- :place / inet:web:group:place
The geo:place associated with the latlong property.
The property type is geo:place.
- :signup / inet:web:group:signup
The date and time the group was created on the site.
The property type is time.
- :signup:client / inet:web:group:signup:client
The client address used to create the group.
The property type is inet:client.
- :signup:client:ipv4 / inet:web:group:signup:client:ipv4
The IPv4 address used to create the group.
The property type is inet:ipv4.
- :signup:client:ipv6 / inet:web:group:signup:client:ipv6
The IPv6 address used to create the group.
The property type is inet:ipv6.
inet:web:hashtag
A hashtag used in a web post.
The base type for the form can be found at inet:web:hashtag.
Properties:
inet:web:instance
An instance of a web service such as slack or discord.
The base type for the form can be found at inet:web:instance.
Properties:
- :url / inet:web:instance:url
The primary URL used to identify the instance. It has the following property options set:
Example:
https://app.slack.com/client/T2XK1223Y
The property type is inet:url.
- :id / inet:web:instance:id
The operator specified ID of this instance. It has the following property options set:
Example:
T2XK1223Y
The property type is str. Its type has the following options set:
strip:
True
- :name / inet:web:instance:name
The visible name of the instance. It has the following property options set:
Example:
vertex synapse
The property type is str. Its type has the following options set:
strip:
True
- :created / inet:web:instance:created
The time the instance was created.
The property type is time.
- :creator / inet:web:instance:creator
The account which created the instance.
The property type is inet:web:acct.
- :owner / inet:web:instance:owner
The organization which created the instance.
The property type is ou:org.
- :owner:fqdn / inet:web:instance:owner:fqdn
The FQDN of the organization which created the instance. Used for entity resolution. It has the following property options set:
Example:
vertex.link
The property type is inet:fqdn.
- :owner:name / inet:web:instance:owner:name
The name of the organization which created the instance. Used for entity resolution. It has the following property options set:
Example:
the vertex project, llc.
The property type is ou:name.
- :operator / inet:web:instance:operator
The organization which operates the instance.
The property type is ou:org.
- :operator:name / inet:web:instance:operator:name
The name of the organization which operates the instance. Used for entity resolution. It has the following property options set:
Example:
slack
The property type is ou:name.
- :operator:fqdn / inet:web:instance:operator:fqdn
The FQDN of the organization which operates the instance. Used for entity resolution. It has the following property options set:
Example:
slack.com
The property type is inet:fqdn.
inet:web:logon
An instance of an account authenticating to an Internet-based site or service.
The base type for the form can be found at inet:web:logon.
Properties:
- :acct / inet:web:logon:acct
The web account associated with the logon event. It has the following property options set:
Read Only:
True
The property type is inet:web:acct.
- :acct:site / inet:web:logon:acct:site
The site or service associated with the account. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :acct:user / inet:web:logon:acct:user
The unique identifier for the account. It has the following property options set:
Read Only:
True
The property type is inet:user.
- :time / inet:web:logon:time
The date and time the account logged into the service. It has the following property options set:
Read Only:
True
The property type is time.
- :client / inet:web:logon:client
The source address of the logon.
The property type is inet:client.
- :client:ipv4 / inet:web:logon:client:ipv4
The source IPv4 address of the logon.
The property type is inet:ipv4.
- :client:ipv6 / inet:web:logon:client:ipv6
The source IPv6 address of the logon.
The property type is inet:ipv6.
- :logout / inet:web:logon:logout
The date and time the account logged out of the service. It has the following property options set:
Read Only:
True
The property type is time.
- :loc / inet:web:logon:loc
The location of the user executing the logon.
The property type is loc.
- :latlong / inet:web:logon:latlong
The latlong of the user executing the logon.
The property type is geo:latlong.
- :place / inet:web:logon:place
The geo:place of the user executing the logon.
The property type is geo:place.
inet:web:memb
A web account that is a member of a web group.
The base type for the form can be found at inet:web:memb.
Properties:
- :acct / inet:web:memb:acct
The account that is a member of the group. It has the following property options set:
Read Only:
True
The property type is inet:web:acct.
- :group / inet:web:memb:group
The group that the account is a member of. It has the following property options set:
Read Only:
True
The property type is inet:web:group.
- :title / inet:web:memb:title
The title or status of the member (e.g., admin, new member, etc.).
The property type is str. Its type has the following options set:
lower:
True
- :joined / inet:web:memb:joined
The date / time the account joined the group.
The property type is time.
inet:web:mesg
A message sent from one web account to another web account.
The base type for the form can be found at inet:web:mesg.
An example of inet:web:mesg:
((twitter.com, invisig0th), (twitter.com, gobbles), 20041012130220)
Properties:
- :from / inet:web:mesg:from
The web account that sent the message. It has the following property options set:
Read Only:
True
The property type is inet:web:acct.
- :to / inet:web:mesg:to
The web account that received the message. It has the following property options set:
Read Only:
True
The property type is inet:web:acct.
- :client / inet:web:mesg:client
The source address of the message.
The property type is inet:client.
- :client:ipv4 / inet:web:mesg:client:ipv4
The source IPv4 address of the message.
The property type is inet:ipv4.
- :client:ipv6 / inet:web:mesg:client:ipv6
The source IPv6 address of the message.
The property type is inet:ipv6.
- :time / inet:web:mesg:time
The date and time at which the message was sent. It has the following property options set:
Read Only:
True
The property type is time.
- :url / inet:web:mesg:url
The URL where the message is posted / visible.
The property type is inet:url.
- :text / inet:web:mesg:text
The text of the message. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :file / inet:web:mesg:file
The file attached to or sent with the message.
The property type is file:bytes.
- :place / inet:web:mesg:place
The place that the message was reportedly sent from.
The property type is geo:place.
- :place:name / inet:web:mesg:place:name
The name of the place that the message was reportedly sent from. Used for entity resolution.
The property type is geo:name.
- :instance / inet:web:mesg:instance
The instance where the message was sent.
The property type is inet:web:instance.
inet:web:post
A post made by a web account.
The base type for the form can be found at inet:web:post.
Properties:
- :acct / inet:web:post:acct
The web account that made the post.
The property type is inet:web:acct.
- :acct:site / inet:web:post:acct:site
The site or service associated with the account.
The property type is inet:fqdn.
- :client / inet:web:post:client
The source address of the post.
The property type is inet:client.
- :client:ipv4 / inet:web:post:client:ipv4
The source IPv4 address of the post.
The property type is inet:ipv4.
- :client:ipv6 / inet:web:post:client:ipv6
The source IPv6 address of the post.
The property type is inet:ipv6.
- :acct:user / inet:web:post:acct:user
The unique identifier for the account.
The property type is inet:user.
- :text / inet:web:post:text
The text of the post. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :time / inet:web:post:time
The date and time that the post was made.
The property type is time.
- :deleted / inet:web:post:deleted
The message was deleted by the poster.
The property type is bool.
- :url / inet:web:post:url
The URL where the post is published / visible.
The property type is inet:url.
- :file / inet:web:post:file
The file that was attached to the post.
The property type is file:bytes.
- :replyto / inet:web:post:replyto
The post that this post is in reply to.
The property type is inet:web:post.
- :repost / inet:web:post:repost
The original post that this is a repost of.
The property type is inet:web:post.
- :hashtags / inet:web:post:hashtags
Hashtags mentioned within the post.
The property type is array. Its type has the following options set:
type:
inet:web:hashtaguniq:
Truesorted:
Truesplit:
,
- :mentions:users / inet:web:post:mentions:users
Accounts mentioned within the post.
The property type is array. Its type has the following options set:
type:
inet:web:acctuniq:
Truesorted:
Truesplit:
,
- :mentions:groups / inet:web:post:mentions:groups
Groups mentioned within the post.
The property type is array. Its type has the following options set:
type:
inet:web:groupuniq:
Truesorted:
Truesplit:
,
- :loc / inet:web:post:loc
The location that the post was reportedly sent from.
The property type is loc.
- :place / inet:web:post:place
The place that the post was reportedly sent from.
The property type is geo:place.
- :place:name / inet:web:post:place:name
The name of the place that the post was reportedly sent from. Used for entity resolution.
The property type is geo:name.
- :latlong / inet:web:post:latlong
The place that the post was reportedly sent from.
The property type is geo:latlong.
- :channel / inet:web:post:channel
The channel where the post was made.
The property type is inet:web:channel.
inet:whois:contact
An individual contact from a domain whois record.
The base type for the form can be found at inet:whois:contact.
Properties:
- :rec / inet:whois:contact:rec
The whois record containing the contact data. It has the following property options set:
Read Only:
True
The property type is inet:whois:rec.
- :rec:fqdn / inet:whois:contact:rec:fqdn
The domain associated with the whois record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :rec:asof / inet:whois:contact:rec:asof
The date of the whois record. It has the following property options set:
Read Only:
True
The property type is time.
- :type / inet:whois:contact:type
The contact type (e.g., registrar, registrant, admin, billing, tech, etc.). It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
True
- :id / inet:whois:contact:id
The ID associated with the contact.
The property type is str. Its type has the following options set:
lower:
True
- :name / inet:whois:contact:name
The name of the contact.
The property type is str. Its type has the following options set:
lower:
True
- :email / inet:whois:contact:email
The email address of the contact.
The property type is inet:email.
- :orgname / inet:whois:contact:orgname
The name of the contact organization.
The property type is ou:name.
- :address / inet:whois:contact:address
The content of the street address field(s) of the contact.
The property type is str. Its type has the following options set:
lower:
True
- :city / inet:whois:contact:city
The content of the city field of the contact.
The property type is str. Its type has the following options set:
lower:
True
- :state / inet:whois:contact:state
The content of the state field of the contact.
The property type is str. Its type has the following options set:
lower:
True
- :country / inet:whois:contact:country
The two-letter country code of the contact.
The property type is str. Its type has the following options set:
lower:
True
- :phone / inet:whois:contact:phone
The content of the phone field of the contact.
The property type is tel:phone.
- :fax / inet:whois:contact:fax
The content of the fax field of the contact.
The property type is tel:phone.
- :url / inet:whois:contact:url
The URL specified for the contact.
The property type is inet:url.
- :whois:fqdn / inet:whois:contact:whois:fqdn
The whois server FQDN for the given contact (most likely a registrar).
The property type is inet:fqdn.
inet:whois:email
An email address associated with an FQDN via whois registration text.
The base type for the form can be found at inet:whois:email.
Properties:
- :fqdn / inet:whois:email:fqdn
The domain with a whois record containing the email address. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :email / inet:whois:email:email
The email address associated with the domain whois record. It has the following property options set:
Read Only:
True
The property type is inet:email.
inet:whois:ipcontact
An individual contact from an IP block record.
The base type for the form can be found at inet:whois:ipcontact.
Properties:
- :contact / inet:whois:ipcontact:contact
Contact information associated with a registration.
The property type is ps:contact.
- :asof / inet:whois:ipcontact:asof
The date of the record.
The property type is time.
- :created / inet:whois:ipcontact:created
The “created” time from the record.
The property type is time.
- :updated / inet:whois:ipcontact:updated
The “last updated” time from the record.
The property type is time.
- :role / inet:whois:ipcontact:role
The primary role for the contact.
The property type is str. Its type has the following options set:
lower:
True
- :roles / inet:whois:ipcontact:roles
Additional roles assigned to the contact.
The property type is array. Its type has the following options set:
type:
struniq:
Truesorted:
True
- :asn / inet:whois:ipcontact:asn
The associated Autonomous System Number (ASN).
The property type is inet:asn.
- :id / inet:whois:ipcontact:id
The registry unique identifier (e.g. NET-74-0-0-0-1).
The property type is inet:whois:regid.
- :links / inet:whois:ipcontact:links
URLs provided with the record.
The property type is array. Its type has the following options set:
type:
inet:urluniq:
Truesorted:
True
- :status / inet:whois:ipcontact:status
The state of the registered contact (e.g. validated, obscured).
The property type is str. Its type has the following options set:
lower:
True
- :contacts / inet:whois:ipcontact:contacts
Additional contacts referenced by this contact.
The property type is array. Its type has the following options set:
type:
inet:whois:ipcontactuniq:
Truesorted:
True
inet:whois:ipquery
Query details used to retrieve an IP record.
The base type for the form can be found at inet:whois:ipquery.
Properties:
- :time / inet:whois:ipquery:time
The time the request was made.
The property type is time.
- :url / inet:whois:ipquery:url
The query URL when using the HTTP RDAP Protocol.
The property type is inet:url.
- :fqdn / inet:whois:ipquery:fqdn
The FQDN of the host server when using the legacy WHOIS Protocol.
The property type is inet:fqdn.
- :ipv4 / inet:whois:ipquery:ipv4
The IPv4 address queried.
The property type is inet:ipv4.
- :ipv6 / inet:whois:ipquery:ipv6
The IPv6 address queried.
The property type is inet:ipv6.
- :success / inet:whois:ipquery:success
Whether the host returned a valid response for the query.
The property type is bool.
- :rec / inet:whois:ipquery:rec
The resulting record from the query.
The property type is inet:whois:iprec.
inet:whois:iprec
An IPv4/IPv6 block registration record.
The base type for the form can be found at inet:whois:iprec.
Properties:
- :net4 / inet:whois:iprec:net4
The IPv4 address range assigned.
The property type is inet:net4.
- :net4:min / inet:whois:iprec:net4:min
The first IPv4 in the range assigned.
The property type is inet:ipv4.
- :net4:max / inet:whois:iprec:net4:max
The last IPv4 in the range assigned.
The property type is inet:ipv4.
- :net6 / inet:whois:iprec:net6
The IPv6 address range assigned.
The property type is inet:net6.
- :net6:min / inet:whois:iprec:net6:min
The first IPv6 in the range assigned.
The property type is inet:ipv6.
- :net6:max / inet:whois:iprec:net6:max
The last IPv6 in the range assigned.
The property type is inet:ipv6.
- :asof / inet:whois:iprec:asof
The date of the record.
The property type is time.
- :created / inet:whois:iprec:created
The “created” time from the record.
The property type is time.
- :updated / inet:whois:iprec:updated
The “last updated” time from the record.
The property type is time.
- :text / inet:whois:iprec:text
The full text of the record. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str. Its type has the following options set:
lower:
True
- :desc / inet:whois:iprec:desc
Notes concerning the record. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str. Its type has the following options set:
lower:
True
- :asn / inet:whois:iprec:asn
The associated Autonomous System Number (ASN).
The property type is inet:asn.
- :id / inet:whois:iprec:id
The registry unique identifier (e.g. NET-74-0-0-0-1).
The property type is inet:whois:regid.
- :name / inet:whois:iprec:name
The name assigned to the network by the registrant.
The property type is str.
- :parentid / inet:whois:iprec:parentid
The registry unique identifier of the parent whois record (e.g. NET-74-0-0-0-0).
The property type is inet:whois:regid.
- :registrant / inet:whois:iprec:registrant
The registrant contact from the record.
The property type is inet:whois:ipcontact.
- :contacts / inet:whois:iprec:contacts
Additional contacts from the record.
The property type is array. Its type has the following options set:
type:
inet:whois:ipcontactuniq:
Truesorted:
True
- :country / inet:whois:iprec:country
The two-letter ISO 3166 country code.
The property type is str. Its type has the following options set:
lower:
Trueregex:
^[a-z]{2}$
- :status / inet:whois:iprec:status
The state of the registered network.
The property type is str. Its type has the following options set:
lower:
True
- :type / inet:whois:iprec:type
The classification of the registered network (e.g. direct allocation).
The property type is str. Its type has the following options set:
lower:
True
- :links / inet:whois:iprec:links
URLs provided with the record.
The property type is array. Its type has the following options set:
type:
inet:urluniq:
Truesorted:
True
inet:whois:rar
A domain registrar.
The base type for the form can be found at inet:whois:rar.
An example of inet:whois:rar:
godaddy, inc.
Properties:
inet:whois:rec
A domain whois record.
The base type for the form can be found at inet:whois:rec.
Properties:
- :fqdn / inet:whois:rec:fqdn
The domain associated with the whois record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :asof / inet:whois:rec:asof
The date of the whois record. It has the following property options set:
Read Only:
True
The property type is time.
- :text / inet:whois:rec:text
The full text of the whois record. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str. Its type has the following options set:
lower:
True
- :created / inet:whois:rec:created
The “created” time from the whois record.
The property type is time.
- :updated / inet:whois:rec:updated
The “last updated” time from the whois record.
The property type is time.
- :expires / inet:whois:rec:expires
The “expires” time from the whois record.
The property type is time.
- :registrar / inet:whois:rec:registrar
The registrar name from the whois record.
The property type is inet:whois:rar.
- :registrant / inet:whois:rec:registrant
The registrant name from the whois record.
The property type is inet:whois:reg.
inet:whois:recns
A nameserver associated with a domain whois record.
The base type for the form can be found at inet:whois:recns.
Properties:
- :ns / inet:whois:recns:ns
A nameserver for a domain as listed in the domain whois record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :rec / inet:whois:recns:rec
The whois record containing the nameserver data. It has the following property options set:
Read Only:
True
The property type is inet:whois:rec.
- :rec:fqdn / inet:whois:recns:rec:fqdn
The domain associated with the whois record. It has the following property options set:
Read Only:
True
The property type is inet:fqdn.
- :rec:asof / inet:whois:recns:rec:asof
The date of the whois record. It has the following property options set:
Read Only:
True
The property type is time.
inet:whois:reg
A domain registrant.
The base type for the form can be found at inet:whois:reg.
An example of inet:whois:reg:
woot hostmaster
Properties:
inet:whois:regid
The registry unique identifier of the registration record.
The base type for the form can be found at inet:whois:regid.
An example of inet:whois:regid:
NET-10-0-0-0-1
Properties:
inet:wifi:ap
An SSID/MAC address combination for a wireless access point.
The base type for the form can be found at inet:wifi:ap.
Properties:
- :ssid / inet:wifi:ap:ssid
The SSID for the wireless access point. It has the following property options set:
Read Only:
True
The property type is inet:wifi:ssid.
- :bssid / inet:wifi:ap:bssid
The MAC address for the wireless access point. It has the following property options set:
Read Only:
True
The property type is inet:mac.
- :latlong / inet:wifi:ap:latlong
The best known latitude/longitude for the wireless access point.
The property type is geo:latlong.
- :accuracy / inet:wifi:ap:accuracy
The reported accuracy of the latlong telemetry reading.
The property type is geo:dist.
- :channel / inet:wifi:ap:channel
The WIFI channel that the AP was last observed operating on.
The property type is int.
- :encryption / inet:wifi:ap:encryption
The type of encryption used by the WIFI AP such as “wpa2”.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :place / inet:wifi:ap:place
The geo:place associated with the latlong property.
The property type is geo:place.
- :loc / inet:wifi:ap:loc
The geo-political location string for the wireless access point.
The property type is loc.
- :org / inet:wifi:ap:org
The organization that owns/operates the access point.
The property type is ou:org.
inet:wifi:ssid
A WiFi service set identifier (SSID) name.
The base type for the form can be found at inet:wifi:ssid.
An example of inet:wifi:ssid:
The Vertex Project
Properties:
iso:oid
An ISO Object Identifier string.
The base type for the form can be found at iso:oid.
Properties:
it:account
A GUID that represents an account on a host or network.
The base type for the form can be found at it:account.
Properties:
- :user / it:account:user
The username associated with the account.
The property type is inet:user.
- :contact / it:account:contact
Additional contact information associated with this account.
The property type is ps:contact.
- :host / it:account:host
The host where the account is registered.
The property type is it:host.
- :domain / it:account:domain
The authentication domain where the account is registered.
The property type is it:domain.
- :posix:uid / it:account:posix:uid
The user ID of the account. It has the following property options set:
Example:
1001
The property type is int.
- :posix:gid / it:account:posix:gid
The primary group ID of the account. It has the following property options set:
Example:
1001
The property type is int.
- :posix:gecos / it:account:posix:gecos
The GECOS field for the POSIX account.
The property type is int.
- :posix:home / it:account:posix:home
The path to the POSIX account’s home directory. It has the following property options set:
Example:
/home/visi
The property type is file:path.
- :posix:shell / it:account:posix:shell
The path to the POSIX account’s default shell. It has the following property options set:
Example:
/bin/bash
The property type is file:path.
- :windows:sid / it:account:windows:sid
The Microsoft Windows Security Identifier of the account.
The property type is it:os:windows:sid.
- :groups / it:account:groups
An array of groups that the account is a member of.
The property type is array. Its type has the following options set:
type:
it:groupuniq:
Truesorted:
True
it:adid
An advertising identification string.
The base type for the form can be found at it:adid.
Properties:
it:app:snort:hit
An instance of a snort rule hit.
The base type for the form can be found at it:app:snort:hit.
Properties:
- :rule / it:app:snort:hit:rule
The snort rule that matched the file.
The property type is it:app:snort:rule.
- :flow / it:app:snort:hit:flow
The inet:flow that matched the snort rule.
The property type is inet:flow.
- :src / it:app:snort:hit:src
The source address of flow that caused the hit.
The property type is inet:addr.
- :src:ipv4 / it:app:snort:hit:src:ipv4
The source IPv4 address of the flow that caused the hit.
The property type is inet:ipv4.
- :src:ipv6 / it:app:snort:hit:src:ipv6
The source IPv6 address of the flow that caused the hit.
The property type is inet:ipv6.
- :src:port / it:app:snort:hit:src:port
The source port of the flow that caused the hit.
The property type is inet:port.
- :dst / it:app:snort:hit:dst
The destination address of the trigger.
The property type is inet:addr.
- :dst:ipv4 / it:app:snort:hit:dst:ipv4
The destination IPv4 address of the flow that caused the hit.
The property type is inet:ipv4.
- :dst:ipv6 / it:app:snort:hit:dst:ipv6
The destination IPv4 address of the flow that caused the hit.
The property type is inet:ipv6.
- :dst:port / it:app:snort:hit:dst:port
The destination port of the flow that caused the hit.
The property type is inet:port.
- :time / it:app:snort:hit:time
The time of the network flow that caused the hit.
The property type is time.
- :sensor / it:app:snort:hit:sensor
The sensor host node that produced the hit.
The property type is it:host.
- :version / it:app:snort:hit:version
The version of the rule at the time of match.
The property type is it:semver.
it:app:snort:rule
A snort rule unique identifier.
The base type for the form can be found at it:app:snort:rule.
Properties:
- :text / it:app:snort:rule:text
The snort rule text. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :name / it:app:snort:rule:name
The name of the snort rule.
The property type is str.
- :version / it:app:snort:rule:version
The current version of the rule.
The property type is it:semver.
it:app:yara:match
A YARA rule match to a file.
The base type for the form can be found at it:app:yara:match.
Properties:
- :rule / it:app:yara:match:rule
The YARA rule that matched the file. It has the following property options set:
Read Only:
True
The property type is it:app:yara:rule.
- :file / it:app:yara:match:file
The file that matched the YARA rule. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :version / it:app:yara:match:version
The most recent version of the rule evaluated as a match.
The property type is it:semver.
it:app:yara:procmatch
An instance of a YARA rule match to a process.
The base type for the form can be found at it:app:yara:procmatch.
Properties:
- :rule / it:app:yara:procmatch:rule
The YARA rule that matched the file.
The property type is it:app:yara:rule.
- :proc / it:app:yara:procmatch:proc
The process that matched the YARA rule.
The property type is it:exec:proc.
- :time / it:app:yara:procmatch:time
The time that the YARA engine matched the process to the rule.
The property type is time.
- :version / it:app:yara:procmatch:version
The most recent version of the rule evaluated as a match.
The property type is it:semver.
it:app:yara:rule
A YARA rule unique identifier.
The base type for the form can be found at it:app:yara:rule.
Properties:
- :text / it:app:yara:rule:text
The YARA rule text. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :name / it:app:yara:rule:name
The name of the YARA rule.
The property type is str.
- :author / it:app:yara:rule:author
Contact info for the author of the YARA rule.
The property type is ps:contact.
- :version / it:app:yara:rule:version
The current version of the rule.
The property type is it:semver.
- :created / it:app:yara:rule:created
The time the YARA rule was initially created.
The property type is time.
- :updated / it:app:yara:rule:updated
The time the YARA rule was most recently modified.
The property type is time.
- :enabled / it:app:yara:rule:enabled
The rule enabled status to be used for YARA evaluation engines.
The property type is bool.
- :family / it:app:yara:rule:family
The name of the software family the rule is designed to detect.
The property type is it:prod:softname.
it:auth:passwdhash
An instance of a password hash.
The base type for the form can be found at it:auth:passwdhash.
Properties:
- :salt / it:auth:passwdhash:salt
The (optional) hex encoded salt value used to calculate the password hash.
The property type is hex.
- :hash:md5 / it:auth:passwdhash:hash:md5
The MD5 password hash value.
The property type is hash:md5.
- :hash:sha1 / it:auth:passwdhash:hash:sha1
The SHA1 password hash value.
The property type is hash:sha1.
- :hash:sha256 / it:auth:passwdhash:hash:sha256
The SHA256 password hash value.
The property type is hash:sha256.
- :hash:sha512 / it:auth:passwdhash:hash:sha512
The SHA512 password hash value.
The property type is hash:sha512.
- :hash:lm / it:auth:passwdhash:hash:lm
The LM password hash value.
The property type is hash:lm.
- :hash:ntlm / it:auth:passwdhash:hash:ntlm
The NTLM password hash value.
The property type is hash:ntlm.
- :passwd / it:auth:passwdhash:passwd
The (optional) clear text password for this password hash.
The property type is inet:passwd.
it:av:filehit
A file that triggered an alert on a specific antivirus signature.
The base type for the form can be found at it:av:filehit.
Properties:
- :file / it:av:filehit:file
The file that triggered the signature hit. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :sig / it:av:filehit:sig
The signature that the file triggered on. It has the following property options set:
Read Only:
True
The property type is it:av:sig.
- :sig:name / it:av:filehit:sig:name
The signature name. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
True
- :sig:soft / it:av:filehit:sig:soft
The anti-virus product which contains the signature. It has the following property options set:
Read Only:
True
The property type is it:prod:soft.
it:av:prochit
An instance of a process triggering an alert on a specific antivirus signature.
The base type for the form can be found at it:av:prochit.
Properties:
- :proc / it:av:prochit:proc
The file that triggered the signature hit.
The property type is it:exec:proc.
- :sig / it:av:prochit:sig
The signature that the file triggered on.
The property type is it:av:sig.
- :time / it:av:prochit:time
The time that the AV engine detected the signature.
The property type is time.
it:av:sig
A signature name within the namespace of an antivirus engine name.
The base type for the form can be found at it:av:sig.
Properties:
- :soft / it:av:sig:soft
The anti-virus product which contains the signature. It has the following property options set:
Read Only:
True
The property type is it:prod:soft.
- :name / it:av:sig:name
The signature name. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
True
- :desc / it:av:sig:desc
A free-form description of the signature. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :url / it:av:sig:url
A reference URL for information about the signature.
The property type is inet:url.
it:cmd
A unique command-line string.
The base type for the form can be found at it:cmd.
An example of it:cmd:
foo.exe --dostuff bar
Properties:
it:dev:int
A developer selected integer constant.
The base type for the form can be found at it:dev:int.
Properties:
it:dev:mutex
A string representing a mutex.
The base type for the form can be found at it:dev:mutex.
Properties:
it:dev:pipe
A string representing a named pipe.
The base type for the form can be found at it:dev:pipe.
Properties:
it:dev:regkey
A Windows registry key.
The base type for the form can be found at it:dev:regkey.
An example of it:dev:regkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Properties:
it:dev:regval
A Windows registry key/value pair.
The base type for the form can be found at it:dev:regval.
Properties:
- :key / it:dev:regval:key
The Windows registry key.
The property type is it:dev:regkey.
- :str / it:dev:regval:str
The value of the registry key, if the value is a string.
The property type is it:dev:str.
- :int / it:dev:regval:int
The value of the registry key, if the value is an integer.
The property type is it:dev:int.
- :bytes / it:dev:regval:bytes
The file representing the value of the registry key, if the value is binary data.
The property type is file:bytes.
it:dev:str
A developer-selected string.
The base type for the form can be found at it:dev:str.
Properties:
- :norm / it:dev:str:norm
Lower case normalized version of the it:dev:str.
The property type is str. Its type has the following options set:
lower:
True
it:domain
A logical boundary of authentication and configuration such as a windows domain.
The base type for the form can be found at it:domain.
Properties:
- :name / it:domain:name
The name of the domain.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :desc / it:domain:desc
A brief description of the domain.
The property type is str.
- :org / it:domain:org
The org that operates the given domain.
The property type is ou:org.
it:exec:bind
An instance of a host binding a listening port.
The base type for the form can be found at it:exec:bind.
Properties:
- :proc / it:exec:bind:proc
The main process executing code that bound the listening port.
The property type is it:exec:proc.
- :host / it:exec:bind:host
The host running the process that bound the listening port. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:bind:exe
The specific file containing code that bound the listening port. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:bind:time
The time the port was bound.
The property type is time.
- :server / it:exec:bind:server
The inet:addr of the server when binding the port.
The property type is inet:server.
- :server:ipv4 / it:exec:bind:server:ipv4
The IPv4 address specified to bind().
The property type is inet:ipv4.
- :server:ipv6 / it:exec:bind:server:ipv6
The IPv6 address specified to bind().
The property type is inet:ipv6.
- :server:port / it:exec:bind:server:port
The bound (listening) TCP port.
The property type is inet:port.
- :sandbox:file / it:exec:bind:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:file:add
An instance of a host adding a file to a filesystem.
The base type for the form can be found at it:exec:file:add.
Properties:
- :proc / it:exec:file:add:proc
The main process executing code that created the new file.
The property type is it:exec:proc.
- :host / it:exec:file:add:host
The host running the process that created the new file. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:file:add:exe
The specific file containing code that created the new file. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:file:add:time
The time the file was created.
The property type is time.
- :path / it:exec:file:add:path
The path where the file was created.
The property type is file:path.
- :path:dir / it:exec:file:add:path:dir
The parent directory of the file path (parsed from :path). It has the following property options set:
Read Only:
True
The property type is file:path.
- :path:ext / it:exec:file:add:path:ext
The file extension of the file name (parsed from :path). It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :path:base / it:exec:file:add:path:base
The final component of the file path (parsed from :path). It has the following property options set:
Read Only:
True
The property type is file:base.
- :file / it:exec:file:add:file
The file that was created.
The property type is file:bytes.
- :sandbox:file / it:exec:file:add:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:file:del
An instance of a host deleting a file from a filesystem.
The base type for the form can be found at it:exec:file:del.
Properties:
- :proc / it:exec:file:del:proc
The main process executing code that deleted the file.
The property type is it:exec:proc.
- :host / it:exec:file:del:host
The host running the process that deleted the file. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:file:del:exe
The specific file containing code that deleted the file. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:file:del:time
The time the file was deleted.
The property type is time.
- :path / it:exec:file:del:path
The path where the file was deleted.
The property type is file:path.
- :path:dir / it:exec:file:del:path:dir
The parent directory of the file path (parsed from :path). It has the following property options set:
Read Only:
True
The property type is file:path.
- :path:ext / it:exec:file:del:path:ext
The file extension of the file name (parsed from :path). It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :path:base / it:exec:file:del:path:base
The final component of the file path (parsed from :path). It has the following property options set:
Read Only:
True
The property type is file:base.
- :file / it:exec:file:del:file
The file that was deleted.
The property type is file:bytes.
- :sandbox:file / it:exec:file:del:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:file:read
An instance of a host reading a file from a filesystem.
The base type for the form can be found at it:exec:file:read.
Properties:
- :proc / it:exec:file:read:proc
The main process executing code that read the file.
The property type is it:exec:proc.
- :host / it:exec:file:read:host
The host running the process that read the file. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:file:read:exe
The specific file containing code that read the file. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:file:read:time
The time the file was read.
The property type is time.
- :path / it:exec:file:read:path
The path where the file was read.
The property type is file:path.
- :path:dir / it:exec:file:read:path:dir
The parent directory of the file path (parsed from :path). It has the following property options set:
Read Only:
True
The property type is file:path.
- :path:ext / it:exec:file:read:path:ext
The file extension of the file name (parsed from :path). It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :path:base / it:exec:file:read:path:base
The final component of the file path (parsed from :path). It has the following property options set:
Read Only:
True
The property type is file:base.
- :file / it:exec:file:read:file
The file that was read.
The property type is file:bytes.
- :sandbox:file / it:exec:file:read:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:file:write
An instance of a host writing a file to a filesystem.
The base type for the form can be found at it:exec:file:write.
Properties:
- :proc / it:exec:file:write:proc
The main process executing code that wrote to / modified the existing file.
The property type is it:exec:proc.
- :host / it:exec:file:write:host
The host running the process that wrote to the file. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:file:write:exe
The specific file containing code that wrote to the file. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:file:write:time
The time the file was written to/modified.
The property type is time.
- :path / it:exec:file:write:path
The path where the file was written to/modified.
The property type is file:path.
- :path:dir / it:exec:file:write:path:dir
The parent directory of the file path (parsed from :path). It has the following property options set:
Read Only:
True
The property type is file:path.
- :path:ext / it:exec:file:write:path:ext
The file extension of the file name (parsed from :path). It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :path:base / it:exec:file:write:path:base
The final component of the file path (parsed from :path). It has the following property options set:
Read Only:
True
The property type is file:base.
- :file / it:exec:file:write:file
The file that was modified.
The property type is file:bytes.
- :sandbox:file / it:exec:file:write:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:loadlib
A library load event in a process.
The base type for the form can be found at it:exec:loadlib.
Properties:
- :proc / it:exec:loadlib:proc
The process where the library was loaded.
The property type is it:exec:proc.
- :va / it:exec:loadlib:va
The base memory address where the library was loaded in the process.
The property type is int.
- :loaded / it:exec:loadlib:loaded
The time the library was loaded.
The property type is time.
- :unloaded / it:exec:loadlib:unloaded
The time the library was unloaded.
The property type is time.
- :path / it:exec:loadlib:path
The path that the library was loaded from.
The property type is file:path.
- :file / it:exec:loadlib:file
The library file that was loaded.
The property type is file:bytes.
- :sandbox:file / it:exec:loadlib:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:mmap
A memory mapped segment located in a process.
The base type for the form can be found at it:exec:mmap.
Properties:
- :proc / it:exec:mmap:proc
The process where the memory was mapped.
The property type is it:exec:proc.
- :va / it:exec:mmap:va
The base memory address where the map was created in the process.
The property type is int.
- :size / it:exec:mmap:size
The size of the memory map in bytes.
The property type is int.
- :perms:read / it:exec:mmap:perms:read
True if the mmap is mapped with read permissions.
The property type is bool.
- :perms:write / it:exec:mmap:perms:write
True if the mmap is mapped with write permissions.
The property type is bool.
- :perms:execute / it:exec:mmap:perms:execute
True if the mmap is mapped with execute permissions.
The property type is bool.
- :created / it:exec:mmap:created
The time the memory map was created.
The property type is time.
- :deleted / it:exec:mmap:deleted
The time the memory map was deleted.
The property type is time.
- :path / it:exec:mmap:path
The file path if the mmap is a mapped view of a file.
The property type is file:path.
- :hash:sha256 / it:exec:mmap:hash:sha256
A SHA256 hash of the memory map. Bytes may optionally be present in the axon.
The property type is hash:sha256.
- :sandbox:file / it:exec:mmap:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:mutex
A mutex created by a process at runtime.
The base type for the form can be found at it:exec:mutex.
Properties:
- :proc / it:exec:mutex:proc
The main process executing code that created the mutex.
The property type is it:exec:proc.
- :host / it:exec:mutex:host
The host running the process that created the mutex. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:mutex:exe
The specific file containing code that created the mutex. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:mutex:time
The time the mutex was created.
The property type is time.
- :name / it:exec:mutex:name
The mutex string.
The property type is it:dev:mutex.
- :sandbox:file / it:exec:mutex:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:pipe
A named pipe created by a process at runtime.
The base type for the form can be found at it:exec:pipe.
Properties:
- :proc / it:exec:pipe:proc
The main process executing code that created the named pipe.
The property type is it:exec:proc.
- :host / it:exec:pipe:host
The host running the process that created the named pipe. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:pipe:exe
The specific file containing code that created the named pipe. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:pipe:time
The time the named pipe was created.
The property type is time.
- :name / it:exec:pipe:name
The named pipe string.
The property type is it:dev:pipe.
- :sandbox:file / it:exec:pipe:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:proc
A process executing on a host. May be an actual (e.g., endpoint) or virtual (e.g., malware sandbox) host.
The base type for the form can be found at it:exec:proc.
Properties:
- :host / it:exec:proc:host
The host that executed the process. May be an actual or a virtual / notional host.
The property type is it:host.
- :exe / it:exec:proc:exe
The file considered the “main” executable for the process. For example, rundll32.exe may be considered the “main” executable for DLLs loaded by that program.
The property type is file:bytes.
- :cmd / it:exec:proc:cmd
The command string used to launch the process, including any command line parameters. It has the following property options set:
disp:
{'hint': 'text'}
The property type is it:cmd.
- :pid / it:exec:proc:pid
The process ID.
The property type is int.
- :time / it:exec:proc:time
The start time for the process.
The property type is time.
- :exited / it:exec:proc:exited
The time the process exited.
The property type is time.
- :exitcode / it:exec:proc:exitcode
The exit code for the process.
The property type is int.
- :user / it:exec:proc:user
The user name of the process owner. It has the following property options set:
deprecated:
True
The property type is inet:user.
- :account / it:exec:proc:account
The account of the process owner.
The property type is it:account.
- :path / it:exec:proc:path
The path to the executable of the process.
The property type is file:path.
- :src:exe / it:exec:proc:src:exe
The path to the executable which started the process.
The property type is file:path.
- :src:proc / it:exec:proc:src:proc
The process which created the process.
The property type is it:exec:proc.
- :killedby / it:exec:proc:killedby
The process which killed this process.
The property type is it:exec:proc.
- :sandbox:file / it:exec:proc:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:reg:del
An instance of a host deleting a registry key.
The base type for the form can be found at it:exec:reg:del.
Properties:
- :proc / it:exec:reg:del:proc
The main process executing code that deleted data from the registry.
The property type is it:exec:proc.
- :host / it:exec:reg:del:host
The host running the process that deleted data from the registry. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:reg:del:exe
The specific file containing code that deleted data from the registry. May or may not be the same :exe referenced in :proc, if present.
The property type is file:bytes.
- :time / it:exec:reg:del:time
The time the data from the registry was deleted.
The property type is time.
- :reg / it:exec:reg:del:reg
The registry key or value that was deleted.
The property type is it:dev:regval.
- :sandbox:file / it:exec:reg:del:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:reg:get
An instance of a host getting a registry key.
The base type for the form can be found at it:exec:reg:get.
Properties:
- :proc / it:exec:reg:get:proc
The main process executing code that read the registry.
The property type is it:exec:proc.
- :host / it:exec:reg:get:host
The host running the process that read the registry. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:reg:get:exe
The specific file containing code that read the registry. May or may not be the same :exe referenced in :proc, if present.
The property type is file:bytes.
- :time / it:exec:reg:get:time
The time the registry was read.
The property type is time.
- :reg / it:exec:reg:get:reg
The registry key or value that was read.
The property type is it:dev:regval.
- :sandbox:file / it:exec:reg:get:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:reg:set
An instance of a host creating or setting a registry key.
The base type for the form can be found at it:exec:reg:set.
Properties:
- :proc / it:exec:reg:set:proc
The main process executing code that wrote to the registry.
The property type is it:exec:proc.
- :host / it:exec:reg:set:host
The host running the process that wrote to the registry. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:reg:set:exe
The specific file containing code that wrote to the registry. May or may not be the same :exe referenced in :proc, if present.
The property type is file:bytes.
- :time / it:exec:reg:set:time
The time the registry was written to.
The property type is time.
- :reg / it:exec:reg:set:reg
The registry key or value that was written to.
The property type is it:dev:regval.
- :sandbox:file / it:exec:reg:set:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:thread
A thread executing in a process.
The base type for the form can be found at it:exec:thread.
Properties:
- :proc / it:exec:thread:proc
The process which contains the thread.
The property type is it:exec:proc.
- :created / it:exec:thread:created
The time the thread was created.
The property type is time.
- :exited / it:exec:thread:exited
The time the thread exited.
The property type is time.
- :exitcode / it:exec:thread:exitcode
The exit code or return value for the thread.
The property type is int.
- :src:proc / it:exec:thread:src:proc
An external process which created the thread.
The property type is it:exec:proc.
- :src:thread / it:exec:thread:src:thread
The thread which created this thread.
The property type is it:exec:thread.
- :sandbox:file / it:exec:thread:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:exec:url
An instance of a host requesting a URL.
The base type for the form can be found at it:exec:url.
Properties:
- :proc / it:exec:url:proc
The main process executing code that requested the URL.
The property type is it:exec:proc.
- :browser / it:exec:url:browser
The software version of the browser.
The property type is it:prod:softver.
- :host / it:exec:url:host
The host running the process that requested the URL. Typically the same host referenced in :proc, if present.
The property type is it:host.
- :exe / it:exec:url:exe
The specific file containing code that requested the URL. May or may not be the same :exe specified in :proc, if present.
The property type is file:bytes.
- :time / it:exec:url:time
The time the URL was requested.
The property type is time.
- :url / it:exec:url:url
The URL that was requested.
The property type is inet:url.
- :page:pdf / it:exec:url:page:pdf
The rendered DOM saved as a PDF file.
The property type is file:bytes.
- :page:html / it:exec:url:page:html
The rendered DOM saved as an HTML file.
The property type is file:bytes.
- :page:image / it:exec:url:page:image
The rendered DOM saved as an image.
The property type is file:bytes.
- :http:request / it:exec:url:http:request
The HTTP request made to retrieve the intial URL contents.
The property type is inet:http:request.
- :client / it:exec:url:client
The address of the client during the URL retrieval.
The property type is inet:client.
- :client:ipv4 / it:exec:url:client:ipv4
The IPv4 of the client during the URL retrieval..
The property type is inet:ipv4.
- :client:ipv6 / it:exec:url:client:ipv6
The IPv6 of the client during the URL retrieval..
The property type is inet:ipv6.
- :client:port / it:exec:url:client:port
The client port during the URL retrieval..
The property type is inet:port.
- :sandbox:file / it:exec:url:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:fs:file
A file on a host.
The base type for the form can be found at it:fs:file.
Properties:
- :host / it:fs:file:host
The host containing the file.
The property type is it:host.
- :path / it:fs:file:path
The path for the file.
The property type is file:path.
- :path:dir / it:fs:file:path:dir
The parent directory of the file path (parsed from :path). It has the following property options set:
Read Only:
True
The property type is file:path.
- :path:ext / it:fs:file:path:ext
The file extension of the file name (parsed from :path). It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :path:base / it:fs:file:path:base
The final component of the file path (parsed from :path). It has the following property options set:
Read Only:
True
The property type is file:base.
- :file / it:fs:file:file
The file on the host.
The property type is file:bytes.
- :ctime / it:fs:file:ctime
The file creation time.
The property type is time.
- :mtime / it:fs:file:mtime
The file modification time.
The property type is time.
- :atime / it:fs:file:atime
The file access time.
The property type is time.
- :user / it:fs:file:user
The owner of the file.
The property type is inet:user.
- :group / it:fs:file:group
The group owner of the file.
The property type is inet:user.
it:group
A GUID that represents a group on a host or network.
The base type for the form can be found at it:group.
Properties:
- :name / it:group:name
The name of the group.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :desc / it:group:desc
A brief description of the group.
The property type is str.
- :host / it:group:host
The host where the group is registered.
The property type is it:host.
- :domain / it:group:domain
The authentication domain where the group is registered.
The property type is it:domain.
- :groups / it:group:groups
Groups that are a member of this group.
The property type is array. Its type has the following options set:
type:
it:groupuniq:
Truesorted:
True
- :posix:gid / it:group:posix:gid
The primary group ID of the account. It has the following property options set:
Example:
1001
The property type is int.
- :windows:sid / it:group:windows:sid
The Microsoft Windows Security Identifier of the group.
The property type is it:os:windows:sid.
it:host
A GUID that represents a host or system.
The base type for the form can be found at it:host.
Properties:
- :name / it:host:name
The name of the host or system.
The property type is it:hostname.
- :desc / it:host:desc
A free-form description of the host.
The property type is str.
- :domain / it:host:domain
The authentication domain that the host is a member of.
The property type is it:domain.
- :ipv4 / it:host:ipv4
The last known ipv4 address for the host.
The property type is inet:ipv4.
- :latlong / it:host:latlong
The last known location for the host.
The property type is geo:latlong.
- :place / it:host:place
The place where the host resides.
The property type is geo:place.
- :loc / it:host:loc
The geo-political location string for the node.
The property type is loc.
- :os / it:host:os
The operating system of the host.
The property type is it:prod:softver.
- :os:name / it:host:os:name
A software product name for the host operating system. Used for entity resolution.
The property type is it:prod:softname.
- :hardware / it:host:hardware
The hardware specification for this host.
The property type is it:prod:hardware.
- :manu / it:host:manu
Please use :hardware:make. It has the following property options set:
deprecated:
True
The property type is str.
- :model / it:host:model
Please use :hardware:model. It has the following property options set:
deprecated:
True
The property type is str.
- :serial / it:host:serial
The serial number of the host.
The property type is str.
- :operator / it:host:operator
The operator of the host.
The property type is ps:contact.
- :org / it:host:org
The org that operates the given host.
The property type is ou:org.
it:hostname
The name of a host or system.
The base type for the form can be found at it:hostname.
Properties:
it:hostsoft
A version of a software product which is present on a given host.
The base type for the form can be found at it:hostsoft.
Properties:
- :host / it:hostsoft:host
Host with the software. It has the following property options set:
Read Only:
True
The property type is it:host.
- :softver / it:hostsoft:softver
Software on the host. It has the following property options set:
Read Only:
True
The property type is it:prod:softver.
it:hosturl
A url hosted on or served by a host or system.
The base type for the form can be found at it:hosturl.
Properties:
it:log:event
A GUID representing an individual log event.
The base type for the form can be found at it:log:event.
Properties:
- :mesg / it:log:event:mesg
The log messsage text.
The property type is str.
- :severity / it:log:event:severity
A log level integer that increases with severity.
The property type is int. Its type has the following options set:
enums:
((10, 'debug'), (20, 'info'), (30, 'notice'), (40, 'warning'), (50, 'err'), (60, 'crit'), (70, 'alert'), (80, 'emerg'))
- :data / it:log:event:data
A raw JSON record of the log event.
The property type is data.
- :exe / it:log:event:exe
The executable file which caused the activity.
The property type is file:bytes.
- :proc / it:log:event:proc
The host process which caused the activity.
The property type is it:exec:proc.
- :thread / it:log:event:thread
The host thread which caused the activity.
The property type is it:exec:thread.
- :host / it:log:event:host
The host on which the activity occurred.
The property type is it:host.
- :time / it:log:event:time
The time that the activity started.
The property type is time.
- :sandbox:file / it:log:event:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:logon
A GUID that represents an individual logon/logoff event.
The base type for the form can be found at it:logon.
Properties:
- :time / it:logon:time
The time the logon occured.
The property type is time.
- :success / it:logon:success
Set to false to indicate an unsuccessful logon attempt.
The property type is bool.
- :logoff:time / it:logon:logoff:time
The time the logon session ended.
The property type is time.
- :host / it:logon:host
The host that the account logged in to.
The property type is it:host.
- :account / it:logon:account
The account that logged in.
The property type is it:account.
- :creds / it:logon:creds
The credentials that were used for the logon.
The property type is auth:creds.
- :duration / it:logon:duration
The duration of the logon session.
The property type is duration.
- :client:host / it:logon:client:host
The host where the logon originated.
The property type is it:host.
- :client:ipv4 / it:logon:client:ipv4
The IPv4 where the logon originated.
The property type is inet:ipv4.
- :client:ipv6 / it:logon:client:ipv6
The IPv6 where the logon originated.
The property type is inet:ipv6.
it:mitre:attack:group
A Mitre ATT&CK Group ID.
The base type for the form can be found at it:mitre:attack:group.
An example of it:mitre:attack:group:
G0100
Properties:
- :org / it:mitre:attack:group:org
Used to map an ATT&CK group to a synapse ou:org.
The property type is ou:org.
- :name / it:mitre:attack:group:name
The primary name for the ATT&CK group.
The property type is ou:name.
- :names / it:mitre:attack:group:names
An array of alternate names for the ATT&CK group.
The property type is array. Its type has the following options set:
type:
ou:nameuniq:
Truesorted:
True
- :desc / it:mitre:attack:group:desc
A description of the ATT&CK group. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :url / it:mitre:attack:group:url
The URL that documents the ATT&CK group.
The property type is inet:url.
- :tag / it:mitre:attack:group:tag
The synapse tag used to annotate nodes included in this ATT&CK group ID. It has the following property options set:
Example:
cno.mitre.g0100
The property type is syn:tag.
- :references / it:mitre:attack:group:references
An array of URLs that document the ATT&CK group.
The property type is array. Its type has the following options set:
type:
inet:urluniq:
True
- :techniques / it:mitre:attack:group:techniques
An array of ATT&CK technique IDs used by the group.
The property type is array. Its type has the following options set:
type:
it:mitre:attack:techniqueuniq:
Truesorted:
Truesplit:
,
- :software / it:mitre:attack:group:software
An array of ATT&CK software IDs used by the group.
The property type is array. Its type has the following options set:
type:
it:mitre:attack:softwareuniq:
Truesorted:
Truesplit:
,
it:mitre:attack:mitigation
A Mitre ATT&CK Mitigation ID.
The base type for the form can be found at it:mitre:attack:mitigation.
An example of it:mitre:attack:mitigation:
M1036
Properties:
- :name / it:mitre:attack:mitigation:name
The primary name for the ATT&CK mitigation.
The property type is str. Its type has the following options set:
strip:
True
- :desc / it:mitre:attack:mitigation:desc
A description of the ATT&CK mitigation. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str. Its type has the following options set:
strip:
True
- :url / it:mitre:attack:mitigation:url
The URL that documents the ATT&CK mitigation.
The property type is inet:url.
- :tag / it:mitre:attack:mitigation:tag
The synapse tag used to annotate nodes included in this ATT&CK mitigation. It has the following property options set:
Example:
cno.mitre.m0100
The property type is syn:tag.
- :references / it:mitre:attack:mitigation:references
An array of URLs that document the ATT&CK mitigation.
The property type is array. Its type has the following options set:
type:
inet:urluniq:
True
- :addresses / it:mitre:attack:mitigation:addresses
An array of ATT&CK technique IDs addressed by the mitigation.
The property type is array. Its type has the following options set:
type:
it:mitre:attack:techniqueuniq:
Truesorted:
Truesplit:
,
it:mitre:attack:software
A Mitre ATT&CK Software ID.
The base type for the form can be found at it:mitre:attack:software.
An example of it:mitre:attack:software:
S0154
Properties:
- :software / it:mitre:attack:software:software
Used to map an ATT&CK software to a synapse it:prod:soft.
The property type is it:prod:soft.
- :name / it:mitre:attack:software:name
The primary name for the ATT&CK software.
The property type is it:prod:softname.
- :names / it:mitre:attack:software:names
Associated names for the ATT&CK software.
The property type is array. Its type has the following options set:
type:
it:prod:softnameuniq:
Truesorted:
True
- :desc / it:mitre:attack:software:desc
A description of the ATT&CK software. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str. Its type has the following options set:
strip:
True
- :url / it:mitre:attack:software:url
The URL that documents the ATT&CK software.
The property type is inet:url.
- :tag / it:mitre:attack:software:tag
The synapse tag used to annotate nodes included in this ATT&CK software. It has the following property options set:
Example:
cno.mitre.s0100
The property type is syn:tag.
- :references / it:mitre:attack:software:references
An array of URLs that document the ATT&CK software.
The property type is array. Its type has the following options set:
type:
inet:urluniq:
True
- :techniques / it:mitre:attack:software:techniques
An array of techniques used by the software.
The property type is array. Its type has the following options set:
type:
it:mitre:attack:techniqueuniq:
Truesorted:
Truesplit:
,
it:mitre:attack:tactic
A Mitre ATT&CK Tactic ID.
The base type for the form can be found at it:mitre:attack:tactic.
An example of it:mitre:attack:tactic:
TA0040
Properties:
- :name / it:mitre:attack:tactic:name
The primary name for the ATT&CK tactic.
The property type is str. Its type has the following options set:
strip:
True
- :desc / it:mitre:attack:tactic:desc
A description of the ATT&CK tactic. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :url / it:mitre:attack:tactic:url
The URL that documents the ATT&CK tactic.
The property type is inet:url.
- :tag / it:mitre:attack:tactic:tag
The synapse tag used to annotate nodes included in this ATT&CK tactic. It has the following property options set:
Example:
cno.mitre.ta0100
The property type is syn:tag.
- :references / it:mitre:attack:tactic:references
An array of URLs that document the ATT&CK tactic.
The property type is array. Its type has the following options set:
type:
inet:urluniq:
True
it:mitre:attack:technique
A Mitre ATT&CK Technique ID.
The base type for the form can be found at it:mitre:attack:technique.
An example of it:mitre:attack:technique:
T1548
Properties:
- :name / it:mitre:attack:technique:name
The primary name for the ATT&CK technique.
The property type is str. Its type has the following options set:
strip:
True
- :status / it:mitre:attack:technique:status
The status of this ATT&CK technique.
The property type is it:mitre:attack:status.
- :isnow / it:mitre:attack:technique:isnow
If deprecated, this field may contain the current value for the technique.
The property type is it:mitre:attack:technique.
- :desc / it:mitre:attack:technique:desc
A description of the ATT&CK technique. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str. Its type has the following options set:
strip:
True
- :url / it:mitre:attack:technique:url
The URL that documents the ATT&CK technique.
The property type is inet:url.
- :tag / it:mitre:attack:technique:tag
The synapse tag used to annotate nodes included in this ATT&CK technique. It has the following property options set:
Example:
cno.mitre.t0100
The property type is syn:tag.
- :references / it:mitre:attack:technique:references
An array of URLs that document the ATT&CK technique.
The property type is array. Its type has the following options set:
type:
inet:urluniq:
True
- :parent / it:mitre:attack:technique:parent
The parent ATT&CK technique on this sub-technique.
The property type is it:mitre:attack:technique.
- :tactics / it:mitre:attack:technique:tactics
An array of ATT&CK tactics that include this technique.
The property type is array. Its type has the following options set:
type:
it:mitre:attack:tacticuniq:
Truesorted:
Truesplit:
,
it:network
A GUID that represents a logical network.
The base type for the form can be found at it:network.
Properties:
- :name / it:network:name
The name of the network.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :desc / it:network:desc
A brief description of the network.
The property type is str.
- :org / it:network:org
The org that owns/operates the network.
The property type is ou:org.
- :net4 / it:network:net4
The optional contiguous IPv4 address range of this network.
The property type is inet:net4.
- :net6 / it:network:net6
The optional contiguous IPv6 address range of this network.
The property type is inet:net6.
it:os:android:aaid
An android advertising identification string.
The base type for the form can be found at it:os:android:aaid.
Properties:
it:os:android:ibroadcast
The given software broadcasts the given Android intent.
The base type for the form can be found at it:os:android:ibroadcast.
Properties:
- :app / it:os:android:ibroadcast:app
The app software which broadcasts the android intent. It has the following property options set:
Read Only:
True
The property type is it:prod:softver.
- :intent / it:os:android:ibroadcast:intent
The android intent which is broadcast by the app. It has the following property options set:
Read Only:
True
The property type is it:os:android:intent.
it:os:android:ilisten
The given software listens for an android intent.
The base type for the form can be found at it:os:android:ilisten.
Properties:
- :app / it:os:android:ilisten:app
The app software which listens for the android intent. It has the following property options set:
Read Only:
True
The property type is it:prod:softver.
- :intent / it:os:android:ilisten:intent
The android intent which is listened for by the app. It has the following property options set:
Read Only:
True
The property type is it:os:android:intent.
it:os:android:intent
An android intent string.
The base type for the form can be found at it:os:android:intent.
Properties:
it:os:android:perm
An android permission string.
The base type for the form can be found at it:os:android:perm.
Properties:
it:os:android:reqperm
The given software requests the android permission.
The base type for the form can be found at it:os:android:reqperm.
Properties:
- :app / it:os:android:reqperm:app
The android app which requests the permission. It has the following property options set:
Read Only:
True
The property type is it:prod:softver.
- :perm / it:os:android:reqperm:perm
The android permission requested by the app. It has the following property options set:
Read Only:
True
The property type is it:os:android:perm.
it:os:ios:idfa
An iOS advertising identification string.
The base type for the form can be found at it:os:ios:idfa.
Properties:
it:prod:component
A specific instance of an it:prod:hardware most often as part of an it:host.
The base type for the form can be found at it:prod:component.
Properties:
- :hardware / it:prod:component:hardware
The hardware specification of this component.
The property type is it:prod:hardware.
- :serial / it:prod:component:serial
The serial number of this componenent.
The property type is str.
- :host / it:prod:component:host
The it:host which has this component installed.
The property type is it:host.
it:prod:hardware
A specification for a piece of IT hardware.
The base type for the form can be found at it:prod:hardware.
Properties:
- :name / it:prod:hardware:name
The display name for this hardware specification.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :type / it:prod:hardware:type
The type of hardware.
The property type is it:prod:hardwaretype.
- :desc / it:prod:hardware:desc
A brief description of the hardware. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :cpe / it:prod:hardware:cpe
The NIST CPE 2.3 string specifying this hardware.
The property type is it:sec:cpe.
- :make / it:prod:hardware:make
The name of the organization which manufactures this hardware.
The property type is ou:name.
- :model / it:prod:hardware:model
The model name or number for this hardware specification.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :version / it:prod:hardware:version
Version string associated with this hardware specification.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :released / it:prod:hardware:released
The initial release date for this hardware.
The property type is time.
- :parts / it:prod:hardware:parts
An array of it:prod:hadware parts included in this hardware specification.
The property type is array. Its type has the following options set:
type:
it:prod:hardwareuniq:
Truesorted:
True
it:prod:hardwaretype
An IT hardware type taxonomy.
The base type for the form can be found at it:prod:hardwaretype.
Properties:
- :title / it:prod:hardwaretype:title
A brief title of the definition.
The property type is str.
- :summary / it:prod:hardwaretype:summary
A summary of the definition. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :sort / it:prod:hardwaretype:sort
A display sort order for siblings.
The property type is int.
- :base / it:prod:hardwaretype:base
The base taxon. It has the following property options set:
Read Only:
True
The property type is taxon.
- :depth / it:prod:hardwaretype:depth
The depth indexed from 0. It has the following property options set:
Read Only:
True
The property type is int.
- :parent / it:prod:hardwaretype:parent
The taxonomy parent. It has the following property options set:
Read Only:
True
The property type is it:prod:hardwaretype.
it:prod:soft
A software product.
The base type for the form can be found at it:prod:soft.
Properties:
- :name / it:prod:soft:name
Name of the software.
The property type is it:prod:softname.
- :names / it:prod:soft:names
Observed/variant names for this software.
The property type is array. Its type has the following options set:
type:
it:prod:softnameuniq:
Truesorted:
True
- :desc / it:prod:soft:desc
A description of the software. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :desc:short / it:prod:soft:desc:short
A short description of the software.
The property type is str. Its type has the following options set:
lower:
True
- :cpe / it:prod:soft:cpe
The NIST CPE 2.3 string specifying this software.
The property type is it:sec:cpe.
- :author / it:prod:soft:author
The contact information of the org or person who authored the software.
The property type is ps:contact.
- :author:org / it:prod:soft:author:org
Organization which authored the software. It has the following property options set:
deprecated:
True
The property type is ou:org.
- :author:acct / it:prod:soft:author:acct
Web account of the software author. It has the following property options set:
deprecated:
True
The property type is inet:web:acct.
- :author:email / it:prod:soft:author:email
Email address of the sofware author. It has the following property options set:
deprecated:
True
The property type is inet:email.
- :author:person / it:prod:soft:author:person
Person who authored the software. It has the following property options set:
deprecated:
True
The property type is ps:person.
- :url / it:prod:soft:url
URL relevant for the software.
The property type is inet:url.
- :isos / it:prod:soft:isos
Set to True if the software is an operating system.
The property type is bool.
- :islib / it:prod:soft:islib
Set to True if the software is a library.
The property type is bool.
it:prod:softfile
A file is distributed by a specific software version.
The base type for the form can be found at it:prod:softfile.
Properties:
- :soft / it:prod:softfile:soft
The software which distributes the file. It has the following property options set:
Read Only:
True
The property type is it:prod:softver.
- :file / it:prod:softfile:file
The file distributed by the software. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :path / it:prod:softfile:path
The default installation path of the file.
The property type is file:path.
it:prod:softlib
A software version contains a library software version.
The base type for the form can be found at it:prod:softlib.
Properties:
- :soft / it:prod:softlib:soft
The software version that contains the library. It has the following property options set:
Read Only:
True
The property type is it:prod:softver.
- :lib / it:prod:softlib:lib
The library software version. It has the following property options set:
Read Only:
True
The property type is it:prod:softver.
it:prod:softname
A software product name.
The base type for the form can be found at it:prod:softname.
Properties:
it:prod:softos
The software version is known to be compatible with the given os software version.
The base type for the form can be found at it:prod:softos.
Properties:
- :soft / it:prod:softos:soft
The software which can run on the operating system. It has the following property options set:
Read Only:
True
The property type is it:prod:softver.
- :os / it:prod:softos:os
The operating system which the software can run on. It has the following property options set:
Read Only:
True
The property type is it:prod:softver.
it:prod:softver
A specific version of a software product.
The base type for the form can be found at it:prod:softver.
Properties:
- :software / it:prod:softver:software
Software associated with this version instance.
The property type is it:prod:soft.
- :software:name / it:prod:softver:software:name
Deprecated. Please use it:prod:softver:name. It has the following property options set:
deprecated:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :name / it:prod:softver:name
Name of the software version.
The property type is it:prod:softname.
- :names / it:prod:softver:names
Observed/variant names for this software version.
The property type is array. Its type has the following options set:
type:
it:prod:softnameuniq:
Truesorted:
True
- :desc / it:prod:softver:desc
A description of the software. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :cpe / it:prod:softver:cpe
The NIST CPE 2.3 string specifying this software version.
The property type is it:sec:cpe.
- :cves / it:prod:softver:cves
A list of CVEs that apply to this software version.
The property type is array. Its type has the following options set:
type:
it:sec:cveuniq:
Truesorted:
True
- :vers / it:prod:softver:vers
Version string associated with this version instance.
The property type is it:dev:str.
- :vers:norm / it:prod:softver:vers:norm
Normalized version of the version string.
The property type is str. Its type has the following options set:
lower:
True
- :arch / it:prod:softver:arch
Software architecture.
The property type is it:dev:str.
- :released / it:prod:softver:released
Timestamp for when this version of the software was released.
The property type is time.
- :semver / it:prod:softver:semver
System normalized semantic version number.
The property type is it:semver.
- :semver:major / it:prod:softver:semver:major
Version major number.
The property type is int.
- :semver:minor / it:prod:softver:semver:minor
Version minor number.
The property type is int.
- :semver:patch / it:prod:softver:semver:patch
Version patch number.
The property type is int.
- :semver:pre / it:prod:softver:semver:pre
Semver prerelease string.
The property type is str.
- :semver:build / it:prod:softver:semver:build
Semver build string.
The property type is str.
- :url / it:prod:softver:url
URL where a specific version of the software is available from.
The property type is inet:url.
it:reveng:filefunc
An instance of a function in an executable.
The base type for the form can be found at it:reveng:filefunc.
Properties:
- :function / it:reveng:filefunc:function
The guid matching the function. It has the following property options set:
Read Only:
True
The property type is it:reveng:function.
- :file / it:reveng:filefunc:file
The file that contains the function. It has the following property options set:
Read Only:
True
The property type is file:bytes.
- :va / it:reveng:filefunc:va
The virtual address of the first codeblock of the function.
The property type is int.
- :rank / it:reveng:filefunc:rank
The function rank score used to evaluate if it exhibits interesting behavior.
The property type is int.
- :complexity / it:reveng:filefunc:complexity
The complexity of the function.
The property type is int.
- :funccalls / it:reveng:filefunc:funccalls
Other function calls within the scope of the function.
The property type is array. Its type has the following options set:
type:
it:reveng:filefuncuniq:
Truesorted:
True
it:reveng:funcstr
A reference to a string inside a function.
The base type for the form can be found at it:reveng:funcstr.
Properties:
- :function / it:reveng:funcstr:function
The guid matching the function. It has the following property options set:
Read Only:
True
The property type is it:reveng:function.
- :string / it:reveng:funcstr:string
The string that the function references. It has the following property options set:
Read Only:
True
The property type is str.
it:reveng:function
A function inside an executable.
The base type for the form can be found at it:reveng:function.
Properties:
- :name / it:reveng:function:name
The name of the function.
The property type is str.
- :description / it:reveng:function:description
Notes concerning the function.
The property type is str.
- :impcalls / it:reveng:function:impcalls
Calls to imported library functions within the scope of the function.
The property type is array. Its type has the following options set:
type:
it:reveng:impfuncuniq:
Truesorted:
True
- :strings / it:reveng:function:strings
An array of strings referenced within the function.
The property type is array. Its type has the following options set:
type:
it:dev:struniq:
True
it:reveng:impfunc
A function from an imported library.
The base type for the form can be found at it:reveng:impfunc.
Properties:
it:screenshot
A screenshot of a host.
The base type for the form can be found at it:screenshot.
Properties:
- :image / it:screenshot:image
The image file.
The property type is file:bytes.
- :desc / it:screenshot:desc
A brief description of the screenshot. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :exe / it:screenshot:exe
The executable file which caused the activity.
The property type is file:bytes.
- :proc / it:screenshot:proc
The host process which caused the activity.
The property type is it:exec:proc.
- :thread / it:screenshot:thread
The host thread which caused the activity.
The property type is it:exec:thread.
- :host / it:screenshot:host
The host on which the activity occurred.
The property type is it:host.
- :time / it:screenshot:time
The time that the activity started.
The property type is time.
- :sandbox:file / it:screenshot:sandbox:file
The initial sample given to a sandbox environment to analyze.
The property type is file:bytes.
it:sec:c2:config
An extracted C2 config from an executable.
The base type for the form can be found at it:sec:c2:config.
Properties:
- :family / it:sec:c2:config:family
The name of the software family which uses the config.
The property type is it:prod:softname.
- :file / it:sec:c2:config:file
The file that the C2 config was extracted from.
The property type is file:bytes.
- :servers / it:sec:c2:config:servers
An array of connection URLs built from host/port/passwd combinations.
The property type is array. Its type has the following options set:
type:
inet:url
- :mutex / it:sec:c2:config:mutex
The mutex that the software uses to prevent multiple-installations.
The property type is it:dev:mutex.
- :campaigncode / it:sec:c2:config:campaigncode
The operator selected string used to identify the campaign or group of targets.
The property type is it:dev:str.
- :crypto:key / it:sec:c2:config:crypto:key
Static key material used to encrypt C2 communications.
The property type is crypto:key.
- :connect:delay / it:sec:c2:config:connect:delay
The time delay from first execution to connecting to the C2 server.
The property type is duration.
- :connect:interval / it:sec:c2:config:connect:interval
The configured duration to sleep between connections to the C2 server.
The property type is duration.
- :raw / it:sec:c2:config:raw
A JSON blob containing the raw config extracted from the binary.
The property type is data.
it:sec:cpe
A NIST CPE 2.3 Formatted String.
The base type for the form can be found at it:sec:cpe.
Properties:
- :v2_2 / it:sec:cpe:v2_2
The CPE 2.2 string which is equivalent to the primary property.
The property type is it:sec:cpe:v2_2.
- :part / it:sec:cpe:part
The “part” field from the CPE 2.3 string. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :vendor / it:sec:cpe:vendor
The “vendor” field from the CPE 2.3 string. It has the following property options set:
Read Only:
True
The property type is ou:name.
- :product / it:sec:cpe:product
The “product” field from the CPE 2.3 string. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :version / it:sec:cpe:version
The “version” field from the CPE 2.3 string. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :update / it:sec:cpe:update
The “update” field from the CPE 2.3 string. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :edition / it:sec:cpe:edition
The “edition” field from the CPE 2.3 string. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :language / it:sec:cpe:language
The “language” field from the CPE 2.3 string. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :sw_edition / it:sec:cpe:sw_edition
The “sw_edition” field from the CPE 2.3 string. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :target_sw / it:sec:cpe:target_sw
The “target_sw” field from the CPE 2.3 string. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :target_hw / it:sec:cpe:target_hw
The “target_hw” field from the CPE 2.3 string. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :other / it:sec:cpe:other
The “other” field from the CPE 2.3 string. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
it:sec:cve
A vulnerability as designated by a Common Vulnerabilities and Exposures (CVE) number.
The base type for the form can be found at it:sec:cve.
An example of it:sec:cve:
cve-2012-0158
Properties:
- :desc / it:sec:cve:desc
A free-form description of the CVE vulnerability. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :url / it:sec:cve:url
A URL linking this CVE to a full description.
The property type is inet:url.
- :references / it:sec:cve:references
An array of URLs that document the CVE ID.
The property type is array. Its type has the following options set:
type:
inet:urluniq:
Truesorted:
True
it:sec:cwe
NIST NVD Common Weaknesses Enumeration Specification.
The base type for the form can be found at it:sec:cwe.
An example of it:sec:cwe:
CWE-120
Properties:
- :name / it:sec:cwe:name
The CWE description field. It has the following property options set:
Example:
Buffer Copy without Checking Size of Input (Classic Buffer Overflow)
The property type is str.
- :desc / it:sec:cwe:desc
The CWE description field. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :url / it:sec:cwe:url
A URL linking this CWE to a full description.
The property type is inet:url.
- :parents / it:sec:cwe:parents
An array of ChildOf CWE Relationships.
The property type is array. Its type has the following options set:
type:
it:sec:cweuniq:
Truesorted:
Truesplit:
,
lang:idiom
Deprecated. Please use lang:translation.
The base type for the form can be found at lang:idiom.
Properties:
lang:trans
Deprecated. Please use lang:translation.
The base type for the form can be found at lang:trans.
Properties:
lang:translation
A translation of text from one language to another.
The base type for the form can be found at lang:translation.
Properties:
- :input / lang:translation:input
The input text. It has the following property options set:
Example:
hola
The property type is str.
- :input:lang / lang:translation:input:lang
The input language code.
The property type is lang:code.
- :output / lang:translation:output
The output text. It has the following property options set:
Example:
hi
The property type is str.
- :output:lang / lang:translation:output:lang
The output language code.
The property type is lang:code.
- :desc / lang:translation:desc
A description of the meaning of the output. It has the following property options set:
Example:
A standard greeting
The property type is str.
- :engine / lang:translation:engine
The translation engine version used.
The property type is it:prod:softver.
mat:item
A GUID assigned to a material object.
The base type for the form can be found at mat:item.
Properties:
- :name / mat:item:name
The human readable name of the material item.
The property type is str. Its type has the following options set:
lower:
True
- :spec / mat:item:spec
The mat:spec of which this item is an instance.
The property type is mat:spec.
- :place / mat:item:place
The most recent place the item is known to reside.
The property type is geo:place.
- :latlong / mat:item:latlong
The last known lat/long location of the node.
The property type is geo:latlong.
- :loc / mat:item:loc
The geo-political location string for the node.
The property type is loc.
mat:itemimage
The base type for compound node fields.
The base type for the form can be found at mat:itemimage.
Properties:
- :item / mat:itemimage:item
The item contained within the image file. It has the following property options set:
Read Only:
True
The property type is mat:item.
- :file / mat:itemimage:file
The file containing an image of the item. It has the following property options set:
Read Only:
True
The property type is file:bytes.
mat:spec
A GUID assigned to a material specification.
The base type for the form can be found at mat:spec.
Properties:
- :name / mat:spec:name
The human readable name of the material spec.
The property type is str. Its type has the following options set:
lower:
True
mat:specimage
The base type for compound node fields.
The base type for the form can be found at mat:specimage.
Properties:
- :spec / mat:specimage:spec
The spec contained within the image file. It has the following property options set:
Read Only:
True
The property type is mat:spec.
- :file / mat:specimage:file
The file containing an image of the spec. It has the following property options set:
Read Only:
True
The property type is file:bytes.
media:news
A GUID for a news article or report.
The base type for the form can be found at media:news.
Properties:
- :url / media:news:url
The (optional) URL where the news was published. It has the following property options set:
Example:
http://cnn.com/news/mars-lander.html
The property type is inet:url.
- :url:fqdn / media:news:url:fqdn
The FQDN within the news URL. It has the following property options set:
Example:
cnn.com
The property type is inet:fqdn.
- :file / media:news:file
The (optional) file blob containing or published as the news.
The property type is file:bytes.
- :title / media:news:title
Title/Headline for the news. It has the following property options set:
Example:
mars lander reaches marsdisp:
{'hint': 'text'}
The property type is str. Its type has the following options set:
lower:
True
- :summary / media:news:summary
A brief summary of the news item. It has the following property options set:
Example:
lorum ipsumdisp:
{'hint': 'text'}
The property type is str.
- :published / media:news:published
The date the news item was published. It has the following property options set:
Example:
20161201180433
The property type is time.
- :org / media:news:org
The org alias which published the news. It has the following property options set:
Example:
microsoft
The property type is ou:alias.
- :author / media:news:author
The free-form author of the news. It has the following property options set:
deprecated:
TrueExample:
stark,anthony
The property type is ps:name.
- :authors / media:news:authors
An array of authors of the news item.
The property type is array. Its type has the following options set:
type:
ps:contactsplit:
,uniq:
Truesorted:
True
- :rss:feed / media:news:rss:feed
The RSS feed that published the news.
The property type is inet:url.
meta:event
An analytically relevant event in a curated timeline.
The base type for the form can be found at meta:event.
Properties:
- :timeline / meta:event:timeline
The timeline containing the event.
The property type is meta:timeline.
- :title / meta:event:title
A title for the event.
The property type is str.
- :summary / meta:event:summary
A prose summary of the event. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :time / meta:event:time
The time that the event occurred.
The property type is time.
- :duration / meta:event:duration
The duration of the event.
The property type is duration.
- :type / meta:event:type
Type of event.
The property type is meta:event:taxonomy.
meta:event:taxonomy
A taxonomy of event types for meta:event nodes.
The base type for the form can be found at meta:event:taxonomy.
Properties:
- :title / meta:event:taxonomy:title
A brief title of the definition.
The property type is str.
- :summary / meta:event:taxonomy:summary
A summary of the definition. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :sort / meta:event:taxonomy:sort
A display sort order for siblings.
The property type is int.
- :base / meta:event:taxonomy:base
The base taxon. It has the following property options set:
Read Only:
True
The property type is taxon.
- :depth / meta:event:taxonomy:depth
The depth indexed from 0. It has the following property options set:
Read Only:
True
The property type is int.
- :parent / meta:event:taxonomy:parent
The taxonomy parent. It has the following property options set:
Read Only:
True
The property type is meta:event:taxonomy.
meta:note
An analyst note about nodes linked with -(about)> edges.
The base type for the form can be found at meta:note.
Properties:
- :text / meta:note:text
The analyst authored note text. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :author / meta:note:author
The contact information of the author.
The property type is ps:contact.
- :creator / meta:note:creator
The synapse user who authored the note.
The property type is syn:user.
- :created / meta:note:created
The time the note was created.
The property type is time.
meta:rule
A generic rule linked to matches with -(matches)> edges.
The base type for the form can be found at meta:rule.
Properties:
- :name / meta:rule:name
A name for the rule.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :desc / meta:rule:desc
A description of the rule. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :text / meta:rule:text
The text of the rule logic. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :author / meta:rule:author
The contact information of the rule author.
The property type is ps:contact.
- :created / meta:rule:created
The time the rule was initially created.
The property type is time.
- :updated / meta:rule:updated
The time the rule was most recently modified.
The property type is time.
meta:ruleset
A set of rules linked with -(has)> edges.
The base type for the form can be found at meta:ruleset.
Properties:
- :name / meta:ruleset:name
A name for the ruleset.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :desc / meta:ruleset:desc
A description of the ruleset. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :author / meta:ruleset:author
The contact information of the ruleset author.
The property type is ps:contact.
- :created / meta:ruleset:created
The time the ruleset was initially created.
The property type is time.
- :updated / meta:ruleset:updated
The time the ruleset was most recently modified.
The property type is time.
meta:seen
Annotates that the data in a node was obtained from or observed by a given source.
The base type for the form can be found at meta:seen.
Properties:
- :source / meta:seen:source
The source which observed or provided the node. It has the following property options set:
Read Only:
True
The property type is meta:source.
- :node / meta:seen:node
The node which was observed by or received from the source. It has the following property options set:
Read Only:
True
The property type is ndef.
meta:source
A data source unique identifier.
The base type for the form can be found at meta:source.
Properties:
meta:timeline
A curated timeline of analytically relevant events.
The base type for the form can be found at meta:timeline.
Properties:
- :title / meta:timeline:title
A title for the timeline. It has the following property options set:
Example:
The history of the Vertex Project
The property type is str.
- :summary / meta:timeline:summary
A prose summary of the timeline. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :type / meta:timeline:type
The type of timeline.
The property type is meta:timeline:taxonomy.
meta:timeline:taxonomy
A taxonomy of timeline types for meta:timeline nodes.
The base type for the form can be found at meta:timeline:taxonomy.
Properties:
- :title / meta:timeline:taxonomy:title
A brief title of the definition.
The property type is str.
- :summary / meta:timeline:taxonomy:summary
A summary of the definition. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :sort / meta:timeline:taxonomy:sort
A display sort order for siblings.
The property type is int.
- :base / meta:timeline:taxonomy:base
The base taxon. It has the following property options set:
Read Only:
True
The property type is taxon.
- :depth / meta:timeline:taxonomy:depth
The depth indexed from 0. It has the following property options set:
Read Only:
True
The property type is int.
- :parent / meta:timeline:taxonomy:parent
The taxonomy parent. It has the following property options set:
Read Only:
True
The property type is meta:timeline:taxonomy.
ou:attendee
A node representing a person attending a meeting, conference, or event.
The base type for the form can be found at ou:attendee.
Properties:
- :person / ou:attendee:person
The contact information for the person who attended the event.
The property type is ps:contact.
- :arrived / ou:attendee:arrived
The time when the person arrived.
The property type is time.
- :departed / ou:attendee:departed
The time when the person departed.
The property type is time.
- :roles / ou:attendee:roles
List of the roles the person had at the event.
The property type is array. Its type has the following options set:
type:
ou:rolesplit:
,uniq:
Truesorted:
True
- :meet / ou:attendee:meet
The meeting that the person attended.
The property type is ou:meet.
- :conference / ou:attendee:conference
The conference that the person attended.
The property type is ou:conference.
- :conference:event / ou:attendee:conference:event
The conference event that the person attended.
The property type is ou:conference:event.
- :contest / ou:attendee:contest
The contest that the person attended.
The property type is ou:contest.
- :preso / ou:attendee:preso
The presentation that the person attended.
The property type is ou:preso.
ou:award
An award issued by an organization.
The base type for the form can be found at ou:award.
Properties:
- :name / ou:award:name
The name of the award. It has the following property options set:
Example:
Bachelors of Science
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :type / ou:award:type
The type of award. It has the following property options set:
Example:
certification
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :org / ou:award:org
The organization which issues the award.
The property type is ou:org.
ou:campaign
Represents an orgs activity in pursuit of a goal.
The base type for the form can be found at ou:campaign.
Properties:
- :org / ou:campaign:org
The org carrying out the campaign.
The property type is ou:org.
- :org:name / ou:campaign:org:name
The name of the org responsible for the campaign. Used for entity resolution.
The property type is ou:name.
- :org:fqdn / ou:campaign:org:fqdn
The FQDN of the org responsible for the campaign. Used for entity resolution.
The property type is inet:fqdn.
- :goal / ou:campaign:goal
The assessed primary goal of the campaign.
The property type is ou:goal.
- :actors / ou:campaign:actors
Actors who participated in the campaign.
The property type is array. Its type has the following options set:
type:
ps:contactsplit:
,uniq:
Truesorted:
True
- :goals / ou:campaign:goals
Additional assessed goals of the campaign.
The property type is array. Its type has the following options set:
type:
ou:goalsplit:
,uniq:
Truesorted:
True
- :success / ou:campaign:success
Records the success/failure status of the campaign if known.
The property type is bool.
- :name / ou:campaign:name
A terse name of the campaign.
The property type is str.
- :type / ou:campaign:type
Deprecated. Use the :camptype taxonomy. It has the following property options set:
deprecated:
True
The property type is str.
- :camptype / ou:campaign:camptype
The campaign type taxonomy. It has the following property options set:
disp:
{'hint': 'taxonomy'}
The property type is ou:camptype.
- :desc / ou:campaign:desc
A description of the campaign. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :period / ou:campaign:period
A time window/interval.
The property type is ival.
- :currency / ou:campaign:currency
The name of a system of money in general use.
The property type is econ:currency.
- :cost / ou:campaign:cost
The amount of money expected, required, or given in payment for something.
The property type is econ:price.
- :budget / ou:campaign:budget
The amount of money expected, required, or given in payment for something.
The property type is econ:price.
- :goal:revenue / ou:campaign:goal:revenue
The amount of money expected, required, or given in payment for something.
The property type is econ:price.
- :result:revenue / ou:campaign:result:revenue
The amount of money expected, required, or given in payment for something.
The property type is econ:price.
- :goal:pop / ou:campaign:goal:pop
The base 64 bit signed integer type.
The property type is int.
- :result:pop / ou:campaign:result:pop
The base 64 bit signed integer type.
The property type is int.
- :team / ou:campaign:team
The org team responsible for carrying out the campaign.
The property type is ou:team.
ou:camptype
An campaign type taxonomy.
The base type for the form can be found at ou:camptype.
Properties:
- :title / ou:camptype:title
A brief title of the definition.
The property type is str.
- :summary / ou:camptype:summary
A summary of the definition. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :sort / ou:camptype:sort
A display sort order for siblings.
The property type is int.
- :base / ou:camptype:base
The base taxon. It has the following property options set:
Read Only:
True
The property type is taxon.
- :depth / ou:camptype:depth
The depth indexed from 0. It has the following property options set:
Read Only:
True
The property type is int.
- :parent / ou:camptype:parent
The taxonomy parent. It has the following property options set:
Read Only:
True
The property type is ou:camptype.
ou:conference
A conference with a name and sponsoring org.
The base type for the form can be found at ou:conference.
Properties:
- :org / ou:conference:org
The org which created/managed the conference.
The property type is ou:org.
- :organizer / ou:conference:organizer
Contact information for the primary organizer of the conference.
The property type is ps:contact.
- :sponsors / ou:conference:sponsors
An array of contacts which sponsored the conference.
The property type is array. Its type has the following options set:
type:
ps:contactuniq:
Truesorted:
True
- :name / ou:conference:name
The full name of the conference. It has the following property options set:
Example:
decfon 2017
The property type is str. Its type has the following options set:
lower:
True
- :desc / ou:conference:desc
A description of the conference. It has the following property options set:
Example:
annual cybersecurity conferencedisp:
{'hint': 'text'}
The property type is str. Its type has the following options set:
lower:
True
- :base / ou:conference:base
The base name which is shared by all conference instances. It has the following property options set:
Example:
defcon
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :start / ou:conference:start
The conference start date / time.
The property type is time.
- :end / ou:conference:end
The conference end date / time.
The property type is time.
- :place / ou:conference:place
The geo:place node where the conference was held.
The property type is geo:place.
- :url / ou:conference:url
The inet:url node for the conference website.
The property type is inet:url.
ou:conference:attendee
Deprecated. Please use ou:attendee.
The base type for the form can be found at ou:conference:attendee.
Properties:
- :conference / ou:conference:attendee:conference
The conference which was attended. It has the following property options set:
Read Only:
True
The property type is ou:conference.
- :person / ou:conference:attendee:person
The person who attended the conference. It has the following property options set:
Read Only:
True
The property type is ps:person.
- :arrived / ou:conference:attendee:arrived
The time when a person arrived to the conference.
The property type is time.
- :departed / ou:conference:attendee:departed
The time when a person departed from the conference.
The property type is time.
- :role:staff / ou:conference:attendee:role:staff
The person worked as staff at the conference.
The property type is bool.
- :role:speaker / ou:conference:attendee:role:speaker
The person was a speaker or presenter at the conference.
The property type is bool.
- :roles / ou:conference:attendee:roles
List of the roles the person had at the conference.
The property type is array. Its type has the following options set:
type:
struniq:
Truesorted:
True
ou:conference:event
A conference event with a name and associated conference.
The base type for the form can be found at ou:conference:event.
Properties:
- :conference / ou:conference:event:conference
The conference to which the event is associated. It has the following property options set:
Read Only:
True
The property type is ou:conference.
- :organizer / ou:conference:event:organizer
Contact information for the primary organizer of the event.
The property type is ps:contact.
- :sponsors / ou:conference:event:sponsors
An array of contacts which sponsored the event.
The property type is array. Its type has the following options set:
type:
ps:contactuniq:
Truesorted:
True
- :place / ou:conference:event:place
The geo:place where the event occurred.
The property type is geo:place.
- :name / ou:conference:event:name
The name of the conference event. It has the following property options set:
Example:
foobar conference dinner
The property type is str. Its type has the following options set:
lower:
True
- :desc / ou:conference:event:desc
A description of the conference event. It has the following property options set:
Example:
foobar conference networking dinner at ridge hoteldisp:
{'hint': 'text'}
The property type is str. Its type has the following options set:
lower:
True
- :url / ou:conference:event:url
The inet:url node for the conference event website.
The property type is inet:url.
- :contact / ou:conference:event:contact
Contact info for the event.
The property type is ps:contact.
- :start / ou:conference:event:start
The event start date / time.
The property type is time.
- :end / ou:conference:event:end
The event end date / time.
The property type is time.
ou:conference:event:attendee
Deprecated. Please use ou:attendee.
The base type for the form can be found at ou:conference:event:attendee.
Properties:
- :event / ou:conference:event:attendee:event
The conference event which was attended. It has the following property options set:
Read Only:
True
The property type is ou:conference:event.
- :person / ou:conference:event:attendee:person
The person who attended the conference event. It has the following property options set:
Read Only:
True
The property type is ps:person.
- :arrived / ou:conference:event:attendee:arrived
The time when a person arrived to the conference event.
The property type is time.
- :departed / ou:conference:event:attendee:departed
The time when a person departed from the conference event.
The property type is time.
- :roles / ou:conference:event:attendee:roles
List of the roles the person had at the conference event.
The property type is array. Its type has the following options set:
type:
struniq:
Truesorted:
True
ou:contest
A competitive event resulting in a ranked set of participants.
The base type for the form can be found at ou:contest.
Properties:
- :name / ou:contest:name
The name of the contest. It has the following property options set:
Example:
defcon ctf 2020
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :type / ou:contest:type
The type of contest. It has the following property options set:
Example:
cyber ctf
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :family / ou:contest:family
A name for a series of recurring contests. It has the following property options set:
Example:
defcon ctf
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :desc / ou:contest:desc
A description of the contest. It has the following property options set:
Example:
the capture-the-flag event hosted at defcon 2020disp:
{'hint': 'text'}
The property type is str. Its type has the following options set:
lower:
True
- :url / ou:contest:url
The contest website URL.
The property type is inet:url.
- :start / ou:contest:start
The contest start date / time.
The property type is time.
- :end / ou:contest:end
The contest end date / time.
The property type is time.
- :loc / ou:contest:loc
The geopolitical affiliation of the contest.
The property type is loc.
- :place / ou:contest:place
The geo:place where the contest was held.
The property type is geo:place.
- :latlong / ou:contest:latlong
The latlong where the contest was held.
The property type is geo:latlong.
- :conference / ou:contest:conference
The conference that the contest is associated with.
The property type is ou:conference.
- :contests / ou:contest:contests
An array of sub-contests that contributed to the rankings.
The property type is array. Its type has the following options set:
type:
ou:contestsplit:
,uniq:
Truesorted:
True
- :sponsors / ou:contest:sponsors
Contact information for contest sponsors.
The property type is array. Its type has the following options set:
type:
ps:contactsplit:
,uniq:
Truesorted:
True
- :organizers / ou:contest:organizers
Contact information for contest organizers.
The property type is array. Its type has the following options set:
type:
ps:contactsplit:
,uniq:
Truesorted:
True
- :participants / ou:contest:participants
Contact information for contest participants.
The property type is array. Its type has the following options set:
type:
ps:contactsplit:
,uniq:
Truesorted:
True
ou:contest:result
The results from a single contest participant.
The base type for the form can be found at ou:contest:result.
Properties:
- :contest / ou:contest:result:contest
The contest. It has the following property options set:
Read Only:
True
The property type is ou:contest.
- :participant / ou:contest:result:participant
The participant. It has the following property options set:
Read Only:
True
The property type is ps:contact.
- :rank / ou:contest:result:rank
The rank order of the participant.
The property type is int.
- :score / ou:contest:result:score
The score of the participant.
The property type is int.
- :url / ou:contest:result:url
The contest result website URL.
The property type is inet:url.
ou:contract
An contract between multiple entities.
The base type for the form can be found at ou:contract.
Properties:
- :title / ou:contract:title
A terse title for the contract.
The property type is str.
- :type / ou:contract:type
The type of contract.
The property type is ou:conttype.
- :sponsor / ou:contract:sponsor
The contract sponsor.
The property type is ps:contact.
- :parties / ou:contract:parties
The non-sponsor entities bound by the contract.
The property type is array. Its type has the following options set:
type:
ps:contactuniq:
Truesorted:
True
- :document / ou:contract:document
The best/current contract document.
The property type is file:bytes.
- :signed / ou:contract:signed
The date that the contract signing was complete.
The property type is time.
- :begins / ou:contract:begins
The date that the contract goes into effect.
The property type is time.
- :expires / ou:contract:expires
The date that the contract expires.
The property type is time.
- :completed / ou:contract:completed
The date that the contract was completed.
The property type is time.
- :terminated / ou:contract:terminated
The date that the contract was terminated.
The property type is time.
- :award:price / ou:contract:award:price
The value of the contract at time of award.
The property type is econ:currency.
- :budget:price / ou:contract:budget:price
The amount of money budgeted for the contract.
The property type is econ:currency.
- :purchase / ou:contract:purchase
Purchase details of the contract.
The property type is econ:purchase.
- :requirements / ou:contract:requirements
The requirements levied upon the parties.
The property type is array. Its type has the following options set:
type:
ou:goaluniq:
Truesorted:
True
- :types / ou:contract:types
A list of types that apply to the contract. It has the following property options set:
deprecated:
True
The property type is array. Its type has the following options set:
type:
ou:contract:typesplit:
,uniq:
Truesorted:
True
ou:conttype
A contract type taxonomy.
The base type for the form can be found at ou:conttype.
Properties:
- :title / ou:conttype:title
A brief title of the definition.
The property type is str.
- :summary / ou:conttype:summary
A summary of the definition. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :sort / ou:conttype:sort
A display sort order for siblings.
The property type is int.
- :base / ou:conttype:base
The base taxon. It has the following property options set:
Read Only:
True
The property type is taxon.
- :depth / ou:conttype:depth
The depth indexed from 0. It has the following property options set:
Read Only:
True
The property type is int.
- :parent / ou:conttype:parent
The taxonomy parent. It has the following property options set:
Read Only:
True
The property type is ou:conttype.
ou:employment
An employment type taxonomy.
The base type for the form can be found at ou:employment.
An example of ou:employment:
fulltime.salary
Properties:
- :title / ou:employment:title
A brief title of the definition.
The property type is str.
- :summary / ou:employment:summary
A summary of the definition. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :sort / ou:employment:sort
A display sort order for siblings.
The property type is int.
- :base / ou:employment:base
The base taxon. It has the following property options set:
Read Only:
True
The property type is taxon.
- :depth / ou:employment:depth
The depth indexed from 0. It has the following property options set:
Read Only:
True
The property type is int.
- :parent / ou:employment:parent
The taxonomy parent. It has the following property options set:
Read Only:
True
The property type is ou:employment.
ou:goal
An assessed or stated goal which may be abstract or org specific.
The base type for the form can be found at ou:goal.
Properties:
- :name / ou:goal:name
A terse name for the goal.
The property type is str.
- :type / ou:goal:type
A user specified goal type.
The property type is str.
- :desc / ou:goal:desc
A description of the goal. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :prev / ou:goal:prev
The previous/parent goal in a list or hierarchy.
The property type is ou:goal.
ou:hasalias
The knowledge that an organization has an alias.
The base type for the form can be found at ou:hasalias.
Properties:
ou:hasgoal
An org has an assessed or stated goal.
The base type for the form can be found at ou:hasgoal.
Properties:
- :org / ou:hasgoal:org
The org which has the goal. It has the following property options set:
Read Only:
True
The property type is ou:org.
- :goal / ou:hasgoal:goal
The goal which the org has. It has the following property options set:
Read Only:
True
The property type is ou:goal.
- :stated / ou:hasgoal:stated
Set to true/false if the goal is known to be self stated.
The property type is bool.
- :window / ou:hasgoal:window
Set if a goal has a limited time window.
The property type is ival.
ou:id:number
A unique id number issued by a specific organization.
The base type for the form can be found at ou:id:number.
Properties:
- :type / ou:id:number:type
The type of org id. It has the following property options set:
Read Only:
True
The property type is ou:id:type.
- :value / ou:id:number:value
The type of org id. It has the following property options set:
Read Only:
True
The property type is ou:id:value.
- :status / ou:id:number:status
A freeform status such as valid, suspended, expired.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :issued / ou:id:number:issued
The time at which the org issued the ID number.
The property type is time.
- :expires / ou:id:number:expires
The time at which the ID number expires.
The property type is time.
ou:id:type
A type of id number issued by an org.
The base type for the form can be found at ou:id:type.
Properties:
ou:id:update
A status update to an org:id:number.
The base type for the form can be found at ou:id:update.
Properties:
- :number / ou:id:update:number
The id number that was updated.
The property type is ou:id:number.
- :status / ou:id:update:status
The updated status of the id number.
The property type is str. Its type has the following options set:
strip:
Truelower:
True
- :time / ou:id:update:time
The date/time that the id number was updated.
The property type is time.
ou:industry
An industry classification type.
The base type for the form can be found at ou:industry.
Properties:
- :name / ou:industry:name
The name of the industry.
The property type is ou:industryname.
- :names / ou:industry:names
An array of alternative names for the industry.
The property type is array. Its type has the following options set:
type:
ou:industrynameuniq:
Truesorted:
True
- :subs / ou:industry:subs
An array of sub-industries.
The property type is array. Its type has the following options set:
type:
ou:industrysplit:
,uniq:
Truesorted:
True
- :sic / ou:industry:sic
An array of SIC codes that map to the industry.
The property type is array. Its type has the following options set:
type:
ou:sicsplit:
,uniq:
Truesorted:
True
- :naics / ou:industry:naics
An array of NAICS codes that map to the industry.
The property type is array. Its type has the following options set:
type:
ou:naicssplit:
,uniq:
Truesorted:
True
- :isic / ou:industry:isic
An array of ISIC codes that map to the industry.
The property type is array. Its type has the following options set:
type:
ou:isicsplit:
,uniq:
Truesorted:
True
- :desc / ou:industry:desc
A description of the industry. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
ou:industryname
The name of an industry.
The base type for the form can be found at ou:industryname.
Properties:
ou:jobtitle
A title for a position within an org.
The base type for the form can be found at ou:jobtitle.
Properties:
ou:jobtype
A title for a position within an org.
The base type for the form can be found at ou:jobtype.
An example of ou:jobtype:
it.dev.python
Properties:
- :title / ou:jobtype:title
A brief title of the definition.
The property type is str.
- :summary / ou:jobtype:summary
A summary of the definition. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :sort / ou:jobtype:sort
A display sort order for siblings.
The property type is int.
- :base / ou:jobtype:base
The base taxon. It has the following property options set:
Read Only:
True
The property type is taxon.
- :depth / ou:jobtype:depth
The depth indexed from 0. It has the following property options set:
Read Only:
True
The property type is int.
- :parent / ou:jobtype:parent
The taxonomy parent. It has the following property options set:
Read Only:
True
The property type is ou:jobtype.
ou:meet
An informal meeting of people which has no title or sponsor. See also: ou:conference.
The base type for the form can be found at ou:meet.
Properties:
- :name / ou:meet:name
A human friendly name for the meeting.
The property type is str. Its type has the following options set:
lower:
True
- :start / ou:meet:start
The date / time the meet starts.
The property type is time.
- :end / ou:meet:end
The date / time the meet ends.
The property type is time.
- :place / ou:meet:place
The geo:place node where the meet was held.
The property type is geo:place.
ou:meet:attendee
Deprecated. Please use ou:attendee.
The base type for the form can be found at ou:meet:attendee.
Properties:
- :meet / ou:meet:attendee:meet
The meeting which was attended. It has the following property options set:
Read Only:
True
The property type is ou:meet.
- :person / ou:meet:attendee:person
The person who attended the meeting. It has the following property options set:
Read Only:
True
The property type is ps:person.
- :arrived / ou:meet:attendee:arrived
The time when a person arrived to the meeting.
The property type is time.
- :departed / ou:meet:attendee:departed
The time when a person departed from the meeting.
The property type is time.
ou:member
Deprecated. Please use ou:position.
The base type for the form can be found at ou:member.
Properties:
- :org / ou:member:org
The GUID of the org the person is a member of. It has the following property options set:
Read Only:
True
The property type is ou:org.
- :person / ou:member:person
The GUID of the person that is a member of an org. It has the following property options set:
Read Only:
True
The property type is ps:person.
- :title / ou:member:title
The persons normalized title.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :start / ou:member:start
Earliest known association of the person with the org.
The property type is time. Its type has the following options set:
ismin:
True
- :end / ou:member:end
Most recent known association of the person with the org.
The property type is time. Its type has the following options set:
ismax:
True
ou:name
The name of an organization. This may be a formal name or informal name of the organization.
The base type for the form can be found at ou:name.
An example of ou:name:
acme corporation
Properties:
ou:opening
A job/work opening within an org.
The base type for the form can be found at ou:opening.
Properties:
- :org / ou:opening:org
The org which has the opening.
The property type is ou:org.
- :orgname / ou:opening:orgname
The name of the organization as listed in the opening.
The property type is ou:name.
- :orgfqdn / ou:opening:orgfqdn
The FQDN of the organization as listed in the opening.
The property type is inet:fqdn.
- :posted / ou:opening:posted
The date/time that the job opening was posted.
The property type is time.
- :removed / ou:opening:removed
The date/time that the job opening was removed.
The property type is time.
- :postings / ou:opening:postings
URLs where the opening is listed.
The property type is array. Its type has the following options set:
type:
inet:urluniq:
Truesorted:
True
- :contact / ou:opening:contact
The contact details to inquire about the opening.
The property type is ps:contact.
- :loc / ou:opening:loc
The geopolitical boundary of the opening.
The property type is loc.
- :jobtype / ou:opening:jobtype
The job type taxonomy.
The property type is ou:jobtype.
- :employment / ou:opening:employment
The type of employment.
The property type is ou:employment.
- :jobtitle / ou:opening:jobtitle
The title of the opening.
The property type is ou:jobtitle.
- :remote / ou:opening:remote
Set to true if the opening will allow a fully remote worker.
The property type is bool.
- :yearlypay / ou:opening:yearlypay
The yearly income associated with the opening.
The property type is econ:price.
- :paycurrency / ou:opening:paycurrency
The currency that the yearly pay was delivered in.
The property type is econ:currency.
ou:org
A GUID for a human organization such as a company or military unit.
The base type for the form can be found at ou:org.
Properties:
- :loc / ou:org:loc
Location for an organization.
The property type is loc.
- :name / ou:org:name
The localized name of an organization.
The property type is ou:name.
- :type / ou:org:type
The type of organization. It has the following property options set:
deprecated:
True
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :orgtype / ou:org:orgtype
The type of organization. It has the following property options set:
disp:
{'hint': 'taxonomy'}
The property type is ou:orgtype.
- :vitals / ou:org:vitals
The most recent/accurate ou:vitals for the org.
The property type is ou:vitals.
- :desc / ou:org:desc
A description of the org.
The property type is str.
- :logo / ou:org:logo
An image file representing the logo for the organization.
The property type is file:bytes.
- :names / ou:org:names
A list of alternate names for the organization.
The property type is array. Its type has the following options set:
type:
ou:nameuniq:
Truesorted:
True
- :alias / ou:org:alias
The default alias for an organization.
The property type is ou:alias.
- :phone / ou:org:phone
The primary phone number for the organization.
The property type is tel:phone.
- :sic / ou:org:sic
The Standard Industrial Classification code for the organization. It has the following property options set:
deprecated:
True
The property type is ou:sic.
- :naics / ou:org:naics
The North American Industry Classification System code for the organization. It has the following property options set:
deprecated:
True
The property type is ou:naics.
- :industries / ou:org:industries
The industries associated with the org.
The property type is array. Its type has the following options set:
type:
ou:industryuniq:
Truesorted:
True
- :us:cage / ou:org:us:cage
The Commercial and Government Entity (CAGE) code for the organization.
The property type is gov:us:cage.
- :founded / ou:org:founded
The date on which the org was founded.
The property type is time.
- :dissolved / ou:org:dissolved
The date on which the org was dissolved.
The property type is time.
- :url / ou:org:url
The primary url for the organization.
The property type is inet:url.
- :subs / ou:org:subs
An set of sub-organizations.
The property type is array. Its type has the following options set:
type:
ou:orguniq:
Truesorted:
True
- :orgchart / ou:org:orgchart
The root node for an orgchart made up ou:position nodes.
The property type is ou:position.
- :hq / ou:org:hq
A collection of contact information for the “main office” of an org.
The property type is ps:contact.
- :locations / ou:org:locations
An array of contacts for facilities operated by the org.
The property type is array. Its type has the following options set:
type:
ps:contactuniq:
Truesorted:
True
- :dns:mx / ou:org:dns:mx
An array of MX domains used by email addresses issued by the org.
The property type is array. Its type has the following options set:
type:
inet:fqdnuniq:
Truesorted:
True
ou:org:has
An org owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.
The base type for the form can be found at ou:org:has.
Properties:
- :org / ou:org:has:org
The org who owns or controls the object or resource. It has the following property options set:
Read Only:
True
The property type is ou:org.
- :node / ou:org:has:node
The object or resource that is owned or controlled by the org. It has the following property options set:
Read Only:
True
The property type is ndef.
- :node:form / ou:org:has:node:form
The form of the object or resource that is owned or controlled by the org. It has the following property options set:
Read Only:
True
The property type is str.
ou:orgnet4
An organization’s IPv4 netblock.
The base type for the form can be found at ou:orgnet4.
Properties:
- :org / ou:orgnet4:org
The org guid which owns the netblock. It has the following property options set:
Read Only:
True
The property type is ou:org.
- :net / ou:orgnet4:net
Netblock owned by the organization. It has the following property options set:
Read Only:
True
The property type is inet:net4.
- :name / ou:orgnet4:name
The name that the organization assigns to this netblock.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
ou:orgnet6
An organization’s IPv6 netblock.
The base type for the form can be found at ou:orgnet6.
Properties:
- :org / ou:orgnet6:org
The org guid which owns the netblock. It has the following property options set:
Read Only:
True
The property type is ou:org.
- :net / ou:orgnet6:net
Netblock owned by the organization. It has the following property options set:
Read Only:
True
The property type is inet:net6.
- :name / ou:orgnet6:name
The name that the organization assigns to this netblock.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
ou:orgtype
An org type taxonomy.
The base type for the form can be found at ou:orgtype.
Properties:
- :title / ou:orgtype:title
A brief title of the definition.
The property type is str.
- :summary / ou:orgtype:summary
A summary of the definition. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :sort / ou:orgtype:sort
A display sort order for siblings.
The property type is int.
- :base / ou:orgtype:base
The base taxon. It has the following property options set:
Read Only:
True
The property type is taxon.
- :depth / ou:orgtype:depth
The depth indexed from 0. It has the following property options set:
Read Only:
True
The property type is int.
- :parent / ou:orgtype:parent
The taxonomy parent. It has the following property options set:
Read Only:
True
The property type is ou:orgtype.
ou:position
A position within an org. May be organized into an org chart.
The base type for the form can be found at ou:position.
Properties:
- :org / ou:position:org
The org which has the position.
The property type is ou:org.
- :team / ou:position:team
The team that the position is a member of.
The property type is ou:team.
- :contact / ou:position:contact
The contact info for the person who holds the position.
The property type is ps:contact.
- :title / ou:position:title
The title of the position.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :reports / ou:position:reports
An array of positions which report to this position.
The property type is array. Its type has the following options set:
type:
ou:positionuniq:
Truesorted:
True
ou:preso
A webinar, conference talk, or other type of presentation.
The base type for the form can be found at ou:preso.
Properties:
- :organizer / ou:preso:organizer
Contact information for the primary organizer of the presentation.
The property type is ps:contact.
- :sponsors / ou:preso:sponsors
A set of contacts which sponsored the presentation.
The property type is array. Its type has the following options set:
type:
ps:contactuniq:
Truesorted:
True
- :presenters / ou:preso:presenters
A set of contacts which gave the presentation.
The property type is array. Its type has the following options set:
type:
ps:contactuniq:
Truesorted:
True
- :title / ou:preso:title
The full name of the presentation. It has the following property options set:
Example:
Synapse 101 - 2021/06/22
The property type is str. Its type has the following options set:
lower:
True
- :desc / ou:preso:desc
A description of the presentation. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str. Its type has the following options set:
lower:
True
- :time / ou:preso:time
The scheduled presentation start time.
The property type is time.
- :duration / ou:preso:duration
The scheduled duration of the presentation.
The property type is duration.
- :loc / ou:preso:loc
The geopolitical location string for where the presentation was given.
The property type is loc.
- :place / ou:preso:place
The geo:place node where the presentation was held.
The property type is geo:place.
- :deck:url / ou:preso:deck:url
The URL hosting a copy of the presentation materials.
The property type is inet:url.
- :deck:file / ou:preso:deck:file
A file containing the presentation materials.
The property type is file:bytes.
- :attendee:url / ou:preso:attendee:url
The URL visited by live attendees of the presentation.
The property type is inet:url.
- :recording:url / ou:preso:recording:url
The URL hosting a recording of the presentation.
The property type is inet:url.
- :recording:file / ou:preso:recording:file
A file containing a recording of the presentation.
The property type is file:bytes.
- :conference / ou:preso:conference
The conference which hosted the presentation.
The property type is ou:conference.
ou:suborg
Any parent/child relationship between two orgs. May represent ownership, organizational structure, etc.
The base type for the form can be found at ou:suborg.
Properties:
- :org / ou:suborg:org
The org which owns the sub organization. It has the following property options set:
Read Only:
True
The property type is ou:org.
- :sub / ou:suborg:sub
The sub org which owned by the org. It has the following property options set:
Read Only:
True
The property type is ou:org.
- :perc / ou:suborg:perc
The optional percentage of sub which is owned by org.
The property type is int. Its type has the following options set:
min:
0max:
100
- :founded / ou:suborg:founded
The date on which the suborg relationship was founded.
The property type is time.
- :dissolved / ou:suborg:dissolved
The date on which the suborg relationship was dissolved.
The property type is time.
- :current / ou:suborg:current
Bool indicating if the suborg relationship still current.
The property type is bool.
ou:team
A GUID for a team within an organization.
The base type for the form can be found at ou:team.
Properties:
ou:user
A user name within an organization.
The base type for the form can be found at ou:user.
Properties:
- :org / ou:user:org
The org guid which owns the netblock. It has the following property options set:
Read Only:
True
The property type is ou:org.
- :user / ou:user:user
The username associated with the organization. It has the following property options set:
Read Only:
True
The property type is inet:user.
ou:vitals
Vital statistics about an org for a given time period.
The base type for the form can be found at ou:vitals.
Properties:
- :asof / ou:vitals:asof
The time that the vitals represent.
The property type is time.
- :org / ou:vitals:org
The resolved org.
The property type is ou:org.
- :orgname / ou:vitals:orgname
The org name as reported by the source of the vitals.
The property type is ou:name.
- :orgfqdn / ou:vitals:orgfqdn
The org FQDN as reported by the source of the vitals.
The property type is inet:fqdn.
- :currency / ou:vitals:currency
The currency of the econ:price values.
The property type is econ:currency.
- :costs / ou:vitals:costs
The costs/expendatures over the period.
The property type is econ:price.
- :revenue / ou:vitals:revenue
The gross revenue over the period.
The property type is econ:price.
- :profit / ou:vitals:profit
The net profit over the period.
The property type is econ:price.
- :valuation / ou:vitals:valuation
The assesed value of the org.
The property type is econ:price.
- :shares / ou:vitals:shares
The number of shares outstanding.
The property type is int.
- :population / ou:vitals:population
The population of the org.
The property type is int.
- :delta:costs / ou:vitals:delta:costs
The change in costs over last period.
The property type is econ:price.
- :delta:revenue / ou:vitals:delta:revenue
The change in revenue over last period.
The property type is econ:price.
- :delta:profit / ou:vitals:delta:profit
The change in profit over last period.
The property type is econ:price.
- :delta:valuation / ou:vitals:delta:valuation
The change in valuation over last period.
The property type is econ:price.
- :delta:population / ou:vitals:delta:population
The change in population over last period.
The property type is int.
pol:country
A GUID for a country.
The base type for the form can be found at pol:country.
Properties:
- :flag / pol:country:flag
The file bytes type with SHA256 based primary property.
The property type is file:bytes.
- :founded / pol:country:founded
A date/time value.
The property type is time.
- :iso2 / pol:country:iso2
The 2 digit ISO country code.
The property type is pol:iso2.
- :iso3 / pol:country:iso3
The 3 digit ISO country code.
The property type is pol:iso3.
- :isonum / pol:country:isonum
The ISO integer country code.
The property type is pol:isonum.
- :name / pol:country:name
The base string type.
The property type is str. Its type has the following options set:
lower:
True
- :pop / pol:country:pop
The base 64 bit signed integer type.
The property type is int.
- :tld / pol:country:tld
A Fully Qualified Domain Name (FQDN).
The property type is inet:fqdn.
proj:attachment
The base GUID type.
The base type for the form can be found at proj:attachment.
Properties:
- :name / proj:attachment:name
A file name with no path.
The property type is file:base.
- :file / proj:attachment:file
The file bytes type with SHA256 based primary property.
The property type is file:bytes.
- :creator / proj:attachment:creator
A Synapse user GUID.
The property type is syn:user.
- :created / proj:attachment:created
A date/time value.
The property type is time.
- :ticket / proj:attachment:ticket
The base GUID type.
The property type is proj:ticket.
- :comment / proj:attachment:comment
The base GUID type.
The property type is proj:comment.
proj:comment
The base GUID type.
The base type for the form can be found at proj:comment.
Properties:
- :creator / proj:comment:creator
A Synapse user GUID.
The property type is syn:user.
- :created / proj:comment:created
A date/time value.
The property type is time.
- :updated / proj:comment:updated
A date/time value.
The property type is time.
- :ticket / proj:comment:ticket
The base GUID type.
The property type is proj:ticket.
- :text / proj:comment:text
The base string type.
The property type is str.
proj:epic
The base GUID type.
The base type for the form can be found at proj:epic.
Properties:
- :name / proj:epic:name
The base string type.
The property type is str. Its type has the following options set:
onespace:
True
- :project / proj:epic:project
The base GUID type.
The property type is proj:project.
- :creator / proj:epic:creator
A Synapse user GUID.
The property type is syn:user.
- :created / proj:epic:created
A date/time value.
The property type is time.
- :updated / proj:epic:updated
A date/time value.
The property type is time. Its type has the following options set:
max:
True
proj:project
The base GUID type.
The base type for the form can be found at proj:project.
Properties:
- :name / proj:project:name
The project name.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :desc / proj:project:desc
The project description. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :creator / proj:project:creator
The synapse user who created the project.
The property type is syn:user.
- :created / proj:project:created
The time the project was created.
The property type is time.
proj:sprint
The base GUID type.
The base type for the form can be found at proj:sprint.
Properties:
- :name / proj:sprint:name
The name of the sprint.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :status / proj:sprint:status
The sprint status.
The property type is str. Its type has the following options set:
enums:
planned,current,completed
- :project / proj:sprint:project
The project containing the sprint.
The property type is proj:project.
- :creator / proj:sprint:creator
The synapse user who created the sprint.
The property type is syn:user.
- :created / proj:sprint:created
The date the sprint was created.
The property type is time.
- :period / proj:sprint:period
The interval for the sprint.
The property type is ival.
- :desc / proj:sprint:desc
A description of the sprint.
The property type is str.
proj:ticket
The base GUID type.
The base type for the form can be found at proj:ticket.
Properties:
- :project / proj:ticket:project
The base GUID type.
The property type is proj:project.
- :ext:id / proj:ticket:ext:id
A ticket ID from an external system.
The property type is str. Its type has the following options set:
strip:
True
- :ext:url / proj:ticket:ext:url
A URL to the ticket in an external system.
The property type is inet:url.
- :epic / proj:ticket:epic
The epic that includes the ticket.
The property type is proj:epic.
- :created / proj:ticket:created
The time the ticket was created.
The property type is time.
- :updated / proj:ticket:updated
The last time the ticket was updated.
The property type is time. Its type has the following options set:
max:
True
- :name / proj:ticket:name
The name of the ticket.
The property type is str. Its type has the following options set:
onespace:
True
- :desc / proj:ticket:desc
A description of the ticket.
The property type is str.
- :points / proj:ticket:points
Optional SCRUM style story points value.
The property type is int.
- :status / proj:ticket:status
The ticket completion status.
The property type is int. Its type has the following options set:
enums:
((0, 'new'), (10, 'in validation'), (20, 'in backlog'), (30, 'in sprint'), (40, 'in progress'), (50, 'in review'), (60, 'completed'), (70, 'done'), (80, 'blocked'))
- :sprint / proj:ticket:sprint
The sprint that contains the ticket.
The property type is proj:sprint.
- :priority / proj:ticket:priority
The priority of the ticket.
The property type is int. Its type has the following options set:
enums:
((0, 'none'), (10, 'lowest'), (20, 'low'), (30, 'medium'), (40, 'high'), (50, 'highest'))
- :type / proj:ticket:type
The type of ticket. (eg story / bug).
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :creator / proj:ticket:creator
The synapse user who created the ticket.
The property type is syn:user.
- :assignee / proj:ticket:assignee
The synapse user who the ticket is assigned to.
The property type is syn:user.
ps:achievement
An instance of an individual receiving an award.
The base type for the form can be found at ps:achievement.
Properties:
- :awardee / ps:achievement:awardee
The recipient of the award.
The property type is ps:contact.
- :award / ps:achievement:award
The award bestowed on the awardee.
The property type is ou:award.
- :awarded / ps:achievement:awarded
The date the award was granted to the awardee.
The property type is time.
- :expires / ps:achievement:expires
The date the award or certification expires.
The property type is time.
- :revoked / ps:achievement:revoked
The date the award was revoked by the org.
The property type is time.
ps:contact
A GUID for a contact info record.
The base type for the form can be found at ps:contact.
Properties:
- :org / ps:contact:org
The org which this contact represents.
The property type is ou:org.
- :asof / ps:contact:asof
A date/time value. It has the following property options set:
date:
The time this contact was created or modified.
The property type is time.
- :person / ps:contact:person
The ps:person GUID which owns this contact.
The property type is ps:person.
- :name / ps:contact:name
The person name listed for the contact.
The property type is ps:name.
- :title / ps:contact:title
The job/org title listed for this contact.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :photo / ps:contact:photo
The photo listed for this contact.
The property type is file:bytes.
- :orgname / ps:contact:orgname
The listed org/company name for this contact.
The property type is ou:name.
- :orgfqdn / ps:contact:orgfqdn
The listed org/company FQDN for this contact.
The property type is inet:fqdn.
- :user / ps:contact:user
The username or handle for this contact.
The property type is inet:user.
- :web:acct / ps:contact:web:acct
The social media account for this contact.
The property type is inet:web:acct.
- :web:group / ps:contact:web:group
A web group representing this contact.
The property type is inet:web:group.
- :birth:place / ps:contact:birth:place
A fully resolved place of birth for this contact.
The property type is geo:place.
- :birth:place:loc / ps:contact:birth:place:loc
The loc of the place of birth of this contact.
The property type is loc.
- :birth:place:name / ps:contact:birth:place:name
The name of the place of birth of this contact.
The property type is geo:name.
- :death:place / ps:contact:death:place
A fully resolved place of death for this contact.
The property type is geo:place.
- :death:place:loc / ps:contact:death:place:loc
The loc of the place of death of this contact.
The property type is loc.
- :death:place:name / ps:contact:death:place:name
The name of the place of death of this contact.
The property type is geo:name.
- :dob / ps:contact:dob
The date of birth for this contact.
The property type is time.
- :dod / ps:contact:dod
The date of death for this contact.
The property type is time.
- :url / ps:contact:url
The home or main site for this contact.
The property type is inet:url.
- :email / ps:contact:email
The main email address for this contact.
The property type is inet:email.
- :email:work / ps:contact:email:work
The work email address for this contact.
The property type is inet:email.
- :loc / ps:contact:loc
Best known contact geopolitical location.
The property type is loc.
- :address / ps:contact:address
The street address listed for the contact.
The property type is geo:address.
- :place / ps:contact:place
The place associated with this contact.
The property type is geo:place.
- :phone / ps:contact:phone
The main phone number for this contact.
The property type is tel:phone.
- :phone:fax / ps:contact:phone:fax
The fax number for this contact.
The property type is tel:phone.
- :phone:work / ps:contact:phone:work
The work phone number for this contact.
The property type is tel:phone.
- :id:number / ps:contact:id:number
An ID number issued by an org and associated with this contact.
The property type is ou:id:number.
- :adid / ps:contact:adid
A Advertising ID associated with this contact.
The property type is it:adid.
- :imid / ps:contact:imid
An IMID associated with the contact.
The property type is tel:mob:imid.
- :imid:imei / ps:contact:imid:imei
An IMEI associated with the contact.
The property type is tel:mob:imei.
- :imid:imsi / ps:contact:imid:imsi
An IMSI associated with the contact.
The property type is tel:mob:imsi.
- :names / ps:contact:names
The person name listed for the contact.
The property type is array. Its type has the following options set:
type:
ps:nameuniq:
Truesorted:
True
- :emails / ps:contact:emails
An array of secondary/associated email addresses.
The property type is array. Its type has the following options set:
type:
inet:emailuniq:
Truesorted:
True
- :web:accts / ps:contact:web:accts
An array of secondary/associated web accounts.
The property type is array. Its type has the following options set:
type:
inet:web:acctuniq:
Truesorted:
True
- :id:numbers / ps:contact:id:numbers
An array of secondary/associated IDs.
The property type is array. Its type has the following options set:
type:
ou:id:numberuniq:
Truesorted:
True
- :users / ps:contact:users
An array of secondary/associated user names.
The property type is array. Its type has the following options set:
type:
inet:useruniq:
Truesorted:
True
- :crypto:address / ps:contact:crypto:address
A crypto currency address associated with the contact.
The property type is crypto:currency:address.
ps:contactlist
A GUID for a list of associated contacts.
The base type for the form can be found at ps:contactlist.
Properties:
- :contacts / ps:contactlist:contacts
The array of contacts contained in the list.
The property type is array. Its type has the following options set:
type:
ps:contactuniq:
Truesplit:
,sorted:
True
- :source:host / ps:contactlist:source:host
The host from which the contact list was extracted.
The property type is it:host.
- :source:file / ps:contactlist:source:file
The file from which the contact list was extracted.
The property type is file:bytes.
- :source:acct / ps:contactlist:source:acct
The web account from which the contact list was extracted.
The property type is inet:web:acct.
ps:education
A period of education for an individual.
The base type for the form can be found at ps:education.
Properties:
- :student / ps:education:student
The contact of the person being educated.
The property type is ps:contact.
- :institution / ps:education:institution
The contact info for the org providing educational services.
The property type is ps:contact.
- :attended:first / ps:education:attended:first
The first date the student attended a class.
The property type is time.
- :attended:last / ps:education:attended:last
The last date the student attended a class.
The property type is time.
- :classes / ps:education:classes
The classes attended by the student.
The property type is array. Its type has the following options set:
type:
edu:classuniq:
Truesorted:
True
- :achievement / ps:education:achievement
The achievement awarded to the individual.
The property type is ps:achievement.
ps:name
An arbitrary, lower spaced string with normalized whitespace.
The base type for the form can be found at ps:name.
An example of ps:name:
robert grey
Properties:
ps:person
A GUID for a person.
The base type for the form can be found at ps:person.
Properties:
- :dob / ps:person:dob
The date on which the person was born.
The property type is time.
- :dod / ps:person:dod
The date on which the person died.
The property type is time.
- :img / ps:person:img
Deprecated: use ps:person:photo. It has the following property options set:
deprecated:
True
The property type is file:bytes.
- :photo / ps:person:photo
The primary image of a person.
The property type is file:bytes.
- :nick / ps:person:nick
A username commonly used by the person.
The property type is inet:user.
- :name / ps:person:name
The localized name for the person.
The property type is ps:name.
- :name:sur / ps:person:name:sur
The surname of the person.
The property type is ps:tokn.
- :name:middle / ps:person:name:middle
The middle name of the person.
The property type is ps:tokn.
- :name:given / ps:person:name:given
The given name of the person.
The property type is ps:tokn.
- :names / ps:person:names
Variations of the name for the person.
The property type is array. Its type has the following options set:
type:
ps:nameuniq:
Truesorted:
True
- :nicks / ps:person:nicks
Usernames used by the person.
The property type is array. Its type has the following options set:
type:
inet:useruniq:
Truesorted:
True
ps:person:has
A person owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.
The base type for the form can be found at ps:person:has.
Properties:
- :person / ps:person:has:person
The person who owns or controls the object or resource. It has the following property options set:
Read Only:
True
The property type is ps:person.
- :node / ps:person:has:node
The object or resource that is owned or controlled by the person. It has the following property options set:
Read Only:
True
The property type is ndef.
- :node:form / ps:person:has:node:form
The form of the object or resource that is owned or controlled by the person. It has the following property options set:
Read Only:
True
The property type is str.
ps:persona
A GUID for a suspected person.
The base type for the form can be found at ps:persona.
Properties:
- :person / ps:persona:person
The real person behind the persona.
The property type is ps:person.
- :dob / ps:persona:dob
The Date of Birth (DOB) if known.
The property type is time.
- :img / ps:persona:img
The primary image of a suspected person.
The property type is file:bytes.
- :nick / ps:persona:nick
A username commonly used by the suspected person.
The property type is inet:user.
- :name / ps:persona:name
The localized name for the suspected person.
The property type is ps:name.
- :name:sur / ps:persona:name:sur
The surname of the suspected person.
The property type is ps:tokn.
- :name:middle / ps:persona:name:middle
The middle name of the suspected person.
The property type is ps:tokn.
- :name:given / ps:persona:name:given
The given name of the suspected person.
The property type is ps:tokn.
- :names / ps:persona:names
Variations of the name for a persona.
The property type is array. Its type has the following options set:
type:
ps:nameuniq:
Truesorted:
True
- :nicks / ps:persona:nicks
Usernames used by the persona.
The property type is array. Its type has the following options set:
type:
inet:useruniq:
Truesorted:
True
ps:persona:has
A persona owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.
The base type for the form can be found at ps:persona:has.
Properties:
- :persona / ps:persona:has:persona
The persona who owns or controls the object or resource. It has the following property options set:
Read Only:
True
The property type is ps:persona.
- :node / ps:persona:has:node
The object or resource that is owned or controlled by the persona. It has the following property options set:
Read Only:
True
The property type is ndef.
- :node:form / ps:persona:has:node:form
The form of the object or resource that is owned or controlled by the persona. It has the following property options set:
Read Only:
True
The property type is str.
ps:tokn
A single name element (potentially given or sur).
The base type for the form can be found at ps:tokn.
An example of ps:tokn:
robert
Properties:
ps:workhist
A GUID representing entry in a contact’s work history.
The base type for the form can be found at ps:workhist.
Properties:
- :contact / ps:workhist:contact
The contact which has the work history.
The property type is ps:contact.
- :org / ps:workhist:org
The org that this work history orgname refers to.
The property type is ou:org.
- :orgname / ps:workhist:orgname
The reported name of the org the contact worked for.
The property type is ou:name.
- :orgfqdn / ps:workhist:orgfqdn
The reported fqdn of the org the contact worked for.
The property type is inet:fqdn.
- :jobtype / ps:workhist:jobtype
The type of job.
The property type is ou:jobtype.
- :employment / ps:workhist:employment
The type of employment.
The property type is ou:employment.
- :jobtitle / ps:workhist:jobtitle
The job title.
The property type is ou:jobtitle.
- :started / ps:workhist:started
The date that the contact began working.
The property type is time.
- :ended / ps:workhist:ended
The date that the contact stopped working.
The property type is time.
- :duration / ps:workhist:duration
The duration of the period of work.
The property type is duration.
- :pay / ps:workhist:pay
The estimated/average yearly pay for the work.
The property type is econ:price.
- :currency / ps:workhist:currency
The currency that the yearly pay was delivered in.
The property type is econ:currency.
risk:alert
An instance of an alert which indicates the presence of a risk.
The base type for the form can be found at risk:alert.
Properties:
- :type / risk:alert:type
An alert type.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :name / risk:alert:name
The alert name.
The property type is str.
- :desc / risk:alert:desc
A free-form description / overview of the alert. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :detected / risk:alert:detected
The time the alerted condition was detected.
The property type is time.
- :vuln / risk:alert:vuln
The optional vulnerability that the alert indicates.
The property type is risk:vuln.
- :attack / risk:alert:attack
A confirmed attack that this alert indicates.
The property type is risk:attack.
risk:attack
An instance of an actor attacking a target.
The base type for the form can be found at risk:attack.
Properties:
- :desc / risk:attack:desc
A description of the attack. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :type / risk:attack:type
The attack type. It has the following property options set:
Example:
cno.phishing
The property type is risk:attacktype.
- :time / risk:attack:time
Set if the time of the attack is known.
The property type is time.
- :success / risk:attack:success
Set if the attack was known to have succeeded or not.
The property type is bool.
- :targeted / risk:attack:targeted
Set if the attack was assessed to be targeted or not.
The property type is bool.
- :goal / risk:attack:goal
The tactical goal of this specific attack.
The property type is ou:goal.
- :campaign / risk:attack:campaign
Set if the attack was part of a larger campaign.
The property type is ou:campaign.
- :compromise / risk:attack:compromise
A compromise that this attack contributed to.
The property type is risk:compromise.
- :prev / risk:attack:prev
The previous/parent attack in a list or hierarchy.
The property type is risk:attack.
- :actor:org / risk:attack:actor:org
Deprecated. Please use :attacker to allow entity resolution. It has the following property options set:
deprecated:
True
The property type is ou:org.
- :actor:person / risk:attack:actor:person
Deprecated. Please use :attacker to allow entity resolution. It has the following property options set:
deprecated:
True
The property type is ps:person.
- :attacker / risk:attack:attacker
Contact information associated with the attacker.
The property type is ps:contact.
- :target / risk:attack:target
Contact information associated with the target.
The property type is ps:contact.
- :target:org / risk:attack:target:org
Deprecated. Please use :target to allow entity resolution. It has the following property options set:
deprecated:
True
The property type is ou:org.
- :target:host / risk:attack:target:host
The host was the target of the attack.
The property type is it:host.
- :target:person / risk:attack:target:person
Deprecated. Please use :target to allow entity resolution. It has the following property options set:
deprecated:
True
The property type is ps:person.
- :target:place / risk:attack:target:place
The place that was the target of the attack.
The property type is geo:place.
- :via:ipv4 / risk:attack:via:ipv4
The target host was contacted via the IPv4 address.
The property type is inet:ipv4.
- :via:ipv6 / risk:attack:via:ipv6
The target host was contacted via the IPv6 address.
The property type is inet:ipv6.
- :via:email / risk:attack:via:email
The target person/org was contacted via the email address.
The property type is inet:email.
- :via:phone / risk:attack:via:phone
The target person/org was contacted via the phone number.
The property type is tel:phone.
- :used:vuln / risk:attack:used:vuln
The actor used the vuln in the attack.
The property type is risk:vuln.
- :used:url / risk:attack:used:url
The actor used the url in the attack.
The property type is inet:url.
- :used:host / risk:attack:used:host
The actor used the host in the attack.
The property type is it:host.
- :used:email / risk:attack:used:email
The actor used the email in the attack.
The property type is inet:email.
- :used:file / risk:attack:used:file
The actor used the file in the attack.
The property type is file:bytes.
- :used:server / risk:attack:used:server
The actor used the server in the attack.
The property type is inet:server.
- :used:software / risk:attack:used:software
The actor used the software in the attack.
The property type is it:prod:softver.
risk:attacktype
An attack type taxonomy.
The base type for the form can be found at risk:attacktype.
Properties:
- :title / risk:attacktype:title
A brief title of the definition.
The property type is str.
- :summary / risk:attacktype:summary
A summary of the definition. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :sort / risk:attacktype:sort
A display sort order for siblings.
The property type is int.
- :base / risk:attacktype:base
The base taxon. It has the following property options set:
Read Only:
True
The property type is taxon.
- :depth / risk:attacktype:depth
The depth indexed from 0. It has the following property options set:
Read Only:
True
The property type is int.
- :parent / risk:attacktype:parent
The taxonomy parent. It has the following property options set:
Read Only:
True
The property type is risk:attacktype.
risk:compromise
An instance of a compromise and its aggregate impact.
The base type for the form can be found at risk:compromise.
Properties:
- :name / risk:compromise:name
A brief name for the compromise event.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :desc / risk:compromise:desc
A prose description of the compromise event. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :type / risk:compromise:type
The compromise type. It has the following property options set:
Example:
cno.breach
The property type is risk:compromisetype.
- :target / risk:compromise:target
Contact information of the target.
The property type is ps:contact.
- :attacker / risk:compromise:attacker
Contact information of the attacker.
The property type is ps:contact.
- :campaign / risk:compromise:campaign
The campaign that this compromise is part of.
The property type is ou:campaign.
- :time / risk:compromise:time
Earliest known evidence of compromise.
The property type is time.
- :lasttime / risk:compromise:lasttime
Last known evidence of compromise.
The property type is time.
- :duration / risk:compromise:duration
The duration of the compromise.
The property type is duration.
- :loss:pii / risk:compromise:loss:pii
The number of records compromised which contain PII.
The property type is int.
- :loss:econ / risk:compromise:loss:econ
The total economic cost of the compromise.
The property type is econ:price.
- :loss:life / risk:compromise:loss:life
The total loss of life due to the compromise.
The property type is int.
- :loss:bytes / risk:compromise:loss:bytes
An estimate of the volume of data compromised.
The property type is int.
- :ransom:paid / risk:compromise:ransom:paid
The value of the ransom paid by the target.
The property type is econ:price.
- :ransom:price / risk:compromise:ransom:price
The value of the ransom demanded by the attacker.
The property type is econ:price.
- :response:cost / risk:compromise:response:cost
The economic cost of the response and mitigation efforts.
The property type is econ:price.
- :theft:price / risk:compromise:theft:price
The total value of the theft of assets.
The property type is econ:price.
- :econ:currency / risk:compromise:econ:currency
The currency type for the econ:price fields.
The property type is econ:currency.
risk:compromisetype
A compromise type taxonomy.
The base type for the form can be found at risk:compromisetype.
An example of risk:compromisetype:
cno.breach
Properties:
- :title / risk:compromisetype:title
A brief title of the definition.
The property type is str.
- :summary / risk:compromisetype:summary
A summary of the definition. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :sort / risk:compromisetype:sort
A display sort order for siblings.
The property type is int.
- :base / risk:compromisetype:base
The base taxon. It has the following property options set:
Read Only:
True
The property type is taxon.
- :depth / risk:compromisetype:depth
The depth indexed from 0. It has the following property options set:
Read Only:
True
The property type is int.
- :parent / risk:compromisetype:parent
The taxonomy parent. It has the following property options set:
Read Only:
True
The property type is risk:compromisetype.
risk:hasvuln
An instance of a vulnerability present in a target.
The base type for the form can be found at risk:hasvuln.
Properties:
- :vuln / risk:hasvuln:vuln
The vulnerability present in the target.
The property type is risk:vuln.
- :person / risk:hasvuln:person
The vulnerable person.
The property type is ps:person.
- :org / risk:hasvuln:org
The vulnerable org.
The property type is ou:org.
- :place / risk:hasvuln:place
The vulnerable place.
The property type is geo:place.
- :software / risk:hasvuln:software
The vulnerable software.
The property type is it:prod:softver.
- :hardware / risk:hasvuln:hardware
The vulnerable hardware.
The property type is it:prod:hardware.
- :spec / risk:hasvuln:spec
The vulnerable material specification.
The property type is mat:spec.
- :item / risk:hasvuln:item
The vulnerable material item.
The property type is mat:item.
- :host / risk:hasvuln:host
The vulnerable host.
The property type is it:host.
risk:mitigation
A mitigation for a specific risk:vuln.
The base type for the form can be found at risk:mitigation.
Properties:
- :vuln / risk:mitigation:vuln
The vulnerability that this mitigation addresses.
The property type is risk:vuln.
- :name / risk:mitigation:name
A brief name for this risk mitigation.
The property type is str.
- :desc / risk:mitigation:desc
A description of the mitigation approach for the vulnerability. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :software / risk:mitigation:software
A software version which implements a fix for the vulnerability.
The property type is it:prod:softver.
- :hardware / risk:mitigation:hardware
A hardware version which implements a fix for the vulnerability.
The property type is it:prod:hardware.
risk:vuln
A unique vulnerability.
The base type for the form can be found at risk:vuln.
Properties:
- :name / risk:vuln:name
A user specified name for the vulnerability.
The property type is str.
- :type / risk:vuln:type
A user specified type for the vulnerability.
The property type is str.
- :desc / risk:vuln:desc
A description of the vulnerability. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :cve / risk:vuln:cve
The CVE ID of the vulnerability.
The property type is it:sec:cve.
- :cvss:av / risk:vuln:cvss:av
The CVSS Attack Vector (AV) value.
The property type is str. Its type has the following options set:
enums:
N,A,V,L
- :cvss:ac / risk:vuln:cvss:ac
The CVSS Attack Complexity (AC) value. It has the following property options set:
disp:
{'enums': (('Low', 'L'), ('High', 'H'))}
The property type is str. Its type has the following options set:
enums:
L,H
- :cvss:pr / risk:vuln:cvss:pr
The CVSS Privileges Required (PR) value. It has the following property options set:
disp:
{'enums': ({'title': 'None', 'value': 'N', 'doc': 'FIXME privs stuff'}, {'title': 'Low', 'value': 'L', 'doc': 'FIXME privs stuff'}, {'title': 'High', 'value': 'H', 'doc': 'FIXME privs stuff'})}
The property type is str. Its type has the following options set:
enums:
N,L,H
- :cvss:ui / risk:vuln:cvss:ui
The CVSS User Interaction (UI) value.
The property type is str. Its type has the following options set:
enums:
N,R
- :cvss:s / risk:vuln:cvss:s
The CVSS Scope (S) value.
The property type is str. Its type has the following options set:
enums:
U,C
- :cvss:c / risk:vuln:cvss:c
The CVSS Confidentiality Impact (C) value.
The property type is str. Its type has the following options set:
enums:
N,L,H
- :cvss:i / risk:vuln:cvss:i
The CVSS Integrity Impact (I) value.
The property type is str. Its type has the following options set:
enums:
N,L,H
- :cvss:a / risk:vuln:cvss:a
The CVSS Availability Impact (A) value.
The property type is str. Its type has the following options set:
enums:
N,L,H
- :cvss:e / risk:vuln:cvss:e
The CVSS Exploit Code Maturity (E) value.
The property type is str. Its type has the following options set:
enums:
X,U,P,F,H
- :cvss:rl / risk:vuln:cvss:rl
The CVSS Remediation Level (RL) value.
The property type is str. Its type has the following options set:
enums:
X,O,T,W,U
- :cvss:rc / risk:vuln:cvss:rc
The CVSS Report Confidence (AV) value.
The property type is str. Its type has the following options set:
enums:
X,U,R,C
- :cvss:mav / risk:vuln:cvss:mav
The CVSS Environmental Attack Vector (MAV) value.
The property type is str. Its type has the following options set:
enums:
X,N,A,L,P
- :cvss:mac / risk:vuln:cvss:mac
The CVSS Environmental Attack Complexity (MAC) value.
The property type is str. Its type has the following options set:
enums:
X,L,H
- :cvss:mpr / risk:vuln:cvss:mpr
The CVSS Environmental Privileges Required (MPR) value.
The property type is str. Its type has the following options set:
enums:
X,N,L,H
- :cvss:mui / risk:vuln:cvss:mui
The CVSS Environmental User Interaction (MUI) value.
The property type is str. Its type has the following options set:
enums:
X,N,R
- :cvss:ms / risk:vuln:cvss:ms
The CVSS Environmental Scope (MS) value.
The property type is str. Its type has the following options set:
enums:
X,U,C
- :cvss:mc / risk:vuln:cvss:mc
The CVSS Environmental Confidentiality Impact (MC) value.
The property type is str. Its type has the following options set:
enums:
X,N,L,H
- :cvss:mi / risk:vuln:cvss:mi
The CVSS Environmental Integrity Impact (MI) value.
The property type is str. Its type has the following options set:
enums:
X,N,L,H
- :cvss:ma / risk:vuln:cvss:ma
The CVSS Environmental Accessibility Impact (MA) value.
The property type is str. Its type has the following options set:
enums:
X,N,L,H
- :cvss:cr / risk:vuln:cvss:cr
The CVSS Environmental Confidentiality Requirement (CR) value.
The property type is str. Its type has the following options set:
enums:
X,L,M,H
- :cvss:ir / risk:vuln:cvss:ir
The CVSS Environmental Integrity Requirement (IR) value.
The property type is str. Its type has the following options set:
enums:
X,L,M,H
- :cvss:ar / risk:vuln:cvss:ar
The CVSS Environmental Availability Requirement (AR) value.
The property type is str. Its type has the following options set:
enums:
X,L,M,H
- :cvss:score / risk:vuln:cvss:score
The Overall CVSS Score value.
The property type is float.
- :cvss:score:base / risk:vuln:cvss:score:base
The CVSS Base Score value.
The property type is float.
- :cvss:score:temporal / risk:vuln:cvss:score:temporal
The CVSS Temporal Score value.
The property type is float.
- :cvss:score:environmental / risk:vuln:cvss:score:environmental
The CVSS Environmental Score value.
The property type is float.
- :cwes / risk:vuln:cwes
An array of MITRE CWE values that apply to the vulnerability.
The property type is array. Its type has the following options set:
type:
it:sec:cweuniq:
Truesorted:
True
rsa:key
An RSA keypair modulus and public exponent.
The base type for the form can be found at rsa:key.
Properties:
- :mod / rsa:key:mod
The RSA key modulus. It has the following property options set:
Read Only:
True
The property type is hex.
- :pub:exp / rsa:key:pub:exp
The public exponent of the key. It has the following property options set:
Read Only:
True
The property type is int.
- :bits / rsa:key:bits
The length of the modulus in bits.
The property type is int.
- :priv:exp / rsa:key:priv:exp
The private exponent of the key.
The property type is hex.
- :priv:p / rsa:key:priv:p
One of the two private primes.
The property type is hex.
- :priv:q / rsa:key:priv:q
One of the two private primes.
The property type is hex.
syn:cmd
A Synapse storm command.
The base type for the form can be found at syn:cmd.
Properties:
- :doc / syn:cmd:doc
Description of the command. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str. Its type has the following options set:
strip:
True
- :package / syn:cmd:package
Storm package which provided the command.
The property type is str. Its type has the following options set:
strip:
True
- :svciden / syn:cmd:svciden
Storm service iden which provided the package.
The property type is guid. Its type has the following options set:
strip:
True
- :input / syn:cmd:input
The list of forms accepted by the command as input. It has the following property options set:
uniq:
Truesorted:
TrueRead Only:
True
The property type is array. Its type has the following options set:
type:
syn:form
- :output / syn:cmd:output
The list of forms produced by the command as output. It has the following property options set:
uniq:
Truesorted:
TrueRead Only:
True
The property type is array. Its type has the following options set:
type:
syn:form
- :nodedata / syn:cmd:nodedata
The list of nodedata that may be added by the command. It has the following property options set:
uniq:
Truesorted:
TrueRead Only:
True
The property type is array. Its type has the following options set:
type:
syn:nodedata
syn:cron
A Cortex cron job.
The base type for the form can be found at syn:cron.
Properties:
- :doc / syn:cron:doc
A description of the cron job. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :name / syn:cron:name
A user friendly name/alias for the cron job.
The property type is str.
- :storm / syn:cron:storm
The storm query executed by the cron job. It has the following property options set:
Read Only:
Truedisp:
{'hint': 'text'}
The property type is str.
syn:form
A Synapse form used for representing nodes in the graph.
The base type for the form can be found at syn:form.
Properties:
- :doc / syn:form:doc
The docstring for the form. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
strip:
True
- :type / syn:form:type
Synapse type for this form. It has the following property options set:
Read Only:
True
The property type is syn:type.
- :runt / syn:form:runt
Whether or not the form is runtime only. It has the following property options set:
Read Only:
True
The property type is bool.
syn:prop
A Synapse property.
The base type for the form can be found at syn:prop.
Properties:
- :doc / syn:prop:doc
Description of the property definition.
The property type is str. Its type has the following options set:
strip:
True
- :form / syn:prop:form
The form of the property. It has the following property options set:
Read Only:
True
The property type is syn:form.
- :type / syn:prop:type
The synapse type for this property. It has the following property options set:
Read Only:
True
The property type is syn:type.
- :relname / syn:prop:relname
Relative property name. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
strip:
True
- :univ / syn:prop:univ
Specifies if a prop is universal. It has the following property options set:
Read Only:
True
The property type is bool.
- :base / syn:prop:base
Base name of the property. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
strip:
True
- :ro / syn:prop:ro
If the property is read-only after being set. It has the following property options set:
Read Only:
True
The property type is bool.
- :extmodel / syn:prop:extmodel
If the property is an extended model property or not. It has the following property options set:
Read Only:
True
The property type is bool.
syn:splice
A splice from a layer.
The base type for the form can be found at syn:splice.
Properties:
- :type / syn:splice:type
Type of splice. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
strip:
True
- :iden / syn:splice:iden
The iden of the node involved in the splice. It has the following property options set:
Read Only:
True
The property type is str.
- :form / syn:splice:form
The form involved in the splice. It has the following property options set:
Read Only:
True
The property type is syn:form. Its type has the following options set:
strip:
True
- :prop / syn:splice:prop
Property modified in the splice. It has the following property options set:
Read Only:
True
The property type is syn:prop. Its type has the following options set:
strip:
True
- :tag / syn:splice:tag
Tag modified in the splice. It has the following property options set:
Read Only:
True
The property type is syn:tag. Its type has the following options set:
strip:
True
- :valu / syn:splice:valu
The value being set in the splice. It has the following property options set:
Read Only:
True
The property type is data.
- :oldv / syn:splice:oldv
The value before the splice. It has the following property options set:
Read Only:
True
The property type is data.
- :user / syn:splice:user
The user who caused the splice. It has the following property options set:
Read Only:
True
The property type is guid.
- :prov / syn:splice:prov
The provenance stack of the splice. It has the following property options set:
Read Only:
True
The property type is guid.
- :time / syn:splice:time
The time the splice occurred. It has the following property options set:
Read Only:
True
The property type is time.
- :splice / syn:splice:splice
The splice. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
strip:
True
syn:tag
The base type for a synapse tag.
The base type for the form can be found at syn:tag.
Properties:
- :up / syn:tag:up
The parent tag for the tag. It has the following property options set:
Read Only:
True
The property type is syn:tag.
- :isnow / syn:tag:isnow
Set to an updated tag if the tag has been renamed.
The property type is syn:tag.
- :doc / syn:tag:doc
A short definition for the tag. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :doc:url / syn:tag:doc:url
A URL link to additional documentation about the tag.
The property type is inet:url.
- :depth / syn:tag:depth
How deep the tag is in the hierarchy. It has the following property options set:
Read Only:
True
The property type is int.
- :title / syn:tag:title
A display title for the tag.
The property type is str.
- :base / syn:tag:base
The tag base name. Eg baz for foo.bar.baz . It has the following property options set:
Read Only:
True
The property type is str.
syn:tagprop
A user defined tag property.
The base type for the form can be found at syn:tagprop.
Properties:
syn:trigger
A Cortex trigger.
The base type for the form can be found at syn:trigger.
Properties:
- :vers / syn:trigger:vers
Trigger version. It has the following property options set:
Read Only:
True
The property type is int.
- :doc / syn:trigger:doc
A documentation string describing the trigger. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :name / syn:trigger:name
A user friendly name/alias for the trigger.
The property type is str.
- :cond / syn:trigger:cond
The trigger condition. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
strip:
Truelower:
True
- :user / syn:trigger:user
User who owns the trigger. It has the following property options set:
Read Only:
True
The property type is str.
- :storm / syn:trigger:storm
The Storm query for the trigger. It has the following property options set:
Read Only:
Truedisp:
{'hint': 'text'}
The property type is str.
- :enabled / syn:trigger:enabled
Trigger enabled status. It has the following property options set:
Read Only:
True
The property type is bool.
- :form / syn:trigger:form
Form the trigger is watching for.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :prop / syn:trigger:prop
Property the trigger is watching for.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :tag / syn:trigger:tag
Tag the trigger is watching for.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
syn:type
A Synapse type used for normalizing nodes and properties.
The base type for the form can be found at syn:type.
Properties:
- :doc / syn:type:doc
The docstring for the type. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
strip:
True
- :ctor / syn:type:ctor
The python ctor path for the type object. It has the following property options set:
Read Only:
True
The property type is str. Its type has the following options set:
strip:
True
- :subof / syn:type:subof
Type which this inherits from. It has the following property options set:
Read Only:
True
The property type is syn:type.
- :opts / syn:type:opts
Arbitrary type options. It has the following property options set:
Read Only:
True
The property type is data.
tel:call
A guid for a telephone call record.
The base type for the form can be found at tel:call.
Properties:
- :src / tel:call:src
The source phone number for a call.
The property type is tel:phone.
- :dst / tel:call:dst
The destination phone number for a call.
The property type is tel:phone.
- :time / tel:call:time
The time the call was initiated.
The property type is time.
- :duration / tel:call:duration
The duration of the call in seconds.
The property type is int.
- :connected / tel:call:connected
Indicator of whether the call was connected.
The property type is bool.
- :text / tel:call:text
The text transcription of the call. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :file / tel:call:file
A file containing related media.
The property type is file:bytes.
tel:mob:carrier
The fusion of a MCC/MNC.
The base type for the form can be found at tel:mob:carrier.
Properties:
- :mcc / tel:mob:carrier:mcc
ITU Mobile Country Code. It has the following property options set:
Read Only:
True
The property type is tel:mob:mcc.
- :mnc / tel:mob:carrier:mnc
ITU Mobile Network Code. It has the following property options set:
Read Only:
True
The property type is tel:mob:mnc.
- :org / tel:mob:carrier:org
Organization operating the carrier.
The property type is ou:org.
- :loc / tel:mob:carrier:loc
Location the carrier operates from.
The property type is loc.
tel:mob:cell
A mobile cell site which a phone may connect to.
The base type for the form can be found at tel:mob:cell.
Properties:
- :carrier / tel:mob:cell:carrier
Mobile carrier. It has the following property options set:
Read Only:
True
The property type is tel:mob:carrier.
- :carrier:mcc / tel:mob:cell:carrier:mcc
Mobile Country Code. It has the following property options set:
Read Only:
True
The property type is tel:mob:mcc.
- :carrier:mnc / tel:mob:cell:carrier:mnc
Mobile Network Code. It has the following property options set:
Read Only:
True
The property type is tel:mob:mnc.
- :lac / tel:mob:cell:lac
Location Area Code. LTE networks may call this a TAC. It has the following property options set:
Read Only:
True
The property type is int.
- :cid / tel:mob:cell:cid
The Cell ID. It has the following property options set:
Read Only:
True
The property type is int.
- :radio / tel:mob:cell:radio
Cell radio type.
The property type is str. Its type has the following options set:
lower:
1onespace:
1
- :latlong / tel:mob:cell:latlong
Last known location of the cell site.
The property type is geo:latlong.
- :loc / tel:mob:cell:loc
Location at which the cell is operated.
The property type is loc.
- :place / tel:mob:cell:place
The place associated with the latlong property.
The property type is geo:place.
tel:mob:imei
An International Mobile Equipment Id.
The base type for the form can be found at tel:mob:imei.
An example of tel:mob:imei:
490154203237518
Properties:
- :tac / tel:mob:imei:tac
The Type Allocate Code within the IMEI. It has the following property options set:
Read Only:
True
The property type is tel:mob:tac.
- :serial / tel:mob:imei:serial
The serial number within the IMEI. It has the following property options set:
Read Only:
True
The property type is int.
tel:mob:imid
Fused knowledge of an IMEI/IMSI used together.
The base type for the form can be found at tel:mob:imid.
An example of tel:mob:imid:
(490154203237518, 310150123456789)
Properties:
- :imei / tel:mob:imid:imei
The IMEI for the phone hardware. It has the following property options set:
Read Only:
True
The property type is tel:mob:imei.
- :imsi / tel:mob:imid:imsi
The IMSI for the phone subscriber. It has the following property options set:
Read Only:
True
The property type is tel:mob:imsi.
tel:mob:imsi
An International Mobile Subscriber Id.
The base type for the form can be found at tel:mob:imsi.
An example of tel:mob:imsi:
310150123456789
Properties:
- :mcc / tel:mob:imsi:mcc
The Mobile Country Code. It has the following property options set:
Read Only:
True
The property type is tel:mob:mcc.
tel:mob:imsiphone
Fused knowledge of an IMSI assigned phone number.
The base type for the form can be found at tel:mob:imsiphone.
An example of tel:mob:imsiphone:
(310150123456789, "+7(495) 124-59-83")
Properties:
- :phone / tel:mob:imsiphone:phone
The phone number assigned to the IMSI. It has the following property options set:
Read Only:
True
The property type is tel:phone.
- :imsi / tel:mob:imsiphone:imsi
The IMSI with the assigned phone number. It has the following property options set:
Read Only:
True
The property type is tel:mob:imsi.
tel:mob:mcc
ITU Mobile Country Code.
The base type for the form can be found at tel:mob:mcc.
Properties:
- :loc / tel:mob:mcc:loc
Location assigned to the MCC.
The property type is loc.
tel:mob:tac
A mobile Type Allocation Code.
The base type for the form can be found at tel:mob:tac.
An example of tel:mob:tac:
49015420
Properties:
- :org / tel:mob:tac:org
The org guid for the manufacturer.
The property type is ou:org.
- :manu / tel:mob:tac:manu
The TAC manufacturer name.
The property type is str. Its type has the following options set:
lower:
1
- :model / tel:mob:tac:model
The TAC model name.
The property type is str. Its type has the following options set:
lower:
1
- :internal / tel:mob:tac:internal
The TAC internal model name.
The property type is str. Its type has the following options set:
lower:
1
tel:mob:telem
A single mobile telemetry measurement.
The base type for the form can be found at tel:mob:telem.
Properties:
- :time / tel:mob:telem:time
A date/time value.
The property type is time.
- :latlong / tel:mob:telem:latlong
A Lat/Long string specifying a point on Earth.
The property type is geo:latlong.
- :http:request / tel:mob:telem:http:request
The HTTP request that the telemetry was extracted from.
The property type is inet:http:request.
- :host / tel:mob:telem:host
The host that generated the mobile telemetry data.
The property type is it:host.
- :place / tel:mob:telem:place
The place representing the location of the mobile telemetry sample.
The property type is geo:place.
- :loc / tel:mob:telem:loc
The geo-political location of the mobile telemetry sample.
The property type is loc.
- :accuracy / tel:mob:telem:accuracy
The reported accuracy of the latlong telemetry reading.
The property type is geo:dist.
- :cell / tel:mob:telem:cell
A mobile cell site which a phone may connect to.
The property type is tel:mob:cell.
- :cell:carrier / tel:mob:telem:cell:carrier
The fusion of a MCC/MNC.
The property type is tel:mob:carrier.
- :imsi / tel:mob:telem:imsi
An International Mobile Subscriber Id.
The property type is tel:mob:imsi.
- :imei / tel:mob:telem:imei
An International Mobile Equipment Id.
The property type is tel:mob:imei.
- :phone / tel:mob:telem:phone
A phone number.
The property type is tel:phone.
- :mac / tel:mob:telem:mac
A 48-bit Media Access Control (MAC) address.
The property type is inet:mac.
- :ipv4 / tel:mob:telem:ipv4
An IPv4 address.
The property type is inet:ipv4.
- :ipv6 / tel:mob:telem:ipv6
An IPv6 address.
The property type is inet:ipv6.
- :wifi / tel:mob:telem:wifi
An SSID/MAC address combination for a wireless access point.
The property type is inet:wifi:ap.
- :wifi:ssid / tel:mob:telem:wifi:ssid
A WiFi service set identifier (SSID) name.
The property type is inet:wifi:ssid.
- :wifi:bssid / tel:mob:telem:wifi:bssid
A 48-bit Media Access Control (MAC) address.
The property type is inet:mac.
- :adid / tel:mob:telem:adid
An advertising identification string.
The property type is it:adid.
- :aaid / tel:mob:telem:aaid
An android advertising identification string.
The property type is it:os:android:aaid.
- :idfa / tel:mob:telem:idfa
An iOS advertising identification string.
The property type is it:os:ios:idfa.
- :name / tel:mob:telem:name
An arbitrary, lower spaced string with normalized whitespace.
The property type is ps:name.
- :email / tel:mob:telem:email
An e-mail address.
The property type is inet:email.
- :acct / tel:mob:telem:acct
An account with a given Internet-based site or service.
The property type is inet:web:acct.
- :app / tel:mob:telem:app
A specific version of a software product.
The property type is it:prod:softver.
- :data / tel:mob:telem:data
Arbitrary json compatible data.
The property type is data.
tel:phone
A phone number.
The base type for the form can be found at tel:phone.
An example of tel:phone:
+15558675309
Properties:
tel:txtmesg
A guid for an individual text message.
The base type for the form can be found at tel:txtmesg.
Properties:
- :from / tel:txtmesg:from
The phone number assigned to the sender.
The property type is tel:phone.
- :to / tel:txtmesg:to
The phone number assigned to the primary recipient.
The property type is tel:phone.
- :recipients / tel:txtmesg:recipients
An array of phone numbers for additional recipients of the message.
The property type is array. Its type has the following options set:
type:
tel:phoneuniq:
Truesorted:
True
- :svctype / tel:txtmesg:svctype
The message service type (sms, mms, rcs).
The property type is str. Its type has the following options set:
enums:
sms,mms,rcsstrip:
1lower:
1
- :time / tel:txtmesg:time
The time the message was sent.
The property type is time.
- :text / tel:txtmesg:text
The text of the message. It has the following property options set:
disp:
{'hint': 'text'}
The property type is str.
- :file / tel:txtmesg:file
A file containing related media.
The property type is file:bytes.
transport:air:craft
An individual aircraft.
The base type for the form can be found at transport:air:craft.
Properties:
- :tailnum / transport:air:craft:tailnum
The aircraft tail number.
The property type is transport:air:tailnum.
- :type / transport:air:craft:type
The type of aircraft.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :built / transport:air:craft:built
The date the aircraft was constructed.
The property type is time.
- :make / transport:air:craft:make
The make of the aircraft.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :model / transport:air:craft:model
The model of the aircraft.
The property type is str. Its type has the following options set:
lower:
Truestrip:
True
- :serial / transport:air:craft:serial
The serial number of the aircraft.
The property type is str. Its type has the following options set:
strip:
True
- :operator / transport:air:craft:operator
Contact info representing the person or org that operates the aircraft.
The property type is ps:contact.
transport:air:flight
An individual instance of a flight.
The base type for the form can be found at transport:air:flight.
Properties:
- :num / transport:air:flight:num
The flight number of this flight.
The property type is transport:air:flightnum.
- :scheduled:departure / transport:air:flight:scheduled:departure
The time this flight was originally scheduled to depart.
The property type is time.
- :scheduled:arrival / transport:air:flight:scheduled:arrival
The time this flight was originally scheduled to arrive.
The property type is time.
- :departed / transport:air:flight:departed
The time this flight departed.
The property type is time.
- :arrived / transport:air:flight:arrived
The time this flight arrived.
The property type is time.
- :carrier / transport:air:flight:carrier
The org which operates the given flight number.
The property type is ou:org.
- :craft / transport:air:flight:craft
The aircraft that flew this flight.
The property type is transport:air:craft.
- :tailnum / transport:air:flight:tailnum
The tail/registration number at the time the aircraft flew this flight.
The property type is transport:air:tailnum.
- :to:port / transport:air:flight:to:port
The destination airport of this flight.
The property type is transport:air:port.
- :from:port / transport:air:flight:from:port
The origin airport of this flight.
The property type is transport:air:port.
- :stops / transport:air:flight:stops
An ordered list of aiport codes for stops which occured during this flight.
The property type is array. Its type has the following options set:
type:
transport:air:port
- :cancelled / transport:air:flight:cancelled
Set to true for cancelled flights.
The property type is bool.
transport:air:flightnum
A commercial flight designator including airline and serial.
The base type for the form can be found at transport:air:flightnum.
An example of transport:air:flightnum:
ua2437
Properties:
- :carrier / transport:air:flightnum:carrier
The org which operates the given flight number.
The property type is ou:org.
- :to:port / transport:air:flightnum:to:port
The most recently registered destination for the flight number.
The property type is transport:air:port.
- :from:port / transport:air:flightnum:from:port
The most recently registered origin for the flight number.
The property type is transport:air:port.
- :stops / transport:air:flightnum:stops
An ordered list of aiport codes for the flight segments.
The property type is array. Its type has the following options set:
type:
transport:air:port
transport:air:occupant
An occupant of a specific flight.
The base type for the form can be found at transport:air:occupant.
Properties:
- :type / transport:air:occupant:type
The type of occupant such as pilot, crew or passenger.
The property type is str. Its type has the following options set:
lower:
True
- :flight / transport:air:occupant:flight
The flight that the occupant was aboard.
The property type is transport:air:flight.
- :seat / transport:air:occupant:seat
The seat assigned to the occupant.
The property type is str. Its type has the following options set:
lower:
True
- :contact / transport:air:occupant:contact
The contact information of the occupant.
The property type is ps:contact.
transport:air:port
An IATA assigned airport code.
The base type for the form can be found at transport:air:port.
Properties:
transport:air:tailnum
An aircraft registration number or military aircraft serial number.
The base type for the form can be found at transport:air:tailnum.
An example of transport:air:tailnum:
ff023
Properties:
transport:air:telem
A telemtry sample from an aircraft in transit.
The base type for the form can be found at transport:air:telem.
Properties:
- :flight / transport:air:telem:flight
The flight being measured.
The property type is transport:air:flight.
- :latlong / transport:air:telem:latlong
The lat/lon of the aircraft at the time.
The property type is geo:latlong.
- :loc / transport:air:telem:loc
The location of the aircraft at the time.
The property type is loc.
- :place / transport:air:telem:place
The place that the lat/lon geocodes to.
The property type is geo:place.
- :accuracy / transport:air:telem:accuracy
The horizontal accuracy of the latlong sample.
The property type is geo:dist.
- :altitude / transport:air:telem:altitude
The altitude of the aircraft at the time.
The property type is geo:altitude.
- :altitude:accuracy / transport:air:telem:altitude:accuracy
The vertical accuracy of the altitude measurement.
The property type is geo:dist.
- :time / transport:air:telem:time
The time the telemetry sample was taken.
The property type is time.
transport:sea:telem
A telemetry sample from a vessel in transit.
The base type for the form can be found at transport:sea:telem.
Properties:
- :vessel / transport:sea:telem:vessel
The vessel being measured.
The property type is transport:sea:vessel.
- :time / transport:sea:telem:time
The time the telemetry was sampled.
The property type is time.
- :latlong / transport:sea:telem:latlong
The lat/lon of the vessel at the time.
The property type is geo:latlong.
- :loc / transport:sea:telem:loc
The location of the vessel at the time.
The property type is loc.
- :place / transport:sea:telem:place
The place that the lat/lon geocodes to.
The property type is geo:place.
- :accuracy / transport:sea:telem:accuracy
The horizontal accuracy of the latlong sample.
The property type is geo:dist.
- :draft / transport:sea:telem:draft
The keel depth at the time.
The property type is geo:dist.
- :airdraft / transport:sea:telem:airdraft
The maximum height of the ship from the waterline.
The property type is geo:dist.
transport:sea:vessel
An individual sea vessel.
The base type for the form can be found at transport:sea:vessel.
Properties:
- :imo / transport:sea:vessel:imo
The International Maritime Organization number for the vessel.
The property type is transport:sea:imo.
- :name / transport:sea:vessel:name
The name of the vessel.
The property type is str. Its type has the following options set:
lower:
Trueonespace:
True
- :length / transport:sea:vessel:length
The official overall vessel length.
The property type is geo:dist.
- :beam / transport:sea:vessel:beam
The official overall vessel beam.
The property type is geo:dist.
- :flag / transport:sea:vessel:flag
The country the vessel is flagged to.
The property type is iso:3166:cc.
- :mmsi / transport:sea:vessel:mmsi
The Maritime Mobile Service Identifier assigned to the vessel.
The property type is transport:sea:mmsi.
- :built / transport:sea:vessel:built
The year the vessel was constructed.
The property type is time.
- :operator / transport:sea:vessel:operator
The contact information of the operator.
The property type is ps:contact.
Universal Properties
Universal props are system level properties which may be present on every node.
These properties are not specific to a particular form and exist outside of a particular namespace.
.created
The time the node was created in the cortex. It has the following property options set:
Read Only:
True
The universal property type is time.
.seen
The time interval for first/last observation of the node.
The universal property type is ival.