Synapse Data Model - Forms

Forms

Forms are derived from types, or base types. Forms represent node types in the graph.

auth:access

An instance of using creds to access a resource.

The base type for the form can be found at auth:access.

Properties:

:creds / auth:access:creds

The credentials used to attempt access.

The property type is auth:creds.

:time / auth:access:time

The time of the access attempt.

The property type is time.

:success / auth:access:success

Set to true if the access was successful.

The property type is bool.

:person / auth:access:person

The person who attempted access.

The property type is ps:person.

auth:creds

A unique set of credentials used to access a resource.

The base type for the form can be found at auth:creds.

Properties:

:email / auth:creds:email

The email address used to identify the user.

The property type is inet:email.

:user / auth:creds:user

The user name used to identify the user.

The property type is inet:user.

:phone / auth:creds:phone

The phone number used to identify the user.

The property type is tel:phone.

:passwd / auth:creds:passwd

The password used to authenticate.

The property type is inet:passwd.

:passwdhash / auth:creds:passwdhash

The password hash used to authenticate.

The property type is it:auth:passwdhash.

:account / auth:creds:account

The account that the creds allow access to.

The property type is it:account.

:website / auth:creds:website

The base URL of the website that the credentials allow access to.

The property type is inet:url.

:host / auth:creds:host

The host that the credentials allow access to.

The property type is it:host.

:wifi:ssid / auth:creds:wifi:ssid

The WiFi SSID that the credentials allow access to.

The property type is inet:wifi:ssid.

:web:acct / auth:creds:web:acct

The web account that the credentials allow access to.

The property type is inet:web:acct.

biz:bundle

A bundle allows construction of products which bundle instances of other products.

The base type for the form can be found at biz:bundle.

Properties:

:count / biz:bundle:count

The number of instances of the product or service included in the bundle.

The property type is int.

:price / biz:bundle:price

The price of the bundle.

The property type is econ:price.

:product / biz:bundle:product

The product included in the bundle.

The property type is biz:product.

:service / biz:bundle:service

The service included in the bundle.

The property type is biz:service.

:deal / biz:bundle:deal

Deprecated. Please use econ:receipt:item for instances of bundles being sold. It has the following property options set:

• deprecated: True

The property type is biz:deal.

:purchase / biz:bundle:purchase

Deprecated. Please use econ:receipt:item for instances of bundles being sold. It has the following property options set:

• deprecated: True

The property type is econ:purchase.

biz:deal

A sales or procurement effort in pursuit of a purchase.

The base type for the form can be found at biz:deal.

Properties:

:title / biz:deal:title

A title for the deal.

The property type is str.

:type / biz:deal:type

The type of deal. It has the following property options set:

• disp: {'hint': 'taxonomy'}

The property type is biz:dealtype.

:status / biz:deal:status

The status of the deal. It has the following property options set:

• disp: {'hint': 'taxonomy'}

The property type is biz:dealstatus.

:updated / biz:deal:updated

The last time the deal had a significant update.

The property type is time.

:contacted / biz:deal:contacted

The last time the contacts communicated about the deal.

The property type is time.

:rfp / biz:deal:rfp

The RFP that the deal is in response to.

The property type is biz:rfp.

:buyer / biz:deal:buyer

The primary contact information for the buyer.

The property type is ps:contact.

:buyer:org / biz:deal:buyer:org

The buyer org.

The property type is ou:org.

:buyer:orgname / biz:deal:buyer:orgname

The reported ou:name of the buyer org.

The property type is ou:name.

:buyer:orgfqdn / biz:deal:buyer:orgfqdn

The reported inet:fqdn of the buyer org.

The property type is inet:fqdn.

:seller / biz:deal:seller

The primary contact information for the seller.

The property type is ps:contact.

:seller:org / biz:deal:seller:org

The seller org.

The property type is ou:org.

:seller:orgname / biz:deal:seller:orgname

The reported ou:name of the seller org.

The property type is ou:name.

:seller:orgfqdn / biz:deal:seller:orgfqdn

The reported inet:fqdn of the seller org.

The property type is inet:fqdn.

:currency / biz:deal:currency

The currency of econ:price values associated with the deal.

The property type is econ:currency.

:buyer:budget / biz:deal:buyer:budget

The buyers budget for the eventual purchase.

The property type is econ:price.

:buyer:deadline / biz:deal:buyer:deadline

When the buyer intends to make a decision.

The property type is time.

:offer:price / biz:deal:offer:price

The total price of the offered products.

The property type is econ:price.

:offer:expires / biz:deal:offer:expires

When the offer expires.

The property type is time.

:purchase / biz:deal:purchase

Records a purchase resulting from the deal.

The property type is econ:purchase.

biz:dealstatus

A deal/rfp status taxonomy.

The base type for the form can be found at biz:dealstatus.

Properties:

:title / biz:dealstatus:title

A brief title of the definition.

The property type is str.

:summary / biz:dealstatus:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / biz:dealstatus:sort

A display sort order for siblings.

The property type is int.

:base / biz:dealstatus:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / biz:dealstatus:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / biz:dealstatus:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is biz:dealstatus.

biz:dealtype

A deal type taxonomy.

The base type for the form can be found at biz:dealtype.

Properties:

:title / biz:dealtype:title

A brief title of the definition.

The property type is str.

:summary / biz:dealtype:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / biz:dealtype:sort

A display sort order for siblings.

The property type is int.

:base / biz:dealtype:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / biz:dealtype:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / biz:dealtype:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is biz:dealtype.

biz:listing

A product or service being listed for sale at a given price by a specific seller.

The base type for the form can be found at biz:listing.

Properties:

:seller / biz:listing:seller

The contact information for the seller.

The property type is ps:contact.

:product / biz:listing:product

The product being offered.

The property type is biz:product.

:service / biz:listing:service

The service being offered.

The property type is biz:service.

:current / biz:listing:current

Set to true if the offer is still current.

The property type is bool.

:time / biz:listing:time

The first known offering of this product/service by the organization for the asking price.

The property type is time.

:expires / biz:listing:expires

Set if the offer has a known expiration date.

The property type is time.

:price / biz:listing:price

The asking price of the product or service.

The property type is econ:price.

:currency / biz:listing:currency

The currency of the asking price.

The property type is econ:currency.

biz:prodtype

A product type taxonomy.

The base type for the form can be found at biz:prodtype.

Properties:

:title / biz:prodtype:title

A brief title of the definition.

The property type is str.

:summary / biz:prodtype:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / biz:prodtype:sort

A display sort order for siblings.

The property type is int.

:base / biz:prodtype:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / biz:prodtype:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / biz:prodtype:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is biz:prodtype.

biz:product

A product which is available for purchase.

The base type for the form can be found at biz:product.

Properties:

:name / biz:product:name

The name of the product.

The property type is str.

:type / biz:product:type

The type of product. It has the following property options set:

• disp: {'hint': 'taxonomy'}

The property type is biz:prodtype.

:summary / biz:product:summary

A brief summary of the product. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:maker / biz:product:maker

A contact for the maker of the product.

The property type is ps:contact.

:madeby:org / biz:product:madeby:org

Deprecated. Please use biz:product:maker. It has the following property options set:

• deprecated: True

The property type is ou:org.

:madeby:orgname / biz:product:madeby:orgname

Deprecated. Please use biz:product:maker. It has the following property options set:

• deprecated: True

The property type is ou:name.

:madeby:orgfqdn / biz:product:madeby:orgfqdn

Deprecated. Please use biz:product:maker. It has the following property options set:

• deprecated: True

The property type is inet:fqdn.

:price:retail / biz:product:price:retail

The MSRP price of the product.

The property type is econ:price.

:price:bottom / biz:product:price:bottom

The minimum offered or observed price of the product.

The property type is econ:price.

:price:currency / biz:product:price:currency

The currency of the retail and bottom price properties.

The property type is econ:currency.

:bundles / biz:product:bundles

An array of bundles included with the product.

The property type is array. Its type has the following options set:

• type: biz:bundle

• uniq: True

• sorted: True

biz:rfp

An RFP (Request for Proposal) soliciting proposals.

The base type for the form can be found at biz:rfp.

Properties:

:ext:id / biz:rfp:ext:id

An externally specified identifier for the RFP.

The property type is str.

:title / biz:rfp:title

The title of the RFP.

The property type is str.

:summary / biz:rfp:summary

A brief summary of the RFP. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:status / biz:rfp:status

The status of the RFP. It has the following property options set:

• disp: {'hint': 'enum'}

The property type is biz:dealstatus.

:url / biz:rfp:url

The official URL for the RFP.

The property type is inet:url.

:file / biz:rfp:file

The RFP document.

The property type is file:bytes.

:posted / biz:rfp:posted

The date/time that the RFP was posted.

The property type is time.

:quesdue / biz:rfp:quesdue

The date/time that questions are due.

The property type is time.

:propdue / biz:rfp:propdue

The date/time that proposals are due.

The property type is time.

:contact / biz:rfp:contact

The contact information given for the org requesting offers.

The property type is ps:contact.

:purchases / biz:rfp:purchases

Any known purchases that resulted from the RFP.

The property type is array. Its type has the following options set:

• type: econ:purchase

• uniq: True

• sorted: True

:requirements / biz:rfp:requirements

A typed array which indexes each field.

The property type is array. Its type has the following options set:

• type: ou:goal

• uniq: True

• sorted: True

biz:service

A service which is performed by a specific organization.

The base type for the form can be found at biz:service.

Properties:

:provider / biz:service:provider

The contact info of the entity which performs the service.

The property type is ps:contact.

:name / biz:service:name

The name of the service being performed.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:summary / biz:service:summary

A brief summary of the service. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:type / biz:service:type

A taxonomy of service types.

The property type is biz:service:type:taxonomy.

:launched / biz:service:launched

The time when the operator first made the service available.

The property type is time.

biz:stake

A stake or partial ownership in a company.

The base type for the form can be found at biz:stake.

Properties:

:vitals / biz:stake:vitals

The ou:vitals snapshot this stake is part of.

The property type is ou:vitals.

:org / biz:stake:org

The resolved org.

The property type is ou:org.

:orgname / biz:stake:orgname

The org name as reported by the source of the vitals.

The property type is ou:name.

:orgfqdn / biz:stake:orgfqdn

The org FQDN as reported by the source of the vitals.

The property type is inet:fqdn.

:name / biz:stake:name

An arbitrary name for this stake. Can be non-contact like “pool”.

The property type is str.

:asof / biz:stake:asof

The time the stake is being measured. Likely as part of an ou:vitals.

The property type is time.

:shares / biz:stake:shares

The number of shares represented by the stake.

The property type is int.

:invested / biz:stake:invested

The amount of money invested in the cap table iteration.

The property type is econ:price.

:value / biz:stake:value

The monetary value of the stake.

The property type is econ:price.

:percent / biz:stake:percent

The percentage ownership represented by this stake.

The property type is hugenum.

:owner / biz:stake:owner

Contact information of the owner of the stake.

The property type is ps:contact.

:purchase / biz:stake:purchase

The purchase event for the stake.

The property type is econ:purchase.

crypto:algorithm

A cryptographic algorithm name.

The base type for the form can be found at crypto:algorithm.

An example of crypto:algorithm:

• aes256

Properties:

crypto:currency:address

An individual crypto currency address.

The base type for the form can be found at crypto:currency:address.

An example of crypto:currency:address:

• btc/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2

Properties:

:coin / crypto:currency:address:coin

The crypto coin to which the address belongs. It has the following property options set:

• Read Only: True

The property type is crypto:currency:coin.

:seed / crypto:currency:address:seed

The cryptographic key and or password used to generate the address.

The property type is crypto:key.

:iden / crypto:currency:address:iden

The coin specific address identifier. It has the following property options set:

• Read Only: True

The property type is str.

:desc / crypto:currency:address:desc

A free-form description of the address.

The property type is str.

:contact / crypto:currency:address:contact

Contact information associated with the address.

The property type is ps:contact.

crypto:currency:block

An individual crypto currency block record on the blockchain.

The base type for the form can be found at crypto:currency:block.

Properties:

:coin / crypto:currency:block:coin

The coin/blockchain this block resides on. It has the following property options set:

• Read Only: True

The property type is crypto:currency:coin.

:offset / crypto:currency:block:offset

The index of this block. It has the following property options set:

• Read Only: True

The property type is int.

:hash / crypto:currency:block:hash

The unique hash for the block.

The property type is hex.

:minedby / crypto:currency:block:minedby

The address which mined the block.

The property type is crypto:currency:address.

:time / crypto:currency:block:time

Time timestamp embedded in the block by the miner.

The property type is time.

crypto:currency:client

A fused node representing a crypto currency address used by an Internet client.

The base type for the form can be found at crypto:currency:client.

An example of crypto:currency:client:

• (1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))

Properties:

:inetaddr / crypto:currency:client:inetaddr

The Internet client address observed using the crypto currency address. It has the following property options set:

• Read Only: True

The property type is inet:client.

:coinaddr / crypto:currency:client:coinaddr

The crypto currency address observed in use by the Internet client. It has the following property options set:

• Read Only: True

The property type is crypto:currency:address.

crypto:currency:coin

An individual crypto currency type.

The base type for the form can be found at crypto:currency:coin.

An example of crypto:currency:coin:

• btc

Properties:

:name / crypto:currency:coin:name

The full name of the crypto coin.

The property type is str.

crypto:currency:transaction

An individual crypto currency transaction recorded on the blockchain.

The base type for the form can be found at crypto:currency:transaction.

Properties:

:hash / crypto:currency:transaction:hash

The unique transaction hash for the transaction.

The property type is hex.

:desc / crypto:currency:transaction:desc

An analyst specified description of the transaction.

The property type is str.

:block / crypto:currency:transaction:block

The block which records the transaction.

The property type is crypto:currency:block.

:block:coin / crypto:currency:transaction:block:coin

The coin/blockchain of the block which records this transaction.

The property type is crypto:currency:coin.

:block:offset / crypto:currency:transaction:block:offset

The offset of the block which records this transaction.

The property type is int.

:success / crypto:currency:transaction:success

Set to true if the transaction was successfully executed and recorded.

The property type is bool.

:status:code / crypto:currency:transaction:status:code

A coin specific status code which may represent an error reason.

The property type is int.

:status:message / crypto:currency:transaction:status:message

A coin specific status message which may contain an error reason.

The property type is str.

:to / crypto:currency:transaction:to

The destination address of the transaction.

The property type is crypto:currency:address.

:from / crypto:currency:transaction:from

The source address of the transaction.

The property type is crypto:currency:address.

:inputs / crypto:currency:transaction:inputs

Deprecated. Please use crypto:payment:input:transaction. It has the following property options set:

• deprecated: True

The property type is array. Its type has the following options set:

• type: crypto:payment:input

• sorted: True

• uniq: True

:outputs / crypto:currency:transaction:outputs

Deprecated. Please use crypto:payment:output:transaction. It has the following property options set:

• deprecated: True

The property type is array. Its type has the following options set:

• type: crypto:payment:output

• sorted: True

• uniq: True

:fee / crypto:currency:transaction:fee

The total fee paid to execute the transaction.

The property type is econ:price.

:value / crypto:currency:transaction:value

The total value of the transaction.

The property type is econ:price.

:time / crypto:currency:transaction:time

The time this transaction was initiated.

The property type is time.

:eth:gasused / crypto:currency:transaction:eth:gasused

The amount of gas used to execute this transaction.

The property type is int.

:eth:gaslimit / crypto:currency:transaction:eth:gaslimit

The ETH gas limit specified for this transaction.

The property type is int.

:eth:gasprice / crypto:currency:transaction:eth:gasprice

The gas price (in ETH) specified for this transaction.

The property type is econ:price.

:contract:input / crypto:currency:transaction:contract:input

Input value to a smart contract call.

The property type is file:bytes.

:contract:output / crypto:currency:transaction:contract:output

Output value of a smart contract call.

The property type is file:bytes.

crypto:key

A cryptographic key and algorithm.

The base type for the form can be found at crypto:key.

Properties:

:algorithm / crypto:key:algorithm

The cryptographic algorithm which uses the key material. It has the following property options set:

• Example: aes256

The property type is crypto:algorithm.

:mode / crypto:key:mode

The algorithm specific mode in use.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:iv / crypto:key:iv

The hex encoded initialization vector.

The property type is hex.

:public / crypto:key:public

The hex encoded public key material if the algorithm has a public/private key pair.

The property type is hex.

:public:md5 / crypto:key:public:md5

The MD5 hash of the public key in raw binary form.

The property type is hash:md5.

:public:sha1 / crypto:key:public:sha1

The SHA1 hash of the public key in raw binary form.

The property type is hash:sha1.

:public:sha256 / crypto:key:public:sha256

The SHA256 hash of the public key in raw binary form.

The property type is hash:sha256.

:private / crypto:key:private

The hex encoded private key material. All symmetric keys are private.

The property type is hex.

:private:md5 / crypto:key:private:md5

The MD5 hash of the private key in raw binary form.

The property type is hash:md5.

:private:sha1 / crypto:key:private:sha1

The SHA1 hash of the private key in raw binary form.

The property type is hash:sha1.

:private:sha256 / crypto:key:private:sha256

The SHA256 hash of the private key in raw binary form.

The property type is hash:sha256.

:seed:passwd / crypto:key:seed:passwd

The seed password used to generate the key material.

The property type is inet:passwd.

:seed:algorithm / crypto:key:seed:algorithm

The algorithm used to generate the key from the seed password. It has the following property options set:

• Example: pbkdf2

The property type is crypto:algorithm.

crypto:payment:input

A payment made into a transaction.

The base type for the form can be found at crypto:payment:input.

Properties:

:transaction / crypto:payment:input:transaction

The transaction the payment was input to.

The property type is crypto:currency:transaction.

:address / crypto:payment:input:address

The address which paid into the transaction.

The property type is crypto:currency:address.

:value / crypto:payment:input:value

The value of the currency paid into the transaction.

The property type is econ:price.

crypto:payment:output

A payment received from a transaction.

The base type for the form can be found at crypto:payment:output.

Properties:

:transaction / crypto:payment:output:transaction

The transaction the payment was output from.

The property type is crypto:currency:transaction.

:address / crypto:payment:output:address

The address which received payment from the transaction.

The property type is crypto:currency:address.

:value / crypto:payment:output:value

The value of the currency received from the transaction.

The property type is econ:price.

crypto:smart:contract

A smart contract.

The base type for the form can be found at crypto:smart:contract.

Properties:

:transaction / crypto:smart:contract:transaction

The transaction which created the contract.

The property type is crypto:currency:transaction.

:address / crypto:smart:contract:address

The address of the contract.

The property type is crypto:currency:address.

:bytecode / crypto:smart:contract:bytecode

The bytecode which implements the contract.

The property type is file:bytes.

:token:name / crypto:smart:contract:token:name

The ERC-20 token name.

The property type is str.

:token:symbol / crypto:smart:contract:token:symbol

The ERC-20 token symbol.

The property type is str.

:token:totalsupply / crypto:smart:contract:token:totalsupply

The ERC-20 totalSupply value.

The property type is hugenum.

crypto:smart:effect:burntoken

A smart contract effect which destroys a non-fungible token.

The base type for the form can be found at crypto:smart:effect:burntoken.

Properties:

:token / crypto:smart:effect:burntoken:token

The non-fungible token that was destroyed.

The property type is crypto:smart:token.

:index / crypto:smart:effect:burntoken:index

The order of the effect within the effects of one transaction.

The property type is int.

:transaction / crypto:smart:effect:burntoken:transaction

The transaction where the smart contract was called.

The property type is crypto:currency:transaction.

crypto:smart:effect:edittokensupply

A smart contract effect which increases or decreases the supply of a fungible token.

The base type for the form can be found at crypto:smart:effect:edittokensupply.

Properties:

:contract / crypto:smart:effect:edittokensupply:contract

The contract which defines the tokens.

The property type is crypto:smart:contract.

:amount / crypto:smart:effect:edittokensupply:amount

The number of tokens added or removed if negative.

The property type is hugenum.

:totalsupply / crypto:smart:effect:edittokensupply:totalsupply

The total supply of tokens after this modification.

The property type is hugenum.

:index / crypto:smart:effect:edittokensupply:index

The order of the effect within the effects of one transaction.

The property type is int.

:transaction / crypto:smart:effect:edittokensupply:transaction

The transaction where the smart contract was called.

The property type is crypto:currency:transaction.

crypto:smart:effect:minttoken

A smart contract effect which creates a new non-fungible token.

The base type for the form can be found at crypto:smart:effect:minttoken.

Properties:

:token / crypto:smart:effect:minttoken:token

The non-fungible token that was created.

The property type is crypto:smart:token.

:index / crypto:smart:effect:minttoken:index

The order of the effect within the effects of one transaction.

The property type is int.

:transaction / crypto:smart:effect:minttoken:transaction

The transaction where the smart contract was called.

The property type is crypto:currency:transaction.

crypto:smart:effect:proxytoken

A smart contract effect which grants a non-owner address the ability to manipulate a specific non-fungible token.

The base type for the form can be found at crypto:smart:effect:proxytoken.

Properties:

:owner / crypto:smart:effect:proxytoken:owner

The address granting proxy authority to manipulate non-fungible tokens.

The property type is crypto:currency:address.

:proxy / crypto:smart:effect:proxytoken:proxy

The address granted proxy authority to manipulate non-fungible tokens.

The property type is crypto:currency:address.

:token / crypto:smart:effect:proxytoken:token

The specific token being granted access to.

The property type is crypto:smart:token.

:index / crypto:smart:effect:proxytoken:index

The order of the effect within the effects of one transaction.

The property type is int.

:transaction / crypto:smart:effect:proxytoken:transaction

The transaction where the smart contract was called.

The property type is crypto:currency:transaction.

crypto:smart:effect:proxytokenall

A smart contract effect which grants a non-owner address the ability to manipulate all non-fungible tokens of the owner.

The base type for the form can be found at crypto:smart:effect:proxytokenall.

Properties:

:contract / crypto:smart:effect:proxytokenall:contract

The contract which defines the tokens.

The property type is crypto:smart:contract.

:owner / crypto:smart:effect:proxytokenall:owner

The address granting/denying proxy authority to manipulate all non-fungible tokens of the owner.

The property type is crypto:currency:address.

:proxy / crypto:smart:effect:proxytokenall:proxy

The address granted/denied proxy authority to manipulate all non-fungible tokens of the owner.

The property type is crypto:currency:address.

:approval / crypto:smart:effect:proxytokenall:approval

The approval status.

The property type is bool.

:index / crypto:smart:effect:proxytokenall:index

The order of the effect within the effects of one transaction.

The property type is int.

:transaction / crypto:smart:effect:proxytokenall:transaction

The transaction where the smart contract was called.

The property type is crypto:currency:transaction.

crypto:smart:effect:proxytokens

A smart contract effect which grants a non-owner address the ability to manipulate fungible tokens.

The base type for the form can be found at crypto:smart:effect:proxytokens.

Properties:

:contract / crypto:smart:effect:proxytokens:contract

The contract which defines the tokens.

The property type is crypto:smart:contract.

:owner / crypto:smart:effect:proxytokens:owner

The address granting proxy authority to manipulate fungible tokens.

The property type is crypto:currency:address.

:proxy / crypto:smart:effect:proxytokens:proxy

The address granted proxy authority to manipulate fungible tokens.

The property type is crypto:currency:address.

:amount / crypto:smart:effect:proxytokens:amount

The hex encoded amount of tokens the proxy is allowed to manipulate.

The property type is hex.

:index / crypto:smart:effect:proxytokens:index

The order of the effect within the effects of one transaction.

The property type is int.

:transaction / crypto:smart:effect:proxytokens:transaction

The transaction where the smart contract was called.

The property type is crypto:currency:transaction.

crypto:smart:effect:transfertoken

A smart contract effect which transfers ownership of a non-fungible token.

The base type for the form can be found at crypto:smart:effect:transfertoken.

Properties:

:token / crypto:smart:effect:transfertoken:token

The non-fungible token that was transferred.

The property type is crypto:smart:token.

:from / crypto:smart:effect:transfertoken:from

The address the NFT was transferred from.

The property type is crypto:currency:address.

:to / crypto:smart:effect:transfertoken:to

The address the NFT was transferred to.

The property type is crypto:currency:address.

:index / crypto:smart:effect:transfertoken:index

The order of the effect within the effects of one transaction.

The property type is int.

:transaction / crypto:smart:effect:transfertoken:transaction

The transaction where the smart contract was called.

The property type is crypto:currency:transaction.

crypto:smart:effect:transfertokens

A smart contract effect which transfers fungible tokens.

The base type for the form can be found at crypto:smart:effect:transfertokens.

Properties:

:contract / crypto:smart:effect:transfertokens:contract

The contract which defines the tokens.

The property type is crypto:smart:contract.

:from / crypto:smart:effect:transfertokens:from

The address the tokens were transferred from.

The property type is crypto:currency:address.

:to / crypto:smart:effect:transfertokens:to

The address the tokens were transferred to.

The property type is crypto:currency:address.

:amount / crypto:smart:effect:transfertokens:amount

The number of tokens transferred.

The property type is hugenum.

:index / crypto:smart:effect:transfertokens:index

The order of the effect within the effects of one transaction.

The property type is int.

:transaction / crypto:smart:effect:transfertokens:transaction

The transaction where the smart contract was called.

The property type is crypto:currency:transaction.

crypto:smart:token

A token managed by a smart contract.

The base type for the form can be found at crypto:smart:token.

Properties:

:contract / crypto:smart:token:contract

The smart contract which defines and manages the token. It has the following property options set:

• Read Only: True

The property type is crypto:smart:contract.

:tokenid / crypto:smart:token:tokenid

The token ID. It has the following property options set:

• Read Only: True

The property type is hugenum.

:owner / crypto:smart:token:owner

The address which currently owns the token.

The property type is crypto:currency:address.

:nft:url / crypto:smart:token:nft:url

The URL which hosts the NFT metadata.

The property type is inet:url.

:nft:meta / crypto:smart:token:nft:meta

The raw NFT metadata.

The property type is data.

:nft:meta:name / crypto:smart:token:nft:meta:name

The name field from the NFT metadata.

The property type is str.

:nft:meta:description / crypto:smart:token:nft:meta:description

The description field from the NFT metadata. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:nft:meta:image / crypto:smart:token:nft:meta:image

The image URL from the NFT metadata.

The property type is inet:url.

crypto:x509:cert

A unique X.509 certificate.

The base type for the form can be found at crypto:x509:cert.

Properties:

:file / crypto:x509:cert:file

The file that the certificate metadata was parsed from.

The property type is file:bytes.

:subject / crypto:x509:cert:subject

The subject identifier, commonly in X.500/LDAP format, to which the certificate was issued.

The property type is str.

:issuer / crypto:x509:cert:issuer

The Distinguished Name (DN) of the Certificate Authority (CA) which issued the certificate.

The property type is str.

:issuer:cert / crypto:x509:cert:issuer:cert

The certificate used by the issuer to sign this certificate.

The property type is crypto:x509:cert.

:serial / crypto:x509:cert:serial

The certificate serial number as a big endian hex value.

The property type is hex. Its type has the following options set:

• size: 40

:version / crypto:x509:cert:version

The version integer in the certificate. (ex. 2 == v3 ).

The property type is int. Its type has the following options set:

• enums: ((0, 'v1'), (2, 'v3'))

:validity:notbefore / crypto:x509:cert:validity:notbefore

The timestamp for the beginning of the certificate validity period.

The property type is time.

:validity:notafter / crypto:x509:cert:validity:notafter

The timestamp for the end of the certificate validity period.

The property type is time.

:md5 / crypto:x509:cert:md5

The MD5 fingerprint for the certificate.

The property type is hash:md5.

:sha1 / crypto:x509:cert:sha1

The SHA1 fingerprint for the certificate.

The property type is hash:sha1.

:sha256 / crypto:x509:cert:sha256

The SHA256 fingerprint for the certificate.

The property type is hash:sha256.

:rsa:key / crypto:x509:cert:rsa:key

The optional RSA public key associated with the certificate.

The property type is rsa:key.

:algo / crypto:x509:cert:algo

The X.509 signature algorithm OID.

The property type is iso:oid.

:signature / crypto:x509:cert:signature

The hexadecimal representation of the digital signature.

The property type is hex.

:ext:sans / crypto:x509:cert:ext:sans

The Subject Alternate Names (SANs) listed in the certificate.

The property type is array. Its type has the following options set:

• type: crypto:x509:san

• uniq: True

• sorted: True

:ext:crls / crypto:x509:cert:ext:crls

A list of Subject Alternate Names (SANs) for Distribution Points.

The property type is array. Its type has the following options set:

• type: crypto:x509:san

• uniq: True

• sorted: True

:identities:fqdns / crypto:x509:cert:identities:fqdns

The fused list of FQDNs identified by the cert CN and SANs.

The property type is array. Its type has the following options set:

• type: inet:fqdn

• uniq: True

• sorted: True

:identities:emails / crypto:x509:cert:identities:emails

The fused list of e-mail addresses identified by the cert CN and SANs.

The property type is array. Its type has the following options set:

• type: inet:email

• uniq: True

• sorted: True

:identities:ipv4s / crypto:x509:cert:identities:ipv4s

The fused list of IPv4 addresses identified by the cert CN and SANs.

The property type is array. Its type has the following options set:

• type: inet:ipv4

• uniq: True

• sorted: True

:identities:ipv6s / crypto:x509:cert:identities:ipv6s

The fused list of IPv6 addresses identified by the cert CN and SANs.

The property type is array. Its type has the following options set:

• type: inet:ipv6

• uniq: True

• sorted: True

:identities:urls / crypto:x509:cert:identities:urls

The fused list of URLs identified by the cert CN and SANs.

The property type is array. Its type has the following options set:

• type: inet:url

• uniq: True

• sorted: True

:crl:urls / crypto:x509:cert:crl:urls

The extracted URL values from the CRLs extension.

The property type is array. Its type has the following options set:

• type: inet:url

• uniq: True

• sorted: True

:selfsigned / crypto:x509:cert:selfsigned

Whether this is a self-signed certificate.

The property type is bool.

crypto:x509:crl

A unique X.509 Certificate Revocation List.

The base type for the form can be found at crypto:x509:crl.

Properties:

:file / crypto:x509:crl:file

The file containing the CRL.

The property type is file:bytes.

:url / crypto:x509:crl:url

The URL where the CRL was published.

The property type is inet:url.

crypto:x509:revoked

A revocation relationship between a CRL and an X.509 certificate.

The base type for the form can be found at crypto:x509:revoked.

Properties:

:crl / crypto:x509:revoked:crl

The CRL which revoked the certificate. It has the following property options set:

• Read Only: True

The property type is crypto:x509:crl.

:cert / crypto:x509:revoked:cert

The certificate revoked by the CRL. It has the following property options set:

• Read Only: True

The property type is crypto:x509:cert.

crypto:x509:signedfile

A digital signature relationship between an X.509 certificate and a file.

The base type for the form can be found at crypto:x509:signedfile.

Properties:

:cert / crypto:x509:signedfile:cert

The certificate for the key which signed the file. It has the following property options set:

• Read Only: True

The property type is crypto:x509:cert.

:file / crypto:x509:signedfile:file

The file which was signed by the certificates key. It has the following property options set:

• Read Only: True

The property type is file:bytes.

econ:acct:balance

A snapshot of the balance of an account at a point in time.

The base type for the form can be found at econ:acct:balance.

Properties:

:time / econ:acct:balance:time

The time the balance was recorded.

The property type is time.

:pay:card / econ:acct:balance:pay:card

The payment card holding the balance.

The property type is econ:pay:card.

:crypto:address / econ:acct:balance:crypto:address

The crypto currency address holding the balance.

The property type is crypto:currency:address.

:amount / econ:acct:balance:amount

The account balance at the time.

The property type is econ:price.

:currency / econ:acct:balance:currency

The currency of the balance amount.

The property type is econ:currency.

:delta / econ:acct:balance:delta

The change since last regular sample.

The property type is econ:price.

:total:received / econ:acct:balance:total:received

The total amount of currency received by the account.

The property type is econ:price.

:total:sent / econ:acct:balance:total:sent

The total amount of currency sent from the account.

The property type is econ:price.

econ:acct:payment

A payment or crypto currency transaction.

The base type for the form can be found at econ:acct:payment.

Properties:

:txnid / econ:acct:payment:txnid

A payment processor specific transaction id.

The property type is str. Its type has the following options set:

• strip: True

:fee / econ:acct:payment:fee

The transaction fee paid by the recipient to the payment processor.

The property type is econ:price.

:from:pay:card / econ:acct:payment:from:pay:card

The payment card making the payment.

The property type is econ:pay:card.

:from:contract / econ:acct:payment:from:contract

A contract used as an aggregate payment source.

The property type is ou:contract.

:from:coinaddr / econ:acct:payment:from:coinaddr

The crypto currency address making the payment.

The property type is crypto:currency:address.

:from:contact / econ:acct:payment:from:contact

Contact information for the person/org being paid.

The property type is ps:contact.

:to:coinaddr / econ:acct:payment:to:coinaddr

The crypto currency address receiving the payment.

The property type is crypto:currency:address.

:to:contact / econ:acct:payment:to:contact

Contact information for the person/org being paid.

The property type is ps:contact.

:to:contract / econ:acct:payment:to:contract

A contract used as an aggregate payment destination.

The property type is ou:contract.

:time / econ:acct:payment:time

The time the payment was processed.

The property type is time.

:purchase / econ:acct:payment:purchase

The purchase which the payment was paying for.

The property type is econ:purchase.

:amount / econ:acct:payment:amount

The amount of money transferred in the payment.

The property type is econ:price.

:currency / econ:acct:payment:currency

The currency of the payment.

The property type is econ:currency.

:memo / econ:acct:payment:memo

A small note specified by the payer common in financial transactions.

The property type is str.

:crypto:transaction / econ:acct:payment:crypto:transaction

A crypto currency transaction that initiated the payment.

The property type is crypto:currency:transaction.

econ:acquired

Deprecated. Please use econ:purchase -(acquired)> *.

The base type for the form can be found at econ:acquired.

Properties:

:purchase / econ:acquired:purchase

The purchase event which acquired an item. It has the following property options set:

• Read Only: True

The property type is econ:purchase.

:item / econ:acquired:item

A reference to the item that was acquired. It has the following property options set:

• Read Only: True

The property type is ndef.

:item:form / econ:acquired:item:form

The form of item purchased.

The property type is str.

econ:fin:bar

A sample of the open, close, high, low prices of a security in a specific time window.

The base type for the form can be found at econ:fin:bar.

Properties:

:security / econ:fin:bar:security

The security measured by the bar.

The property type is econ:fin:security.

:ival / econ:fin:bar:ival

The interval of measurement.

The property type is ival.

:price:open / econ:fin:bar:price:open

The opening price of the security.

The property type is econ:price.

:price:close / econ:fin:bar:price:close

The closing price of the security.

The property type is econ:price.

:price:low / econ:fin:bar:price:low

The low price of the security.

The property type is econ:price.

:price:high / econ:fin:bar:price:high

The high price of the security.

The property type is econ:price.

econ:fin:exchange

A financial exchange where securities are traded.

The base type for the form can be found at econ:fin:exchange.

Properties:

:name / econ:fin:exchange:name

A simple name for the exchange. It has the following property options set:

• Example: nasdaq

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:org / econ:fin:exchange:org

The organization that operates the exchange.

The property type is ou:org.

:currency / econ:fin:exchange:currency

The currency used for all transactions in the exchange. It has the following property options set:

• Example: usd

The property type is econ:currency.

econ:fin:security

A financial security which is typically traded on an exchange.

The base type for the form can be found at econ:fin:security.

Properties:

:exchange / econ:fin:security:exchange

The exchange on which the security is traded.

The property type is econ:fin:exchange.

:ticker / econ:fin:security:ticker

The identifier for this security within the exchange.

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:type / econ:fin:security:type

A user defined type such as stock, bond, option, future, or forex.

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:price / econ:fin:security:price

The last known/available price of the security.

The property type is econ:price.

:time / econ:fin:security:time

The time of the last know price sample.

The property type is time.

econ:fin:tick

A sample of the price of a security at a single moment in time.

The base type for the form can be found at econ:fin:tick.

Properties:

:security / econ:fin:tick:security

The security measured by the tick.

The property type is econ:fin:security.

:time / econ:fin:tick:time

The time the price was sampled.

The property type is time.

:price / econ:fin:tick:price

The price of the security at the time.

The property type is econ:price.

econ:pay:card

A single payment card.

The base type for the form can be found at econ:pay:card.

Properties:

:pan / econ:pay:card:pan

The payment card number.

The property type is econ:pay:pan.

:pan:mii / econ:pay:card:pan:mii

The payment card MII.

The property type is econ:pay:mii.

:pan:iin / econ:pay:card:pan:iin

The payment card IIN.

The property type is econ:pay:iin.

:name / econ:pay:card:name

The name as it appears on the card.

The property type is ps:name.

:expr / econ:pay:card:expr

The expiration date for the card.

The property type is time.

:cvv / econ:pay:card:cvv

The Card Verification Value on the card.

The property type is econ:pay:cvv.

:pin / econ:pay:card:pin

The Personal Identification Number on the card.

The property type is econ:pay:pin.

econ:pay:iin

An Issuer Id Number (IIN).

The base type for the form can be found at econ:pay:iin.

Properties:

:org / econ:pay:iin:org

The issuer organization.

The property type is ou:org.

:name / econ:pay:iin:name

The registered name of the issuer.

The property type is str. Its type has the following options set:

• lower: True

econ:purchase

A purchase event.

The base type for the form can be found at econ:purchase.

Properties:

:by:contact / econ:purchase:by:contact

The contact information used to make the purchase.

The property type is ps:contact.

:from:contact / econ:purchase:from:contact

The contact information used to sell the item.

The property type is ps:contact.

:time / econ:purchase:time

The time of the purchase.

The property type is time.

:place / econ:purchase:place

The place where the purchase took place.

The property type is geo:place.

:paid / econ:purchase:paid

Set to True if the purchase has been paid in full.

The property type is bool.

:paid:time / econ:purchase:paid:time

The point in time where the purchase was paid in full.

The property type is time.

:settled / econ:purchase:settled

The point in time where the purchase was settled.

The property type is time.

:campaign / econ:purchase:campaign

The campaign that the purchase was in support of.

The property type is ou:campaign.

:price / econ:purchase:price

The econ:price of the purchase.

The property type is econ:price.

:currency / econ:purchase:currency

The econ:price of the purchase.

The property type is econ:currency.

econ:receipt:item

A line item included as part of a purchase.

The base type for the form can be found at econ:receipt:item.

Properties:

:purchase / econ:receipt:item:purchase

The purchase that contains this line item.

The property type is econ:purchase.

:count / econ:receipt:item:count

The number of items included in this line item.

The property type is int. Its type has the following options set:

• min: 1

:price / econ:receipt:item:price

The total cost of this receipt line item.

The property type is econ:price.

:product / econ:receipt:item:product

The product being being purchased in this line item.

The property type is biz:product.

edge:has

A digraph edge which records that N1 has N2.

The base type for the form can be found at edge:has.

Properties:

:n1 / edge:has:n1

The node definition type for a (form,valu) compound field. It has the following property options set:

• Read Only: True

The property type is ndef.

:n1:form / edge:has:n1:form

The base string type. It has the following property options set:

• Read Only: True

The property type is str.

:n2 / edge:has:n2

The node definition type for a (form,valu) compound field. It has the following property options set:

• Read Only: True

The property type is ndef.

:n2:form / edge:has:n2:form

The base string type. It has the following property options set:

• Read Only: True

The property type is str.

edge:refs

A digraph edge which records that N1 refers to or contains N2.

The base type for the form can be found at edge:refs.

Properties:

:n1 / edge:refs:n1

The node definition type for a (form,valu) compound field. It has the following property options set:

• Read Only: True

The property type is ndef.

:n1:form / edge:refs:n1:form

The base string type. It has the following property options set:

• Read Only: True

The property type is str.

:n2 / edge:refs:n2

The node definition type for a (form,valu) compound field. It has the following property options set:

• Read Only: True

The property type is ndef.

:n2:form / edge:refs:n2:form

The base string type. It has the following property options set:

• Read Only: True

The property type is str.

edge:wentto

A digraph edge which records that N1 went to N2 at a specific time.

The base type for the form can be found at edge:wentto.

Properties:

:n1 / edge:wentto:n1

The node definition type for a (form,valu) compound field. It has the following property options set:

• Read Only: True

The property type is ndef.

:n1:form / edge:wentto:n1:form

The base string type. It has the following property options set:

• Read Only: True

The property type is str.

:n2 / edge:wentto:n2

The node definition type for a (form,valu) compound field. It has the following property options set:

• Read Only: True

The property type is ndef.

:n2:form / edge:wentto:n2:form

The base string type. It has the following property options set:

• Read Only: True

The property type is str.

:time / edge:wentto:time

A date/time value. It has the following property options set:

• Read Only: True

The property type is time.

edu:class

An instance of an edu:course taught at a given time.

The base type for the form can be found at edu:class.

Properties:

:course / edu:class:course

The course being taught in the class.

The property type is edu:course.

:instructor / edu:class:instructor

The primary instructor for the class.

The property type is ps:contact.

:assistants / edu:class:assistants

An array of assistant/co-instructor contacts.

The property type is array. Its type has the following options set:

• type: ps:contact

• uniq: True

• sorted: True

:date:first / edu:class:date:first

The date of the first day of class.

The property type is time.

:date:last / edu:class:date:last

The date of the last day of class.

The property type is time.

:isvirtual / edu:class:isvirtual

Set if the class is known to be virtual.

The property type is bool.

:virtual:url / edu:class:virtual:url

The URL a student would use to attend the virtual class.

The property type is inet:url.

:virtual:provider / edu:class:virtual:provider

Contact info for the virtual infrastructure provider.

The property type is ps:contact.

:place / edu:class:place

The place that the class is held.

The property type is geo:place.

edu:course

A course of study taught by an org.

The base type for the form can be found at edu:course.

Properties:

:name / edu:course:name

The name of the course. It has the following property options set:

• Example: organic chemistry for beginners

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:desc / edu:course:desc

A brief course description.

The property type is str.

:code / edu:course:code

The course catalog number or designator. It has the following property options set:

• Example: chem101

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:institution / edu:course:institution

The org or department which teaches the course.

The property type is ps:contact.

:prereqs / edu:course:prereqs

The pre-requisite courses for taking this course.

The property type is array. Its type has the following options set:

• type: edu:course

• uniq: True

• sorted: True

file:base

A file name with no path.

The base type for the form can be found at file:base.

An example of file:base:

• woot.exe

Properties:

:ext / file:base:ext

The file extension (if any). It has the following property options set:

• Read Only: True

The property type is str.

file:bytes

The file bytes type with SHA256 based primary property.

The base type for the form can be found at file:bytes.

Properties:

:size / file:bytes:size

The file size in bytes.

The property type is int.

:md5 / file:bytes:md5

The md5 hash of the file.

The property type is hash:md5.

:sha1 / file:bytes:sha1

The sha1 hash of the file.

The property type is hash:sha1.

:sha256 / file:bytes:sha256

The sha256 hash of the file.

The property type is hash:sha256.

:sha512 / file:bytes:sha512

The sha512 hash of the file.

The property type is hash:sha512.

:name / file:bytes:name

The best known base name for the file.

The property type is file:base.

:mime / file:bytes:mime

The “best” mime type name for the file.

The property type is file:mime.

:mime:x509:cn / file:bytes:mime:x509:cn

The Common Name (CN) attribute of the x509 Subject.

The property type is str.

:mime:pe:size / file:bytes:mime:pe:size

The size of the executable file according to the PE file header.

The property type is int.

:mime:pe:imphash / file:bytes:mime:pe:imphash

The PE import hash of the file as calculated by pefile; https://github.com/erocarrera/pefile .

The property type is guid.

:mime:pe:compiled / file:bytes:mime:pe:compiled

The compile time of the file according to the PE header.

The property type is time.

:mime:pe:pdbpath / file:bytes:mime:pe:pdbpath

The PDB string according to the PE.

The property type is file:path.

:mime:pe:exports:time / file:bytes:mime:pe:exports:time

The export time of the file according to the PE.

The property type is time.

:mime:pe:exports:libname / file:bytes:mime:pe:exports:libname

The export library name according to the PE.

The property type is str.

:mime:pe:richhdr / file:bytes:mime:pe:richhdr

The sha256 hash of the rich header bytes.

The property type is hash:sha256.

:exe:compiler / file:bytes:exe:compiler

The software used to compile the file.

The property type is it:prod:softver.

:exe:packer / file:bytes:exe:packer

The packer software used to encode the file.

The property type is it:prod:softver.

file:filepath

The fused knowledge of the association of a file:bytes node and a file:path.

The base type for the form can be found at file:filepath.

Properties:

:file / file:filepath:file

The file seen at a path. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:path / file:filepath:path

The path a file was seen at. It has the following property options set:

• Read Only: True

The property type is file:path.

:path:dir / file:filepath:path:dir

The parent directory. It has the following property options set:

• Read Only: True

The property type is file:path.

:path:base / file:filepath:path:base

The name of the file. It has the following property options set:

• Read Only: True

The property type is file:base.

:path:base:ext / file:filepath:path:base:ext

The extension of the file name. It has the following property options set:

• Read Only: True

The property type is str.

file:ismime

Records one, of potentially multiple, mime types for a given file.

The base type for the form can be found at file:ismime.

Properties:

:file / file:ismime:file

The file node that is an instance of the named mime type. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:mime / file:ismime:mime

The mime type of the file. It has the following property options set:

• Read Only: True

The property type is file:mime.

file:mime

A file mime name string.

The base type for the form can be found at file:mime.

An example of file:mime:

• text/plain

Properties:

file:mime:gif

The GUID of a set of mime metadata for a .gif file.

The base type for the form can be found at file:mime:gif.

Properties:

:desc / file:mime:gif:desc

MIME specific description field extracted from metadata.

The property type is str.

:comment / file:mime:gif:comment

MIME specific comment field extracted from metadata.

The property type is str.

:created / file:mime:gif:created

MIME specific creation timestamp extracted from metadata.

The property type is time.

:imageid / file:mime:gif:imageid

MIME specific unique identifier extracted from metadata.

The property type is str.

:author / file:mime:gif:author

MIME specific contact information extracted from metadata.

The property type is ps:contact.

:latlong / file:mime:gif:latlong

MIME specific lat/long information extracted from metadata.

The property type is geo:latlong.

:altitude / file:mime:gif:altitude

MIME specific altitude information extracted from metadata.

The property type is geo:altitude.

:file / file:mime:gif:file

The file that the mime info was parsed from.

The property type is file:bytes.

:file:offs / file:mime:gif:file:offs

The optional offset where the mime info was parsed from.

The property type is int.

:file:data / file:mime:gif:file:data

A mime specific arbitrary data structure for non-indexed data.

The property type is data.

file:mime:jpg

The GUID of a set of mime metadata for a .jpg file.

The base type for the form can be found at file:mime:jpg.

Properties:

:desc / file:mime:jpg:desc

MIME specific description field extracted from metadata.

The property type is str.

:comment / file:mime:jpg:comment

MIME specific comment field extracted from metadata.

The property type is str.

:created / file:mime:jpg:created

MIME specific creation timestamp extracted from metadata.

The property type is time.

:imageid / file:mime:jpg:imageid

MIME specific unique identifier extracted from metadata.

The property type is str.

:author / file:mime:jpg:author

MIME specific contact information extracted from metadata.

The property type is ps:contact.

:latlong / file:mime:jpg:latlong

MIME specific lat/long information extracted from metadata.

The property type is geo:latlong.

:altitude / file:mime:jpg:altitude

MIME specific altitude information extracted from metadata.

The property type is geo:altitude.

:file / file:mime:jpg:file

The file that the mime info was parsed from.

The property type is file:bytes.

:file:offs / file:mime:jpg:file:offs

The optional offset where the mime info was parsed from.

The property type is int.

:file:data / file:mime:jpg:file:data

A mime specific arbitrary data structure for non-indexed data.

The property type is data.

file:mime:macho:loadcmd

A generic load command pulled from the Mach-O headers.

The base type for the form can be found at file:mime:macho:loadcmd.

Properties:

:file / file:mime:macho:loadcmd:file

The Mach-O file containing the load command.

The property type is file:bytes.

:type / file:mime:macho:loadcmd:type

The type of the load command.

The property type is int. Its type has the following options set:

• enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

:size / file:mime:macho:loadcmd:size

The size of the load command structure in bytes.

The property type is int.

file:mime:macho:section

A section inside a Mach-O binary denoting a named region of bytes inside a segment.

The base type for the form can be found at file:mime:macho:section.

Properties:

:segment / file:mime:macho:section:segment

The Mach-O segment that contains this section.

The property type is file:mime:macho:segment.

:name / file:mime:macho:section:name

Name of the section.

The property type is str.

:size / file:mime:macho:section:size

Size of the section in bytes.

The property type is int.

:type / file:mime:macho:section:type

The type of the section.

The property type is int. Its type has the following options set:

• enums: ((0, 'regular'), (1, 'zero fill on demand'), (2, 'only literal C strings'), (3, 'only 4 byte literals'), (4, 'only 8 byte literals'), (5, 'only pointers to literals'), (6, 'only non-lazy symbol pointers'), (7, 'only lazy symbol pointers'), (8, 'only symbol stubs'), (9, 'only function pointers for init'), (10, 'only function pointers for fini'), (11, 'contains symbols to be coalesced'), (12, 'zero fill on deman (greater than 4gb)'), (13, 'only pairs of function pointers for interposing'), (14, 'only 16 byte literals'), (15, 'dtrace object format'), (16, 'only lazy symbols pointers to lazy dynamic libraries'))

:sha256 / file:mime:macho:section:sha256

The sha256 hash of the bytes of the Mach-O section.

The property type is hash:sha256.

:offset / file:mime:macho:section:offset

The file offset to the beginning of the section.

The property type is int.

file:mime:macho:segment

A named region of bytes inside a Mach-O binary.

The base type for the form can be found at file:mime:macho:segment.

Properties:

:name / file:mime:macho:segment:name

The name of the Mach-O segment.

The property type is str.

:memsize / file:mime:macho:segment:memsize

The size of the segment in bytes, when resident in memory, according to the load command structure.

The property type is int.

:disksize / file:mime:macho:segment:disksize

The size of the segment in bytes, when on disk, according to the load command structure.

The property type is int.

:sha256 / file:mime:macho:segment:sha256

The sha256 hash of the bytes of the segment.

The property type is hash:sha256.

:offset / file:mime:macho:segment:offset

The file offset to the beginning of the segment.

The property type is int.

:file / file:mime:macho:segment:file

The Mach-O file containing the load command.

The property type is file:bytes.

:type / file:mime:macho:segment:type

The type of the load command.

The property type is int. Its type has the following options set:

• enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

:size / file:mime:macho:segment:size

The size of the load command structure in bytes.

The property type is int.

file:mime:macho:uuid

A specific load command denoting a UUID used to uniquely identify the Mach-O binary.

The base type for the form can be found at file:mime:macho:uuid.

Properties:

:uuid / file:mime:macho:uuid:uuid

The UUID of the Mach-O application (as defined in an LC_UUID load command).

The property type is guid.

:file / file:mime:macho:uuid:file

The Mach-O file containing the load command.

The property type is file:bytes.

:type / file:mime:macho:uuid:type

The type of the load command.

The property type is int. Its type has the following options set:

• enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

:size / file:mime:macho:uuid:size

The size of the load command structure in bytes.

The property type is int.

file:mime:macho:version

A specific load command used to denote the version of the source used to build the Mach-O binary.

The base type for the form can be found at file:mime:macho:version.

Properties:

:version / file:mime:macho:version:version

The version of the Mach-O file encoded in an LC_VERSION load command.

The property type is str.

:file / file:mime:macho:version:file

The Mach-O file containing the load command.

The property type is file:bytes.

:type / file:mime:macho:version:type

The type of the load command.

The property type is int. Its type has the following options set:

• enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

:size / file:mime:macho:version:size

The size of the load command structure in bytes.

The property type is int.

file:mime:msdoc

The GUID of a set of mime metadata for a Microsoft Word file.

The base type for the form can be found at file:mime:msdoc.

Properties:

:title / file:mime:msdoc:title

The title extracted from Microsoft Office metadata.

The property type is str.

:author / file:mime:msdoc:author

The author extracted from Microsoft Office metadata.

The property type is str.

:subject / file:mime:msdoc:subject

The subject extracted from Microsoft Office metadata.

The property type is str.

:application / file:mime:msdoc:application

The creating_application extracted from Microsoft Office metadata.

The property type is str.

:created / file:mime:msdoc:created

The create_time extracted from Microsoft Office metadata.

The property type is time.

:lastsaved / file:mime:msdoc:lastsaved

The last_saved_time extracted from Microsoft Office metadata.

The property type is time.

:file / file:mime:msdoc:file

The file that the mime info was parsed from.

The property type is file:bytes.

:file:offs / file:mime:msdoc:file:offs

The optional offset where the mime info was parsed from.

The property type is int.

:file:data / file:mime:msdoc:file:data

A mime specific arbitrary data structure for non-indexed data.

The property type is data.

file:mime:msppt

The GUID of a set of mime metadata for a Microsoft Powerpoint file.

The base type for the form can be found at file:mime:msppt.

Properties:

:title / file:mime:msppt:title

The title extracted from Microsoft Office metadata.

The property type is str.

:author / file:mime:msppt:author

The author extracted from Microsoft Office metadata.

The property type is str.

:subject / file:mime:msppt:subject

The subject extracted from Microsoft Office metadata.

The property type is str.

:application / file:mime:msppt:application

The creating_application extracted from Microsoft Office metadata.

The property type is str.

:created / file:mime:msppt:created

The create_time extracted from Microsoft Office metadata.

The property type is time.

:lastsaved / file:mime:msppt:lastsaved

The last_saved_time extracted from Microsoft Office metadata.

The property type is time.

:file / file:mime:msppt:file

The file that the mime info was parsed from.

The property type is file:bytes.

:file:offs / file:mime:msppt:file:offs

The optional offset where the mime info was parsed from.

The property type is int.

:file:data / file:mime:msppt:file:data

A mime specific arbitrary data structure for non-indexed data.

The property type is data.

file:mime:msxls

The GUID of a set of mime metadata for a Microsoft Excel file.

The base type for the form can be found at file:mime:msxls.

Properties:

:title / file:mime:msxls:title

The title extracted from Microsoft Office metadata.

The property type is str.

:author / file:mime:msxls:author

The author extracted from Microsoft Office metadata.

The property type is str.

:subject / file:mime:msxls:subject

The subject extracted from Microsoft Office metadata.

The property type is str.

:application / file:mime:msxls:application

The creating_application extracted from Microsoft Office metadata.

The property type is str.

:created / file:mime:msxls:created

The create_time extracted from Microsoft Office metadata.

The property type is time.

:lastsaved / file:mime:msxls:lastsaved

The last_saved_time extracted from Microsoft Office metadata.

The property type is time.

:file / file:mime:msxls:file

The file that the mime info was parsed from.

The property type is file:bytes.

:file:offs / file:mime:msxls:file:offs

The optional offset where the mime info was parsed from.

The property type is int.

:file:data / file:mime:msxls:file:data

A mime specific arbitrary data structure for non-indexed data.

The property type is data.

file:mime:pe:export

The fused knowledge of a file:bytes node containing a pe named export.

The base type for the form can be found at file:mime:pe:export.

Properties:

:file / file:mime:pe:export:file

The file containing the export. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:name / file:mime:pe:export:name

The name of the export in the file. It has the following property options set:

• Read Only: True

The property type is str.

file:mime:pe:resource

The fused knowledge of a file:bytes node containing a pe resource.

The base type for the form can be found at file:mime:pe:resource.

Properties:

:file / file:mime:pe:resource:file

The file containing the resource. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:type / file:mime:pe:resource:type

The typecode for the resource. It has the following property options set:

• Read Only: True

The property type is pe:resource:type.

:langid / file:mime:pe:resource:langid

The language code for the resource. It has the following property options set:

• Read Only: True

The property type is pe:langid.

:resource / file:mime:pe:resource:resource

The sha256 hash of the resource bytes. It has the following property options set:

• Read Only: True

The property type is file:bytes.

file:mime:pe:section

The fused knowledge a file:bytes node containing a pe section.

The base type for the form can be found at file:mime:pe:section.

Properties:

:file / file:mime:pe:section:file

The file containing the section. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:name / file:mime:pe:section:name

The textual name of the section. It has the following property options set:

• Read Only: True

The property type is str.

:sha256 / file:mime:pe:section:sha256

The sha256 hash of the section. Relocations must be zeroed before hashing. It has the following property options set:

• Read Only: True

The property type is hash:sha256.

file:mime:pe:vsvers:info

knowledge of a file:bytes node containing vsvers info.

The base type for the form can be found at file:mime:pe:vsvers:info.

Properties:

:file / file:mime:pe:vsvers:info:file

The file containing the vsversion keyval pair. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:keyval / file:mime:pe:vsvers:info:keyval

The vsversion info keyval in this file:bytes node. It has the following property options set:

• Read Only: True

The property type is file:mime:pe:vsvers:keyval.

file:mime:pe:vsvers:keyval

A key value pair found in a PE vsversion info structure.

The base type for the form can be found at file:mime:pe:vsvers:keyval.

Properties:

:name / file:mime:pe:vsvers:keyval:name

The key for the vsversion keyval pair. It has the following property options set:

• Read Only: True

The property type is str.

:value / file:mime:pe:vsvers:keyval:value

The value for the vsversion keyval pair. It has the following property options set:

• Read Only: True

The property type is str.

file:mime:png

The GUID of a set of mime metadata for a .png file.

The base type for the form can be found at file:mime:png.

Properties:

:desc / file:mime:png:desc

MIME specific description field extracted from metadata.

The property type is str.

:comment / file:mime:png:comment

MIME specific comment field extracted from metadata.

The property type is str.

:created / file:mime:png:created

MIME specific creation timestamp extracted from metadata.

The property type is time.

:imageid / file:mime:png:imageid

MIME specific unique identifier extracted from metadata.

The property type is str.

:author / file:mime:png:author

MIME specific contact information extracted from metadata.

The property type is ps:contact.

:latlong / file:mime:png:latlong

MIME specific lat/long information extracted from metadata.

The property type is geo:latlong.

:altitude / file:mime:png:altitude

MIME specific altitude information extracted from metadata.

The property type is geo:altitude.

:file / file:mime:png:file

The file that the mime info was parsed from.

The property type is file:bytes.

:file:offs / file:mime:png:file:offs

The optional offset where the mime info was parsed from.

The property type is int.

:file:data / file:mime:png:file:data

A mime specific arbitrary data structure for non-indexed data.

The property type is data.

file:mime:rtf

The GUID of a set of mime metadata for a .rtf file.

The base type for the form can be found at file:mime:rtf.

Properties:

:guid / file:mime:rtf:guid

The parsed GUID embedded in the .rtf file.

The property type is guid.

:file / file:mime:rtf:file

The file that the mime info was parsed from.

The property type is file:bytes.

:file:offs / file:mime:rtf:file:offs

The optional offset where the mime info was parsed from.

The property type is int.

:file:data / file:mime:rtf:file:data

A mime specific arbitrary data structure for non-indexed data.

The property type is data.

file:mime:tif

The GUID of a set of mime metadata for a .tif file.

The base type for the form can be found at file:mime:tif.

Properties:

:desc / file:mime:tif:desc

MIME specific description field extracted from metadata.

The property type is str.

:comment / file:mime:tif:comment

MIME specific comment field extracted from metadata.

The property type is str.

:created / file:mime:tif:created

MIME specific creation timestamp extracted from metadata.

The property type is time.

:imageid / file:mime:tif:imageid

MIME specific unique identifier extracted from metadata.

The property type is str.

:author / file:mime:tif:author

MIME specific contact information extracted from metadata.

The property type is ps:contact.

:latlong / file:mime:tif:latlong

MIME specific lat/long information extracted from metadata.

The property type is geo:latlong.

:altitude / file:mime:tif:altitude

MIME specific altitude information extracted from metadata.

The property type is geo:altitude.

:file / file:mime:tif:file

The file that the mime info was parsed from.

The property type is file:bytes.

:file:offs / file:mime:tif:file:offs

The optional offset where the mime info was parsed from.

The property type is int.

:file:data / file:mime:tif:file:data

A mime specific arbitrary data structure for non-indexed data.

The property type is data.

file:path

A normalized file path.

The base type for the form can be found at file:path.

An example of file:path:

• c:/windows/system32/calc.exe

Properties:

:dir / file:path:dir

The parent directory. It has the following property options set:

• Read Only: True

The property type is file:path.

:base / file:path:base

The file base name. It has the following property options set:

• Read Only: True

The property type is file:base.

:base:ext / file:path:base:ext

The file extension. It has the following property options set:

• Read Only: True

The property type is str.

file:string

Deprecated. Please use the edge -(refs)> it:dev:str.

The base type for the form can be found at file:string.

Properties:

:file / file:string:file

The file containing the string. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:string / file:string:string

The string contained in this file:bytes node. It has the following property options set:

• Read Only: True

The property type is str.

file:subfile

A parent file that fully contains the specified child file.

The base type for the form can be found at file:subfile.

Properties:

:parent / file:subfile:parent

The parent file containing the child file. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:child / file:subfile:child

The child file contained in the parent file. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:name / file:subfile:name

Deprecated, please use the :path property. It has the following property options set:

• deprecated: True

The property type is file:base.

:path / file:subfile:path

The path that the parent uses to refer to the child file.

The property type is file:path.

geo:name

An unstructured place name or address.

The base type for the form can be found at geo:name.

Properties:

geo:nloc

Records a node latitude/longitude in space-time.

The base type for the form can be found at geo:nloc.

Properties:

:ndef / geo:nloc:ndef

The node with location in geospace and time. It has the following property options set:

• Read Only: True

The property type is ndef.

:ndef:form / geo:nloc:ndef:form

The form of node referenced by the ndef. It has the following property options set:

• Read Only: True

The property type is str.

:latlong / geo:nloc:latlong

The latitude/longitude the node was observed. It has the following property options set:

• Read Only: True

The property type is geo:latlong.

:time / geo:nloc:time

The time the node was observed at location. It has the following property options set:

• Read Only: True

The property type is time.

:place / geo:nloc:place

The place corresponding to the latlong property.

The property type is geo:place.

:loc / geo:nloc:loc

The geo-political location string for the node.

The property type is loc.

geo:place

A GUID for a geographic place.

The base type for the form can be found at geo:place.

Properties:

:name / geo:place:name

The name of the place.

The property type is geo:name.

:type / geo:place:type

The type of place.

The property type is geo:place:taxonomy.

:names / geo:place:names

An array of alternative place names.

The property type is array. Its type has the following options set:

• type: geo:name

• sorted: True

• uniq: True

:parent / geo:place:parent

A parent place, possibly from reverse geocoding.

The property type is geo:place.

:desc / geo:place:desc

A long form description of the place.

The property type is str.

:loc / geo:place:loc

The geo-political location string for the node.

The property type is loc.

:address / geo:place:address

The street/mailing address for the place.

The property type is geo:address.

:geojson / geo:place:geojson

A GeoJSON representation of the place.

The property type is geo:json.

:latlong / geo:place:latlong

The lat/long position for the place.

The property type is geo:latlong.

:bbox / geo:place:bbox

A bounding box which encompasses the place.

The property type is geo:bbox.

:radius / geo:place:radius

An approximate radius to use for bounding box calculation.

The property type is geo:dist.

:photo / geo:place:photo

The image file to use as the primary image of the place.

The property type is file:bytes.

geo:place:taxonomy

A taxonomy of place types.

The base type for the form can be found at geo:place:taxonomy.

Properties:

geo:telem

A geospatial position of a node at a given time. The node should be linked via -(seenat)> edges.

The base type for the form can be found at geo:telem.

Properties:

:time / geo:telem:time

The time that the node was at the position.

The property type is time.

:desc / geo:telem:desc

A description of the telemetry sample.

The property type is str.

:latlong / geo:telem:latlong

The latitude/longitude reading at the time.

The property type is geo:latlong.

:accuracy / geo:telem:accuracy

The reported accuracy of the latlong telemetry reading.

The property type is geo:dist.

:place / geo:telem:place

The place which includes the latlong value.

The property type is geo:place.

:place:name / geo:telem:place:name

The purported place name. Used for entity resolution.

The property type is geo:name.

gov:cn:icp

A Chinese Internet Content Provider ID.

The base type for the form can be found at gov:cn:icp.

Properties:

:org / gov:cn:icp:org

The org with the Internet Content Provider ID.

The property type is ou:org.

gov:cn:mucd

A Chinese PLA MUCD.

The base type for the form can be found at gov:cn:mucd.

Properties:

gov:us:cage

A Commercial and Government Entity (CAGE) code.

The base type for the form can be found at gov:us:cage.

Properties:

:name0 / gov:us:cage:name0

The name of the organization.

The property type is ou:name.

:name1 / gov:us:cage:name1

Name Part 1.

The property type is str. Its type has the following options set:

• lower: True

:street / gov:us:cage:street

The base string type.

The property type is str. Its type has the following options set:

• lower: True

:city / gov:us:cage:city

The base string type.

The property type is str. Its type has the following options set:

• lower: True

:state / gov:us:cage:state

The base string type.

The property type is str. Its type has the following options set:

• lower: True

:zip / gov:us:cage:zip

A US Postal Zip Code.

The property type is gov:us:zip.

:cc / gov:us:cage:cc

The 2 digit ISO country code.

The property type is pol:iso2.

:country / gov:us:cage:country

The base string type.

The property type is str. Its type has the following options set:

• lower: True

:phone0 / gov:us:cage:phone0

A phone number.

The property type is tel:phone.

:phone1 / gov:us:cage:phone1

A phone number.

The property type is tel:phone.

gov:us:ssn

A US Social Security Number (SSN).

The base type for the form can be found at gov:us:ssn.

Properties:

gov:us:zip

A US Postal Zip Code.

The base type for the form can be found at gov:us:zip.

Properties:

graph:cluster

A generic node, used in conjunction with Edge types, to cluster arbitrary nodes to a single node in the model.

The base type for the form can be found at graph:cluster.

Properties:

:name / graph:cluster:name

A human friendly name for the cluster.

The property type is str. Its type has the following options set:

• lower: True

:desc / graph:cluster:desc

A human friendly long form description for the cluster.

The property type is str. Its type has the following options set:

• lower: True

:type / graph:cluster:type

An optional type field used to group clusters.

The property type is str. Its type has the following options set:

• lower: True

graph:edge

A generic digraph edge to show relationships outside the model.

The base type for the form can be found at graph:edge.

Properties:

:n1 / graph:edge:n1

The node definition type for a (form,valu) compound field. It has the following property options set:

• Read Only: True

The property type is ndef.

:n1:form / graph:edge:n1:form

The base string type. It has the following property options set:

• Read Only: True

The property type is str.

:n2 / graph:edge:n2

The node definition type for a (form,valu) compound field. It has the following property options set:

• Read Only: True

The property type is ndef.

:n2:form / graph:edge:n2:form

The base string type. It has the following property options set:

• Read Only: True

The property type is str.

graph:event

A generic event node to represent events outside the model.

The base type for the form can be found at graph:event.

Properties:

:time / graph:event:time

The time of the event.

The property type is time.

:type / graph:event:type

A arbitrary type string for the event.

The property type is str.

:name / graph:event:name

A name for the event.

The property type is str.

:data / graph:event:data

Arbitrary non-indexed msgpack data attached to the event.

The property type is data.

graph:node

A generic node used to represent objects outside the model.

The base type for the form can be found at graph:node.

Properties:

:type / graph:node:type

The type name for the non-model node.

The property type is str.

:name / graph:node:name

A human readable name for this record.

The property type is str.

:data / graph:node:data

Arbitrary non-indexed msgpack data attached to the node.

The property type is data.

graph:timeedge

A generic digraph time edge to show relationships outside the model.

The base type for the form can be found at graph:timeedge.

Properties:

:time / graph:timeedge:time

A date/time value. It has the following property options set:

• Read Only: True

The property type is time.

:n1 / graph:timeedge:n1

The node definition type for a (form,valu) compound field. It has the following property options set:

• Read Only: True

The property type is ndef.

:n1:form / graph:timeedge:n1:form

The base string type. It has the following property options set:

• Read Only: True

The property type is str.

:n2 / graph:timeedge:n2

The node definition type for a (form,valu) compound field. It has the following property options set:

• Read Only: True

The property type is ndef.

:n2:form / graph:timeedge:n2:form

The base string type. It has the following property options set:

• Read Only: True

The property type is str.

hash:md5

A hex encoded MD5 hash.

The base type for the form can be found at hash:md5.

An example of hash:md5:

• d41d8cd98f00b204e9800998ecf8427e

Properties:

hash:sha1

A hex encoded SHA1 hash.

The base type for the form can be found at hash:sha1.

An example of hash:sha1:

• da39a3ee5e6b4b0d3255bfef95601890afd80709

Properties:

hash:sha256

A hex encoded SHA256 hash.

The base type for the form can be found at hash:sha256.

An example of hash:sha256:

• ad9f4fe922b61e674a09530831759843b1880381de686a43460a76864ca0340c

Properties:

hash:sha384

A hex encoded SHA384 hash.

The base type for the form can be found at hash:sha384.

An example of hash:sha384:

• d425f1394e418ce01ed1579069a8bfaa1da8f32cf823982113ccbef531fa36bda9987f389c5af05b5e28035242efab6c

Properties:

hash:sha512

A hex encoded SHA512 hash.

The base type for the form can be found at hash:sha512.

An example of hash:sha512:

• ca74fe2ff2d03b29339ad7d08ba21d192077fece1715291c7b43c20c9136cd132788239189f3441a87eb23ce2660aa243f334295902c904b5520f6e80ab91f11

Properties:

inet:asn

An Autonomous System Number (ASN).

The base type for the form can be found at inet:asn.

Properties:

:name / inet:asn:name

The name of the organization currently responsible for the ASN.

The property type is str. Its type has the following options set:

• lower: True

:owner / inet:asn:owner

The guid of the organization currently responsible for the ASN.

The property type is ou:org.

inet:asnet4

An Autonomous System Number (ASN) and its associated IPv4 address range.

The base type for the form can be found at inet:asnet4.

An example of inet:asnet4:

• (54959, (1.2.3.4, 1.2.3.20))

Properties:

:asn / inet:asnet4:asn

The Autonomous System Number (ASN) of the netblock. It has the following property options set:

• Read Only: True

The property type is inet:asn.

:net4 / inet:asnet4:net4

The IPv4 address range assigned to the ASN. It has the following property options set:

• Read Only: True

The property type is inet:net4.

:net4:min / inet:asnet4:net4:min

The first IPv4 in the range assigned to the ASN. It has the following property options set:

• Read Only: True

The property type is inet:ipv4.

:net4:max / inet:asnet4:net4:max

The last IPv4 in the range assigned to the ASN. It has the following property options set:

• Read Only: True

The property type is inet:ipv4.

inet:asnet6

An Autonomous System Number (ASN) and its associated IPv6 address range.

The base type for the form can be found at inet:asnet6.

An example of inet:asnet6:

• (54959, (ff::00, ff::02))

Properties:

:asn / inet:asnet6:asn

The Autonomous System Number (ASN) of the netblock. It has the following property options set:

• Read Only: True

The property type is inet:asn.

:net6 / inet:asnet6:net6

The IPv6 address range assigned to the ASN. It has the following property options set:

• Read Only: True

The property type is inet:net6.

:net6:min / inet:asnet6:net6:min

The first IPv6 in the range assigned to the ASN. It has the following property options set:

• Read Only: True

The property type is inet:ipv6.

:net6:max / inet:asnet6:net6:max

The last IPv6 in the range assigned to the ASN. It has the following property options set:

• Read Only: True

The property type is inet:ipv6.

inet:banner

A network protocol banner string presented by a server.

The base type for the form can be found at inet:banner.

Properties:

:server / inet:banner:server

The server which presented the banner string. It has the following property options set:

• Read Only: True

The property type is inet:server.

:server:ipv4 / inet:banner:server:ipv4

The IPv4 address of the server. It has the following property options set:

• Read Only: True

The property type is inet:ipv4.

:server:ipv6 / inet:banner:server:ipv6

The IPv6 address of the server. It has the following property options set:

• Read Only: True

The property type is inet:ipv6.

:server:port / inet:banner:server:port

The network port. It has the following property options set:

• Read Only: True

The property type is inet:port.

:text / inet:banner:text

The banner text. It has the following property options set:

• Read Only: True

• disp: {'hint': 'text'}

The property type is it:dev:str.

inet:cidr4

An IPv4 address block in Classless Inter-Domain Routing (CIDR) notation.

The base type for the form can be found at inet:cidr4.

An example of inet:cidr4:

• 1.2.3.0/24

Properties:

:broadcast / inet:cidr4:broadcast

The broadcast IP address from the CIDR notation. It has the following property options set:

• Read Only: True

The property type is inet:ipv4.

:mask / inet:cidr4:mask

The mask from the CIDR notation. It has the following property options set:

• Read Only: True

The property type is int.

:network / inet:cidr4:network

The network IP address from the CIDR notation. It has the following property options set:

• Read Only: True

The property type is inet:ipv4.

inet:cidr6

An IPv6 address block in Classless Inter-Domain Routing (CIDR) notation.

The base type for the form can be found at inet:cidr6.

An example of inet:cidr6:

• 2001:db8::/101

Properties:

:broadcast / inet:cidr6:broadcast

The broadcast IP address from the CIDR notation. It has the following property options set:

• Read Only: True

The property type is inet:ipv6.

:mask / inet:cidr6:mask

The mask from the CIDR notation. It has the following property options set:

• Read Only: True

The property type is int.

:network / inet:cidr6:network

The network IP address from the CIDR notation. It has the following property options set:

• Read Only: True

The property type is inet:ipv6.

inet:client

A network client address.

The base type for the form can be found at inet:client.

An example of inet:client:

• tcp://1.2.3.4:80

Properties:

:proto / inet:client:proto

The network protocol of the client. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

:ipv4 / inet:client:ipv4

The IPv4 of the client. It has the following property options set:

• Read Only: True

The property type is inet:ipv4.

:ipv6 / inet:client:ipv6

The IPv6 of the client. It has the following property options set:

• Read Only: True

The property type is inet:ipv6.

:host / inet:client:host

The it:host node for the client. It has the following property options set:

• Read Only: True

The property type is it:host.

:port / inet:client:port

The client tcp/udp port.

The property type is inet:port.

inet:dns:a

The result of a DNS A record lookup.

The base type for the form can be found at inet:dns:a.

An example of inet:dns:a:

• (vertex.link,1.2.3.4)

Properties:

:fqdn / inet:dns:a:fqdn

The domain queried for its DNS A record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:ipv4 / inet:dns:a:ipv4

The IPv4 address returned in the A record. It has the following property options set:

• Read Only: True

The property type is inet:ipv4.

inet:dns:aaaa

The result of a DNS AAAA record lookup.

The base type for the form can be found at inet:dns:aaaa.

An example of inet:dns:aaaa:

• (vertex.link,2607:f8b0:4004:809::200e)

Properties:

:fqdn / inet:dns:aaaa:fqdn

The domain queried for its DNS AAAA record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:ipv6 / inet:dns:aaaa:ipv6

The IPv6 address returned in the AAAA record. It has the following property options set:

• Read Only: True

The property type is inet:ipv6.

inet:dns:answer

A single answer from within a DNS reply.

The base type for the form can be found at inet:dns:answer.

Properties:

:ttl / inet:dns:answer:ttl

The base 64 bit signed integer type.

The property type is int.

:request / inet:dns:answer:request

A single instance of a DNS resolver request and optional reply info.

The property type is inet:dns:request.

:a / inet:dns:answer:a

The DNS A record returned by the lookup. It has the following property options set:

• Read Only: True

The property type is inet:dns:a.

:ns / inet:dns:answer:ns

The DNS NS record returned by the lookup. It has the following property options set:

• Read Only: True

The property type is inet:dns:ns.

:rev / inet:dns:answer:rev

The DNS PTR record returned by the lookup. It has the following property options set:

• Read Only: True

The property type is inet:dns:rev.

:aaaa / inet:dns:answer:aaaa

The DNS AAAA record returned by the lookup. It has the following property options set:

• Read Only: True

The property type is inet:dns:aaaa.

:rev6 / inet:dns:answer:rev6

The DNS PTR record returned by the lookup of an IPv6 address. It has the following property options set:

• Read Only: True

The property type is inet:dns:rev6.

:cname / inet:dns:answer:cname

The DNS CNAME record returned by the lookup. It has the following property options set:

• Read Only: True

The property type is inet:dns:cname.

:mx / inet:dns:answer:mx

The DNS MX record returned by the lookup. It has the following property options set:

• Read Only: True

The property type is inet:dns:mx.

:soa / inet:dns:answer:soa

The domain queried for its SOA record. It has the following property options set:

• Read Only: True

The property type is inet:dns:soa.

:txt / inet:dns:answer:txt

The DNS TXT record returned by the lookup. It has the following property options set:

• Read Only: True

The property type is inet:dns:txt.

inet:dns:cname

The result of a DNS CNAME record lookup.

The base type for the form can be found at inet:dns:cname.

An example of inet:dns:cname:

• (foo.vertex.link,vertex.link)

Properties:

:fqdn / inet:dns:cname:fqdn

The domain queried for its CNAME record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:cname / inet:dns:cname:cname

The domain returned in the CNAME record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

inet:dns:mx

The result of a DNS MX record lookup.

The base type for the form can be found at inet:dns:mx.

An example of inet:dns:mx:

• (vertex.link,mail.vertex.link)

Properties:

:fqdn / inet:dns:mx:fqdn

The domain queried for its MX record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:mx / inet:dns:mx:mx

The domain returned in the MX record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

inet:dns:ns

The result of a DNS NS record lookup.

The base type for the form can be found at inet:dns:ns.

An example of inet:dns:ns:

• (vertex.link,ns.dnshost.com)

Properties:

:zone / inet:dns:ns:zone

The domain queried for its DNS NS record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:ns / inet:dns:ns:ns

The domain returned in the NS record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

inet:dns:query

A DNS query unique to a given client.

The base type for the form can be found at inet:dns:query.

An example of inet:dns:query:

• (1.2.3.4, woot.com, 1)

Properties:

:client / inet:dns:query:client

A network client address. It has the following property options set:

• Read Only: True

The property type is inet:client.

:name / inet:dns:query:name

A DNS query name string. Likely an FQDN but not always. It has the following property options set:

• Read Only: True

The property type is inet:dns:name.

:name:ipv4 / inet:dns:query:name:ipv4

An IPv4 address.

The property type is inet:ipv4.

:name:ipv6 / inet:dns:query:name:ipv6

An IPv6 address.

The property type is inet:ipv6.

:name:fqdn / inet:dns:query:name:fqdn

A Fully Qualified Domain Name (FQDN).

The property type is inet:fqdn.

:type / inet:dns:query:type

The base 64 bit signed integer type. It has the following property options set:

• Read Only: True

The property type is int.

inet:dns:request

A single instance of a DNS resolver request and optional reply info.

The base type for the form can be found at inet:dns:request.

Properties:

:time / inet:dns:request:time

A date/time value.

The property type is time.

:query / inet:dns:request:query

A DNS query unique to a given client.

The property type is inet:dns:query.

:query:name / inet:dns:request:query:name

A DNS query name string. Likely an FQDN but not always.

The property type is inet:dns:name.

:query:name:ipv4 / inet:dns:request:query:name:ipv4

An IPv4 address.

The property type is inet:ipv4.

:query:name:ipv6 / inet:dns:request:query:name:ipv6

An IPv6 address.

The property type is inet:ipv6.

:query:name:fqdn / inet:dns:request:query:name:fqdn

A Fully Qualified Domain Name (FQDN).

The property type is inet:fqdn.

:query:type / inet:dns:request:query:type

The base 64 bit signed integer type.

The property type is int.

:server / inet:dns:request:server

A network server address.

The property type is inet:server.

:reply:code / inet:dns:request:reply:code

The DNS server response code.

The property type is int.

:exe / inet:dns:request:exe

The file containing the code that attempted the DNS lookup.

The property type is file:bytes.

:proc / inet:dns:request:proc

The process that attempted the DNS lookup.

The property type is it:exec:proc.

:host / inet:dns:request:host

The host that attempted the DNS lookup.

The property type is it:host.

:sandbox:file / inet:dns:request:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

inet:dns:rev

The transformed result of a DNS PTR record lookup.

The base type for the form can be found at inet:dns:rev.

An example of inet:dns:rev:

• (1.2.3.4,vertex.link)

Properties:

:ipv4 / inet:dns:rev:ipv4

The IPv4 address queried for its DNS PTR record. It has the following property options set:

• Read Only: True

The property type is inet:ipv4.

:fqdn / inet:dns:rev:fqdn

The domain returned in the PTR record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

inet:dns:rev6

The transformed result of a DNS PTR record for an IPv6 address.

The base type for the form can be found at inet:dns:rev6.

An example of inet:dns:rev6:

• (2607:f8b0:4004:809::200e,vertex.link)

Properties:

:ipv6 / inet:dns:rev6:ipv6

The IPv6 address queried for its DNS PTR record. It has the following property options set:

• Read Only: True

The property type is inet:ipv6.

:fqdn / inet:dns:rev6:fqdn

The domain returned in the PTR record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

inet:dns:soa

The result of a DNS SOA record lookup.

The base type for the form can be found at inet:dns:soa.

Properties:

:fqdn / inet:dns:soa:fqdn

The domain queried for its SOA record.

The property type is inet:fqdn.

:ns / inet:dns:soa:ns

The domain (MNAME) returned in the SOA record.

The property type is inet:fqdn.

:email / inet:dns:soa:email

The email address (RNAME) returned in the SOA record.

The property type is inet:email.

inet:dns:txt

The result of a DNS MX record lookup.

The base type for the form can be found at inet:dns:txt.

An example of inet:dns:txt:

• (hehe.vertex.link,"fancy TXT record")

Properties:

:fqdn / inet:dns:txt:fqdn

The domain queried for its TXT record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:txt / inet:dns:txt:txt

The string returned in the TXT record. It has the following property options set:

• Read Only: True

The property type is str.

inet:dns:wild:a

A DNS A wild card record and the IPv4 it resolves to.

The base type for the form can be found at inet:dns:wild:a.

Properties:

:fqdn / inet:dns:wild:a:fqdn

The domain containing a wild card record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:ipv4 / inet:dns:wild:a:ipv4

The IPv4 address returned by wild card resolutions. It has the following property options set:

• Read Only: True

The property type is inet:ipv4.

inet:dns:wild:aaaa

A DNS AAAA wild card record and the IPv6 it resolves to.

The base type for the form can be found at inet:dns:wild:aaaa.

Properties:

:fqdn / inet:dns:wild:aaaa:fqdn

The domain containing a wild card record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:ipv6 / inet:dns:wild:aaaa:ipv6

The IPv6 address returned by wild card resolutions. It has the following property options set:

• Read Only: True

The property type is inet:ipv6.

inet:download

An instance of a file downloaded from a server.

The base type for the form can be found at inet:download.

Properties:

:time / inet:download:time

The time the file was downloaded.

The property type is time.

:fqdn / inet:download:fqdn

The FQDN used to resolve the server.

The property type is inet:fqdn.

:file / inet:download:file

The file that was downloaded.

The property type is file:bytes.

:server / inet:download:server

The inet:addr of the server.

The property type is inet:server.

:server:host / inet:download:server:host

The it:host node for the server.

The property type is it:host.

:server:ipv4 / inet:download:server:ipv4

The IPv4 of the server.

The property type is inet:ipv4.

:server:ipv6 / inet:download:server:ipv6

The IPv6 of the server.

The property type is inet:ipv6.

:server:port / inet:download:server:port

The server tcp/udp port.

The property type is inet:port.

:server:proto / inet:download:server:proto

The server network layer protocol.

The property type is str. Its type has the following options set:

• lower: True

:client / inet:download:client

The inet:addr of the client.

The property type is inet:client.

:client:host / inet:download:client:host

The it:host node for the client.

The property type is it:host.

:client:ipv4 / inet:download:client:ipv4

The IPv4 of the client.

The property type is inet:ipv4.

:client:ipv6 / inet:download:client:ipv6

The IPv6 of the client.

The property type is inet:ipv6.

:client:port / inet:download:client:port

The client tcp/udp port.

The property type is inet:port.

:client:proto / inet:download:client:proto

The client network layer protocol.

The property type is str. Its type has the following options set:

• lower: True

inet:email

An e-mail address.

The base type for the form can be found at inet:email.

Properties:

:user / inet:email:user

The username of the email address. It has the following property options set:

• Read Only: True

The property type is inet:user.

:fqdn / inet:email:fqdn

The domain of the email address. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

inet:email:header

A unique email message header.

The base type for the form can be found at inet:email:header.

Properties:

:name / inet:email:header:name

The name of the email header. It has the following property options set:

• Read Only: True

The property type is inet:email:header:name.

:value / inet:email:header:value

The value of the email header. It has the following property options set:

• Read Only: True

The property type is str.

inet:email:message

A unique email message.

The base type for the form can be found at inet:email:message.

Properties:

:to / inet:email:message:to

The email address of the recipient.

The property type is inet:email.

:from / inet:email:message:from

The email address of the sender.

The property type is inet:email.

:replyto / inet:email:message:replyto

The email address from the reply-to header.

The property type is inet:email.

:subject / inet:email:message:subject

The email message subject line.

The property type is str.

:body / inet:email:message:body

The body of the email message. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:date / inet:email:message:date

The time the email message was received.

The property type is time.

:bytes / inet:email:message:bytes

The file bytes which contain the email message.

The property type is file:bytes.

:headers / inet:email:message:headers

An array of email headers from the message.

The property type is array. Its type has the following options set:

• type: inet:email:header

inet:email:message:attachment

A file which was attached to an email message.

The base type for the form can be found at inet:email:message:attachment.

Properties:

:message / inet:email:message:attachment:message

The message containing the attached file. It has the following property options set:

• Read Only: True

The property type is inet:email:message.

:file / inet:email:message:attachment:file

The attached file. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:name / inet:email:message:attachment:name

The name of the attached file.

The property type is file:base.

inet:email:message:link

A url/link embedded in an email message.

The base type for the form can be found at inet:email:message:link.

Properties:

:message / inet:email:message:link:message

The message containing the embedded link. It has the following property options set:

• Read Only: True

The property type is inet:email:message.

:url / inet:email:message:link:url

The url contained within the email message. It has the following property options set:

• Read Only: True

The property type is inet:url.

:text / inet:email:message:link:text

The displayed hyperlink text if it was not the raw URL.

The property type is str.

inet:flow

An individual network connection between a given source and destination.

The base type for the form can be found at inet:flow.

Properties:

:time / inet:flow:time

The time the network connection was initiated.

The property type is time.

:duration / inet:flow:duration

The duration of the flow in seconds.

The property type is int.

:from / inet:flow:from

The ingest source file/iden. Used for reparsing.

The property type is guid.

:dst / inet:flow:dst

The destination address / port for a connection.

The property type is inet:server.

:dst:ipv4 / inet:flow:dst:ipv4

The destination IPv4 address.

The property type is inet:ipv4.

:dst:ipv6 / inet:flow:dst:ipv6

The destination IPv6 address.

The property type is inet:ipv6.

:dst:port / inet:flow:dst:port

The destination port.

The property type is inet:port.

:dst:proto / inet:flow:dst:proto

The destination protocol.

The property type is str. Its type has the following options set:

• lower: True

:dst:host / inet:flow:dst:host

The guid of the destination host.

The property type is it:host.

:dst:proc / inet:flow:dst:proc

The guid of the destination process.

The property type is it:exec:proc.

:dst:exe / inet:flow:dst:exe

The file (executable) that received the connection.

The property type is file:bytes.

:dst:txcount / inet:flow:dst:txcount

The number of packets sent by the destination host.

The property type is int.

:dst:txbytes / inet:flow:dst:txbytes

The number of bytes sent by the destination host.

The property type is int.

:dst:handshake / inet:flow:dst:handshake

A text representation of the initial handshake sent by the server. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:src / inet:flow:src

The source address / port for a connection.

The property type is inet:client.

:src:ipv4 / inet:flow:src:ipv4

The source IPv4 address.

The property type is inet:ipv4.

:src:ipv6 / inet:flow:src:ipv6

The source IPv6 address.

The property type is inet:ipv6.

:src:port / inet:flow:src:port

The source port.

The property type is inet:port.

:src:proto / inet:flow:src:proto

The source protocol.

The property type is str. Its type has the following options set:

• lower: True

:src:host / inet:flow:src:host

The guid of the source host.

The property type is it:host.

:src:proc / inet:flow:src:proc

The guid of the source process.

The property type is it:exec:proc.

:src:exe / inet:flow:src:exe

The file (executable) that created the connection.

The property type is file:bytes.

:src:txcount / inet:flow:src:txcount

The number of packets sent by the source host.

The property type is int.

:src:txbytes / inet:flow:src:txbytes

The number of bytes sent by the source host.

The property type is int.

:tot:txcount / inet:flow:tot:txcount

The number of packets sent in both directions.

The property type is int.

:tot:txbytes / inet:flow:tot:txbytes

The number of bytes sent in both directions.

The property type is int.

:src:handshake / inet:flow:src:handshake

A text representation of the initial handshake sent by the client. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:dst:cpes / inet:flow:dst:cpes

An array of NIST CPEs identified on the destination host.

The property type is array. Its type has the following options set:

• type: it:sec:cpe

• uniq: True

• sorted: True

:dst:softnames / inet:flow:dst:softnames

An array of software names identified on the destination host.

The property type is array. Its type has the following options set:

• type: it:prod:softname

• uniq: True

• sorted: True

:src:cpes / inet:flow:src:cpes

An array of NIST CPEs identified on the source host.

The property type is array. Its type has the following options set:

• type: it:sec:cpe

• uniq: True

• sorted: True

:src:softnames / inet:flow:src:softnames

An array of software names identified on the source host.

The property type is array. Its type has the following options set:

• type: it:prod:softname

• uniq: True

• sorted: True

:ip:proto / inet:flow:ip:proto

The IP protocol number of the flow.

The property type is int. Its type has the following options set:

• min: 0

• max: 255

:ip:tcp:flags / inet:flow:ip:tcp:flags

An aggregation of observed TCP flags commonly provided by flow APIs.

The property type is int. Its type has the following options set:

• min: 0

• max: 255

:sandbox:file / inet:flow:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

inet:fqdn

A Fully Qualified Domain Name (FQDN).

The base type for the form can be found at inet:fqdn.

An example of inet:fqdn:

• vertex.link

Properties:

:domain / inet:fqdn:domain

The parent domain for the FQDN. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:host / inet:fqdn:host

The host part of the FQDN. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

:issuffix / inet:fqdn:issuffix

True if the FQDN is considered a suffix.

The property type is bool.

:iszone / inet:fqdn:iszone

True if the FQDN is considered a zone.

The property type is bool.

:zone / inet:fqdn:zone

The zone level parent for this FQDN.

The property type is inet:fqdn.

inet:group

A group name string.

The base type for the form can be found at inet:group.

Properties:

inet:http:cookie

An HTTP cookie string.

The base type for the form can be found at inet:http:cookie.

Properties:

inet:http:param

An HTTP request path query parameter.

The base type for the form can be found at inet:http:param.

Properties:

:name / inet:http:param:name

The name of the HTTP query parameter. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

:value / inet:http:param:value

The value of the HTTP query parameter. It has the following property options set:

• Read Only: True

The property type is str.

inet:http:request

A single HTTP request.

The base type for the form can be found at inet:http:request.

Properties:

:method / inet:http:request:method

The HTTP request method string.

The property type is str.

:path / inet:http:request:path

The requested HTTP path (without query parameters).

The property type is str.

:url / inet:http:request:url

The reconstructed URL for the request if known.

The property type is inet:url.

:query / inet:http:request:query

The HTTP query string which optionally follows the path.

The property type is str.

:headers / inet:http:request:headers

An array of HTTP headers from the request.

The property type is array. Its type has the following options set:

• type: inet:http:request:header

:body / inet:http:request:body

The body of the HTTP request.

The property type is file:bytes.

:response:time / inet:http:request:response:time

A date/time value.

The property type is time.

:response:code / inet:http:request:response:code

The base 64 bit signed integer type.

The property type is int.

:response:reason / inet:http:request:response:reason

The base string type.

The property type is str.

:response:headers / inet:http:request:response:headers

An array of HTTP headers from the response.

The property type is array. Its type has the following options set:

• type: inet:http:response:header

:response:body / inet:http:request:response:body

The file bytes type with SHA256 based primary property.

The property type is file:bytes.

:session / inet:http:request:session

The HTTP session this request was part of.

The property type is inet:http:session.

:flow / inet:http:request:flow

The raw inet:flow containing the request.

The property type is inet:flow.

:client / inet:http:request:client

The inet:addr of the client.

The property type is inet:client.

:client:ipv4 / inet:http:request:client:ipv4

The server IPv4 address that the request was sent from.

The property type is inet:ipv4.

:client:ipv6 / inet:http:request:client:ipv6

The server IPv6 address that the request was sent from.

The property type is inet:ipv6.

:client:host / inet:http:request:client:host

The host that the request was sent from.

The property type is it:host.

:server / inet:http:request:server

The inet:addr of the server.

The property type is inet:server.

:server:ipv4 / inet:http:request:server:ipv4

The server IPv4 address that the request was sent to.

The property type is inet:ipv4.

:server:ipv6 / inet:http:request:server:ipv6

The server IPv6 address that the request was sent to.

The property type is inet:ipv6.

:server:port / inet:http:request:server:port

The server port that the request was sent to.

The property type is inet:port.

:server:host / inet:http:request:server:host

The host that the request was sent to.

The property type is it:host.

:exe / inet:http:request:exe

The executable file which caused the activity.

The property type is file:bytes.

:proc / inet:http:request:proc

The host process which caused the activity.

The property type is it:exec:proc.

:thread / inet:http:request:thread

The host thread which caused the activity.

The property type is it:exec:thread.

:host / inet:http:request:host

The host on which the activity occurred.

The property type is it:host.

:time / inet:http:request:time

The time that the activity started.

The property type is time.

:sandbox:file / inet:http:request:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

inet:http:request:header

An HTTP request header.

The base type for the form can be found at inet:http:request:header.

Properties:

:name / inet:http:request:header:name

The name of the HTTP request header. It has the following property options set:

• Read Only: True

The property type is inet:http:header:name.

:value / inet:http:request:header:value

The value of the HTTP request header. It has the following property options set:

• Read Only: True

The property type is str.

inet:http:response:header

An HTTP response header.

The base type for the form can be found at inet:http:response:header.

Properties:

:name / inet:http:response:header:name

The name of the HTTP response header. It has the following property options set:

• Read Only: True

The property type is inet:http:header:name.

:value / inet:http:response:header:value

The value of the HTTP response header. It has the following property options set:

• Read Only: True

The property type is str.

inet:http:session

An HTTP session.

The base type for the form can be found at inet:http:session.

Properties:

:contact / inet:http:session:contact

The ps:contact which owns the session.

The property type is ps:contact.

inet:iface

A network interface with a set of associated protocol addresses.

The base type for the form can be found at inet:iface.

Properties:

:host / inet:iface:host

The guid of the host the interface is associated with.

The property type is it:host.

:network / inet:iface:network

The guid of the it:network the interface connected to.

The property type is it:network.

:type / inet:iface:type

The free-form interface type.

The property type is str. Its type has the following options set:

• lower: True

:mac / inet:iface:mac

The ethernet (MAC) address of the interface.

The property type is inet:mac.

:ipv4 / inet:iface:ipv4

The IPv4 address of the interface.

The property type is inet:ipv4.

:ipv6 / inet:iface:ipv6

The IPv6 address of the interface.

The property type is inet:ipv6.

:phone / inet:iface:phone

The telephone number of the interface.

The property type is tel:phone.

:wifi:ssid / inet:iface:wifi:ssid

The wifi SSID of the interface.

The property type is inet:wifi:ssid.

:wifi:bssid / inet:iface:wifi:bssid

The wifi BSSID of the interface.

The property type is inet:mac.

:adid / inet:iface:adid

An advertising ID associated with the interface.

The property type is it:adid.

:mob:imei / inet:iface:mob:imei

The IMEI of the interface.

The property type is tel:mob:imei.

:mob:imsi / inet:iface:mob:imsi

The IMSI of the interface.

The property type is tel:mob:imsi.

inet:ipv4

An IPv4 address.

The base type for the form can be found at inet:ipv4.

An example of inet:ipv4:

• 1.2.3.4

Properties:

:asn / inet:ipv4:asn

The ASN to which the IPv4 address is currently assigned.

The property type is inet:asn.

:latlong / inet:ipv4:latlong

The best known latitude/longitude for the node.

The property type is geo:latlong.

:loc / inet:ipv4:loc

The geo-political location string for the IPv4.

The property type is loc.

:place / inet:ipv4:place

The geo:place associated with the latlong property.

The property type is geo:place.

:type / inet:ipv4:type

The type of IP address (e.g., private, multicast, etc.).

The property type is str.

:dns:rev / inet:ipv4:dns:rev

The most current DNS reverse lookup for the IPv4.

The property type is inet:fqdn.

inet:ipv6

An IPv6 address.

The base type for the form can be found at inet:ipv6.

An example of inet:ipv6:

• 2607:f8b0:4004:809::200e

Properties:

:asn / inet:ipv6:asn

The ASN to which the IPv6 address is currently assigned.

The property type is inet:asn.

:ipv4 / inet:ipv6:ipv4

The mapped ipv4.

The property type is inet:ipv4.

:latlong / inet:ipv6:latlong

The last known latitude/longitude for the node.

The property type is geo:latlong.

:place / inet:ipv6:place

The geo:place associated with the latlong property.

The property type is geo:place.

:dns:rev / inet:ipv6:dns:rev

The most current DNS reverse lookup for the IPv6.

The property type is inet:fqdn.

:loc / inet:ipv6:loc

The geo-political location string for the IPv6.

The property type is loc.

inet:mac

A 48-bit Media Access Control (MAC) address.

The base type for the form can be found at inet:mac.

An example of inet:mac:

• aa:bb:cc:dd:ee:ff

Properties:

:vendor / inet:mac:vendor

The vendor associated with the 24-bit prefix of a MAC address.

The property type is str.

inet:passwd

A password string.

The base type for the form can be found at inet:passwd.

Properties:

:md5 / inet:passwd:md5

The MD5 hash of the password. It has the following property options set:

• Read Only: True

The property type is hash:md5.

:sha1 / inet:passwd:sha1

The SHA1 hash of the password. It has the following property options set:

• Read Only: True

The property type is hash:sha1.

:sha256 / inet:passwd:sha256

The SHA256 hash of the password. It has the following property options set:

• Read Only: True

The property type is hash:sha256.

inet:rfc2822:addr

An RFC 2822 Address field.

The base type for the form can be found at inet:rfc2822:addr.

An example of inet:rfc2822:addr:

• "Visi Kenshoto" <visi@vertex.link>

Properties:

:name / inet:rfc2822:addr:name

The name field parsed from an RFC 2822 address string. It has the following property options set:

• Read Only: True

The property type is ps:name.

:email / inet:rfc2822:addr:email

The email field parsed from an RFC 2822 address string. It has the following property options set:

• Read Only: True

The property type is inet:email.

inet:search:query

An instance of a search query issued to a search engine.

The base type for the form can be found at inet:search:query.

Properties:

:text / inet:search:query:text

The search query text. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:time / inet:search:query:time

The time the web search was issued.

The property type is time.

:acct / inet:search:query:acct

The account that the query was issued as.

The property type is inet:web:acct.

:host / inet:search:query:host

The host that issued the query.

The property type is it:host.

:engine / inet:search:query:engine

A simple name for the search engine used. It has the following property options set:

• Example: google

The property type is str. Its type has the following options set:

• lower: True

inet:search:result

A single result from a web search.

The base type for the form can be found at inet:search:result.

Properties:

:query / inet:search:result:query

The search query that produced the result.

The property type is inet:search:query.

:title / inet:search:result:title

The title of the matching web page.

The property type is str. Its type has the following options set:

• lower: True

:rank / inet:search:result:rank

The rank/order of the query result.

The property type is int.

:url / inet:search:result:url

The URL hosting the matching content.

The property type is inet:url.

:text / inet:search:result:text

Extracted/matched text from the matched content.

The property type is str. Its type has the following options set:

• lower: True

inet:server

A network server address.

The base type for the form can be found at inet:server.

An example of inet:server:

• tcp://1.2.3.4:80

Properties:

:proto / inet:server:proto

The network protocol of the server. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

:ipv4 / inet:server:ipv4

The IPv4 of the server. It has the following property options set:

• Read Only: True

The property type is inet:ipv4.

:ipv6 / inet:server:ipv6

The IPv6 of the server. It has the following property options set:

• Read Only: True

The property type is inet:ipv6.

:host / inet:server:host

The it:host node for the server. It has the following property options set:

• Read Only: True

The property type is it:host.

:port / inet:server:port

The server tcp/udp port.

The property type is inet:port.

inet:servfile

A file hosted on a server for access over a network protocol.

The base type for the form can be found at inet:servfile.

Properties:

:file / inet:servfile:file

The file hosted by the server. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:server / inet:servfile:server

The inet:addr of the server. It has the following property options set:

• Read Only: True

The property type is inet:server.

:server:proto / inet:servfile:server:proto

The network protocol of the server. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

:server:ipv4 / inet:servfile:server:ipv4

The IPv4 of the server. It has the following property options set:

• Read Only: True

The property type is inet:ipv4.

:server:ipv6 / inet:servfile:server:ipv6

The IPv6 of the server. It has the following property options set:

• Read Only: True

The property type is inet:ipv6.

:server:host / inet:servfile:server:host

The it:host node for the server. It has the following property options set:

• Read Only: True

The property type is it:host.

:server:port / inet:servfile:server:port

The server tcp/udp port.

The property type is inet:port.

inet:ssl:cert

An SSL certificate file served by a server.

The base type for the form can be found at inet:ssl:cert.

An example of inet:ssl:cert:

• (1.2.3.4:443, guid:d41d8cd98f00b204e9800998ecf8427e)

Properties:

:file / inet:ssl:cert:file

The file bytes for the SSL certificate. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:server / inet:ssl:cert:server

The server that presented the SSL certificate. It has the following property options set:

• Read Only: True

The property type is inet:server.

:server:ipv4 / inet:ssl:cert:server:ipv4

The SSL server IPv4 address. It has the following property options set:

• Read Only: True

The property type is inet:ipv4.

:server:ipv6 / inet:ssl:cert:server:ipv6

The SSL server IPv6 address. It has the following property options set:

• Read Only: True

The property type is inet:ipv6.

:server:port / inet:ssl:cert:server:port

The SSL server listening port. It has the following property options set:

• Read Only: True

The property type is inet:port.

inet:ssl:jarmhash

A TLS JARM fingerprint hash.

The base type for the form can be found at inet:ssl:jarmhash.

Properties:

:ciphers / inet:ssl:jarmhash:ciphers

The encoded cipher and TLS version of the server. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

• regex: ^[0-9a-f]{30}$

:extensions / inet:ssl:jarmhash:extensions

The truncated SHA256 of the TLS server extensions. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

• regex: ^[0-9a-f]{32}$

inet:ssl:jarmsample

A JARM hash sample taken from a server.

The base type for the form can be found at inet:ssl:jarmsample.

Properties:

:jarmhash / inet:ssl:jarmsample:jarmhash

The JARM hash computed from the server responses. It has the following property options set:

• Read Only: True

The property type is inet:ssl:jarmhash.

:server / inet:ssl:jarmsample:server

The server that was sampled to compute the JARM hash. It has the following property options set:

• Read Only: True

The property type is inet:server.

inet:tunnel

A specific sequence of hosts forwarding connections such as a VPN or proxy.

The base type for the form can be found at inet:tunnel.

Properties:

:anon / inet:tunnel:anon

Indicates that this tunnel provides anonymization.

The property type is bool.

:type / inet:tunnel:type

The type of tunnel such as vpn or proxy.

The property type is inet:tunnel:type:taxonomy.

:ingress / inet:tunnel:ingress

The server where client traffic enters the tunnel.

The property type is inet:server.

:egress / inet:tunnel:egress

The server where client traffic leaves the tunnel.

The property type is inet:server.

:operator / inet:tunnel:operator

The contact information for the tunnel operator.

The property type is ps:contact.

inet:tunnel:type:taxonomy

A taxonomy of network tunnel types.

The base type for the form can be found at inet:tunnel:type:taxonomy.

Properties:

:title / inet:tunnel:type:taxonomy:title

A brief title of the definition.

The property type is str.

:summary / inet:tunnel:type:taxonomy:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / inet:tunnel:type:taxonomy:sort

A display sort order for siblings.

The property type is int.

:base / inet:tunnel:type:taxonomy:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / inet:tunnel:type:taxonomy:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / inet:tunnel:type:taxonomy:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is inet:tunnel:type:taxonomy.

inet:url

A Universal Resource Locator (URL).

The base type for the form can be found at inet:url.

An example of inet:url:

• http://www.woot.com/files/index.html

Properties:

:fqdn / inet:url:fqdn

The fqdn used in the URL (e.g., http://www.woot.com/page.html). It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:ipv4 / inet:url:ipv4

The IPv4 address used in the URL (e.g., http://1.2.3.4/page.html). It has the following property options set:

• Read Only: True

The property type is inet:ipv4.

:ipv6 / inet:url:ipv6

The IPv6 address used in the URL. It has the following property options set:

• Read Only: True

The property type is inet:ipv6.

:passwd / inet:url:passwd

The optional password used to access the URL. It has the following property options set:

• Read Only: True

The property type is inet:passwd.

:base / inet:url:base

The base scheme, user/pass, fqdn, port and path w/o parameters. It has the following property options set:

• Read Only: True

The property type is str.

:path / inet:url:path

The path in the URL w/o parameters. It has the following property options set:

• Read Only: True

The property type is str.

:params / inet:url:params

The URL parameter string. It has the following property options set:

• Read Only: True

The property type is str.

:port / inet:url:port

The port of the URL. URLs prefixed with http will be set to port 80 and URLs prefixed with https will be set to port 443 unless otherwise specified. It has the following property options set:

• Read Only: True

The property type is inet:port.

:proto / inet:url:proto

The protocol in the URL. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

:user / inet:url:user

The optional username used to access the URL. It has the following property options set:

• Read Only: True

The property type is inet:user.

inet:url:mirror

A URL mirror site.

The base type for the form can be found at inet:url:mirror.

Properties:

:of / inet:url:mirror:of

The URL being mirrored. It has the following property options set:

• Read Only: True

The property type is inet:url.

:at / inet:url:mirror:at

The URL of the mirror. It has the following property options set:

• Read Only: True

The property type is inet:url.

inet:urlfile

A file hosted at a specific Universal Resource Locator (URL).

The base type for the form can be found at inet:urlfile.

Properties:

:url / inet:urlfile:url

The URL where the file was hosted. It has the following property options set:

• Read Only: True

The property type is inet:url.

:file / inet:urlfile:file

The file that was hosted at the URL. It has the following property options set:

• Read Only: True

The property type is file:bytes.

inet:urlredir

A URL that redirects to another URL, such as via a URL shortening service or an HTTP 302 response.

The base type for the form can be found at inet:urlredir.

An example of inet:urlredir:

• (http://foo.com/,http://bar.com/)

Properties:

:src / inet:urlredir:src

The original/source URL before redirect. It has the following property options set:

• Read Only: True

The property type is inet:url.

:src:fqdn / inet:urlredir:src:fqdn

The FQDN within the src URL (if present). It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:dst / inet:urlredir:dst

The redirected/destination URL. It has the following property options set:

• Read Only: True

The property type is inet:url.

:dst:fqdn / inet:urlredir:dst:fqdn

The FQDN within the dst URL (if present). It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

inet:user

A username string.

The base type for the form can be found at inet:user.

Properties:

inet:web:acct

An account with a given Internet-based site or service.

The base type for the form can be found at inet:web:acct.

An example of inet:web:acct:

• twitter.com/invisig0th

Properties:

:avatar / inet:web:acct:avatar

The file representing the avatar (e.g., profile picture) for the account.

The property type is file:bytes.

:banner / inet:web:acct:banner

The file representing the banner for the account.

The property type is file:bytes.

:dob / inet:web:acct:dob

A self-declared date of birth for the account (if the account belongs to a person).

The property type is time.

:email / inet:web:acct:email

The email address associated with the account.

The property type is inet:email.

:linked:accts / inet:web:acct:linked:accts

Linked accounts specified in the account profile.

The property type is array. Its type has the following options set:

• type: inet:web:acct

• uniq: True

• sorted: True

:latlong / inet:web:acct:latlong

The last known latitude/longitude for the node.

The property type is geo:latlong.

:place / inet:web:acct:place

The geo:place associated with the latlong property.

The property type is geo:place.

:loc / inet:web:acct:loc

A self-declared location for the account.

The property type is loc.

:name / inet:web:acct:name

The localized name associated with the account (may be different from the account identifier, e.g., a display name).

The property type is inet:user.

:name:en / inet:web:acct:name:en

The English version of the name associated with the (may be different from the account identifier, e.g., a display name).

The property type is inet:user.

:aliases / inet:web:acct:aliases

An array of alternate names for the user.

The property type is array. Its type has the following options set:

• type: inet:user

• uniq: True

• sorted: True

:occupation / inet:web:acct:occupation

A self-declared occupation for the account.

The property type is str. Its type has the following options set:

• lower: True

:passwd / inet:web:acct:passwd

The current password for the account.

The property type is inet:passwd.

:phone / inet:web:acct:phone

The phone number associated with the account.

The property type is tel:phone.

:realname / inet:web:acct:realname

The localized version of the real name of the account owner / registrant.

The property type is ps:name.

:realname:en / inet:web:acct:realname:en

The English version of the real name of the account owner / registrant.

The property type is ps:name.

:signup / inet:web:acct:signup

The date and time the account was registered.

The property type is time.

:signup:client / inet:web:acct:signup:client

The client address used to sign up for the account.

The property type is inet:client.

:signup:client:ipv4 / inet:web:acct:signup:client:ipv4

The IPv4 address used to sign up for the account.

The property type is inet:ipv4.

:signup:client:ipv6 / inet:web:acct:signup:client:ipv6

The IPv6 address used to sign up for the account.

The property type is inet:ipv6.

:site / inet:web:acct:site

The site or service associated with the account. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:tagline / inet:web:acct:tagline

The text of the account status or tag line.

The property type is str.

:url / inet:web:acct:url

The service provider URL where the account is hosted.

The property type is inet:url.

:user / inet:web:acct:user

The unique identifier for the account (may be different from the common name or display name). It has the following property options set:

• Read Only: True

The property type is inet:user.

:webpage / inet:web:acct:webpage

A related URL specified by the account (e.g., a personal or company web page, blog, etc.).

The property type is inet:url.

:recovery:email / inet:web:acct:recovery:email

An email address registered as a recovery email address for the account.

The property type is inet:email.

inet:web:action

An instance of an account performing an action at an Internet-based site or service.

The base type for the form can be found at inet:web:action.

Properties:

:act / inet:web:action:act

The action performed by the account.

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:acct / inet:web:action:acct

The web account associated with the action.

The property type is inet:web:acct.

:acct:site / inet:web:action:acct:site

The site or service associated with the account.

The property type is inet:fqdn.

:acct:user / inet:web:action:acct:user

The unique identifier for the account.

The property type is inet:user.

:time / inet:web:action:time

The date and time the account performed the action.

The property type is time.

:client / inet:web:action:client

The source client address of the action.

The property type is inet:client.

:client:ipv4 / inet:web:action:client:ipv4

The source IPv4 address of the action.

The property type is inet:ipv4.

:client:ipv6 / inet:web:action:client:ipv6

The source IPv6 address of the action.

The property type is inet:ipv6.

:loc / inet:web:action:loc

The location of the user executing the web action.

The property type is loc.

:latlong / inet:web:action:latlong

The latlong of the user when executing the web action.

The property type is geo:latlong.

:place / inet:web:action:place

The geo:place of the user when executing the web action.

The property type is geo:place.

inet:web:channel

A channel within a web service or instance such as slack or discord.

The base type for the form can be found at inet:web:channel.

Properties:

:url / inet:web:channel:url

The primary URL used to identify the channel. It has the following property options set:

• Example: https://app.slack.com/client/T2XK1223Y/C2XHHNDS7

The property type is inet:url.

:id / inet:web:channel:id

The operator specified ID of this channel. It has the following property options set:

• Example: C2XHHNDS7

The property type is str. Its type has the following options set:

• strip: True

:instance / inet:web:channel:instance

The instance which contains the channel.

The property type is inet:web:instance.

:name / inet:web:channel:name

The visible name of the channel. It has the following property options set:

• Example: general

The property type is str. Its type has the following options set:

• strip: True

:topic / inet:web:channel:topic

The visible topic of the channel. It has the following property options set:

• Example: Synapse Discussion - Feel free to invite others!

The property type is str. Its type has the following options set:

• strip: True

:created / inet:web:channel:created

The time the channel was created.

The property type is time.

:creator / inet:web:channel:creator

The account which created the channel.

The property type is inet:web:acct.

inet:web:chprofile

A change to a web account. Used to capture historical properties associated with an account, as opposed to current data in the inet:web:acct node.

The base type for the form can be found at inet:web:chprofile.

Properties:

:acct / inet:web:chprofile:acct

The web account associated with the change.

The property type is inet:web:acct.

:acct:site / inet:web:chprofile:acct:site

The site or service associated with the account.

The property type is inet:fqdn.

:acct:user / inet:web:chprofile:acct:user

The unique identifier for the account.

The property type is inet:user.

:client / inet:web:chprofile:client

The source address used to make the account change.

The property type is inet:client.

:client:ipv4 / inet:web:chprofile:client:ipv4

The source IPv4 address used to make the account change.

The property type is inet:ipv4.

:client:ipv6 / inet:web:chprofile:client:ipv6

The source IPv6 address used to make the account change.

The property type is inet:ipv6.

:time / inet:web:chprofile:time

The date and time when the account change occurred.

The property type is time.

:pv / inet:web:chprofile:pv

The prop=valu of the account property that was changed. Valu should be the old / original value, while the new value should be updated on the inet:web:acct form.

The property type is nodeprop.

:pv:prop / inet:web:chprofile:pv:prop

The property that was changed.

The property type is str.

inet:web:file

A file posted by a web account.

The base type for the form can be found at inet:web:file.

Properties:

:acct / inet:web:file:acct

The account that owns or is associated with the file. It has the following property options set:

• Read Only: True

The property type is inet:web:acct.

:acct:site / inet:web:file:acct:site

The site or service associated with the account. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:acct:user / inet:web:file:acct:user

The unique identifier for the account. It has the following property options set:

• Read Only: True

The property type is inet:user.

:file / inet:web:file:file

The file owned by or associated with the account. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:name / inet:web:file:name

The name of the file owned by or associated with the account.

The property type is file:base.

:posted / inet:web:file:posted

The date and time the file was posted / submitted.

The property type is time.

:client / inet:web:file:client

The source client address used to post or submit the file.

The property type is inet:client.

:client:ipv4 / inet:web:file:client:ipv4

The source IPv4 address used to post or submit the file.

The property type is inet:ipv4.

:client:ipv6 / inet:web:file:client:ipv6

The source IPv6 address used to post or submit the file.

The property type is inet:ipv6.

inet:web:follows

A web account follows or is connected to another web account.

The base type for the form can be found at inet:web:follows.

Properties:

:follower / inet:web:follows:follower

The account following an account. It has the following property options set:

• Read Only: True

The property type is inet:web:acct.

:followee / inet:web:follows:followee

The account followed by an account. It has the following property options set:

• Read Only: True

The property type is inet:web:acct.

inet:web:group

A group hosted within or registered with a given Internet-based site or service.

The base type for the form can be found at inet:web:group.

An example of inet:web:group:

• somesite.com/mycoolgroup

Properties:

:site / inet:web:group:site

The site or service associated with the group. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:id / inet:web:group:id

The site-specific unique identifier for the group (may be different from the common name or display name). It has the following property options set:

• Read Only: True

The property type is inet:group.

:name / inet:web:group:name

The localized name associated with the group (may be different from the account identifier, e.g., a display name).

The property type is inet:group.

:aliases / inet:web:group:aliases

An array of alternate names for the group.

The property type is array. Its type has the following options set:

• type: inet:group

• uniq: True

• sorted: True

:name:en / inet:web:group:name:en

The English version of the name associated with the group (may be different from the localized name).

The property type is inet:group.

:url / inet:web:group:url

The service provider URL where the group is hosted.

The property type is inet:url.

:avatar / inet:web:group:avatar

The file representing the avatar (e.g., profile picture) for the group.

The property type is file:bytes.

:desc / inet:web:group:desc

The text of the description of the group.

The property type is str.

:webpage / inet:web:group:webpage

A related URL specified by the group (e.g., primary web site, etc.).

The property type is inet:url.

:loc / inet:web:group:loc

A self-declared location for the group.

The property type is str. Its type has the following options set:

• lower: True

:latlong / inet:web:group:latlong

The last known latitude/longitude for the node.

The property type is geo:latlong.

:place / inet:web:group:place

The geo:place associated with the latlong property.

The property type is geo:place.

:signup / inet:web:group:signup

The date and time the group was created on the site.

The property type is time.

:signup:client / inet:web:group:signup:client

The client address used to create the group.

The property type is inet:client.

:signup:client:ipv4 / inet:web:group:signup:client:ipv4

The IPv4 address used to create the group.

The property type is inet:ipv4.

:signup:client:ipv6 / inet:web:group:signup:client:ipv6

The IPv6 address used to create the group.

The property type is inet:ipv6.

inet:web:hashtag

A hashtag used in a web post.

The base type for the form can be found at inet:web:hashtag.

Properties:

inet:web:instance

An instance of a web service such as slack or discord.

The base type for the form can be found at inet:web:instance.

Properties:

:url / inet:web:instance:url

The primary URL used to identify the instance. It has the following property options set:

• Example: https://app.slack.com/client/T2XK1223Y

The property type is inet:url.

:id / inet:web:instance:id

The operator specified ID of this instance. It has the following property options set:

• Example: T2XK1223Y

The property type is str. Its type has the following options set:

• strip: True

:name / inet:web:instance:name

The visible name of the instance. It has the following property options set:

• Example: vertex synapse

The property type is str. Its type has the following options set:

• strip: True

:created / inet:web:instance:created

The time the instance was created.

The property type is time.

:creator / inet:web:instance:creator

The account which created the instance.

The property type is inet:web:acct.

:owner / inet:web:instance:owner

The organization which created the instance.

The property type is ou:org.

:owner:fqdn / inet:web:instance:owner:fqdn

The FQDN of the organization which created the instance. Used for entity resolution. It has the following property options set:

• Example: vertex.link

The property type is inet:fqdn.

:owner:name / inet:web:instance:owner:name

The name of the organization which created the instance. Used for entity resolution. It has the following property options set:

• Example: the vertex project, llc.

The property type is ou:name.

:operator / inet:web:instance:operator

The organization which operates the instance.

The property type is ou:org.

:operator:name / inet:web:instance:operator:name

The name of the organization which operates the instance. Used for entity resolution. It has the following property options set:

• Example: slack

The property type is ou:name.

:operator:fqdn / inet:web:instance:operator:fqdn

The FQDN of the organization which operates the instance. Used for entity resolution. It has the following property options set:

• Example: slack.com

The property type is inet:fqdn.

inet:web:logon

An instance of an account authenticating to an Internet-based site or service.

The base type for the form can be found at inet:web:logon.

Properties:

:acct / inet:web:logon:acct

The web account associated with the logon event. It has the following property options set:

• Read Only: True

The property type is inet:web:acct.

:acct:site / inet:web:logon:acct:site

The site or service associated with the account. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:acct:user / inet:web:logon:acct:user

The unique identifier for the account. It has the following property options set:

• Read Only: True

The property type is inet:user.

:time / inet:web:logon:time

The date and time the account logged into the service. It has the following property options set:

• Read Only: True

The property type is time.

:client / inet:web:logon:client

The source address of the logon.

The property type is inet:client.

:client:ipv4 / inet:web:logon:client:ipv4

The source IPv4 address of the logon.

The property type is inet:ipv4.

:client:ipv6 / inet:web:logon:client:ipv6

The source IPv6 address of the logon.

The property type is inet:ipv6.

:logout / inet:web:logon:logout

The date and time the account logged out of the service. It has the following property options set:

• Read Only: True

The property type is time.

:loc / inet:web:logon:loc

The location of the user executing the logon.

The property type is loc.

:latlong / inet:web:logon:latlong

The latlong of the user executing the logon.

The property type is geo:latlong.

:place / inet:web:logon:place

The geo:place of the user executing the logon.

The property type is geo:place.

inet:web:memb

Deprecated. Please use inet:web:member.

The base type for the form can be found at inet:web:memb.

Properties:

:acct / inet:web:memb:acct

The account that is a member of the group. It has the following property options set:

• Read Only: True

The property type is inet:web:acct.

:group / inet:web:memb:group

The group that the account is a member of. It has the following property options set:

• Read Only: True

The property type is inet:web:group.

:title / inet:web:memb:title

The title or status of the member (e.g., admin, new member, etc.).

The property type is str. Its type has the following options set:

• lower: True

:joined / inet:web:memb:joined

The date / time the account joined the group.

The property type is time.

inet:web:member

Represents a web account membership in a channel or group.

The base type for the form can be found at inet:web:member.

Properties:

:acct / inet:web:member:acct

The account that is a member of the group or channel.

The property type is inet:web:acct.

:group / inet:web:member:group

The group that the account is a member of.

The property type is inet:web:group.

:channel / inet:web:member:channel

The channel that the account is a member of.

The property type is inet:web:channel.

:added / inet:web:member:added

The date / time the account was added to the group or channel.

The property type is time.

:removed / inet:web:member:removed

The date / time the account was removed from the group or channel.

The property type is time.

inet:web:mesg

A message sent from one web account to another web account or channel.

The base type for the form can be found at inet:web:mesg.

An example of inet:web:mesg:

• ((twitter.com, invisig0th), (twitter.com, gobbles), 20041012130220)

Properties:

:from / inet:web:mesg:from

The web account that sent the message. It has the following property options set:

• Read Only: True

The property type is inet:web:acct.

:to / inet:web:mesg:to

The web account that received the message. It has the following property options set:

• Read Only: True

The property type is inet:web:acct.

:client / inet:web:mesg:client

The source address of the message.

The property type is inet:client.

:client:ipv4 / inet:web:mesg:client:ipv4

The source IPv4 address of the message.

The property type is inet:ipv4.

:client:ipv6 / inet:web:mesg:client:ipv6

The source IPv6 address of the message.

The property type is inet:ipv6.

:time / inet:web:mesg:time

The date and time at which the message was sent. It has the following property options set:

• Read Only: True

The property type is time.

:url / inet:web:mesg:url

The URL where the message is posted / visible.

The property type is inet:url.

:text / inet:web:mesg:text

The text of the message. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:deleted / inet:web:mesg:deleted

The message was deleted.

The property type is bool.

:file / inet:web:mesg:file

The file attached to or sent with the message.

The property type is file:bytes.

:place / inet:web:mesg:place

The place that the message was reportedly sent from.

The property type is geo:place.

:place:name / inet:web:mesg:place:name

The name of the place that the message was reportedly sent from. Used for entity resolution.

The property type is geo:name.

:instance / inet:web:mesg:instance

The instance where the message was sent.

The property type is inet:web:instance.

inet:web:post

A post made by a web account.

The base type for the form can be found at inet:web:post.

Properties:

:acct / inet:web:post:acct

The web account that made the post.

The property type is inet:web:acct.

:acct:site / inet:web:post:acct:site

The site or service associated with the account.

The property type is inet:fqdn.

:client / inet:web:post:client

The source address of the post.

The property type is inet:client.

:client:ipv4 / inet:web:post:client:ipv4

The source IPv4 address of the post.

The property type is inet:ipv4.

:client:ipv6 / inet:web:post:client:ipv6

The source IPv6 address of the post.

The property type is inet:ipv6.

:acct:user / inet:web:post:acct:user

The unique identifier for the account.

The property type is inet:user.

:text / inet:web:post:text

The text of the post. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:time / inet:web:post:time

The date and time that the post was made.

The property type is time.

:deleted / inet:web:post:deleted

The message was deleted by the poster.

The property type is bool.

:url / inet:web:post:url

The URL where the post is published / visible.

The property type is inet:url.

:file / inet:web:post:file

The file that was attached to the post.

The property type is file:bytes.

:replyto / inet:web:post:replyto

The post that this post is in reply to.

The property type is inet:web:post.

:repost / inet:web:post:repost

The original post that this is a repost of.

The property type is inet:web:post.

:hashtags / inet:web:post:hashtags

Hashtags mentioned within the post.

The property type is array. Its type has the following options set:

• type: inet:web:hashtag

• uniq: True

• sorted: True

• split: ,

:mentions:users / inet:web:post:mentions:users

Accounts mentioned within the post.

The property type is array. Its type has the following options set:

• type: inet:web:acct

• uniq: True

• sorted: True

• split: ,

:mentions:groups / inet:web:post:mentions:groups

Groups mentioned within the post.

The property type is array. Its type has the following options set:

• type: inet:web:group

• uniq: True

• sorted: True

• split: ,

:loc / inet:web:post:loc

The location that the post was reportedly sent from.

The property type is loc.

:place / inet:web:post:place

The place that the post was reportedly sent from.

The property type is geo:place.

:place:name / inet:web:post:place:name

The name of the place that the post was reportedly sent from. Used for entity resolution.

The property type is geo:name.

:latlong / inet:web:post:latlong

The place that the post was reportedly sent from.

The property type is geo:latlong.

:channel / inet:web:post:channel

The channel where the post was made.

The property type is inet:web:channel.

inet:web:post:link

A link contained within post text.

The base type for the form can be found at inet:web:post:link.

Properties:

:post / inet:web:post:link:post

The post containing the embedded link.

The property type is inet:web:post.

:url / inet:web:post:link:url

The url that the link forwards to.

The property type is inet:url.

:text / inet:web:post:link:text

The displayed hyperlink text if it was not the raw URL.

The property type is str.

inet:whois:contact

An individual contact from a domain whois record.

The base type for the form can be found at inet:whois:contact.

Properties:

:rec / inet:whois:contact:rec

The whois record containing the contact data. It has the following property options set:

• Read Only: True

The property type is inet:whois:rec.

:rec:fqdn / inet:whois:contact:rec:fqdn

The domain associated with the whois record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:rec:asof / inet:whois:contact:rec:asof

The date of the whois record. It has the following property options set:

• Read Only: True

The property type is time.

:type / inet:whois:contact:type

The contact type (e.g., registrar, registrant, admin, billing, tech, etc.). It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

:id / inet:whois:contact:id

The ID associated with the contact.

The property type is str. Its type has the following options set:

• lower: True

:name / inet:whois:contact:name

The name of the contact.

The property type is str. Its type has the following options set:

• lower: True

:email / inet:whois:contact:email

The email address of the contact.

The property type is inet:email.

:orgname / inet:whois:contact:orgname

The name of the contact organization.

The property type is ou:name.

:address / inet:whois:contact:address

The content of the street address field(s) of the contact.

The property type is str. Its type has the following options set:

• lower: True

:city / inet:whois:contact:city

The content of the city field of the contact.

The property type is str. Its type has the following options set:

• lower: True

:state / inet:whois:contact:state

The content of the state field of the contact.

The property type is str. Its type has the following options set:

• lower: True

:country / inet:whois:contact:country

The two-letter country code of the contact.

The property type is str. Its type has the following options set:

• lower: True

:phone / inet:whois:contact:phone

The content of the phone field of the contact.

The property type is tel:phone.

:fax / inet:whois:contact:fax

The content of the fax field of the contact.

The property type is tel:phone.

:url / inet:whois:contact:url

The URL specified for the contact.

The property type is inet:url.

:whois:fqdn / inet:whois:contact:whois:fqdn

The whois server FQDN for the given contact (most likely a registrar).

The property type is inet:fqdn.

inet:whois:email

An email address associated with an FQDN via whois registration text.

The base type for the form can be found at inet:whois:email.

Properties:

:fqdn / inet:whois:email:fqdn

The domain with a whois record containing the email address. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:email / inet:whois:email:email

The email address associated with the domain whois record. It has the following property options set:

• Read Only: True

The property type is inet:email.

inet:whois:ipcontact

An individual contact from an IP block record.

The base type for the form can be found at inet:whois:ipcontact.

Properties:

:contact / inet:whois:ipcontact:contact

Contact information associated with a registration.

The property type is ps:contact.

:asof / inet:whois:ipcontact:asof

The date of the record.

The property type is time.

:created / inet:whois:ipcontact:created

The “created” time from the record.

The property type is time.

:updated / inet:whois:ipcontact:updated

The “last updated” time from the record.

The property type is time.

:role / inet:whois:ipcontact:role

The primary role for the contact.

The property type is str. Its type has the following options set:

• lower: True

:roles / inet:whois:ipcontact:roles

Additional roles assigned to the contact.

The property type is array. Its type has the following options set:

• type: str

• uniq: True

• sorted: True

:asn / inet:whois:ipcontact:asn

The associated Autonomous System Number (ASN).

The property type is inet:asn.

:id / inet:whois:ipcontact:id

The registry unique identifier (e.g. NET-74-0-0-0-1).

The property type is inet:whois:regid.

:links / inet:whois:ipcontact:links

URLs provided with the record.

The property type is array. Its type has the following options set:

• type: inet:url

• uniq: True

• sorted: True

:status / inet:whois:ipcontact:status

The state of the registered contact (e.g. validated, obscured).

The property type is str. Its type has the following options set:

• lower: True

:contacts / inet:whois:ipcontact:contacts

Additional contacts referenced by this contact.

The property type is array. Its type has the following options set:

• type: inet:whois:ipcontact

• uniq: True

• sorted: True

inet:whois:ipquery

Query details used to retrieve an IP record.

The base type for the form can be found at inet:whois:ipquery.

Properties:

:time / inet:whois:ipquery:time

The time the request was made.

The property type is time.

:url / inet:whois:ipquery:url

The query URL when using the HTTP RDAP Protocol.

The property type is inet:url.

:fqdn / inet:whois:ipquery:fqdn

The FQDN of the host server when using the legacy WHOIS Protocol.

The property type is inet:fqdn.

:ipv4 / inet:whois:ipquery:ipv4

The IPv4 address queried.

The property type is inet:ipv4.

:ipv6 / inet:whois:ipquery:ipv6

The IPv6 address queried.

The property type is inet:ipv6.

:success / inet:whois:ipquery:success

Whether the host returned a valid response for the query.

The property type is bool.

:rec / inet:whois:ipquery:rec

The resulting record from the query.

The property type is inet:whois:iprec.

inet:whois:iprec

An IPv4/IPv6 block registration record.

The base type for the form can be found at inet:whois:iprec.

Properties:

:net4 / inet:whois:iprec:net4

The IPv4 address range assigned.

The property type is inet:net4.

:net4:min / inet:whois:iprec:net4:min

The first IPv4 in the range assigned.

The property type is inet:ipv4.

:net4:max / inet:whois:iprec:net4:max

The last IPv4 in the range assigned.

The property type is inet:ipv4.

:net6 / inet:whois:iprec:net6

The IPv6 address range assigned.

The property type is inet:net6.

:net6:min / inet:whois:iprec:net6:min

The first IPv6 in the range assigned.

The property type is inet:ipv6.

:net6:max / inet:whois:iprec:net6:max

The last IPv6 in the range assigned.

The property type is inet:ipv6.

:asof / inet:whois:iprec:asof

The date of the record.

The property type is time.

:created / inet:whois:iprec:created

The “created” time from the record.

The property type is time.

:updated / inet:whois:iprec:updated

The “last updated” time from the record.

The property type is time.

:text / inet:whois:iprec:text

The full text of the record. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str. Its type has the following options set:

• lower: True

:desc / inet:whois:iprec:desc

Notes concerning the record. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str. Its type has the following options set:

• lower: True

:asn / inet:whois:iprec:asn

The associated Autonomous System Number (ASN).

The property type is inet:asn.

:id / inet:whois:iprec:id

The registry unique identifier (e.g. NET-74-0-0-0-1).

The property type is inet:whois:regid.

:name / inet:whois:iprec:name

The name assigned to the network by the registrant.

The property type is str.

:parentid / inet:whois:iprec:parentid

The registry unique identifier of the parent whois record (e.g. NET-74-0-0-0-0).

The property type is inet:whois:regid.

:registrant / inet:whois:iprec:registrant

The registrant contact from the record.

The property type is inet:whois:ipcontact.

:contacts / inet:whois:iprec:contacts

Additional contacts from the record.

The property type is array. Its type has the following options set:

• type: inet:whois:ipcontact

• uniq: True

• sorted: True

:country / inet:whois:iprec:country

The two-letter ISO 3166 country code.

The property type is str. Its type has the following options set:

• lower: True

• regex: ^[a-z]{2}$

:status / inet:whois:iprec:status

The state of the registered network.

The property type is str. Its type has the following options set:

• lower: True

:type / inet:whois:iprec:type

The classification of the registered network (e.g. direct allocation).

The property type is str. Its type has the following options set:

• lower: True

:links / inet:whois:iprec:links

URLs provided with the record.

The property type is array. Its type has the following options set:

• type: inet:url

• uniq: True

• sorted: True

inet:whois:rar

A domain registrar.

The base type for the form can be found at inet:whois:rar.

An example of inet:whois:rar:

• godaddy, inc.

Properties:

inet:whois:rec

A domain whois record.

The base type for the form can be found at inet:whois:rec.

Properties:

:fqdn / inet:whois:rec:fqdn

The domain associated with the whois record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:asof / inet:whois:rec:asof

The date of the whois record. It has the following property options set:

• Read Only: True

The property type is time.

:text / inet:whois:rec:text

The full text of the whois record. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str. Its type has the following options set:

• lower: True

:created / inet:whois:rec:created

The “created” time from the whois record.

The property type is time.

:updated / inet:whois:rec:updated

The “last updated” time from the whois record.

The property type is time.

:expires / inet:whois:rec:expires

The “expires” time from the whois record.

The property type is time.

:registrar / inet:whois:rec:registrar

The registrar name from the whois record.

The property type is inet:whois:rar.

:registrant / inet:whois:rec:registrant

The registrant name from the whois record.

The property type is inet:whois:reg.

inet:whois:recns

A nameserver associated with a domain whois record.

The base type for the form can be found at inet:whois:recns.

Properties:

:ns / inet:whois:recns:ns

A nameserver for a domain as listed in the domain whois record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:rec / inet:whois:recns:rec

The whois record containing the nameserver data. It has the following property options set:

• Read Only: True

The property type is inet:whois:rec.

:rec:fqdn / inet:whois:recns:rec:fqdn

The domain associated with the whois record. It has the following property options set:

• Read Only: True

The property type is inet:fqdn.

:rec:asof / inet:whois:recns:rec:asof

The date of the whois record. It has the following property options set:

• Read Only: True

The property type is time.

inet:whois:reg

A domain registrant.

The base type for the form can be found at inet:whois:reg.

An example of inet:whois:reg:

• woot hostmaster

Properties:

inet:whois:regid

The registry unique identifier of the registration record.

The base type for the form can be found at inet:whois:regid.

An example of inet:whois:regid:

• NET-10-0-0-0-1

Properties:

inet:wifi:ap

An SSID/MAC address combination for a wireless access point.

The base type for the form can be found at inet:wifi:ap.

Properties:

:ssid / inet:wifi:ap:ssid

The SSID for the wireless access point. It has the following property options set:

• Read Only: True

The property type is inet:wifi:ssid.

:bssid / inet:wifi:ap:bssid

The MAC address for the wireless access point. It has the following property options set:

• Read Only: True

The property type is inet:mac.

:latlong / inet:wifi:ap:latlong

The best known latitude/longitude for the wireless access point.

The property type is geo:latlong.

:accuracy / inet:wifi:ap:accuracy

The reported accuracy of the latlong telemetry reading.

The property type is geo:dist.

:channel / inet:wifi:ap:channel

The WIFI channel that the AP was last observed operating on.

The property type is int.

:encryption / inet:wifi:ap:encryption

The type of encryption used by the WIFI AP such as “wpa2”.

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:place / inet:wifi:ap:place

The geo:place associated with the latlong property.

The property type is geo:place.

:loc / inet:wifi:ap:loc

The geo-political location string for the wireless access point.

The property type is loc.

:org / inet:wifi:ap:org

The organization that owns/operates the access point.

The property type is ou:org.

inet:wifi:ssid

A WiFi service set identifier (SSID) name.

The base type for the form can be found at inet:wifi:ssid.

An example of inet:wifi:ssid:

• The Vertex Project

Properties:

iso:oid

An ISO Object Identifier string.

The base type for the form can be found at iso:oid.

Properties:

:descr / iso:oid:descr

A description of the value or meaning of the OID.

The property type is str.

:identifier / iso:oid:identifier

The string identifier for the deepest tree element.

The property type is str.

it:account

A GUID that represents an account on a host or network.

The base type for the form can be found at it:account.

Properties:

:user / it:account:user

The username associated with the account.

The property type is inet:user.

:contact / it:account:contact

Additional contact information associated with this account.

The property type is ps:contact.

:host / it:account:host

The host where the account is registered.

The property type is it:host.

:domain / it:account:domain

The authentication domain where the account is registered.

The property type is it:domain.

:posix:uid / it:account:posix:uid

The user ID of the account. It has the following property options set:

• Example: 1001

The property type is int.

:posix:gid / it:account:posix:gid

The primary group ID of the account. It has the following property options set:

• Example: 1001

The property type is int.

:posix:gecos / it:account:posix:gecos

The GECOS field for the POSIX account.

The property type is int.

:posix:home / it:account:posix:home

The path to the POSIX account’s home directory. It has the following property options set:

• Example: /home/visi

The property type is file:path.

:posix:shell / it:account:posix:shell

The path to the POSIX account’s default shell. It has the following property options set:

• Example: /bin/bash

The property type is file:path.

:windows:sid / it:account:windows:sid

The Microsoft Windows Security Identifier of the account.

The property type is it:os:windows:sid.

:groups / it:account:groups

An array of groups that the account is a member of.

The property type is array. Its type has the following options set:

• type: it:group

• uniq: True

• sorted: True

it:adid

An advertising identification string.

The base type for the form can be found at it:adid.

Properties:

it:app:snort:hit

An instance of a snort rule hit.

The base type for the form can be found at it:app:snort:hit.

Properties:

:rule / it:app:snort:hit:rule

The snort rule that matched the file.

The property type is it:app:snort:rule.

:flow / it:app:snort:hit:flow

The inet:flow that matched the snort rule.

The property type is inet:flow.

:src / it:app:snort:hit:src

The source address of flow that caused the hit.

The property type is inet:addr.

:src:ipv4 / it:app:snort:hit:src:ipv4

The source IPv4 address of the flow that caused the hit.

The property type is inet:ipv4.

:src:ipv6 / it:app:snort:hit:src:ipv6

The source IPv6 address of the flow that caused the hit.

The property type is inet:ipv6.

:src:port / it:app:snort:hit:src:port

The source port of the flow that caused the hit.

The property type is inet:port.

:dst / it:app:snort:hit:dst

The destination address of the trigger.

The property type is inet:addr.

:dst:ipv4 / it:app:snort:hit:dst:ipv4

The destination IPv4 address of the flow that caused the hit.

The property type is inet:ipv4.

:dst:ipv6 / it:app:snort:hit:dst:ipv6

The destination IPv4 address of the flow that caused the hit.

The property type is inet:ipv6.

:dst:port / it:app:snort:hit:dst:port

The destination port of the flow that caused the hit.

The property type is inet:port.

:time / it:app:snort:hit:time

The time of the network flow that caused the hit.

The property type is time.

:sensor / it:app:snort:hit:sensor

The sensor host node that produced the hit.

The property type is it:host.

:version / it:app:snort:hit:version

The version of the rule at the time of match.

The property type is it:semver.

it:app:snort:rule

A snort rule unique identifier.

The base type for the form can be found at it:app:snort:rule.

Properties:

:text / it:app:snort:rule:text

The snort rule text. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:name / it:app:snort:rule:name

The name of the snort rule.

The property type is str.

:version / it:app:snort:rule:version

The current version of the rule.

The property type is it:semver.

it:app:yara:match

A YARA rule match to a file.

The base type for the form can be found at it:app:yara:match.

Properties:

:rule / it:app:yara:match:rule

The YARA rule that matched the file. It has the following property options set:

• Read Only: True

The property type is it:app:yara:rule.

:file / it:app:yara:match:file

The file that matched the YARA rule. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:version / it:app:yara:match:version

The most recent version of the rule evaluated as a match.

The property type is it:semver.

it:app:yara:procmatch

An instance of a YARA rule match to a process.

The base type for the form can be found at it:app:yara:procmatch.

Properties:

:rule / it:app:yara:procmatch:rule

The YARA rule that matched the file.

The property type is it:app:yara:rule.

:proc / it:app:yara:procmatch:proc

The process that matched the YARA rule.

The property type is it:exec:proc.

:time / it:app:yara:procmatch:time

The time that the YARA engine matched the process to the rule.

The property type is time.

:version / it:app:yara:procmatch:version

The most recent version of the rule evaluated as a match.

The property type is it:semver.

it:app:yara:rule

A YARA rule unique identifier.

The base type for the form can be found at it:app:yara:rule.

Properties:

:text / it:app:yara:rule:text

The YARA rule text. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:name / it:app:yara:rule:name

The name of the YARA rule.

The property type is str.

:author / it:app:yara:rule:author

Contact info for the author of the YARA rule.

The property type is ps:contact.

:version / it:app:yara:rule:version

The current version of the rule.

The property type is it:semver.

:created / it:app:yara:rule:created

The time the YARA rule was initially created.

The property type is time.

:updated / it:app:yara:rule:updated

The time the YARA rule was most recently modified.

The property type is time.

:enabled / it:app:yara:rule:enabled

The rule enabled status to be used for YARA evaluation engines.

The property type is bool.

:family / it:app:yara:rule:family

The name of the software family the rule is designed to detect.

The property type is it:prod:softname.

it:auth:passwdhash

An instance of a password hash.

The base type for the form can be found at it:auth:passwdhash.

Properties:

:salt / it:auth:passwdhash:salt

The (optional) hex encoded salt value used to calculate the password hash.

The property type is hex.

:hash:md5 / it:auth:passwdhash:hash:md5

The MD5 password hash value.

The property type is hash:md5.

:hash:sha1 / it:auth:passwdhash:hash:sha1

The SHA1 password hash value.

The property type is hash:sha1.

:hash:sha256 / it:auth:passwdhash:hash:sha256

The SHA256 password hash value.

The property type is hash:sha256.

:hash:sha512 / it:auth:passwdhash:hash:sha512

The SHA512 password hash value.

The property type is hash:sha512.

:hash:lm / it:auth:passwdhash:hash:lm

The LM password hash value.

The property type is hash:lm.

:hash:ntlm / it:auth:passwdhash:hash:ntlm

The NTLM password hash value.

The property type is hash:ntlm.

:passwd / it:auth:passwdhash:passwd

The (optional) clear text password for this password hash.

The property type is inet:passwd.

it:av:filehit

A file that triggered an alert on a specific antivirus signature.

The base type for the form can be found at it:av:filehit.

Properties:

:file / it:av:filehit:file

The file that triggered the signature hit. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:sig / it:av:filehit:sig

The signature that the file triggered on. It has the following property options set:

• Read Only: True

The property type is it:av:sig.

:sig:name / it:av:filehit:sig:name

The signature name. It has the following property options set:

• Read Only: True

The property type is it:av:signame.

:sig:soft / it:av:filehit:sig:soft

The anti-virus product which contains the signature. It has the following property options set:

• Read Only: True

The property type is it:prod:soft.

it:av:prochit

An instance of a process triggering an alert on a specific antivirus signature.

The base type for the form can be found at it:av:prochit.

Properties:

:proc / it:av:prochit:proc

The file that triggered the signature hit.

The property type is it:exec:proc.

:sig / it:av:prochit:sig

The signature that the file triggered on.

The property type is it:av:sig.

:time / it:av:prochit:time

The time that the AV engine detected the signature.

The property type is time.

it:av:sig

A signature name within the namespace of an antivirus engine name.

The base type for the form can be found at it:av:sig.

Properties:

:soft / it:av:sig:soft

The anti-virus product which contains the signature. It has the following property options set:

• Read Only: True

The property type is it:prod:soft.

:name / it:av:sig:name

The signature name. It has the following property options set:

• Read Only: True

The property type is it:av:signame.

:desc / it:av:sig:desc

A free-form description of the signature. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:url / it:av:sig:url

A reference URL for information about the signature.

The property type is inet:url.

it:av:signame

An antivirus signature name.

The base type for the form can be found at it:av:signame.

Properties:

it:cmd

A unique command-line string.

The base type for the form can be found at it:cmd.

An example of it:cmd:

• foo.exe --dostuff bar

Properties:

it:dev:int

A developer selected integer constant.

The base type for the form can be found at it:dev:int.

Properties:

it:dev:mutex

A string representing a mutex.

The base type for the form can be found at it:dev:mutex.

Properties:

it:dev:pipe

A string representing a named pipe.

The base type for the form can be found at it:dev:pipe.

Properties:

it:dev:regkey

A Windows registry key.

The base type for the form can be found at it:dev:regkey.

An example of it:dev:regkey:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Properties:

it:dev:regval

A Windows registry key/value pair.

The base type for the form can be found at it:dev:regval.

Properties:

:key / it:dev:regval:key

The Windows registry key.

The property type is it:dev:regkey.

:str / it:dev:regval:str

The value of the registry key, if the value is a string.

The property type is it:dev:str.

:int / it:dev:regval:int

The value of the registry key, if the value is an integer.

The property type is it:dev:int.

:bytes / it:dev:regval:bytes

The file representing the value of the registry key, if the value is binary data.

The property type is file:bytes.

it:dev:str

A developer-selected string.

The base type for the form can be found at it:dev:str.

Properties:

:norm / it:dev:str:norm

Lower case normalized version of the it:dev:str.

The property type is str. Its type has the following options set:

• lower: True

it:domain

A logical boundary of authentication and configuration such as a windows domain.

The base type for the form can be found at it:domain.

Properties:

:name / it:domain:name

The name of the domain.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:desc / it:domain:desc

A brief description of the domain.

The property type is str.

:org / it:domain:org

The org that operates the given domain.

The property type is ou:org.

it:exec:bind

An instance of a host binding a listening port.

The base type for the form can be found at it:exec:bind.

Properties:

:proc / it:exec:bind:proc

The main process executing code that bound the listening port.

The property type is it:exec:proc.

:host / it:exec:bind:host

The host running the process that bound the listening port. Typically the same host referenced in :proc, if present.

The property type is it:host.

:exe / it:exec:bind:exe

The specific file containing code that bound the listening port. May or may not be the same :exe specified in :proc, if present.

The property type is file:bytes.

:time / it:exec:bind:time

The time the port was bound.

The property type is time.

:server / it:exec:bind:server

The inet:addr of the server when binding the port.

The property type is inet:server.

:server:ipv4 / it:exec:bind:server:ipv4

The IPv4 address specified to bind().

The property type is inet:ipv4.

:server:ipv6 / it:exec:bind:server:ipv6

The IPv6 address specified to bind().

The property type is inet:ipv6.

:server:port / it:exec:bind:server:port

The bound (listening) TCP port.

The property type is inet:port.

:sandbox:file / it:exec:bind:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:file:add

An instance of a host adding a file to a filesystem.

The base type for the form can be found at it:exec:file:add.

Properties:

:proc / it:exec:file:add:proc

The main process executing code that created the new file.

The property type is it:exec:proc.

:host / it:exec:file:add:host

The host running the process that created the new file. Typically the same host referenced in :proc, if present.

The property type is it:host.

:exe / it:exec:file:add:exe

The specific file containing code that created the new file. May or may not be the same :exe specified in :proc, if present.

The property type is file:bytes.

:time / it:exec:file:add:time

The time the file was created.

The property type is time.

:path / it:exec:file:add:path

The path where the file was created.

The property type is file:path.

:path:dir / it:exec:file:add:path:dir

The parent directory of the file path (parsed from :path). It has the following property options set:

• Read Only: True

The property type is file:path.

:path:ext / it:exec:file:add:path:ext

The file extension of the file name (parsed from :path). It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:path:base / it:exec:file:add:path:base

The final component of the file path (parsed from :path). It has the following property options set:

• Read Only: True

The property type is file:base.

:file / it:exec:file:add:file

The file that was created.

The property type is file:bytes.

:sandbox:file / it:exec:file:add:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:file:del

An instance of a host deleting a file from a filesystem.

The base type for the form can be found at it:exec:file:del.

Properties:

:proc / it:exec:file:del:proc

The main process executing code that deleted the file.

The property type is it:exec:proc.

:host / it:exec:file:del:host

The host running the process that deleted the file. Typically the same host referenced in :proc, if present.

The property type is it:host.

:exe / it:exec:file:del:exe

The specific file containing code that deleted the file. May or may not be the same :exe specified in :proc, if present.

The property type is file:bytes.

:time / it:exec:file:del:time

The time the file was deleted.

The property type is time.

:path / it:exec:file:del:path

The path where the file was deleted.

The property type is file:path.

:path:dir / it:exec:file:del:path:dir

The parent directory of the file path (parsed from :path). It has the following property options set:

• Read Only: True

The property type is file:path.

:path:ext / it:exec:file:del:path:ext

The file extension of the file name (parsed from :path). It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:path:base / it:exec:file:del:path:base

The final component of the file path (parsed from :path). It has the following property options set:

• Read Only: True

The property type is file:base.

:file / it:exec:file:del:file

The file that was deleted.

The property type is file:bytes.

:sandbox:file / it:exec:file:del:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:file:read

An instance of a host reading a file from a filesystem.

The base type for the form can be found at it:exec:file:read.

Properties:

:proc / it:exec:file:read:proc

The main process executing code that read the file.

The property type is it:exec:proc.

:host / it:exec:file:read:host

The host running the process that read the file. Typically the same host referenced in :proc, if present.

The property type is it:host.

:exe / it:exec:file:read:exe

The specific file containing code that read the file. May or may not be the same :exe specified in :proc, if present.

The property type is file:bytes.

:time / it:exec:file:read:time

The time the file was read.

The property type is time.

:path / it:exec:file:read:path

The path where the file was read.

The property type is file:path.

:path:dir / it:exec:file:read:path:dir

The parent directory of the file path (parsed from :path). It has the following property options set:

• Read Only: True

The property type is file:path.

:path:ext / it:exec:file:read:path:ext

The file extension of the file name (parsed from :path). It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:path:base / it:exec:file:read:path:base

The final component of the file path (parsed from :path). It has the following property options set:

• Read Only: True

The property type is file:base.

:file / it:exec:file:read:file

The file that was read.

The property type is file:bytes.

:sandbox:file / it:exec:file:read:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:file:write

An instance of a host writing a file to a filesystem.

The base type for the form can be found at it:exec:file:write.

Properties:

:proc / it:exec:file:write:proc

The main process executing code that wrote to / modified the existing file.

The property type is it:exec:proc.

:host / it:exec:file:write:host

The host running the process that wrote to the file. Typically the same host referenced in :proc, if present.

The property type is it:host.

:exe / it:exec:file:write:exe

The specific file containing code that wrote to the file. May or may not be the same :exe specified in :proc, if present.

The property type is file:bytes.

:time / it:exec:file:write:time

The time the file was written to/modified.

The property type is time.

:path / it:exec:file:write:path

The path where the file was written to/modified.

The property type is file:path.

:path:dir / it:exec:file:write:path:dir

The parent directory of the file path (parsed from :path). It has the following property options set:

• Read Only: True

The property type is file:path.

:path:ext / it:exec:file:write:path:ext

The file extension of the file name (parsed from :path). It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:path:base / it:exec:file:write:path:base

The final component of the file path (parsed from :path). It has the following property options set:

• Read Only: True

The property type is file:base.

:file / it:exec:file:write:file

The file that was modified.

The property type is file:bytes.

:sandbox:file / it:exec:file:write:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:loadlib

A library load event in a process.

The base type for the form can be found at it:exec:loadlib.

Properties:

:proc / it:exec:loadlib:proc

The process where the library was loaded.

The property type is it:exec:proc.

:va / it:exec:loadlib:va

The base memory address where the library was loaded in the process.

The property type is int.

:loaded / it:exec:loadlib:loaded

The time the library was loaded.

The property type is time.

:unloaded / it:exec:loadlib:unloaded

The time the library was unloaded.

The property type is time.

:path / it:exec:loadlib:path

The path that the library was loaded from.

The property type is file:path.

:file / it:exec:loadlib:file

The library file that was loaded.

The property type is file:bytes.

:sandbox:file / it:exec:loadlib:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:mmap

A memory mapped segment located in a process.

The base type for the form can be found at it:exec:mmap.

Properties:

:proc / it:exec:mmap:proc

The process where the memory was mapped.

The property type is it:exec:proc.

:va / it:exec:mmap:va

The base memory address where the map was created in the process.

The property type is int.

:size / it:exec:mmap:size

The size of the memory map in bytes.

The property type is int.

:perms:read / it:exec:mmap:perms:read

True if the mmap is mapped with read permissions.

The property type is bool.

:perms:write / it:exec:mmap:perms:write

True if the mmap is mapped with write permissions.

The property type is bool.

:perms:execute / it:exec:mmap:perms:execute

True if the mmap is mapped with execute permissions.

The property type is bool.

:created / it:exec:mmap:created

The time the memory map was created.

The property type is time.

:deleted / it:exec:mmap:deleted

The time the memory map was deleted.

The property type is time.

:path / it:exec:mmap:path

The file path if the mmap is a mapped view of a file.

The property type is file:path.

:hash:sha256 / it:exec:mmap:hash:sha256

A SHA256 hash of the memory map. Bytes may optionally be present in the axon.

The property type is hash:sha256.

:sandbox:file / it:exec:mmap:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:mutex

A mutex created by a process at runtime.

The base type for the form can be found at it:exec:mutex.

Properties:

:proc / it:exec:mutex:proc

The main process executing code that created the mutex.

The property type is it:exec:proc.

:host / it:exec:mutex:host

The host running the process that created the mutex. Typically the same host referenced in :proc, if present.

The property type is it:host.

:exe / it:exec:mutex:exe

The specific file containing code that created the mutex. May or may not be the same :exe specified in :proc, if present.

The property type is file:bytes.

:time / it:exec:mutex:time

The time the mutex was created.

The property type is time.

:name / it:exec:mutex:name

The mutex string.

The property type is it:dev:mutex.

:sandbox:file / it:exec:mutex:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:pipe

A named pipe created by a process at runtime.

The base type for the form can be found at it:exec:pipe.

Properties:

:proc / it:exec:pipe:proc

The main process executing code that created the named pipe.

The property type is it:exec:proc.

:host / it:exec:pipe:host

The host running the process that created the named pipe. Typically the same host referenced in :proc, if present.

The property type is it:host.

:exe / it:exec:pipe:exe

The specific file containing code that created the named pipe. May or may not be the same :exe specified in :proc, if present.

The property type is file:bytes.

:time / it:exec:pipe:time

The time the named pipe was created.

The property type is time.

:name / it:exec:pipe:name

The named pipe string.

The property type is it:dev:pipe.

:sandbox:file / it:exec:pipe:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:proc

A process executing on a host. May be an actual (e.g., endpoint) or virtual (e.g., malware sandbox) host.

The base type for the form can be found at it:exec:proc.

Properties:

:host / it:exec:proc:host

The host that executed the process. May be an actual or a virtual / notional host.

The property type is it:host.

:exe / it:exec:proc:exe

The file considered the “main” executable for the process. For example, rundll32.exe may be considered the “main” executable for DLLs loaded by that program.

The property type is file:bytes.

:cmd / it:exec:proc:cmd

The command string used to launch the process, including any command line parameters. It has the following property options set:

• disp: {'hint': 'text'}

The property type is it:cmd.

:pid / it:exec:proc:pid

The process ID.

The property type is int.

:time / it:exec:proc:time

The start time for the process.

The property type is time.

:name / it:exec:proc:name

The display name specified by the process.

The property type is str.

:exited / it:exec:proc:exited

The time the process exited.

The property type is time.

:exitcode / it:exec:proc:exitcode

The exit code for the process.

The property type is int.

:user / it:exec:proc:user

The user name of the process owner. It has the following property options set:

• deprecated: True

The property type is inet:user.

:account / it:exec:proc:account

The account of the process owner.

The property type is it:account.

:path / it:exec:proc:path

The path to the executable of the process.

The property type is file:path.

:path:base / it:exec:proc:path:base

The file basename of the executable of the process.

The property type is file:base.

:src:exe / it:exec:proc:src:exe

The path to the executable which started the process.

The property type is file:path.

:src:proc / it:exec:proc:src:proc

The process which created the process.

The property type is it:exec:proc.

:killedby / it:exec:proc:killedby

The process which killed this process.

The property type is it:exec:proc.

:sandbox:file / it:exec:proc:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:query

An instance of an executed query.

The base type for the form can be found at it:exec:query.

Properties:

:text / it:exec:query:text

The query string that was executed.

The property type is it:query.

:opts / it:exec:query:opts

An opaque JSON object containing query parameters and options.

The property type is data.

:api:url / it:exec:query:api:url

The URL of the API endpoint the query was sent to.

The property type is inet:url.

:language / it:exec:query:language

The name of the language that the query is expressed in.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:exe / it:exec:query:exe

The executable file which caused the activity.

The property type is file:bytes.

:proc / it:exec:query:proc

The host process which caused the activity.

The property type is it:exec:proc.

:thread / it:exec:query:thread

The host thread which caused the activity.

The property type is it:exec:thread.

:host / it:exec:query:host

The host on which the activity occurred.

The property type is it:host.

:time / it:exec:query:time

The time that the activity started.

The property type is time.

:sandbox:file / it:exec:query:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:reg:del

An instance of a host deleting a registry key.

The base type for the form can be found at it:exec:reg:del.

Properties:

:proc / it:exec:reg:del:proc

The main process executing code that deleted data from the registry.

The property type is it:exec:proc.

:host / it:exec:reg:del:host

The host running the process that deleted data from the registry. Typically the same host referenced in :proc, if present.

The property type is it:host.

:exe / it:exec:reg:del:exe

The specific file containing code that deleted data from the registry. May or may not be the same :exe referenced in :proc, if present.

The property type is file:bytes.

:time / it:exec:reg:del:time

The time the data from the registry was deleted.

The property type is time.

:reg / it:exec:reg:del:reg

The registry key or value that was deleted.

The property type is it:dev:regval.

:sandbox:file / it:exec:reg:del:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:reg:get

An instance of a host getting a registry key.

The base type for the form can be found at it:exec:reg:get.

Properties:

:proc / it:exec:reg:get:proc

The main process executing code that read the registry.

The property type is it:exec:proc.

:host / it:exec:reg:get:host

The host running the process that read the registry. Typically the same host referenced in :proc, if present.

The property type is it:host.

:exe / it:exec:reg:get:exe

The specific file containing code that read the registry. May or may not be the same :exe referenced in :proc, if present.

The property type is file:bytes.

:time / it:exec:reg:get:time

The time the registry was read.

The property type is time.

:reg / it:exec:reg:get:reg

The registry key or value that was read.

The property type is it:dev:regval.

:sandbox:file / it:exec:reg:get:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:reg:set

An instance of a host creating or setting a registry key.

The base type for the form can be found at it:exec:reg:set.

Properties:

:proc / it:exec:reg:set:proc

The main process executing code that wrote to the registry.

The property type is it:exec:proc.

:host / it:exec:reg:set:host

The host running the process that wrote to the registry. Typically the same host referenced in :proc, if present.

The property type is it:host.

:exe / it:exec:reg:set:exe

The specific file containing code that wrote to the registry. May or may not be the same :exe referenced in :proc, if present.

The property type is file:bytes.

:time / it:exec:reg:set:time

The time the registry was written to.

The property type is time.

:reg / it:exec:reg:set:reg

The registry key or value that was written to.

The property type is it:dev:regval.

:sandbox:file / it:exec:reg:set:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:thread

A thread executing in a process.

The base type for the form can be found at it:exec:thread.

Properties:

:proc / it:exec:thread:proc

The process which contains the thread.

The property type is it:exec:proc.

:created / it:exec:thread:created

The time the thread was created.

The property type is time.

:exited / it:exec:thread:exited

The time the thread exited.

The property type is time.

:exitcode / it:exec:thread:exitcode

The exit code or return value for the thread.

The property type is int.

:src:proc / it:exec:thread:src:proc

An external process which created the thread.

The property type is it:exec:proc.

:src:thread / it:exec:thread:src:thread

The thread which created this thread.

The property type is it:exec:thread.

:sandbox:file / it:exec:thread:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:exec:url

An instance of a host requesting a URL.

The base type for the form can be found at it:exec:url.

Properties:

:proc / it:exec:url:proc

The main process executing code that requested the URL.

The property type is it:exec:proc.

:browser / it:exec:url:browser

The software version of the browser.

The property type is it:prod:softver.

:host / it:exec:url:host

The host running the process that requested the URL. Typically the same host referenced in :proc, if present.

The property type is it:host.

:exe / it:exec:url:exe

The specific file containing code that requested the URL. May or may not be the same :exe specified in :proc, if present.

The property type is file:bytes.

:time / it:exec:url:time

The time the URL was requested.

The property type is time.

:url / it:exec:url:url

The URL that was requested.

The property type is inet:url.

:page:pdf / it:exec:url:page:pdf

The rendered DOM saved as a PDF file.

The property type is file:bytes.

:page:html / it:exec:url:page:html

The rendered DOM saved as an HTML file.

The property type is file:bytes.

:page:image / it:exec:url:page:image

The rendered DOM saved as an image.

The property type is file:bytes.

:http:request / it:exec:url:http:request

The HTTP request made to retrieve the initial URL contents.

The property type is inet:http:request.

:client / it:exec:url:client

The address of the client during the URL retrieval.

The property type is inet:client.

:client:ipv4 / it:exec:url:client:ipv4

The IPv4 of the client during the URL retrieval..

The property type is inet:ipv4.

:client:ipv6 / it:exec:url:client:ipv6

The IPv6 of the client during the URL retrieval..

The property type is inet:ipv6.

:client:port / it:exec:url:client:port

The client port during the URL retrieval..

The property type is inet:port.

:sandbox:file / it:exec:url:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:fs:file

A file on a host.

The base type for the form can be found at it:fs:file.

Properties:

:host / it:fs:file:host

The host containing the file.

The property type is it:host.

:path / it:fs:file:path

The path for the file.

The property type is file:path.

:path:dir / it:fs:file:path:dir

The parent directory of the file path (parsed from :path). It has the following property options set:

• Read Only: True

The property type is file:path.

:path:ext / it:fs:file:path:ext

The file extension of the file name (parsed from :path). It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:path:base / it:fs:file:path:base

The final component of the file path (parsed from :path). It has the following property options set:

• Read Only: True

The property type is file:base.

:file / it:fs:file:file

The file on the host.

The property type is file:bytes.

:ctime / it:fs:file:ctime

The file creation time.

The property type is time.

:mtime / it:fs:file:mtime

The file modification time.

The property type is time.

:atime / it:fs:file:atime

The file access time.

The property type is time.

:user / it:fs:file:user

The owner of the file.

The property type is inet:user.

:group / it:fs:file:group

The group owner of the file.

The property type is inet:user.

it:group

A GUID that represents a group on a host or network.

The base type for the form can be found at it:group.

Properties:

:name / it:group:name

The name of the group.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:desc / it:group:desc

A brief description of the group.

The property type is str.

:host / it:group:host

The host where the group is registered.

The property type is it:host.

:domain / it:group:domain

The authentication domain where the group is registered.

The property type is it:domain.

:groups / it:group:groups

Groups that are a member of this group.

The property type is array. Its type has the following options set:

• type: it:group

• uniq: True

• sorted: True

:posix:gid / it:group:posix:gid

The primary group ID of the account. It has the following property options set:

• Example: 1001

The property type is int.

:windows:sid / it:group:windows:sid

The Microsoft Windows Security Identifier of the group.

The property type is it:os:windows:sid.

it:host

A GUID that represents a host or system.

The base type for the form can be found at it:host.

Properties:

:name / it:host:name

The name of the host or system.

The property type is it:hostname.

:desc / it:host:desc

A free-form description of the host.

The property type is str.

:domain / it:host:domain

The authentication domain that the host is a member of.

The property type is it:domain.

:ipv4 / it:host:ipv4

The last known ipv4 address for the host.

The property type is inet:ipv4.

:latlong / it:host:latlong

The last known location for the host.

The property type is geo:latlong.

:place / it:host:place

The place where the host resides.

The property type is geo:place.

:loc / it:host:loc

The geo-political location string for the node.

The property type is loc.

:os / it:host:os

The operating system of the host.

The property type is it:prod:softver.

:os:name / it:host:os:name

A software product name for the host operating system. Used for entity resolution.

The property type is it:prod:softname.

:hardware / it:host:hardware

The hardware specification for this host.

The property type is it:prod:hardware.

:manu / it:host:manu

Please use :hardware:make. It has the following property options set:

• deprecated: True

The property type is str.

:model / it:host:model

Please use :hardware:model. It has the following property options set:

• deprecated: True

The property type is str.

:serial / it:host:serial

The serial number of the host.

The property type is str.

:operator / it:host:operator

The operator of the host.

The property type is ps:contact.

:org / it:host:org

The org that operates the given host.

The property type is ou:org.

it:hostname

The name of a host or system.

The base type for the form can be found at it:hostname.

Properties:

it:hostsoft

A version of a software product which is present on a given host.

The base type for the form can be found at it:hostsoft.

Properties:

:host / it:hostsoft:host

Host with the software. It has the following property options set:

• Read Only: True

The property type is it:host.

:softver / it:hostsoft:softver

Software on the host. It has the following property options set:

• Read Only: True

The property type is it:prod:softver.

it:hosturl

A url hosted on or served by a host or system.

The base type for the form can be found at it:hosturl.

Properties:

:host / it:hosturl:host

Host serving a url. It has the following property options set:

• Read Only: True

The property type is it:host.

:url / it:hosturl:url

URL available on the host. It has the following property options set:

• Read Only: True

The property type is inet:url.

it:log:event

A GUID representing an individual log event.

The base type for the form can be found at it:log:event.

Properties:

:mesg / it:log:event:mesg

The log messsage text.

The property type is str.

:severity / it:log:event:severity

A log level integer that increases with severity.

The property type is int. Its type has the following options set:

• enums: ((10, 'debug'), (20, 'info'), (30, 'notice'), (40, 'warning'), (50, 'err'), (60, 'crit'), (70, 'alert'), (80, 'emerg'))

:data / it:log:event:data

A raw JSON record of the log event.

The property type is data.

:exe / it:log:event:exe

The executable file which caused the activity.

The property type is file:bytes.

:proc / it:log:event:proc

The host process which caused the activity.

The property type is it:exec:proc.

:thread / it:log:event:thread

The host thread which caused the activity.

The property type is it:exec:thread.

:host / it:log:event:host

The host on which the activity occurred.

The property type is it:host.

:time / it:log:event:time

The time that the activity started.

The property type is time.

:sandbox:file / it:log:event:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:logon

A GUID that represents an individual logon/logoff event.

The base type for the form can be found at it:logon.

Properties:

:time / it:logon:time

The time the logon occurred.

The property type is time.

:success / it:logon:success

Set to false to indicate an unsuccessful logon attempt.

The property type is bool.

:logoff:time / it:logon:logoff:time

The time the logon session ended.

The property type is time.

:host / it:logon:host

The host that the account logged in to.

The property type is it:host.

:account / it:logon:account

The account that logged in.

The property type is it:account.

:creds / it:logon:creds

The credentials that were used for the logon.

The property type is auth:creds.

:duration / it:logon:duration

The duration of the logon session.

The property type is duration.

:client:host / it:logon:client:host

The host where the logon originated.

The property type is it:host.

:client:ipv4 / it:logon:client:ipv4

The IPv4 where the logon originated.

The property type is inet:ipv4.

:client:ipv6 / it:logon:client:ipv6

The IPv6 where the logon originated.

The property type is inet:ipv6.

it:mitre:attack:group

A Mitre ATT&CK Group ID.

The base type for the form can be found at it:mitre:attack:group.

An example of it:mitre:attack:group:

• G0100

Properties:

:org / it:mitre:attack:group:org

Used to map an ATT&CK group to a synapse ou:org.

The property type is ou:org.

:name / it:mitre:attack:group:name

The primary name for the ATT&CK group.

The property type is ou:name.

:names / it:mitre:attack:group:names

An array of alternate names for the ATT&CK group.

The property type is array. Its type has the following options set:

• type: ou:name

• uniq: True

• sorted: True

:desc / it:mitre:attack:group:desc

A description of the ATT&CK group. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:isnow / it:mitre:attack:group:isnow

If deprecated, this field may contain the current value for the group.

The property type is it:mitre:attack:group.

:url / it:mitre:attack:group:url

The URL that documents the ATT&CK group.

The property type is inet:url.

:tag / it:mitre:attack:group:tag

The synapse tag used to annotate nodes included in this ATT&CK group ID. It has the following property options set:

• Example: cno.mitre.g0100

The property type is syn:tag.

:references / it:mitre:attack:group:references

An array of URLs that document the ATT&CK group.

The property type is array. Its type has the following options set:

• type: inet:url

• uniq: True

:techniques / it:mitre:attack:group:techniques

An array of ATT&CK technique IDs used by the group.

The property type is array. Its type has the following options set:

• type: it:mitre:attack:technique

• uniq: True

• sorted: True

• split: ,

:software / it:mitre:attack:group:software

An array of ATT&CK software IDs used by the group.

The property type is array. Its type has the following options set:

• type: it:mitre:attack:software

• uniq: True

• sorted: True

• split: ,

it:mitre:attack:mitigation

A Mitre ATT&CK Mitigation ID.

The base type for the form can be found at it:mitre:attack:mitigation.

An example of it:mitre:attack:mitigation:

• M1036

Properties:

:name / it:mitre:attack:mitigation:name

The primary name for the ATT&CK mitigation.

The property type is str. Its type has the following options set:

• strip: True

:desc / it:mitre:attack:mitigation:desc

A description of the ATT&CK mitigation. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str. Its type has the following options set:

• strip: True

:url / it:mitre:attack:mitigation:url

The URL that documents the ATT&CK mitigation.

The property type is inet:url.

:tag / it:mitre:attack:mitigation:tag

The synapse tag used to annotate nodes included in this ATT&CK mitigation. It has the following property options set:

• Example: cno.mitre.m0100

The property type is syn:tag.

:references / it:mitre:attack:mitigation:references

An array of URLs that document the ATT&CK mitigation.

The property type is array. Its type has the following options set:

• type: inet:url

• uniq: True

:addresses / it:mitre:attack:mitigation:addresses

An array of ATT&CK technique IDs addressed by the mitigation.

The property type is array. Its type has the following options set:

• type: it:mitre:attack:technique

• uniq: True

• sorted: True

• split: ,

it:mitre:attack:software

A Mitre ATT&CK Software ID.

The base type for the form can be found at it:mitre:attack:software.

An example of it:mitre:attack:software:

• S0154

Properties:

:software / it:mitre:attack:software:software

Used to map an ATT&CK software to a synapse it:prod:soft.

The property type is it:prod:soft.

:name / it:mitre:attack:software:name

The primary name for the ATT&CK software.

The property type is it:prod:softname.

:names / it:mitre:attack:software:names

Associated names for the ATT&CK software.

The property type is array. Its type has the following options set:

• type: it:prod:softname

• uniq: True

• sorted: True

:desc / it:mitre:attack:software:desc

A description of the ATT&CK software. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str. Its type has the following options set:

• strip: True

:isnow / it:mitre:attack:software:isnow

If deprecated, this field may contain the current value for the software.

The property type is it:mitre:attack:software.

:url / it:mitre:attack:software:url

The URL that documents the ATT&CK software.

The property type is inet:url.

:tag / it:mitre:attack:software:tag

The synapse tag used to annotate nodes included in this ATT&CK software. It has the following property options set:

• Example: cno.mitre.s0100

The property type is syn:tag.

:references / it:mitre:attack:software:references

An array of URLs that document the ATT&CK software.

The property type is array. Its type has the following options set:

• type: inet:url

• uniq: True

:techniques / it:mitre:attack:software:techniques

An array of techniques used by the software.

The property type is array. Its type has the following options set:

• type: it:mitre:attack:technique

• uniq: True

• sorted: True

• split: ,

it:mitre:attack:tactic

A Mitre ATT&CK Tactic ID.

The base type for the form can be found at it:mitre:attack:tactic.

An example of it:mitre:attack:tactic:

• TA0040

Properties:

:name / it:mitre:attack:tactic:name

The primary name for the ATT&CK tactic.

The property type is str. Its type has the following options set:

• strip: True

:desc / it:mitre:attack:tactic:desc

A description of the ATT&CK tactic. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:url / it:mitre:attack:tactic:url

The URL that documents the ATT&CK tactic.

The property type is inet:url.

:tag / it:mitre:attack:tactic:tag

The synapse tag used to annotate nodes included in this ATT&CK tactic. It has the following property options set:

• Example: cno.mitre.ta0100

The property type is syn:tag.

:references / it:mitre:attack:tactic:references

An array of URLs that document the ATT&CK tactic.

The property type is array. Its type has the following options set:

• type: inet:url

• uniq: True

it:mitre:attack:technique

A Mitre ATT&CK Technique ID.

The base type for the form can be found at it:mitre:attack:technique.

An example of it:mitre:attack:technique:

• T1548

Properties:

:name / it:mitre:attack:technique:name

The primary name for the ATT&CK technique.

The property type is str. Its type has the following options set:

• strip: True

:status / it:mitre:attack:technique:status

The status of this ATT&CK technique.

The property type is it:mitre:attack:status.

:isnow / it:mitre:attack:technique:isnow

If deprecated, this field may contain the current value for the technique.

The property type is it:mitre:attack:technique.

:desc / it:mitre:attack:technique:desc

A description of the ATT&CK technique. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str. Its type has the following options set:

• strip: True

:url / it:mitre:attack:technique:url

The URL that documents the ATT&CK technique.

The property type is inet:url.

:tag / it:mitre:attack:technique:tag

The synapse tag used to annotate nodes included in this ATT&CK technique. It has the following property options set:

• Example: cno.mitre.t0100

The property type is syn:tag.

:references / it:mitre:attack:technique:references

An array of URLs that document the ATT&CK technique.

The property type is array. Its type has the following options set:

• type: inet:url

• uniq: True

:parent / it:mitre:attack:technique:parent

The parent ATT&CK technique on this sub-technique.

The property type is it:mitre:attack:technique.

:tactics / it:mitre:attack:technique:tactics

An array of ATT&CK tactics that include this technique.

The property type is array. Its type has the following options set:

• type: it:mitre:attack:tactic

• uniq: True

• sorted: True

• split: ,

it:network

A GUID that represents a logical network.

The base type for the form can be found at it:network.

Properties:

:name / it:network:name

The name of the network.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:desc / it:network:desc

A brief description of the network.

The property type is str.

:org / it:network:org

The org that owns/operates the network.

The property type is ou:org.

:net4 / it:network:net4

The optional contiguous IPv4 address range of this network.

The property type is inet:net4.

:net6 / it:network:net6

The optional contiguous IPv6 address range of this network.

The property type is inet:net6.

it:os:android:aaid

An android advertising identification string.

The base type for the form can be found at it:os:android:aaid.

Properties:

it:os:android:ibroadcast

The given software broadcasts the given Android intent.

The base type for the form can be found at it:os:android:ibroadcast.

Properties:

:app / it:os:android:ibroadcast:app

The app software which broadcasts the android intent. It has the following property options set:

• Read Only: True

The property type is it:prod:softver.

:intent / it:os:android:ibroadcast:intent

The android intent which is broadcast by the app. It has the following property options set:

• Read Only: True

The property type is it:os:android:intent.

it:os:android:ilisten

The given software listens for an android intent.

The base type for the form can be found at it:os:android:ilisten.

Properties:

:app / it:os:android:ilisten:app

The app software which listens for the android intent. It has the following property options set:

• Read Only: True

The property type is it:prod:softver.

:intent / it:os:android:ilisten:intent

The android intent which is listened for by the app. It has the following property options set:

• Read Only: True

The property type is it:os:android:intent.

it:os:android:intent

An android intent string.

The base type for the form can be found at it:os:android:intent.

Properties:

it:os:android:perm

An android permission string.

The base type for the form can be found at it:os:android:perm.

Properties:

it:os:android:reqperm

The given software requests the android permission.

The base type for the form can be found at it:os:android:reqperm.

Properties:

:app / it:os:android:reqperm:app

The android app which requests the permission. It has the following property options set:

• Read Only: True

The property type is it:prod:softver.

:perm / it:os:android:reqperm:perm

The android permission requested by the app. It has the following property options set:

• Read Only: True

The property type is it:os:android:perm.

it:os:ios:idfa

An iOS advertising identification string.

The base type for the form can be found at it:os:ios:idfa.

Properties:

it:prod:component

A specific instance of an it:prod:hardware most often as part of an it:host.

The base type for the form can be found at it:prod:component.

Properties:

:hardware / it:prod:component:hardware

The hardware specification of this component.

The property type is it:prod:hardware.

:serial / it:prod:component:serial

The serial number of this component.

The property type is str.

:host / it:prod:component:host

The it:host which has this component installed.

The property type is it:host.

it:prod:hardware

A specification for a piece of IT hardware.

The base type for the form can be found at it:prod:hardware.

Properties:

:name / it:prod:hardware:name

The display name for this hardware specification.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:type / it:prod:hardware:type

The type of hardware.

The property type is it:prod:hardwaretype.

:desc / it:prod:hardware:desc

A brief description of the hardware. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:cpe / it:prod:hardware:cpe

The NIST CPE 2.3 string specifying this hardware.

The property type is it:sec:cpe.

:make / it:prod:hardware:make

The name of the organization which manufactures this hardware.

The property type is ou:name.

:model / it:prod:hardware:model

The model name or number for this hardware specification.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:version / it:prod:hardware:version

Version string associated with this hardware specification.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:released / it:prod:hardware:released

The initial release date for this hardware.

The property type is time.

:parts / it:prod:hardware:parts

An array of it:prod:hadware parts included in this hardware specification.

The property type is array. Its type has the following options set:

• type: it:prod:hardware

• uniq: True

• sorted: True

it:prod:hardwaretype

An IT hardware type taxonomy.

The base type for the form can be found at it:prod:hardwaretype.

Properties:

:title / it:prod:hardwaretype:title

A brief title of the definition.

The property type is str.

:summary / it:prod:hardwaretype:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / it:prod:hardwaretype:sort

A display sort order for siblings.

The property type is int.

:base / it:prod:hardwaretype:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / it:prod:hardwaretype:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / it:prod:hardwaretype:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is it:prod:hardwaretype.

it:prod:soft

A software product.

The base type for the form can be found at it:prod:soft.

Properties:

:name / it:prod:soft:name

Name of the software.

The property type is it:prod:softname.

:type / it:prod:soft:type

The software type.

The property type is it:prod:soft:taxonomy.

:names / it:prod:soft:names

Observed/variant names for this software.

The property type is array. Its type has the following options set:

• type: it:prod:softname

• uniq: True

• sorted: True

:desc / it:prod:soft:desc

A description of the software. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:desc:short / it:prod:soft:desc:short

A short description of the software.

The property type is str. Its type has the following options set:

• lower: True

:cpe / it:prod:soft:cpe

The NIST CPE 2.3 string specifying this software.

The property type is it:sec:cpe.

:author / it:prod:soft:author

The contact information of the org or person who authored the software.

The property type is ps:contact.

:author:org / it:prod:soft:author:org

Deprecated. Please use :author to link to a ps:contact. It has the following property options set:

• deprecated: True

The property type is ou:org.

:author:acct / it:prod:soft:author:acct

Deprecated. Please use :author to link to a ps:contact. It has the following property options set:

• deprecated: True

The property type is inet:web:acct.

:author:email / it:prod:soft:author:email

Deprecated. Please use :author to link to a ps:contact. It has the following property options set:

• deprecated: True

The property type is inet:email.

:author:person / it:prod:soft:author:person

Deprecated. Please use :author to link to a ps:contact. It has the following property options set:

• deprecated: True

The property type is ps:person.

:url / it:prod:soft:url

URL relevant for the software.

The property type is inet:url.

:isos / it:prod:soft:isos

Set to True if the software is an operating system.

The property type is bool.

:islib / it:prod:soft:islib

Set to True if the software is a library.

The property type is bool.

:techniques / it:prod:soft:techniques

Deprecated for scalability. Please use -(uses)> ou:technique. It has the following property options set:

• deprecated: True

The property type is array. Its type has the following options set:

• type: ou:technique

• sorted: True

• uniq: True

it:prod:soft:taxonomy

A software type taxonomy.

The base type for the form can be found at it:prod:soft:taxonomy.

Properties:

it:prod:softfile

A file is distributed by a specific software version.

The base type for the form can be found at it:prod:softfile.

Properties:

:soft / it:prod:softfile:soft

The software which distributes the file. It has the following property options set:

• Read Only: True

The property type is it:prod:softver.

:file / it:prod:softfile:file

The file distributed by the software. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:path / it:prod:softfile:path

The default installation path of the file.

The property type is file:path.

it:prod:softlib

A software version contains a library software version.

The base type for the form can be found at it:prod:softlib.

Properties:

:soft / it:prod:softlib:soft

The software version that contains the library. It has the following property options set:

• Read Only: True

The property type is it:prod:softver.

:lib / it:prod:softlib:lib

The library software version. It has the following property options set:

• Read Only: True

The property type is it:prod:softver.

it:prod:softname

A software product name.

The base type for the form can be found at it:prod:softname.

Properties:

it:prod:softos

The software version is known to be compatible with the given os software version.

The base type for the form can be found at it:prod:softos.

Properties:

:soft / it:prod:softos:soft

The software which can run on the operating system. It has the following property options set:

• Read Only: True

The property type is it:prod:softver.

:os / it:prod:softos:os

The operating system which the software can run on. It has the following property options set:

• Read Only: True

The property type is it:prod:softver.

it:prod:softver

A specific version of a software product.

The base type for the form can be found at it:prod:softver.

Properties:

:software / it:prod:softver:software

Software associated with this version instance.

The property type is it:prod:soft.

:software:name / it:prod:softver:software:name

Deprecated. Please use it:prod:softver:name. It has the following property options set:

• deprecated: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:name / it:prod:softver:name

Name of the software version.

The property type is it:prod:softname.

:names / it:prod:softver:names

Observed/variant names for this software version.

The property type is array. Its type has the following options set:

• type: it:prod:softname

• uniq: True

• sorted: True

:desc / it:prod:softver:desc

A description of the software. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:cpe / it:prod:softver:cpe

The NIST CPE 2.3 string specifying this software version.

The property type is it:sec:cpe.

:cves / it:prod:softver:cves

A list of CVEs that apply to this software version.

The property type is array. Its type has the following options set:

• type: it:sec:cve

• uniq: True

• sorted: True

:vers / it:prod:softver:vers

Version string associated with this version instance.

The property type is it:dev:str.

:vers:norm / it:prod:softver:vers:norm

Normalized version of the version string.

The property type is str. Its type has the following options set:

• lower: True

:arch / it:prod:softver:arch

Software architecture.

The property type is it:dev:str.

:released / it:prod:softver:released

Timestamp for when this version of the software was released.

The property type is time.

:semver / it:prod:softver:semver

System normalized semantic version number.

The property type is it:semver.

:semver:major / it:prod:softver:semver:major

Version major number.

The property type is int.

:semver:minor / it:prod:softver:semver:minor

Version minor number.

The property type is int.

:semver:patch / it:prod:softver:semver:patch

Version patch number.

The property type is int.

:semver:pre / it:prod:softver:semver:pre

Semver prerelease string.

The property type is str.

:semver:build / it:prod:softver:semver:build

Semver build string.

The property type is str.

:url / it:prod:softver:url

URL where a specific version of the software is available from.

The property type is inet:url.

it:query

A unique query string.

The base type for the form can be found at it:query.

Properties:

it:reveng:filefunc

An instance of a function in an executable.

The base type for the form can be found at it:reveng:filefunc.

Properties:

:function / it:reveng:filefunc:function

The guid matching the function. It has the following property options set:

• Read Only: True

The property type is it:reveng:function.

:file / it:reveng:filefunc:file

The file that contains the function. It has the following property options set:

• Read Only: True

The property type is file:bytes.

:va / it:reveng:filefunc:va

The virtual address of the first codeblock of the function.

The property type is int.

:rank / it:reveng:filefunc:rank

The function rank score used to evaluate if it exhibits interesting behavior.

The property type is int.

:complexity / it:reveng:filefunc:complexity

The complexity of the function.

The property type is int.

:funccalls / it:reveng:filefunc:funccalls

Other function calls within the scope of the function.

The property type is array. Its type has the following options set:

• type: it:reveng:filefunc

• uniq: True

• sorted: True

it:reveng:funcstr

A reference to a string inside a function.

The base type for the form can be found at it:reveng:funcstr.

Properties:

:function / it:reveng:funcstr:function

The guid matching the function. It has the following property options set:

• Read Only: True

The property type is it:reveng:function.

:string / it:reveng:funcstr:string

The string that the function references. It has the following property options set:

• Read Only: True

The property type is str.

it:reveng:function

A function inside an executable.

The base type for the form can be found at it:reveng:function.

Properties:

:name / it:reveng:function:name

The name of the function.

The property type is str.

:description / it:reveng:function:description

Notes concerning the function.

The property type is str.

:impcalls / it:reveng:function:impcalls

Calls to imported library functions within the scope of the function.

The property type is array. Its type has the following options set:

• type: it:reveng:impfunc

• uniq: True

• sorted: True

:strings / it:reveng:function:strings

An array of strings referenced within the function.

The property type is array. Its type has the following options set:

• type: it:dev:str

• uniq: True

it:reveng:impfunc

A function from an imported library.

The base type for the form can be found at it:reveng:impfunc.

Properties:

it:screenshot

A screenshot of a host.

The base type for the form can be found at it:screenshot.

Properties:

:image / it:screenshot:image

The image file.

The property type is file:bytes.

:desc / it:screenshot:desc

A brief description of the screenshot. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:exe / it:screenshot:exe

The executable file which caused the activity.

The property type is file:bytes.

:proc / it:screenshot:proc

The host process which caused the activity.

The property type is it:exec:proc.

:thread / it:screenshot:thread

The host thread which caused the activity.

The property type is it:exec:thread.

:host / it:screenshot:host

The host on which the activity occurred.

The property type is it:host.

:time / it:screenshot:time

The time that the activity started.

The property type is time.

:sandbox:file / it:screenshot:sandbox:file

The initial sample given to a sandbox environment to analyze.

The property type is file:bytes.

it:sec:c2:config

An extracted C2 config from an executable.

The base type for the form can be found at it:sec:c2:config.

Properties:

:family / it:sec:c2:config:family

The name of the software family which uses the config.

The property type is it:prod:softname.

:file / it:sec:c2:config:file

The file that the C2 config was extracted from.

The property type is file:bytes.

:servers / it:sec:c2:config:servers

An array of connection URLs built from host/port/passwd combinations.

The property type is array. Its type has the following options set:

• type: inet:url

:proxies / it:sec:c2:config:proxies

An array of proxy URLs used to communicate with the C2 server.

The property type is array. Its type has the following options set:

• type: inet:url

:listens / it:sec:c2:config:listens

An array of listen URLs that the software should bind.

The property type is array. Its type has the following options set:

• type: inet:url

:dns:resolvers / it:sec:c2:config:dns:resolvers

An array of inet:servers to use when resolving DNS names.

The property type is array. Its type has the following options set:

• type: inet:server

:mutex / it:sec:c2:config:mutex

The mutex that the software uses to prevent multiple-installations.

The property type is it:dev:mutex.

:campaigncode / it:sec:c2:config:campaigncode

The operator selected string used to identify the campaign or group of targets.

The property type is it:dev:str.

:crypto:key / it:sec:c2:config:crypto:key

Static key material used to encrypt C2 communications.

The property type is crypto:key.

:connect:delay / it:sec:c2:config:connect:delay

The time delay from first execution to connecting to the C2 server.

The property type is duration.

:connect:interval / it:sec:c2:config:connect:interval

The configured duration to sleep between connections to the C2 server.

The property type is duration.

:raw / it:sec:c2:config:raw

A JSON blob containing the raw config extracted from the binary.

The property type is data.

:http:headers / it:sec:c2:config:http:headers

An array of HTTP headers that the sample should transmit to the C2 server.

The property type is array. Its type has the following options set:

• type: inet:http:header

it:sec:cpe

A NIST CPE 2.3 Formatted String.

The base type for the form can be found at it:sec:cpe.

Properties:

:v2_2 / it:sec:cpe:v2_2

The CPE 2.2 string which is equivalent to the primary property.

The property type is it:sec:cpe:v2_2.

:part / it:sec:cpe:part

The “part” field from the CPE 2.3 string. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:vendor / it:sec:cpe:vendor

The “vendor” field from the CPE 2.3 string. It has the following property options set:

• Read Only: True

The property type is ou:name.

:product / it:sec:cpe:product

The “product” field from the CPE 2.3 string. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:version / it:sec:cpe:version

The “version” field from the CPE 2.3 string. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:update / it:sec:cpe:update

The “update” field from the CPE 2.3 string. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:edition / it:sec:cpe:edition

The “edition” field from the CPE 2.3 string. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:language / it:sec:cpe:language

The “language” field from the CPE 2.3 string. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:sw_edition / it:sec:cpe:sw_edition

The “sw_edition” field from the CPE 2.3 string. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:target_sw / it:sec:cpe:target_sw

The “target_sw” field from the CPE 2.3 string. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:target_hw / it:sec:cpe:target_hw

The “target_hw” field from the CPE 2.3 string. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:other / it:sec:cpe:other

The “other” field from the CPE 2.3 string. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

it:sec:cve

A vulnerability as designated by a Common Vulnerabilities and Exposures (CVE) number.

The base type for the form can be found at it:sec:cve.

An example of it:sec:cve:

• cve-2012-0158

Properties:

:desc / it:sec:cve:desc

Deprecated. Please use risk:vuln:cve:desc. It has the following property options set:

• deprecated: True

The property type is str.

:url / it:sec:cve:url

Deprecated. Please use risk:vuln:cve:url. It has the following property options set:

• deprecated: True

The property type is inet:url.

:references / it:sec:cve:references

Deprecated. Please use risk:vuln:cve:references. It has the following property options set:

• deprecated: True

The property type is array. Its type has the following options set:

• type: inet:url

• uniq: True

• sorted: True

it:sec:cwe

NIST NVD Common Weaknesses Enumeration Specification.

The base type for the form can be found at it:sec:cwe.

An example of it:sec:cwe:

• CWE-120

Properties:

:name / it:sec:cwe:name

The CWE description field. It has the following property options set:

• Example: Buffer Copy without Checking Size of Input (Classic Buffer Overflow)

The property type is str.

:desc / it:sec:cwe:desc

The CWE description field. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:url / it:sec:cwe:url

A URL linking this CWE to a full description.

The property type is inet:url.

:parents / it:sec:cwe:parents

An array of ChildOf CWE Relationships.

The property type is array. Its type has the following options set:

• type: it:sec:cwe

• uniq: True

• sorted: True

• split: ,

it:sec:stix:bundle

A STIX bundle.

The base type for the form can be found at it:sec:stix:bundle.

Properties:

:id / it:sec:stix:bundle:id

The id field from the STIX bundle.

The property type is str.

it:sec:stix:indicator

A STIX indicator pattern.

The base type for the form can be found at it:sec:stix:indicator.

Properties:

:id / it:sec:stix:indicator:id

The STIX id field from the indicator pattern.

The property type is str.

:name / it:sec:stix:indicator:name

The name of the STIX indicator pattern.

The property type is str.

:pattern / it:sec:stix:indicator:pattern

The STIX indicator pattern text.

The property type is str.

:created / it:sec:stix:indicator:created

The time that the indicator pattern was first created.

The property type is time.

:updated / it:sec:stix:indicator:updated

The time that the indicator pattern was last modified.

The property type is time.

:labels / it:sec:stix:indicator:labels

The label strings embedded in the STIX indicator pattern.

The property type is array. Its type has the following options set:

• type: str

• uniq: True

• sorted: True

lang:idiom

Deprecated. Please use lang:translation.

The base type for the form can be found at lang:idiom.

Properties:

:url / lang:idiom:url

Authoritative URL for the idiom.

The property type is inet:url.

:desc:en / lang:idiom:desc:en

English description. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

lang:language

A specific written or spoken language.

The base type for the form can be found at lang:language.

Properties:

:name / lang:language:name

The primary name of the language.

The property type is lang:name.

:names / lang:language:names

An array of alternative names for the language.

The property type is array. Its type has the following options set:

• type: lang:name

• sorted: True

• uniq: True

:skill / lang:language:skill

The skill used to annotate proficiency in the language.

The property type is ps:skill.

lang:name

A name used to refer to a language.

The base type for the form can be found at lang:name.

Properties:

lang:trans

Deprecated. Please use lang:translation.

The base type for the form can be found at lang:trans.

Properties:

:text:en / lang:trans:text:en

English translation. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:desc:en / lang:trans:desc:en

English description. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

lang:translation

A translation of text from one language to another.

The base type for the form can be found at lang:translation.

Properties:

:input / lang:translation:input

The input text. It has the following property options set:

• Example: hola

The property type is str.

:input:lang / lang:translation:input:lang

The input language code.

The property type is lang:code.

:output / lang:translation:output

The output text. It has the following property options set:

• Example: hi

The property type is str.

:output:lang / lang:translation:output:lang

The output language code.

The property type is lang:code.

:desc / lang:translation:desc

A description of the meaning of the output. It has the following property options set:

• Example: A standard greeting

The property type is str.

:engine / lang:translation:engine

The translation engine version used.

The property type is it:prod:softver.

mat:item

A GUID assigned to a material object.

The base type for the form can be found at mat:item.

Properties:

:name / mat:item:name

The name of the material item.

The property type is str. Its type has the following options set:

• lower: True

:type / mat:item:type

The taxonomy type of the item.

The property type is mat:type.

:spec / mat:item:spec

The specification which defines this item.

The property type is mat:spec.

:place / mat:item:place

The most recent place the item is known to reside.

The property type is geo:place.

:latlong / mat:item:latlong

The last known lat/long location of the node.

The property type is geo:latlong.

:loc / mat:item:loc

The geo-political location string for the node.

The property type is loc.

mat:itemimage

The base type for compound node fields.

The base type for the form can be found at mat:itemimage.

Properties:

:item / mat:itemimage:item

The item contained within the image file. It has the following property options set:

• Read Only: True

The property type is mat:item.

:file / mat:itemimage:file

The file containing an image of the item. It has the following property options set:

• Read Only: True

The property type is file:bytes.

mat:spec

A GUID assigned to a material specification.

The base type for the form can be found at mat:spec.

Properties:

:name / mat:spec:name

The name of the material specification.

The property type is str. Its type has the following options set:

• lower: True

:type / mat:spec:type

The taxonomy type for the specification.

The property type is mat:type.

mat:specimage

The base type for compound node fields.

The base type for the form can be found at mat:specimage.

Properties:

:spec / mat:specimage:spec

The spec contained within the image file. It has the following property options set:

• Read Only: True

The property type is mat:spec.

:file / mat:specimage:file

The file containing an image of the spec. It has the following property options set:

• Read Only: True

The property type is file:bytes.

media:news

A GUID for a news article or report.

The base type for the form can be found at media:news.

Properties:

:url / media:news:url

The (optional) URL where the news was published. It has the following property options set:

• Example: http://cnn.com/news/mars-lander.html

The property type is inet:url.

:url:fqdn / media:news:url:fqdn

The FQDN within the news URL. It has the following property options set:

• Example: cnn.com

The property type is inet:fqdn.

:type / media:news:type

A taxonomy for the type of reporting or news.

The property type is media:news:taxonomy.

:file / media:news:file

The (optional) file blob containing or published as the news.

The property type is file:bytes.

:title / media:news:title

Title/Headline for the news. It has the following property options set:

• Example: mars lander reaches mars

• disp: {'hint': 'text'}

The property type is str. Its type has the following options set:

• lower: True

:summary / media:news:summary

A brief summary of the news item. It has the following property options set:

• Example: lorum ipsum

• disp: {'hint': 'text'}

The property type is str.

:publisher / media:news:publisher

The organization which published the news.

The property type is ou:org.

:publisher:name / media:news:publisher:name

The name of the publishing org used to publish the news.

The property type is ou:name.

:published / media:news:published

The date the news item was published. It has the following property options set:

• Example: 20161201180433

The property type is time.

:org / media:news:org

Deprecated. Please use :publisher:name. It has the following property options set:

• deprecated: True

The property type is ou:alias.

:author / media:news:author

Deprecated. Please use :authors array of ps:contact nodes. It has the following property options set:

• deprecated: True

The property type is ps:name.

:authors / media:news:authors

An array of authors of the news item.

The property type is array. Its type has the following options set:

• type: ps:contact

• split: ,

• uniq: True

• sorted: True

:rss:feed / media:news:rss:feed

The RSS feed that published the news.

The property type is inet:url.

:ext:id / media:news:ext:id

An external identifier specified by the publisher.

The property type is str.

:topics / media:news:topics

An array of relevant topics discussed in the report.

The property type is array. Its type has the following options set:

• type: media:topic

• uniq: True

• sorted: True

media:news:taxonomy

A taxonomy of types or sources of news.

The base type for the form can be found at media:news:taxonomy.

Properties:

media:topic

A topic string.

The base type for the form can be found at media:topic.

Properties:

:desc / media:topic:desc

A brief description of the topic.

The property type is str.

meta:event

An analytically relevant event in a curated timeline.

The base type for the form can be found at meta:event.

Properties:

:timeline / meta:event:timeline

The timeline containing the event.

The property type is meta:timeline.

:title / meta:event:title

A title for the event.

The property type is str.

:summary / meta:event:summary

A prose summary of the event. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:time / meta:event:time

The time that the event occurred.

The property type is time.

:duration / meta:event:duration

The duration of the event.

The property type is duration.

:type / meta:event:type

Type of event.

The property type is meta:event:taxonomy.

meta:event:taxonomy

A taxonomy of event types for meta:event nodes.

The base type for the form can be found at meta:event:taxonomy.

Properties:

:title / meta:event:taxonomy:title

A brief title of the definition.

The property type is str.

:summary / meta:event:taxonomy:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / meta:event:taxonomy:sort

A display sort order for siblings.

The property type is int.

:base / meta:event:taxonomy:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / meta:event:taxonomy:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / meta:event:taxonomy:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is meta:event:taxonomy.

meta:note

An analyst note about nodes linked with -(about)> edges.

The base type for the form can be found at meta:note.

Properties:

:type / meta:note:type

The note type.

The property type is meta:note:type:taxonomy.

:text / meta:note:text

The analyst authored note text. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:author / meta:note:author

The contact information of the author.

The property type is ps:contact.

:creator / meta:note:creator

The synapse user who authored the note.

The property type is syn:user.

:created / meta:note:created

The time the note was created.

The property type is time.

meta:note:type:taxonomy

An analyst note type taxonomy.

The base type for the form can be found at meta:note:type:taxonomy.

Properties:

:title / meta:note:type:taxonomy:title

A brief title of the definition.

The property type is str.

:summary / meta:note:type:taxonomy:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / meta:note:type:taxonomy:sort

A display sort order for siblings.

The property type is int.

:base / meta:note:type:taxonomy:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / meta:note:type:taxonomy:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / meta:note:type:taxonomy:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is meta:note:type:taxonomy.

meta:rule

A generic rule linked to matches with -(matches)> edges.

The base type for the form can be found at meta:rule.

Properties:

:name / meta:rule:name

A name for the rule.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:desc / meta:rule:desc

A description of the rule. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:text / meta:rule:text

The text of the rule logic. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:author / meta:rule:author

The contact information of the rule author.

The property type is ps:contact.

:created / meta:rule:created

The time the rule was initially created.

The property type is time.

:updated / meta:rule:updated

The time the rule was most recently modified.

The property type is time.

:url / meta:rule:url

A URL which documents the rule.

The property type is inet:url.

:ext:id / meta:rule:ext:id

An external identifier for the rule.

The property type is str.

meta:ruleset

A set of rules linked with -(has)> edges.

The base type for the form can be found at meta:ruleset.

Properties:

:name / meta:ruleset:name

A name for the ruleset.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:desc / meta:ruleset:desc

A description of the ruleset. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:author / meta:ruleset:author

The contact information of the ruleset author.

The property type is ps:contact.

:created / meta:ruleset:created

The time the ruleset was initially created.

The property type is time.

:updated / meta:ruleset:updated

The time the ruleset was most recently modified.

The property type is time.

meta:seen

Annotates that the data in a node was obtained from or observed by a given source.

The base type for the form can be found at meta:seen.

Properties:

:source / meta:seen:source

The source which observed or provided the node. It has the following property options set:

• Read Only: True

The property type is meta:source.

:node / meta:seen:node

The node which was observed by or received from the source. It has the following property options set:

• Read Only: True

The property type is ndef.

meta:source

A data source unique identifier.

The base type for the form can be found at meta:source.

Properties:

:name / meta:source:name

A human friendly name for the source.

The property type is str. Its type has the following options set:

• lower: True

:type / meta:source:type

An optional type field used to group sources.

The property type is str. Its type has the following options set:

• lower: True

meta:timeline

A curated timeline of analytically relevant events.

The base type for the form can be found at meta:timeline.

Properties:

:title / meta:timeline:title

A title for the timeline. It has the following property options set:

• Example: The history of the Vertex Project

The property type is str.

:summary / meta:timeline:summary

A prose summary of the timeline. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:type / meta:timeline:type

The type of timeline.

The property type is meta:timeline:taxonomy.

meta:timeline:taxonomy

A taxonomy of timeline types for meta:timeline nodes.

The base type for the form can be found at meta:timeline:taxonomy.

Properties:

:title / meta:timeline:taxonomy:title

A brief title of the definition.

The property type is str.

:summary / meta:timeline:taxonomy:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / meta:timeline:taxonomy:sort

A display sort order for siblings.

The property type is int.

:base / meta:timeline:taxonomy:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / meta:timeline:taxonomy:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / meta:timeline:taxonomy:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is meta:timeline:taxonomy.

ou:attendee

A node representing a person attending a meeting, conference, or event.

The base type for the form can be found at ou:attendee.

Properties:

:person / ou:attendee:person

The contact information for the person who attended the event.

The property type is ps:contact.

:arrived / ou:attendee:arrived

The time when the person arrived.

The property type is time.

:departed / ou:attendee:departed

The time when the person departed.

The property type is time.

:roles / ou:attendee:roles

List of the roles the person had at the event.

The property type is array. Its type has the following options set:

• type: ou:role

• split: ,

• uniq: True

• sorted: True

:meet / ou:attendee:meet

The meeting that the person attended.

The property type is ou:meet.

:conference / ou:attendee:conference

The conference that the person attended.

The property type is ou:conference.

:conference:event / ou:attendee:conference:event

The conference event that the person attended.

The property type is ou:conference:event.

:contest / ou:attendee:contest

The contest that the person attended.

The property type is ou:contest.

:preso / ou:attendee:preso

The presentation that the person attended.

The property type is ou:preso.

ou:award

An award issued by an organization.

The base type for the form can be found at ou:award.

Properties:

:name / ou:award:name

The name of the award. It has the following property options set:

• Example: Bachelors of Science

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:type / ou:award:type

The type of award. It has the following property options set:

• Example: certification

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:org / ou:award:org

The organization which issues the award.

The property type is ou:org.

ou:campaign

Represents an org’s activity in pursuit of a goal.

The base type for the form can be found at ou:campaign.

Properties:

:org / ou:campaign:org

The org carrying out the campaign.

The property type is ou:org.

:org:name / ou:campaign:org:name

The name of the org responsible for the campaign. Used for entity resolution.

The property type is ou:name.

:org:fqdn / ou:campaign:org:fqdn

The FQDN of the org responsible for the campaign. Used for entity resolution.

The property type is inet:fqdn.

:goal / ou:campaign:goal

The assessed primary goal of the campaign.

The property type is ou:goal.

:actors / ou:campaign:actors

Actors who participated in the campaign.

The property type is array. Its type has the following options set:

• type: ps:contact

• split: ,

• uniq: True

• sorted: True

:goals / ou:campaign:goals

Additional assessed goals of the campaign.

The property type is array. Its type has the following options set:

• type: ou:goal

• split: ,

• uniq: True

• sorted: True

:success / ou:campaign:success

Records the success/failure status of the campaign if known.

The property type is bool.

:name / ou:campaign:name

A terse name of the campaign.

The property type is str.

:type / ou:campaign:type

Deprecated. Use the :camptype taxonomy. It has the following property options set:

• deprecated: True

The property type is str.

:sophistication / ou:campaign:sophistication

The assessed sophistication of the campaign.

The property type is meta:sophistication.

:camptype / ou:campaign:camptype

The campaign type taxonomy. It has the following property options set:

• disp: {'hint': 'taxonomy'}

The property type is ou:camptype.

:desc / ou:campaign:desc

A description of the campaign. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:period / ou:campaign:period

The time interval when the organization was running the campaign.

The property type is ival.

:cost / ou:campaign:cost

The actual cost to the organization.

The property type is econ:price.

:budget / ou:campaign:budget

The budget allocated by the organization to execute the campaign.

The property type is econ:price.

:currency / ou:campaign:currency

The currency used to record econ:price properties.

The property type is econ:currency.

:goal:revenue / ou:campaign:goal:revenue

A goal for revenue resulting from the campaign.

The property type is econ:price.

:result:revenue / ou:campaign:result:revenue

The revenue resulting from the campaign.

The property type is econ:price.

:goal:pop / ou:campaign:goal:pop

A goal for the number of people affected by the campaign.

The property type is int.

:result:pop / ou:campaign:result:pop

The count of people affected by the campaign.

The property type is int.

:team / ou:campaign:team

The org team responsible for carrying out the campaign.

The property type is ou:team.

:conflict / ou:campaign:conflict

The conflict in which this campaign is a primary participant.

The property type is ou:conflict.

:techniques / ou:campaign:techniques

Deprecated for scalability. Please use -(uses)> ou:technique. It has the following property options set:

• deprecated: True

The property type is array. Its type has the following options set:

• type: ou:technique

• sorted: True

• uniq: True

ou:camptype

An campaign type taxonomy.

The base type for the form can be found at ou:camptype.

Properties:

:title / ou:camptype:title

A brief title of the definition.

The property type is str.

:summary / ou:camptype:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / ou:camptype:sort

A display sort order for siblings.

The property type is int.

:base / ou:camptype:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / ou:camptype:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / ou:camptype:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is ou:camptype.

ou:conference

A conference with a name and sponsoring org.

The base type for the form can be found at ou:conference.

Properties:

:org / ou:conference:org

The org which created/managed the conference.

The property type is ou:org.

:organizer / ou:conference:organizer

Contact information for the primary organizer of the conference.

The property type is ps:contact.

:sponsors / ou:conference:sponsors

An array of contacts which sponsored the conference.

The property type is array. Its type has the following options set:

• type: ps:contact

• uniq: True

• sorted: True

:name / ou:conference:name

The full name of the conference. It has the following property options set:

• Example: decfon 2017

The property type is str. Its type has the following options set:

• lower: True

:desc / ou:conference:desc

A description of the conference. It has the following property options set:

• Example: annual cybersecurity conference

• disp: {'hint': 'text'}

The property type is str. Its type has the following options set:

• lower: True

:base / ou:conference:base

The base name which is shared by all conference instances. It has the following property options set:

• Example: defcon

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:start / ou:conference:start

The conference start date / time.

The property type is time.

:end / ou:conference:end

The conference end date / time.

The property type is time.

:place / ou:conference:place

The geo:place node where the conference was held.

The property type is geo:place.

:url / ou:conference:url

The inet:url node for the conference website.

The property type is inet:url.

ou:conference:attendee

Deprecated. Please use ou:attendee.

The base type for the form can be found at ou:conference:attendee.

Properties:

:conference / ou:conference:attendee:conference

The conference which was attended. It has the following property options set:

• Read Only: True

The property type is ou:conference.

:person / ou:conference:attendee:person

The person who attended the conference. It has the following property options set:

• Read Only: True

The property type is ps:person.

:arrived / ou:conference:attendee:arrived

The time when a person arrived to the conference.

The property type is time.

:departed / ou:conference:attendee:departed

The time when a person departed from the conference.

The property type is time.

:role:staff / ou:conference:attendee:role:staff

The person worked as staff at the conference.

The property type is bool.

:role:speaker / ou:conference:attendee:role:speaker

The person was a speaker or presenter at the conference.

The property type is bool.

:roles / ou:conference:attendee:roles

List of the roles the person had at the conference.

The property type is array. Its type has the following options set:

• type: str

• uniq: True

• sorted: True

ou:conference:event

A conference event with a name and associated conference.

The base type for the form can be found at ou:conference:event.

Properties:

:conference / ou:conference:event:conference

The conference to which the event is associated. It has the following property options set:

• Read Only: True

The property type is ou:conference.

:organizer / ou:conference:event:organizer

Contact information for the primary organizer of the event.

The property type is ps:contact.

:sponsors / ou:conference:event:sponsors

An array of contacts which sponsored the event.

The property type is array. Its type has the following options set:

• type: ps:contact

• uniq: True

• sorted: True

:place / ou:conference:event:place

The geo:place where the event occurred.

The property type is geo:place.

:name / ou:conference:event:name

The name of the conference event. It has the following property options set:

• Example: foobar conference dinner

The property type is str. Its type has the following options set:

• lower: True

:desc / ou:conference:event:desc

A description of the conference event. It has the following property options set:

• Example: foobar conference networking dinner at ridge hotel

• disp: {'hint': 'text'}

The property type is str. Its type has the following options set:

• lower: True

:url / ou:conference:event:url

The inet:url node for the conference event website.

The property type is inet:url.

:contact / ou:conference:event:contact

Contact info for the event.

The property type is ps:contact.

:start / ou:conference:event:start

The event start date / time.

The property type is time.

:end / ou:conference:event:end

The event end date / time.

The property type is time.

ou:conference:event:attendee

Deprecated. Please use ou:attendee.

The base type for the form can be found at ou:conference:event:attendee.

Properties:

:event / ou:conference:event:attendee:event

The conference event which was attended. It has the following property options set:

• Read Only: True

The property type is ou:conference:event.

:person / ou:conference:event:attendee:person

The person who attended the conference event. It has the following property options set:

• Read Only: True

The property type is ps:person.

:arrived / ou:conference:event:attendee:arrived

The time when a person arrived to the conference event.

The property type is time.

:departed / ou:conference:event:attendee:departed

The time when a person departed from the conference event.

The property type is time.

:roles / ou:conference:event:attendee:roles

List of the roles the person had at the conference event.

The property type is array. Its type has the following options set:

• type: str

• uniq: True

• sorted: True

ou:conflict

Represents a conflict where two or more campaigns have mutually exclusive goals.

The base type for the form can be found at ou:conflict.

Properties:

:name / ou:conflict:name

The name of the conflict.

The property type is str. Its type has the following options set:

• onespace: True

:started / ou:conflict:started

The time the conflict began.

The property type is time.

:ended / ou:conflict:ended

The time the conflict ended.

The property type is time.

:timeline / ou:conflict:timeline

A timeline of significant events related to the conflict.

The property type is meta:timeline.

ou:contest

A competitive event resulting in a ranked set of participants.

The base type for the form can be found at ou:contest.

Properties:

:name / ou:contest:name

The name of the contest. It has the following property options set:

• Example: defcon ctf 2020

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:type / ou:contest:type

The type of contest. It has the following property options set:

• Example: cyber ctf

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:family / ou:contest:family

A name for a series of recurring contests. It has the following property options set:

• Example: defcon ctf

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:desc / ou:contest:desc

A description of the contest. It has the following property options set:

• Example: the capture-the-flag event hosted at defcon 2020

• disp: {'hint': 'text'}

The property type is str. Its type has the following options set:

• lower: True

:url / ou:contest:url

The contest website URL.

The property type is inet:url.

:start / ou:contest:start

The contest start date / time.

The property type is time.

:end / ou:contest:end

The contest end date / time.

The property type is time.

:loc / ou:contest:loc

The geopolitical affiliation of the contest.

The property type is loc.

:place / ou:contest:place

The geo:place where the contest was held.

The property type is geo:place.

:latlong / ou:contest:latlong

The latlong where the contest was held.

The property type is geo:latlong.

:conference / ou:contest:conference

The conference that the contest is associated with.

The property type is ou:conference.

:contests / ou:contest:contests

An array of sub-contests that contributed to the rankings.

The property type is array. Its type has the following options set:

• type: ou:contest

• split: ,

• uniq: True

• sorted: True

:sponsors / ou:contest:sponsors

Contact information for contest sponsors.

The property type is array. Its type has the following options set:

• type: ps:contact

• split: ,

• uniq: True

• sorted: True

:organizers / ou:contest:organizers

Contact information for contest organizers.

The property type is array. Its type has the following options set:

• type: ps:contact

• split: ,

• uniq: True

• sorted: True

:participants / ou:contest:participants

Contact information for contest participants.

The property type is array. Its type has the following options set:

• type: ps:contact

• split: ,

• uniq: True

• sorted: True

ou:contest:result

The results from a single contest participant.

The base type for the form can be found at ou:contest:result.

Properties:

:contest / ou:contest:result:contest

The contest. It has the following property options set:

• Read Only: True

The property type is ou:contest.

:participant / ou:contest:result:participant

The participant. It has the following property options set:

• Read Only: True

The property type is ps:contact.

:rank / ou:contest:result:rank

The rank order of the participant.

The property type is int.

:score / ou:contest:result:score

The score of the participant.

The property type is int.

:url / ou:contest:result:url

The contest result website URL.

The property type is inet:url.

ou:contract

An contract between multiple entities.

The base type for the form can be found at ou:contract.

Properties:

:title / ou:contract:title

A terse title for the contract.

The property type is str.

:type / ou:contract:type

The type of contract.

The property type is ou:conttype.

:sponsor / ou:contract:sponsor

The contract sponsor.

The property type is ps:contact.

:parties / ou:contract:parties

The non-sponsor entities bound by the contract.

The property type is array. Its type has the following options set:

• type: ps:contact

• uniq: True

• sorted: True

:document / ou:contract:document

The best/current contract document.

The property type is file:bytes.

:signed / ou:contract:signed

The date that the contract signing was complete.

The property type is time.

:begins / ou:contract:begins

The date that the contract goes into effect.

The property type is time.

:expires / ou:contract:expires

The date that the contract expires.

The property type is time.

:completed / ou:contract:completed

The date that the contract was completed.

The property type is time.

:terminated / ou:contract:terminated

The date that the contract was terminated.

The property type is time.

:award:price / ou:contract:award:price

The value of the contract at time of award.

The property type is econ:price.

:budget:price / ou:contract:budget:price

The amount of money budgeted for the contract.

The property type is econ:price.

:currency / ou:contract:currency

The currency of the econ:price values.

The property type is econ:currency.

:purchase / ou:contract:purchase

Purchase details of the contract.

The property type is econ:purchase.

:requirements / ou:contract:requirements

The requirements levied upon the parties.

The property type is array. Its type has the following options set:

• type: ou:goal

• uniq: True

• sorted: True

:types / ou:contract:types

A list of types that apply to the contract. It has the following property options set:

• deprecated: True

The property type is array. Its type has the following options set:

• type: ou:contract:type

• split: ,

• uniq: True

• sorted: True

ou:contribution

Represents a specific instance of contributing material support to a campaign.

The base type for the form can be found at ou:contribution.

Properties:

:from / ou:contribution:from

The contact information of the contributor.

The property type is ps:contact.

:campaign / ou:contribution:campaign

The campaign receiving the contribution.

The property type is ou:campaign.

:value / ou:contribution:value

The assessed value of the contribution.

The property type is econ:price.

:currency / ou:contribution:currency

The currency used for the assessed value.

The property type is econ:currency.

:time / ou:contribution:time

The time the contribution occurred.

The property type is time.

:material:spec / ou:contribution:material:spec

The specification of material items contributed.

The property type is mat:spec.

:material:count / ou:contribution:material:count

The number of material items contributed.

The property type is int.

:monetary:payment / ou:contribution:monetary:payment

Payment details for a monetary contribution.

The property type is econ:acct:payment.

:personnel:count / ou:contribution:personnel:count

Number of personnel contributed to the campaign.

The property type is int.

:personnel:jobtitle / ou:contribution:personnel:jobtitle

Title or designation for the contributed personnel.

The property type is ou:jobtitle.

ou:conttype

A contract type taxonomy.

The base type for the form can be found at ou:conttype.

Properties:

:title / ou:conttype:title

A brief title of the definition.

The property type is str.

:summary / ou:conttype:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / ou:conttype:sort

A display sort order for siblings.

The property type is int.

:base / ou:conttype:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / ou:conttype:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / ou:conttype:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is ou:conttype.

ou:employment

An employment type taxonomy.

The base type for the form can be found at ou:employment.

An example of ou:employment:

• fulltime.salary

Properties:

:title / ou:employment:title

A brief title of the definition.

The property type is str.

:summary / ou:employment:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / ou:employment:sort

A display sort order for siblings.

The property type is int.

:base / ou:employment:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / ou:employment:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / ou:employment:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is ou:employment.

ou:goal

An assessed or stated goal which may be abstract or org specific.

The base type for the form can be found at ou:goal.

Properties:

:name / ou:goal:name

A terse name for the goal.

The property type is str.

:type / ou:goal:type

A user specified goal type.

The property type is str.

:desc / ou:goal:desc

A description of the goal. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:prev / ou:goal:prev

The previous/parent goal in a list or hierarchy.

The property type is ou:goal.

ou:hasalias

The knowledge that an organization has an alias.

The base type for the form can be found at ou:hasalias.

Properties:

:org / ou:hasalias:org

The org guid which has the alias. It has the following property options set:

• Read Only: True

The property type is ou:org.

:alias / ou:hasalias:alias

Alias for the organization. It has the following property options set:

• Read Only: True

The property type is ou:alias.

ou:hasgoal

Deprecated. Please use ou:org:goals.

The base type for the form can be found at ou:hasgoal.

Properties:

:org / ou:hasgoal:org

The org which has the goal. It has the following property options set:

• Read Only: True

The property type is ou:org.

:goal / ou:hasgoal:goal

The goal which the org has. It has the following property options set:

• Read Only: True

The property type is ou:goal.

:stated / ou:hasgoal:stated

Set to true/false if the goal is known to be self stated.

The property type is bool.

:window / ou:hasgoal:window

Set if a goal has a limited time window.

The property type is ival.

ou:id:number

A unique id number issued by a specific organization.

The base type for the form can be found at ou:id:number.

Properties:

:type / ou:id:number:type

The type of org id. It has the following property options set:

• Read Only: True

The property type is ou:id:type.

:value / ou:id:number:value

The type of org id. It has the following property options set:

• Read Only: True

The property type is ou:id:value.

:status / ou:id:number:status

A freeform status such as valid, suspended, expired.

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:issued / ou:id:number:issued

The time at which the org issued the ID number.

The property type is time.

:expires / ou:id:number:expires

The time at which the ID number expires.

The property type is time.

ou:id:type

A type of id number issued by an org.

The base type for the form can be found at ou:id:type.

Properties:

:org / ou:id:type:org

The org which issues id numbers of this type.

The property type is ou:org.

:name / ou:id:type:name

The friendly name of the id number type.

The property type is str.

ou:id:update

A status update to an org:id:number.

The base type for the form can be found at ou:id:update.

Properties:

:number / ou:id:update:number

The id number that was updated.

The property type is ou:id:number.

:status / ou:id:update:status

The updated status of the id number.

The property type is str. Its type has the following options set:

• strip: True

• lower: True

:time / ou:id:update:time

The date/time that the id number was updated.

The property type is time.

ou:industry

An industry classification type.

The base type for the form can be found at ou:industry.

Properties:

:name / ou:industry:name

The name of the industry.

The property type is ou:industryname.

:names / ou:industry:names

An array of alternative names for the industry.

The property type is array. Its type has the following options set:

• type: ou:industryname

• uniq: True

• sorted: True

:subs / ou:industry:subs

An array of sub-industries.

The property type is array. Its type has the following options set:

• type: ou:industry

• split: ,

• uniq: True

• sorted: True

:sic / ou:industry:sic

An array of SIC codes that map to the industry.

The property type is array. Its type has the following options set:

• type: ou:sic

• split: ,

• uniq: True

• sorted: True

:naics / ou:industry:naics

An array of NAICS codes that map to the industry.

The property type is array. Its type has the following options set:

• type: ou:naics

• split: ,

• uniq: True

• sorted: True

:isic / ou:industry:isic

An array of ISIC codes that map to the industry.

The property type is array. Its type has the following options set:

• type: ou:isic

• split: ,

• uniq: True

• sorted: True

:desc / ou:industry:desc

A description of the industry. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

ou:industryname

The name of an industry.

The base type for the form can be found at ou:industryname.

Properties:

ou:jobtitle

A title for a position within an org.

The base type for the form can be found at ou:jobtitle.

Properties:

ou:jobtype

A title for a position within an org.

The base type for the form can be found at ou:jobtype.

An example of ou:jobtype:

• it.dev.python

Properties:

:title / ou:jobtype:title

A brief title of the definition.

The property type is str.

:summary / ou:jobtype:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / ou:jobtype:sort

A display sort order for siblings.

The property type is int.

:base / ou:jobtype:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / ou:jobtype:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / ou:jobtype:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is ou:jobtype.

ou:meet

An informal meeting of people which has no title or sponsor. See also: ou:conference.

The base type for the form can be found at ou:meet.

Properties:

:name / ou:meet:name

A human friendly name for the meeting.

The property type is str. Its type has the following options set:

• lower: True

:start / ou:meet:start

The date / time the meet starts.

The property type is time.

:end / ou:meet:end

The date / time the meet ends.

The property type is time.

:place / ou:meet:place

The geo:place node where the meet was held.

The property type is geo:place.

ou:meet:attendee

Deprecated. Please use ou:attendee.

The base type for the form can be found at ou:meet:attendee.

Properties:

:meet / ou:meet:attendee:meet

The meeting which was attended. It has the following property options set:

• Read Only: True

The property type is ou:meet.

:person / ou:meet:attendee:person

The person who attended the meeting. It has the following property options set:

• Read Only: True

The property type is ps:person.

:arrived / ou:meet:attendee:arrived

The time when a person arrived to the meeting.

The property type is time.

:departed / ou:meet:attendee:departed

The time when a person departed from the meeting.

The property type is time.

ou:member

Deprecated. Please use ou:position.

The base type for the form can be found at ou:member.

Properties:

:org / ou:member:org

The GUID of the org the person is a member of. It has the following property options set:

• Read Only: True

The property type is ou:org.

:person / ou:member:person

The GUID of the person that is a member of an org. It has the following property options set:

• Read Only: True

The property type is ps:person.

:title / ou:member:title

The persons normalized title.

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:start / ou:member:start

Earliest known association of the person with the org.

The property type is time. Its type has the following options set:

• ismin: True

:end / ou:member:end

Most recent known association of the person with the org.

The property type is time. Its type has the following options set:

• ismax: True

ou:name

The name of an organization. This may be a formal name or informal name of the organization.

The base type for the form can be found at ou:name.

An example of ou:name:

• acme corporation

Properties:

ou:opening

A job/work opening within an org.

The base type for the form can be found at ou:opening.

Properties:

:org / ou:opening:org

The org which has the opening.

The property type is ou:org.

:orgname / ou:opening:orgname

The name of the organization as listed in the opening.

The property type is ou:name.

:orgfqdn / ou:opening:orgfqdn

The FQDN of the organization as listed in the opening.

The property type is inet:fqdn.

:posted / ou:opening:posted

The date/time that the job opening was posted.

The property type is time.

:removed / ou:opening:removed

The date/time that the job opening was removed.

The property type is time.

:postings / ou:opening:postings

URLs where the opening is listed.

The property type is array. Its type has the following options set:

• type: inet:url

• uniq: True

• sorted: True

:contact / ou:opening:contact

The contact details to inquire about the opening.

The property type is ps:contact.

:loc / ou:opening:loc

The geopolitical boundary of the opening.

The property type is loc.

:jobtype / ou:opening:jobtype

The job type taxonomy.

The property type is ou:jobtype.

:employment / ou:opening:employment

The type of employment.

The property type is ou:employment.

:jobtitle / ou:opening:jobtitle

The title of the opening.

The property type is ou:jobtitle.

:remote / ou:opening:remote

Set to true if the opening will allow a fully remote worker.

The property type is bool.

:yearlypay / ou:opening:yearlypay

The yearly income associated with the opening.

The property type is econ:price.

:paycurrency / ou:opening:paycurrency

The currency that the yearly pay was delivered in.

The property type is econ:currency.

ou:org

A GUID for a human organization such as a company or military unit.

The base type for the form can be found at ou:org.

Properties:

:loc / ou:org:loc

Location for an organization.

The property type is loc.

:name / ou:org:name

The localized name of an organization.

The property type is ou:name.

:type / ou:org:type

The type of organization. It has the following property options set:

• deprecated: True

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:orgtype / ou:org:orgtype

The type of organization. It has the following property options set:

• disp: {'hint': 'taxonomy'}

The property type is ou:orgtype.

:vitals / ou:org:vitals

The most recent/accurate ou:vitals for the org.

The property type is ou:vitals.

:desc / ou:org:desc

A description of the org. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:logo / ou:org:logo

An image file representing the logo for the organization.

The property type is file:bytes.

:names / ou:org:names

A list of alternate names for the organization.

The property type is array. Its type has the following options set:

• type: ou:name

• uniq: True

• sorted: True

:alias / ou:org:alias

The default alias for an organization.

The property type is ou:alias.

:phone / ou:org:phone

The primary phone number for the organization.

The property type is tel:phone.

:sic / ou:org:sic

The Standard Industrial Classification code for the organization. It has the following property options set:

• deprecated: True

The property type is ou:sic.

:naics / ou:org:naics

The North American Industry Classification System code for the organization. It has the following property options set:

• deprecated: True

The property type is ou:naics.

:industries / ou:org:industries

The industries associated with the org.

The property type is array. Its type has the following options set:

• type: ou:industry

• uniq: True

• sorted: True

:us:cage / ou:org:us:cage

The Commercial and Government Entity (CAGE) code for the organization.

The property type is gov:us:cage.

:founded / ou:org:founded

The date on which the org was founded.

The property type is time.

:dissolved / ou:org:dissolved

The date on which the org was dissolved.

The property type is time.

:url / ou:org:url

The primary url for the organization.

The property type is inet:url.

:subs / ou:org:subs

An set of sub-organizations.

The property type is array. Its type has the following options set:

• type: ou:org

• uniq: True

• sorted: True

:orgchart / ou:org:orgchart

The root node for an orgchart made up ou:position nodes.

The property type is ou:position.

:hq / ou:org:hq

A collection of contact information for the “main office” of an org.

The property type is ps:contact.

:locations / ou:org:locations

An array of contacts for facilities operated by the org.

The property type is array. Its type has the following options set:

• type: ps:contact

• uniq: True

• sorted: True

:dns:mx / ou:org:dns:mx

An array of MX domains used by email addresses issued by the org.

The property type is array. Its type has the following options set:

• type: inet:fqdn

• uniq: True

• sorted: True

:techniques / ou:org:techniques

Deprecated for scalability. Please use -(uses)> ou:technique. It has the following property options set:

• deprecated: True

The property type is array. Its type has the following options set:

• type: ou:technique

• sorted: True

• uniq: True

:goals / ou:org:goals

The assessed goals of the organization.

The property type is array. Its type has the following options set:

• type: ou:goal

• sorted: True

• uniq: True

ou:org:has

An org owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.

The base type for the form can be found at ou:org:has.

Properties:

:org / ou:org:has:org

The org who owns or controls the object or resource. It has the following property options set:

• Read Only: True

The property type is ou:org.

:node / ou:org:has:node

The object or resource that is owned or controlled by the org. It has the following property options set:

• Read Only: True

The property type is ndef.

:node:form / ou:org:has:node:form

The form of the object or resource that is owned or controlled by the org. It has the following property options set:

• Read Only: True

The property type is str.

ou:orgnet4

An organization’s IPv4 netblock.

The base type for the form can be found at ou:orgnet4.

Properties:

:org / ou:orgnet4:org

The org guid which owns the netblock. It has the following property options set:

• Read Only: True

The property type is ou:org.

:net / ou:orgnet4:net

Netblock owned by the organization. It has the following property options set:

• Read Only: True

The property type is inet:net4.

:name / ou:orgnet4:name

The name that the organization assigns to this netblock.

The property type is str. Its type has the following options set:

• lower: True

• strip: True

ou:orgnet6

An organization’s IPv6 netblock.

The base type for the form can be found at ou:orgnet6.

Properties:

:org / ou:orgnet6:org

The org guid which owns the netblock. It has the following property options set:

• Read Only: True

The property type is ou:org.

:net / ou:orgnet6:net

Netblock owned by the organization. It has the following property options set:

• Read Only: True

The property type is inet:net6.

:name / ou:orgnet6:name

The name that the organization assigns to this netblock.

The property type is str. Its type has the following options set:

• lower: True

• strip: True

ou:orgtype

An org type taxonomy.

The base type for the form can be found at ou:orgtype.

Properties:

:title / ou:orgtype:title

A brief title of the definition.

The property type is str.

:summary / ou:orgtype:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / ou:orgtype:sort

A display sort order for siblings.

The property type is int.

:base / ou:orgtype:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / ou:orgtype:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / ou:orgtype:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is ou:orgtype.

ou:position

A position within an org. May be organized into an org chart.

The base type for the form can be found at ou:position.

Properties:

:org / ou:position:org

The org which has the position.

The property type is ou:org.

:team / ou:position:team

The team that the position is a member of.

The property type is ou:team.

:contact / ou:position:contact

The contact info for the person who holds the position.

The property type is ps:contact.

:title / ou:position:title

The title of the position.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:reports / ou:position:reports

An array of positions which report to this position.

The property type is array. Its type has the following options set:

• type: ou:position

• uniq: True

• sorted: True

ou:preso

A webinar, conference talk, or other type of presentation.

The base type for the form can be found at ou:preso.

Properties:

:organizer / ou:preso:organizer

Contact information for the primary organizer of the presentation.

The property type is ps:contact.

:sponsors / ou:preso:sponsors

A set of contacts which sponsored the presentation.

The property type is array. Its type has the following options set:

• type: ps:contact

• uniq: True

• sorted: True

:presenters / ou:preso:presenters

A set of contacts which gave the presentation.

The property type is array. Its type has the following options set:

• type: ps:contact

• uniq: True

• sorted: True

:title / ou:preso:title

The full name of the presentation. It has the following property options set:

• Example: Synapse 101 - 2021/06/22

The property type is str. Its type has the following options set:

• lower: True

:desc / ou:preso:desc

A description of the presentation. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str. Its type has the following options set:

• lower: True

:time / ou:preso:time

The scheduled presentation start time.

The property type is time.

:duration / ou:preso:duration

The scheduled duration of the presentation.

The property type is duration.

:loc / ou:preso:loc

The geopolitical location string for where the presentation was given.

The property type is loc.

:place / ou:preso:place

The geo:place node where the presentation was held.

The property type is geo:place.

:deck:url / ou:preso:deck:url

The URL hosting a copy of the presentation materials.

The property type is inet:url.

:deck:file / ou:preso:deck:file

A file containing the presentation materials.

The property type is file:bytes.

:attendee:url / ou:preso:attendee:url

The URL visited by live attendees of the presentation.

The property type is inet:url.

:recording:url / ou:preso:recording:url

The URL hosting a recording of the presentation.

The property type is inet:url.

:recording:file / ou:preso:recording:file

A file containing a recording of the presentation.

The property type is file:bytes.

:conference / ou:preso:conference

The conference which hosted the presentation.

The property type is ou:conference.

ou:suborg

Any parent/child relationship between two orgs. May represent ownership, organizational structure, etc.

The base type for the form can be found at ou:suborg.

Properties:

:org / ou:suborg:org

The org which owns the sub organization. It has the following property options set:

• Read Only: True

The property type is ou:org.

:sub / ou:suborg:sub

The sub org which owned by the org. It has the following property options set:

• Read Only: True

The property type is ou:org.

:perc / ou:suborg:perc

The optional percentage of sub which is owned by org.

The property type is int. Its type has the following options set:

• min: 0

• max: 100

:founded / ou:suborg:founded

The date on which the suborg relationship was founded.

The property type is time.

:dissolved / ou:suborg:dissolved

The date on which the suborg relationship was dissolved.

The property type is time.

:current / ou:suborg:current

Bool indicating if the suborg relationship still current.

The property type is bool.

ou:team

A GUID for a team within an organization.

The base type for the form can be found at ou:team.

Properties:

:org / ou:team:org

A GUID for a human organization such as a company or military unit.

The property type is ou:org.

:name / ou:team:name

The name of an organization. This may be a formal name or informal name of the organization.

The property type is ou:name.

ou:technique

A specific technique used to achieve a goal.

The base type for the form can be found at ou:technique.

Properties:

:name / ou:technique:name

The normalized name of the technique.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:type / ou:technique:type

The taxonomy classification of the technique.

The property type is ou:technique:taxonomy.

:sophistication / ou:technique:sophistication

The assessed sophistication of the technique.

The property type is meta:sophistication.

:desc / ou:technique:desc

A description of the technique. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:tag / ou:technique:tag

The tag used to annotate nodes where the technique was employed.

The property type is syn:tag.

:mitre:attack:technique / ou:technique:mitre:attack:technique

A mapping to a Mitre ATT&CK technique if applicable.

The property type is it:mitre:attack:technique.

ou:technique:taxonomy

An analyst defined taxonomy to classify techniques in different disciplines.

The base type for the form can be found at ou:technique:taxonomy.

Properties:

:title / ou:technique:taxonomy:title

A brief title of the definition.

The property type is str.

:summary / ou:technique:taxonomy:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / ou:technique:taxonomy:sort

A display sort order for siblings.

The property type is int.

:base / ou:technique:taxonomy:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / ou:technique:taxonomy:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / ou:technique:taxonomy:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is ou:technique:taxonomy.

ou:user

A user name within an organization.

The base type for the form can be found at ou:user.

Properties:

:org / ou:user:org

The org guid which owns the netblock. It has the following property options set:

• Read Only: True

The property type is ou:org.

:user / ou:user:user

The username associated with the organization. It has the following property options set:

• Read Only: True

The property type is inet:user.

ou:vitals

Vital statistics about an org for a given time period.

The base type for the form can be found at ou:vitals.

Properties:

:asof / ou:vitals:asof

The time that the vitals represent.

The property type is time.

:org / ou:vitals:org

The resolved org.

The property type is ou:org.

:orgname / ou:vitals:orgname

The org name as reported by the source of the vitals.

The property type is ou:name.

:orgfqdn / ou:vitals:orgfqdn

The org FQDN as reported by the source of the vitals.

The property type is inet:fqdn.

:currency / ou:vitals:currency

The currency of the econ:price values.

The property type is econ:currency.

:costs / ou:vitals:costs

The costs/expenditures over the period.

The property type is econ:price.

:revenue / ou:vitals:revenue

The gross revenue over the period.

The property type is econ:price.

:profit / ou:vitals:profit

The net profit over the period.

The property type is econ:price.

:valuation / ou:vitals:valuation

The assessed value of the org.

The property type is econ:price.

:shares / ou:vitals:shares

The number of shares outstanding.

The property type is int.

:population / ou:vitals:population

The population of the org.

The property type is int.

:delta:costs / ou:vitals:delta:costs

The change in costs over last period.

The property type is econ:price.

:delta:revenue / ou:vitals:delta:revenue

The change in revenue over last period.

The property type is econ:price.

:delta:profit / ou:vitals:delta:profit

The change in profit over last period.

The property type is econ:price.

:delta:valuation / ou:vitals:delta:valuation

The change in valuation over last period.

The property type is econ:price.

:delta:population / ou:vitals:delta:population

The change in population over last period.

The property type is int.

pol:candidate

A candidate for office in a specific race.

The base type for the form can be found at pol:candidate.

Properties:

:contact / pol:candidate:contact

The contact information of the candidate.

The property type is ps:contact.

:race / pol:candidate:race

The race the candidate is participating in.

The property type is pol:race.

:campaign / pol:candidate:campaign

The official campaign to elect the candidate.

The property type is ou:campaign.

:winner / pol:candidate:winner

Records the outcome of the race.

The property type is bool.

:party / pol:candidate:party

The declared political party of the candidate.

The property type is ou:org.

:incumbent / pol:candidate:incumbent

Set to true if the candidate is an incumbent in this race.

The property type is bool.

pol:country

A GUID for a country.

The base type for the form can be found at pol:country.

Properties:

:flag / pol:country:flag

A thumbnail image of the flag of the country.

The property type is file:bytes.

:iso2 / pol:country:iso2

The 2 digit ISO country code.

The property type is pol:iso2.

:iso3 / pol:country:iso3

The 3 digit ISO country code.

The property type is pol:iso3.

:isonum / pol:country:isonum

The ISO integer country code.

The property type is pol:isonum.

:pop / pol:country:pop

Deprecated. Please use :vitals::population. It has the following property options set:

• deprecated: True

The property type is int.

:tld / pol:country:tld

A Fully Qualified Domain Name (FQDN).

The property type is inet:fqdn.

:name / pol:country:name

The name of the country.

The property type is geo:name.

:names / pol:country:names

An array of alternate or localized names for the country.

The property type is array. Its type has the following options set:

• type: geo:name

• uniq: True

• sorted: True

:government / pol:country:government

The ou:org node which represents the government of the country.

The property type is ou:org.

:place / pol:country:place

A geo:place node representing the geospatial properties of the country.

The property type is geo:place.

:founded / pol:country:founded

The date that the country was founded.

The property type is time.

:dissolved / pol:country:dissolved

The date that the country was dissolved.

The property type is time.

:vitals / pol:country:vitals

The most recent known vitals for the country.

The property type is pol:vitals.

pol:election

An election involving one or more races for office.

The base type for the form can be found at pol:election.

Properties:

:name / pol:election:name

The name of the election. It has the following property options set:

• Example: 2022 united states congressional midterm election

The property type is str. Its type has the following options set:

• onespace: True

• lower: True

:time / pol:election:time

The date of the election.

The property type is time.

pol:office

An elected or appointed office.

The base type for the form can be found at pol:office.

Properties:

:title / pol:office:title

The title of the political office. It has the following property options set:

• Example: united states senator

The property type is ou:jobtitle.

:position / pol:office:position

The position this office holds in the org chart for the governing body.

The property type is ou:position.

:termlimit / pol:office:termlimit

The maximum number of times a single person may hold the office.

The property type is int.

:govbody / pol:office:govbody

The governmental body which contains the office.

The property type is ou:org.

pol:pollingplace

An official place where ballots may be cast for a specific election.

The base type for the form can be found at pol:pollingplace.

Properties:

:election / pol:pollingplace:election

The election that the polling place is designated for.

The property type is pol:election.

:name / pol:pollingplace:name

The name of the polling place at the time of the election. This may differ from the official place name.

The property type is geo:name.

:place / pol:pollingplace:place

The place where votes were cast.

The property type is geo:place.

:opens / pol:pollingplace:opens

The time that the polling place is scheduled to open.

The property type is time.

:closes / pol:pollingplace:closes

The time that the polling place is scheduled to close.

The property type is time.

:opened / pol:pollingplace:opened

The time that the polling place opened.

The property type is time.

:closed / pol:pollingplace:closed

The time that the polling place closed.

The property type is time.

pol:race

An individual race for office.

The base type for the form can be found at pol:race.

Properties:

:election / pol:race:election

The election that includes the race.

The property type is pol:election.

:office / pol:race:office

The political office that the candidates in the race are running for.

The property type is pol:office.

:voters / pol:race:voters

The number of eligible voters for this race.

The property type is int.

:turnout / pol:race:turnout

The number of individuals who voted in this race.

The property type is int.

pol:term

A term in office held by a specific individual.

The base type for the form can be found at pol:term.

Properties:

:office / pol:term:office

The office held for the term.

The property type is pol:office.

:start / pol:term:start

The start of the term of office.

The property type is time.

:end / pol:term:end

The end of the term of office.

The property type is time.

:race / pol:term:race

The race that determined who held office during the term.

The property type is pol:race.

:contact / pol:term:contact

The contact information of the person who held office during the term.

The property type is ps:contact.

:party / pol:term:party

The political party of the person who held office during the term.

The property type is ou:org.

pol:vitals

A set of vital statistics about a country.

The base type for the form can be found at pol:vitals.

Properties:

:country / pol:vitals:country

The country that the statistics are about.

The property type is pol:country.

:asof / pol:vitals:asof

The time that the vitals were measured.

The property type is time.

:area / pol:vitals:area

The area of the country.

The property type is geo:area.

:population / pol:vitals:population

The total number of people living in the country.

The property type is int.

:currency / pol:vitals:currency

The national currency.

The property type is econ:currency.

:econ:currency / pol:vitals:econ:currency

The currency used to record price properties.

The property type is econ:currency.

:econ:gdp / pol:vitals:econ:gdp

The gross domestic product of the country.

The property type is econ:price.

proj:attachment

A file attachment added to a ticket or comment.

The base type for the form can be found at proj:attachment.

Properties:

:name / proj:attachment:name

The name of the file that was attached.

The property type is file:base.

:file / proj:attachment:file

The file that was attached.

The property type is file:bytes.

:creator / proj:attachment:creator

The synapse user who added the attachment.

The property type is syn:user.

:created / proj:attachment:created

The time the attachment was added.

The property type is time.

:ticket / proj:attachment:ticket

The ticket the attachment was added to.

The property type is proj:ticket.

:comment / proj:attachment:comment

The comment the attachment was added to.

The property type is proj:comment.

proj:comment

A user comment on a ticket.

The base type for the form can be found at proj:comment.

Properties:

:creator / proj:comment:creator

The synapse user who added the comment.

The property type is syn:user.

:created / proj:comment:created

The time the comment was added.

The property type is time.

:updated / proj:comment:updated

The last time the comment was updated.

The property type is time. Its type has the following options set:

• max: True

:ticket / proj:comment:ticket

The ticket the comment was added to.

The property type is proj:ticket.

:text / proj:comment:text

The text of the comment.

The property type is str.

proj:epic

A collection of tickets related to a topic.

The base type for the form can be found at proj:epic.

Properties:

:name / proj:epic:name

The name of the epic.

The property type is str. Its type has the following options set:

• onespace: True

:project / proj:epic:project

The project containing the epic.

The property type is proj:project.

:creator / proj:epic:creator

The synapse user who created the epic.

The property type is syn:user.

:created / proj:epic:created

The time the epic was created.

The property type is time.

:updated / proj:epic:updated

The last time the epic was updated.

The property type is time. Its type has the following options set:

• max: True

proj:project

A project in a ticketing system.

The base type for the form can be found at proj:project.

Properties:

:name / proj:project:name

The project name.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:desc / proj:project:desc

The project description. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:creator / proj:project:creator

The synapse user who created the project.

The property type is syn:user.

:created / proj:project:created

The time the project was created.

The property type is time.

proj:sprint

A timeboxed period to complete a set amount of work.

The base type for the form can be found at proj:sprint.

Properties:

:name / proj:sprint:name

The name of the sprint.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:status / proj:sprint:status

The sprint status.

The property type is str. Its type has the following options set:

• enums: planned,current,completed

:project / proj:sprint:project

The project containing the sprint.

The property type is proj:project.

:creator / proj:sprint:creator

The synapse user who created the sprint.

The property type is syn:user.

:created / proj:sprint:created

The date the sprint was created.

The property type is time.

:period / proj:sprint:period

The interval for the sprint.

The property type is ival.

:desc / proj:sprint:desc

A description of the sprint.

The property type is str.

proj:ticket

A ticket in a ticketing system.

The base type for the form can be found at proj:ticket.

Properties:

:project / proj:ticket:project

The project containing the ticket.

The property type is proj:project.

:ext:id / proj:ticket:ext:id

A ticket ID from an external system.

The property type is str. Its type has the following options set:

• strip: True

:ext:url / proj:ticket:ext:url

A URL to the ticket in an external system.

The property type is inet:url.

:ext:creator / proj:ticket:ext:creator

Ticket creator contact information from an external system.

The property type is ps:contact.

:epic / proj:ticket:epic

The epic that includes the ticket.

The property type is proj:epic.

:created / proj:ticket:created

The time the ticket was created.

The property type is time.

:updated / proj:ticket:updated

The last time the ticket was updated.

The property type is time. Its type has the following options set:

• max: True

:name / proj:ticket:name

The name of the ticket.

The property type is str. Its type has the following options set:

• onespace: True

:desc / proj:ticket:desc

A description of the ticket.

The property type is str.

:points / proj:ticket:points

Optional SCRUM style story points value.

The property type is int.

:status / proj:ticket:status

The ticket completion status.

The property type is int. Its type has the following options set:

• enums: ((0, 'new'), (10, 'in validation'), (20, 'in backlog'), (30, 'in sprint'), (40, 'in progress'), (50, 'in review'), (60, 'completed'), (70, 'done'), (80, 'blocked'))

:sprint / proj:ticket:sprint

The sprint that contains the ticket.

The property type is proj:sprint.

:priority / proj:ticket:priority

The priority of the ticket.

The property type is int. Its type has the following options set:

• enums: ((0, 'none'), (10, 'lowest'), (20, 'low'), (30, 'medium'), (40, 'high'), (50, 'highest'))

:type / proj:ticket:type

The type of ticket. (eg story / bug).

The property type is str. Its type has the following options set:

• lower: True

• strip: True

:creator / proj:ticket:creator

The synapse user who created the ticket.

The property type is syn:user.

:assignee / proj:ticket:assignee

The synapse user who the ticket is assigned to.

The property type is syn:user.

ps:achievement

An instance of an individual receiving an award.

The base type for the form can be found at ps:achievement.

Properties:

:awardee / ps:achievement:awardee

The recipient of the award.

The property type is ps:contact.

:award / ps:achievement:award

The award bestowed on the awardee.

The property type is ou:award.

:awarded / ps:achievement:awarded

The date the award was granted to the awardee.

The property type is time.

:expires / ps:achievement:expires

The date the award or certification expires.

The property type is time.

:revoked / ps:achievement:revoked

The date the award was revoked by the org.

The property type is time.

ps:contact

A GUID for a contact info record.

The base type for the form can be found at ps:contact.

Properties:

:org / ps:contact:org

The org which this contact represents.

The property type is ou:org.

:type / ps:contact:type

The type of contact which may be used for entity resolution.

The property type is ps:contact:type:taxonomy.

:asof / ps:contact:asof

A date/time value. It has the following property options set:

• date: The time this contact was created or modified.

The property type is time.

:person / ps:contact:person

The ps:person GUID which owns this contact.

The property type is ps:person.

:vitals / ps:contact:vitals

The most recent known vitals for the contact.

The property type is ps:vitals.

:name / ps:contact:name

The person name listed for the contact.

The property type is ps:name.

:desc / ps:contact:desc

A description of this contact.

The property type is str.

:title / ps:contact:title

The job/org title listed for this contact.

The property type is ou:jobtitle.

:photo / ps:contact:photo

The photo listed for this contact.

The property type is file:bytes.

:orgname / ps:contact:orgname

The listed org/company name for this contact.

The property type is ou:name.

:orgfqdn / ps:contact:orgfqdn

The listed org/company FQDN for this contact.

The property type is inet:fqdn.

:user / ps:contact:user

The username or handle for this contact.

The property type is inet:user.

:web:acct / ps:contact:web:acct

The social media account for this contact.

The property type is inet:web:acct.

:web:group / ps:contact:web:group

A web group representing this contact.

The property type is inet:web:group.

:birth:place / ps:contact:birth:place

A fully resolved place of birth for this contact.

The property type is geo:place.

:birth:place:loc / ps:contact:birth:place:loc

The loc of the place of birth of this contact.

The property type is loc.

:birth:place:name / ps:contact:birth:place:name

The name of the place of birth of this contact.

The property type is geo:name.

:death:place / ps:contact:death:place

A fully resolved place of death for this contact.

The property type is geo:place.

:death:place:loc / ps:contact:death:place:loc

The loc of the place of death of this contact.

The property type is loc.

:death:place:name / ps:contact:death:place:name

The name of the place of death of this contact.

The property type is geo:name.

:dob / ps:contact:dob

The date of birth for this contact.

The property type is time.

:dod / ps:contact:dod

The date of death for this contact.

The property type is time.

:url / ps:contact:url

The home or main site for this contact.

The property type is inet:url.

:email / ps:contact:email

The main email address for this contact.

The property type is inet:email.

:email:work / ps:contact:email:work

The work email address for this contact.

The property type is inet:email.

:loc / ps:contact:loc

Best known contact geopolitical location.

The property type is loc.

:address / ps:contact:address

The street address listed for the contact. It has the following property options set:

• disp: {'hint': 'text'}

The property type is geo:address.

:place / ps:contact:place

The place associated with this contact.

The property type is geo:place.

:phone / ps:contact:phone

The main phone number for this contact.

The property type is tel:phone.

:phone:fax / ps:contact:phone:fax

The fax number for this contact.

The property type is tel:phone.

:phone:work / ps:contact:phone:work

The work phone number for this contact.

The property type is tel:phone.

:id:number / ps:contact:id:number

An ID number issued by an org and associated with this contact.

The property type is ou:id:number.

:adid / ps:contact:adid

A Advertising ID associated with this contact.

The property type is it:adid.

:imid / ps:contact:imid

An IMID associated with the contact.

The property type is tel:mob:imid.

:imid:imei / ps:contact:imid:imei

An IMEI associated with the contact.

The property type is tel:mob:imei.

:imid:imsi / ps:contact:imid:imsi

An IMSI associated with the contact.

The property type is tel:mob:imsi.

:names / ps:contact:names

An array of associated names/aliases for the person.

The property type is array. Its type has the following options set:

• type: ps:name

• uniq: True

• sorted: True

:orgnames / ps:contact:orgnames

An array of associated names/aliases for the organization.

The property type is array. Its type has the following options set:

• type: ou:name

• uniq: True

• sorted: True

:emails / ps:contact:emails

An array of secondary/associated email addresses.

The property type is array. Its type has the following options set:

• type: inet:email

• uniq: True

• sorted: True

:web:accts / ps:contact:web:accts

An array of secondary/associated web accounts.

The property type is array. Its type has the following options set:

• type: inet:web:acct

• uniq: True

• sorted: True

:id:numbers / ps:contact:id:numbers

An array of secondary/associated IDs.

The property type is array. Its type has the following options set:

• type: ou:id:number

• uniq: True

• sorted: True

:users / ps:contact:users

An array of secondary/associated user names.

The property type is array. Its type has the following options set:

• type: inet:user

• uniq: True

• sorted: True

:crypto:address / ps:contact:crypto:address

A crypto currency address associated with the contact.

The property type is crypto:currency:address.

:lang / ps:contact:lang

The language specified for the contact.

The property type is lang:language.

:langs / ps:contact:langs

An array of alternative languages specified for the contact.

The property type is array. Its type has the following options set:

• type: lang:language

ps:contact:type:taxonomy

A taxonomy of contact types.

The base type for the form can be found at ps:contact:type:taxonomy.

Properties:

:title / ps:contact:type:taxonomy:title

A brief title of the definition.

The property type is str.

:summary / ps:contact:type:taxonomy:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / ps:contact:type:taxonomy:sort

A display sort order for siblings.

The property type is int.

:base / ps:contact:type:taxonomy:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / ps:contact:type:taxonomy:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / ps:contact:type:taxonomy:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is ps:contact:type:taxonomy.

ps:contactlist

A GUID for a list of associated contacts.

The base type for the form can be found at ps:contactlist.

Properties:

:contacts / ps:contactlist:contacts

The array of contacts contained in the list.

The property type is array. Its type has the following options set:

• type: ps:contact

• uniq: True

• split: ,

• sorted: True

:source:host / ps:contactlist:source:host

The host from which the contact list was extracted.

The property type is it:host.

:source:file / ps:contactlist:source:file

The file from which the contact list was extracted.

The property type is file:bytes.

:source:acct / ps:contactlist:source:acct

The web account from which the contact list was extracted.

The property type is inet:web:acct.

ps:education

A period of education for an individual.

The base type for the form can be found at ps:education.

Properties:

:student / ps:education:student

The contact of the person being educated.

The property type is ps:contact.

:institution / ps:education:institution

The contact info for the org providing educational services.

The property type is ps:contact.

:attended:first / ps:education:attended:first

The first date the student attended a class.

The property type is time.

:attended:last / ps:education:attended:last

The last date the student attended a class.

The property type is time.

:classes / ps:education:classes

The classes attended by the student.

The property type is array. Its type has the following options set:

• type: edu:class

• uniq: True

• sorted: True

:achievement / ps:education:achievement

The achievement awarded to the individual.

The property type is ps:achievement.

ps:name

An arbitrary, lower spaced string with normalized whitespace.

The base type for the form can be found at ps:name.

An example of ps:name:

• robert grey

Properties:

:sur / ps:name:sur

The surname part of the name.

The property type is ps:tokn.

:middle / ps:name:middle

The middle name part of the name.

The property type is ps:tokn.

:given / ps:name:given

The given name part of the name.

The property type is ps:tokn.

ps:person

A GUID for a person.

The base type for the form can be found at ps:person.

Properties:

:dob / ps:person:dob

The date on which the person was born.

The property type is time.

:dod / ps:person:dod

The date on which the person died.

The property type is time.

:img / ps:person:img

Deprecated: use ps:person:photo. It has the following property options set:

• deprecated: True

The property type is file:bytes.

:photo / ps:person:photo

The primary image of a person.

The property type is file:bytes.

:nick / ps:person:nick

A username commonly used by the person.

The property type is inet:user.

:vitals / ps:person:vitals

The most recent known vitals for the person.

The property type is ps:vitals.

:name / ps:person:name

The localized name for the person.

The property type is ps:name.

:name:sur / ps:person:name:sur

The surname of the person.

The property type is ps:tokn.

:name:middle / ps:person:name:middle

The middle name of the person.

The property type is ps:tokn.

:name:given / ps:person:name:given

The given name of the person.

The property type is ps:tokn.

:names / ps:person:names

Variations of the name for the person.

The property type is array. Its type has the following options set:

• type: ps:name

• uniq: True

• sorted: True

:nicks / ps:person:nicks

Usernames used by the person.

The property type is array. Its type has the following options set:

• type: inet:user

• uniq: True

• sorted: True

ps:person:has

A person owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.

The base type for the form can be found at ps:person:has.

Properties:

:person / ps:person:has:person

The person who owns or controls the object or resource. It has the following property options set:

• Read Only: True

The property type is ps:person.

:node / ps:person:has:node

The object or resource that is owned or controlled by the person. It has the following property options set:

• Read Only: True

The property type is ndef.

:node:form / ps:person:has:node:form

The form of the object or resource that is owned or controlled by the person. It has the following property options set:

• Read Only: True

The property type is str.

ps:persona

A GUID for a suspected person.

The base type for the form can be found at ps:persona.

Properties:

:person / ps:persona:person

The real person behind the persona.

The property type is ps:person.

:dob / ps:persona:dob

The Date of Birth (DOB) if known.

The property type is time.

:img / ps:persona:img

The primary image of a suspected person.

The property type is file:bytes.

:nick / ps:persona:nick

A username commonly used by the suspected person.

The property type is inet:user.

:name / ps:persona:name

The localized name for the suspected person.

The property type is ps:name.

:name:sur / ps:persona:name:sur

The surname of the suspected person.

The property type is ps:tokn.

:name:middle / ps:persona:name:middle

The middle name of the suspected person.

The property type is ps:tokn.

:name:given / ps:persona:name:given

The given name of the suspected person.

The property type is ps:tokn.

:names / ps:persona:names

Variations of the name for a persona.

The property type is array. Its type has the following options set:

• type: ps:name

• uniq: True

• sorted: True

:nicks / ps:persona:nicks

Usernames used by the persona.

The property type is array. Its type has the following options set:

• type: inet:user

• uniq: True

• sorted: True

ps:persona:has

A persona owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.

The base type for the form can be found at ps:persona:has.

Properties:

:persona / ps:persona:has:persona

The persona who owns or controls the object or resource. It has the following property options set:

• Read Only: True

The property type is ps:persona.

:node / ps:persona:has:node

The object or resource that is owned or controlled by the persona. It has the following property options set:

• Read Only: True

The property type is ndef.

:node:form / ps:persona:has:node:form

The form of the object or resource that is owned or controlled by the persona. It has the following property options set:

• Read Only: True

The property type is str.

ps:proficiency

The assessment that a given contact possesses a specific skill.

The base type for the form can be found at ps:proficiency.

Properties:

:skill / ps:proficiency:skill

The skill in which the contact is proficient.

The property type is ps:skill.

:contact / ps:proficiency:contact

The contact which is proficient in the skill.

The property type is ps:contact.

ps:skill

A specific skill which a person or organization may have.

The base type for the form can be found at ps:skill.

Properties:

:name / ps:skill:name

The name of the skill.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:type / ps:skill:type

The type of skill as a taxonomy.

The property type is ps:skill:type:taxonomy.

ps:skill:type:taxonomy

A taxonomy of skill types.

The base type for the form can be found at ps:skill:type:taxonomy.

Properties:

:title / ps:skill:type:taxonomy:title

A brief title of the definition.

The property type is str.

:summary / ps:skill:type:taxonomy:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / ps:skill:type:taxonomy:sort

A display sort order for siblings.

The property type is int.

:base / ps:skill:type:taxonomy:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / ps:skill:type:taxonomy:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / ps:skill:type:taxonomy:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is ps:skill:type:taxonomy.

ps:tokn

A single name element (potentially given or sur).

The base type for the form can be found at ps:tokn.

An example of ps:tokn:

• robert

Properties:

ps:vitals

Statistics and demographic data about a person or contact.

The base type for the form can be found at ps:vitals.

Properties:

:asof / ps:vitals:asof

The time the vitals were gathered or computed.

The property type is time.

:contact / ps:vitals:contact

The contact that the vitals are about.

The property type is ps:contact.

:person / ps:vitals:person

The person that the vitals are about.

The property type is ps:person.

:height / ps:vitals:height

The height of the person or contact.

The property type is geo:dist.

:weight / ps:vitals:weight

The weight of the person or contact.

The property type is mass.

:econ:currency / ps:vitals:econ:currency

The currency that the price values are recorded using.

The property type is econ:currency.

:econ:net:worth / ps:vitals:econ:net:worth

The net worth of the contact.

The property type is econ:price.

:econ:annual:income / ps:vitals:econ:annual:income

The yearly income of the contact.

The property type is econ:price.

ps:workhist

A GUID representing entry in a contact’s work history.

The base type for the form can be found at ps:workhist.

Properties:

:contact / ps:workhist:contact

The contact which has the work history.

The property type is ps:contact.

:org / ps:workhist:org

The org that this work history orgname refers to.

The property type is ou:org.

:orgname / ps:workhist:orgname

The reported name of the org the contact worked for.

The property type is ou:name.

:orgfqdn / ps:workhist:orgfqdn

The reported fqdn of the org the contact worked for.

The property type is inet:fqdn.

:jobtype / ps:workhist:jobtype

The type of job.

The property type is ou:jobtype.

:employment / ps:workhist:employment

The type of employment.

The property type is ou:employment.

:jobtitle / ps:workhist:jobtitle

The job title.

The property type is ou:jobtitle.

:started / ps:workhist:started

The date that the contact began working.

The property type is time.

:ended / ps:workhist:ended

The date that the contact stopped working.

The property type is time.

:duration / ps:workhist:duration

The duration of the period of work.

The property type is duration.

:pay / ps:workhist:pay

The estimated/average yearly pay for the work.

The property type is econ:price.

:currency / ps:workhist:currency

The currency that the yearly pay was delivered in.

The property type is econ:currency.

risk:alert

An instance of an alert which indicates the presence of a risk.

The base type for the form can be found at risk:alert.

Properties:

:type / risk:alert:type

An alert type.

The property type is risk:alert:taxonomy.

:name / risk:alert:name

The alert name.

The property type is str.

:desc / risk:alert:desc

A free-form description / overview of the alert. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:benign / risk:alert:benign

Set to true if the alert has been confirmed benign. Set to false if malicious.

The property type is bool.

:priority / risk:alert:priority

A numeric value used to rank alerts by priority.

The property type is int.

:verdict / risk:alert:verdict

Analyst specified verdict taxonomy about why the alert is malicious or benign. It has the following property options set:

• Example: benign.false_positive

The property type is risk:alert:verdict:taxonomy.

:engine / risk:alert:engine

The software which generated the alert.

The property type is it:prod:softver.

:detected / risk:alert:detected

The time the alerted condition was detected.

The property type is time.

:vuln / risk:alert:vuln

The optional vulnerability that the alert indicates.

The property type is risk:vuln.

:attack / risk:alert:attack

A confirmed attack that this alert indicates.

The property type is risk:attack.

:url / risk:alert:url

A URL which documents the alert.

The property type is inet:url.

:ext:id / risk:alert:ext:id

An external identifier for the alert.

The property type is str.

risk:alert:taxonomy

A taxonomy of alert types.

The base type for the form can be found at risk:alert:taxonomy.

Properties:

risk:alert:verdict:taxonomy

An assessment of the origin and validity of the alert.

The base type for the form can be found at risk:alert:verdict:taxonomy.

Properties:

risk:attack

An instance of an actor attacking a target.

The base type for the form can be found at risk:attack.

Properties:

:desc / risk:attack:desc

A description of the attack. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:type / risk:attack:type

The attack type. It has the following property options set:

• Example: cno.phishing

The property type is risk:attacktype.

:time / risk:attack:time

Set if the time of the attack is known.

The property type is time.

:success / risk:attack:success

Set if the attack was known to have succeeded or not.

The property type is bool.

:targeted / risk:attack:targeted

Set if the attack was assessed to be targeted or not.

The property type is bool.

:goal / risk:attack:goal

The tactical goal of this specific attack.

The property type is ou:goal.

:campaign / risk:attack:campaign

Set if the attack was part of a larger campaign.

The property type is ou:campaign.

:compromise / risk:attack:compromise

A compromise that this attack contributed to.

The property type is risk:compromise.

:severity / risk:attack:severity

An integer based relative severity score for the attack.

The property type is int.

:sophistication / risk:attack:sophistication

The assessed sophistication of the attack.

The property type is meta:sophistication.

:prev / risk:attack:prev

The previous/parent attack in a list or hierarchy.

The property type is risk:attack.

:actor:org / risk:attack:actor:org

Deprecated. Please use :attacker to allow entity resolution. It has the following property options set:

• deprecated: True

The property type is ou:org.

:actor:person / risk:attack:actor:person

Deprecated. Please use :attacker to allow entity resolution. It has the following property options set:

• deprecated: True

The property type is ps:person.

:attacker / risk:attack:attacker

Contact information associated with the attacker.

The property type is ps:contact.

:target / risk:attack:target

Deprecated. Please use -(targets)> light weight edges. It has the following property options set:

• deprecated: True

The property type is ps:contact.

:target:org / risk:attack:target:org

Deprecated. Please use -(targets)> light weight edges. It has the following property options set:

• deprecated: True

The property type is ou:org.

:target:host / risk:attack:target:host

Deprecated. Please use -(targets)> light weight edges. It has the following property options set:

• deprecated: True

The property type is it:host.

:target:person / risk:attack:target:person

Deprecated. Please use -(targets)> light weight edges. It has the following property options set:

• deprecated: True

The property type is ps:person.

:target:place / risk:attack:target:place

Deprecated. Please use -(targets)> light weight edges. It has the following property options set:

• deprecated: True

The property type is geo:place.

:via:ipv4 / risk:attack:via:ipv4

Deprecated. Please use -(uses)> light weight edges. It has the following property options set:

• deprecated: True

The property type is inet:ipv4.

:via:ipv6 / risk:attack:via:ipv6

Deprecated. Please use -(uses)> light weight edges. It has the following property options set:

• deprecated: True

The property type is inet:ipv6.

:via:email / risk:attack:via:email

Deprecated. Please use -(uses)> light weight edges. It has the following property options set:

• deprecated: True

The property type is inet:email.

:via:phone / risk:attack:via:phone

Deprecated. Please use -(uses)> light weight edges. It has the following property options set:

• deprecated: True

The property type is tel:phone.

:used:vuln / risk:attack:used:vuln

Deprecated. Please use -(uses)> light weight edges. It has the following property options set:

• deprecated: True

The property type is risk:vuln.

:used:url / risk:attack:used:url

Deprecated. Please use -(uses)> light weight edges. It has the following property options set:

• deprecated: True

The property type is inet:url.

:used:host / risk:attack:used:host

Deprecated. Please use -(uses)> light weight edges. It has the following property options set:

• deprecated: True

The property type is it:host.

:used:email / risk:attack:used:email

Deprecated. Please use -(uses)> light weight edges. It has the following property options set:

• deprecated: True

The property type is inet:email.

:used:file / risk:attack:used:file

Deprecated. Please use -(uses)> light weight edges. It has the following property options set:

• deprecated: True

The property type is file:bytes.

:used:server / risk:attack:used:server

Deprecated. Please use -(uses)> light weight edges. It has the following property options set:

• deprecated: True

The property type is inet:server.

:used:software / risk:attack:used:software

Deprecated. Please use -(uses)> light weight edges. It has the following property options set:

• deprecated: True

The property type is it:prod:softver.

:techniques / risk:attack:techniques

A list of techniques employed during the attack.

The property type is array. Its type has the following options set:

• type: ou:technique

• sorted: True

• uniq: True

risk:attacktype

An attack type taxonomy.

The base type for the form can be found at risk:attacktype.

Properties:

:title / risk:attacktype:title

A brief title of the definition.

The property type is str.

:summary / risk:attacktype:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / risk:attacktype:sort

A display sort order for siblings.

The property type is int.

:base / risk:attacktype:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / risk:attacktype:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / risk:attacktype:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is risk:attacktype.

risk:availability

A taxonomy of availability status values.

The base type for the form can be found at risk:availability.

Properties:

:title / risk:availability:title

A brief title of the definition.

The property type is str.

:summary / risk:availability:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / risk:availability:sort

A display sort order for siblings.

The property type is int.

:base / risk:availability:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / risk:availability:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / risk:availability:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is risk:availability.

risk:compromise

An instance of a compromise and its aggregate impact.

The base type for the form can be found at risk:compromise.

Properties:

:name / risk:compromise:name

A brief name for the compromise event.

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:desc / risk:compromise:desc

A prose description of the compromise event. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:type / risk:compromise:type

The compromise type. It has the following property options set:

• Example: cno.breach

The property type is risk:compromisetype.

:target / risk:compromise:target

Contact information of the target.

The property type is ps:contact.

:attacker / risk:compromise:attacker

Contact information of the attacker.

The property type is ps:contact.

:campaign / risk:compromise:campaign

The campaign that this compromise is part of.

The property type is ou:campaign.

:time / risk:compromise:time

Earliest known evidence of compromise.

The property type is time.

:lasttime / risk:compromise:lasttime

Last known evidence of compromise.

The property type is time.

:duration / risk:compromise:duration

The duration of the compromise.

The property type is duration.

:loss:pii / risk:compromise:loss:pii

The number of records compromised which contain PII.

The property type is int.

:loss:econ / risk:compromise:loss:econ

The total economic cost of the compromise.

The property type is econ:price.

:loss:life / risk:compromise:loss:life

The total loss of life due to the compromise.

The property type is int.

:loss:bytes / risk:compromise:loss:bytes

An estimate of the volume of data compromised.

The property type is int.

:ransom:paid / risk:compromise:ransom:paid

The value of the ransom paid by the target.

The property type is econ:price.

:ransom:price / risk:compromise:ransom:price

The value of the ransom demanded by the attacker.

The property type is econ:price.

:response:cost / risk:compromise:response:cost

The economic cost of the response and mitigation efforts.

The property type is econ:price.

:theft:price / risk:compromise:theft:price

The total value of the theft of assets.

The property type is econ:price.

:econ:currency / risk:compromise:econ:currency

The currency type for the econ:price fields.

The property type is econ:currency.

:severity / risk:compromise:severity

An integer based relative severity score for the compromise.

The property type is int.

:techniques / risk:compromise:techniques

A list of techniques employed during the compromise.

The property type is array. Its type has the following options set:

• type: ou:technique

• sorted: True

• uniq: True

risk:compromisetype

A compromise type taxonomy.

The base type for the form can be found at risk:compromisetype.

An example of risk:compromisetype:

• cno.breach

Properties:

:title / risk:compromisetype:title

A brief title of the definition.

The property type is str.

:summary / risk:compromisetype:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / risk:compromisetype:sort

A display sort order for siblings.

The property type is int.

:base / risk:compromisetype:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / risk:compromisetype:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / risk:compromisetype:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is risk:compromisetype.

risk:hasvuln

An instance of a vulnerability present in a target.

The base type for the form can be found at risk:hasvuln.

Properties:

:vuln / risk:hasvuln:vuln

The vulnerability present in the target.

The property type is risk:vuln.

:person / risk:hasvuln:person

The vulnerable person.

The property type is ps:person.

:org / risk:hasvuln:org

The vulnerable org.

The property type is ou:org.

:place / risk:hasvuln:place

The vulnerable place.

The property type is geo:place.

:software / risk:hasvuln:software

The vulnerable software.

The property type is it:prod:softver.

:hardware / risk:hasvuln:hardware

The vulnerable hardware.

The property type is it:prod:hardware.

:spec / risk:hasvuln:spec

The vulnerable material specification.

The property type is mat:spec.

:item / risk:hasvuln:item

The vulnerable material item.

The property type is mat:item.

:host / risk:hasvuln:host

The vulnerable host.

The property type is it:host.

risk:mitigation

A mitigation for a specific risk:vuln.

The base type for the form can be found at risk:mitigation.

Properties:

:vuln / risk:mitigation:vuln

The vulnerability that this mitigation addresses.

The property type is risk:vuln.

:name / risk:mitigation:name

A brief name for this risk mitigation.

The property type is str.

:desc / risk:mitigation:desc

A description of the mitigation approach for the vulnerability. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:software / risk:mitigation:software

A software version which implements a fix for the vulnerability.

The property type is it:prod:softver.

:hardware / risk:mitigation:hardware

A hardware version which implements a fix for the vulnerability.

The property type is it:prod:hardware.

risk:threat

A threat cluster or subgraph of threat activity.

The base type for the form can be found at risk:threat.

Properties:

:name / risk:threat:name

The name of the threat cluster. It has the following property options set:

• Example: apt1 (mandiant)

The property type is str. Its type has the following options set:

• lower: True

• onespace: True

:type / risk:threat:type

The type of threat cluster.

The property type is risk:threat:type:taxonomy.

:desc / risk:threat:desc

A description of the threat cluster.

The property type is str.

:tag / risk:threat:tag

The tag used to annotate nodes that are members of the cluster.

The property type is syn:tag.

:reporter / risk:threat:reporter

The organization who published the threat cluster.

The property type is ou:org.

:reporter:name / risk:threat:reporter:name

The name of the organization who published the threat cluster.

The property type is ou:name.

:org / risk:threat:org

The organization that the threat cluster is attributed to.

The property type is ou:org.

:org:loc / risk:threat:org:loc

The assessed location of the organization that the threat cluster is attributed to.

The property type is loc.

:org:name / risk:threat:org:name

The name of the organization that the threat cluster is attributed to. It has the following property options set:

• Example: apt1

The property type is ou:name.

:org:names / risk:threat:org:names

An array of alternate names for the organization that the threat cluster is attributed to.

The property type is array. Its type has the following options set:

• type: ou:name

• sorted: True

• uniq: True

:goals / risk:threat:goals

The assessed goals of the threat cluster activity.

The property type is array. Its type has the following options set:

• type: ou:goal

• sorted: True

• uniq: True

:sophistication / risk:threat:sophistication

The assessed sophistication of the threat cluster.

The property type is meta:sophistication.

:techniques / risk:threat:techniques

Deprecated for scalability. Please use -(uses)> ou:technique. It has the following property options set:

• deprecated: True

The property type is array. Its type has the following options set:

• type: ou:technique

• sorted: True

• uniq: True

:merged:time / risk:threat:merged:time

The time that this threat cluster was merged into another.

The property type is time.

:merged:isnow / risk:threat:merged:isnow

The threat cluster that this cluster has been merged into.

The property type is risk:threat.

risk:threat:type:taxonomy

A taxonomy of threat types.

The base type for the form can be found at risk:threat:type:taxonomy.

Properties:

risk:tool:software

A software tool used in threat activity.

The base type for the form can be found at risk:tool:software.

Properties:

:tag / risk:tool:software:tag

The tag used to annotate nodes that are part of the tool subgraph. It has the following property options set:

• Example: rep.mandiant.tabcteng

The property type is syn:tag.

:desc / risk:tool:software:desc

A description of the tool’s use in threat activity.

The property type is str.

:type / risk:tool:software:type

An analyst specified taxonomy of software tool types.

The property type is risk:tool:software:taxonomy.

:availability / risk:tool:software:availability

The assessed availability of the tool.

The property type is risk:availability.

:sophistication / risk:tool:software:sophistication

The assessed sophistication of the tool.

The property type is meta:sophistication.

:reporter / risk:tool:software:reporter

The organization which reported the tool.

The property type is ou:org.

:reporter:name / risk:tool:software:reporter:name

The name of the organization which reported the tool.

The property type is ou:name.

:soft / risk:tool:software:soft

The authoritative software family of the tool.

The property type is it:prod:soft.

:soft:name / risk:tool:software:soft:name

The reported primary name of the tool.

The property type is it:prod:softname.

:soft:names / risk:tool:software:soft:names

An array of reported alterate names for the tool.

The property type is array. Its type has the following options set:

• type: it:prod:softname

• uniq: True

• sorted: True

:techniques / risk:tool:software:techniques

Deprecated for scalability. Please use -(uses)> ou:technique. It has the following property options set:

• deprecated: True

The property type is array. Its type has the following options set:

• type: ou:technique

• uniq: True

• sorted: True

risk:tool:software:taxonomy

A hierarchical taxonomy.

The base type for the form can be found at risk:tool:software:taxonomy.

Properties:

:title / risk:tool:software:taxonomy:title

A brief title of the definition.

The property type is str.

:summary / risk:tool:software:taxonomy:summary

A summary of the definition. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:sort / risk:tool:software:taxonomy:sort

A display sort order for siblings.

The property type is int.

:base / risk:tool:software:taxonomy:base

The base taxon. It has the following property options set:

• Read Only: True

The property type is taxon.

:depth / risk:tool:software:taxonomy:depth

The depth indexed from 0. It has the following property options set:

• Read Only: True

The property type is int.

:parent / risk:tool:software:taxonomy:parent

The taxonomy parent. It has the following property options set:

• Read Only: True

The property type is risk:tool:software:taxonomy.

risk:vuln

A unique vulnerability.

The base type for the form can be found at risk:vuln.

Properties:

:name / risk:vuln:name

A user specified name for the vulnerability.

The property type is str.

:type / risk:vuln:type

A user specified type for the vulnerability.

The property type is str.

:desc / risk:vuln:desc

A description of the vulnerability. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:mitigated / risk:vuln:mitigated

Set to true if a mitigation/fix is available for the vulnerability.

The property type is bool.

:exploited / risk:vuln:exploited

Set to true if the vulnerability has been exploited in the wild.

The property type is bool.

:timeline:discovered / risk:vuln:timeline:discovered

The earliest known discovery time for the vulnerability.

The property type is time. Its type has the following options set:

• ismin: True

:timeline:published / risk:vuln:timeline:published

The earliest known time the vulnerability was published.

The property type is time. Its type has the following options set:

• ismin: True

:timeline:vendor:notified / risk:vuln:timeline:vendor:notified

The earliest known vendor notification time for the vulnerability.

The property type is time. Its type has the following options set:

• ismin: True

:timeline:vendor:fixed / risk:vuln:timeline:vendor:fixed

The earliest known time the vendor issued a fix for the vulnerability.

The property type is time. Its type has the following options set:

• ismin: True

:timeline:exploited / risk:vuln:timeline:exploited

The earliest known time when the vulnerability was exploited in the wild.

The property type is time. Its type has the following options set:

• ismin: True

:cve / risk:vuln:cve

The CVE ID of the vulnerability.

The property type is it:sec:cve.

:cve:desc / risk:vuln:cve:desc

The description of the vulnerability according to the CVE database. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:cve:url / risk:vuln:cve:url

A URL linking this vulnerability to the CVE description.

The property type is inet:url.

:cve:references / risk:vuln:cve:references

An array of documentation URLs provided by the CVE database.

The property type is array. Its type has the following options set:

• type: inet:url

• uniq: True

• sorted: True

:nist:nvd:source / risk:vuln:nist:nvd:source

The name of the organization which reported the vulnerability to NIST.

The property type is ou:name.

:nist:nvd:published / risk:vuln:nist:nvd:published

The date the vulnerability was first published in the NVD.

The property type is time.

:nist:nvd:modified / risk:vuln:nist:nvd:modified

The date the vulnerability was last modified in the NVD.

The property type is time. Its type has the following options set:

• ismax: True

:cisa:kev:name / risk:vuln:cisa:kev:name

The name of the vulnerability according to the CISA KEV database.

The property type is str.

:cisa:kev:desc / risk:vuln:cisa:kev:desc

The description of the vulnerability according to the CISA KEV database.

The property type is str.

:cisa:kev:action / risk:vuln:cisa:kev:action

The action to mitigate the vulnerability according to the CISA KEV database.

The property type is str.

:cisa:kev:vendor / risk:vuln:cisa:kev:vendor

The vendor name listed in the CISA KEV database.

The property type is ou:name.

:cisa:kev:product / risk:vuln:cisa:kev:product

The product name listed in the CISA KEV database.

The property type is it:prod:softname.

:cisa:kev:added / risk:vuln:cisa:kev:added

The date the vulnerability was added to the CISA KEV database.

The property type is time.

:cisa:kev:duedate / risk:vuln:cisa:kev:duedate

The date the action is due according to the CISA KEV database.

The property type is time.

:cvss:av / risk:vuln:cvss:av

The CVSS Attack Vector (AV) value.

The property type is str. Its type has the following options set:

• enums: N,A,V,L

:cvss:ac / risk:vuln:cvss:ac

The CVSS Attack Complexity (AC) value. It has the following property options set:

• disp: {'enums': (('Low', 'L'), ('High', 'H'))}

The property type is str. Its type has the following options set:

• enums: L,H

:cvss:pr / risk:vuln:cvss:pr

The CVSS Privileges Required (PR) value. It has the following property options set:

• disp: {'enums': ({'title': 'None', 'value': 'N', 'doc': 'FIXME privs stuff'}, {'title': 'Low', 'value': 'L', 'doc': 'FIXME privs stuff'}, {'title': 'High', 'value': 'H', 'doc': 'FIXME privs stuff'})}

The property type is str. Its type has the following options set:

• enums: N,L,H

:cvss:ui / risk:vuln:cvss:ui

The CVSS User Interaction (UI) value.

The property type is str. Its type has the following options set:

• enums: N,R

:cvss:s / risk:vuln:cvss:s

The CVSS Scope (S) value.

The property type is str. Its type has the following options set:

• enums: U,C

:cvss:c / risk:vuln:cvss:c

The CVSS Confidentiality Impact (C) value.

The property type is str. Its type has the following options set:

• enums: N,L,H

:cvss:i / risk:vuln:cvss:i

The CVSS Integrity Impact (I) value.

The property type is str. Its type has the following options set:

• enums: N,L,H

:cvss:a / risk:vuln:cvss:a

The CVSS Availability Impact (A) value.

The property type is str. Its type has the following options set:

• enums: N,L,H

:cvss:e / risk:vuln:cvss:e

The CVSS Exploit Code Maturity (E) value.

The property type is str. Its type has the following options set:

• enums: X,U,P,F,H

:cvss:rl / risk:vuln:cvss:rl

The CVSS Remediation Level (RL) value.

The property type is str. Its type has the following options set:

• enums: X,O,T,W,U

:cvss:rc / risk:vuln:cvss:rc

The CVSS Report Confidence (AV) value.

The property type is str. Its type has the following options set:

• enums: X,U,R,C

:cvss:mav / risk:vuln:cvss:mav

The CVSS Environmental Attack Vector (MAV) value.

The property type is str. Its type has the following options set:

• enums: X,N,A,L,P

:cvss:mac / risk:vuln:cvss:mac

The CVSS Environmental Attack Complexity (MAC) value.

The property type is str. Its type has the following options set:

• enums: X,L,H

:cvss:mpr / risk:vuln:cvss:mpr

The CVSS Environmental Privileges Required (MPR) value.

The property type is str. Its type has the following options set:

• enums: X,N,L,H

:cvss:mui / risk:vuln:cvss:mui

The CVSS Environmental User Interaction (MUI) value.

The property type is str. Its type has the following options set:

• enums: X,N,R

:cvss:ms / risk:vuln:cvss:ms

The CVSS Environmental Scope (MS) value.

The property type is str. Its type has the following options set:

• enums: X,U,C

:cvss:mc / risk:vuln:cvss:mc

The CVSS Environmental Confidentiality Impact (MC) value.

The property type is str. Its type has the following options set:

• enums: X,N,L,H

:cvss:mi / risk:vuln:cvss:mi

The CVSS Environmental Integrity Impact (MI) value.

The property type is str. Its type has the following options set:

• enums: X,N,L,H

:cvss:ma / risk:vuln:cvss:ma

The CVSS Environmental Accessibility Impact (MA) value.

The property type is str. Its type has the following options set:

• enums: X,N,L,H

:cvss:cr / risk:vuln:cvss:cr

The CVSS Environmental Confidentiality Requirement (CR) value.

The property type is str. Its type has the following options set:

• enums: X,L,M,H

:cvss:ir / risk:vuln:cvss:ir

The CVSS Environmental Integrity Requirement (IR) value.

The property type is str. Its type has the following options set:

• enums: X,L,M,H

:cvss:ar / risk:vuln:cvss:ar

The CVSS Environmental Availability Requirement (AR) value.

The property type is str. Its type has the following options set:

• enums: X,L,M,H

:cvss:score / risk:vuln:cvss:score

The Overall CVSS Score value.

The property type is float.

:cvss:score:base / risk:vuln:cvss:score:base

The CVSS Base Score value.

The property type is float.

:cvss:score:temporal / risk:vuln:cvss:score:temporal

The CVSS Temporal Score value.

The property type is float.

:cvss:score:environmental / risk:vuln:cvss:score:environmental

The CVSS Environmental Score value.

The property type is float.

:cwes / risk:vuln:cwes

An array of MITRE CWE values that apply to the vulnerability.

The property type is array. Its type has the following options set:

• type: it:sec:cwe

• uniq: True

• sorted: True

rsa:key

An RSA keypair modulus and public exponent.

The base type for the form can be found at rsa:key.

Properties:

:mod / rsa:key:mod

The RSA key modulus. It has the following property options set:

• Read Only: True

The property type is hex.

:pub:exp / rsa:key:pub:exp

The public exponent of the key. It has the following property options set:

• Read Only: True

The property type is int.

:bits / rsa:key:bits

The length of the modulus in bits.

The property type is int.

:priv:exp / rsa:key:priv:exp

The private exponent of the key.

The property type is hex.

:priv:p / rsa:key:priv:p

One of the two private primes.

The property type is hex.

:priv:q / rsa:key:priv:q

One of the two private primes.

The property type is hex.

syn:cmd

A Synapse storm command.

The base type for the form can be found at syn:cmd.

Properties:

:doc / syn:cmd:doc

Description of the command. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str. Its type has the following options set:

• strip: True

:package / syn:cmd:package

Storm package which provided the command.

The property type is str. Its type has the following options set:

• strip: True

:svciden / syn:cmd:svciden

Storm service iden which provided the package.

The property type is guid. Its type has the following options set:

• strip: True

:input / syn:cmd:input

The list of forms accepted by the command as input. It has the following property options set:

• uniq: True

• sorted: True

• Read Only: True

The property type is array. Its type has the following options set:

• type: syn:form

:output / syn:cmd:output

The list of forms produced by the command as output. It has the following property options set:

• uniq: True

• sorted: True

• Read Only: True

The property type is array. Its type has the following options set:

• type: syn:form

:nodedata / syn:cmd:nodedata

The list of nodedata that may be added by the command. It has the following property options set:

• uniq: True

• sorted: True

• Read Only: True

The property type is array. Its type has the following options set:

• type: syn:nodedata

syn:cron

A Cortex cron job.

The base type for the form can be found at syn:cron.

Properties:

:doc / syn:cron:doc

A description of the cron job. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:name / syn:cron:name

A user friendly name/alias for the cron job.

The property type is str.

:storm / syn:cron:storm

The storm query executed by the cron job. It has the following property options set:

• Read Only: True

• disp: {'hint': 'text'}

The property type is str.

syn:form

A Synapse form used for representing nodes in the graph.

The base type for the form can be found at syn:form.

Properties:

:doc / syn:form:doc

The docstring for the form. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• strip: True

:type / syn:form:type

Synapse type for this form. It has the following property options set:

• Read Only: True

The property type is syn:type.

:runt / syn:form:runt

Whether or not the form is runtime only. It has the following property options set:

• Read Only: True

The property type is bool.

syn:prop

A Synapse property.

The base type for the form can be found at syn:prop.

Properties:

:doc / syn:prop:doc

Description of the property definition.

The property type is str. Its type has the following options set:

• strip: True

:form / syn:prop:form

The form of the property. It has the following property options set:

• Read Only: True

The property type is syn:form.

:type / syn:prop:type

The synapse type for this property. It has the following property options set:

• Read Only: True

The property type is syn:type.

:relname / syn:prop:relname

Relative property name. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• strip: True

:univ / syn:prop:univ

Specifies if a prop is universal. It has the following property options set:

• Read Only: True

The property type is bool.

:base / syn:prop:base

Base name of the property. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• strip: True

:ro / syn:prop:ro

If the property is read-only after being set. It has the following property options set:

• Read Only: True

The property type is bool.

:extmodel / syn:prop:extmodel

If the property is an extended model property or not. It has the following property options set:

• Read Only: True

The property type is bool.

syn:splice

A splice from a layer.

The base type for the form can be found at syn:splice.

Properties:

:type / syn:splice:type

Type of splice. It has the following property options set:

• Read Only: True

The property type is str. Its type has the following options set:

• strip: True

:iden / syn:splice:iden

The iden of the node involved in the splice. It has the following property options set:

• Read Only: True

The property type is str.

:form / syn:splice:form

The form involved in the splice. It has the following property options set:

• Read Only: True

The property type is syn:form. Its type has the following options set:

• strip: True

:prop / syn:splice:prop

Property modified in the splice. It has the following property options set:

• Read Only: True

The property type is syn:prop. Its type has the following options set:

• strip: True

:tag / syn:splice:tag

Tag modified in the splice. It has the following property options set:

• Read Only: True

The property type is syn:tag. Its type has the following options set:

• strip: True

:valu / syn:splice:valu

The value being set in the splice. It has the following property options set:

• Read Only: True

The property type is data.

:oldv / syn:splice:oldv

The value before the splice. It has the following property options set:

• Read Only: True

The property type is data.

:user / syn:splice:user

The user who caused the splice. It has the following property options set:

• Read Only: True

The property type is guid.

:prov / syn:splice:prov

The provenance stack of the splice. It has the following property options set:

• Read Only: True

The property type is guid.

:time / syn:splice:time

The time the splice occurred. It has the following property options set:

• Read Only: True

The property type is time.

:splice / syn:splice:splice

The splice. It has the following property options set:

• Read Only: True

The property type is data.

syn:tag

The base type for a synapse tag.

The base type for the form can be found at syn:tag.

Properties:

:up / syn:tag:up

The parent tag for the tag. It has the following property options set:

• Read Only: True

The property type is syn:tag.

:isnow / syn:tag:isnow

Set to an updated tag if the tag has been renamed.

The property type is syn:tag.

:doc / syn:tag:doc

A short definition for the tag. It has the following property options set:

• disp: {'hint': 'text'}

The property type is str.

:doc:url / syn:tag:doc:url

A URL link to additional documentation about the tag.

The property type is inet:url.

:depth / syn:tag:depth

How deep the tag is in the hierarchy. It has the following property options set:

• Read Only: True

The property type is int.

:title / syn:tag:title

A display title for the tag.

The property type is str.

:base / syn:tag:base

The tag base name. Eg baz for foo.bar.baz . It has the following property options set:

• Read Only: True

The property type is str.

syn:tagprop

A user defined tag property.

The base type for the form can be found at syn:tagprop.

Properties:

:doc / syn:tagprop:doc

Description of the tagprop definition.

The property type is str. Its type has the following options set:

• strip: True

:type / syn:tagprop:type

The synapse type for this tagprop. It has the following property options set:

• Read Only: True

The property type is syn:type