Synapse Data Model - Forms

Forms

Forms are derived from types, or base types. Forms represent node types in the graph.

auth:access

An instance of using creds to access a resource.

The base type for the form can be found at auth:access.

Properties:

| name | type | doc |
|---|---|---|
| :creds | auth:creds | The credentials used to attempt access. |
| :time | time | The time of the access attempt. |
| :success | bool | Set to true if the access was successful. |
| :person | ps:person | The person who attempted access. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

auth:creds

A unique set of credentials used to access a resource.

The base type for the form can be found at auth:creds.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :email | inet:email | The email address used to identify the user. | |
| :user | inet:user | The user name used to identify the user. | |
| :phone | tel:phone | The phone number used to identify the user. | |
| :passwd | inet:passwd | The password used to authenticate. | |
| :passwdhash | it:auth:passwdhash | The password hash used to authenticate. | |
| :account | it:account | The account that the creds allow access to. | |
| :website | inet:url | The base URL of the website that the credentials allow access to. | |
| :host | it:host | The host that the credentials allow access to. | |
| :wifi:ssid | inet:wifi:ssid | The WiFi SSID that the credentials allow access to. | |
| :web:acct | inet:web:acct | Deprecated. Use :service:account. | Deprecated: True |
| :service:account | inet:service:account | The service account that the credentials allow access to. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

belief:subscriber

A contact which subscribes to a belief system.

The base type for the form can be found at belief:subscriber.

Properties:

| name | type | doc |
|---|---|---|
| :contact | ps:contact | The contact which subscribes to the belief system. |
| :system | belief:system | The belief system to which the contact subscribes. |
| :began | time | The time that the contact began to be a subscriber to the belief system. |
| :ended | time | The time when the contact ceased to be a subscriber to the belief system. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |
| belief:subscriber | -(follows)> | belief:tenet | The subscriber is assessed to generally adhere to the specific tenet. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

belief:system

A belief system such as an ideology, philosophy, or religion.

The base type for the form can be found at belief:system.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :name | onespace: True, lower: True | The name of the belief system. | |
| :desc | str | A description of the belief system. | Display: {'hint': 'text'} |
| :type | belief:system:type:taxonomy | A taxonometric type for the belief system. | |
| :began | time | The time that the belief system was first observed. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |
| belief:system | -(has)> | belief:tenet | The belief system includes the tenet. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

belief:system:type:taxonomy

A hierarchical taxonomy of belief system types.

The base type for the form can be found at belief:system:type:taxonomy.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True, Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | belief:system:type:taxonomy | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

belief:tenet

A concrete tenet potentially shared by multiple belief systems.

The base type for the form can be found at belief:tenet.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :name | onespace: True, lower: True | The name of the tenet. | |
| :desc | str | A description of the tenet. | Display: {'hint': 'text'} |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| belief:subscriber | -(follows)> | belief:tenet | The subscriber is assessed to generally adhere to the specific tenet. |
| belief:system | -(has)> | belief:tenet | The belief system includes the tenet. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

biz:bundle

A bundle allows construction of products which bundle instances of other products.

The base type for the form can be found at biz:bundle.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :count | int | The number of instances of the product or service included in the bundle. | |
| :price | econ:price | The price of the bundle. | |
| :product | biz:product | The product included in the bundle. | |
| :service | biz:service | The service included in the bundle. | |
| :deal | biz:deal | Deprecated. Please use econ:receipt:item for instances of bundles being sold. | Deprecated: True |
| :purchase | econ:purchase | Deprecated. Please use econ:receipt:item for instances of bundles being sold. | Deprecated: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

biz:deal

A sales or procurement effort in pursuit of a purchase.

The base type for the form can be found at biz:deal.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :id | strip: True | An identifier for the deal. | |
| :title | str | A title for the deal. | |
| :type | biz:dealtype | The type of deal. | Display: {'hint': 'taxonomy'} |
| :status | biz:dealstatus | The status of the deal. | Display: {'hint': 'taxonomy'} |
| :updated | time | The last time the deal had a significant update. | |
| :contacted | time | The last time the contacts communicated about the deal. | |
| :rfp | biz:rfp | The RFP that the deal is in response to. | |
| :buyer | ps:contact | The primary contact information for the buyer. | |
| :buyer:org | ou:org | The buyer org. | |
| :buyer:orgname | ou:name | The reported ou:name of the buyer org. | |
| :buyer:orgfqdn | inet:fqdn | The reported inet:fqdn of the buyer org. | |
| :seller | ps:contact | The primary contact information for the seller. | |
| :seller:org | ou:org | The seller org. | |
| :seller:orgname | ou:name | The reported ou:name of the seller org. | |
| :seller:orgfqdn | inet:fqdn | The reported inet:fqdn of the seller org. | |
| :currency | econ:currency | The currency of econ:price values associated with the deal. | |
| :buyer:budget | econ:price | The buyer's budget for the eventual purchase. | |
| :buyer:deadline | time | When the buyer intends to make a decision. | |
| :offer:price | econ:price | The total price of the offered products. | |
| :offer:expires | time | When the offer expires. | |
| :purchase | econ:purchase | Records a purchase resulting from the deal. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

biz:dealstatus

A deal/rfp status taxonomy.

The base type for the form can be found at biz:dealstatus.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True, Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | biz:dealstatus | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

biz:dealtype

A deal type taxonomy.

The base type for the form can be found at biz:dealtype.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

biz:dealtype

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

biz:listing

A product or service being listed for sale at a given price by a specific seller.

The base type for the form can be found at biz:listing.

Properties:

name

type

doc

:seller

ps:contact

The contact information for the seller.

:product

biz:product

The product being offered.

:service

biz:service

The service being offered.

:current

bool

Set to true if the offer is still current.

:time

time

The first known offering of this product/service by the organization for the asking price.

:expires

time

Set if the offer has a known expiration date.

:price

econ:price

The asking price of the product or service.

:currency

econ:currency

The currency of the asking price.

:count:total

min: 0

The number of instances for sale.

:count:remaining

min: 0

The current remaining number of instances for sale.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

biz:prodtype

A product type taxonomy.

The base type for the form can be found at biz:prodtype.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

biz:prodtype

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

biz:product

A product which is available for purchase.

The base type for the form can be found at biz:product.

Properties:

name

type

doc

opts

:name

str

The name of the product.

:type

biz:prodtype

The type of product.

Display: {'hint': 'taxonomy'}

:summary

str

A brief summary of the product.

Display: {'hint': 'text'}

:maker

ps:contact

A contact for the maker of the product.

:madeby:org

ou:org

Deprecated. Please use biz:product:maker.

Deprecated: True

:madeby:orgname

ou:name

Deprecated. Please use biz:product:maker.

Deprecated: True

:madeby:orgfqdn

inet:fqdn

Deprecated. Please use biz:product:maker.

Deprecated: True

:price:retail

econ:price

The MSRP price of the product.

:price:bottom

econ:price

The minimum offered or observed price of the product.

:price:currency

econ:currency

The currency of the retail and bottom price properties.

:bundles

uniq: True
sorted: True

An array of bundles included with the product.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

biz:rfp

An RFP (Request for Proposal) soliciting proposals.

The base type for the form can be found at biz:rfp.

Properties:

name

type

doc

opts

:ext:id

str

An externally specified identifier for the RFP.

:title

str

The title of the RFP.

:summary

str

A brief summary of the RFP.

Display: {'hint': 'text'}

:status

biz:dealstatus

The status of the RFP.

Display: {'hint': 'enum'}

:url

inet:url

The official URL for the RFP.

:file

file:bytes

The RFP document.

:posted

time

The date/time that the RFP was posted.

:quesdue

time

The date/time that questions are due.

:propdue

time

The date/time that proposals are due.

:contact

ps:contact

The contact information given for the org requesting offers.

:purchases

uniq: True
sorted: True

Any known purchases that resulted from the RFP.

:requirements

type: ou:goal
uniq: True
sorted: True

A typed array which indexes each field.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

biz:service

A service which is performed by a specific organization.

The base type for the form can be found at biz:service.

Properties:

name

type

doc

opts

:provider

ps:contact

The contact info of the entity which performs the service.

:name

lower: True
onespace: True

The name of the service being performed.

:summary

str

A brief summary of the service.

Display: {'hint': 'text'}

:type

biz:service:type:taxonomy

A taxonomy of service types.

:launched

time

The time when the operator first made the service available.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

biz:stake

A stake or partial ownership in a company.

The base type for the form can be found at biz:stake.

Properties:

name

type

doc

:vitals

ou:vitals

The ou:vitals snapshot this stake is part of.

:org

ou:org

The resolved org.

:orgname

ou:name

The org name as reported by the source of the vitals.

:orgfqdn

inet:fqdn

The org FQDN as reported by the source of the vitals.

:name

str

An arbitrary name for this stake. Can be non-contact like “pool”.

:asof

time

The time the stake is being measured. Likely as part of an ou:vitals.

:shares

int

The number of shares represented by the stake.

:invested

econ:price

The amount of money invested in the cap table iteration.

:value

econ:price

The monetary value of the stake.

:percent

hugenum

The percentage ownership represented by this stake.

:owner

ps:contact

Contact information of the owner of the stake.

:purchase

econ:purchase

The purchase event for the stake.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:algorithm

A cryptographic algorithm name.

The base type for the form can be found at crypto:algorithm.

An example of crypto:algorithm:

  • aes256

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:currency:address

An individual crypto currency address.

The base type for the form can be found at crypto:currency:address.

An example of crypto:currency:address:

  • btc/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2

Properties:

name

type

doc

opts

:coin

crypto:currency:coin

The crypto coin to which the address belongs.

Read Only: True

:seed

crypto:key

The cryptographic key and/or password used to generate the address.

:iden

str

The coin specific address identifier.

Read Only: True

:desc

str

A free-form description of the address.

:contact

ps:contact

The primary contact for the crypto currency address.

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

crypto:currency:block

An individual crypto currency block record on the blockchain.

The base type for the form can be found at crypto:currency:block.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :coin | crypto:currency:coin | The coin/blockchain this block resides on. | Read Only: True |
| :offset | int | The index of this block. | Read Only: True |
| :hash | hex | The unique hash for the block. |  |
| :minedby | crypto:currency:address | The address which mined the block. |  |
| :time | time | The timestamp embedded in the block by the miner. |  |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

crypto:currency:client

A fused node representing a crypto currency address used by an Internet client.

The base type for the form can be found at crypto:currency:client.

An example of crypto:currency:client:

  • (1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :inetaddr | inet:client | The Internet client address observed using the crypto currency address. | Read Only: True |
| :coinaddr | crypto:currency:address | The crypto currency address observed in use by the Internet client. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

crypto:currency:coin

An individual crypto currency type.

The base type for the form can be found at crypto:currency:coin.

An example of crypto:currency:coin:

  • btc

Properties:

| name | type | doc |
|---|---|---|
| :name | str | The full name of the crypto coin. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

crypto:currency:transaction

An individual crypto currency transaction recorded on the blockchain.

The base type for the form can be found at crypto:currency:transaction.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :hash | hex | The unique transaction hash for the transaction. |  |
| :desc | str | An analyst-specified description of the transaction. |  |
| :block | crypto:currency:block | The block which records the transaction. |  |
| :block:coin | crypto:currency:coin | The coin/blockchain of the block which records this transaction. |  |
| :block:offset | int | The offset of the block which records this transaction. |  |
| :success | bool | Set to true if the transaction was successfully executed and recorded. |  |
| :status:code | int | A coin-specific status code which may represent an error reason. |  |
| :status:message | str | A coin-specific status message which may contain an error reason. |  |
| :to | crypto:currency:address | The destination address of the transaction. |  |
| :from | crypto:currency:address | The source address of the transaction. |  |
| :inputs |  | Deprecated. Please use crypto:payment:input:transaction. | sorted: True; uniq: True; Deprecated: True |
| :outputs |  | Deprecated. Please use crypto:payment:output:transaction. | sorted: True; uniq: True; Deprecated: True |
| :fee | econ:price | The total fee paid to execute the transaction. |  |
| :value | econ:price | The total value of the transaction. |  |
| :time | time | The time this transaction was initiated. |  |
| :eth:gasused | int | The amount of gas used to execute this transaction. |  |
| :eth:gaslimit | int | The ETH gas limit specified for this transaction. |  |
| :eth:gasprice | econ:price | The gas price (in ETH) specified for this transaction. |  |
| :contract:input | file:bytes | Input value to a smart contract call. |  |
| :contract:output | file:bytes | Output value of a smart contract call. |  |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

crypto:key

A cryptographic key and algorithm.

The base type for the form can be found at crypto:key.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :algorithm | crypto:algorithm | The cryptographic algorithm which uses the key material. Example: aes256 |  |
| :mode |  | The algorithm-specific mode in use. | lower: True; onespace: True |
| :iv | hex | The hex encoded initialization vector. |  |
| :iv:text | it:dev:str | Set only if the :iv property decodes to ASCII. |  |
| :public | hex | The hex encoded public key material if the algorithm has a public/private key pair. |  |
| :public:text | it:dev:str | Set only if the :public property decodes to ASCII. |  |
| :public:md5 | hash:md5 | The MD5 hash of the public key in raw binary form. |  |
| :public:sha1 | hash:sha1 | The SHA1 hash of the public key in raw binary form. |  |
| :public:sha256 | hash:sha256 | The SHA256 hash of the public key in raw binary form. |  |
| :private | hex | The hex encoded private key material. All symmetric keys are private. |  |
| :private:text | it:dev:str | Set only if the :private property decodes to ASCII. |  |
| :private:md5 | hash:md5 | The MD5 hash of the private key in raw binary form. |  |
| :private:sha1 | hash:sha1 | The SHA1 hash of the private key in raw binary form. |  |
| :private:sha256 | hash:sha256 | The SHA256 hash of the private key in raw binary form. |  |
| :seed:passwd | inet:passwd | The seed password used to generate the key material. |  |
| :seed:algorithm | crypto:algorithm | The algorithm used to generate the key from the seed password. Example: pbkdf2 |  |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

crypto:payment:input

A payment made into a transaction.

The base type for the form can be found at crypto:payment:input.

Properties:

| name | type | doc |
|---|---|---|
| :transaction | crypto:currency:transaction | The transaction the payment was input to. |
| :address | crypto:currency:address | The address which paid into the transaction. |
| :value | econ:price | The value of the currency paid into the transaction. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

crypto:payment:output

A payment received from a transaction.

The base type for the form can be found at crypto:payment:output.

Properties:

| name | type | doc |
|---|---|---|
| :transaction | crypto:currency:transaction | The transaction the payment was output from. |
| :address | crypto:currency:address | The address which received payment from the transaction. |
| :value | econ:price | The value of the currency received from the transaction. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

crypto:smart:contract

A smart contract.

The base type for the form can be found at crypto:smart:contract.

Properties:

| name | type | doc |
|---|---|---|
| :transaction | crypto:currency:transaction | The transaction which created the contract. |
| :address | crypto:currency:address | The address of the contract. |
| :bytecode | file:bytes | The bytecode which implements the contract. |
| :token:name | str | The ERC-20 token name. |
| :token:symbol | str | The ERC-20 token symbol. |
| :token:totalsupply | hugenum | The ERC-20 totalSupply value. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

crypto:smart:effect:burntoken

A smart contract effect which destroys a non-fungible token.

The base type for the form can be found at crypto:smart:effect:burntoken.

Properties:

name          type                         doc
:token        crypto:smart:token           The non-fungible token that was destroyed.
:index        int                          The order of the effect within the effects of one transaction.
:transaction  crypto:currency:transaction  The transaction where the smart contract was called.

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target  doc
*                    -(refs)>       *       None
econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
meta:feed            -(found)>      *       The meta:feed produced the target node.
meta:note            -(about)>      *       The meta:note is about the target node.
meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
meta:source          -(seen)>       *       The meta:source observed the target node.
ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
ou:campaign          -(uses)>       *       The campaign made use of the target node.
ou:contribution      -(includes)>   *       The contribution includes the specific node.
ou:org               -(has)>        *       The organization is or was in possession of the target node.
ou:org               -(owns)>       *       The organization owns or owned the target node.
ou:org               -(targets)>    *       The organization targets the target node.
ou:org               -(uses)>       *       The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
ps:contact           -(has)>        *       The contact is or was in possession of the target node.
ps:contact           -(owns)>       *       The contact owns or owned the target node.
ps:person            -(has)>        *       The person is or was in possession of the target node.
ps:person            -(owns)>       *       The person owns or owned the target node.
risk:attack          -(targets)>    *       The attack targeted the target node.
risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *       The threat cluster targeted the target node.
risk:threat          -(uses)>       *       The threat cluster uses the target node.
risk:tool:software   -(uses)>       *       The tool uses the target node.
sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
sci:observation      -(has)>        *       The observations are summarized from the target nodes.

crypto:smart:effect:edittokensupply

A smart contract effect which increases or decreases the supply of a fungible token.

The base type for the form can be found at crypto:smart:effect:edittokensupply.

Properties:

name          type                         doc
:contract     crypto:smart:contract        The contract which defines the tokens.
:amount       hugenum                      The number of tokens added, or removed if the value is negative.
:totalsupply  hugenum                      The total supply of tokens after this modification.
:index        int                          The order of the effect within the effects of one transaction.
:transaction  crypto:currency:transaction  The transaction where the smart contract was called.

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target  doc
*                    -(refs)>       *       None
econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
meta:feed            -(found)>      *       The meta:feed produced the target node.
meta:note            -(about)>      *       The meta:note is about the target node.
meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
meta:source          -(seen)>       *       The meta:source observed the target node.
ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
ou:campaign          -(uses)>       *       The campaign made use of the target node.
ou:contribution      -(includes)>   *       The contribution includes the specific node.
ou:org               -(has)>        *       The organization is or was in possession of the target node.
ou:org               -(owns)>       *       The organization owns or owned the target node.
ou:org               -(targets)>    *       The organization targets the target node.
ou:org               -(uses)>       *       The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
ps:contact           -(has)>        *       The contact is or was in possession of the target node.
ps:contact           -(owns)>       *       The contact owns or owned the target node.
ps:person            -(has)>        *       The person is or was in possession of the target node.
ps:person            -(owns)>       *       The person owns or owned the target node.
risk:attack          -(targets)>    *       The attack targeted the target node.
risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *       The threat cluster targeted the target node.
risk:threat          -(uses)>       *       The threat cluster uses the target node.
risk:tool:software   -(uses)>       *       The tool uses the target node.
sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
sci:observation      -(has)>        *       The observations are summarized from the target nodes.

crypto:smart:effect:minttoken

A smart contract effect which creates a new non-fungible token.

The base type for the form can be found at crypto:smart:effect:minttoken.

Properties:

name          type                         doc
:token        crypto:smart:token           The non-fungible token that was created.
:index        int                          The order of the effect within the effects of one transaction.
:transaction  crypto:currency:transaction  The transaction where the smart contract was called.

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target  doc
*                    -(refs)>       *       None
econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
meta:feed            -(found)>      *       The meta:feed produced the target node.
meta:note            -(about)>      *       The meta:note is about the target node.
meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
meta:source          -(seen)>       *       The meta:source observed the target node.
ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
ou:campaign          -(uses)>       *       The campaign made use of the target node.
ou:contribution      -(includes)>   *       The contribution includes the specific node.
ou:org               -(has)>        *       The organization is or was in possession of the target node.
ou:org               -(owns)>       *       The organization owns or owned the target node.
ou:org               -(targets)>    *       The organization targets the target node.
ou:org               -(uses)>       *       The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
ps:contact           -(has)>        *       The contact is or was in possession of the target node.
ps:contact           -(owns)>       *       The contact owns or owned the target node.
ps:person            -(has)>        *       The person is or was in possession of the target node.
ps:person            -(owns)>       *       The person owns or owned the target node.
risk:attack          -(targets)>    *       The attack targeted the target node.
risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *       The threat cluster targeted the target node.
risk:threat          -(uses)>       *       The threat cluster uses the target node.
risk:tool:software   -(uses)>       *       The tool uses the target node.
sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
sci:observation      -(has)>        *       The observations are summarized from the target nodes.

crypto:smart:effect:proxytoken

A smart contract effect which grants a non-owner address the ability to manipulate a specific non-fungible token.

The base type for the form can be found at crypto:smart:effect:proxytoken.

Properties:

name          type                         doc
:owner        crypto:currency:address      The address granting proxy authority to manipulate non-fungible tokens.
:proxy        crypto:currency:address      The address granted proxy authority to manipulate non-fungible tokens.
:token        crypto:smart:token           The specific token for which proxy authority is granted.
:index        int                          The order of the effect within the effects of one transaction.
:transaction  crypto:currency:transaction  The transaction where the smart contract was called.

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target  doc
*                    -(refs)>       *       None
econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
meta:feed            -(found)>      *       The meta:feed produced the target node.
meta:note            -(about)>      *       The meta:note is about the target node.
meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
meta:source          -(seen)>       *       The meta:source observed the target node.
ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
ou:campaign          -(uses)>       *       The campaign made use of the target node.
ou:contribution      -(includes)>   *       The contribution includes the specific node.
ou:org               -(has)>        *       The organization is or was in possession of the target node.
ou:org               -(owns)>       *       The organization owns or owned the target node.
ou:org               -(targets)>    *       The organization targets the target node.
ou:org               -(uses)>       *       The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
ps:contact           -(has)>        *       The contact is or was in possession of the target node.
ps:contact           -(owns)>       *       The contact owns or owned the target node.
ps:person            -(has)>        *       The person is or was in possession of the target node.
ps:person            -(owns)>       *       The person owns or owned the target node.
risk:attack          -(targets)>    *       The attack targeted the target node.
risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *       The threat cluster targeted the target node.
risk:threat          -(uses)>       *       The threat cluster uses the target node.
risk:tool:software   -(uses)>       *       The tool uses the target node.
sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
sci:observation      -(has)>        *       The observations are summarized from the target nodes.

crypto:smart:effect:proxytokenall

A smart contract effect which grants a non-owner address the ability to manipulate all non-fungible tokens of the owner.

The base type for the form can be found at crypto:smart:effect:proxytokenall.

Properties:

name          type                         doc
:contract     crypto:smart:contract        The contract which defines the tokens.
:owner        crypto:currency:address      The address granting/denying proxy authority to manipulate all non-fungible tokens of the owner.
:proxy        crypto:currency:address      The address granted/denied proxy authority to manipulate all non-fungible tokens of the owner.
:approval     bool                         The approval status (granted or denied).
:index        int                          The order of the effect within the effects of one transaction.
:transaction  crypto:currency:transaction  The transaction where the smart contract was called.

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target  doc
*                    -(refs)>       *       None
econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
meta:feed            -(found)>      *       The meta:feed produced the target node.
meta:note            -(about)>      *       The meta:note is about the target node.
meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
meta:source          -(seen)>       *       The meta:source observed the target node.
ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
ou:campaign          -(uses)>       *       The campaign made use of the target node.
ou:contribution      -(includes)>   *       The contribution includes the specific node.
ou:org               -(has)>        *       The organization is or was in possession of the target node.
ou:org               -(owns)>       *       The organization owns or owned the target node.
ou:org               -(targets)>    *       The organization targets the target node.
ou:org               -(uses)>       *       The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
ps:contact           -(has)>        *       The contact is or was in possession of the target node.
ps:contact           -(owns)>       *       The contact owns or owned the target node.
ps:person            -(has)>        *       The person is or was in possession of the target node.
ps:person            -(owns)>       *       The person owns or owned the target node.
risk:attack          -(targets)>    *       The attack targeted the target node.
risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *       The threat cluster targeted the target node.
risk:threat          -(uses)>       *       The threat cluster uses the target node.
risk:tool:software   -(uses)>       *       The tool uses the target node.
sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
sci:observation      -(has)>        *       The observations are summarized from the target nodes.

crypto:smart:effect:proxytokens

A smart contract effect which grants a non-owner address the ability to manipulate fungible tokens.

The base type for the form can be found at crypto:smart:effect:proxytokens.

Properties:

name          type                         doc
:contract     crypto:smart:contract        The contract which defines the tokens.
:owner        crypto:currency:address      The address granting proxy authority to manipulate fungible tokens.
:proxy        crypto:currency:address      The address granted proxy authority to manipulate fungible tokens.
:amount       hex                          The hex encoded amount of tokens the proxy is allowed to manipulate.
:index        int                          The order of the effect within the effects of one transaction.
:transaction  crypto:currency:transaction  The transaction where the smart contract was called.

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target  doc
*                    -(refs)>       *       None
econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
meta:feed            -(found)>      *       The meta:feed produced the target node.
meta:note            -(about)>      *       The meta:note is about the target node.
meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
meta:source          -(seen)>       *       The meta:source observed the target node.
ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
ou:campaign          -(uses)>       *       The campaign made use of the target node.
ou:contribution      -(includes)>   *       The contribution includes the specific node.
ou:org               -(has)>        *       The organization is or was in possession of the target node.
ou:org               -(owns)>       *       The organization owns or owned the target node.
ou:org               -(targets)>    *       The organization targets the target node.
ou:org               -(uses)>       *       The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
ps:contact           -(has)>        *       The contact is or was in possession of the target node.
ps:contact           -(owns)>       *       The contact owns or owned the target node.
ps:person            -(has)>        *       The person is or was in possession of the target node.
ps:person            -(owns)>       *       The person owns or owned the target node.
risk:attack          -(targets)>    *       The attack targeted the target node.
risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *       The threat cluster targeted the target node.
risk:threat          -(uses)>       *       The threat cluster uses the target node.
risk:tool:software   -(uses)>       *       The tool uses the target node.
sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
sci:observation      -(has)>        *       The observations are summarized from the target nodes.

crypto:smart:effect:transfertoken

A smart contract effect which transfers ownership of a non-fungible token.

The base type for the form can be found at crypto:smart:effect:transfertoken.

Properties:

name          type                         doc
:token        crypto:smart:token           The non-fungible token that was transferred.
:from         crypto:currency:address      The address the NFT was transferred from.
:to           crypto:currency:address      The address the NFT was transferred to.
:index        int                          The order of the effect within the effects of one transaction.
:transaction  crypto:currency:transaction  The transaction where the smart contract was called.

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target  doc
*                    -(refs)>       *       None
econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
meta:feed            -(found)>      *       The meta:feed produced the target node.
meta:note            -(about)>      *       The meta:note is about the target node.
meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
meta:source          -(seen)>       *       The meta:source observed the target node.
ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
ou:campaign          -(uses)>       *       The campaign made use of the target node.
ou:contribution      -(includes)>   *       The contribution includes the specific node.
ou:org               -(has)>        *       The organization is or was in possession of the target node.
ou:org               -(owns)>       *       The organization owns or owned the target node.
ou:org               -(targets)>    *       The organization targets the target node.
ou:org               -(uses)>       *       The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
ps:contact           -(has)>        *       The contact is or was in possession of the target node.
ps:contact           -(owns)>       *       The contact owns or owned the target node.
ps:person            -(has)>        *       The person is or was in possession of the target node.
ps:person            -(owns)>       *       The person owns or owned the target node.
risk:attack          -(targets)>    *       The attack targeted the target node.
risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *       The threat cluster targeted the target node.
risk:threat          -(uses)>       *       The threat cluster uses the target node.
risk:tool:software   -(uses)>       *       The tool uses the target node.
sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
sci:observation      -(has)>        *       The observations are summarized from the target nodes.

crypto:smart:effect:transfertokens

A smart contract effect which transfers fungible tokens.

The base type for the form can be found at crypto:smart:effect:transfertokens.

Properties:

name          type                         doc
:contract     crypto:smart:contract        The contract which defines the tokens.
:from         crypto:currency:address      The address the tokens were transferred from.
:to           crypto:currency:address      The address the tokens were transferred to.
:amount       hugenum                      The number of tokens transferred.
:index        int                          The order of the effect within the effects of one transaction.
:transaction  crypto:currency:transaction  The transaction where the smart contract was called.

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target  doc
*                    -(refs)>       *       None
econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
meta:feed            -(found)>      *       The meta:feed produced the target node.
meta:note            -(about)>      *       The meta:note is about the target node.
meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
meta:source          -(seen)>       *       The meta:source observed the target node.
ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
ou:campaign          -(uses)>       *       The campaign made use of the target node.
ou:contribution      -(includes)>   *       The contribution includes the specific node.
ou:org               -(has)>        *       The organization is or was in possession of the target node.
ou:org               -(owns)>       *       The organization owns or owned the target node.
ou:org               -(targets)>    *       The organization targets the target node.
ou:org               -(uses)>       *       The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
ps:contact           -(has)>        *       The contact is or was in possession of the target node.
ps:contact           -(owns)>       *       The contact owns or owned the target node.
ps:person            -(has)>        *       The person is or was in possession of the target node.
ps:person            -(owns)>       *       The person owns or owned the target node.
risk:attack          -(targets)>    *       The attack targeted the target node.
risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *       The threat cluster targeted the target node.
risk:threat          -(uses)>       *       The threat cluster uses the target node.
risk:tool:software   -(uses)>       *       The tool uses the target node.
sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
sci:observation      -(has)>        *       The observations are summarized from the target nodes.

crypto:smart:token

A token managed by a smart contract.

The base type for the form can be found at crypto:smart:token.

Properties:

name                   type                     doc  opts
:contract              crypto:smart:contract    The smart contract which defines and manages the token.  Read Only: True
:tokenid               hugenum                  The token ID.  Read Only: True
:owner                 crypto:currency:address  The address which currently owns the token.
:nft:url               inet:url                 The URL which hosts the NFT metadata.
:nft:meta              data                     The raw NFT metadata.
:nft:meta:name         str                      The name field from the NFT metadata.
:nft:meta:description  str                      The description field from the NFT metadata.  Display: {'hint': 'text'}
:nft:meta:image        inet:url                 The image URL from the NFT metadata.

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

crypto:x509:cert

A unique X.509 certificate.

The base type for the form can be found at crypto:x509:cert.

Properties:

| name | type | doc |
|---|---|---|
| :file | file:bytes | The file that the certificate metadata was parsed from. |
| :subject | str | The subject identifier, commonly in X.500/LDAP format, to which the certificate was issued. |
| :issuer | str | The Distinguished Name (DN) of the Certificate Authority (CA) which issued the certificate. |
| :issuer:cert | crypto:x509:cert | The certificate used by the issuer to sign this certificate. |
| :serial | zeropad: 40 | The certificate serial number as a big-endian hex value. |
| :version | enums: ((0, 'v1'), (2, 'v3')) | The version integer in the certificate (e.g. 2 == v3). |
| :validity:notbefore | time | The timestamp for the beginning of the certificate validity period. |
| :validity:notafter | time | The timestamp for the end of the certificate validity period. |
| :md5 | hash:md5 | The MD5 fingerprint for the certificate. |
| :sha1 | hash:sha1 | The SHA1 fingerprint for the certificate. |
| :sha256 | hash:sha256 | The SHA256 fingerprint for the certificate. |
| :rsa:key | rsa:key | The optional RSA public key associated with the certificate. |
| :algo | iso:oid | The X.509 signature algorithm OID. |
| :signature | hex | The hexadecimal representation of the digital signature. |
| :ext:sans | uniq: True, sorted: True | The Subject Alternative Names (SANs) listed in the certificate. |
| :ext:crls | uniq: True, sorted: True | The CRL Distribution Points listed in the certificate. |
| :identities:fqdns | type: inet:fqdn, uniq: True, sorted: True | The fused list of FQDNs identified by the cert CN and SANs. |
| :identities:emails | uniq: True, sorted: True | The fused list of e-mail addresses identified by the cert CN and SANs. |
| :identities:ipv4s | type: inet:ipv4, uniq: True, sorted: True | The fused list of IPv4 addresses identified by the cert CN and SANs. |
| :identities:ipv6s | type: inet:ipv6, uniq: True, sorted: True | The fused list of IPv6 addresses identified by the cert CN and SANs. |
| :identities:urls | type: inet:url, uniq: True, sorted: True | The fused list of URLs identified by the cert CN and SANs. |
| :crl:urls | type: inet:url, uniq: True, sorted: True | The extracted URL values from the CRLs extension. |
| :selfsigned | bool | Whether this is a self-signed certificate. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

crypto:x509:crl

A unique X.509 Certificate Revocation List.

The base type for the form can be found at crypto:x509:crl.

Properties:

| name | type | doc |
|---|---|---|
| :file | file:bytes | The file containing the CRL. |
| :url | inet:url | The URL where the CRL was published. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

crypto:x509:revoked

A revocation relationship between a CRL and an X.509 certificate.

The base type for the form can be found at crypto:x509:revoked.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :crl | crypto:x509:crl | The CRL which revoked the certificate. | Read Only: True |
| :cert | crypto:x509:cert | The certificate revoked by the CRL. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

crypto:x509:signedfile

A digital signature relationship between an X.509 certificate and a file.

The base type for the form can be found at crypto:x509:signedfile.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :cert | crypto:x509:cert | The certificate for the key which signed the file. | Read Only: True |
| :file | file:bytes | The file which was signed by the certificate's key. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

doc:policy

Guiding principles used to reach a set of goals.

The base type for the form can be found at doc:policy.

Properties:

| name | type | doc |
|---|---|---|
| :id | strip: True | The policy ID. |
| :name | lower: True, onespace: True | The policy name. |
| :type | doc:policy:type:taxonomy | The type of policy. |
| :text | str | The text of the policy. |
| :file | file:bytes | The file which contains the policy. |
| :created | time | The time that the policy was created. |
| :updated | time | The time that the policy was last updated. |
| :author | ps:contact | The contact information of the primary author. |
| :contributors | sorted: True, uniq: True | An array of contacts which contributed to the policy. |
| :version | it:semver | The version of the policy. |
| :supersedes | sorted: True, uniq: True | An array of policies which are superseded by this policy. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

doc:policy:type:taxonomy

A taxonomy of policy types.

The base type for the form can be found at doc:policy:type:taxonomy.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | doc:policy:type:taxonomy | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

doc:requirement

A single requirement, often defined by a standard.

The base type for the form can be found at doc:requirement.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :summary | str | A summary of the requirement definition. | Display: {'hint': 'text'} |
| :optional | bool | Set to true if the requirement is optional as defined by the standard. | |
| :priority | meta:priority | The priority of the requirement as defined by the standard. | |
| :standard | doc:standard | The standard which defined the requirement. | |
| :id | strip: True | The requirement ID. | |
| :name | lower: True, onespace: True | The requirement name. | |
| :type | doc:requirement:type:taxonomy | The type of requirement. | |
| :text | str | The text of the requirement. | |
| :file | file:bytes | The file which contains the requirement. | |
| :created | time | The time that the requirement was created. | |
| :updated | time | The time that the requirement was last updated. | |
| :author | ps:contact | The contact information of the primary author. | |
| :contributors | sorted: True, uniq: True | An array of contacts which contributed to the requirement. | |
| :version | it:semver | The version of the requirement. | |
| :supersedes | sorted: True, uniq: True | An array of requirements which are superseded by this requirement. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

doc:requirement:type:taxonomy

A taxonomy of requirement types.

The base type for the form can be found at doc:requirement:type:taxonomy.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | doc:requirement:type:taxonomy | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

doc:resume

A CV/resume document.

The base type for the form can be found at doc:resume.

Properties:

name | type | doc | opts
:contact | ps:contact | Contact information for the subject of the resume.
:summary | str | The summary of qualifications from the resume. | Display: {'hint': 'text'}
:workhist | sorted: True, uniq: True | Work history described in the resume.
:education | sorted: True, uniq: True | Education experience described in the resume.
:achievements | sorted: True, uniq: True | Achievements described in the resume.
:id | strip: True | The resume ID.
:name | lower: True, onespace: True | The resume name.
:type | doc:resume:type:taxonomy | The type of resume.
:text | str | The text of the resume.
:file | file:bytes | The file which contains the resume.
:created | time | The time that the resume was created.
:updated | time | The time that the resume was last updated.
:author | ps:contact | The contact information of the primary author.
:contributors | sorted: True, uniq: True | An array of contacts which contributed to the resume.
:version | it:semver | The version of the resume.
:supersedes | sorted: True, uniq: True | An array of resumes which are superseded by this resume.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

doc:resume:type:taxonomy

A taxonomy of resume types.

The base type for the form can be found at doc:resume:type:taxonomy.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition.
:summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings.
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | doc:resume:type:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

doc:standard

A group of requirements which define how to implement a policy or goal.

The base type for the form can be found at doc:standard.

Properties:

name | type | doc
:policy | doc:policy | The policy which was used to derive the standard.
:id | strip: True | The standard ID.
:name | lower: True, onespace: True | The standard name.
:type | doc:standard:type:taxonomy | The type of standard.
:text | str | The text of the standard.
:file | file:bytes | The file which contains the standard.
:created | time | The time that the standard was created.
:updated | time | The time that the standard was last updated.
:author | ps:contact | The contact information of the primary author.
:contributors | sorted: True, uniq: True | An array of contacts which contributed to the standard.
:version | it:semver | The version of the standard.
:supersedes | sorted: True, uniq: True | An array of standards which are superseded by this standard.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

doc:standard:type:taxonomy

A taxonomy of standard types.

The base type for the form can be found at doc:standard:type:taxonomy.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition.
:summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings.
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | doc:standard:type:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:acct:balance

A snapshot of the balance of an account at a point in time.

The base type for the form can be found at econ:acct:balance.

Properties:

name | type | doc
:time | time | The time the balance was recorded.
:pay:card | econ:pay:card | The payment card holding the balance.
:crypto:address | crypto:currency:address | The crypto currency address holding the balance.
:amount | econ:price | The account balance at the time.
:currency | econ:currency | The currency of the balance amount.
:delta | econ:price | The change since the last regular sample.
:total:received | econ:price | The total amount of currency received by the account.
:total:sent | econ:price | The total amount of currency sent from the account.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:acct:invoice

An invoice issued requesting payment.

The base type for the form can be found at econ:acct:invoice.

Properties:

name | type | doc
:issued | time | The time that the invoice was issued to the recipient.
:issuer | ps:contact | The contact information for the entity who issued the invoice.
:purchase | econ:purchase | The purchase that the invoice is requesting payment for.
:recipient | ps:contact | The contact information for the intended recipient of the invoice.
:due | time | The time by which the payment is due.
:paid | bool | Set to true if the invoice has been paid in full.
:amount | econ:price | The balance due.
:currency | econ:currency | The currency that the invoice specifies for payment.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:acct:payment

A payment or crypto currency transaction.

The base type for the form can be found at econ:acct:payment.

Properties:

name | type | doc | opts
:txnid | strip: True | A payment processor specific transaction id.
:fee | econ:price | The transaction fee paid by the recipient to the payment processor.
:from:cash | bool | Set to true if the payment input was in cash.
:to:instrument | econ:pay:instrument | The payment instrument which received funds from the payment.
:from:instrument | econ:pay:instrument | The payment instrument used to make the payment.
:from:account | econ:bank:account | Deprecated. Please use :from:instrument. | Deprecated: True
:from:pay:card | econ:pay:card | Deprecated. Please use :from:instrument. | Deprecated: True
:from:contract | ou:contract | A contract used as an aggregate payment source.
:from:coinaddr | crypto:currency:address | Deprecated. Please use :from:instrument. | Deprecated: True
:from:contact | ps:contact | Contact information for the entity making the payment.
:to:cash | bool | Set to true if the payment output was in cash.
:to:account | econ:bank:account | Deprecated. Please use :to:instrument. | Deprecated: True
:to:coinaddr | crypto:currency:address | Deprecated. Please use :to:instrument. | Deprecated: True
:to:contact | ps:contact | Contact information for the person/org being paid.
:to:contract | ou:contract | A contract used as an aggregate payment destination.
:time | time | The time the payment was processed.
:purchase | econ:purchase | The purchase which the payment was paying for.
:amount | econ:price | The amount of money transferred in the payment.
:currency | econ:currency | The currency of the payment.
:memo | str | A small note specified by the payer, common in financial transactions.
:crypto:transaction | crypto:currency:transaction | A crypto currency transaction that initiated the payment.
:invoice | econ:acct:invoice | The invoice that the payment applies to.
:receipt | econ:acct:receipt | The receipt that was issued for the payment.
:place | geo:place | The place where the payment occurred.
:place:name | geo:name | The name of the place where the payment occurred.
:place:address | geo:address | The address of the place where the payment occurred.
:place:loc | loc | The loc of the place where the payment occurred.
:place:latlong | geo:latlong | The latlong where the payment occurred.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:bank:statement | -(has)> | econ:acct:payment | The bank statement includes the payment.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:acct:receipt

A receipt issued as proof of payment.

The base type for the form can be found at econ:acct:receipt.

Properties:

name | type | doc
:issued | time | The time the receipt was issued.
:purchase | econ:purchase | The purchase that the receipt confirms payment for.
:issuer | ps:contact | The contact information for the entity who issued the receipt.
:recipient | ps:contact | The contact information for the entity who received the receipt.
:currency | econ:currency | The currency that the receipt uses to specify the price.
:amount | econ:price | The price that the receipt confirms was paid.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:acquired

Deprecated. Please use econ:purchase -(acquired)> *.

The base type for the form can be found at econ:acquired.

Properties:

name          type            doc                                           opts
:purchase     econ:purchase   The purchase event which acquired an item.    Read Only: True
:item         ndef            A reference to the item that was acquired.    Read Only: True
:item:form    str             The form of item purchased.

Source Edges:

source    verb          target            doc
*         -(meets)>     ou:requirement    The requirement is met by the source node.
*         -(refs)>      *                 The source node contains a reference to the target node.
*         -(seenat)>    geo:telem         Deprecated. Please use geo:telem:node.

Target Edges:

source                 verb             target    doc
*                      -(refs)>         *         None
econ:purchase          -(acquired)>     *         The purchase was used to acquire the target node.
it:app:snort:rule      -(detects)>      *         The snort rule is intended for use in detecting the target node.
it:app:yara:rule       -(detects)>      *         The YARA rule is intended for use in detecting the target node.
it:exec:query          -(found)>        *         The target node was returned as a result of running the query.
math:algorithm         -(generates)>    *         The target node was generated by the algorithm.
meta:feed              -(found)>        *         The meta:feed produced the target node.
meta:note              -(about)>        *         The meta:note is about the target node.
meta:rule              -(detects)>      *         The meta:rule is designed to detect instances of the target node.
meta:rule              -(matches)>      *         The meta:rule has matched on the target node.
meta:source            -(seen)>         *         The meta:source observed the target node.
ou:campaign            -(targets)>      *         The campaign targeted the target nodes.
ou:campaign            -(uses)>         *         The campaign made use of the target node.
ou:contribution        -(includes)>     *         The contribution includes the specific node.
ou:org                 -(has)>          *         The organization is or was in possession of the target node.
ou:org                 -(owns)>         *         The organization owns or owned the target node.
ou:org                 -(targets)>      *         The organization targets the target node.
ou:org                 -(uses)>         *         The ou:org makes use of the target node.
plan:procedure:step    -(uses)>         *         The step in the procedure makes use of the target node.
ps:contact             -(has)>          *         The contact is or was in possession of the target node.
ps:contact             -(owns)>         *         The contact owns or owned the target node.
ps:person              -(has)>          *         The person is or was in possession of the target node.
ps:person              -(owns)>         *         The person owns or owned the target node.
risk:attack            -(targets)>      *         The attack targeted the target node.
risk:attack            -(uses)>         *         The attack used the target node to facilitate the attack.
risk:compromise        -(stole)>        *         The target node was stolen or copied as a result of the compromise.
risk:extortion         -(leveraged)>    *         The extortion event was based on attacker access to the target node.
risk:leak              -(leaked)>       *         The leak included the disclosure of the target node.
risk:outage            -(impacted)>     *         The outage event impacted the availability of the target node.
risk:threat            -(targets)>      *         The threat cluster targeted the target node.
risk:threat            -(uses)>         *         The threat cluster uses the target node.
risk:tool:software     -(uses)>         *         The tool uses the target node.
sci:evidence           -(has)>          *         The evidence includes observations from the target nodes.
sci:experiment         -(uses)>         *         The experiment used the target nodes when it was run.
sci:observation        -(has)>          *         The observations are summarized from the target nodes.

econ:bank:aba:rtn

An American Bank Association (ABA) routing transit number (RTN).

The base type for the form can be found at econ:bank:aba:rtn.

Properties:

name          type       doc
:bank         ou:org     The bank which was issued the ABA RTN.
:bank:name    ou:name    The name which is registered for this ABA RTN.

Source Edges:

source    verb          target            doc
*         -(meets)>     ou:requirement    The requirement is met by the source node.
*         -(refs)>      *                 The source node contains a reference to the target node.
*         -(seenat)>    geo:telem         Deprecated. Please use geo:telem:node.

Target Edges:

source                 verb             target    doc
*                      -(refs)>         *         None
econ:purchase          -(acquired)>     *         The purchase was used to acquire the target node.
it:app:snort:rule      -(detects)>      *         The snort rule is intended for use in detecting the target node.
it:app:yara:rule       -(detects)>      *         The YARA rule is intended for use in detecting the target node.
it:exec:query          -(found)>        *         The target node was returned as a result of running the query.
math:algorithm         -(generates)>    *         The target node was generated by the algorithm.
meta:feed              -(found)>        *         The meta:feed produced the target node.
meta:note              -(about)>        *         The meta:note is about the target node.
meta:rule              -(detects)>      *         The meta:rule is designed to detect instances of the target node.
meta:rule              -(matches)>      *         The meta:rule has matched on the target node.
meta:source            -(seen)>         *         The meta:source observed the target node.
ou:campaign            -(targets)>      *         The campaign targeted the target nodes.
ou:campaign            -(uses)>         *         The campaign made use of the target node.
ou:contribution        -(includes)>     *         The contribution includes the specific node.
ou:org                 -(has)>          *         The organization is or was in possession of the target node.
ou:org                 -(owns)>         *         The organization owns or owned the target node.
ou:org                 -(targets)>      *         The organization targets the target node.
ou:org                 -(uses)>         *         The ou:org makes use of the target node.
plan:procedure:step    -(uses)>         *         The step in the procedure makes use of the target node.
ps:contact             -(has)>          *         The contact is or was in possession of the target node.
ps:contact             -(owns)>         *         The contact owns or owned the target node.
ps:person              -(has)>          *         The person is or was in possession of the target node.
ps:person              -(owns)>         *         The person owns or owned the target node.
risk:attack            -(targets)>      *         The attack targeted the target node.
risk:attack            -(uses)>         *         The attack used the target node to facilitate the attack.
risk:compromise        -(stole)>        *         The target node was stolen or copied as a result of the compromise.
risk:extortion         -(leveraged)>    *         The extortion event was based on attacker access to the target node.
risk:leak              -(leaked)>       *         The leak included the disclosure of the target node.
risk:outage            -(impacted)>     *         The outage event impacted the availability of the target node.
risk:threat            -(targets)>      *         The threat cluster targeted the target node.
risk:threat            -(uses)>         *         The threat cluster uses the target node.
risk:tool:software     -(uses)>         *         The tool uses the target node.
sci:evidence           -(has)>          *         The evidence includes observations from the target nodes.
sci:experiment         -(uses)>         *         The experiment used the target nodes when it was run.
sci:observation        -(has)>          *         The observations are summarized from the target nodes.

econ:bank:account

A bank account.

The base type for the form can be found at econ:bank:account.

Properties:

name             type                               doc
:type            econ:bank:account:type:taxonomy    The type of bank account.
:aba:rtn         econ:bank:aba:rtn                  The ABA routing transit number for the bank which issued the account.
:number          regex: [0-9]+                      The account number.
:iban            econ:bank:iban                     The IBAN for the account.
:issuer          ou:org                             The bank which issued the account.
:issuer:name     ou:name                            The name of the bank which issued the account.
:currency        econ:currency                      The currency of the account balance.
:balance         econ:bank:balance                  The most recently known bank balance information.
:contact         ps:contact                         The primary contact for the bank account.

Source Edges:

source    verb          target            doc
*         -(meets)>     ou:requirement    The requirement is met by the source node.
*         -(refs)>      *                 The source node contains a reference to the target node.
*         -(seenat)>    geo:telem         Deprecated. Please use geo:telem:node.

Target Edges:

source                 verb             target    doc
*                      -(refs)>         *         None
econ:purchase          -(acquired)>     *         The purchase was used to acquire the target node.
it:app:snort:rule      -(detects)>      *         The snort rule is intended for use in detecting the target node.
it:app:yara:rule       -(detects)>      *         The YARA rule is intended for use in detecting the target node.
it:exec:query          -(found)>        *         The target node was returned as a result of running the query.
math:algorithm         -(generates)>    *         The target node was generated by the algorithm.
meta:feed              -(found)>        *         The meta:feed produced the target node.
meta:note              -(about)>        *         The meta:note is about the target node.
meta:rule              -(detects)>      *         The meta:rule is designed to detect instances of the target node.
meta:rule              -(matches)>      *         The meta:rule has matched on the target node.
meta:source            -(seen)>         *         The meta:source observed the target node.
ou:campaign            -(targets)>      *         The campaign targeted the target nodes.
ou:campaign            -(uses)>         *         The campaign made use of the target node.
ou:contribution        -(includes)>     *         The contribution includes the specific node.
ou:org                 -(has)>          *         The organization is or was in possession of the target node.
ou:org                 -(owns)>         *         The organization owns or owned the target node.
ou:org                 -(targets)>      *         The organization targets the target node.
ou:org                 -(uses)>         *         The ou:org makes use of the target node.
plan:procedure:step    -(uses)>         *         The step in the procedure makes use of the target node.
ps:contact             -(has)>          *         The contact is or was in possession of the target node.
ps:contact             -(owns)>         *         The contact owns or owned the target node.
ps:person              -(has)>          *         The person is or was in possession of the target node.
ps:person              -(owns)>         *         The person owns or owned the target node.
risk:attack            -(targets)>      *         The attack targeted the target node.
risk:attack            -(uses)>         *         The attack used the target node to facilitate the attack.
risk:compromise        -(stole)>        *         The target node was stolen or copied as a result of the compromise.
risk:extortion         -(leveraged)>    *         The extortion event was based on attacker access to the target node.
risk:leak              -(leaked)>       *         The leak included the disclosure of the target node.
risk:outage            -(impacted)>     *         The outage event impacted the availability of the target node.
risk:threat            -(targets)>      *         The threat cluster targeted the target node.
risk:threat            -(uses)>         *         The threat cluster uses the target node.
risk:tool:software     -(uses)>         *         The tool uses the target node.
sci:evidence           -(has)>          *         The evidence includes observations from the target nodes.
sci:experiment         -(uses)>         *         The experiment used the target nodes when it was run.
sci:observation        -(has)>          *         The observations are summarized from the target nodes.

econ:bank:account:type:taxonomy

A bank account type taxonomy.

The base type for the form can be found at econ:bank:account:type:taxonomy.

Source Edges:

source    verb          target            doc
*         -(meets)>     ou:requirement    The requirement is met by the source node.
*         -(refs)>      *                 The source node contains a reference to the target node.
*         -(seenat)>    geo:telem         Deprecated. Please use geo:telem:node.

Target Edges:

source                 verb             target    doc
*                      -(refs)>         *         None
econ:purchase          -(acquired)>     *         The purchase was used to acquire the target node.
it:app:snort:rule      -(detects)>      *         The snort rule is intended for use in detecting the target node.
it:app:yara:rule       -(detects)>      *         The YARA rule is intended for use in detecting the target node.
it:exec:query          -(found)>        *         The target node was returned as a result of running the query.
math:algorithm         -(generates)>    *         The target node was generated by the algorithm.
meta:feed              -(found)>        *         The meta:feed produced the target node.
meta:note              -(about)>        *         The meta:note is about the target node.
meta:rule              -(detects)>      *         The meta:rule is designed to detect instances of the target node.
meta:rule              -(matches)>      *         The meta:rule has matched on the target node.
meta:source            -(seen)>         *         The meta:source observed the target node.
ou:campaign            -(targets)>      *         The campaign targeted the target nodes.
ou:campaign            -(uses)>         *         The campaign made use of the target node.
ou:contribution        -(includes)>     *         The contribution includes the specific node.
ou:org                 -(has)>          *         The organization is or was in possession of the target node.
ou:org                 -(owns)>         *         The organization owns or owned the target node.
ou:org                 -(targets)>      *         The organization targets the target node.
ou:org                 -(uses)>         *         The ou:org makes use of the target node.
plan:procedure:step    -(uses)>         *         The step in the procedure makes use of the target node.
ps:contact             -(has)>          *         The contact is or was in possession of the target node.
ps:contact             -(owns)>         *         The contact owns or owned the target node.
ps:person              -(has)>          *         The person is or was in possession of the target node.
ps:person              -(owns)>         *         The person owns or owned the target node.
risk:attack            -(targets)>      *         The attack targeted the target node.
risk:attack            -(uses)>         *         The attack used the target node to facilitate the attack.
risk:compromise        -(stole)>        *         The target node was stolen or copied as a result of the compromise.
risk:extortion         -(leveraged)>    *         The extortion event was based on attacker access to the target node.
risk:leak              -(leaked)>       *         The leak included the disclosure of the target node.
risk:outage            -(impacted)>     *         The outage event impacted the availability of the target node.
risk:threat            -(targets)>      *         The threat cluster targeted the target node.
risk:threat            -(uses)>         *         The threat cluster uses the target node.
risk:tool:software     -(uses)>         *         The tool uses the target node.
sci:evidence           -(has)>          *         The evidence includes observations from the target nodes.
sci:experiment         -(uses)>         *         The experiment used the target nodes when it was run.
sci:observation        -(has)>          *         The observations are summarized from the target nodes.

econ:bank:balance

A balance contained by a bank account at a point in time.

The base type for the form can be found at econ:bank:balance.

Properties:

name        type                 doc
:time       time                 The time that the account balance was observed.
:amount     econ:price           The amount of currency available at the time.
:account    econ:bank:account    The bank account which contained the balance amount.

Source Edges:

source    verb          target            doc
*         -(meets)>     ou:requirement    The requirement is met by the source node.
*         -(refs)>      *                 The source node contains a reference to the target node.
*         -(seenat)>    geo:telem         Deprecated. Please use geo:telem:node.

Target Edges:

source                 verb             target    doc
*                      -(refs)>         *         None
econ:purchase          -(acquired)>     *         The purchase was used to acquire the target node.
it:app:snort:rule      -(detects)>      *         The snort rule is intended for use in detecting the target node.
it:app:yara:rule       -(detects)>      *         The YARA rule is intended for use in detecting the target node.
it:exec:query          -(found)>        *         The target node was returned as a result of running the query.
math:algorithm         -(generates)>    *         The target node was generated by the algorithm.
meta:feed              -(found)>        *         The meta:feed produced the target node.
meta:note              -(about)>        *         The meta:note is about the target node.
meta:rule              -(detects)>      *         The meta:rule is designed to detect instances of the target node.
meta:rule              -(matches)>      *         The meta:rule has matched on the target node.
meta:source            -(seen)>         *         The meta:source observed the target node.
ou:campaign            -(targets)>      *         The campaign targeted the target nodes.
ou:campaign            -(uses)>         *         The campaign made use of the target node.
ou:contribution        -(includes)>     *         The contribution includes the specific node.
ou:org                 -(has)>          *         The organization is or was in possession of the target node.
ou:org                 -(owns)>         *         The organization owns or owned the target node.
ou:org                 -(targets)>      *         The organization targets the target node.
ou:org                 -(uses)>         *         The ou:org makes use of the target node.
plan:procedure:step    -(uses)>         *         The step in the procedure makes use of the target node.
ps:contact             -(has)>          *         The contact is or was in possession of the target node.
ps:contact             -(owns)>         *         The contact owns or owned the target node.
ps:person              -(has)>          *         The person is or was in possession of the target node.
ps:person              -(owns)>         *         The person owns or owned the target node.
risk:attack            -(targets)>      *         The attack targeted the target node.
risk:attack            -(uses)>         *         The attack used the target node to facilitate the attack.
risk:compromise        -(stole)>        *         The target node was stolen or copied as a result of the compromise.
risk:extortion         -(leveraged)>    *         The extortion event was based on attacker access to the target node.
risk:leak              -(leaked)>       *         The leak included the disclosure of the target node.
risk:outage            -(impacted)>     *         The outage event impacted the availability of the target node.
risk:threat            -(targets)>      *         The threat cluster targeted the target node.
risk:threat            -(uses)>         *         The threat cluster uses the target node.
risk:tool:software     -(uses)>         *         The tool uses the target node.
sci:evidence           -(has)>          *         The evidence includes observations from the target nodes.
sci:experiment         -(uses)>         *         The experiment used the target nodes when it was run.
sci:observation        -(has)>          *         The observations are summarized from the target nodes.

econ:bank:iban

An International Bank Account Number.

The base type for the form can be found at econ:bank:iban.

Source Edges:

source    verb          target            doc
*         -(meets)>     ou:requirement    The requirement is met by the source node.
*         -(refs)>      *                 The source node contains a reference to the target node.
*         -(seenat)>    geo:telem         Deprecated. Please use geo:telem:node.

Target Edges:

source                 verb             target    doc
*                      -(refs)>         *         None
econ:purchase          -(acquired)>     *         The purchase was used to acquire the target node.
it:app:snort:rule      -(detects)>      *         The snort rule is intended for use in detecting the target node.
it:app:yara:rule       -(detects)>      *         The YARA rule is intended for use in detecting the target node.
it:exec:query          -(found)>        *         The target node was returned as a result of running the query.
math:algorithm         -(generates)>    *         The target node was generated by the algorithm.
meta:feed              -(found)>        *         The meta:feed produced the target node.
meta:note              -(about)>        *         The meta:note is about the target node.
meta:rule              -(detects)>      *         The meta:rule is designed to detect instances of the target node.
meta:rule              -(matches)>      *         The meta:rule has matched on the target node.
meta:source            -(seen)>         *         The meta:source observed the target node.
ou:campaign            -(targets)>      *         The campaign targeted the target nodes.
ou:campaign            -(uses)>         *         The campaign made use of the target node.
ou:contribution        -(includes)>     *         The contribution includes the specific node.
ou:org                 -(has)>          *         The organization is or was in possession of the target node.
ou:org                 -(owns)>         *         The organization owns or owned the target node.
ou:org                 -(targets)>      *         The organization targets the target node.
ou:org                 -(uses)>         *         The ou:org makes use of the target node.
plan:procedure:step    -(uses)>         *         The step in the procedure makes use of the target node.
ps:contact             -(has)>          *         The contact is or was in possession of the target node.
ps:contact             -(owns)>         *         The contact owns or owned the target node.
ps:person              -(has)>          *         The person is or was in possession of the target node.
ps:person              -(owns)>         *         The person owns or owned the target node.
risk:attack            -(targets)>      *         The attack targeted the target node.
risk:attack            -(uses)>         *         The attack used the target node to facilitate the attack.
risk:compromise        -(stole)>        *         The target node was stolen or copied as a result of the compromise.
risk:extortion         -(leveraged)>    *         The extortion event was based on attacker access to the target node.
risk:leak              -(leaked)>       *         The leak included the disclosure of the target node.
risk:outage            -(impacted)>     *         The outage event impacted the availability of the target node.
risk:threat            -(targets)>      *         The threat cluster targeted the target node.
risk:threat            -(uses)>         *         The threat cluster uses the target node.
risk:tool:software     -(uses)>         *         The tool uses the target node.
sci:evidence           -(has)>          *         The evidence includes observations from the target nodes.
sci:experiment         -(uses)>         *         The experiment used the target nodes when it was run.
sci:observation        -(has)>          *         The observations are summarized from the target nodes.

econ:bank:statement

A statement of bank account payment activity over a period of time.

The base type for the form can be found at econ:bank:statement.

Properties:

name                 type                 doc
:account             econ:bank:account    The bank account used to compute the statement.
:period              ival                 The period that the statement includes.
:starting:balance    econ:price           The account balance at the beginning of the statement period.
:ending:balance      econ:price           The account balance at the end of the statement period.

Source Edges:

source                 verb          target               doc
*                      -(meets)>     ou:requirement       The requirement is met by the source node.
*                      -(refs)>      *                    The source node contains a reference to the target node.
*                      -(seenat)>    geo:telem            Deprecated. Please use geo:telem:node.
econ:bank:statement    -(has)>       econ:acct:payment    The bank statement includes the payment.

Target Edges:

source                 verb             target    doc
*                      -(refs)>         *         None
econ:purchase          -(acquired)>     *         The purchase was used to acquire the target node.
it:app:snort:rule      -(detects)>      *         The snort rule is intended for use in detecting the target node.
it:app:yara:rule       -(detects)>      *         The YARA rule is intended for use in detecting the target node.
it:exec:query          -(found)>        *         The target node was returned as a result of running the query.
math:algorithm         -(generates)>    *         The target node was generated by the algorithm.
meta:feed              -(found)>        *         The meta:feed produced the target node.
meta:note              -(about)>        *         The meta:note is about the target node.
meta:rule              -(detects)>      *         The meta:rule is designed to detect instances of the target node.
meta:rule              -(matches)>      *         The meta:rule has matched on the target node.
meta:source            -(seen)>         *         The meta:source observed the target node.
ou:campaign            -(targets)>      *         The campaign targeted the target nodes.
ou:campaign            -(uses)>         *         The campaign made use of the target node.
ou:contribution        -(includes)>     *         The contribution includes the specific node.
ou:org                 -(has)>          *         The organization is or was in possession of the target node.
ou:org                 -(owns)>         *         The organization owns or owned the target node.
ou:org                 -(targets)>      *         The organization targets the target node.
ou:org                 -(uses)>         *         The ou:org makes use of the target node.
plan:procedure:step    -(uses)>         *         The step in the procedure makes use of the target node.
ps:contact             -(has)>          *         The contact is or was in possession of the target node.
ps:contact             -(owns)>         *         The contact owns or owned the target node.
ps:person              -(has)>          *         The person is or was in possession of the target node.
ps:person              -(owns)>         *         The person owns or owned the target node.
risk:attack            -(targets)>      *         The attack targeted the target node.
risk:attack            -(uses)>         *         The attack used the target node to facilitate the attack.
risk:compromise        -(stole)>        *         The target node was stolen or copied as a result of the compromise.
risk:extortion         -(leveraged)>    *         The extortion event was based on attacker access to the target node.
risk:leak              -(leaked)>       *         The leak included the disclosure of the target node.
risk:outage            -(impacted)>     *         The outage event impacted the availability of the target node.
risk:threat            -(targets)>      *         The threat cluster targeted the target node.
risk:threat            -(uses)>         *         The threat cluster uses the target node.
risk:tool:software     -(uses)>         *         The tool uses the target node.
sci:evidence           -(has)>          *         The evidence includes observations from the target nodes.
sci:experiment         -(uses)>         *         The experiment used the target nodes when it was run.
sci:observation        -(has)>          *         The observations are summarized from the target nodes.

econ:bank:swift:bic

A Society for Worldwide Interbank Financial Telecommunication (SWIFT) Business Identifier Code (BIC).

The base type for the form can be found at econ:bank:swift:bic.

Properties:

name         type          doc
:business    ou:org        The business which is the registered owner of the SWIFT BIC.
:office      ps:contact    The branch or office which is specified in the last 3 digits of the SWIFT BIC.

Source Edges:

source    verb          target            doc
*         -(meets)>     ou:requirement    The requirement is met by the source node.
*         -(refs)>      *                 The source node contains a reference to the target node.
*         -(seenat)>    geo:telem         Deprecated. Please use geo:telem:node.

Target Edges:

source                 verb             target    doc
*                      -(refs)>         *         None
econ:purchase          -(acquired)>     *         The purchase was used to acquire the target node.
it:app:snort:rule      -(detects)>      *         The snort rule is intended for use in detecting the target node.
it:app:yara:rule       -(detects)>      *         The YARA rule is intended for use in detecting the target node.
it:exec:query          -(found)>        *         The target node was returned as a result of running the query.
math:algorithm         -(generates)>    *         The target node was generated by the algorithm.
meta:feed              -(found)>        *         The meta:feed produced the target node.
meta:note              -(about)>        *         The meta:note is about the target node.
meta:rule              -(detects)>      *         The meta:rule is designed to detect instances of the target node.
meta:rule              -(matches)>      *         The meta:rule has matched on the target node.
meta:source            -(seen)>         *         The meta:source observed the target node.
ou:campaign            -(targets)>      *         The campaign targeted the target nodes.
ou:campaign            -(uses)>         *         The campaign made use of the target node.
ou:contribution        -(includes)>     *         The contribution includes the specific node.
ou:org                 -(has)>          *         The organization is or was in possession of the target node.
ou:org                 -(owns)>         *         The organization owns or owned the target node.
ou:org                 -(targets)>      *         The organization targets the target node.
ou:org                 -(uses)>         *         The ou:org makes use of the target node.
plan:procedure:step    -(uses)>         *         The step in the procedure makes use of the target node.
ps:contact             -(has)>          *         The contact is or was in possession of the target node.
ps:contact             -(owns)>         *         The contact owns or owned the target node.
ps:person              -(has)>          *         The person is or was in possession of the target node.
ps:person              -(owns)>         *         The person owns or owned the target node.
risk:attack            -(targets)>      *         The attack targeted the target node.
risk:attack            -(uses)>         *         The attack used the target node to facilitate the attack.
risk:compromise        -(stole)>        *         The target node was stolen or copied as a result of the compromise.
risk:extortion         -(leveraged)>    *         The extortion event was based on attacker access to the target node.
risk:leak              -(leaked)>       *         The leak included the disclosure of the target node.
risk:outage            -(impacted)>     *         The outage event impacted the availability of the target node.
risk:threat            -(targets)>      *         The threat cluster targeted the target node.
risk:threat            -(uses)>         *         The threat cluster uses the target node.
risk:tool:software     -(uses)>         *         The tool uses the target node.
sci:evidence           -(has)>          *         The evidence includes observations from the target nodes.
sci:experiment         -(uses)>         *         The experiment used the target nodes when it was run.
sci:observation        -(has)>          *         The observations are summarized from the target nodes.

econ:currency

The name of a system of money in general use.

The base type for the form can be found at econ:currency.

An example of econ:currency:

  • usd

Source Edges:

source    verb          target            doc
*         -(meets)>     ou:requirement    The requirement is met by the source node.
*         -(refs)>      *                 The source node contains a reference to the target node.
*         -(seenat)>    geo:telem         Deprecated. Please use geo:telem:node.

Target Edges:

source                 verb             target    doc
*                      -(refs)>         *         None
econ:purchase          -(acquired)>     *         The purchase was used to acquire the target node.
it:app:snort:rule      -(detects)>      *         The snort rule is intended for use in detecting the target node.
it:app:yara:rule       -(detects)>      *         The YARA rule is intended for use in detecting the target node.
it:exec:query          -(found)>        *         The target node was returned as a result of running the query.
math:algorithm         -(generates)>    *         The target node was generated by the algorithm.
meta:feed              -(found)>        *         The meta:feed produced the target node.
meta:note              -(about)>        *         The meta:note is about the target node.
meta:rule              -(detects)>      *         The meta:rule is designed to detect instances of the target node.
meta:rule              -(matches)>      *         The meta:rule has matched on the target node.
meta:source            -(seen)>         *         The meta:source observed the target node.
ou:campaign            -(targets)>      *         The campaign targeted the target nodes.
ou:campaign            -(uses)>         *         The campaign made use of the target node.
ou:contribution        -(includes)>     *         The contribution includes the specific node.
ou:org                 -(has)>          *         The organization is or was in possession of the target node.
ou:org                 -(owns)>         *         The organization owns or owned the target node.
ou:org                 -(targets)>      *         The organization targets the target node.
ou:org                 -(uses)>         *         The ou:org makes use of the target node.
plan:procedure:step    -(uses)>         *         The step in the procedure makes use of the target node.
ps:contact             -(has)>          *         The contact is or was in possession of the target node.
ps:contact             -(owns)>         *         The contact owns or owned the target node.
ps:person              -(has)>          *         The person is or was in possession of the target node.
ps:person              -(owns)>         *         The person owns or owned the target node.
risk:attack            -(targets)>      *         The attack targeted the target node.
risk:attack            -(uses)>         *         The attack used the target node to facilitate the attack.
risk:compromise        -(stole)>        *         The target node was stolen or copied as a result of the compromise.
risk:extortion         -(leveraged)>    *         The extortion event was based on attacker access to the target node.
risk:leak              -(leaked)>       *         The leak included the disclosure of the target node.
risk:outage            -(impacted)>     *         The outage event impacted the availability of the target node.
risk:threat            -(targets)>      *         The threat cluster targeted the target node.
risk:threat            -(uses)>         *         The threat cluster uses the target node.
risk:tool:software     -(uses)>         *         The tool uses the target node.
sci:evidence           -(has)>          *         The evidence includes observations from the target nodes.
sci:experiment         -(uses)>         *         The experiment used the target nodes when it was run.
sci:observation        -(has)>          *         The observations are summarized from the target nodes.

econ:fin:bar

A sample of the open, close, high, low prices of a security in a specific time window.

The base type for the form can be found at econ:fin:bar.

Properties:

name            type                 doc
:security       econ:fin:security    The security measured by the bar.
:ival           ival                 The interval of measurement.
:price:open     econ:price           The opening price of the security.
:price:close    econ:price           The closing price of the security.
:price:low      econ:price           The low price of the security.
:price:high     econ:price           The high price of the security.

Source Edges:

source    verb          target            doc
*         -(meets)>     ou:requirement    The requirement is met by the source node.
*         -(refs)>      *                 The source node contains a reference to the target node.
*         -(seenat)>    geo:telem         Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:fin:exchange

A financial exchange where securities are traded.

The base type for the form can be found at econ:fin:exchange.

Properties:

name

type

doc

opts

:name

lower: True
strip: True

A simple name for the exchange.

Example: nasdaq

:org

ou:org

The organization that operates the exchange.

:currency

econ:currency

The currency used for all transactions in the exchange.

Example: usd

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:fin:security

A financial security which is typically traded on an exchange.

The base type for the form can be found at econ:fin:security.

Properties:

name

type

doc

:exchange

econ:fin:exchange

The exchange on which the security is traded.

:ticker

lower: True
strip: True

The identifier for this security within the exchange.

:type

lower: True
strip: True

A user defined type such as stock, bond, option, future, or forex.

:price

econ:price

The last known/available price of the security.

:time

time

The time of the last known price sample.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:fin:tick

A sample of the price of a security at a single moment in time.

The base type for the form can be found at econ:fin:tick.

Properties:

name

type

doc

:security

econ:fin:security

The security measured by the tick.

:time

time

The time the price was sampled.

:price

econ:price

The price of the security at the time.
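The two forms above describe the same price stream at two resolutions: econ:fin:tick is a single sample, econ:fin:bar is the open/close/high/low summary of all samples in one interval. The aggregation from ticks to bars is what an ingest pipeline does before creating econ:fin:bar nodes. The following is an added example written for this page, not Synapse code; the Tick and Bar classes, the window alignment and the sample data are constructed here, and times are epoch milliseconds on the assumption that the :ival bounds are stored at that resolution.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Tick:
    """One price sample, mirroring econ:fin:tick (:security, :time, :price)."""
    security: str
    time: int        # epoch milliseconds (assumed resolution for the example)
    price: float


@dataclass
class Bar:
    """One OHLC window, mirroring econ:fin:bar (:security, :ival, :price:*)."""
    security: str
    ival: Tuple[int, int]   # [start, end) of the window in epoch milliseconds
    open: float
    close: float
    low: float
    high: float


def ticks_to_bars(ticks: Iterable[Tick], window_ms: int) -> List[Bar]:
    """Aggregate ticks into fixed-width OHLC bars, one per (security, window).

    Ticks are sorted by time first so that open and close are the earliest and
    latest samples in the window even when the input arrives out of order.
    """
    bars: Dict[Tuple[str, int], Bar] = {}
    for t in sorted(ticks, key=lambda t: t.time):
        start = t.time - (t.time % window_ms)       # align to the window boundary
        key = (t.security, start)
        bar = bars.get(key)
        if bar is None:
            bars[key] = Bar(t.security, (start, start + window_ms),
                            open=t.price, close=t.price, low=t.price, high=t.price)
        else:
            bar.close = t.price
            bar.low = min(bar.low, t.price)
            bar.high = max(bar.high, t.price)
    return [bars[k] for k in sorted(bars)]


# Constructed sample ticks (not real market data); T0 is aligned to a one-minute boundary.
T0 = 1_700_000_040_000
SAMPLE_TICKS = [
    Tick("acme", T0 + 20_000, 10.5),   # arrives before the window's first sample
    Tick("acme", T0,          10.0),
    Tick("acme", T0 + 50_000,  9.8),
    Tick("acme", T0 + 70_000,  9.9),
    Tick("acme", T0 + 90_000, 10.2),
]

if __name__ == "__main__":
    for bar in ticks_to_bars(SAMPLE_TICKS, 60_000):
        print(bar)
```

With a 60 second window the five constructed ticks collapse into two bars; the first has open 10.0, high 10.5, low 9.8 and close 9.8 even though the 10.5 sample was supplied first, which is why the sort by :time matters before deciding which sample is the open.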

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:pay:card

A single payment card.

The base type for the form can be found at econ:pay:card.

Properties:

name

type

doc

:pan

econ:pay:pan

The payment card number.

:pan:mii

econ:pay:mii

The payment card MII (Major Industry Identifier), the first digit of the PAN.

:pan:iin

econ:pay:iin

The payment card IIN (Issuer Identification Number), the leading digits of the PAN that identify the issuing institution.

:name

ps:name

The name as it appears on the card.

:expr

time

The expiration date for the card.

:cvv

econ:pay:cvv

The Card Verification Value on the card.

:pin

econ:pay:pin

The Personal Identification Number associated with the card.

:account

econ:bank:account

A bank account associated with the payment card.

:contact

ps:contact

The primary contact for the payment card.
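The :pan:mii and :pan:iin properties are derived from the PAN itself, and a PAN that fails the Luhn check is almost certainly a typo or a deliberately mangled value rather than a card. The following is an added example for this page, not Synapse code: it normalizes a raw card number, applies the Luhn check, derives the MII and IIN the form records, and produces a masked rendering for logs. The six-digit IIN, the 12 to 19 digit length bounds, and the sample test numbers are assumptions made here for the example.

```python
import re
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_pan(raw: str) -> Optional[Dict[str, object]]:
    """Normalize a PAN and derive the fields econ:pay:card records alongside it.

    Returns None when the input is not a plausible PAN: non-digits after
    stripping separators, an implausible length, or a Luhn failure.
    """
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return None
    if not luhn_ok(pan):
        return None
    return {
        "pan": pan,
        "pan:mii": int(pan[0]),      # Major Industry Identifier: the first digit
        "pan:iin": int(pan[:6]),     # Issuer Identification Number: assumed to be the leading six digits
        # first six and last four digits, the most PCI DSS allows to be displayed
        "masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
    }


# Constructed inputs: well-known test PANs, not real cards.
SAMPLE_INPUTS = [
    "4111 1111 1111 1111",   # valid
    "5105-1051-0510-5100",   # valid
    "4111 1111 1111 1112",   # last digit altered: Luhn fails
    "12345",                 # too short
]

if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        print(raw, "->", parse_pan(raw))
```

Two caveats a practitioner would want alongside this form: the Luhn check only rejects malformed numbers, it does not prove a card exists, so a passing value is still just an unverified indicator; and :cvv and :pin are sensitive authentication data that PCI DSS forbids storing after authorization, so populating them in a graph is appropriate only for material already recovered from a compromise or dump and handled under the controls that apply to that data.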

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:pay:iin

An Issuer Identification Number (IIN), the leading digits of a payment card number that identify the issuing institution.

The base type for the form can be found at econ:pay:iin.

Properties:

name

type

doc

:org

ou:org

The issuer organization.

:name

lower: True

The registered name of the issuer.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:purchase

A purchase event.

The base type for the form can be found at econ:purchase.

Properties:

name

type

doc

:by:contact

ps:contact

The contact information used to make the purchase.

:from:contact

ps:contact

The contact information used to sell the item.

:time

time

The time of the purchase.

:place

geo:place

The place where the purchase took place.

:paid

bool

Set to True if the purchase has been paid in full.

:paid:time

time

The point in time where the purchase was paid in full.

:settled

time

The point in time where the purchase was settled.

:campaign

ou:campaign

The campaign that the purchase was in support of.

:price

econ:price

The econ:price of the purchase.

:currency

econ:currency

The econ:currency in which the purchase price is denominated.

:listing

biz:listing

The purchase was made based on the given listing.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:receipt:item

A line item included as part of a purchase.

The base type for the form can be found at econ:receipt:item.

Properties:

name

type

doc

:purchase

econ:purchase

The purchase that contains this line item.

:count

min: 1

The number of items included in this line item.

:price

econ:price

The total cost of this receipt line item.

:product

biz:product

The product being purchased in this line item.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

edge:has

A digraph edge which records that N1 has N2.

The base type for the form can be found at edge:has.

Properties:

name

type

doc

opts

:n1

ndef

The (form, value) node definition of N1, the source node of the edge.

Read Only: True

:n1:form

str

The form name of N1.

Read Only: True

:n2

ndef

The (form, value) node definition of N2, the target node of the edge.

Read Only: True

:n2:form

str

The form name of N2.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

edge:refs

A digraph edge which records that N1 refers to or contains N2.

The base type for the form can be found at edge:refs.

Properties:

name

type

doc

opts

:n1

ndef

The (form, value) node definition of N1, the node that refers to or contains N2.

Read Only: True

:n1:form

str

The form name of N1.

Read Only: True

:n2

ndef

The (form, value) node definition of N2, the node referred to or contained.

Read Only: True

:n2:form

str

The form name of N2.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

edge:wentto

A digraph edge which records that N1 went to N2 at a specific time.

The base type for the form can be found at edge:wentto.

Properties:

name | type | doc | opts
:n1 | ndef | The node definition type for a (form,valu) compound field. | Read Only: True
:n1:form | str | The base string type. | Read Only: True
:n2 | ndef | The node definition type for a (form,valu) compound field. | Read Only: True
:n2:form | str | The base string type. | Read Only: True
:time | time | A date/time value. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

edu:class

An instance of an edu:course taught at a given time.

The base type for the form can be found at edu:class.

Properties:

name | type | doc
:course | edu:course | The course being taught in the class.
:instructor | ps:contact | The primary instructor for the class.
:assistants | uniq: True, sorted: True | An array of assistant/co-instructor contacts.
:date:first | time | The date of the first day of class.
:date:last | time | The date of the last day of class.
:isvirtual | bool | Set if the class is known to be virtual.
:virtual:url | inet:url | The URL a student would use to attend the virtual class.
:virtual:provider | ps:contact | Contact info for the virtual infrastructure provider.
:place | geo:place | The place where the class is held.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

edu:course

A course of study taught by an org.

The base type for the form can be found at edu:course.

Properties:

name | type | doc | opts
:name |  | The name of the course. Example: organic chemistry for beginners | lower: True, onespace: True
:desc | str | A brief course description. |
:code |  | The course catalog number or designator. Example: chem101 | lower: True, strip: True
:institution | ps:contact | The org or department which teaches the course. |
:prereqs |  | The prerequisite courses for taking this course. | uniq: True, sorted: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

entity:name

A name used to refer to an entity.

The base type for the form can be found at entity:name.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

file:archive:entry

An archive entry representing a file and metadata within a parent archive file.

The base type for the form can be found at file:archive:entry.

Properties:

name | type | doc
:parent | file:bytes | The parent archive file.
:file | file:bytes | The file contained within the archive.
:path | file:path | The file path of the archived file.
:user | inet:user | The name of the user who owns the archived file.
:added | time | The time that the file was added to the archive.
:created | time | The created time of the archived file.
:modified | time | The modified time of the archived file.
:comment | str | The comment field for the file entry within the archive.
:posix:uid | int | The POSIX UID of the user who owns the archived file.
:posix:gid | int | The POSIX GID of the group who owns the archived file.
:posix:perms | int | The POSIX permissions mask of the archived file.
:archived:size | int | The encoded or compressed size of the archived file within the parent.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

file:attachment

A file attachment.

The base type for the form can be found at file:attachment.

Properties:

name | type | doc
:name | file:path | The name of the attached file.
:text | str | Any text associated with the file, such as alt-text for images.
:file | file:bytes | The file which was attached.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

file:base

A file name with no path.

The base type for the form can be found at file:base.

An example of file:base:

  • woot.exe

Properties:

name | type | doc | opts
:ext | str | The file extension (if any). | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

file:bytes

The file bytes type with SHA256 based primary property.

The base type for the form can be found at file:bytes.

Properties:

name | type | doc
:size | int | The file size in bytes.
:md5 | hash:md5 | The MD5 hash of the file.
:sha1 | hash:sha1 | The SHA1 hash of the file.
:sha256 | hash:sha256 | The SHA256 hash of the file.
:sha512 | hash:sha512 | The SHA512 hash of the file.
:name | file:base | The best known base name for the file.
:mime | file:mime | The "best" MIME type name for the file.
:mime:x509:cn | str | The Common Name (CN) attribute of the X.509 Subject.
:mime:pe:size | int | The size of the executable file according to the PE file header.
:mime:pe:imphash | hash:md5 | The PE import hash of the file as calculated by pefile (https://github.com/erocarrera/pefile).
:mime:pe:compiled | time | The compile time of the file according to the PE header.
:mime:pe:pdbpath | file:path | The PDB path string according to the PE header.
:mime:pe:exports:time | time | The export timestamp of the file according to the PE header.
:mime:pe:exports:libname | str | The export library name according to the PE header.
:mime:pe:richhdr | hash:sha256 | The SHA256 hash of the Rich header bytes.
:exe:compiler | it:prod:softver | The software used to compile the file.
:exe:packer | it:prod:softver | The packer software used to encode the file.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.
file:bytes | -(refs)> | it:dev:str | The source file contains the target string.
file:bytes | -(uses)> | math:algorithm | The file uses the algorithm.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

file:filepath

The fused knowledge of the association of a file:bytes node and a file:path.

The base type for the form can be found at file:filepath.

Properties:

name

type

doc

opts

:file

file:bytes

The file seen at a path.

Read Only: True

:path

file:path

The path a file was seen at.

Read Only: True

:path:dir

file:path

The parent directory.

Read Only: True

:path:base

file:base

The name of the file.

Read Only: True

:path:base:ext

str

The extension of the file name.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:ismime

Records one, of potentially multiple, mime types for a given file.

The base type for the form can be found at file:ismime.

Properties:

name

type

doc

opts

:file

file:bytes

The file node that is an instance of the named mime type.

Read Only: True

:mime

file:mime

The mime type of the file.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime

A file mime name string.

The base type for the form can be found at file:mime.

An example of file:mime:

  • text/plain

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:gif

The GUID of a set of mime metadata for a .gif file.

The base type for the form can be found at file:mime:gif.

Properties:

name

type

doc

:desc

str

MIME specific description field extracted from metadata.

:comment

str

MIME specific comment field extracted from metadata.

:created

time

MIME specific creation timestamp extracted from metadata.

:imageid

str

MIME specific unique identifier extracted from metadata.

:author

ps:contact

MIME specific contact information extracted from metadata.

:latlong

geo:latlong

MIME specific lat/long information extracted from metadata.

:altitude

geo:altitude

MIME specific altitude information extracted from metadata.

:text

str (lower: True, onespace: True)

The text contained within the image.

:file

file:bytes

The file that the mime info was parsed from.

:file:offs

int

The optional offset where the mime info was parsed from.

:file:data

data

A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:jpg

The GUID of a set of mime metadata for a .jpg file.

The base type for the form can be found at file:mime:jpg.

Properties:

name

type

doc

:desc

str

MIME specific description field extracted from metadata.

:comment

str

MIME specific comment field extracted from metadata.

:created

time

MIME specific creation timestamp extracted from metadata.

:imageid

str

MIME specific unique identifier extracted from metadata.

:author

ps:contact

MIME specific contact information extracted from metadata.

:latlong

geo:latlong

MIME specific lat/long information extracted from metadata.

:altitude

geo:altitude

MIME specific altitude information extracted from metadata.

:text

str (lower: True, onespace: True)

The text contained within the image.

:file

file:bytes

The file that the mime info was parsed from.

:file:offs

int

The optional offset where the mime info was parsed from.

:file:data

data

A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:lnk

The GUID of the metadata pulled from a Windows shortcut or LNK file.

The base type for the form can be found at file:mime:lnk.

Properties:

name

type

doc

opts

:flags

int

The flags specified by the LNK header that control the structure of the LNK file.

:entry:primary

file:path

The primary file path contained within the FileEntry structure of the LNK file.

:entry:secondary

file:path

The secondary file path contained within the FileEntry structure of the LNK file.

:entry:extended

file:path

The extended file path contained within the extended FileEntry structure of the LNK file.

:entry:localized

file:path

The localized file path reconstructed from references within the extended FileEntry structure of the LNK file.

:entry:icon

file:path

The icon file path contained within the StringData structure of the LNK file.

:environment:path

file:path

The target file path contained within the EnvironmentVariableDataBlock structure of the LNK file.

:environment:icon

file:path

The icon file path contained within the IconEnvironmentDataBlock structure of the LNK file.

:iconindex

int

A resource index for an icon within an icon location.

:working

file:path

The working directory used when activating the link target.

:relative

str (strip: True)

The relative target path string contained within the StringData structure of the LNK file.

:arguments

it:cmd

The command line arguments passed to the target file when the LNK file is activated.

:desc

str

The description of the LNK file contained within the StringData section of the LNK file.

Display: {'hint': 'text'}

:target:attrs

int

The attributes of the target file according to the LNK header.

:target:size

int

The size of the target file according to the LNK header. The LNK format specifies that this is only the lower 32 bits of the target file size.

:target:created

time

The creation time of the target file according to the LNK header.

:target:accessed

time

The access time of the target file according to the LNK header.

:target:written

time

The write time of the target file according to the LNK header.

:driveserial

int

The drive serial number of the volume the link target is stored on.

:machineid

it:hostname

The NetBIOS name of the machine where the link target was last located.
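
The properties above correspond to fixed structures in the on-disk shortcut format (MS-SHLLINK): the ShellLinkHeader carries the flags, target attributes, the three FILETIME stamps and the 32-bit FileSize; the LinkInfo block carries the VolumeID (drive serial) and LocalBasePath; the StringData items carry the description, relative path, working directory, arguments and icon location. The parser below is an added example written for this page, not Synapse code. It reads those three regions from a constructed sample shortcut and shows why :target:size is only the low 32 bits: the sample's target is larger than 4 GiB and the header can only store the truncated value. It skips the LinkTargetIDList and does not parse ExtraData blocks, so the TrackerDataBlock that carries the NetBIOS machine name (:machineid) and the EnvironmentVariableDataBlock (:environment:path) are not populated. The dictionary keys, the cp1252 code page assumed for non-Unicode strings and the sample's drive serial, paths and timestamps are all assumptions made for the example; the :arguments string is the field a responder usually wants first from a lure shortcut, because it holds the command line run when the link is activated.

```python
"""Parse the ShellLinkHeader, LinkInfo and StringData of a Windows .lnk file.

Added example (not Synapse code). Field layout follows MS-SHLLINK; the LinkTargetIDList
is skipped and ExtraData blocks (TrackerDataBlock with the NetBIOS machine ID,
EnvironmentVariableDataBlock, ...) are not parsed.
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01          # LinkInfoFlags bit A
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ANSI_CODEPAGE = "cp1252"                      # assumption: non-Unicode strings are Windows-1252


def filetime_to_datetime(ft: int):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def _read_string(data: bytes, off: int, unicode: bool):
    """StringData item: CountCharacters (uint16) followed by the unterminated string."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    width = 2 if unicode else 1
    raw = data[off:off + count * width]
    if len(raw) != count * width:
        raise ValueError("StringData item truncated")
    return raw.decode("utf-16-le" if unicode else ANSI_CODEPAGE), off + count * width


def parse_lnk(data: bytes) -> dict:
    if len(data) < 0x4C:
        raise ValueError("shorter than a ShellLinkHeader")
    (hdr_size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     icon_index, show_cmd, _hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink: bad HeaderSize or LinkCLSID")
    info = {
        "flags": flags, "target:attrs": attrs,
        "target:size": fsize,                       # only the low 32 bits survive in the header
        "target:created": filetime_to_datetime(ctime),
        "target:accessed": filetime_to_datetime(atime),
        "target:written": filetime_to_datetime(wtime),
        "iconindex": icon_index, "showcommand": show_cmd,
    }
    off = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:              # IDListSize (uint16) + IDList; not decoded here
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        (li_size, _li_hdr_size, li_flags, vol_off, base_off,
         _cnrl_off, _suffix_off) = struct.unpack_from("<7I", data, off)   # offsets are relative to LinkInfo
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vol_size, drive_type, serial, _label_off = struct.unpack_from("<4I", data, off + vol_off)
            info["drivetype"] = drive_type
            info["driveserial"] = serial
            start = off + base_off
            info["localbasepath"] = data[start:data.index(b"\x00", start)].decode(ANSI_CODEPAGE)
        off += li_size
    unicode = bool(flags & IS_UNICODE)
    # StringData items appear in this fixed order, each present only if its flag is set.
    for flag, key in ((HAS_NAME, "desc"), (HAS_RELATIVE_PATH, "relative"),
                      (HAS_WORKING_DIR, "working"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "entry:icon")):
        if flags & flag:
            info[key], off = _read_string(data, off, unicode)
    return info


def build_sample_lnk() -> bytes:
    """Constructed sample: header + LinkInfo (VolumeID, LocalBasePath) + COMMAND_LINE_ARGUMENTS."""
    created = datetime(2020, 1, 1, tzinfo=timezone.utc)
    accessed = datetime(2021, 6, 15, 12, 30, tzinfo=timezone.utc)
    written = datetime(2020, 1, 2, tzinfo=timezone.utc)
    target_size = (1 << 32) + 0x1000            # > 4 GiB: the header can only store the low 32 bits
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), target_size & 0xFFFFFFFF,
                         0, 1, 0, 0, 0, 0)
    label = b"OS\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 3, 0x1A2B3C4D, 16) + label   # DriveType 3 = DRIVE_FIXED
    local_base = b"C:\\Windows\\System32\\cmd.exe\x00"
    vol_off = 28                                # LinkInfoHeaderSize without the optional Unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(local_base)
    link_info = struct.pack("<7I", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + local_base + b"\x00"
    args = "/c whoami"
    return header + link_info + struct.pack("<H", len(args)) + args.encode("utf-16-le")


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:16} {value!r}")
```

On the constructed sample the parser reports flags 0xA2, a target size of 0x1000 although the target was built as 4 GiB + 0x1000 bytes, the drive serial 0x1A2B3C4D, the LocalBasePath and the Unicode argument string. For a real shortcut the LinkTargetIDList size and every LinkInfo offset should be bounds-checked before use, since shortcuts from a lure are attacker-controlled input.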

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:macho:loadcmd

A generic load command pulled from the Mach-O headers.

The base type for the form can be found at file:mime:macho:loadcmd.

Properties:

name

type

doc

:file

file:bytes

The Mach-O file containing the load command.

:type

enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

The type of the load command.

:size

int

The size of the load command structure in bytes.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:macho:section

A section inside a Mach-O binary denoting a named region of bytes inside a segment.

The base type for the form can be found at file:mime:macho:section.

Properties:

name

type

doc

:segment

file:mime:macho:segment

The Mach-O segment that contains this section.

:name

str

Name of the section.

:size

int

Size of the section in bytes.

:type

enums: ((0, 'regular'), (1, 'zero fill on demand'), (2, 'only literal C strings'), (3, 'only 4 byte literals'), (4, 'only 8 byte literals'), (5, 'only pointers to literals'), (6, 'only non-lazy symbol pointers'), (7, 'only lazy symbol pointers'), (8, 'only symbol stubs'), (9, 'only function pointers for init'), (10, 'only function pointers for fini'), (11, 'contains symbols to be coalesced'), (12, 'zero fill on deman (greater than 4gb)'), (13, 'only pairs of function pointers for interposing'), (14, 'only 16 byte literals'), (15, 'dtrace object format'), (16, 'only lazy symbols pointers to lazy dynamic libraries'))

The type of the section.

:sha256

hash:sha256

The sha256 hash of the bytes of the Mach-O section.

:offset

int

The file offset to the beginning of the section.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:macho:segment

A named region of bytes inside a Mach-O binary.

The base type for the form can be found at file:mime:macho:segment.

Properties:

name

type

doc

:name

str

The name of the Mach-O segment.

:memsize

int

The size of the segment in bytes, when resident in memory, according to the load command structure.

:disksize

int

The size of the segment in bytes, when on disk, according to the load command structure.

:sha256

hash:sha256

The sha256 hash of the bytes of the segment.

:offset

int

The file offset to the beginning of the segment.

:file

file:bytes

The Mach-O file containing the load command.

:type

enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

The type of the load command.

:size

int

The size of the load command structure in bytes.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:macho:uuid

A specific load command denoting a UUID used to uniquely identify the Mach-O binary.

The base type for the form can be found at file:mime:macho:uuid.

Properties:

name

type

doc

:uuid

guid

The UUID of the Mach-O application (as defined in an LC_UUID load command).

:file

file:bytes

The Mach-O file containing the load command.

:type

enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

The type of the load command.

:size

int

The size of the load command structure in bytes.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:macho:version

A specific load command used to denote the version of the source used to build the Mach-O binary.

The base type for the form can be found at file:mime:macho:version.

Properties:

name

type

doc

:version

str

The source version of the Mach-O file, as encoded in an LC_SOURCE_VERSION load command (load command type 42, 'source version used to build binary').

:file

file:bytes

The Mach-O file containing the load command.

:type

enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

The type of the load command.

:size

int

The size of the load command structure in bytes.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.
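
The three Mach-O forms above (file:mime:macho:segment, file:mime:macho:uuid and file:mime:macho:version) all carry the same :file, :type and :size properties and differ only in the fields pulled from the load command body. The following is an added example, not Synapse code, showing how those properties map onto the load-command table of a little-endian 64-bit Mach-O. It builds a constructed sample binary in memory, so it runs offline; the `sha256:` prefix on the :file value and epoch-style integers are assumptions about how the values would be handed to the model. Two practitioner details it makes explicit: the :type enum ids (25, 27, 42, ...) are the cmd value with the LC_REQ_DYLD high bit (0x80000000) masked off, and every cmdsize from the file is bounds-checked before use, since load-command tables in malware samples are attacker-controlled.

```python
import hashlib
import struct
import uuid

# Added example, not part of Synapse: parse the load-command table of a
# little-endian 64-bit Mach-O and emit property dicts shaped like the
# file:mime:macho:segment, file:mime:macho:uuid and file:mime:macho:version forms.

MH_MAGIC_64 = 0xFEEDFACF
LC_REQ_DYLD = 0x80000000      # flag bit set on some cmd values; not part of the :type enum id
LC_SEGMENT_64 = 0x19          # enum 25, '64bit segment'
LC_UUID = 0x1B                # enum 27, 'uuid'
LC_SOURCE_VERSION = 0x2A      # enum 42, 'source version used to build binary'
LC_MAIN = 0x28 | LC_REQ_DYLD  # enum 40 once the flag bit is masked off
HEADER_LEN = 32               # sizeof(mach_header_64)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decode_source_version(packed: int) -> str:
    """LC_SOURCE_VERSION packs A.B.C.D.E as 24.10.10.10.10 bits."""
    parts = (packed >> 40, (packed >> 30) & 0x3FF, (packed >> 20) & 0x3FF,
             (packed >> 10) & 0x3FF, packed & 0x3FF)
    return ".".join(str(p) for p in parts)


def parse_load_commands(data: bytes) -> dict:
    """Return {'segments', 'uuids', 'versions', 'types'}; each entry carries the
    :file, :type and :size properties shared by the three forms plus its own fields."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"not a little-endian 64-bit Mach-O (magic={magic:#x})")
    file_ref = f"sha256:{sha256_hex(data)}"      # assumed shape of the file:bytes value
    out = {"segments": [], "uuids": [], "versions": [], "types": []}
    off, end = HEADER_LEN, HEADER_LEN + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table overruns sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:     # untrusted input: never trust cmdsize
            raise ValueError(f"bad cmdsize {cmdsize} at offset {off:#x}")
        lc_type = cmd & ~LC_REQ_DYLD               # :type enum id
        out["types"].append(lc_type)
        common = {"file": file_ref, "type": lc_type, "size": cmdsize}
        if cmd == LC_SEGMENT_64 and cmdsize >= 72:
            segname, _vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<16sQQQQ", data, off + 8)
            if fileoff + filesize > len(data):
                raise ValueError("segment extends past end of file")
            out["segments"].append({**common,
                "name": segname.rstrip(b"\0").decode("ascii", "replace"),
                "memsize": vmsize, "disksize": filesize, "offset": fileoff,
                "sha256": sha256_hex(data[fileoff:fileoff + filesize])})
        elif cmd == LC_UUID and cmdsize >= 24:
            out["uuids"].append({**common, "uuid": str(uuid.UUID(bytes=data[off + 8:off + 24]))})
        elif cmd == LC_SOURCE_VERSION and cmdsize >= 16:
            (packed,) = struct.unpack_from("<Q", data, off + 8)
            out["versions"].append({**common, "version": decode_source_version(packed)})
        off += cmdsize
    return out


def build_sample_macho() -> bytes:
    """Constructed sample, not a real binary: header + LC_SEGMENT_64 (__TEXT),
    LC_UUID, LC_SOURCE_VERSION 1.2.3.4.5, LC_MAIN, then 64 bytes of segment payload."""
    payload = b"\xcc" * 64
    cmds_len = 72 + 24 + 16 + 24
    payload_off = HEADER_LEN + cmds_len
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                      0x100000000, 0x1000, payload_off, len(payload), 5, 5, 0, 0)
    uid = struct.pack("<II", LC_UUID, 24) + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes
    ver = struct.pack("<IIQ", LC_SOURCE_VERSION, 16, (1 << 40) | (2 << 30) | (3 << 20) | (4 << 10) | 5)
    main = struct.pack("<IIQQ", LC_MAIN, 24, 0, 0)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 4, cmds_len, 0, 0)
    return header + seg + uid + ver + main + payload


if __name__ == "__main__":
    import json
    print(json.dumps(parse_load_commands(build_sample_macho()), indent=2))
```

Run as a script it prints one segment record (name `__TEXT`, :memsize 0x1000, :disksize 64, :offset 168, :type 25), one uuid record (:type 27) and one version record `1.2.3.4.5` (:type 42); the LC_MAIN command shows up in the type list as 40 only because the LC_REQ_DYLD bit was masked. Fat (universal) binaries and big-endian or 32-bit images are out of scope here and are rejected by the magic check.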

file:mime:msdoc

The GUID of a set of mime metadata for a Microsoft Word file.

The base type for the form can be found at file:mime:msdoc.

Properties:

name

type

doc

:title

str

The title extracted from Microsoft Office metadata.

:author

str

The author extracted from Microsoft Office metadata.

:subject

str

The subject extracted from Microsoft Office metadata.

:application

str

The creating_application extracted from Microsoft Office metadata.

:created

time

The create_time extracted from Microsoft Office metadata.

:lastsaved

time

The last_saved_time extracted from Microsoft Office metadata.

:file

file:bytes

The file that the mime info was parsed from.

:file:offs

int

The optional offset where the mime info was parsed from.

:file:data

data

A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:msppt

The GUID of a set of mime metadata for a Microsoft PowerPoint file.

The base type for the form can be found at file:mime:msppt.

Properties:

name

type

doc

:title

str

The title extracted from Microsoft Office metadata.

:author

str

The author extracted from Microsoft Office metadata.

:subject

str

The subject extracted from Microsoft Office metadata.

:application

str

The creating_application extracted from Microsoft Office metadata.

:created

time

The create_time extracted from Microsoft Office metadata.

:lastsaved

time

The last_saved_time extracted from Microsoft Office metadata.

:file

file:bytes

The file that the mime info was parsed from.

:file:offs

int

The optional offset where the mime info was parsed from.

:file:data

data

A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:msxls

The GUID of a set of mime metadata for a Microsoft Excel file.

The base type for the form can be found at file:mime:msxls.

Properties:

name

type

doc

:title

str

The title extracted from Microsoft Office metadata.

:author

str

The author extracted from Microsoft Office metadata.

:subject

str

The subject extracted from Microsoft Office metadata.

:application

str

The creating_application extracted from Microsoft Office metadata.

:created

time

The create_time extracted from Microsoft Office metadata.

:lastsaved

time

The last_saved_time extracted from Microsoft Office metadata.

:file

file:bytes

The file that the mime info was parsed from.

:file:offs

int

The optional offset where the mime info was parsed from.

:file:data

data

A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.
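
file:mime:msdoc, file:mime:msppt and file:mime:msxls share one property set (:title, :author, :subject, :application, :created, :lastsaved, plus :file, :file:offs and :file:data) and differ only in which Office application produced the file. The following is an added example, not Synapse code, showing where those values come from in an OOXML package (.docx/.pptx/.xlsx) and how the main-part path selects the form. It assumes the OOXML docProps parts; legacy OLE2 .doc/.ppt/.xls files carry the same fields in the SummaryInformation stream, which is not parsed here. The `sha256:` prefix on :file and epoch-millisecond integers for the two time properties are assumptions about how the values would be handed to the model. The sample .docx is constructed in memory so the code runs offline.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Added example, not part of Synapse: extract the Office metadata fields used by
# file:mime:msdoc / file:mime:msppt / file:mime:msxls from an OOXML package.
# Assumption: OOXML docProps parts only (no OLE2 SummaryInformation parsing).

NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_DCTERMS = "http://purl.org/dc/terms/"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# main-part path inside the zip -> which form the metadata belongs to
FORM_BY_PART = {
    "word/document.xml": "file:mime:msdoc",
    "ppt/presentation.xml": "file:mime:msppt",
    "xl/workbook.xml": "file:mime:msxls",
}


def to_epoch_ms(w3cdtf: str) -> int:
    """dcterms W3CDTF timestamp -> epoch milliseconds (assumed 'time' representation)."""
    dt = datetime.fromisoformat(w3cdtf.replace("Z", "+00:00"))
    if dt.tzinfo is None:            # treat naive timestamps as UTC rather than local time
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def _text(root, tag):
    el = root.find(tag) if root is not None else None
    return el.text.strip() if el is not None and el.text else None


def office_metadata(data: bytes) -> dict:
    """Return {'form': <form name>, 'props': {...}} with props keyed like the form's properties."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        form = next((f for part, f in FORM_BY_PART.items() if part in names), None)
        if form is None:
            raise ValueError("not a Word/PowerPoint/Excel OOXML package")
        core = ET.fromstring(zf.read("docProps/core.xml")) if "docProps/core.xml" in names else None
        app = ET.fromstring(zf.read("docProps/app.xml")) if "docProps/app.xml" in names else None
    props = {
        "file": f"sha256:{hashlib.sha256(data).hexdigest()}",   # assumed file:bytes value shape
        "title": _text(core, f"{{{NS_DC}}}title"),
        "author": _text(core, f"{{{NS_DC}}}creator"),
        "subject": _text(core, f"{{{NS_DC}}}subject"),
        "application": _text(app, f"{{{NS_APP}}}Application"),
    }
    created = _text(core, f"{{{NS_DCTERMS}}}created")
    modified = _text(core, f"{{{NS_DCTERMS}}}modified")
    props["created"] = to_epoch_ms(created) if created else None
    props["lastsaved"] = to_epoch_ms(modified) if modified else None
    # drop absent fields so nothing is set to a bogus empty value
    return {"form": form, "props": {k: v for k, v in props.items() if v is not None}}


def build_sample_docx() -> bytes:
    """Constructed .docx skeleton (not a real document): only the parts the extractor reads."""
    core = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}" xmlns:dcterms="{NS_DCTERMS}" xmlns:xsi="{NS_XSI}">
  <dc:title>Invoice 4471</dc:title>
  <dc:subject>Q3 payment</dc:subject>
  <dc:creator>alice</dc:creator>
  <dcterms:created xsi:type="dcterms:W3CDTF">2024-05-01T10:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2024-05-02T11:30:00Z</dcterms:modified>
</cp:coreProperties>"""
    app = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{NS_APP}"><Application>Microsoft Office Word</Application></Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(office_metadata(build_sample_docx()), indent=2))
```

The form is chosen from the main part rather than from the file extension, because maldocs are routinely renamed; the metadata itself is attacker-controlled text and should be treated as such when it is later rendered or pivoted on.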

file:mime:pe:export

The fused knowledge of a file:bytes node containing a pe named export.

The base type for the form can be found at file:mime:pe:export.

Properties:

name

type

doc

opts

:file

file:bytes

The file containing the export.

Read Only: True

:name

str

The name of the export in the file.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:pe:resource

The fused knowledge of a file:bytes node containing a pe resource.

The base type for the form can be found at file:mime:pe:resource.

Properties:

name

type

doc

opts

:file

file:bytes

The file containing the resource.

Read Only: True

:type

pe:resource:type

The typecode for the resource.

Read Only: True

:langid

pe:langid

The language code for the resource.

Read Only: True

:resource

file:bytes

The file:bytes node for the resource's bytes (keyed by their sha256 hash).

Read Only: True

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:mime:pe:section

The fused knowledge of a file:bytes node containing a PE section.

The base type for the form can be found at file:mime:pe:section.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :file | file:bytes | The file containing the section. | Read Only: True |
| :name | str | The textual name of the section. | Read Only: True |
| :sha256 | hash:sha256 | The sha256 hash of the section. Relocations must be zeroed before hashing. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:mime:pe:vsvers:info

Knowledge of a file:bytes node containing vsvers info.

The base type for the form can be found at file:mime:pe:vsvers:info.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :file | file:bytes | The file containing the vsversion keyval pair. | Read Only: True |
| :keyval | file:mime:pe:vsvers:keyval | The vsversion info keyval in this file:bytes node. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:mime:pe:vsvers:keyval

A key value pair found in a PE vsversion info structure.

The base type for the form can be found at file:mime:pe:vsvers:keyval.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :name | str | The key for the vsversion keyval pair. | Read Only: True |
| :value | str | The value for the vsversion keyval pair. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:mime:png

The GUID of a set of mime metadata for a .png file.

The base type for the form can be found at file:mime:png.

Properties:

| name | type | doc |
| --- | --- | --- |
| :desc | str | MIME specific description field extracted from metadata. |
| :comment | str | MIME specific comment field extracted from metadata. |
| :created | time | MIME specific creation timestamp extracted from metadata. |
| :imageid | str | MIME specific unique identifier extracted from metadata. |
| :author | ps:contact | MIME specific contact information extracted from metadata. |
| :latlong | geo:latlong | MIME specific lat/long information extracted from metadata. |
| :altitude | geo:altitude | MIME specific altitude information extracted from metadata. |
| :text | lower: True, onespace: True | The text contained within the image. |
| :file | file:bytes | The file that the mime info was parsed from. |
| :file:offs | int | The optional offset where the mime info was parsed from. |
| :file:data | data | A mime specific arbitrary data structure for non-indexed data. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:mime:rtf

The GUID of a set of mime metadata for a .rtf file.

The base type for the form can be found at file:mime:rtf.

Properties:

| name | type | doc |
| --- | --- | --- |
| :guid | guid | The parsed GUID embedded in the .rtf file. |
| :file | file:bytes | The file that the mime info was parsed from. |
| :file:offs | int | The optional offset where the mime info was parsed from. |
| :file:data | data | A mime specific arbitrary data structure for non-indexed data. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:mime:tif

The GUID of a set of mime metadata for a .tif file.

The base type for the form can be found at file:mime:tif.

Properties:

| name | type | doc |
| --- | --- | --- |
| :desc | str | MIME specific description field extracted from metadata. |
| :comment | str | MIME specific comment field extracted from metadata. |
| :created | time | MIME specific creation timestamp extracted from metadata. |
| :imageid | str | MIME specific unique identifier extracted from metadata. |
| :author | ps:contact | MIME specific contact information extracted from metadata. |
| :latlong | geo:latlong | MIME specific lat/long information extracted from metadata. |
| :altitude | geo:altitude | MIME specific altitude information extracted from metadata. |
| :text | lower: True, onespace: True | The text contained within the image. |
| :file | file:bytes | The file that the mime info was parsed from. |
| :file:offs | int | The optional offset where the mime info was parsed from. |
| :file:data | data | A mime specific arbitrary data structure for non-indexed data. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:path

A normalized file path.

The base type for the form can be found at file:path.

An example of file:path:

  • c:/windows/system32/calc.exe

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :dir | file:path | The parent directory. | Read Only: True |
| :base | file:base | The file base name. | Read Only: True |
| :base:ext | str | The file extension. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:string

Deprecated. Please use the edge -(refs)> it:dev:str.

The base type for the form can be found at file:string.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :file | file:bytes | The file containing the string. | Read Only: True |
| :string | str | The string contained in this file:bytes node. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:subfile

A parent file that fully contains the specified child file.

The base type for the form can be found at file:subfile.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :parent | file:bytes | The parent file containing the child file. | Read Only: True |
| :child | file:bytes | The child file contained in the parent file. | Read Only: True |
| :name | file:base | Deprecated, please use the :path property. | Deprecated: True |
| :path | file:path | The path that the parent uses to refer to the child file. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

geo:name

An unstructured place name or address.

The base type for the form can be found at geo:name.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

geo:nloc

Records a node's latitude/longitude in space-time.

The base type for the form can be found at geo:nloc.

Properties:

name | type | doc | opts
:ndef | ndef | The node with a location in geospace and time. | Read Only: True
:ndef:form | str | The form of the node referenced by the ndef. | Read Only: True
:latlong | geo:latlong | The latitude/longitude at which the node was observed. | Read Only: True
:time | time | The time the node was observed at the location. | Read Only: True
:place | geo:place | The place corresponding to the latlong property. |
:loc | loc | The geo-political location string for the node. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

geo:place

A GUID for a geographic place.

The base type for the form can be found at geo:place.

Properties:

name | type | doc | opts
:id | strip: True | A type-specific identifier, such as an airport ID. |
:name | geo:name | The name of the place. | alts: ('names',)
:type | geo:place:taxonomy | The type of place. |
:names | type: geo:name; sorted: True; uniq: True | An array of alternative place names. |
:parent | geo:place | Deprecated. Please use a -(contains)> edge. | Deprecated: True
:desc | str | A long-form description of the place. |
:loc | loc | The geo-political location string for the node. |
:address | geo:address | The street/mailing address for the place. |
:geojson | geo:json | A GeoJSON representation of the place. |
:latlong | geo:latlong | The lat/long position for the place. |
:bbox | geo:bbox | A bounding box which encompasses the place. |
:radius | geo:dist | An approximate radius to use for bounding box calculation. |
:photo | file:bytes | The image file to use as the primary image of the place. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.
geo:place | -(contains)> | geo:place | The source place completely contains the target place.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
geo:place | -(contains)> | geo:place | None
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

geo:place:taxonomy

A taxonomy of place types.

The base type for the form can be found at geo:place:taxonomy.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth, indexed from 0. | Read Only: True
:parent | geo:place:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

geo:telem

The geospatial position and physical characteristics of a node at a given time.

The base type for the form can be found at geo:telem.

Properties:

name | type | doc | opts
:time | time | The time that the telemetry measurements were taken. |
:desc | str | A description of the telemetry sample. |
:latlong | geo:latlong | Deprecated. Please use :place:latlong. | Deprecated: True
:accuracy | geo:dist | Deprecated. Please use :place:latlong:accuracy. | Deprecated: True
:node | ndef | The node that was observed at the associated time and place. |
:phys:mass | mass | The mass of the object. |
:phys:volume | geo:dist | The cubed volume of the object. |
:phys:length | geo:dist | The length of the object. |
:phys:width | geo:dist | The width of the object. |
:phys:height | geo:dist | The height of the object. |
:place | geo:place | The place where the object was located. |
:place:loc | loc | The geopolitical location of the object. |
:place:name | geo:name | The name of the place where the object was located. |
:place:address | geo:address | The postal address of the place where the object was located. |
:place:latlong | geo:latlong | The latlong where the object was located. |
:place:latlong:accuracy | geo:dist | The accuracy of the latlong where the object was located. |
:place:country | pol:country | The country where the object was located. |
:place:country:code | pol:iso2 | The country code where the object was located. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

gov:cn:icp

A Chinese Internet Content Provider ID.

The base type for the form can be found at gov:cn:icp.

Properties:

name | type | doc
:org | ou:org | The org with the Internet Content Provider ID.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

gov:cn:mucd

A Chinese PLA MUCD (Military Unit Cover Designator).

The base type for the form can be found at gov:cn:mucd.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

gov:us:cage

A Commercial and Government Entity (CAGE) code.

The base type for the form can be found at gov:us:cage.

Properties:

name | type | doc
:name0 | ou:name | The name of the organization.
:name1 | lower: True | Name Part 1.
:street | lower: True | The base string type.
:city | lower: True | The base string type.
:state | lower: True | The base string type.
:zip | gov:us:zip | A US Postal Zip Code.
:cc | pol:iso2 | The 2-letter ISO 3166 country code.
:country | lower: True | The base string type.
:phone0 | tel:phone | A phone number.
:phone1 | tel:phone | A phone number.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

gov:us:ssn

A US Social Security Number (SSN).

The base type for the form can be found at gov:us:ssn.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

gov:us:zip

A US Postal Zip Code.

The base type for the form can be found at gov:us:zip.

Source Edges:

source               verb            target           doc
*                    -(meets)>       ou:requirement   The requirement is met by the source node.
*                    -(refs)>        *                The source node contains a reference to the target node.
*                    -(seenat)>      geo:telem        Deprecated. Please use geo:telem:node.

Target Edges:

source               verb            target           doc
*                    -(refs)>        *                None
econ:purchase        -(acquired)>    *                The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *                The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *                The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *                The target node was returned as a result of running the query.
math:algorithm       -(generates)>   *                The target node was generated by the algorithm.
meta:feed            -(found)>       *                The meta:feed produced the target node.
meta:note            -(about)>       *                The meta:note is about the target node.
meta:rule            -(detects)>     *                The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *                The meta:rule has matched on the target node.
meta:source          -(seen)>        *                The meta:source observed the target node.
ou:campaign          -(targets)>     *                The campaign targeted the target nodes.
ou:campaign          -(uses)>        *                The campaign made use of the target node.
ou:contribution      -(includes)>    *                The contribution includes the specific node.
ou:org               -(has)>         *                The organization is or was in possession of the target node.
ou:org               -(owns)>        *                The organization owns or owned the target node.
ou:org               -(targets)>     *                The organization targets the target node.
ou:org               -(uses)>        *                The ou:org makes use of the target node.
plan:procedure:step  -(uses)>        *                The step in the procedure makes use of the target node.
ps:contact           -(has)>         *                The contact is or was in possession of the target node.
ps:contact           -(owns)>        *                The contact owns or owned the target node.
ps:person            -(has)>         *                The person is or was in possession of the target node.
ps:person            -(owns)>        *                The person owns or owned the target node.
risk:attack          -(targets)>     *                The attack targeted the target node.
risk:attack          -(uses)>        *                The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *                The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *                The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *                The leak included the disclosure of the target node.
risk:outage          -(impacted)>    *                The outage event impacted the availability of the target node.
risk:threat          -(targets)>     *                The threat cluster targeted the target node.
risk:threat          -(uses)>        *                The threat cluster uses the target node.
risk:tool:software   -(uses)>        *                The tool uses the target node.
sci:evidence         -(has)>         *                The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *                The experiment used the target nodes when it was run.
sci:observation      -(has)>         *                The observations are summarized from the target nodes.

graph:cluster

A generic node, used in conjunction with Edge types, to cluster arbitrary nodes to a single node in the model.

The base type for the form can be found at graph:cluster.

Properties:

name       type           doc
:name      lower: True    A human friendly name for the cluster.
:desc      lower: True    A human friendly long form description for the cluster.
:type      lower: True    An optional type field used to group clusters.

Source Edges:

source               verb            target           doc
*                    -(meets)>       ou:requirement   The requirement is met by the source node.
*                    -(refs)>        *                The source node contains a reference to the target node.
*                    -(seenat)>      geo:telem        Deprecated. Please use geo:telem:node.

Target Edges:

source               verb            target           doc
*                    -(refs)>        *                None
econ:purchase        -(acquired)>    *                The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *                The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *                The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *                The target node was returned as a result of running the query.
math:algorithm       -(generates)>   *                The target node was generated by the algorithm.
meta:feed            -(found)>       *                The meta:feed produced the target node.
meta:note            -(about)>       *                The meta:note is about the target node.
meta:rule            -(detects)>     *                The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *                The meta:rule has matched on the target node.
meta:source          -(seen)>        *                The meta:source observed the target node.
ou:campaign          -(targets)>     *                The campaign targeted the target nodes.
ou:campaign          -(uses)>        *                The campaign made use of the target node.
ou:contribution      -(includes)>    *                The contribution includes the specific node.
ou:org               -(has)>         *                The organization is or was in possession of the target node.
ou:org               -(owns)>        *                The organization owns or owned the target node.
ou:org               -(targets)>     *                The organization targets the target node.
ou:org               -(uses)>        *                The ou:org makes use of the target node.
plan:procedure:step  -(uses)>        *                The step in the procedure makes use of the target node.
ps:contact           -(has)>         *                The contact is or was in possession of the target node.
ps:contact           -(owns)>        *                The contact owns or owned the target node.
ps:person            -(has)>         *                The person is or was in possession of the target node.
ps:person            -(owns)>        *                The person owns or owned the target node.
risk:attack          -(targets)>     *                The attack targeted the target node.
risk:attack          -(uses)>        *                The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *                The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *                The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *                The leak included the disclosure of the target node.
risk:outage          -(impacted)>    *                The outage event impacted the availability of the target node.
risk:threat          -(targets)>     *                The threat cluster targeted the target node.
risk:threat          -(uses)>        *                The threat cluster uses the target node.
risk:tool:software   -(uses)>        *                The tool uses the target node.
sci:evidence         -(has)>         *                The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *                The experiment used the target nodes when it was run.
sci:observation      -(has)>         *                The observations are summarized from the target nodes.

graph:edge

A generic digraph edge to show relationships outside the model.

The base type for the form can be found at graph:edge.

Properties:

name       type    doc                                                         opts
:n1        ndef    The node definition type for a (form,valu) compound field.  Read Only: True
:n1:form   str     The base string type.                                       Read Only: True
:n2        ndef    The node definition type for a (form,valu) compound field.  Read Only: True
:n2:form   str     The base string type.                                       Read Only: True

Source Edges:

source               verb            target           doc
*                    -(meets)>       ou:requirement   The requirement is met by the source node.
*                    -(refs)>        *                The source node contains a reference to the target node.
*                    -(seenat)>      geo:telem        Deprecated. Please use geo:telem:node.

Target Edges:

source               verb            target           doc
*                    -(refs)>        *                None
econ:purchase        -(acquired)>    *                The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *                The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *                The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *                The target node was returned as a result of running the query.
math:algorithm       -(generates)>   *                The target node was generated by the algorithm.
meta:feed            -(found)>       *                The meta:feed produced the target node.
meta:note            -(about)>       *                The meta:note is about the target node.
meta:rule            -(detects)>     *                The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *                The meta:rule has matched on the target node.
meta:source          -(seen)>        *                The meta:source observed the target node.
ou:campaign          -(targets)>     *                The campaign targeted the target nodes.
ou:campaign          -(uses)>        *                The campaign made use of the target node.
ou:contribution      -(includes)>    *                The contribution includes the specific node.
ou:org               -(has)>         *                The organization is or was in possession of the target node.
ou:org               -(owns)>        *                The organization owns or owned the target node.
ou:org               -(targets)>     *                The organization targets the target node.
ou:org               -(uses)>        *                The ou:org makes use of the target node.
plan:procedure:step  -(uses)>        *                The step in the procedure makes use of the target node.
ps:contact           -(has)>         *                The contact is or was in possession of the target node.
ps:contact           -(owns)>        *                The contact owns or owned the target node.
ps:person            -(has)>         *                The person is or was in possession of the target node.
ps:person            -(owns)>        *                The person owns or owned the target node.
risk:attack          -(targets)>     *                The attack targeted the target node.
risk:attack          -(uses)>        *                The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *                The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *                The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *                The leak included the disclosure of the target node.
risk:outage          -(impacted)>    *                The outage event impacted the availability of the target node.
risk:threat          -(targets)>     *                The threat cluster targeted the target node.
risk:threat          -(uses)>        *                The threat cluster uses the target node.
risk:tool:software   -(uses)>        *                The tool uses the target node.
sci:evidence         -(has)>         *                The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *                The experiment used the target nodes when it was run.
sci:observation      -(has)>         *                The observations are summarized from the target nodes.

graph:event

A generic event node to represent events outside the model.

The base type for the form can be found at graph:event.

Properties:

name       type    doc
:time      time    The time of the event.
:type      str     An arbitrary type string for the event.
:name      str     A name for the event.
:data      data    Arbitrary non-indexed msgpack data attached to the event.

Source Edges:

source               verb            target           doc
*                    -(meets)>       ou:requirement   The requirement is met by the source node.
*                    -(refs)>        *                The source node contains a reference to the target node.
*                    -(seenat)>      geo:telem        Deprecated. Please use geo:telem:node.

Target Edges:

source               verb            target           doc
*                    -(refs)>        *                None
econ:purchase        -(acquired)>    *                The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *                The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *                The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *                The target node was returned as a result of running the query.
math:algorithm       -(generates)>   *                The target node was generated by the algorithm.
meta:feed            -(found)>       *                The meta:feed produced the target node.
meta:note            -(about)>       *                The meta:note is about the target node.
meta:rule            -(detects)>     *                The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *                The meta:rule has matched on the target node.
meta:source          -(seen)>        *                The meta:source observed the target node.
ou:campaign          -(targets)>     *                The campaign targeted the target nodes.
ou:campaign          -(uses)>        *                The campaign made use of the target node.
ou:contribution      -(includes)>    *                The contribution includes the specific node.
ou:org               -(has)>         *                The organization is or was in possession of the target node.
ou:org               -(owns)>        *                The organization owns or owned the target node.
ou:org               -(targets)>     *                The organization targets the target node.
ou:org               -(uses)>        *                The ou:org makes use of the target node.
plan:procedure:step  -(uses)>        *                The step in the procedure makes use of the target node.
ps:contact           -(has)>         *                The contact is or was in possession of the target node.
ps:contact           -(owns)>        *                The contact owns or owned the target node.
ps:person            -(has)>         *                The person is or was in possession of the target node.
ps:person            -(owns)>        *                The person owns or owned the target node.
risk:attack          -(targets)>     *                The attack targeted the target node.
risk:attack          -(uses)>        *                The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *                The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *                The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *                The leak included the disclosure of the target node.
risk:outage          -(impacted)>    *                The outage event impacted the availability of the target node.
risk:threat          -(targets)>     *                The threat cluster targeted the target node.
risk:threat          -(uses)>        *                The threat cluster uses the target node.
risk:tool:software   -(uses)>        *                The tool uses the target node.
sci:evidence         -(has)>         *                The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *                The experiment used the target nodes when it was run.
sci:observation      -(has)>         *                The observations are summarized from the target nodes.

graph:node

A generic node used to represent objects outside the model.

The base type for the form can be found at graph:node.

Properties:

name       type    doc
:type      str     The type name for the non-model node.
:name      str     A human readable name for this record.
:data      data    Arbitrary non-indexed msgpack data attached to the node.

Source Edges:

source               verb            target           doc
*                    -(meets)>       ou:requirement   The requirement is met by the source node.
*                    -(refs)>        *                The source node contains a reference to the target node.
*                    -(seenat)>      geo:telem        Deprecated. Please use geo:telem:node.

Target Edges:

source               verb            target           doc
*                    -(refs)>        *                None
econ:purchase        -(acquired)>    *                The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *                The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *                The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *                The target node was returned as a result of running the query.
math:algorithm       -(generates)>   *                The target node was generated by the algorithm.
meta:feed            -(found)>       *                The meta:feed produced the target node.
meta:note            -(about)>       *                The meta:note is about the target node.
meta:rule            -(detects)>     *                The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *                The meta:rule has matched on the target node.
meta:source          -(seen)>        *                The meta:source observed the target node.
ou:campaign          -(targets)>     *                The campaign targeted the target nodes.
ou:campaign          -(uses)>        *                The campaign made use of the target node.
ou:contribution      -(includes)>    *                The contribution includes the specific node.
ou:org               -(has)>         *                The organization is or was in possession of the target node.
ou:org               -(owns)>        *                The organization owns or owned the target node.
ou:org               -(targets)>     *                The organization targets the target node.
ou:org               -(uses)>        *                The ou:org makes use of the target node.
plan:procedure:step  -(uses)>        *                The step in the procedure makes use of the target node.
ps:contact           -(has)>         *                The contact is or was in possession of the target node.
ps:contact           -(owns)>        *                The contact owns or owned the target node.
ps:person            -(has)>         *                The person is or was in possession of the target node.
ps:person            -(owns)>        *                The person owns or owned the target node.
risk:attack          -(targets)>     *                The attack targeted the target node.
risk:attack          -(uses)>        *                The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *                The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *                The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *                The leak included the disclosure of the target node.
risk:outage          -(impacted)>    *                The outage event impacted the availability of the target node.
risk:threat          -(targets)>     *                The threat cluster targeted the target node.
risk:threat          -(uses)>        *                The threat cluster uses the target node.
risk:tool:software   -(uses)>        *                The tool uses the target node.
sci:evidence         -(has)>         *                The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *                The experiment used the target nodes when it was run.
sci:observation      -(has)>         *                The observations are summarized from the target nodes.

graph:timeedge

A generic digraph time edge to show relationships outside the model.

The base type for the form can be found at graph:timeedge.

Properties:

name       type    doc                                                         opts
:time      time    A date/time value.                                          Read Only: True
:n1        ndef    The node definition type for a (form,valu) compound field.  Read Only: True
:n1:form   str     The base string type.                                       Read Only: True
:n2        ndef    The node definition type for a (form,valu) compound field.  Read Only: True
:n2:form   str     The base string type.                                       Read Only: True

Source Edges:

source               verb            target           doc
*                    -(meets)>       ou:requirement   The requirement is met by the source node.
*                    -(refs)>        *                The source node contains a reference to the target node.
*                    -(seenat)>      geo:telem        Deprecated. Please use geo:telem:node.

Target Edges:

source               verb            target           doc
*                    -(refs)>        *                None
econ:purchase        -(acquired)>    *                The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *                The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *                The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *                The target node was returned as a result of running the query.
math:algorithm       -(generates)>   *                The target node was generated by the algorithm.
meta:feed            -(found)>       *                The meta:feed produced the target node.
meta:note            -(about)>       *                The meta:note is about the target node.
meta:rule            -(detects)>     *                The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *                The meta:rule has matched on the target node.
meta:source          -(seen)>        *                The meta:source observed the target node.
ou:campaign          -(targets)>     *                The campaign targeted the target nodes.
ou:campaign          -(uses)>        *                The campaign made use of the target node.
ou:contribution      -(includes)>    *                The contribution includes the specific node.
ou:org               -(has)>         *                The organization is or was in possession of the target node.
ou:org               -(owns)>        *                The organization owns or owned the target node.
ou:org               -(targets)>     *                The organization targets the target node.
ou:org               -(uses)>        *                The ou:org makes use of the target node.
plan:procedure:step  -(uses)>        *                The step in the procedure makes use of the target node.
ps:contact           -(has)>         *                The contact is or was in possession of the target node.
ps:contact           -(owns)>        *                The contact owns or owned the target node.
ps:person            -(has)>         *                The person is or was in possession of the target node.
ps:person            -(owns)>        *                The person owns or owned the target node.
risk:attack          -(targets)>     *                The attack targeted the target node.
risk:attack          -(uses)>        *                The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *                The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *                The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *                The leak included the disclosure of the target node.
risk:outage          -(impacted)>    *                The outage event impacted the availability of the target node.
risk:threat          -(targets)>     *                The threat cluster targeted the target node.
risk:threat          -(uses)>        *                The threat cluster uses the target node.
risk:tool:software   -(uses)>        *                The tool uses the target node.
sci:evidence         -(has)>         *                The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *                The experiment used the target nodes when it was run.
sci:observation      -(has)>         *                The observations are summarized from the target nodes.

hash:md5

A hex encoded MD5 hash.

The base type for the form can be found at hash:md5.

An example of hash:md5:

  • d41d8cd98f00b204e9800998ecf8427e

Source Edges:

source               verb            target           doc
*                    -(meets)>       ou:requirement   The requirement is met by the source node.
*                    -(refs)>        *                The source node contains a reference to the target node.
*                    -(seenat)>      geo:telem        Deprecated. Please use geo:telem:node.

Target Edges:

source               verb            target           doc
*                    -(refs)>        *                None
econ:purchase        -(acquired)>    *                The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *                The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *                The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *                The target node was returned as a result of running the query.
math:algorithm       -(generates)>   *                The target node was generated by the algorithm.
meta:feed            -(found)>       *                The meta:feed produced the target node.
meta:note            -(about)>       *                The meta:note is about the target node.
meta:rule            -(detects)>     *                The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *                The meta:rule has matched on the target node.
meta:source          -(seen)>        *                The meta:source observed the target node.
ou:campaign          -(targets)>     *                The campaign targeted the target nodes.
ou:campaign          -(uses)>        *                The campaign made use of the target node.
ou:contribution      -(includes)>    *                The contribution includes the specific node.
ou:org               -(has)>         *                The organization is or was in possession of the target node.
ou:org               -(owns)>        *                The organization owns or owned the target node.
ou:org               -(targets)>     *                The organization targets the target node.
ou:org               -(uses)>        *                The ou:org makes use of the target node.
plan:procedure:step  -(uses)>        *                The step in the procedure makes use of the target node.
ps:contact           -(has)>         *                The contact is or was in possession of the target node.
ps:contact           -(owns)>        *                The contact owns or owned the target node.
ps:person            -(has)>         *                The person is or was in possession of the target node.
ps:person            -(owns)>        *                The person owns or owned the target node.
risk:attack          -(targets)>     *                The attack targeted the target node.
risk:attack          -(uses)>        *                The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *                The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *                The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *                The leak included the disclosure of the target node.
risk:outage          -(impacted)>    *                The outage event impacted the availability of the target node.
risk:threat          -(targets)>     *                The threat cluster targeted the target node.
risk:threat          -(uses)>        *                The threat cluster uses the target node.
risk:tool:software   -(uses)>        *                The tool uses the target node.
sci:evidence         -(has)>         *                The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *                The experiment used the target nodes when it was run.
sci:observation      -(has)>         *                The observations are summarized from the target nodes.

hash:sha1

A hex encoded SHA1 hash.

The base type for the form can be found at hash:sha1.

An example of hash:sha1:

  • da39a3ee5e6b4b0d3255bfef95601890afd80709

Source Edges:

source               verb            target           doc
*                    -(meets)>       ou:requirement   The requirement is met by the source node.
*                    -(refs)>        *                The source node contains a reference to the target node.
*                    -(seenat)>      geo:telem        Deprecated. Please use geo:telem:node.

Target Edges:

source               verb            target           doc
*                    -(refs)>        *                None
econ:purchase        -(acquired)>    *                The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *                The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *                The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *                The target node was returned as a result of running the query.
math:algorithm       -(generates)>   *                The target node was generated by the algorithm.
meta:feed            -(found)>       *                The meta:feed produced the target node.
meta:note            -(about)>       *                The meta:note is about the target node.
meta:rule            -(detects)>     *                The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *                The meta:rule has matched on the target node.
meta:source          -(seen)>        *                The meta:source observed the target node.
ou:campaign          -(targets)>     *                The campaign targeted the target nodes.
ou:campaign          -(uses)>        *                The campaign made use of the target node.
ou:contribution      -(includes)>    *                The contribution includes the specific node.
ou:org               -(has)>         *                The organization is or was in possession of the target node.
ou:org               -(owns)>        *                The organization owns or owned the target node.
ou:org               -(targets)>     *                The organization targets the target node.
ou:org               -(uses)>        *                The ou:org makes use of the target node.
plan:procedure:step  -(uses)>        *                The step in the procedure makes use of the target node.
ps:contact           -(has)>         *                The contact is or was in possession of the target node.
ps:contact           -(owns)>        *                The contact owns or owned the target node.
ps:person            -(has)>         *                The person is or was in possession of the target node.
ps:person            -(owns)>        *                The person owns or owned the target node.
risk:attack          -(targets)>     *                The attack targeted the target node.
risk:attack          -(uses)>        *                The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *                The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *                The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *                The leak included the disclosure of the target node.
risk:outage          -(impacted)>    *                The outage event impacted the availability of the target node.
risk:threat          -(targets)>     *                The threat cluster targeted the target node.
risk:threat          -(uses)>        *                The threat cluster uses the target node.
risk:tool:software   -(uses)>        *                The tool uses the target node.
sci:evidence         -(has)>         *                The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *                The experiment used the target nodes when it was run.
sci:observation      -(has)>         *                The observations are summarized from the target nodes.

hash:sha256

A hex encoded SHA256 hash.

The base type for the form can be found at hash:sha256.

An example of hash:sha256:

  • ad9f4fe922b61e674a09530831759843b1880381de686a43460a76864ca0340c

Source Edges:

source               verb            target           doc
*                    -(meets)>       ou:requirement   The requirement is met by the source node.
*                    -(refs)>        *                The source node contains a reference to the target node.
*                    -(seenat)>      geo:telem        Deprecated. Please use geo:telem:node.

Target Edges:

source               verb            target           doc
*                    -(refs)>        *                None
econ:purchase        -(acquired)>    *                The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *                The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *                The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *                The target node was returned as a result of running the query.
math:algorithm       -(generates)>   *                The target node was generated by the algorithm.
meta:feed            -(found)>       *                The meta:feed produced the target node.
meta:note            -(about)>       *                The meta:note is about the target node.
meta:rule            -(detects)>     *                The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *                The meta:rule has matched on the target node.
meta:source          -(seen)>        *                The meta:source observed the target node.
ou:campaign          -(targets)>     *                The campaign targeted the target nodes.
ou:campaign          -(uses)>        *                The campaign made use of the target node.
ou:contribution      -(includes)>    *                The contribution includes the specific node.
ou:org               -(has)>         *                The organization is or was in possession of the target node.
ou:org               -(owns)>        *                The organization owns or owned the target node.
ou:org               -(targets)>     *                The organization targets the target node.
ou:org               -(uses)>        *                The ou:org makes use of the target node.
plan:procedure:step  -(uses)>        *                The step in the procedure makes use of the target node.
ps:contact           -(has)>         *                The contact is or was in possession of the target node.
ps:contact           -(owns)>        *                The contact owns or owned the target node.
ps:person            -(has)>         *                The person is or was in possession of the target node.
ps:person            -(owns)>        *                The person owns or owned the target node.
risk:attack          -(targets)>     *                The attack targeted the target node.
risk:attack          -(uses)>        *                The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *                The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *                The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *                The leak included the disclosure of the target node.
risk:outage          -(impacted)>    *                The outage event impacted the availability of the target node.
risk:threat          -(targets)>     *                The threat cluster targeted the target node.
risk:threat          -(uses)>        *                The threat cluster uses the target node.
risk:tool:software   -(uses)>        *                The tool uses the target node.
sci:evidence         -(has)>         *                The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *                The experiment used the target nodes when it was run.
sci:observation      -(has)>         *                The observations are summarized from the target nodes.

hash:sha384

A hex encoded SHA384 hash.

The base type for the form can be found at hash:sha384.

An example of hash:sha384:

  • d425f1394e418ce01ed1579069a8bfaa1da8f32cf823982113ccbef531fa36bda9987f389c5af05b5e28035242efab6c

Source Edges:

source               verb            target           doc
*                    -(meets)>       ou:requirement   The requirement is met by the source node.
*                    -(refs)>        *                The source node contains a reference to the target node.
*                    -(seenat)>      geo:telem        Deprecated. Please use geo:telem:node.

Target Edges:

source               verb            target           doc
*                    -(refs)>        *                None
econ:purchase        -(acquired)>    *                The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *                The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *                The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *                The target node was returned as a result of running the query.
math:algorithm       -(generates)>   *                The target node was generated by the algorithm.
meta:feed            -(found)>       *                The meta:feed produced the target node.
meta:note            -(about)>       *                The meta:note is about the target node.
meta:rule            -(detects)>     *                The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *                The meta:rule has matched on the target node.
meta:source          -(seen)>        *                The meta:source observed the target node.
ou:campaign          -(targets)>     *                The campaign targeted the target nodes.
ou:campaign          -(uses)>        *                The campaign made use of the target node.
ou:contribution      -(includes)>    *                The contribution includes the specific node.
ou:org               -(has)>         *                The organization is or was in possession of the target node.
ou:org               -(owns)>        *                The organization owns or owned the target node.
ou:org               -(targets)>     *                The organization targets the target node.
ou:org               -(uses)>        *                The ou:org makes use of the target node.
plan:procedure:step  -(uses)>        *                The step in the procedure makes use of the target node.
ps:contact           -(has)>         *                The contact is or was in possession of the target node.
ps:contact           -(owns)>        *                The contact owns or owned the target node.
ps:person            -(has)>         *                The person is or was in possession of the target node.
ps:person            -(owns)>        *                The person owns or owned the target node.
risk:attack          -(targets)>     *                The attack targeted the target node.
risk:attack          -(uses)>        *                The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *                The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *                The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *                The leak included the disclosure of the target node.
risk:outage          -(impacted)>    *                The outage event impacted the availability of the target node.
risk:threat          -(targets)>     *                The threat cluster targeted the target node.
risk:threat          -(uses)>        *                The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

hash:sha512

A hex-encoded SHA512 hash.

The base type for the form can be found at hash:sha512.

An example of hash:sha512:

  • ca74fe2ff2d03b29339ad7d08ba21d192077fece1715291c7b43c20c9136cd132788239189f3441a87eb23ce2660aa243f334295902c904b5520f6e80ab91f11

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target          doc
*                    -(refs)>       *               None
econ:purchase        -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *               The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *               The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *               The target node was generated by the algorithm.
meta:feed            -(found)>      *               The meta:feed produced the target node.
meta:note            -(about)>      *               The meta:note is about the target node.
meta:rule            -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *               The meta:rule has matched on the target node.
meta:source          -(seen)>       *               The meta:source observed the target node.
ou:campaign          -(targets)>    *               The campaign targeted the target nodes.
ou:campaign          -(uses)>       *               The campaign made use of the target node.
ou:contribution      -(includes)>   *               The contribution includes the specific node.
ou:org               -(has)>        *               The organization is or was in possession of the target node.
ou:org               -(owns)>       *               The organization owns or owned the target node.
ou:org               -(targets)>    *               The organization targets the target node.
ou:org               -(uses)>       *               The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *               The step in the procedure makes use of the target node.
ps:contact           -(has)>        *               The contact is or was in possession of the target node.
ps:contact           -(owns)>       *               The contact owns or owned the target node.
ps:person            -(has)>        *               The person is or was in possession of the target node.
ps:person            -(owns)>       *               The person owns or owned the target node.
risk:attack          -(targets)>    *               The attack targeted the target node.
risk:attack          -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *               The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *               The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *               The threat cluster targeted the target node.
risk:threat          -(uses)>       *               The threat cluster uses the target node.
risk:tool:software   -(uses)>       *               The tool uses the target node.
sci:evidence         -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation      -(has)>        *               The observations are summarized from the target nodes.

inet:asn

An Autonomous System Number (ASN).

The base type for the form can be found at inet:asn.

Properties:

  :name (lower: True)
      The name of the organization currently responsible for the ASN.

  :owner (ou:org)
      The guid of the organization currently responsible for the ASN.

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target          doc
*                    -(refs)>       *               None
econ:purchase        -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *               The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *               The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *               The target node was generated by the algorithm.
meta:feed            -(found)>      *               The meta:feed produced the target node.
meta:note            -(about)>      *               The meta:note is about the target node.
meta:rule            -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *               The meta:rule has matched on the target node.
meta:source          -(seen)>       *               The meta:source observed the target node.
ou:campaign          -(targets)>    *               The campaign targeted the target nodes.
ou:campaign          -(uses)>       *               The campaign made use of the target node.
ou:contribution      -(includes)>   *               The contribution includes the specific node.
ou:org               -(has)>        *               The organization is or was in possession of the target node.
ou:org               -(owns)>       *               The organization owns or owned the target node.
ou:org               -(targets)>    *               The organization targets the target node.
ou:org               -(uses)>       *               The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *               The step in the procedure makes use of the target node.
ps:contact           -(has)>        *               The contact is or was in possession of the target node.
ps:contact           -(owns)>       *               The contact owns or owned the target node.
ps:person            -(has)>        *               The person is or was in possession of the target node.
ps:person            -(owns)>       *               The person owns or owned the target node.
risk:attack          -(targets)>    *               The attack targeted the target node.
risk:attack          -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *               The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *               The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *               The threat cluster targeted the target node.
risk:threat          -(uses)>       *               The threat cluster uses the target node.
risk:tool:software   -(uses)>       *               The tool uses the target node.
sci:evidence         -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation      -(has)>        *               The observations are summarized from the target nodes.

inet:asnet4

An Autonomous System Number (ASN) and its associated IPv4 address range.

The base type for the form can be found at inet:asnet4.

An example of inet:asnet4:

  • (54959, (1.2.3.4, 1.2.3.20))

Properties:

  :asn (inet:asn)
      The Autonomous System Number (ASN) of the netblock.
      Read Only: True

  :net4 (inet:net4)
      The IPv4 address range assigned to the ASN.
      Read Only: True

  :net4:min (inet:ipv4)
      The first IPv4 address in the range assigned to the ASN.
      Read Only: True

  :net4:max (inet:ipv4)
      The last IPv4 address in the range assigned to the ASN.
      Read Only: True

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target          doc
*                    -(refs)>       *               None
econ:purchase        -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *               The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *               The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *               The target node was generated by the algorithm.
meta:feed            -(found)>      *               The meta:feed produced the target node.
meta:note            -(about)>      *               The meta:note is about the target node.
meta:rule            -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *               The meta:rule has matched on the target node.
meta:source          -(seen)>       *               The meta:source observed the target node.
ou:campaign          -(targets)>    *               The campaign targeted the target nodes.
ou:campaign          -(uses)>       *               The campaign made use of the target node.
ou:contribution      -(includes)>   *               The contribution includes the specific node.
ou:org               -(has)>        *               The organization is or was in possession of the target node.
ou:org               -(owns)>       *               The organization owns or owned the target node.
ou:org               -(targets)>    *               The organization targets the target node.
ou:org               -(uses)>       *               The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *               The step in the procedure makes use of the target node.
ps:contact           -(has)>        *               The contact is or was in possession of the target node.
ps:contact           -(owns)>       *               The contact owns or owned the target node.
ps:person            -(has)>        *               The person is or was in possession of the target node.
ps:person            -(owns)>       *               The person owns or owned the target node.
risk:attack          -(targets)>    *               The attack targeted the target node.
risk:attack          -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *               The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *               The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *               The threat cluster targeted the target node.
risk:threat          -(uses)>       *               The threat cluster uses the target node.
risk:tool:software   -(uses)>       *               The tool uses the target node.
sci:evidence         -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation      -(has)>        *               The observations are summarized from the target nodes.

inet:asnet6

An Autonomous System Number (ASN) and its associated IPv6 address range.

The base type for the form can be found at inet:asnet6.

An example of inet:asnet6:

  • (54959, (ff::00, ff::02))

Properties:

  :asn (inet:asn)
      The Autonomous System Number (ASN) of the netblock.
      Read Only: True

  :net6 (inet:net6)
      The IPv6 address range assigned to the ASN.
      Read Only: True

  :net6:min (inet:ipv6)
      The first IPv6 address in the range assigned to the ASN.
      Read Only: True

  :net6:max (inet:ipv6)
      The last IPv6 address in the range assigned to the ASN.
      Read Only: True

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target          doc
*                    -(refs)>       *               None
econ:purchase        -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *               The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *               The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *               The target node was generated by the algorithm.
meta:feed            -(found)>      *               The meta:feed produced the target node.
meta:note            -(about)>      *               The meta:note is about the target node.
meta:rule            -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *               The meta:rule has matched on the target node.
meta:source          -(seen)>       *               The meta:source observed the target node.
ou:campaign          -(targets)>    *               The campaign targeted the target nodes.
ou:campaign          -(uses)>       *               The campaign made use of the target node.
ou:contribution      -(includes)>   *               The contribution includes the specific node.
ou:org               -(has)>        *               The organization is or was in possession of the target node.
ou:org               -(owns)>       *               The organization owns or owned the target node.
ou:org               -(targets)>    *               The organization targets the target node.
ou:org               -(uses)>       *               The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *               The step in the procedure makes use of the target node.
ps:contact           -(has)>        *               The contact is or was in possession of the target node.
ps:contact           -(owns)>       *               The contact owns or owned the target node.
ps:person            -(has)>        *               The person is or was in possession of the target node.
ps:person            -(owns)>       *               The person owns or owned the target node.
risk:attack          -(targets)>    *               The attack targeted the target node.
risk:attack          -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *               The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *               The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *               The threat cluster targeted the target node.
risk:threat          -(uses)>       *               The threat cluster uses the target node.
risk:tool:software   -(uses)>       *               The tool uses the target node.
sci:evidence         -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation      -(has)>        *               The observations are summarized from the target nodes.

inet:banner

A network protocol banner string presented by a server.

The base type for the form can be found at inet:banner.

Properties:

  :server (inet:server)
      The server which presented the banner string.
      Read Only: True

  :server:ipv4 (inet:ipv4)
      The IPv4 address of the server.
      Read Only: True

  :server:ipv6 (inet:ipv6)
      The IPv6 address of the server.
      Read Only: True

  :server:port (inet:port)
      The network port of the server.
      Read Only: True

  :text (it:dev:str)
      The banner text.
      Read Only: True
      Display: {'hint': 'text'}

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target          doc
*                    -(refs)>       *               None
econ:purchase        -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *               The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *               The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *               The target node was generated by the algorithm.
meta:feed            -(found)>      *               The meta:feed produced the target node.
meta:note            -(about)>      *               The meta:note is about the target node.
meta:rule            -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *               The meta:rule has matched on the target node.
meta:source          -(seen)>       *               The meta:source observed the target node.
ou:campaign          -(targets)>    *               The campaign targeted the target nodes.
ou:campaign          -(uses)>       *               The campaign made use of the target node.
ou:contribution      -(includes)>   *               The contribution includes the specific node.
ou:org               -(has)>        *               The organization is or was in possession of the target node.
ou:org               -(owns)>       *               The organization owns or owned the target node.
ou:org               -(targets)>    *               The organization targets the target node.
ou:org               -(uses)>       *               The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *               The step in the procedure makes use of the target node.
ps:contact           -(has)>        *               The contact is or was in possession of the target node.
ps:contact           -(owns)>       *               The contact owns or owned the target node.
ps:person            -(has)>        *               The person is or was in possession of the target node.
ps:person            -(owns)>       *               The person owns or owned the target node.
risk:attack          -(targets)>    *               The attack targeted the target node.
risk:attack          -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *               The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *               The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *               The threat cluster targeted the target node.
risk:threat          -(uses)>       *               The threat cluster uses the target node.
risk:tool:software   -(uses)>       *               The tool uses the target node.
sci:evidence         -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation      -(has)>        *               The observations are summarized from the target nodes.

inet:cidr4

An IPv4 address block in Classless Inter-Domain Routing (CIDR) notation.

The base type for the form can be found at inet:cidr4.

An example of inet:cidr4:

  • 1.2.3.0/24

Properties:

  :broadcast (inet:ipv4)
      The broadcast IP address from the CIDR notation.
      Read Only: True

  :mask (int)
      The mask from the CIDR notation.
      Read Only: True

  :network (inet:ipv4)
      The network IP address from the CIDR notation.
      Read Only: True

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target          doc
*                    -(refs)>       *               None
econ:purchase        -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *               The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *               The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *               The target node was generated by the algorithm.
meta:feed            -(found)>      *               The meta:feed produced the target node.
meta:note            -(about)>      *               The meta:note is about the target node.
meta:rule            -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *               The meta:rule has matched on the target node.
meta:source          -(seen)>       *               The meta:source observed the target node.
ou:campaign          -(targets)>    *               The campaign targeted the target nodes.
ou:campaign          -(uses)>       *               The campaign made use of the target node.
ou:contribution      -(includes)>   *               The contribution includes the specific node.
ou:org               -(has)>        *               The organization is or was in possession of the target node.
ou:org               -(owns)>       *               The organization owns or owned the target node.
ou:org               -(targets)>    *               The organization targets the target node.
ou:org               -(uses)>       *               The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *               The step in the procedure makes use of the target node.
ps:contact           -(has)>        *               The contact is or was in possession of the target node.
ps:contact           -(owns)>       *               The contact owns or owned the target node.
ps:person            -(has)>        *               The person is or was in possession of the target node.
ps:person            -(owns)>       *               The person owns or owned the target node.
risk:attack          -(targets)>    *               The attack targeted the target node.
risk:attack          -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *               The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *               The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *               The threat cluster targeted the target node.
risk:threat          -(uses)>       *               The threat cluster uses the target node.
risk:tool:software   -(uses)>       *               The tool uses the target node.
sci:evidence         -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation      -(has)>        *               The observations are summarized from the target nodes.

inet:cidr6

An IPv6 address block in Classless Inter-Domain Routing (CIDR) notation.

The base type for the form can be found at inet:cidr6.

An example of inet:cidr6:

  • 2001:db8::/101

Properties:

  :broadcast (inet:ipv6)
      The broadcast IP address from the CIDR notation.
      Read Only: True

  :mask (int)
      The mask from the CIDR notation.
      Read Only: True

  :network (inet:ipv6)
      The network IP address from the CIDR notation.
      Read Only: True

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target          doc
*                    -(refs)>       *               None
econ:purchase        -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *               The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *               The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *               The target node was generated by the algorithm.
meta:feed            -(found)>      *               The meta:feed produced the target node.
meta:note            -(about)>      *               The meta:note is about the target node.
meta:rule            -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *               The meta:rule has matched on the target node.
meta:source          -(seen)>       *               The meta:source observed the target node.
ou:campaign          -(targets)>    *               The campaign targeted the target nodes.
ou:campaign          -(uses)>       *               The campaign made use of the target node.
ou:contribution      -(includes)>   *               The contribution includes the specific node.
ou:org               -(has)>        *               The organization is or was in possession of the target node.
ou:org               -(owns)>       *               The organization owns or owned the target node.
ou:org               -(targets)>    *               The organization targets the target node.
ou:org               -(uses)>       *               The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *               The step in the procedure makes use of the target node.
ps:contact           -(has)>        *               The contact is or was in possession of the target node.
ps:contact           -(owns)>       *               The contact owns or owned the target node.
ps:person            -(has)>        *               The person is or was in possession of the target node.
ps:person            -(owns)>       *               The person owns or owned the target node.
risk:attack          -(targets)>    *               The attack targeted the target node.
risk:attack          -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *               The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *               The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *               The threat cluster targeted the target node.
risk:threat          -(uses)>       *               The threat cluster uses the target node.
risk:tool:software   -(uses)>       *               The tool uses the target node.
sci:evidence         -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation      -(has)>        *               The observations are summarized from the target nodes.

inet:client

A network client address.

The base type for the form can be found at inet:client.

An example of inet:client:

  • tcp://1.2.3.4:80

Properties:

  :proto (lower: True)
      The network protocol of the client.
      Read Only: True

  :ipv4 (inet:ipv4)
      The IPv4 address of the client.
      Read Only: True

  :ipv6 (inet:ipv6)
      The IPv6 address of the client.
      Read Only: True

  :host (it:host)
      The it:host node for the client.
      Read Only: True

  :port (inet:port)
      The client TCP/UDP port.

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target          doc
*                    -(refs)>       *               None
econ:purchase        -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *               The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *               The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *               The target node was generated by the algorithm.
meta:feed            -(found)>      *               The meta:feed produced the target node.
meta:note            -(about)>      *               The meta:note is about the target node.
meta:rule            -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *               The meta:rule has matched on the target node.
meta:source          -(seen)>       *               The meta:source observed the target node.
ou:campaign          -(targets)>    *               The campaign targeted the target nodes.
ou:campaign          -(uses)>       *               The campaign made use of the target node.
ou:contribution      -(includes)>   *               The contribution includes the specific node.
ou:org               -(has)>        *               The organization is or was in possession of the target node.
ou:org               -(owns)>       *               The organization owns or owned the target node.
ou:org               -(targets)>    *               The organization targets the target node.
ou:org               -(uses)>       *               The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *               The step in the procedure makes use of the target node.
ps:contact           -(has)>        *               The contact is or was in possession of the target node.
ps:contact           -(owns)>       *               The contact owns or owned the target node.
ps:person            -(has)>        *               The person is or was in possession of the target node.
ps:person            -(owns)>       *               The person owns or owned the target node.
risk:attack          -(targets)>    *               The attack targeted the target node.
risk:attack          -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *               The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *               The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *               The threat cluster targeted the target node.
risk:threat          -(uses)>       *               The threat cluster uses the target node.
risk:tool:software   -(uses)>       *               The tool uses the target node.
sci:evidence         -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation      -(has)>        *               The observations are summarized from the target nodes.

inet:dns:a

The result of a DNS A record lookup.

The base type for the form can be found at inet:dns:a.

An example of inet:dns:a:

  • (vertex.link,1.2.3.4)

Properties:

  :fqdn (inet:fqdn)
      The domain queried for its DNS A record.
      Read Only: True

  :ipv4 (inet:ipv4)
      The IPv4 address returned in the A record.
      Read Only: True

Source Edges:

source               verb           target          doc
*                    -(meets)>      ou:requirement  The requirement is met by the source node.
*                    -(refs)>       *               The source node contains a reference to the target node.
*                    -(seenat)>     geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

source               verb           target          doc
*                    -(refs)>       *               None
econ:purchase        -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>    *               The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>      *               The target node was returned as a result of running the query.
math:algorithm       -(generates)>  *               The target node was generated by the algorithm.
meta:feed            -(found)>      *               The meta:feed produced the target node.
meta:note            -(about)>      *               The meta:note is about the target node.
meta:rule            -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>    *               The meta:rule has matched on the target node.
meta:source          -(seen)>       *               The meta:source observed the target node.
ou:campaign          -(targets)>    *               The campaign targeted the target nodes.
ou:campaign          -(uses)>       *               The campaign made use of the target node.
ou:contribution      -(includes)>   *               The contribution includes the specific node.
ou:org               -(has)>        *               The organization is or was in possession of the target node.
ou:org               -(owns)>       *               The organization owns or owned the target node.
ou:org               -(targets)>    *               The organization targets the target node.
ou:org               -(uses)>       *               The ou:org makes use of the target node.
plan:procedure:step  -(uses)>       *               The step in the procedure makes use of the target node.
ps:contact           -(has)>        *               The contact is or was in possession of the target node.
ps:contact           -(owns)>       *               The contact owns or owned the target node.
ps:person            -(has)>        *               The person is or was in possession of the target node.
ps:person            -(owns)>       *               The person owns or owned the target node.
risk:attack          -(targets)>    *               The attack targeted the target node.
risk:attack          -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>     *               The leak included the disclosure of the target node.
risk:outage          -(impacted)>   *               The outage event impacted the availability of the target node.
risk:threat          -(targets)>    *               The threat cluster targeted the target node.
risk:threat          -(uses)>       *               The threat cluster uses the target node.
risk:tool:software   -(uses)>       *               The tool uses the target node.
sci:evidence         -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment       -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation      -(has)>        *               The observations are summarized from the target nodes.

inet:dns:aaaa

The result of a DNS AAAA record lookup.

The base type for the form can be found at inet:dns:aaaa.

An example of inet:dns:aaaa:

  • (vertex.link,2607:f8b0:4004:809::200e)

Properties:

name | type | doc | opts
:fqdn | inet:fqdn | The domain queried for its DNS AAAA record. | Read Only: True
:ipv6 | inet:ipv6 | The IPv6 address returned in the AAAA record. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:answer

A single answer from within a DNS reply.

The base type for the form can be found at inet:dns:answer.

Properties:

name | type | doc
:ttl | int | The base 64 bit signed integer type.
:request | inet:dns:request | A single instance of a DNS resolver request and optional reply info.
:a | inet:dns:a | The DNS A record returned by the lookup.
:ns | inet:dns:ns | The DNS NS record returned by the lookup.
:rev | inet:dns:rev | The DNS PTR record returned by the lookup.
:aaaa | inet:dns:aaaa | The DNS AAAA record returned by the lookup.
:rev6 | inet:dns:rev6 | The DNS PTR record returned by the lookup of an IPv6 address.
:cname | inet:dns:cname | The DNS CNAME record returned by the lookup.
:mx | inet:dns:mx | The DNS MX record returned by the lookup.
:mx:priority | int | The DNS MX record priority.
:soa | inet:dns:soa | The domain queried for its SOA record.
:txt | inet:dns:txt | The DNS TXT record returned by the lookup.
:time | time | The time that the DNS response was transmitted.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:cname

The result of a DNS CNAME record lookup.

The base type for the form can be found at inet:dns:cname.

An example of inet:dns:cname:

  • (foo.vertex.link,vertex.link)

Properties:

name | type | doc | opts
:fqdn | inet:fqdn | The domain queried for its CNAME record. | Read Only: True
:cname | inet:fqdn | The domain returned in the CNAME record. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:dynreg

A dynamic DNS registration.

The base type for the form can be found at inet:dns:dynreg.

Properties:

name | type | doc
:fqdn | inet:fqdn | The FQDN registered within a dynamic DNS provider.
:provider | ou:org | The organization which provides the dynamic DNS FQDN.
:provider:name | ou:name | The name of the organization which provides the dynamic DNS FQDN.
:provider:fqdn | inet:fqdn | The FQDN of the organization which provides the dynamic DNS FQDN.
:contact | ps:contact | The contact information of the registrant.
:created | time | The time that the dynamic DNS registration was first created.
:client | inet:client | The network client address used to register the dynamic FQDN.
:client:ipv4 | inet:ipv4 | The client IPv4 address used to register the dynamic FQDN.
:client:ipv6 | inet:ipv6 | The client IPv6 address used to register the dynamic FQDN.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:mx

The result of a DNS MX record lookup.

The base type for the form can be found at inet:dns:mx.

An example of inet:dns:mx:

  • (vertex.link,mail.vertex.link)

Properties:

name | type | doc | opts
:fqdn | inet:fqdn | The domain queried for its MX record. | Read Only: True
:mx | inet:fqdn | The domain returned in the MX record. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:ns

The result of a DNS NS record lookup.

The base type for the form can be found at inet:dns:ns.

An example of inet:dns:ns:

  • (vertex.link,ns.dnshost.com)

Properties:

name | type | doc | opts
:zone | inet:fqdn | The domain queried for its DNS NS record. | Read Only: True
:ns | inet:fqdn | The domain returned in the NS record. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:query

A DNS query unique to a given client.

The base type for the form can be found at inet:dns:query.

An example of inet:dns:query:

  • (1.2.3.4, woot.com, 1)

Properties:

name | type | doc | opts
:client | inet:client | A network client address. | Read Only: True
:name | inet:dns:name | A DNS query name string. Likely an FQDN but not always. | Read Only: True
:name:ipv4 | inet:ipv4 | An IPv4 address. |
:name:ipv6 | inet:ipv6 | An IPv6 address. |
:name:fqdn | inet:fqdn | A Fully Qualified Domain Name (FQDN). |
:type | int | The base 64 bit signed integer type. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:request

A single instance of a DNS resolver request and optional reply info.

The base type for the form can be found at inet:dns:request.

Properties:

name | type | doc
:time | time | A date/time value.
:query | inet:dns:query | A DNS query unique to a given client.
:query:name | inet:dns:name | A DNS query name string. Likely an FQDN but not always.
:query:name:ipv4 | inet:ipv4 | An IPv4 address.
:query:name:ipv6 | inet:ipv6 | An IPv6 address.
:query:name:fqdn | inet:fqdn | A Fully Qualified Domain Name (FQDN).
:query:type | int | The base 64 bit signed integer type.
:server | inet:server | A network server address.
:reply:code | enums: ((0, 'NOERROR'), (1, 'FORMERR'), (2, 'SERVFAIL'), (3, 'NXDOMAIN'), (4, 'NOTIMP'), (5, 'REFUSED'), (6, 'YXDOMAIN'), (7, 'YXRRSET'), (8, 'NXRRSET'), (9, 'NOTAUTH'), (10, 'NOTZONE'), (11, 'DSOTYPENI'), (16, 'BADSIG'), (17, 'BADKEY'), (18, 'BADTIME'), (19, 'BADMODE'), (20, 'BADNAME'), (21, 'BADALG'), (22, 'BADTRUNC'), (23, 'BADCOOKIE')); enums:strict: False | The DNS server response code.
:exe | file:bytes | The file containing the code that attempted the DNS lookup.
:proc | it:exec:proc | The process that attempted the DNS lookup.
:host | it:host | The host that attempted the DNS lookup.
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:rev

The transformed result of a DNS PTR record lookup.

The base type for the form can be found at inet:dns:rev.

An example of inet:dns:rev:

  • (1.2.3.4,vertex.link)

Properties:

name

type

doc

opts

:ipv4

inet:ipv4

The IPv4 address queried for its DNS PTR record.

Read Only: True

:fqdn

inet:fqdn

The domain returned in the PTR record.

Read Only: True

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       None
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:dns:rev6

The transformed result of a DNS PTR record for an IPv6 address.

The base type for the form can be found at inet:dns:rev6.

An example of inet:dns:rev6:

  • (2607:f8b0:4004:809::200e,vertex.link)

Properties:

  name   type       doc                                               opts
  :ipv6  inet:ipv6  The IPv6 address queried for its DNS PTR record.  Read Only: True
  :fqdn  inet:fqdn  The domain returned in the PTR record.            Read Only: True
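The "transformed" part of inet:dns:rev and inet:dns:rev6 is the reversal of the PTR owner name (4.3.2.1.in-addr.arpa, or the 32-nibble ip6.arpa form) back into the address that was queried, paired with the FQDN from the record's RDATA. The Python below is an added example for both forms, not Synapse code or part of this reference; the Storm edit syntax it prints ([ form=(ip, fqdn) ]) is assumed, and the IPv6 record is built from the example address shown for inet:dns:rev6. Names with the wrong number of octets or nibbles, or with an octet out of range, are rejected rather than guessed at, so a malformed record never becomes a bogus node.

```python
import ipaddress
from typing import Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def ptr_name_to_ip(name: str) -> Optional[IPAddr]:
    """Reverse a PTR owner name back into the address it describes.

    4.3.2.1.in-addr.arpa           -> 1.2.3.4
    e.0.0.2. ... .7.0.6.2.ip6.arpa -> 2607:f8b0:4004:809::200e

    Returns None for anything that is not a well-formed reverse name.
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:            # classless / partial names are not addresses
            return None
        try:
            return ipaddress.IPv4Address(".".join(reversed(octets)))
        except ValueError:              # e.g. an octet of 256
            return None
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        return ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    return None


def ptr_to_node(owner: str, target: str) -> Optional[Tuple[str, Tuple[str, str]]]:
    """Return (form, (ip, fqdn)) for a PTR record: inet:dns:rev for IPv4,
    inet:dns:rev6 for IPv6. The tuple is the form's primary value."""
    ip = ptr_name_to_ip(owner)
    if ip is None:
        return None
    form = "inet:dns:rev" if ip.version == 4 else "inet:dns:rev6"
    return form, (str(ip), target.rstrip(".").lower())


def storm_edit(owner: str, target: str) -> Optional[str]:
    """Storm edit statement that would create the node (assumed syntax)."""
    node = ptr_to_node(owner, target)
    if node is None:
        return None
    form, (ip, fqdn) = node
    return f"[ {form}=({ip}, {fqdn}) ]"


if __name__ == "__main__":
    # Constructed PTR records; the third one is deliberately malformed.
    records = [
        ("4.3.2.1.in-addr.arpa.", "vertex.link."),
        ("e.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.9.0.8.0.4.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa.", "vertex.link."),
        ("3.2.1.in-addr.arpa.", "vertex.link."),
    ]
    for owner, target in records:
        print(owner, "->", storm_edit(owner, target))
```

The nibble check is the part worth keeping: PTR zones in the wild contain partial and typo'd names, and a resolver-side "reverse the labels and join" turns those into addresses that never existed.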

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       None
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:dns:soa

The result of a DNS SOA record lookup.

The base type for the form can be found at inet:dns:soa.

Properties:

  name    type        doc
  :fqdn   inet:fqdn   The domain queried for its SOA record.
  :ns     inet:fqdn   The domain (MNAME) returned in the SOA record.
  :email  inet:email  The email address (RNAME) returned in the SOA record.
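The RNAME field of an SOA record is a mailbox written as a domain name: the "@" is replaced by a dot, and a dot that belongs to the local part is escaped as "\.", so hostmaster.vertex.link. is hostmaster@vertex.link but john\.doe.example.com. is john.doe@example.com. A naive replace of the first dot gets the second case wrong. The Python below is an added example of turning an SOA answer into the three properties listed above; it is not Synapse code or part of this reference, the sample answer is constructed, and the Storm edit it prints (inet:dns:soa created with =* because it is a guid form) is assumed syntax.

```python
from typing import Dict


def soa_rname_to_email(rname: str) -> str:
    """Convert an SOA RNAME into the mailbox it encodes.

    The first unescaped dot separates local part and domain; a backslash
    escapes the character after it into the local part (RFC 1035 presentation
    format). Raises ValueError when there is no domain part at all.
    """
    name = rname.rstrip(".")
    local = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):   # escaped dot (or other char) stays in the local part
            local.append(name[i + 1])
            i += 2
            continue
        if ch == ".":
            domain = name[i + 1:]
            if not local or not domain:
                break
            return f"{''.join(local)}@{domain}".lower()
        local.append(ch)
        i += 1
    raise ValueError(f"RNAME is not mailbox.domain: {rname!r}")


def soa_to_props(fqdn: str, rdata: str) -> Dict[str, str]:
    """Map an SOA record (owner name plus RDATA as dig prints it) onto the
    inet:dns:soa properties :fqdn, :ns (MNAME) and :email (RNAME)."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("SOA RDATA is MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM")
    mname, rname = fields[0], fields[1]
    for num in fields[2:]:
        if not num.isdigit():
            raise ValueError(f"non-numeric SOA field: {num!r}")
    return {
        ":fqdn": fqdn.rstrip(".").lower(),
        ":ns": mname.rstrip(".").lower(),
        ":email": soa_rname_to_email(rname),
    }


def soa_storm_edit(fqdn: str, rdata: str) -> str:
    """Storm edit creating the node (assumed syntax, not taken from this page)."""
    props = soa_to_props(fqdn, rdata)
    return "[ inet:dns:soa=* " + " ".join(f"{k}={v}" for k, v in props.items()) + " ]"


if __name__ == "__main__":
    # Constructed answer in dig's layout; not a real zone's data.
    print(soa_storm_edit("vertex.link.",
                         "ns1.vertex.link. hostmaster.vertex.link. 2024050101 7200 3600 1209600 3600"))
    print(soa_rname_to_email("john\\.doe.example.com."))
```

Only MNAME and RNAME land on the form; the serial and timers are not properties of inet:dns:soa, so keep them in the source record if you need them for change tracking.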

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       None
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:dns:txt

The result of a DNS TXT record lookup.

The base type for the form can be found at inet:dns:txt.

An example of inet:dns:txt:

  • (hehe.vertex.link,"fancy TXT record")

Properties:

  name   type       doc                                     opts
  :fqdn  inet:fqdn  The domain queried for its TXT record.  Read Only: True
  :txt   str        The string returned in the TXT record.  Read Only: True

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       None
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:dns:wild:a

A DNS A wild card record and the IPv4 it resolves to.

The base type for the form can be found at inet:dns:wild:a.

Properties:

  name   type       doc                                                  opts
  :fqdn  inet:fqdn  The domain containing a wild card record.            Read Only: True
  :ipv4  inet:ipv4  The IPv4 address returned by wild card resolutions.  Read Only: True

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       None
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:dns:wild:aaaa

A DNS AAAA wild card record and the IPv6 it resolves to.

The base type for the form can be found at inet:dns:wild:aaaa.

Properties:

  name   type       doc                                                  opts
  :fqdn  inet:fqdn  The domain containing a wild card record.            Read Only: True
  :ipv6  inet:ipv6  The IPv6 address returned by wild card resolutions.  Read Only: True

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       None
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:download

An instance of a file downloaded from a server.

The base type for the form can be found at inet:download.

Properties:

  name           type               doc
  :time          time               The time the file was downloaded.
  :fqdn          inet:fqdn          The FQDN used to resolve the server.
  :file          file:bytes         The file that was downloaded.
  :server        inet:server        The inet:addr of the server.
  :server:host   it:host            The it:host node for the server.
  :server:ipv4   inet:ipv4          The IPv4 of the server.
  :server:ipv6   inet:ipv6          The IPv6 of the server.
  :server:port   inet:port          The server tcp/udp port.
  :server:proto  str (lower: True)  The server network layer protocol.
  :client        inet:client        The inet:addr of the client.
  :client:host   it:host            The it:host node for the client.
  :client:ipv4   inet:ipv4          The IPv4 of the client.
  :client:ipv6   inet:ipv6          The IPv6 of the client.
  :client:port   inet:port          The client tcp/udp port.
  :client:proto  str (lower: True)  The client network layer protocol.
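The :server and :client groups above carry the same address three ways: as the combined inet:addr string, as the port and protocol, and as exactly one of :ipv4 or :ipv6 depending on the address family. The Python below is an added example of populating inet:download from a flow or proxy event; it is not Synapse code or part of this reference. The two events are constructed (their field names are this example's own), the bracketed IPv6 form of the inet:server string and the sha256:<hex> form of the file:bytes value are assumed to match Synapse's normalisation, and :server:host / :client:host are left unset because nothing in a flow record identifies the it:host.

```python
import ipaddress
import json
from datetime import datetime, timezone
from typing import Dict

# Constructed download events (not from the page); one IPv4 server, one IPv6.
EVENTS = [
    '{"ts": "2024-05-01T12:34:56Z", "proto": "tcp", '
    '"client": "10.0.0.5", "client_port": 51234, '
    '"server": "203.0.113.7", "server_port": 443, "host": "dl.vertex.link", '
    '"sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}',
    '{"ts": "2024-05-01T12:35:10Z", "proto": "tcp", '
    '"client": "10.0.0.5", "client_port": 51240, '
    '"server": "2607:f8b0:4004:809::200e", "server_port": 443, "host": "dl.vertex.link", '
    '"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}',
]

HEX = set("0123456789abcdef")


def addr_props(prefix: str, proto: str, ip_str: str, port: int) -> Dict[str, object]:
    """Fill the :server* or :client* group. Only the :ipv4 or :ipv6 secondary
    that matches the address family is set; the inet:addr string wraps IPv6 in
    brackets (assumed normalisation)."""
    ip = ipaddress.ip_address(ip_str)       # raises ValueError on garbage
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    proto = proto.lower()
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return {
        prefix: f"{proto}://{host}:{port}",
        f"{prefix}:ipv{ip.version}": str(ip),
        f"{prefix}:port": port,
        f"{prefix}:proto": proto,
    }


def download_props(event: str) -> Dict[str, object]:
    """Map one event onto the inet:download properties listed above."""
    ev = json.loads(event)
    when = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    sha = ev["sha256"].lower()
    if len(sha) != 64 or not set(sha) <= HEX:
        raise ValueError(f"not a sha256 hex digest: {ev['sha256']!r}")
    props: Dict[str, object] = {
        ":time": int(when.timestamp()) * 1000,   # epoch milliseconds, as Synapse stores time
        ":fqdn": ev["host"].rstrip(".").lower(),
        ":file": "sha256:" + sha,                # file:bytes primary value (assumed form)
    }
    props.update(addr_props(":server", ev["proto"], ev["server"], ev["server_port"]))
    props.update(addr_props(":client", ev["proto"], ev["client"], ev["client_port"]))
    return props


if __name__ == "__main__":
    for ev in EVENTS:
        for key, val in sorted(download_props(ev).items()):
            print(f"{key:14} {val}")
        print()
```

Rejecting a bad hash up front matters more than it looks: a malformed :file value silently creates a file:bytes node that will never join with the sample actually pulled from the server.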

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       None
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:egress

A host using a specific network egress client address.

The base type for the form can be found at inet:egress.

Properties:

  name          type                  doc
  :host         it:host               The host that used the network egress.
  :host:iface   inet:iface            The interface which the host used to connect out via the egress.
  :account      inet:service:account  The service account which used the client address to egress.
  :client       inet:client           The client address the host used as a network egress.
  :client:ipv4  inet:ipv4             The client IPv4 address the host used as a network egress.
  :client:ipv6  inet:ipv6             The client IPv6 address the host used as a network egress.

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       None
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:email

An e-mail address.

The base type for the form can be found at inet:email.

Properties:

  name   type       doc                                 opts
  :user  inet:user  The username of the email address.  Read Only: True
  :fqdn  inet:fqdn  The domain of the email address.    Read Only: True

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       None
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:email:header

A unique email message header.

The base type for the form can be found at inet:email:header.

Properties:

  name    type                    doc                             opts
  :name   inet:email:header:name  The name of the email header.   Read Only: True
  :value  str                     The value of the email header.  Read Only: True
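inet:email splits into :user and :fqdn, inet:email:header is one node per distinct (name, value) pair, and the inet:email:message form that follows takes its :id, :to, :from, :replyto, :cc and :subject from specific headers. The Python below is an added example of deriving all three from a raw RFC 5322 message with the standard library; it is not Synapse code or part of this reference. The message is constructed, header names are lowered on the assumption that inet:email:header:name normalises them that way, addresses are lowered for the same reason, :cc is made unique and sorted as its opts state, and since :to is a single inet:email the first recipient is taken (remaining recipients would need their own edges or nodes, which this example does not create).

```python
import email
import email.policy
from email.utils import getaddresses
from typing import Dict, List, Tuple

# Constructed phishing-style message (not from the page). Note the Reply-To
# that differs from From, and the duplicate Cc address.
SAMPLE = """\
Received: from mx1.example.com by mail.example.com; Wed, 1 May 2024 12:00:00 +0000
Received: from [198.51.100.9] by mx1.example.com; Wed, 1 May 2024 11:59:58 +0000
Message-ID: <20240501115958.ABC123@mail.vertex.link>
From: "Alice" <Alice@Vertex.link>
To: Bob <bob@example.com>
Reply-To: billing@evil.example
Cc: Carol <carol@example.com>, dave@example.com, carol@example.com
Subject: Invoice attached

See attached.
"""


def parse(raw: str):
    """Parse with the modern policy so encoded words and folding are handled."""
    return email.message_from_string(raw, policy=email.policy.default)


def split_email(addr: str) -> Tuple[str, str]:
    """inet:email -> (:user, :fqdn). Split on the last '@' so a quoted local
    part containing '@' survives; reject anything without both halves."""
    addr = addr.strip().lower()
    user, sep, fqdn = addr.rpartition("@")
    if not sep or not user or not fqdn:
        raise ValueError(f"not an email address: {addr!r}")
    return user, fqdn


def header_nodes(msg) -> List[Tuple[str, str]]:
    """One inet:email:header (:name, :value) per distinct pair, in message order.
    Repeated Received headers with different values stay separate nodes."""
    seen = set()
    out: List[Tuple[str, str]] = []
    for name, value in msg.items():
        node = (name.lower(), str(value).strip())
        if node not in seen:
            seen.add(node)
            out.append(node)
    return out


def addresses(msg, name: str) -> List[str]:
    """All addresses from every instance of a header, lowered."""
    raw = [str(v) for v in msg.get_all(name, [])]
    return [a.lower() for _, a in getaddresses(raw) if a]


def message_props(msg) -> Dict[str, object]:
    """Map the headers onto the inet:email:message properties."""
    props: Dict[str, object] = {}
    msgid = msg.get("Message-ID")
    if msgid:
        props[":id"] = str(msgid).strip()       # strip: True covers whitespace only
    for prop, header in ((":to", "To"), (":from", "From"), (":replyto", "Reply-To")):
        found = addresses(msg, header)
        if found:
            props[prop] = found[0]
    cc = addresses(msg, "Cc")
    if cc:
        props[":cc"] = sorted(set(cc))          # uniq: True, sorted: True
    subject = msg.get("Subject")
    if subject:
        props[":subject"] = str(subject)
    return props


if __name__ == "__main__":
    msg = parse(SAMPLE)
    for key, val in message_props(msg).items():
        print(f"{key:10} {val}")
    for name, value in header_nodes(msg):
        print(f"header {name}: {value}")
    print(split_email(message_props(msg)[":from"]))
```

Keeping From and Reply-To as separate properties is what makes the mismatch queryable later; collapsing them at ingest would throw away the single most useful phishing signal in the headers.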

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       None
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:email:message

An individual email message delivered to an inbox.

The base type for the form can be found at inet:email:message.

Properties:

name | type | doc | opts
:id | str | The ID parsed from the “message-id” header. | strip: True
:to | inet:email | The email address of the recipient. | -
:from | inet:email | The email address of the sender. | -
:replyto | inet:email | The email address parsed from the “reply-to” header. | -
:cc | array | Email addresses parsed from the “cc” header. | type: inet:email, uniq: True, sorted: True
:subject | str | The email message subject parsed from the “subject” header. | -
:body | str | The body of the email message. | Display: {'hint': 'text'}
:date | time | The time the email message was delivered. | -
:bytes | file:bytes | The file bytes which contain the email message. | -
:headers | array | An array of email headers from the message. | type: inet:email:header
:received:from:ipv4 | inet:ipv4 | The sending SMTP server IPv4, potentially from the Received: header. | -
:received:from:ipv6 | inet:ipv6 | The sending SMTP server IPv6, potentially from the Received: header. | -
:received:from:fqdn | inet:fqdn | The sending server FQDN, potentially from the Received: header. | -
:flow | inet:flow | The inet:flow which delivered the message. | -
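The property table above lists what an inet:email:message node can carry, but not how a raw RFC 5322 message maps onto it. The following is an added example (not Synapse project code) that parses a constructed message with the standard library and produces the form's properties: the message-id stripped to its bare id, addresses lower-cased as inet:email normalizes them, the cc array deduplicated and sorted to match its uniq/sorted opts, the first Received: header mined for :received:from:fqdn and :received:from:ipv4/ipv6, the delivery time taken from that header's timestamp (falling back to Date:), and :bytes as the sha256 file:bytes value. The to_storm helper renders a Storm edit block using `inet:email:message=*` to let the Cortex mint the guid; the RECEIVED_RE pattern and the choice to strip angle brackets from the id are this example's own assumptions.

```python
import email
import hashlib
import ipaddress
import re
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message (not real mail); note the folded Received: header.
RAW_MESSAGE = (
    b"Received: from mail.example.test (mail.example.test [192.0.2.10])\r\n"
    b"\tby mx.vertex.link with ESMTP id abc123\r\n"
    b"\tfor <bob@vertex.link>; Tue, 03 Sep 2024 14:05:00 +0000\r\n"
    b"Message-ID: <20240903140500.1234@example.test>\r\n"
    b"From: Alice <Alice@example.test>\r\n"
    b"To: bob@vertex.link\r\n"
    b"Reply-To: alice-reply@example.test\r\n"
    b"Cc: carol@vertex.link, Bob <BOB@vertex.link>, carol@vertex.link\r\n"
    b"Subject: Invoice attached\r\n"
    b"Date: Tue, 03 Sep 2024 14:04:58 +0000\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Please find the invoice attached.\r\n"
)

# Assumed shape of a Received: header: "from <fqdn> (<comment> [<addr>])".
RECEIVED_RE = re.compile(r'from\s+(?P<fqdn>[\w.-]+)(?:\s*\(.*?\[(?:IPv6:)?(?P<addr>[^\]\s]+)\])?', re.S)


def _addr(valu):
    """Lower-case a single address the way inet:email normalizes it."""
    addrs = [a for _, a in getaddresses([valu]) if a]
    return addrs[0].lower() if addrs else None


def _epoch_ms(datestr):
    # Synapse time values are epoch milliseconds.
    return int(parsedate_to_datetime(datestr).timestamp() * 1000)


def _body_text(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == 'text/plain':
            payload = part.get_payload(decode=True) or b''
            return payload.decode(part.get_content_charset() or 'utf-8', errors='replace').strip()
    return ''


def parse_email_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw)
    props = {}
    msgid = msg.get('message-id')
    if msgid:
        # :id is strip: True; the angle brackets are RFC 5322 delimiters, not part of the id.
        props['id'] = msgid.strip().strip('<>')
    for prop, hdr in (('to', 'to'), ('from', 'from'), ('replyto', 'reply-to')):
        if msg.get(hdr):
            props[prop] = _addr(msg.get(hdr))
    # :cc is an array with uniq + sorted set, so dedupe and sort after lower-casing.
    cc = {a.lower() for _, a in getaddresses(msg.get_all('cc', [])) if a}
    if cc:
        props['cc'] = sorted(cc)
    if msg.get('subject'):
        props['subject'] = ' '.join(msg.get('subject').split())
    props['body'] = _body_text(msg)
    # file:bytes primary property is the sha256 of the raw message bytes.
    props['bytes'] = 'sha256:' + hashlib.sha256(raw).hexdigest()
    # inet:email:header is (name, value); header names are lower-cased.
    props['headers'] = [(name.lower(), ' '.join(valu.split())) for name, valu in msg.items()]

    received = msg.get('received')
    if received:
        match = RECEIVED_RE.search(received)
        if match:
            props['received:from:fqdn'] = match.group('fqdn').lower()
            if match.group('addr'):
                ip = ipaddress.ip_address(match.group('addr'))
                props[f'received:from:ipv{ip.version}'] = ip.compressed
        # The timestamp after the final ';' is when this hop accepted the message,
        # which is the delivery time :date describes; fall back to the Date: header.
        props['date'] = _epoch_ms(received.rsplit(';', 1)[-1].strip())
    elif msg.get('date'):
        props['date'] = _epoch_ms(msg.get('date'))
    return props


def storm_value(valu):
    if isinstance(valu, int):
        return str(valu)
    if isinstance(valu, (list, tuple)):
        return '(' + ', '.join(storm_value(v) for v in valu) + ')'
    text = str(valu).replace('\\', '\\\\').replace('"', '\\"')
    return f'"{text}"'


def to_storm(props: dict) -> str:
    """Render a Storm edit block; inet:email:message=* asks the Cortex to mint a new guid."""
    sets = ' '.join(f':{name}={storm_value(valu)}' for name, valu in props.items() if name != 'headers')
    return f'[ inet:email:message=* {sets} ]'
```

The headers array is left out of the Storm string because each element is a compound inet:email:header value; set it in a second edit or with a Storm list literal once the message node exists.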

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:email:message:attachment

A file which was attached to an email message.

The base type for the form can be found at inet:email:message:attachment.

Properties:

name | type | doc | opts
:message | inet:email:message | The message containing the attached file. | Read Only: True
:file | file:bytes | The attached file. | Read Only: True
:name | file:base | The name of the attached file. | -

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:flow

An individual network connection between a given source and destination.

The base type for the form can be found at inet:flow.

Properties:

name | type | doc | opts
:time | time | The time the network connection was initiated. | -
:duration | int | The duration of the flow in seconds. | -
:from | guid | The ingest source file/iden. Used for reparsing. | -
:dst | inet:server | The destination address / port for a connection. | -
:dst:ipv4 | inet:ipv4 | The destination IPv4 address. | -
:dst:ipv6 | inet:ipv6 | The destination IPv6 address. | -
:dst:port | inet:port | The destination port. | -
:dst:proto | str | The destination protocol. | lower: True
:dst:host | it:host | The guid of the destination host. | -
:dst:proc | it:exec:proc | The guid of the destination process. | -
:dst:exe | file:bytes | The file (executable) that received the connection. | -
:dst:txfiles | array | An array of files sent by the destination host. | type: file:bytes, sorted: True, uniq: True
:dst:txcount | int | The number of packets sent by the destination host. | -
:dst:txbytes | int | The number of bytes sent by the destination host. | -
:dst:handshake | str | A text representation of the initial handshake sent by the server. | Display: {'hint': 'text'}
:src | inet:client | The source address / port for a connection. | -
:src:ipv4 | inet:ipv4 | The source IPv4 address. | -
:src:ipv6 | inet:ipv6 | The source IPv6 address. | -
:src:port | inet:port | The source port. | -
:src:proto | str | The source protocol. | lower: True
:src:host | it:host | The guid of the source host. | -
:src:proc | it:exec:proc | The guid of the source process. | -
:src:exe | file:bytes | The file (executable) that created the connection. | -
:src:txfiles | array | An array of files sent by the source host. | type: file:bytes, sorted: True, uniq: True
:src:txcount | int | The number of packets sent by the source host. | -
:src:txbytes | int | The number of bytes sent by the source host. | -
:tot:txcount | int | The number of packets sent in both directions. | -
:tot:txbytes | int | The number of bytes sent in both directions. | -
:src:handshake | str | A text representation of the initial handshake sent by the client. | Display: {'hint': 'text'}
:dst:cpes | array | An array of NIST CPEs identified on the destination host. | type: it:sec:cpe, uniq: True, sorted: True
:dst:softnames | array | An array of software names identified on the destination host. | type: it:prod:softname, uniq: True, sorted: True
:src:cpes | array | An array of NIST CPEs identified on the source host. | type: it:sec:cpe, uniq: True, sorted: True
:src:softnames | array | An array of software names identified on the source host. | type: it:prod:softname, uniq: True, sorted: True
:ip:proto | int | The IP protocol number of the flow. | min: 0, max: 255
:ip:tcp:flags | int | An aggregation of observed TCP flags commonly provided by flow APIs. | min: 0, max: 255
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze. | -
:src:ssl:cert | crypto:x509:cert | The x509 certificate sent by the client as part of an SSL/TLS negotiation. | -
:dst:ssl:cert | crypto:x509:cert | The x509 certificate sent by the server as part of an SSL/TLS negotiation. | -
:src:rdp:hostname | it:hostname | The hostname sent by the client as part of an RDP session setup. | -
:src:rdp:keyboard:layout | str | The keyboard layout sent by the client as part of an RDP session setup. | lower: True, onespace: True
:src:ssh:key | crypto:key | The key sent by the client as part of an SSH session setup. | -
:dst:ssh:key | crypto:key | The key sent by the server as part of an SSH session setup. | -
:capture:host | it:host | The host which captured the flow. | -
:raw | data | A raw record used to create the flow which may contain additional protocol details. | -
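Flow records from sensors rarely arrive with the model's field names, and a few properties (:src, :dst, the :tot counters, :ip:proto, :ip:tcp:flags) have to be derived rather than copied. The following is an added example, not Synapse project code, that turns constructed Zeek-style conn.log records into inet:flow properties. It assumes the standard Zeek conn.log field names (ts, id.orig_h, id.resp_p, orig_bytes, history, ...), renders :src and :dst in the proto://host:port form inet:client and inet:server take (IPv6 literals bracketed), maps protocol names to IANA numbers for :ip:proto, and folds Zeek's history letters into an aggregate flag mask; that history-to-flags mapping is an approximation this example makes, since Zeek's history string is not a bitmask.

```python
import ipaddress
import json

# Constructed Zeek-style conn.log records (JSON lines); not real traffic.
SAMPLE_CONN_LOG = """
{"ts": 1725372300.25, "uid": "CAbc1", "id.orig_h": "10.1.2.3", "id.orig_p": 51234, "id.resp_h": "192.0.2.44", "id.resp_p": 443, "proto": "tcp", "duration": 12.5, "orig_bytes": 1536, "resp_bytes": 20480, "orig_pkts": 14, "resp_pkts": 22, "history": "ShADadFf"}
{"ts": 1725372301.0, "uid": "CAbc2", "id.orig_h": "2001:db8::10", "id.orig_p": 40000, "id.resp_h": "2001:db8::53", "id.resp_p": 53, "proto": "udp", "duration": 0.01, "orig_bytes": 60, "resp_bytes": 120, "orig_pkts": 1, "resp_pkts": 1}
"""

# IANA protocol numbers for :ip:proto (0-255).
IP_PROTO = {'icmp': 1, 'tcp': 6, 'udp': 17, 'icmp6': 58}

# TCP flag bits. Zeek's "history" string is not a flag mask, but its letters
# record which flags were seen (upper case = originator, lower = responder),
# so this example folds them into the aggregate mask :ip:tcp:flags expects.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
HISTORY_FLAGS = {'S': SYN, 'H': SYN | ACK, 'A': ACK, 'F': FIN, 'R': RST}


def addr_str(ip, port, proto):
    """Render inet:client / inet:server (both inet:addr) as proto://host:port."""
    host = f'[{ip.compressed}]' if ip.version == 6 else ip.compressed
    return f'{proto}://{host}:{port}'


def flow_props(rec: dict) -> dict:
    proto = rec['proto'].lower()                      # :src:proto / :dst:proto are lower: True
    src_ip = ipaddress.ip_address(rec['id.orig_h'])
    dst_ip = ipaddress.ip_address(rec['id.resp_h'])
    props = {
        'time': int(rec['ts'] * 1000),                # Synapse time values are epoch milliseconds
        'duration': int(rec.get('duration', 0)),      # :duration is whole seconds; truncate
        'src': addr_str(src_ip, rec['id.orig_p'], proto),
        'src:port': rec['id.orig_p'],
        'src:proto': proto,
        'dst': addr_str(dst_ip, rec['id.resp_p'], proto),
        'dst:port': rec['id.resp_p'],
        'dst:proto': proto,
        'raw': rec,                                   # :raw keeps the record for reparsing
    }
    # Only the matching address-family property is set; the other stays absent.
    props[f'src:ipv{src_ip.version}'] = src_ip.compressed
    props[f'dst:ipv{dst_ip.version}'] = dst_ip.compressed
    if proto in IP_PROTO:
        props['ip:proto'] = IP_PROTO[proto]
    # Per-direction counters, then the totals the model carries explicitly.
    for side, zeek in (('src', 'orig'), ('dst', 'resp')):
        props[f'{side}:txbytes'] = int(rec.get(f'{zeek}_bytes') or 0)
        props[f'{side}:txcount'] = int(rec.get(f'{zeek}_pkts') or 0)
    props['tot:txbytes'] = props['src:txbytes'] + props['dst:txbytes']
    props['tot:txcount'] = props['src:txcount'] + props['dst:txcount']
    if proto == 'tcp' and rec.get('history'):
        flags = 0
        for letter in rec['history'].upper():
            flags |= HISTORY_FLAGS.get(letter, 0)
        props['ip:tcp:flags'] = flags
    return props


def parse_conn_log(text: str) -> list:
    return [flow_props(json.loads(line)) for line in text.splitlines() if line.strip()]
```

Keeping the original record under :raw is what makes later reparsing possible when the mapping changes, for example if a sensor starts emitting the TLS handshake fields that feed :src:ssl:cert and :dst:ssl:cert.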

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:fqdn

A Fully Qualified Domain Name (FQDN).

The base type for the form can be found at inet:fqdn.

An example of inet:fqdn:

  • vertex.link

Properties:

name | type | doc | opts
:domain | inet:fqdn | The parent domain for the FQDN. | Read Only: True
:host | str | The host part of the FQDN. | lower: True, Read Only: True
:issuffix | bool | True if the FQDN is considered a suffix. | -
:iszone | bool | True if the FQDN is considered a zone. | -
:zone | inet:fqdn | The zone level parent for this FQDN. | -
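The four derived properties above (:host, :domain, :zone, :iszone) and the :issuffix flag interact: a name is a zone when its parent is a suffix, and every name below a zone inherits that zone through :zone. The following is an added example, not Synapse project code, that computes those properties for a normalized FQDN and lists the ancestor chain a Cortex materializes through :domain. The SUFFIXES set is a constructed stand-in for the suffix data a real Cortex carries, and treating single-label names as suffixes is this example's assumption about how top-level names behave.

```python
# Constructed, deliberately tiny suffix set standing in for the suffix data a
# Cortex carries; it exists only so the names below resolve.
SUFFIXES = {'com', 'net', 'link', 'uk', 'co.uk', 'org.uk'}

ALLOWED = set('abcdefghijklmnopqrstuvwxyz0123456789-_.')


def normalize_fqdn(fqdn: str) -> str:
    """Lower-case, drop the trailing root dot, reject empty labels and odd characters."""
    norm = fqdn.strip().rstrip('.').lower()
    if not norm or set(norm) - ALLOWED or '' in norm.split('.'):
        raise ValueError(f'invalid fqdn: {fqdn!r}')
    return norm


def is_suffix(fqdn: str) -> bool:
    # Single-label names (TLDs) have no parent; this example treats them as suffixes.
    return bool(fqdn) and (fqdn in SUFFIXES or '.' not in fqdn)


def fqdn_props(fqdn: str) -> dict:
    norm = normalize_fqdn(fqdn)
    host, _, domain = norm.partition('.')          # :host is the first label, :domain the rest
    props = {
        'host': host,
        'domain': domain or None,
        'issuffix': is_suffix(norm),
        'iszone': False,
        'zone': None,
    }
    if props['issuffix']:
        return props                               # suffixes are neither zones nor inside one
    # Walk up the labels; the first name whose parent is a suffix is the zone.
    labels = norm.split('.')
    for i in range(len(labels)):
        parent = '.'.join(labels[i + 1:])
        if is_suffix(parent):
            props['zone'] = '.'.join(labels[i:])
            break
    props['iszone'] = props['zone'] == norm        # a zone is its own :zone
    return props


def lineage(fqdn: str) -> list:
    """Every ancestor a Cortex auto-creates via :domain when the leaf node is added."""
    labels = normalize_fqdn(fqdn).split('.')
    return ['.'.join(labels[i:]) for i in range(len(labels))]
```

Pivoting from a leaf to its :zone is how you group hostnames under the registrable name an actor controls; :domain only steps up one label, which is why both exist.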

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:group

A group name string.

The base type for the form can be found at inet:group.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:http:param

An HTTP request path query parameter.

The base type for the form can be found at inet:http:param.

Properties:

name | type | doc | opts
:name | str | The name of the HTTP query parameter. | lower: True, Read Only: True
:value | str | The value of the HTTP query parameter. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:http:request

A single HTTP request.

The base type for the form can be found at inet:http:request.

Properties:

name | type | doc | opts
:method | str | The HTTP request method string. | -
:path | str | The requested HTTP path (without query parameters). | -
:url | inet:url | The reconstructed URL for the request if known. | -
:query | str | The HTTP query string which optionally follows the path. | -
:headers | array | An array of HTTP headers from the request. | type: inet:http:request:header
:body | file:bytes | The body of the HTTP request. | -
:referer | inet:url | The referer URL parsed from the “Referer:” header in the request. | -
:cookies | array | An array of HTTP cookie values parsed from the “Cookie:” header in the request. | type: inet:http:cookie, sorted: True, uniq: True
:response:time | time | The time of the HTTP response. | -
:response:code | int | The HTTP response status code. | -
:response:reason | str | The HTTP response reason phrase. | -
:response:headers | array | An array of HTTP headers from the response. | type: inet:http:response:header
:response:body | file:bytes | The body of the HTTP response. | -
:session | inet:http:session | The HTTP session this request was part of. | -
:flow | inet:flow | The raw inet:flow containing the request. | -
:client | inet:client | The inet:addr of the client. | -
:client:ipv4 | inet:ipv4 | The client IPv4 address that the request was sent from. | -
:client:ipv6 | inet:ipv6 | The client IPv6 address that the request was sent from. | -
:client:host | it:host | The host that the request was sent from. | -
:server | inet:server | The inet:addr of the server. | -
:server:ipv4 | inet:ipv4 | The server IPv4 address that the request was sent to. | -
:server:ipv6 | inet:ipv6 | The server IPv6 address that the request was sent to. | -
:server:port | inet:port | The server port that the request was sent to. | -
:server:host | it:host | The host that the request was sent to. | -
:exe | file:bytes | The executable file which caused the activity. | -
:proc | it:exec:proc | The host process which caused the activity. | -
:thread | it:exec:thread | The host thread which caused the activity. | -
:host | it:host | The host on which the activity occurred. | -
:time | time | The time that the activity started. | -
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze. | -
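Several inet:http:request properties are derived from one request line and header block: :path and :query are split from the request target, :url is reconstructed from the target plus the Host header, :cookies is a uniq/sorted array of the Cookie: header's name=value pairs, and the query string also yields the inet:http:param nodes documented earlier. The following is an added example, not Synapse project code, that parses a constructed raw request into those properties. It assumes https when the request target is in origin form (the scheme is not on the wire), handles the absolute-form target a proxy sees, honors Content-Length when slicing the body for the :body file:bytes hash, and lower-cases header and parameter names as inet:http:header:name and inet:http:param:name do.

```python
import hashlib
from urllib.parse import parse_qsl, urlsplit

# Constructed raw request; not captured traffic.
RAW_REQUEST = (
    b"POST /api/login?redirect=%2Fhome&Debug=1 HTTP/1.1\r\n"
    b"Host: www.vertex.link\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: theme=dark; session=abc123; theme=dark\r\n"
    b"Referer: https://www.vertex.link/login\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b"user=alice&pass=hunter2%21"
)

DEFAULT_PORTS = {'http': 80, 'https': 443}


def parse_http_request(raw: bytes, scheme: str = 'https') -> dict:
    head, sep, body = raw.partition(b'\r\n\r\n')
    if not sep:
        raise ValueError('incomplete request: no end of headers')
    lines = head.decode('latin-1').split('\r\n')
    try:
        method, target, version = lines[0].split(' ', 2)
    except ValueError:
        raise ValueError(f'bad request line: {lines[0]!r}') from None
    if not version.startswith('HTTP/'):
        raise ValueError(f'bad HTTP version: {version!r}')

    # inet:http:header:name is lower-cased; values keep their case. Duplicates are kept.
    headers = []
    for line in lines[1:]:
        name, colon, valu = line.partition(':')
        if not colon:
            raise ValueError(f'malformed header line: {line!r}')
        headers.append((name.strip().lower(), valu.strip()))
    hdr = dict(headers)                      # last value wins for the lookups below

    # Trust Content-Length over whatever trailed the header block in the capture.
    length = int(hdr.get('content-length', len(body)))
    body = body[:length]

    # Origin form ("/path?q") vs absolute form ("http://host/path?q", seen at proxies).
    parts = urlsplit(target)
    if parts.scheme:
        scheme, authority = parts.scheme, parts.netloc
    else:
        authority = hdr.get('host', '')
    path, query = parts.path or '/', parts.query

    props = {
        'method': method,
        'path': path,
        'query': query,
        'headers': headers,
        'body': 'sha256:' + hashlib.sha256(body).hexdigest(),   # file:bytes primary value
        # inet:http:param nodes: name is lower: True, value is the decoded parameter value.
        'params': [(k.lower(), v) for k, v in parse_qsl(query, keep_blank_values=True)],
    }
    if authority:
        props['url'] = f'{scheme}://{authority}{path}' + (f'?{query}' if query else '')
        _, colon, portpart = authority.rpartition(':')
        props['server:port'] = int(portpart) if colon and portpart.isdigit() else DEFAULT_PORTS.get(scheme)
    if 'referer' in hdr:
        props['referer'] = hdr['referer']
    if 'cookie' in hdr:
        # :cookies is uniq + sorted; each element is one name=value pair from the Cookie: header.
        props['cookies'] = sorted({c.strip() for c in hdr['cookie'].split(';') if c.strip()})
    return props
```

Hashing the body rather than storing it keeps credentials such as the form fields in this sample out of the graph while still letting two requests with identical bodies be matched.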

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:http:request:header

An HTTP request header.

The base type for the form can be found at inet:http:request:header.

Properties:

name | type | doc | opts
:name | inet:http:header:name | The name of the HTTP request header. | Read Only: True
:value | str | The value of the HTTP request header. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:http:response:header

An HTTP response header.

The base type for the form can be found at inet:http:response:header.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :name | inet:http:header:name | The name of the HTTP response header. | Read Only: True |
| :value | str | The value of the HTTP response header. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:http:session

An HTTP session.

The base type for the form can be found at inet:http:session.

Properties:

| name | type | doc |
| --- | --- | --- |
| :contact | ps:contact | The ps:contact which owns the session. |
| :cookies | sorted: True, uniq: True | An array of cookies used to identify this specific session. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:iface

A network interface with a set of associated protocol addresses.

The base type for the form can be found at inet:iface.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :host | it:host | The guid of the host the interface is associated with. | |
| :name | strip: True | The interface name. Example: eth0 | |
| :network | it:network | The guid of the it:network the interface is connected to. | |
| :type | lower: True | The free-form interface type. | |
| :mac | inet:mac | The ethernet (MAC) address of the interface. | |
| :ipv4 | inet:ipv4 | The IPv4 address of the interface. | |
| :ipv6 | inet:ipv6 | The IPv6 address of the interface. | |
| :phone | tel:phone | The telephone number of the interface. | |
| :wifi:ssid | inet:wifi:ssid | The wifi SSID of the interface. | |
| :wifi:bssid | inet:mac | The wifi BSSID of the interface. | |
| :adid | it:adid | An advertising ID associated with the interface. | |
| :mob:imei | tel:mob:imei | The IMEI of the interface. | |
| :mob:imsi | tel:mob:imsi | The IMSI of the interface. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:ipv4

An IPv4 address.

The base type for the form can be found at inet:ipv4.

An example of inet:ipv4:

  • 1.2.3.4

Properties:

| name | type | doc |
| --- | --- | --- |
| :asn | inet:asn | The ASN to which the IPv4 address is currently assigned. |
| :latlong | geo:latlong | The best known latitude/longitude for the node. |
| :loc | loc | The geo-political location string for the IPv4. |
| :place | geo:place | The geo:place associated with the latlong property. |
| :type | str | The type of IP address (e.g., private, multicast, etc.). |
| :dns:rev | inet:fqdn | The most current DNS reverse lookup for the IPv4. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| inet:whois:iprec | -(ipwhois)> | inet:ipv4 | The source IP whois record describes the target IPv4 address. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:ipv6

An IPv6 address.

The base type for the form can be found at inet:ipv6.

An example of inet:ipv6:

  • 2607:f8b0:4004:809::200e

Properties:

| name | type | doc |
| --- | --- | --- |
| :asn | inet:asn | The ASN to which the IPv6 address is currently assigned. |
| :ipv4 | inet:ipv4 | The mapped ipv4. |
| :latlong | geo:latlong | The last known latitude/longitude for the node. |
| :place | geo:place | The geo:place associated with the latlong property. |
| :dns:rev | inet:fqdn | The most current DNS reverse lookup for the IPv6. |
| :loc | loc | The geo-political location string for the IPv6. |
| :type | str | The type of IP address (e.g., private, multicast, etc.). |
| :scope | enums: reserved,interface-local,link-local,realm-local,admin-local,site-local,organization-local,global,unassigned | The IPv6 scope of the address (e.g., global, link-local, etc.). |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| inet:whois:iprec | -(ipwhois)> | inet:ipv6 | The source IP whois record describes the target IPv6 address. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:mac

A 48-bit Media Access Control (MAC) address.

The base type for the form can be found at inet:mac.

An example of inet:mac:

  • aa:bb:cc:dd:ee:ff

Properties:

| name | type | doc |
| --- | --- | --- |
| :vendor | str | The vendor associated with the 24-bit prefix of a MAC address. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:passwd

A password string.

The base type for the form can be found at inet:passwd.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :md5 | hash:md5 | The MD5 hash of the password. | Read Only: True |
| :sha1 | hash:sha1 | The SHA1 hash of the password. | Read Only: True |
| :sha256 | hash:sha256 | The SHA256 hash of the password. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:proto

A network protocol name.

The base type for the form can be found at inet:proto.

Properties:

| name | type | doc |
| --- | --- | --- |
| :port | inet:port | The default port this protocol typically uses, if applicable. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:rfc2822:addr

An RFC 2822 Address field.

The base type for the form can be found at inet:rfc2822:addr.

An example of inet:rfc2822:addr:

  • "Visi Kenshoto" <visi@vertex.link>

Properties:

name

type

doc

opts

:name

ps:name

The name field parsed from an RFC 2822 address string.

Read Only: True

:email

inet:email

The email field parsed from an RFC 2822 address string.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.
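The :name and :email properties above are read-only because they are derived from the primary value when the node is created. The following is an added example, not Synapse's own type code: it derives the same two parts from an address field with the standard library's RFC 2822 parser, applies the lower-casing and whitespace collapsing that the ps:name and inet:email types perform, and rejects input from which no mailbox can be recovered. It also goes one step beyond the form, which models a single address, by splitting a whole To:/Cc: header into one record per mailbox. The sample strings are constructed.

```python
"""Derive the :name / :email parts of an inet:rfc2822:addr value.

Added example, not Synapse's normalization code. Assumes the
lower-casing and single-space collapsing of ps:name and inet:email.
"""
from email.utils import getaddresses, parseaddr
from typing import List, Optional


def _normalize(name: str, email: str) -> Optional[dict]:
    """Turn a (display name, addr-spec) pair into the sub-properties.

    Returns None when there is no user@host part: an ingest routine
    should drop such a value rather than create a garbage node.
    """
    if '@' not in email:
        return None
    record = {'email': email.lower()}
    # ps:name is lower + onespace: collapse whitespace runs, lower-case.
    name = ' '.join(name.split()).lower()
    if name:                       # a bare address has no :name at all
        record['name'] = name
    return record


def parse_rfc2822_addr(text: str) -> Optional[dict]:
    """Parse one RFC 2822 address field, e.g. '"Visi Kenshoto" <visi@vertex.link>'.

    parseaddr() strips the quotes from the display name and also
    accepts the comment form 'visi@vertex.link (Visi Kenshoto)'.
    """
    name, email = parseaddr(text)
    return _normalize(name, email)


def split_address_header(header: str) -> List[dict]:
    """Generalisation: a To:/Cc: header may carry several mailboxes.

    Emit one inet:rfc2822:addr record per mailbox, skipping any that
    do not normalize; getaddresses() handles commas inside quoted names.
    """
    records = []
    for name, email in getaddresses([header]):
        rec = _normalize(name, email)
        if rec is not None:
            records.append(rec)
    return records
```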

inet:search:query

An instance of a search query issued to a search engine.

The base type for the form can be found at inet:search:query.

Properties:

name

type

doc

opts

:text

str

The search query text.

Display: {'hint': 'text'}

:time

time

The time the web search was issued.

:acct

inet:web:acct

The account that the query was issued as.

:host

it:host

The host that issued the query.

:engine

lower: True

A simple name for the search engine used.

Example: google

:request

inet:http:request

The HTTP request used to issue the query.

:account

inet:service:account

The account which initiated the action.

:success

bool

Set to true if the action was successful.

:rule

inet:service:rule

The rule which allowed or denied the action.

:error:code

strip: True

The platform specific error code if the action was unsuccessful.

:error:reason

strip: True

The platform specific friendly error reason if the action was unsuccessful.

:platform

inet:service:platform

The platform where the action was initiated.

:instance

inet:service:instance

The platform instance where the action was initiated.

:session

inet:service:session

The session which initiated the action.

:client

inet:client

The network address of the client which initiated the action.

:client:host

it:host

The client host which initiated the action.

:server

inet:server

The network address of the server which handled the action.

:server:host

it:host

The server host which handled the action.

:id

strip: True

A platform specific ID which identifies the node.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:search:result

A single result from a web search.

The base type for the form can be found at inet:search:result.

Properties:

name

type

doc

:query

inet:search:query

The search query that produced the result.

:title

lower: True

The title of the matching web page.

:rank

int

The rank/order of the query result.

:url

inet:url

The URL hosting the matching content.

:text

lower: True

Extracted/matched text from the matched content.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:server

A network server address.

The base type for the form can be found at inet:server.

An example of inet:server:

  • tcp://1.2.3.4:80

Properties:

name

type

doc

opts

:proto

lower: True

The network protocol of the server.

Read Only: True

:ipv4

inet:ipv4

The IPv4 of the server.

Read Only: True

:ipv6

inet:ipv6

The IPv6 of the server.

Read Only: True

:host

it:host

The it:host node for the server.

Read Only: True

:port

inet:port

The server tcp/udp port.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.
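The read-only :proto, :ipv4, :ipv6 and :port properties of inet:server are split out of the primary value, so a value such as tcp://1.2.3.4:80 carries all of them. The following is an added example, not Synapse's type implementation: it parses that grammar (proto://address[:port], with IPv6 in brackets), lower-cases the protocol as the opts require, validates the address and the 16-bit port, and rebuilds the canonical value from the parts. It assumes literal IP addresses only; the :host property (an it:host) cannot be derived from the address string and is left unset. Sample values are constructed.

```python
"""Derive the sub-properties of an inet:server value such as tcp://1.2.3.4:80.

Added example, not Synapse's own normalization. Assumes the value grammar
proto://address[:port] with literal IPv4/IPv6 addresses (IPv6 bracketed).
"""
import ipaddress
import re
from typing import Optional

_SERVER_RE = re.compile(
    r'^(?P<proto>[a-z][a-z0-9+.-]*)://'          # scheme, lower-cased later
    r'(?:\[(?P<ip6>[0-9a-f:.]+)\]|(?P<ip4>[0-9.]+))'  # [v6] or dotted v4
    r'(?::(?P<port>\d{1,5}))?$',                   # optional port
    re.IGNORECASE)


def parse_server(text: str) -> Optional[dict]:
    """Return {'proto', 'ipv4' | 'ipv6', 'port'?} or None if the value is invalid.

    Exactly one of ipv4 / ipv6 is set; the port must fit in 16 bits.
    Addresses are canonicalized (IPv6 compressed and lower-cased), so
    two spellings of the same endpoint produce the same properties.
    """
    m = _SERVER_RE.match(text.strip())
    if m is None:
        return None
    props = {'proto': m['proto'].lower()}      # :proto has lower: True
    try:
        if m['ip6'] is not None:
            props['ipv6'] = str(ipaddress.IPv6Address(m['ip6']))
        else:
            props['ipv4'] = str(ipaddress.IPv4Address(m['ip4']))
    except ValueError:                          # e.g. 999.1.1.1
        return None
    if m['port'] is not None:
        port = int(m['port'])
        if port > 65535:
            return None
        props['port'] = port
    return props


def format_server(props: dict) -> str:
    """Inverse of parse_server(): rebuild the canonical primary value."""
    host = props['ipv4'] if 'ipv4' in props else f"[{props['ipv6']}]"
    port = f":{props['port']}" if 'port' in props else ''
    return f"{props['proto']}://{host}{port}"
```

Because the parts round-trip through format_server(), the canonical string is the natural deduplication key for an inet:server node; the same parser serves the :server:* sub-properties of inet:servfile, which are the same fields prefixed with server:.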

inet:servfile

A file hosted on a server for access over a network protocol.

The base type for the form can be found at inet:servfile.

Properties:

name

type

doc

opts

:file

file:bytes

The file hosted by the server.

Read Only: True

:server

inet:server

The network address of the server.

Read Only: True

:server:proto

lower: True

The network protocol of the server.

Read Only: True

:server:ipv4

inet:ipv4

The IPv4 of the server.

Read Only: True

:server:ipv6

inet:ipv6

The IPv6 of the server.

Read Only: True

:server:host

it:host

The it:host node for the server.

Read Only: True

:server:port

inet:port

The server tcp/udp port.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:service:access

Represents a user access request to a service resource.

The base type for the form can be found at inet:service:access.

Properties:

name

type

doc

:resource

inet:service:resource

The resource which the account attempted to access.

:type

enums: ((10, 'create'), (30, 'read'), (40, 'update'), (50, 'delete'), (60, 'list'), (70, 'execute'))

The type of access requested.

:time

time

The time that the account initiated the action.

:account

inet:service:account

The account which initiated the action.

:success

bool

Set to true if the action was successful.

:rule

inet:service:rule

The rule which allowed or denied the action.

:error:code

strip: True

The platform specific error code if the action was unsuccessful.

:error:reason

strip: True

The platform specific friendly error reason if the action was unsuccessful.

:platform

inet:service:platform

The platform where the action was initiated.

:instance

inet:service:instance

The platform instance where the action was initiated.

:session

inet:service:session

The session which initiated the action.

:client

inet:client

The network address of the client which initiated the action.

:client:host

it:host

The client host which initiated the action.

:server

inet:server

The network address of the server which handled the action.

:server:host

it:host

The server host which handled the action.

:id

strip: True

A platform specific ID which identifies the node.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.
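inet:service:access records one access attempt with its :type (the enum above), :success, :time, :account, :resource and :client. The following is an added example, not Synapse or vendor code: it maps a constructed object-storage access log onto those properties (HTTP method to the :type enum, HTTP status to :success and :error:code, client ip:port to the inet:client value), packs each record into the (form, value), {'props': ...} node shape that I assume matches Synapse's syn.nodes feed format, and then runs one detection that this model makes easy: an account whose denied reads are followed within a short window by a successful access, the shape of an authorization probe that eventually worked. The log lines, the method/status mapping and the request id are constructed assumptions; stable_guid() is an assumed stand-in for Storm's $lib.guid() seeded guids.

```python
"""inet:service:access records from a constructed access log, plus a
failed-then-succeeded detection. Added example, not Synapse/vendor code."""
import hashlib
import json
from datetime import datetime

# :type enum values as listed for inet:service:access.
ACCESS_TYPE = {'create': 10, 'read': 30, 'update': 40, 'delete': 50,
               'list': 60, 'execute': 70}
# Assumed mapping from HTTP method to access type for this platform.
METHOD_TO_TYPE = {'PUT': 'create', 'GET': 'read', 'HEAD': 'read',
                  'PATCH': 'update', 'DELETE': 'delete'}

# Constructed sample: time, account id, client ip:port, method, object key, status.
SAMPLE_LOG = [
    '2024-05-01T12:00:00Z acct-7f3a 203.0.113.7:51234 GET reports/q1.xlsx 403',
    '2024-05-01T12:00:05Z acct-7f3a 203.0.113.7:51235 GET reports/q1.xlsx 403',
    '2024-05-01T12:00:09Z acct-7f3a 203.0.113.7:51236 GET reports/q2.xlsx 403',
    '2024-05-01T12:00:14Z acct-7f3a 203.0.113.7:51237 GET reports/q1.xlsx 200',
    '2024-05-01T12:01:00Z acct-0c21 198.51.100.4:4450 PUT uploads/a.bin 200',
    '2024-05-01T12:02:00Z acct-0c21 198.51.100.4:4451 GET uploads/a.bin 200',
]


def stable_guid(*seed) -> str:
    """Deterministic 32-hex guid from a seed (assumed stand-in for $lib.guid()),
    so re-ingesting the same log yields the same account/resource nodes."""
    return hashlib.md5(json.dumps(seed).encode()).hexdigest()


def access_from_line(line: str) -> dict:
    """Map one log line onto inet:service:access properties."""
    ts, acct, client, method, key, status = line.split()
    status = int(status)
    props = {
        'time': ts,
        'type': ACCESS_TYPE[METHOD_TO_TYPE[method]],
        'account': stable_guid('inet:service:account', acct),
        'resource': stable_guid('inet:service:resource', key),
        'client': f'tcp://{client}',          # inet:client value
        'success': status < 400,
        'id': f'{acct}/{ts}',                 # assumed platform request id
    }
    if not props['success']:
        props['error:code'] = str(status)     # platform specific error code
    return props


def as_node(props: dict):
    """Pack properties as ((form, valu), {'props': ...}) for a syn.nodes feed (assumed shape)."""
    return (('inet:service:access', stable_guid('inet:service:access', props['id'])),
            {'props': props})


def sample_records():
    return [access_from_line(line) for line in SAMPLE_LOG]


def failed_then_success(records, min_failures=2, window_s=60):
    """Accounts with >= min_failures denied attempts followed, within
    window_s seconds, by a successful access. Grouping is per account, not
    per resource, so probing across objects before the success is counted."""
    by_acct = {}
    for rec in sorted(records, key=lambda r: r['time']):
        by_acct.setdefault(rec['account'], []).append(rec)
    hits = []
    for acct, recs in by_acct.items():
        fails = []                            # timestamps of recent denials
        for rec in recs:
            t = datetime.fromisoformat(rec['time'].replace('Z', '+00:00'))
            fails = [f for f in fails if (t - f).total_seconds() <= window_s]
            if not rec['success']:
                fails.append(t)
                continue
            if len(fails) >= min_failures:
                hits.append({'account': acct, 'resource': rec['resource'],
                             'failures': len(fails)})
            fails = []                        # success resets the streak
    return hits
```

The same detection is expressed in the graph by lifting inet:service:access nodes with :success=false and pivoting through :account to later successful accesses by the same account; keeping :error:code lets the analyst separate policy denials from missing objects when tuning the failure threshold.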

inet:service:account

An account within a service platform. Accounts may be instance specific.

The base type for the form can be found at inet:service:account.

Properties:

name

type

doc

:user

inet:user

The current user name of the account.

:email

inet:email

The current email address associated with the account.

:tenant

inet:service:tenant

The tenant which contains the account.

:profile

ps:contact

The primary contact information for the account.

:url

inet:url

The primary URL associated with the account.

:status

inet:service:object:status

The status of the account.

:period

ival

The period when the account existed.

:creator

inet:service:account

The service account which created the account.

:remover

inet:service:account

The service account which removed or decommissioned the account.

:id

strip: True

A platform specific ID which identifies the account.

:platform

inet:service:platform

The platform which defines the account.

:instance

inet:service:instance

The platform instance which defines the account.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:service:bucket

A file/blob storage object within a service architecture.

The base type for the form can be found at inet:service:bucket.

Properties:

name

type

doc

:name

onespace: True
lower: True

The name of the service resource.

:url

inet:url

The primary URL associated with the bucket.

:status

inet:service:object:status

The status of the bucket.

:period

ival

The period when the bucket existed.

:creator

inet:service:account

The service account which created the bucket.

:remover

inet:service:account

The service account which removed or decommissioned the bucket.

:id

strip: True

A platform specific ID which identifies the bucket.

:platform

inet:service:platform

The platform which defines the bucket.

:instance

inet:service:instance

The platform instance which defines the bucket.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:service:bucket:item

An individual file stored within a bucket.

The base type for the form can be found at inet:service:bucket:item.

Properties:

name

type

doc

:bucket

inet:service:bucket

The bucket which contains the item.

:file

file:bytes

The bytes stored within the bucket item.

:file:name

file:path

The name of the file stored in the bucket item.

:url

inet:url

The primary URL associated with the bucket item.

:status

inet:service:object:status

The status of the bucket item.

:period

ival

The period when the bucket item existed.

:creator

inet:service:account

The service account which created the bucket item.

:remover

inet:service:account

The service account which removed or decommissioned the bucket item.

:id

strip: True

A platform specific ID which identifies the bucket item.

:platform

inet:service:platform

The platform which defines the bucket item.

:instance

inet:service:instance

The platform instance which defines the bucket item.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:service:channel

A channel used to distribute messages.

The base type for the form can be found at inet:service:channel.

Properties:

name

type

doc

:name

onespace: True
lower: True

The name of the channel.

:period

ival

The time period where the channel was available.

:url

inet:url

The primary URL associated with the channel.

:status

inet:service:object:status

The status of the channel.

:creator

inet:service:account

The service account which created the channel.

:remover

inet:service:account

The service account which removed or decommissioned the channel.

:id

strip: True

A platform specific ID which identifies the channel.

:platform

inet:service:platform

The platform which defines the channel.

:instance

inet:service:instance

The platform instance which defines the channel.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:service:channel:member

Represents a service account being a member of a channel.

The base type for the form can be found at inet:service:channel:member.

Properties:

name

type

doc

:channel

inet:service:channel

The channel that the account was a member of.

:account

inet:service:account

The account that was a member of the channel.

:period

ival

The time period where the account was a member of the channel.

:url

inet:url

The primary URL associated with the channel membership.

:status

inet:service:object:status

The status of the channel membership.

:creator

inet:service:account

The service account which created the channel membership.

:remover

inet:service:account

The service account which removed or decommissioned the channel membership.

:id

strip: True

A platform specific ID which identifies the channel membership.

:platform

inet:service:platform

The platform which defines the channel membership.

:instance

inet:service:instance

The platform instance which defines the channel membership.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:service:emote

An emote or reaction by an account.

The base type for the form can be found at inet:service:emote.

Properties:

name

type

doc

opts

:about

inet:service:object

The node that the emote is about.

:text

strip: True

The unicode or emote text of the reaction.

Example: :partyparrot:

:url

inet:url

The primary URL associated with the emote.

:status

inet:service:object:status

The status of the emote.

:period

ival

The period when the emote existed.

:creator

inet:service:account

The service account which created the emote.

:remover

inet:service:account

The service account which removed or decommissioned the emote.

:id

strip: True

A platform specific ID which identifies the emote.

:platform

inet:service:platform

The platform which defines the emote.

:instance

inet:service:instance

The platform instance which defines the emote.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:service:group

A group or role which contains member accounts.

The base type for the form can be found at inet:service:group.

Properties:

name

type

doc

:name

inet:group

The name of the group on this platform.

:profile

ps:contact

Current detailed contact information for this group.

:url

inet:url

The primary URL associated with the group.

:status

inet:service:object:status

The status of the group.

:period

ival

The period when the group existed.

:creator

inet:service:account

The service account which created the group.

:remover

inet:service:account

The service account which removed or decommissioned the group.

:id

strip: True

A platform specific ID which identifies the group.

:platform

inet:service:platform

The platform which defines the group.

:instance

inet:service:instance

The platform instance which defines the group.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:service:group:member

Represents a service account being a member of a group.

The base type for the form can be found at inet:service:group:member.

Properties:

name

type

doc

:account

inet:service:account

The account that is a member of the group.

:group

inet:service:group

The group that the account is a member of.

:period

ival

The time period when the account was a member of the group.

:url

inet:url

The primary URL associated with the group membership.

:status

inet:service:object:status

The status of the group membership.

:creator

inet:service:account

The service account which created the group membership.

:remover

inet:service:account

The service account which removed or decommissioned the group membership.

:id

strip: True

A platform specific ID which identifies the group membership.

:platform

inet:service:platform

The platform which defines the group membership.

:instance

inet:service:instance

The platform instance which defines the group membership.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.
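The two membership forms above, inet:service:channel:member and inet:service:group:member, record who belonged to what, for which :period, and which account granted it (:creator). The Storm below is an added example and is not part of the Synapse documentation; the platform, the accounts alice, bob and mallory, the "admins" group, the "incident response" channel, the dates and the guid tuples are all constructed for illustration. It loads a handful of memberships and then asks the questions an investigator asks of this data: who held a privileged group on a given day, which grants were made by someone other than the group's creator, and what a suspect account both holds and handed out.

```storm
// Added example, not from the Synapse docs. Platform, accounts, group, channel,
// dates and guid tuples are constructed for illustration. Guid forms accept a
// tuple, so reusing the same tuple resolves to the same node every time this
// script runs (the load is idempotent).

// Query 1: load the platform, three accounts, a privileged group and a channel.
[ inet:service:platform=(example, chat) :name="example chat" :url=https://chat.example.com ]
[ inet:service:account=(example, chat, alice) :user=alice :platform=(example, chat) ]
[ inet:service:account=(example, chat, bob) :user=bob :platform=(example, chat) ]
[ inet:service:account=(example, chat, mallory) :user=mallory :platform=(example, chat) ]

[ inet:service:group=(example, chat, admins) :name=admins :platform=(example, chat)
    :creator=(example, chat, alice) :period=(2023-11-01, ?) ]
[ inet:service:channel=(example, chat, ir) :name="incident response" :platform=(example, chat)
    :creator=(example, chat, alice) :period=(2023-11-01, ?) ]

// Memberships carry a :period, so membership is a time-bounded fact rather than
// a flag. bob held admin for six weeks. mallory's admin membership is still open
// and was granted by bob, not by the group's creator; bob also added mallory to
// the incident-response channel the next day.
[ inet:service:group:member=(example, chat, admins, bob)
    :group=(example, chat, admins) :account=(example, chat, bob)
    :period=(2024-01-10, 2024-02-20) :creator=(example, chat, alice) ]
[ inet:service:group:member=(example, chat, admins, mallory)
    :group=(example, chat, admins) :account=(example, chat, mallory)
    :period=(2024-02-15, ?) :creator=(example, chat, bob) ]
[ inet:service:channel:member=(example, chat, ir, mallory)
    :channel=(example, chat, ir) :account=(example, chat, mallory)
    :period=(2024-02-16, ?) :creator=(example, chat, bob) ]

// Query 2: who held admin on 2024-02-18? The @= comparator tests interval
// overlap, so both bob (until 2024-02-20) and mallory (open-ended) are returned.
inet:service:group:name=admins -> inet:service:group:member
    +:period@=2024-02-18
    :account -> inet:service:account

// Query 3: admin memberships granted by someone other than the group's creator.
// $owner is set per group node and travels with it through the pivot, so each
// membership is compared against its own group's :creator. The bare +:creator
// filter drops memberships with no recorded grantor, which the negative filter
// alone would let through. Returns mallory.
inet:service:group:name=admins
$owner = :creator
-> inet:service:group:member +:creator -:creator=$owner
:account -> inet:service:account

// Query 4: what a suspect account touched. The pivot into the membership forms
// follows every property of type inet:service:account (:account, :creator and
// :remover), so it returns memberships bob holds as well as ones bob granted or
// revoked; the +:creator filter keeps only the grants.
inet:service:account:user=bob
$bob = $node.value()
-> inet:service:group:member +:creator=$bob
```

The same three query shapes apply unchanged to inet:service:channel:member by swapping :group for :channel. The caveat in Query 3 generalises: a negative filter such as -:creator=$owner never excludes nodes that lack the property, so audits that hinge on "granted by X" should first require the property to be present.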

inet:service:instance

An instance of a platform, such as a single Slack workspace or Discord server.

The base type for the form can be found at inet:service:instance.

Properties:

name

type

doc

opts

:id

strip: True

A platform specific ID to identify the service instance.

Example: B8ZS2

:platform

inet:service:platform

The platform which defines the service instance.

:url

inet:url

The primary URL which identifies the service instance.

Example: https://v.vtx.lk/slack

:name

lower: True
onespace: True

The name of the service instance.

Example: synapse users slack

:desc

str

A description of the service instance.

Display: {'hint': 'text'}

:period

ival

The time period where the instance existed.

:status

inet:service:object:status

The status of this instance.

:creator

inet:service:account

The service account which created the instance.

:owner

inet:service:account

The service account which owns the instance.

:tenant

inet:service:tenant

The tenant which contains the instance.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:service:login

A login event for a service account.

The base type for the form can be found at inet:service:login.

Properties:

name

type

doc

:method

inet:service:login:method:taxonomy

The type of authentication used for the login. For example “password” or “multifactor.sms”.

:time

time

The time that the account initiated the action.

:account

inet:service:account

The account which initiated the action.

:success

bool

Set to true if the action was successful.

:rule

inet:service:rule

The rule which allowed or denied the action.

:error:code

strip: True

The platform specific error code if the action was unsuccessful.

:error:reason

strip: True

The platform specific friendly error reason if the action was unsuccessful.

:platform

inet:service:platform

The platform where the action was initiated.

:instance

inet:service:instance

The platform instance where the action was initiated.

:session

inet:service:session

The session which initiated the action.

:client

inet:client

The network address of the client which initiated the action.

:client:host

it:host

The client host which initiated the action.

:server

inet:server

The network address of the server which handled the action.

:server:host

it:host

The server host which handled the action.

:id

strip: True

A platform specific ID which identifies the node.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.
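inet:service:login (above) and inet:service:instance (earlier on this page) together let a login be placed on one instance of a platform and carry its outcome (:success), method (:method), error (:error:code, :error:reason) and origin (:client). The Storm below is an added example and is not part of the Synapse documentation; the platform, the "corp workspace" instance, the account alice, the client addresses, timestamps, error codes and guid tuples are all constructed. It loads a short credential-guessing burst and then runs the queries an analyst would run against real login data: tally failures per account and source address, check whether the failing source later succeeded, and scope the count to one instance.

```storm
// Added example, not from the Synapse docs. Platform, instance, account, client
// addresses, times and error codes are constructed for illustration. Guid
// tuples are used instead of =* so re-running the load does not create
// duplicate login nodes.

// Query 1: load a platform, one instance of it (a single workspace) and an account.
[ inet:service:platform=(example, chat) :name="example chat" :url=https://chat.example.com ]
[ inet:service:instance=(example, chat, corp) :platform=(example, chat)
    :name="corp workspace" :url=https://corp.chat.example.com :id=WS0001
    :period=(2023-06-01, ?) ]
[ inet:service:account=(example, chat, alice) :user=alice :platform=(example, chat)
    :instance=(example, chat, corp) ]

// Five password failures from one client within ninety seconds, then a success
// from the same client, plus an MFA-backed success earlier that day from alice's
// usual address.
for $time in ("2024-03-01 12:00:00", "2024-03-01 12:00:20", "2024-03-01 12:00:40",
              "2024-03-01 12:01:00", "2024-03-01 12:01:20") {
    [ inet:service:login=(example, chat, alice, $time)
        :account=(example, chat, alice) :platform=(example, chat)
        :instance=(example, chat, corp) :time=$time
        :method=password :success=false
        :client=tcp://198.51.100.7:51000
        :error:code=invalid_password :error:reason="incorrect password" ]
}
[ inet:service:login=(example, chat, alice, "2024-03-01 12:01:40")
    :account=(example, chat, alice) :platform=(example, chat) :instance=(example, chat, corp)
    :time="2024-03-01 12:01:40" :method=password :success=true
    :client=tcp://198.51.100.7:51000 ]
[ inet:service:login=(example, chat, alice, "2024-03-01 08:15:00")
    :account=(example, chat, alice) :platform=(example, chat) :instance=(example, chat, corp)
    :time="2024-03-01 08:15:00" :method=multifactor.sms :success=true
    :client=tcp://203.0.113.22:44012 ]

// Query 2 (hunt): tally password failures per account and client address and
// report pairs at or above a threshold. $lib.stats.tally() accumulates while
// nodes stream through; the fini block runs once after the last node.
$threshold = 5
$tally = $lib.stats.tally()
inet:service:login:success=false +:method=password
$acct = :account
$cli = :client
$tally.inc($lib.str.format("{acct} from {cli}", acct=$acct, cli=$cli))
fini {
    for ($key, $count) in $tally {
        if ($count >= $threshold) {
            $lib.print("credential attack candidate: {key} ({count} failures)", key=$key, count=$count)
        }
    }
}

// Query 3 (follow-up): did the address behind the failures ever succeed? Start
// from the failures, carry the client address along the path, pivot to the
// account and back out to its successful logins from that same address.
inet:service:login:success=false
$cli = :client
-> inet:service:account -> inet:service:login +:success=true +:client=$cli
| uniq

// Query 4: scope by instance rather than by account. Pivoting from the instance
// follows inet:service:login:instance, so this counts every failed login against
// the corp workspace regardless of which account was targeted.
inet:service:instance:name="corp workspace" -> inet:service:login +:success=false | count
```

Two things to keep in mind when running the hunt on real data: the tally is keyed by the account guid, so pivot from a flagged guid to inet:service:account to read its :user before acting on it; and :success=false alone also matches benign failures such as expired sessions, so on platforms that populate :error:code it is worth filtering on the codes that indicate a wrong credential, as the constructed data does with invalid_password.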

inet:service:message

A message or post created by an account.

The base type for the form can be found at inet:service:message.

Properties:

name

type

doc

opts

:account

inet:service:account

The account which sent the message.

:to

inet:service:account

The destination account. Used for direct messages.

:url

inet:url

The URL where the message may be viewed.

:group

inet:service:group

The group that the message was sent to.

:channel

inet:service:channel

The channel that the message was sent to.

:thread

inet:service:thread

The thread which contains the message.

:public

bool

Set to true if the message is publicly visible.

| name | type | doc | opts |
|---|---|---|---|
| :title | lower: True, onespace: True | The message title. | |
| :text | str | The text body of the message. | Display: {'hint': 'text'} |
| :status | inet:service:object:status | The message status. | |
| :replyto | inet:service:message | The message that this message was sent in reply to. Used for message threading. | |
| :repost | inet:service:message | The original message reposted by this message. | |
| :links | uniq: True, sorted: True | An array of links contained within the message. | |
| :attachments | uniq: True, sorted: True | An array of files attached to the message. | |
| :place | geo:place | The place that the message was sent from. | |
| :place:name | geo:name | The name of the place that the message was sent from. | |
| :client:address | inet:client | Deprecated. Please use :client. | Deprecated: True |
| :client:software | it:prod:softver | The client software version used to send the message. | |
| :client:software:name | it:prod:softname | The name of the client software used to send the message. | |
| :file | file:bytes | The raw file that the message was extracted from. | |
| :type | inet:service:message:type:taxonomy | The type of message. | |
| :time | time | The time that the account initiated the action. | |
| :success | bool | Set to true if the action was successful. | |
| :rule | inet:service:rule | The rule which allowed or denied the action. | |
| :error:code | strip: True | The platform specific error code if the action was unsuccessful. | |
| :error:reason | strip: True | The platform specific friendly error reason if the action was unsuccessful. | |
| :platform | inet:service:platform | The platform where the action was initiated. | |
| :instance | inet:service:instance | The platform instance where the action was initiated. | |
| :session | inet:service:session | The session which initiated the action. | |
| :client | inet:client | The network address of the client which initiated the action. | |
| :client:host | it:host | The client host which initiated the action. | |
| :server | inet:server | The network address of the server which handled the action. | |
| :server:host | it:host | The server host which handled the action. | |
| :id | strip: True | A platform specific ID which identifies the node. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:service:message:attachment

A file attachment included within a message.

The base type for the form can be found at inet:service:message:attachment.

Properties:

| name | type | doc |
|---|---|---|
| :name | file:path | The name of the attached file. |
| :text | str | Any text associated with the file such as alt-text for images. |
| :file | file:bytes | The file which was attached to the message. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:service:message:type:taxonomy

A message type taxonomy.

The base type for the form can be found at inet:service:message:type:taxonomy.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | inet:service:message:type:taxonomy | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:service:permission

A permission which may be granted to a service account or role.

The base type for the form can be found at inet:service:permission.

Properties:

| name | type | doc |
|---|---|---|
| :name | onespace: True, lower: True | The name of the permission. |
| :type | inet:service:permission:type:taxonomy | The type of permission. |
| :url | inet:url | The primary URL associated with the permission. |
| :status | inet:service:object:status | The status of the permission. |
| :period | ival | The period when the permission existed. |
| :creator | inet:service:account | The service account which created the permission. |
| :remover | inet:service:account | The service account which removed or decommissioned the permission. |
| :id | strip: True | A platform specific ID which identifies the permission. |
| :platform | inet:service:platform | The platform which defines the permission. |
| :instance | inet:service:instance | The platform instance which defines the permission. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:service:permission:type:taxonomy

A permission type taxonomy.

The base type for the form can be found at inet:service:permission:type:taxonomy.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | inet:service:permission:type:taxonomy | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:service:platform

A network platform which provides services.

The base type for the form can be found at inet:service:platform.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :url | inet:url | The primary URL of the platform. | Example: https://twitter.com |
| :name | onespace: True, lower: True | A friendly name for the platform. | Example: twitter |
| :desc | str | A description of the service platform. | Display: {'hint': 'text'} |
| :provider | ou:org | The organization which operates the platform. | |
| :provider:name | ou:name | The name of the organization which operates the platform. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:service:relationship

A relationship between two service objects.

The base type for the form can be found at inet:service:relationship.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :source | inet:service:object | The source object. | |
| :target | inet:service:object | The target object. | |
| :type | inet:service:relationship:type:taxonomy | The type of relationship between the source and the target. | Example: follows |
| :url | inet:url | The primary URL associated with the relationship. | |
| :status | inet:service:object:status | The status of the relationship. | |
| :period | ival | The period when the relationship existed. | |
| :creator | inet:service:account | The service account which created the relationship. | |
| :remover | inet:service:account | The service account which removed or decommissioned the relationship. | |
| :id | strip: True | A platform specific ID which identifies the relationship. | |
| :platform | inet:service:platform | The platform which defines the relationship. | |
| :instance | inet:service:instance | The platform instance which defines the relationship. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:service:relationship:type:taxonomy

A service object relationship type taxonomy.

The base type for the form can be found at inet:service:relationship:type:taxonomy.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | inet:service:relationship:type:taxonomy | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:service:resource

A generic resource provided by the service architecture.

The base type for the form can be found at inet:service:resource.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :name | onespace: True, lower: True | The name of the service resource. | |
| :desc | str | A description of the service resource. | Display: {'hint': 'text'} |
| :url | inet:url | The primary URL where the resource is available from the service. | |
| :type | inet:service:resource:type:taxonomy | The resource type. For example "rpc.endpoint". | |
| :status | inet:service:object:status | The status of the resource. | |
| :period | ival | The period when the resource existed. | |
| :creator | inet:service:account | The service account which created the resource. | |
| :remover | inet:service:account | The service account which removed or decommissioned the resource. | |
| :id | strip: True | A platform specific ID which identifies the resource. | |
| :platform | inet:service:platform | The platform which defines the resource. | |
| :instance | inet:service:instance | The platform instance which defines the resource. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:service:resource:type:taxonomy

A taxonomy of inet service resource types.

The base type for the form can be found at inet:service:resource:type:taxonomy.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | inet:service:resource:type:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:service:rule

A rule which grants or denies a permission to a service account or role.

The base type for the form can be found at inet:service:rule.

Properties:

name | type | doc
:permission | inet:service:permission | The permission which is granted.
:denied | bool | Set to (true) to denote that the rule is an explicit deny.
:object | interface: inet:service:object | The object that the permission controls access to.
:grantee | forms: ('inet:service:account', 'inet:service:group') | The user or role which is granted the permission.
:url | inet:url | The primary URL associated with the rule.
:status | inet:service:object:status | The status of the rule.
:period | ival | The period when the rule existed.
:creator | inet:service:account | The service account which created the rule.
:remover | inet:service:account | The service account which removed or decommissioned the rule.
:id | strip: True | A platform specific ID which identifies the rule.
:platform | inet:service:platform | The platform which defines the rule.
:instance | inet:service:instance | The platform instance which defines the rule.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:mitigation | -(uses)> | inet:service:rule | The mitigation uses the service rule.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:service:session

An authenticated session.

The base type for the form can be found at inet:service:session.

Properties:

name | type | doc
:creator | inet:service:account | The account which authenticated to create the session.
:period | ival | The period where the session was valid.
:http:session | inet:http:session | The HTTP session associated with the service session.
:url | inet:url | The primary URL associated with the session.
:status | inet:service:object:status | The status of the session.
:remover | inet:service:account | The service account which removed or decommissioned the session.
:id | strip: True | A platform specific ID which identifies the session.
:platform | inet:service:platform | The platform which defines the session.
:instance | inet:service:instance | The platform instance which defines the session.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:service:subscription

A subscription to a service platform or instance.

The base type for the form can be found at inet:service:subscription.

Properties:

name | type | doc
:level | inet:service:subscription:level:taxonomy | A platform specific subscription level.
:pay:instrument | econ:pay:instrument | The primary payment instrument used to pay for the subscription.
:subscriber | inet:service:subscriber | The subscriber who owns the subscription.
:url | inet:url | The primary URL associated with the subscription.
:status | inet:service:object:status | The status of the subscription.
:period | ival | The period when the subscription existed.
:creator | inet:service:account | The service account which created the subscription.
:remover | inet:service:account | The service account which removed or decommissioned the subscription.
:id | strip: True | A platform specific ID which identifies the subscription.
:platform | inet:service:platform | The platform which defines the subscription.
:instance | inet:service:instance | The platform instance which defines the subscription.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:service:subscription:level:taxonomy

A taxonomy of platform specific subscription levels.

The base type for the form can be found at inet:service:subscription:level:taxonomy.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | inet:service:subscription:level:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:service:tenant

A tenant which groups accounts and instances.

The base type for the form can be found at inet:service:tenant.

Properties:

name | type | doc
:profile | ps:contact | The primary contact information for the tenant.
:url | inet:url | The primary URL associated with the tenant.
:status | inet:service:object:status | The status of the tenant.
:period | ival | The period when the tenant existed.
:creator | inet:service:account | The service account which created the tenant.
:remover | inet:service:account | The service account which removed or decommissioned the tenant.
:id | strip: True | A platform specific ID which identifies the tenant.
:platform | inet:service:platform | The platform which defines the tenant.
:instance | inet:service:instance | The platform instance which defines the tenant.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:service:thread

A message thread.

The base type for the form can be found at inet:service:thread.

Properties:

name | type | doc
:title | lower: True, onespace: True | The title of the thread.
:channel | inet:service:channel | The channel that contains the thread.
:message | inet:service:message | The message which initiated the thread.
:url | inet:url | The primary URL associated with the thread.
:status | inet:service:object:status | The status of the thread.
:period | ival | The period when the thread existed.
:creator | inet:service:account | The service account which created the thread.
:remover | inet:service:account | The service account which removed or decommissioned the thread.
:id | strip: True | A platform specific ID which identifies the thread.
:platform | inet:service:platform | The platform which defines the thread.
:instance | inet:service:instance | The platform instance which defines the thread.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:ssl:cert

Deprecated. Please use inet:tls:servercert or inet:tls:clientcert.

The base type for the form can be found at inet:ssl:cert.

Properties:

name | type | doc | opts
:file | file:bytes | The file bytes for the SSL certificate. | Read Only: True
:server | inet:server | The server that presented the SSL certificate. | Read Only: True
:server:ipv4 | inet:ipv4 | The SSL server IPv4 address. | Read Only: True
:server:ipv6 | inet:ipv6 | The SSL server IPv6 address. | Read Only: True
:server:port | inet:port | The SSL server listening port. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:ssl:jarmhash

A TLS JARM fingerprint hash.

The base type for the form can be found at inet:ssl:jarmhash.

Properties:

name

type

doc

opts

:ciphers

lower: True
strip: True
regex: ^[0-9a-f]{30}$

The encoded cipher and TLS version of the server.

Read Only: True

:extensions

lower: True
strip: True
regex: ^[0-9a-f]{32}$

The truncated SHA256 of the TLS server extensions.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:ssl:jarmsample

A JARM hash sample taken from a server.

The base type for the form can be found at inet:ssl:jarmsample.

Properties:

name

type

doc

opts

:jarmhash

inet:ssl:jarmhash

The JARM hash computed from the server responses.

Read Only: True

:server

inet:server

The server that was sampled to compute the JARM hash.

Read Only: True
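The inet:ssl:jarmhash and inet:ssl:jarmsample entries above describe the shape of a JARM value (a 30-hex-char :ciphers component followed by a 32-hex-char :extensions component, normalised with lower and strip) without showing how to take one apart. The following is an added example, not code from Synapse or from this page: it validates a JARM string with the same regexes the form's opts list, splits it into the two properties, breaks :ciphers into the ten per-probe results, and builds the (server, jarmhash) pair an inet:ssl:jarmsample is keyed on. The per-probe version-code mapping is an assumption taken from the JARM reference scanner, the sample JARM value is used only as input and is not attributed to any server here, and the inet:server value is made up from documentation address space.

```python
import re
from dataclasses import dataclass

# Regexes copied from the opts on inet:ssl:jarmhash:ciphers / :extensions.
CIPHERS_RE = re.compile(r'^[0-9a-f]{30}$')
EXTENSIONS_RE = re.compile(r'^[0-9a-f]{32}$')
JARM_LEN = 30 + 32

# All zeros: none of the scanner's probes got a TLS ServerHello back.
NULL_JARM = '0' * JARM_LEN

# Each of the ten probes contributes three hex chars: a two-char cipher index
# and a one-char version code.  The version mapping is an assumption taken
# from the JARM reference scanner; '0' means the probe was not answered.
VERSION_CODES = {'0': None, 'a': 'SSLv3', 'b': 'TLS1.0', 'c': 'TLS1.1',
                 'd': 'TLS1.2', 'e': 'TLS1.3'}


@dataclass(frozen=True)
class JarmHash:
    ciphers: str      # inet:ssl:jarmhash:ciphers (30 hex chars)
    extensions: str   # inet:ssl:jarmhash:extensions (32 hex chars)

    @property
    def value(self) -> str:
        """The full 62-char primary property value."""
        return self.ciphers + self.extensions

    def is_null(self) -> bool:
        return self.value == NULL_JARM

    def probes(self) -> list:
        """The ten per-probe results in scan order, e.g. '07d' or '000'."""
        return [self.ciphers[i:i + 3] for i in range(0, 30, 3)]

    def versions(self) -> list:
        """Negotiated TLS version per probe; None where the probe got no answer."""
        return [VERSION_CODES.get(p[2]) for p in self.probes()]


def parse_jarm(raw: str) -> JarmHash:
    """Normalise and validate a JARM string as the form's opts describe."""
    norm = raw.strip().lower()                       # strip: True, lower: True
    if len(norm) != JARM_LEN:
        raise ValueError(f'JARM must be {JARM_LEN} hex chars, got {len(norm)}')
    ciphers, extensions = norm[:30], norm[30:]
    if not CIPHERS_RE.match(ciphers):
        raise ValueError('invalid :ciphers component')
    if not EXTENSIONS_RE.match(extensions):
        raise ValueError('invalid :extensions component')
    return JarmHash(ciphers, extensions)


def is_valid_jarm(raw: str) -> bool:
    try:
        parse_jarm(raw)
        return True
    except ValueError:
        return False


def jarm_sample(server: str, raw: str) -> tuple:
    """The (server, jarmhash) pair an inet:ssl:jarmsample node is keyed on."""
    return (server, parse_jarm(raw).value)


# Sample input for this example: a JARM value of the kind a scanner returns,
# and a made-up inet:server value (documentation address space).
SAMPLE_JARM = '07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1'
SAMPLE_SERVER = 'tcp://203.0.113.10:443'

if __name__ == '__main__':
    jh = parse_jarm('  ' + SAMPLE_JARM.upper() + '\n')   # survives sloppy input
    print(jh.value)
    print(jh.probes(), jh.versions())
    print(jarm_sample(SAMPLE_SERVER, SAMPLE_JARM))
```

Because the two halves are stored as separate properties, an analyst can pivot on :ciphers alone to group servers whose TLS stacks answered the ten probes identically even when the :extensions hash differs, while a match on the full 62-character value is what tool-fingerprint lists are keyed on. A null JARM (all zeros) means the port did not complete a TLS handshake at all and should not be treated as a fingerprint.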

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:tls:clientcert

An x509 certificate sent by a client for TLS.

The base type for the form can be found at inet:tls:clientcert.

An example of inet:tls:clientcert:

  • (1.2.3.4:443, 3fdf364e081c14997b291852d1f23868)

Properties:

name

type

doc

opts

:client

inet:client

The client associated with the x509 certificate.

Read Only: True

:cert

crypto:x509:cert

The x509 certificate sent by the client.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:tls:handshake

An instance of a TLS handshake between a server and client.

The base type for the form can be found at inet:tls:handshake.

Properties:

name

type

doc

:time

time

The time the handshake was initiated.

:flow

inet:flow

The raw inet:flow associated with the handshake.

:server

inet:server

The TLS server during the handshake.

:server:cert

crypto:x509:cert

The x509 certificate sent by the server during the handshake.

:server:fingerprint:ja3

hash:md5

The JA3S fingerprint of the server.

:client

inet:client

The TLS client during the handshake.

:client:cert

crypto:x509:cert

The x509 certificate sent by the client during the handshake.

:client:fingerprint:ja3

hash:md5

The JA3 fingerprint of the client.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:tls:ja3:sample

A JA3 sample taken from a client.

The base type for the form can be found at inet:tls:ja3:sample.

Properties:

name

type

doc

opts

:client

inet:client

The client that was sampled to produce the JA3 hash.

Read Only: True

:ja3

hash:md5

The JA3 hash computed from the client’s TLS hello packet.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:tls:ja3s:sample

A JA3S sample taken from a server.

The base type for the form can be found at inet:tls:ja3s:sample.

Properties:

name

type

doc

opts

:server

inet:server

The server that was sampled to produce the JA3S hash.

Read Only: True

:ja3s

hash:md5

The JA3S hash computed from the server’s TLS hello packet.

Read Only: True
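The inet:tls:handshake, inet:tls:ja3:sample and inet:tls:ja3s:sample entries above store JA3 and JA3S values as hash:md5 but do not show where those hashes come from. The following is an added example, not code from Synapse or from this page: it parses a ClientHello or ServerHello handshake message, builds the JA3 string (version, cipher suites, extension types, supported groups, EC point formats, with GREASE values removed) or the JA3S string (version, selected cipher, extension types), and takes the MD5 that the properties hold. The ClientHello and ServerHello bytes are constructed inline for the example, not captured traffic, and the parser assumes the 5-byte TLS record header has already been stripped.

```python
import hashlib

CLIENT_HELLO, SERVER_HELLO = 1, 2              # handshake message types
SUPPORTED_GROUPS, EC_POINT_FORMATS = 10, 11    # extension types (IANA)

def u8(n): return n.to_bytes(1, 'big')
def u16(n): return n.to_bytes(2, 'big')
def u24(n): return n.to_bytes(3, 'big')
def be(b): return int.from_bytes(b, 'big')

def is_grease(v: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a ... 0xfafa) are random filler; JA3 drops them."""
    return (v >> 8) == (v & 0xff) and (v & 0x0f) == 0x0a

def parse_hello(msg: bytes) -> dict:
    """Parse a ClientHello or ServerHello handshake message (record header
    already stripped) into the fields the fingerprints are built from."""
    htype = msg[0] if msg else None
    if htype not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError('not a ClientHello/ServerHello')
    body = msg[4:4 + be(msg[1:4])]
    version = be(body[0:2])
    pos = 2 + 32                               # skip the 32-byte random
    pos += 1 + body[pos]                       # skip session id
    if htype == CLIENT_HELLO:
        n = be(body[pos:pos + 2])
        ciphers = [be(body[i:i + 2]) for i in range(pos + 2, pos + 2 + n, 2)]
        pos += 2 + n
        pos += 1 + body[pos]                   # skip compression methods
    else:
        ciphers = [be(body[pos:pos + 2])]      # the single selected cipher
        pos += 2 + 1                           # cipher + compression byte
    exts, end = [], pos + 2 + be(body[pos:pos + 2])
    pos += 2
    while pos < end:
        etype, elen = be(body[pos:pos + 2]), be(body[pos + 2:pos + 4])
        exts.append((etype, body[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    return {'type': htype, 'version': version, 'ciphers': ciphers, 'extensions': exts}

def dashes(vals) -> str:
    return '-'.join(str(v) for v in vals)

def ja3_string(hello: dict) -> str:
    """JA3 input: version,ciphers,extensions,curves,point_formats (GREASE removed)."""
    ciphers = [c for c in hello['ciphers'] if not is_grease(c)]
    ext_types, curves, formats = [], [], []
    for etype, data in hello['extensions']:
        if is_grease(etype):
            continue
        ext_types.append(etype)
        if etype == SUPPORTED_GROUPS:
            n = be(data[:2])
            curves = [g for g in (be(data[i:i + 2]) for i in range(2, 2 + n, 2))
                      if not is_grease(g)]
        elif etype == EC_POINT_FORMATS:
            formats = list(data[1:1 + data[0]])
    return ','.join([str(hello['version']), dashes(ciphers), dashes(ext_types),
                     dashes(curves), dashes(formats)])

def ja3s_string(hello: dict) -> str:
    """JA3S input: version,cipher,extensions from the ServerHello."""
    return ','.join([str(hello['version']), dashes(hello['ciphers']),
                     dashes(t for t, _ in hello['extensions'])])

def fingerprint(msg: bytes) -> str:
    """MD5 hex of the JA3 (ClientHello) or JA3S (ServerHello) string; this is
    the value the hash:md5 properties above hold."""
    hello = parse_hello(msg)
    text = ja3_string(hello) if hello['type'] == CLIENT_HELLO else ja3s_string(hello)
    return hashlib.md5(text.encode()).hexdigest()

# Constructed sample messages (not captured traffic); the random is filler.
def build_hello(htype, version, ciphers, exts):
    body = u16(version) + b'\x11' * 32 + u8(0)           # version, random, no session id
    if htype == CLIENT_HELLO:
        body += u16(2 * len(ciphers)) + b''.join(map(u16, ciphers)) + b'\x01\x00'
    else:
        body += u16(ciphers[0]) + b'\x00'
    ext = b''.join(u16(t) + u16(len(d)) + d for t, d in exts)
    return u8(htype) + u24(len(body) + 2 + len(ext)) + body + u16(len(ext)) + ext

SNI = b'example.com'
SAMPLE_CLIENT_HELLO = build_hello(CLIENT_HELLO, 0x0303,
    [0x1a1a, 0x1301, 0x1302, 0xc02b, 0xc02f],                  # leading GREASE suite
    [(0x2a2a, b''),                                            # GREASE extension
     (0, u16(len(SNI) + 3) + b'\x00' + u16(len(SNI)) + SNI),   # server_name
     (SUPPORTED_GROUPS, u16(6) + u16(0x2a2a) + u16(0x001d) + u16(0x0017)),
     (EC_POINT_FORMATS, u8(1) + u8(0))])
SAMPLE_SERVER_HELLO = build_hello(SERVER_HELLO, 0x0303, [0x1301],
    [(43, u16(0x0304)),                                        # supported_versions
     (51, u16(0x001d) + u16(2) + b'\x00\x00')])                # key_share (dummy)

if __name__ == '__main__':
    for msg in (SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO):
        hello = parse_hello(msg)
        print(ja3_string(hello) if hello['type'] == CLIENT_HELLO else ja3s_string(hello),
              fingerprint(msg))
```

Two caveats matter when pivoting on these values. JA3 uses the legacy version field of the ClientHello, so a TLS 1.3 client still fingerprints with version 771 and its real version only shows up in the supported_versions extension type (43) in the extension list. And because browsers randomise GREASE values per connection, the filter in ja3_string is what keeps one client stack mapping to one hash; a fingerprinter that forgets it produces a different inet:tls:ja3:sample for every connection from the same client.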

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:tls:servercert

An x509 certificate sent by a server for TLS.

The base type for the form can be found at inet:tls:servercert.

An example of inet:tls:servercert:

  • (1.2.3.4:443, c7437790af01ae1bb2f8f3b684c70bf8)

Properties:

name

type

doc

opts

:server

inet:server

The server associated with the x509 certificate.

Read Only: True

:cert

crypto:x509:cert

The x509 certificate sent by the server.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:tunnel

A specific sequence of hosts forwarding connections such as a VPN or proxy.

The base type for the form can be found at inet:tunnel.

Properties:

name

type

doc

:anon

bool

Indicates that this tunnel provides anonymization.

:type

inet:tunnel:type:taxonomy

The type of tunnel such as vpn or proxy.

:ingress

inet:server

The server where client traffic enters the tunnel.

:egress

inet:server

The server where client traffic leaves the tunnel.

:operator

ps:contact

The contact information for the tunnel operator.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:tunnel:type:taxonomy

A taxonomy of network tunnel types.

The base type for the form can be found at inet:tunnel:type:taxonomy.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

inet:tunnel:type:taxonomy

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

Deprecated. Please use geo:telem:node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

math:algorithm

-(generates)>

*

The target node was generated by the algorithm.

meta:feed

-(found)>

*

The meta:feed produced the target node.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

plan:procedure:step

-(uses)>

*

The step in the procedure makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:url

A Universal Resource Locator (URL).

The base type for the form can be found at inet:url.

An example of inet:url:

  • http://www.woot.com/files/index.html

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :fqdn | inet:fqdn | The FQDN used in the URL (e.g., http://www.woot.com/page.html). | Read Only: True |
| :ipv4 | inet:ipv4 | The IPv4 address used in the URL (e.g., http://1.2.3.4/page.html). | Read Only: True |
| :ipv6 | inet:ipv6 | The IPv6 address used in the URL. | Read Only: True |
| :passwd | inet:passwd | The optional password used to access the URL. | Read Only: True |
| :base | str | The base scheme, user/pass, FQDN, port and path without parameters. | Read Only: True |
| :path | str | The path in the URL without parameters. | Read Only: True |
| :params | str | The URL parameter string. | Read Only: True |
| :port | inet:port | The port of the URL. URLs prefixed with http will be set to port 80 and URLs prefixed with https will be set to port 443 unless otherwise specified. | Read Only: True |
| :proto | lower: True | The protocol in the URL. | Read Only: True |
| :user | inet:user | The optional username used to access the URL. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:dev:repo | -(has)> | inet:url | The repo has content hosted at the URL. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:url:mirror

A URL mirror site.

The base type for the form can be found at inet:url:mirror.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :of | inet:url | The URL being mirrored. | Read Only: True |
| :at | inet:url | The URL of the mirror. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:urlfile

A file hosted at a specific Universal Resource Locator (URL).

The base type for the form can be found at inet:urlfile.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :url | inet:url | The URL where the file was hosted. | Read Only: True |
| :file | file:bytes | The file that was hosted at the URL. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:urlredir

A URL that redirects to another URL, such as via a URL shortening service or an HTTP 302 response.

The base type for the form can be found at inet:urlredir.

An example of inet:urlredir:

  • (http://foo.com/,http://bar.com/)

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :src | inet:url | The original/source URL before redirect. | Read Only: True |
| :src:fqdn | inet:fqdn | The FQDN within the src URL (if present). | Read Only: True |
| :dst | inet:url | The redirected/destination URL. | Read Only: True |
| :dst:fqdn | inet:fqdn | The FQDN within the dst URL (if present). | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:user

A username string.

The base type for the form can be found at inet:user.

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:web:acct

An account with a given Internet-based site or service.

The base type for the form can be found at inet:web:acct.

An example of inet:web:acct:

  • twitter.com/invisig0th

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :avatar | file:bytes | The file representing the avatar (e.g., profile picture) for the account. | |
| :banner | file:bytes | The file representing the banner for the account. | |
| :dob | time | A self-declared date of birth for the account (if the account belongs to a person). | |
| :email | inet:email | The email address associated with the account. | |
| :linked:accts | uniq: True, sorted: True | Linked accounts specified in the account profile. | |
| :latlong | geo:latlong | The last known latitude/longitude for the node. | |
| :place | geo:place | The geo:place associated with the latlong property. | |
| :loc | loc | A self-declared location for the account. | |
| :name | inet:user | The localized name associated with the account (may be different from the account identifier, e.g., a display name). | |
| :name:en | inet:user | The English version of the name associated with the account (may be different from the account identifier, e.g., a display name). | Deprecated: True |
| :aliases | type: inet:user, uniq: True, sorted: True | An array of alternate names for the user. | |
| :occupation | lower: True | A self-declared occupation for the account. | |
| :passwd | inet:passwd | The current password for the account. | |
| :phone | tel:phone | The phone number associated with the account. | |
| :realname | ps:name | The localized version of the real name of the account owner / registrant. | |
| :realname:en | ps:name | The English version of the real name of the account owner / registrant. | Deprecated: True |
| :signup | time | The date and time the account was registered. | |
| :signup:client | inet:client | The client address used to sign up for the account. | |
| :signup:client:ipv4 | inet:ipv4 | The IPv4 address used to sign up for the account. | |
| :signup:client:ipv6 | inet:ipv6 | The IPv6 address used to sign up for the account. | |
| :site | inet:fqdn | The site or service associated with the account. | Read Only: True |
| :tagline | str | The text of the account status or tag line. | |
| :url | inet:url | The service provider URL where the account is hosted. | |
| :user | inet:user | The unique identifier for the account (may be different from the common name or display name). | Read Only: True |
| :webpage | inet:url | A related URL specified by the account (e.g., a personal or company web page, blog, etc.). | |
| :recovery:email | inet:email | An email address registered as a recovery email address for the account. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:web:action

An instance of an account performing an action at an Internet-based site or service.

The base type for the form can be found at inet:web:action.

Properties:

| name | type | doc |
|---|---|---|
| :act | lower: True, strip: True | The action performed by the account. |
| :acct | inet:web:acct | The web account associated with the action. |
| :acct:site | inet:fqdn | The site or service associated with the account. |
| :acct:user | inet:user | The unique identifier for the account. |
| :time | time | The date and time the account performed the action. |
| :client | inet:client | The source client address of the action. |
| :client:ipv4 | inet:ipv4 | The source IPv4 address of the action. |
| :client:ipv6 | inet:ipv6 | The source IPv6 address of the action. |
| :loc | loc | The location of the user executing the web action. |
| :latlong | geo:latlong | The latlong of the user when executing the web action. |
| :place | geo:place | The geo:place of the user when executing the web action. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:web:attachment

An instance of a file being sent to a web service by an account.

The base type for the form can be found at inet:web:attachment.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :acct | inet:web:acct | The account that uploaded the file. | |
| :post | inet:web:post | The optional web post that the file was attached to. | |
| :mesg | inet:web:mesg | The optional web message that the file was attached to. | |
| :proto | inet:proto | The protocol used to transmit the file to the web service. Example: https | |
| :interactive | bool | Set to true if the upload was interactive. False if automated. | |
| :file | file:bytes | The file that was sent. | |
| :name | file:path | The name of the file at the time it was sent. | |
| :time | time | The time the file was sent. | |
| :client | inet:client | The client address which initiated the upload. | |
| :client:ipv4 | inet:ipv4 | The IPv4 address of the client that initiated the upload. | |
| :client:ipv6 | inet:ipv6 | The IPv6 address of the client that initiated the upload. | |
| :place | geo:place | The place the file was sent from. | |
| :place:loc | loc | The geopolitical location that the file was sent from. | |
| :place:name | geo:name | The reported name of the place that the file was sent from. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:web:channel

A channel within a web service or instance such as Slack or Discord.

The base type for the form can be found at inet:web:channel.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :url | inet:url | The primary URL used to identify the channel. Example: https://app.slack.com/client/T2XK1223Y/C2XHHNDS7 | |
| :id | strip: True | The operator-specified ID of this channel. Example: C2XHHNDS7 | |
| :instance | inet:web:instance | The instance which contains the channel. | |
| :name | strip: True | The visible name of the channel. Example: general | |
| :topic | strip: True | The visible topic of the channel. Example: Synapse Discussion - Feel free to invite others! | |
| :created | time | The time the channel was created. | |
| :creator | inet:web:acct | The account which created the channel. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:web:chprofile

A change to a web account. Used to capture historical property values for an account, as opposed to the current values held on the inet:web:acct node.

The base type for the form can be found at inet:web:chprofile.

Properties:

  name          type           doc
  :acct         inet:web:acct  The web account associated with the change.
  :acct:site    inet:fqdn      The site or service associated with the account.
  :acct:user    inet:user      The unique identifier for the account.
  :client       inet:client    The source address used to make the account change.
  :client:ipv4  inet:ipv4      The source IPv4 address used to make the account change.
  :client:ipv6  inet:ipv6      The source IPv6 address used to make the account change.
  :time         time           The date and time when the account change occurred.
  :pv           nodeprop       The prop=valu of the account property that was changed. The valu is the old (pre-change) value; the new value belongs on the inet:web:acct node itself.
  :pv:prop      str            The property that was changed.
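As an added worked example (not Synapse project code), the stand-alone Python below models the :pv rule: it derives inet:web:chprofile rows from a sequence of observed account values, keeping the old value in :pv and writing the new value to the account, and renders the matching Storm edits as strings. The account, timestamps and client addresses are constructed sample data, and the tuple used to deconflict the chprofile guid is an assumption about Storm's list-to-guid behaviour.

```python
"""Added example (not Synapse project code): derive inet:web:chprofile history
rows from observed changes to an inet:web:acct, following the form's rule that
:pv carries the OLD value while the inet:web:acct node carries the NEW value.
Nodes are modelled as plain dicts and the matching Storm edits are rendered as
strings; nothing here connects to a Cortex. The account, times and client
addresses below are constructed sample data."""
from __future__ import annotations

# inet:web:acct properties whose history we keep (a subset chosen for the example).
TRACKED = ("name", "email", "webpage", "avatar")


def record_change(acct: dict, prop: str, newvalu, time: str,
                  client: str | None = None) -> tuple[dict | None, dict]:
    """Apply one observed value of acct[prop] seen at `time`.

    Returns (chprofile_row, updated_acct). The row is None when the value did
    not change, or when no prior value was known: a first observation is not
    a change, so no history row is written for it.
    """
    if prop not in TRACKED:
        raise ValueError(f"{prop!r} is not a tracked inet:web:acct property")
    oldvalu = acct.get(prop)
    updated = {**acct, prop: newvalu}
    if oldvalu is None or oldvalu == newvalu:
        return None, updated
    fullprop = f"inet:web:acct:{prop}"
    row = {
        "acct": (acct["site"], acct["user"]),
        "acct:site": acct["site"],
        "acct:user": acct["user"],
        "time": time,
        "pv": (fullprop, oldvalu),   # the OLD value, per the :pv doc
        "pv:prop": fullprop,
    }
    if client is not None:
        row["client"] = client
    return row, updated


def replay(acct: dict, observations: list[dict]) -> tuple[list[tuple[dict, object]], dict]:
    """Fold observations ({prop, valu, time, client?}) into history rows.

    Observations are sorted by time first, so out-of-order ingest never records
    a stale value as a change. Returns ([(row, value set at that time)], final_acct).
    """
    history = []
    for obs in sorted(observations, key=lambda o: o["time"]):
        row, acct = record_change(acct, obs["prop"], obs["valu"], obs["time"], obs.get("client"))
        if row is not None:
            history.append((row, obs["valu"]))
    return history, acct


def _q(valu) -> str:
    """Double-quote a value as a Storm string literal."""
    return '"' + str(valu).replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_storm(row: dict, newvalu) -> tuple[str, str]:
    """Render two Storm edit queries: the history row, then the account update.

    They are kept separate because a ':prop=' edit inside a block applies to
    every node in the pipeline, so '[ inet:web:acct=... :name=... ]' placed
    after the chprofile node would also try to set :name on it.
    Assumption: the tuple after 'inet:web:chprofile=' relies on Storm's
    list-to-guid rule, so the guid is deterministic and re-ingesting the same
    change does not create a duplicate node.
    """
    site, user = row["acct"]
    fullprop, oldvalu = row["pv"]
    prop = fullprop.rsplit(":", 1)[1]
    acct = f"({_q(site)}, {_q(user)})"
    key = f"({_q(site)}, {_q(user)}, {_q(row['time'])}, {_q(fullprop)})"
    hist = (f"[ inet:web:chprofile={key} :acct={acct} :time={_q(row['time'])} "
            f":pv=({_q(fullprop)}, {_q(oldvalu)})")
    if "client" in row:
        hist += f" :client={_q(row['client'])}"
    hist += " ]"
    return hist, f"[ inet:web:acct={acct} :{prop}={_q(newvalu)} ]"


# Constructed sample: one account whose display name changes twice, the second
# time from a different client address; the records arrive out of order.
SAMPLE_ACCT = {"site": "twitter.com", "user": "alice", "name": "Alice A."}
SAMPLE_OBS = [
    {"prop": "name", "valu": "A. Lice", "time": "2024-03-02", "client": "203.0.113.7"},
    {"prop": "name", "valu": "Alice A.", "time": "2024-01-05"},   # same as current: no row
    {"prop": "name", "valu": "alice_sec", "time": "2024-05-20", "client": "198.51.100.9"},
]

if __name__ == "__main__":
    rows, final = replay(SAMPLE_ACCT, SAMPLE_OBS)
    for row, newvalu in rows:
        print("\n".join(render_storm(row, newvalu)))
    print(f"# {len(rows)} history rows; current :name is {final['name']!r}")
```

Running the script prints two chprofile edits (for the changes on 2024-03-02 and 2024-05-20) and the account update for each; the 2024-01-05 observation matches the value already on the account and produces no history row.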

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       The source node contains a reference to the target node.
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:web:file

A file posted by a web account. The form records the relationship between an account and a file; per-upload details (when and from where a given copy was posted) belong on inet:web:attachment, which is why the instance properties below are deprecated.

The base type for the form can be found at inet:web:file.

Properties:

  name          type           opts              doc
  :acct         inet:web:acct  Read Only: True   The account that owns or is associated with the file.
  :acct:site    inet:fqdn      Read Only: True   The site or service associated with the account.
  :acct:user    inet:user      Read Only: True   The unique identifier for the account.
  :file         file:bytes     Read Only: True   The file owned by or associated with the account.
  :name         file:base                        The name of the file owned by or associated with the account.
  :posted       time           Deprecated: True  Deprecated. Instance data belongs on inet:web:attachment.
  :client       inet:client    Deprecated: True  Deprecated. Instance data belongs on inet:web:attachment.
  :client:ipv4  inet:ipv4      Deprecated: True  Deprecated. Instance data belongs on inet:web:attachment.
  :client:ipv6  inet:ipv6      Deprecated: True  Deprecated. Instance data belongs on inet:web:attachment.

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       The source node contains a reference to the target node.
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:web:follows

A web account follows or is connected to another web account.

The base type for the form can be found at inet:web:follows.

Properties:

  name       type           opts             doc
  :follower  inet:web:acct  Read Only: True  The account doing the following.
  :followee  inet:web:acct  Read Only: True  The account being followed.

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       The source node contains a reference to the target node.
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:web:group

A group hosted within or registered with a given Internet-based site or service.

The base type for the form can be found at inet:web:group.

An example of inet:web:group:

  • somesite.com/mycoolgroup

Properties:

  name                 type                type            opts                      doc
  :site                inet:fqdn           Read Only: True                           The site or service associated with the group.
  :id                  inet:group          Read Only: True                           The site-specific unique identifier for the group (may be different from the common name or display name).
  :name                inet:group                                                    The localized name associated with the group (may be different from the group identifier, e.g., a display name).
  :aliases             array of inet:group uniq: True, sorted: True                  An array of alternate names for the group.
  :name:en             inet:group          Deprecated: True                          The English version of the name associated with the group (may be different from the localized name).
  :url                 inet:url                                                      The service provider URL where the group is hosted.
  :avatar              file:bytes                                                    The file representing the avatar (e.g., profile picture) for the group.
  :desc                str                                                           The text of the description of the group.
  :webpage             inet:url                                                      A related URL specified by the group (e.g., primary web site, etc.).
  :loc                 str                 lower: True                               A self-declared location for the group.
  :latlong             geo:latlong                                                   The last known latitude/longitude for the group.
  :place               geo:place                                                     The geo:place associated with the latlong property.
  :signup              time                                                          The date and time the group was created on the site.
  :signup:client       inet:client                                                   The client address used to create the group.
  :signup:client:ipv4  inet:ipv4                                                     The IPv4 address used to create the group.
  :signup:client:ipv6  inet:ipv6                                                     The IPv6 address used to create the group.

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       The source node contains a reference to the target node.
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:web:hashtag

A hashtag used in a web post.

The base type for the form can be found at inet:web:hashtag.

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       The source node contains a reference to the target node.
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:web:instance

An instance of a web service such as Slack or Discord (for example, a single Slack workspace). The owner properties identify the organization the instance belongs to; the operator properties identify the service provider that hosts it.

The base type for the form can be found at inet:web:instance.

Properties:

  name            type           opts         doc
  :url            inet:url                    The primary URL used to identify the instance.
                                              Example: https://app.slack.com/client/T2XK1223Y
  :id             str            strip: True  The operator-specified ID of this instance.
                                              Example: T2XK1223Y
  :name           str            strip: True  The visible name of the instance.
                                              Example: vertex synapse
  :created        time                        The time the instance was created.
  :creator        inet:web:acct               The account which created the instance.
  :owner          ou:org                      The organization which created the instance.
  :owner:fqdn     inet:fqdn                   The FQDN of the organization which created the instance. Used for entity resolution.
                                              Example: vertex.link
  :owner:name     ou:name                     The name of the organization which created the instance. Used for entity resolution.
                                              Example: the vertex project, llc.
  :operator       ou:org                      The organization which operates the instance.
  :operator:name  ou:name                     The name of the organization which operates the instance. Used for entity resolution.
                                              Example: slack
  :operator:fqdn  inet:fqdn                   The FQDN of the organization which operates the instance. Used for entity resolution.
                                              Example: slack.com

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       The source node contains a reference to the target node.
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:web:logon

An instance of an account authenticating to an Internet-based site or service.

The base type for the form can be found at inet:web:logon.

Properties:

  name          type           doc
  :acct         inet:web:acct  The web account associated with the logon event.
  :acct:site    inet:fqdn      The site or service associated with the account.
  :acct:user    inet:user      The unique identifier for the account.
  :time         time           The date and time the account logged into the service.
  :client       inet:client    The source address of the logon.
  :client:ipv4  inet:ipv4      The source IPv4 address of the logon.
  :client:ipv6  inet:ipv6      The source IPv6 address of the logon.
  :logout       time           The date and time the account logged out of the service.
  :loc          loc            The location of the user executing the logon.
  :latlong      geo:latlong    The latlong of the user executing the logon.
  :place        geo:place      The geo:place of the user executing the logon.
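Because inet:web:logon records where and when an account authenticated, the first question a responder usually asks of it is which logons came from a client address never before seen for that account. The following Python is an added example, not Synapse project code: it runs that first-seen check over constructed logon records keyed by the form's property names, reports records whose :logout precedes :time (a data-quality problem in the source, not a constraint the form enforces), and renders the equivalent Storm lift. The `*in=` comparator and the normalization of its literals through the property's type are assumptions about Storm.

```python
"""Added example (not Synapse project code): a first-seen check over
inet:web:logon records. For each account it flags logons whose client address
had not been seen for that account in any earlier logon, and separately
reports records whose :logout precedes :time, which cannot be a valid session
and usually means a parsing or timezone error upstream. Records are plain
dicts keyed by the form's property names; the logons below are constructed
sample data."""
from __future__ import annotations

from collections import defaultdict


def client_addr(logon: dict) -> str | None:
    """Address-only key for a logon: :client with any scheme and port stripped
    (inet:client values look like tcp://203.0.113.7:443 or tcp://[2001:db8::1]),
    else :client:ipv4 / :client:ipv6 as stored. None when no address is present."""
    valu = logon.get("client")
    if valu is None:
        return logon.get("client:ipv4") or logon.get("client:ipv6")
    host = valu.split("://", 1)[-1]
    if host.startswith("["):            # bracketed IPv6, possibly with :port
        return host[1:host.index("]")]
    if host.count(":") > 1:             # bare IPv6 cannot carry a port
        return host
    return host.split(":", 1)[0]        # IPv4, possibly with :port


def first_seen_clients(logons: list[dict]) -> list[dict]:
    """Return the logons whose client had not been seen for that :acct before.

    Logons are processed in :time order regardless of input order, so the
    first chronological use of an address is the one flagged, never a later
    one that merely arrived first. Records with no client address are skipped.
    """
    seen: dict[tuple, set[str]] = defaultdict(set)
    flagged = []
    for logon in sorted(logons, key=lambda l: l["time"]):
        addr = client_addr(logon)
        if addr is None:
            continue
        if addr not in seen[logon["acct"]]:
            seen[logon["acct"]].add(addr)
            flagged.append(logon)
    return flagged


def bad_sessions(logons: list[dict]) -> list[dict]:
    """Records whose :logout is earlier than :time (ISO-8601 strings sort lexically)."""
    return [l for l in logons if l.get("logout") is not None and l["logout"] < l["time"]]


def baseline_query(acct: tuple[str, str], since: str, known: set[str]) -> str:
    """The same question as a Storm lift: logons for the account since `since`
    from any client not in the known set. Assumes Storm's '*in=' comparator,
    '-' filter negation, and that each literal is normalized through the
    inet:client type before comparison."""
    site, user = acct
    known_lit = ", ".join(f'"{c}"' for c in sorted(known))
    return (f'inet:web:logon:acct=("{site}", "{user}") +:time>="{since}" '
            f'-:client*in=({known_lit})')


# Constructed sample: three logons for alice and one for bob. alice's third
# logon is from a new address; bob's record has a logout before its logon.
SAMPLE_LOGONS = [
    {"acct": ("example.com", "alice"), "time": "2024-04-01T08:00:00",
     "client": "tcp://203.0.113.7:52110", "logout": "2024-04-01T09:00:00"},
    {"acct": ("example.com", "alice"), "time": "2024-04-03T08:05:00", "client:ipv4": "203.0.113.7"},
    {"acct": ("example.com", "alice"), "time": "2024-04-03T23:40:00",
     "client": "tcp://198.51.100.9", "loc": "ru"},
    {"acct": ("example.com", "bob"), "time": "2024-04-02T10:00:00",
     "client": "tcp://192.0.2.44", "logout": "2024-04-02T09:30:00"},
]

if __name__ == "__main__":
    for l in first_seen_clients(SAMPLE_LOGONS):
        print(f"new client for {l['acct'][1]}: {client_addr(l)} at {l['time']}")
    for l in bad_sessions(SAMPLE_LOGONS):
        print(f"logout before logon for {l['acct'][1]}: {l['logout']} < {l['time']}")
    print(baseline_query(("example.com", "alice"), "2024-04-03", {"203.0.113.7"}))
```

The sample flags three logons (each account's first address, plus alice's 2024-04-03T23:40 logon from 198.51.100.9), treats the :client:ipv4-only record as the same address as the earlier tcp://203.0.113.7:52110 logon, and reports bob's record as an invalid session. Keying on the address alone is a deliberate choice: the same IP reached over a different source port is not a new client.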

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       The source node contains a reference to the target node.
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:web:memb

Deprecated. Please use inet:web:member.

The base type for the form can be found at inet:web:memb.

Properties:

  name     type            opts             doc
  :acct    inet:web:acct   Read Only: True  The account that is a member of the group.
  :group   inet:web:group  Read Only: True  The group that the account is a member of.
  :title   str             lower: True      The title or status of the member (e.g., admin, new member, etc.).
  :joined  time                             The date / time the account joined the group.

Source Edges:

  source  verb        target          doc
  *       -(meets)>   ou:requirement  The requirement is met by the source node.
  *       -(refs)>    *               The source node contains a reference to the target node.
  *       -(seenat)>  geo:telem       Deprecated. Please use geo:telem:node.

Target Edges:

  source               verb           target  doc
  *                    -(refs)>       *       The source node contains a reference to the target node.
  econ:purchase        -(acquired)>   *       The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *       The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *       The target node was returned as a result of running the query.
  math:algorithm       -(generates)>  *       The target node was generated by the algorithm.
  meta:feed            -(found)>      *       The meta:feed produced the target node.
  meta:note            -(about)>      *       The meta:note is about the target node.
  meta:rule            -(detects)>    *       The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *       The meta:rule has matched on the target node.
  meta:source          -(seen)>       *       The meta:source observed the target node.
  ou:campaign          -(targets)>    *       The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *       The campaign made use of the target node.
  ou:contribution      -(includes)>   *       The contribution includes the specific node.
  ou:org               -(has)>        *       The organization is or was in possession of the target node.
  ou:org               -(owns)>       *       The organization owns or owned the target node.
  ou:org               -(targets)>    *       The organization targets the target node.
  ou:org               -(uses)>       *       The ou:org makes use of the target node.
  plan:procedure:step  -(uses)>       *       The step in the procedure makes use of the target node.
  ps:contact           -(has)>        *       The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *       The contact owns or owned the target node.
  ps:person            -(has)>        *       The person is or was in possession of the target node.
  ps:person            -(owns)>       *       The person owns or owned the target node.
  risk:attack          -(targets)>    *       The attack targeted the target node.
  risk:attack          -(uses)>       *       The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *       The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *       The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *       The leak included the disclosure of the target node.
  risk:outage          -(impacted)>   *       The outage event impacted the availability of the target node.
  risk:threat          -(targets)>    *       The threat cluster targeted the target node.
  risk:threat          -(uses)>       *       The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *       The tool uses the target node.
  sci:evidence         -(has)>        *       The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *       The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *       The observations are summarized from the target nodes.

inet:web:member

Represents a web account membership in a channel or group.

The base type for the form can be found at inet:web:member.

Properties:

name | type | doc
:acct | inet:web:acct | The account that is a member of the group or channel.
:group | inet:web:group | The group that the account is a member of.
:channel | inet:web:channel | The channel that the account is a member of.
:added | time | The date / time the account was added to the group or channel.
:removed | time | The date / time the account was removed from the group or channel.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:web:mesg

A message sent from one web account to another web account or channel.

The base type for the form can be found at inet:web:mesg.

An example of inet:web:mesg:

  • ((twitter.com, invisig0th), (twitter.com, gobbles), 20041012130220)

Properties:

name | type | doc | opts
:from | inet:web:acct | The web account that sent the message. | Read Only: True
:to | inet:web:acct | The web account that received the message. | Read Only: True
:client | inet:client | The source address of the message.
:client:ipv4 | inet:ipv4 | The source IPv4 address of the message.
:client:ipv6 | inet:ipv6 | The source IPv6 address of the message.
:time | time | The date and time at which the message was sent. | Read Only: True
:url | inet:url | The URL where the message is posted / visible.
:text | str | The text of the message. | Display: {'hint': 'text'}
:deleted | bool | The message was deleted.
:file | file:bytes | The file attached to or sent with the message.
:place | geo:place | The place that the message was reportedly sent from.
:place:name | geo:name | The name of the place that the message was reportedly sent from. Used for entity resolution.
:instance | inet:web:instance | The instance where the message was sent.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:web:post

A post made by a web account.

The base type for the form can be found at inet:web:post.

Properties:

name | type | doc | opts
:acct | inet:web:acct | The web account that made the post.
:acct:site | inet:fqdn | The site or service associated with the account.
:client | inet:client | The source address of the post.
:client:ipv4 | inet:ipv4 | The source IPv4 address of the post.
:client:ipv6 | inet:ipv6 | The source IPv6 address of the post.
:acct:user | inet:user | The unique identifier for the account.
:text | str | The text of the post. | Display: {'hint': 'text'}
:time | time | The date and time that the post was made.
:deleted | bool | The message was deleted by the poster.
:url | inet:url | The URL where the post is published / visible.
:file | file:bytes | The file that was attached to the post.
:replyto | inet:web:post | The post that this post is in reply to.
:repost | inet:web:post | The original post that this is a repost of.
:hashtags | uniq: True; sorted: True; split: , | Hashtags mentioned within the post.
:mentions:users | uniq: True; sorted: True; split: , | Accounts mentioned within the post.
:mentions:groups | uniq: True; sorted: True; split: , | Groups mentioned within the post.
:loc | loc | The location that the post was reportedly sent from.
:place | geo:place | The place that the post was reportedly sent from.
:place:name | geo:name | The name of the place that the post was reportedly sent from. Used for entity resolution.
:latlong | geo:latlong | The place that the post was reportedly sent from.
:channel | inet:web:channel | The channel where the post was made.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:web:post:link

A link contained within post text.

The base type for the form can be found at inet:web:post:link.

Properties:

name | type | doc
:post | inet:web:post | The post containing the embedded link.
:url | inet:url | The url that the link forwards to.
:text | str | The displayed hyperlink text if it was not the raw URL.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:whois:contact

An individual contact from a domain whois record.

The base type for the form can be found at inet:whois:contact.

Properties:

name | type | doc | opts
:rec | inet:whois:rec | The whois record containing the contact data. | Read Only: True
:rec:fqdn | inet:fqdn | The domain associated with the whois record. | Read Only: True
:rec:asof | time | The date of the whois record. | Read Only: True
:type | lower: True | The contact type (e.g., registrar, registrant, admin, billing, tech, etc.). | Read Only: True
:id | lower: True | The ID associated with the contact.
:name | lower: True | The name of the contact.
:email | inet:email | The email address of the contact.
:orgname | ou:name | The name of the contact organization.
:address | lower: True | The content of the street address field(s) of the contact.
:city | lower: True | The content of the city field of the contact.
:state | lower: True | The content of the state field of the contact.
:country | lower: True | The two-letter country code of the contact.
:phone | tel:phone | The content of the phone field of the contact.
:fax | tel:phone | The content of the fax field of the contact.
:url | inet:url | The URL specified for the contact.
:whois:fqdn | inet:fqdn | The whois server FQDN for the given contact (most likely a registrar).

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:whois:email

An email address associated with an FQDN via whois registration text.

The base type for the form can be found at inet:whois:email.

Properties:

name | type | doc | opts
:fqdn | inet:fqdn | The domain with a whois record containing the email address. | Read Only: True
:email | inet:email | The email address associated with the domain whois record. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:whois:ipcontact

An individual contact from an IP block record.

The base type for the form can be found at inet:whois:ipcontact.

Properties:

name | type | doc
:contact | ps:contact | Contact information associated with a registration.
:asof | time | The date of the record.
:created | time | The “created” time from the record.
:updated | time | The “last updated” time from the record.
:role | lower: True | The primary role for the contact.
:roles | type: str; uniq: True; sorted: True | Additional roles assigned to the contact.
:asn | inet:asn | The associated Autonomous System Number (ASN).
:id | inet:whois:regid | The registry unique identifier (e.g. NET-74-0-0-0-1).
:links | type: inet:url; uniq: True; sorted: True | URLs provided with the record.
:status | lower: True | The state of the registered contact (e.g. validated, obscured).
:contacts | uniq: True; sorted: True | Additional contacts referenced by this contact.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:whois:ipquery

Query details used to retrieve an IP record.

The base type for the form can be found at inet:whois:ipquery.

Properties:

name | type | doc
:time | time | The time the request was made.
:url | inet:url | The query URL when using the HTTP RDAP Protocol.
:fqdn | inet:fqdn | The FQDN of the host server when using the legacy WHOIS Protocol.
:ipv4 | inet:ipv4 | The IPv4 address queried.
:ipv6 | inet:ipv6 | The IPv6 address queried.
:success | bool | Whether the host returned a valid response for the query.
:rec | inet:whois:iprec | The resulting record from the query.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:whois:iprec

An IPv4/IPv6 block registration record.

The base type for the form can be found at inet:whois:iprec.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :net4 | inet:net4 | The IPv4 address range assigned. | |
| :net4:min | inet:ipv4 | The first IPv4 in the range assigned. | |
| :net4:max | inet:ipv4 | The last IPv4 in the range assigned. | |
| :net6 | inet:net6 | The IPv6 address range assigned. | |
| :net6:min | inet:ipv6 | The first IPv6 in the range assigned. | |
| :net6:max | inet:ipv6 | The last IPv6 in the range assigned. | |
| :asof | time | The date of the record. | |
| :created | time | The “created” time from the record. | |
| :updated | time | The “last updated” time from the record. | |
| :text | str (lower: True) | The full text of the record. | Display: {'hint': 'text'} |
| :desc | str (lower: True) | Notes concerning the record. | Display: {'hint': 'text'} |
| :asn | inet:asn | The associated Autonomous System Number (ASN). | |
| :id | inet:whois:regid | The registry unique identifier (e.g. NET-74-0-0-0-1). | |
| :name | str | The name assigned to the network by the registrant. | |
| :parentid | inet:whois:regid | The registry unique identifier of the parent whois record (e.g. NET-74-0-0-0-0). | |
| :registrant | inet:whois:ipcontact | Deprecated. Add the registrant inet:whois:ipcontact to the :contacts array. | Deprecated: True |
| :contacts | array (type: inet:whois:ipcontact, uniq: True, sorted: True) | Additional contacts from the record. | |
| :country | str (lower: True, regex: ^[a-z]{2}$) | The two-letter ISO 3166 country code. | |
| :status | str (lower: True) | The state of the registered network. | |
| :type | str (lower: True) | The classification of the registered network (e.g. direct allocation). | |
| :links | array (type: inet:url, uniq: True, sorted: True) | URLs provided with the record. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |
| inet:whois:iprec | -(ipwhois)> | inet:ipv4 | The source IP whois record describes the target IPv4 address. |
| inet:whois:iprec | -(ipwhois)> | inet:ipv6 | The source IP whois record describes the target IPv6 address. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |
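The properties above describe one registry allocation, and the two ipwhois rows are the only form-specific edges on this part of the page, so the Storm below shows how they fit together: it records a block, attaches the addresses the record describes, and walks the edge in both directions. This is an added example, not code from the Synapse documentation or the Vertex Project. Every value is constructed: the registry handles, dates and RDAP URL are invented, the block is 10.0.0.0/8 (a private range, so it cannot collide with a real allocation) and the ASN is 64496 from the range reserved for documentation. Each blank-line-separated block is meant to be run as its own query.

```storm
// Added example, not from the Synapse docs. All values are constructed.

// Create (or update) the record. The guid is derived from the tuple, so
// re-running this with the same registry, handle and snapshot date updates
// the same node instead of creating a duplicate. :net4 accepts CIDR notation.
[ inet:whois:iprec=("arin", "NET-10-0-0-0-1", "2024-01-05")
    :net4="10.0.0.0/8"
    :id="NET-10-0-0-0-1"
    :parentid="NET-10-0-0-0-0"
    :name="EXAMPLE-NET-10"
    :asof="2024-01-05"
    :created="1995-01-01"
    :updated="2023-06-14"
    :asn=64496
    :country=us
    :status=active
    :type="direct allocation"
    :links=("https://rdap.example.net/ip/10.0.0.0/8",)
    +(ipwhois)> { [ inet:ipv4=10.20.30.40 inet:ipv4=10.200.1.1 ] }
]

// Which registration records claim this address? Walk the edge backwards.
inet:ipv4=10.20.30.40 <(ipwhois)- inet:whois:iprec

// From a record to its parent allocation, via the registry handle.
inet:whois:iprec:id="NET-10-0-0-0-1" :parentid -> inet:whois:iprec:id

// Recent records for a country, pivoted to the ASN they are associated with.
inet:whois:iprec:country=us +:asof>="2024-01-01" :asn -> inet:asn
```

The edge is the part that is easy to forget. `:net4` records what the registry said the block is, but only the `+(ipwhois)>` edit links the record to specific `inet:ipv4` nodes, so a query that walks `<(ipwhois)-` sees exactly the addresses you attached and nothing else; an address that falls inside `:net4` but was never linked will not be returned.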

inet:whois:rar

A domain registrar.

The base type for the form can be found at inet:whois:rar.

An example of inet:whois:rar:

  • godaddy, inc.

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:whois:rec

A domain whois record.

The base type for the form can be found at inet:whois:rec.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :fqdn | inet:fqdn | The domain associated with the whois record. | Read Only: True |
| :asof | time | The date of the whois record. | Read Only: True |
| :text | str (lower: True) | The full text of the whois record. | Display: {'hint': 'text'} |
| :created | time | The “created” time from the whois record. | |
| :updated | time | The “last updated” time from the whois record. | |
| :expires | time | The “expires” time from the whois record. | |
| :registrar | inet:whois:rar | The registrar name from the whois record. | |
| :registrant | inet:whois:reg | The registrant name from the whois record. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:whois:recns

A nameserver associated with a domain whois record.

The base type for the form can be found at inet:whois:recns.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :ns | inet:fqdn | A nameserver for a domain as listed in the domain whois record. | Read Only: True |
| :rec | inet:whois:rec | The whois record containing the nameserver data. | Read Only: True |
| :rec:fqdn | inet:fqdn | The domain associated with the whois record. | Read Only: True |
| :rec:asof | time | The date of the whois record. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:whois:reg

A domain registrant.

The base type for the form can be found at inet:whois:reg.

An example of inet:whois:reg:

  • woot hostmaster

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |
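inet:whois:rec, inet:whois:recns, inet:whois:rar and inet:whois:reg are four views of one domain whois snapshot (the record, its nameservers, its registrar and its registrant), so a single added example covers all four. It is not code from the Synapse documentation or the Vertex Project. The domain example.com, the dates, the registrar and registrant strings and the nameservers ns1/ns2.example.net are constructed, and each blank-line-separated block is meant to be run as its own query.

```storm
// Added example, not from the Synapse docs. All values are constructed.

// inet:whois:rec is keyed on (fqdn, asof): :fqdn and :asof are read-only and
// come from the primary value, so a snapshot taken on another date is a new
// node rather than an overwrite. :registrar and :registrant are lower-cased
// string forms; setting them here creates the inet:whois:rar and
// inet:whois:reg nodes if they do not exist yet.
[ inet:whois:rec=(example.com, "2024-02-01")
    :created="1995-08-14"
    :updated="2023-08-13"
    :expires="2024-08-13"
    :registrar="example registrar, inc."
    :registrant="example hostmaster"
    :text="domain name: example.com registrar: example registrar, inc. name server: ns1.example.net name server: ns2.example.net"
]

// Nameservers listed in that snapshot, keyed on (nameserver, record). The
// read-only :rec:fqdn and :rec:asof props are filled in from the record.
[ inet:whois:recns=(ns1.example.net, (example.com, "2024-02-01")) ]
[ inet:whois:recns=(ns2.example.net, (example.com, "2024-02-01")) ]

// Every nameserver the domain has ever listed, across all snapshots.
inet:whois:rec:fqdn=example.com -> inet:whois:recns :ns -> inet:fqdn | uniq

// Other domains whose records carry the same registrant name.
inet:whois:reg="example hostmaster" -> inet:whois:rec :fqdn -> inet:fqdn | uniq

// Domains registered through one registrar.
inet:whois:rar="example registrar, inc." -> inet:whois:rec :fqdn -> inet:fqdn | uniq

// Snapshots whose record expires before a date, for a drop-catch watch list.
inet:whois:rec +:expires<"2024-09-01" :fqdn -> inet:fqdn
```

The registrant pivot is the classic infrastructure-clustering move, and the caveat that goes with it is in the model itself: inet:whois:reg is a free-text name from the record, not an identity, so a value such as “redacted for privacy” will pivot to every domain behind that registrar's proxy. Filter those out before treating a shared registrant as a link between domains.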

inet:whois:regid

The registry unique identifier of the registration record.

The base type for the form can be found at inet:whois:regid.

An example of inet:whois:regid:

  • NET-10-0-0-0-1

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:wifi:ap

An SSID/MAC address combination for a wireless access point.

The base type for the form can be found at inet:wifi:ap.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :ssid | inet:wifi:ssid | The SSID for the wireless access point. | Read Only: True |
| :bssid | inet:mac | The MAC address for the wireless access point. | Read Only: True |
| :latlong | geo:latlong | The best known latitude/longitude for the wireless access point. | |
| :accuracy | geo:dist | The reported accuracy of the latlong telemetry reading. | |
| :channel | int | The WIFI channel that the AP was last observed operating on. | |
| :encryption | str (lower: True, strip: True) | The type of encryption used by the WIFI AP such as “wpa2”. | |
| :place | geo:place | The geo:place associated with the latlong property. | |
| :loc | loc | The geo-political location string for the wireless access point. | |
| :org | ou:org | The organization that owns/operates the access point. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:wifi:ssid

A WiFi service set identifier (SSID) name.

The base type for the form can be found at inet:wifi:ssid.

An example of inet:wifi:ssid:

  • The Vertex Project

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |
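inet:wifi:ap and inet:wifi:ssid together answer “who is broadcasting this network name, and from where”, which is the question behind rogue access point hunting; the added example below records two access points for one SSID and then runs the query that surfaces the mismatch. It is not code from the Synapse documentation or the Vertex Project. The SSID, both BSSIDs (the second sits in the MAC range reserved for documentation with the locally-administered bit set), the coordinates and the location strings are constructed, and each blank-line-separated block is meant to be run as its own query.

```storm
// Added example, not from the Synapse docs. All values are constructed.

// inet:wifi:ap is keyed on (ssid, bssid), so :ssid and :bssid are read-only.
// The corporate AP: WPA2, a known location, and a tight accuracy radius.
[ inet:wifi:ap=("Corp-Guest", 00:11:22:33:44:55)
    :latlong="38.8977,-77.0365"
    :accuracy=25m
    :channel=6
    :encryption=wpa2
    :loc=us.dc.washington
]

// A second radio using the same SSID: open, different channel, different
// BSSID with the locally-administered bit set, about a kilometre away.
[ inet:wifi:ap=("Corp-Guest", 02:00:5e:00:53:01)
    :latlong="38.9072,-77.0369"
    :accuracy=50m
    :channel=11
    :encryption=open
    :loc=us.dc.washington
]

// Every BSSID ever seen advertising the SSID. More than one, with a
// different :encryption or a :latlong well outside the others' :accuracy,
// is the evil-twin pattern worth chasing.
inet:wifi:ssid="Corp-Guest" -> inet:wifi:ap

// Open access points using any SSID that also has a WPA2 access point.
inet:wifi:ap:encryption=wpa2 :ssid -> inet:wifi:ssid -> inet:wifi:ap +:encryption=open

// Everything sharing a BSSID, regardless of SSID (a radio renamed over time).
inet:mac=02:00:5e:00:53:01 -> inet:wifi:ap
```

`:accuracy` is what makes the location comparison meaningful: two observations of the same SSID 200 metres apart are only interesting if both readings claim an accuracy much smaller than that, so keep it populated whenever the telemetry source reports it.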

iso:oid

An ISO Object Identifier string.

The base type for the form can be found at iso:oid.

Properties:

| name | type | doc |
|---|---|---|
| :descr | str | A description of the value or meaning of the OID. |
| :identifier | str | The string identifier for the deepest tree element. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:account

A GUID that represents an account on a host or network.

The base type for the form can be found at it:account.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :user | inet:user | The username associated with the account. | |
| :contact | ps:contact | Additional contact information associated with this account. | |
| :host | it:host | The host where the account is registered. | |
| :domain | it:domain | The authentication domain where the account is registered. | |
| :posix:uid | int | The user ID of the account. | Example: 1001 |
| :posix:gid | int | The primary group ID of the account. | Example: 1001 |
| :posix:gecos | int | The GECOS field for the POSIX account. | |
| :posix:home | file:path | The path to the POSIX account’s home directory. | Example: /home/visi |
| :posix:shell | file:path | The path to the POSIX account’s default shell. | Example: /bin/bash |
| :windows:sid | it:os:windows:sid | The Microsoft Windows Security Identifier of the account. | |
| :groups | type: it:group; uniq: True; sorted: True | An array of groups that the account is a member of. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:adid

An advertising identification string.

The base type for the form can be found at it:adid.

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:app:snort:hit

An instance of a snort rule hit.

The base type for the form can be found at it:app:snort:hit.

Properties:

| name | type | doc |
| --- | --- | --- |
| :rule | it:app:snort:rule | The snort rule that matched the file. |
| :flow | inet:flow | The inet:flow that matched the snort rule. |
| :src | inet:addr | The source address of the flow that caused the hit. |
| :src:ipv4 | inet:ipv4 | The source IPv4 address of the flow that caused the hit. |
| :src:ipv6 | inet:ipv6 | The source IPv6 address of the flow that caused the hit. |
| :src:port | inet:port | The source port of the flow that caused the hit. |
| :dst | inet:addr | The destination address of the flow that caused the hit. |
| :dst:ipv4 | inet:ipv4 | The destination IPv4 address of the flow that caused the hit. |
| :dst:ipv6 | inet:ipv6 | The destination IPv6 address of the flow that caused the hit. |
| :dst:port | inet:port | The destination port of the flow that caused the hit. |
| :time | time | The time of the network flow that caused the hit. |
| :sensor | it:host | The sensor host node that produced the hit. |
| :version | it:semver | The version of the rule at the time of match. |
| :dropped | bool | Set to true if the network traffic was dropped due to the match. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:app:snort:rule

A snort rule.

The base type for the form can be found at it:app:snort:rule.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :id | str | The snort rule id. | |
| :text | str | The snort rule text. | Display: {'hint': 'text'} |
| :name | str | The name of the snort rule. | |
| :desc | str | A brief description of the snort rule. | Display: {'hint': 'text'} |
| :engine | int | The snort engine ID which can parse and evaluate the rule text. | |
| :version | it:semver | The current version of the rule. | |
| :author | ps:contact | Contact info for the author of the rule. | |
| :created | time | The time the rule was initially created. | |
| :updated | time | The time the rule was most recently modified. | |
| :enabled | bool | The rule enabled status to be used for snort evaluation engines. | |
| :family | it:prod:softname | The name of the software family the rule is designed to detect. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:mitigation | -(uses)> | it:app:snort:rule | The mitigation uses the Snort rule. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:app:yara:match

A YARA rule match to a file.

The base type for the form can be found at it:app:yara:match.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :rule | it:app:yara:rule | The YARA rule that matched the file. | Read Only: True |
| :file | file:bytes | The file that matched the YARA rule. | Read Only: True |
| :version | it:semver | The most recent version of the rule evaluated as a match. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:app:yara:netmatch

An instance of a YARA rule network hunting match.

The base type for the form can be found at it:app:yara:netmatch.

Properties:

| name | type | doc |
| --- | --- | --- |
| :rule | it:app:yara:rule | The YARA rule that triggered the match. |
| :version | it:semver | The most recent version of the rule evaluated as a match. |
| :node | forms: ('inet:fqdn', 'inet:ipv4', 'inet:ipv6', 'inet:url') | The node which matched the rule. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:app:yara:procmatch

An instance of a YARA rule match to a process.

The base type for the form can be found at it:app:yara:procmatch.

Properties:

| name | type | doc |
| --- | --- | --- |
| :rule | it:app:yara:rule | The YARA rule that matched the process. |
| :proc | it:exec:proc | The process that matched the YARA rule. |
| :time | time | The time that the YARA engine matched the process to the rule. |
| :version | it:semver | The most recent version of the rule evaluated as a match. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:app:yara:rule

A YARA rule unique identifier.

The base type for the form can be found at it:app:yara:rule.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :text | str | The YARA rule text. | Display: {'hint': 'text', 'syntax': 'yara'} |
| :ext:id | str | The YARA rule ID from an external system. | |
| :url | inet:url | A URL which documents the YARA rule. | |
| :name | str | The name of the YARA rule. | |
| :author | ps:contact | Contact info for the author of the YARA rule. | |
| :version | it:semver | The current version of the rule. | |
| :created | time | The time the YARA rule was initially created. | |
| :updated | time | The time the YARA rule was most recently modified. | |
| :enabled | bool | The rule enabled status to be used for YARA evaluation engines. | |
| :family | it:prod:softname | The name of the software family the rule is designed to detect. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:mitigation | -(uses)> | it:app:yara:rule | The mitigation uses the YARA rule. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:auth:passwdhash

An instance of a password hash.

The base type for the form can be found at it:auth:passwdhash.

Properties:

| name | type | doc |
| --- | --- | --- |
| :salt | hex | The (optional) hex encoded salt value used to calculate the password hash. |
| :hash:md5 | hash:md5 | The MD5 password hash value. |
| :hash:sha1 | hash:sha1 | The SHA1 password hash value. |
| :hash:sha256 | hash:sha256 | The SHA256 password hash value. |
| :hash:sha512 | hash:sha512 | The SHA512 password hash value. |
| :hash:lm | hash:lm | The LM password hash value. |
| :hash:ntlm | hash:ntlm | The NTLM password hash value. |
| :passwd | inet:passwd | The (optional) clear text password for this password hash. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:av:filehit

Deprecated. Please use it:av:scan:result.

The base type for the form can be found at it:av:filehit.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :file | file:bytes | The file that triggered the signature hit. | Read Only: True |
| :sig | it:av:sig | The signature that the file triggered on. | Read Only: True |
| :sig:name | it:av:signame | The signature name. | Read Only: True |
| :sig:soft | it:prod:soft | The anti-virus product which contains the signature. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:av:prochit

Deprecated. Please use it:av:scan:result.

The base type for the form can be found at it:av:prochit.

Properties:

| name | type | doc |
| --- | --- | --- |
| :proc | it:exec:proc | The file that triggered the signature hit. |
| :sig | it:av:sig | The signature that the file triggered on. |
| :time | time | The time that the AV engine detected the signature. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:av:scan:result

The result of running an antivirus scanner.

The base type for the form can be found at it:av:scan:result.

Properties:

| name | type | doc |
| --- | --- | --- |
| :time | time | The time the scan was run. |
| :verdict | enums: ((10, 'benign'), (20, 'unknown'), (30, 'suspicious'), (40, 'malicious')) | The scanner-provided verdict for the scan. |
| :scanner | it:prod:softver | The scanner software used to produce the result. |
| :scanner:name | it:prod:softname | The name of the scanner software. |
| :signame | it:av:signame | The name of the signature returned by the scanner. |
| :categories | sorted: True; uniq: True; type: str; typeopts: {'lower': True, 'onespace': True} | A list of categories for the result returned by the scanner. |
| :target:file | file:bytes | The file that was scanned to produce the result. |
| :target:proc | it:exec:proc | The process that was scanned to produce the result. |
| :target:host | it:host | The host that was scanned to produce the result. |
| :target:fqdn | inet:fqdn | The FQDN that was scanned to produce the result. |
| :target:url | inet:url | The URL that was scanned to produce the result. |
| :target:ipv4 | inet:ipv4 | The IPv4 address that was scanned to produce the result. |
| :target:ipv6 | inet:ipv6 | The IPv6 address that was scanned to produce the result. |
| :multi:scan | it:av:scan:result | Set if this result was part of running multiple scanners. |
| :multi:count | min: 0 | The total number of scanners which were run by a multi-scanner. |
| :multi:count:benign | min: 0 | The number of scanners which returned a benign verdict. |
| :multi:count:unknown | min: 0 | The number of scanners which returned an unknown/unsupported verdict. |
| :multi:count:suspicious | min: 0 | The number of scanners which returned a suspicious verdict. |
| :multi:count:malicious | min: 0 | The number of scanners which returned a malicious verdict. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:av:sig

Deprecated. Please use it:av:scan:result.

The base type for the form can be found at it:av:sig.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :soft | it:prod:soft | The anti-virus product which contains the signature. | Read Only: True |
| :name | it:av:signame | The signature name. | Read Only: True |
| :desc | str | A free-form description of the signature. | Display: {'hint': 'text'} |
| :url | inet:url | A reference URL for information about the signature. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:av:signame

An antivirus signature name.

The base type for the form can be found at it:av:signame.

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:cmd

A unique command-line string.

The base type for the form can be found at it:cmd.

An example of it:cmd:

  • foo.exe --dostuff bar

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:cmd:history

A single command executed within a session.

The base type for the form can be found at it:cmd:history.

Properties:

| name | type | doc |
| --- | --- | --- |
| :cmd | it:cmd | The command that was executed. |
| :session | it:cmd:session | The session that contains this history entry. |
| :time | time | The time that the command was executed. |
| :index | int | Used to order the commands when times are not available. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:cmd:session

A command line session with multiple commands run over time.

The base type for the form can be found at it:cmd:session.

Properties:

| name | type | doc |
| --- | --- | --- |
| :host | it:host | The host where the command line session was executed. |
| :proc | it:exec:proc | The process which was interpreting this command line session. |
| :period | ival | The period over which the command line session was running. |
| :file | file:bytes | The file containing the command history, such as a .bash_history file. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:dev:int

A developer selected integer constant.

The base type for the form can be found at it:dev:int.

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:dev:mutex

A string representing a mutex.

The base type for the form can be found at it:dev:mutex.

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:dev:pipe

A string representing a named pipe.

The base type for the form can be found at it:dev:pipe.

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:dev:regkey

A Windows registry key.

The base type for the form can be found at it:dev:regkey.

An example of it:dev:regkey:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:dev:regval

A Windows registry key/value pair.

The base type for the form can be found at it:dev:regval.

Properties:

| name | type | doc |
|---|---|---|
| :key | it:dev:regkey | The Windows registry key. |
| :str | it:dev:str | The value of the registry key, if the value is a string. |
| :int | it:dev:int | The value of the registry key, if the value is an integer. |
| :bytes | file:bytes | The file representing the value of the registry key, if the value is binary data. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:dev:repo

A version control system instance.

The base type for the form can be found at it:dev:repo.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :name | lower: True, strip: True | The name of the repository. | |
| :desc | str | A free-form description of the repository. | Display: {'hint': 'text'} |
| :created | time | Deprecated. Please use :period. | Deprecated: True |
| :url | inet:url | The URL where the repository is hosted. | |
| :type | it:dev:repo:type:taxonomy | The type of the version control system used. | Example: svn |
| :submodules | | An array of other repos that this repo has as submodules, pinned at specific commits. | |
| :status | inet:service:object:status | The status of the repository. | |
| :period | ival | The period when the repository existed. | |
| :creator | inet:service:account | The service account which created the repository. | |
| :remover | inet:service:account | The service account which removed or decommissioned the repository. | |
| :id | strip: True | A platform-specific ID which identifies the repository. | |
| :platform | inet:service:platform | The platform which defines the repository. | |
| :instance | inet:service:instance | The platform instance which defines the repository. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |
| it:dev:repo | -(has)> | inet:url | The repo has content hosted at the URL. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:dev:repo:branch

A branch in a version control system instance.

The base type for the form can be found at it:dev:repo:branch.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :parent | it:dev:repo:branch | The branch this branch was branched from. | |
| :start | it:dev:repo:commit | The commit in the parent branch this branch was created at. | |
| :name | strip: True | The name of the branch. | |
| :url | inet:url | The URL where the branch is hosted. | |
| :created | time | Deprecated. Please use :period. | Deprecated: True |
| :merged | time | The time this branch was merged back into its parent. | |
| :deleted | time | Deprecated. Please use :period. | Deprecated: True |
| :status | inet:service:object:status | The status of the repository branch. | |
| :period | ival | The period when the repository branch existed. | |
| :creator | inet:service:account | The service account which created the repository branch. | |
| :remover | inet:service:account | The service account which removed or decommissioned the repository branch. | |
| :id | strip: True | A platform-specific ID which identifies the repository branch. | |
| :platform | inet:service:platform | The platform which defines the repository branch. | |
| :instance | inet:service:instance | The platform instance which defines the repository branch. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:dev:repo:commit

A commit to a repository.

The base type for the form can be found at it:dev:repo:commit.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :repo | it:dev:repo | The repository the commit lives in. | |
| :parents | | The commit or commits this commit is immediately based on. | |
| :branch | it:dev:repo:branch | The name of the branch the commit was made to. | |
| :mesg | str | The commit message describing the changes in the commit. | Display: {'hint': 'text'} |
| :id | strip: True | The commit identifier specific to the version control system. | |
| :created | time | Deprecated. Please use :period. | Deprecated: True |
| :url | inet:url | The URL where the commit is hosted. | |
| :status | inet:service:object:status | The status of the repository commit. | |
| :period | ival | The period when the repository commit existed. | |
| :creator | inet:service:account | The service account which created the repository commit. | |
| :remover | inet:service:account | The service account which removed or decommissioned the repository commit. | |
| :platform | inet:service:platform | The platform which defines the repository commit. | |
| :instance | inet:service:instance | The platform instance which defines the repository commit. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:dev:repo:diff

A diff of a file being applied in a single commit.

The base type for the form can be found at it:dev:repo:diff.

Properties:

| name | type | doc |
|---|---|---|
| :commit | it:dev:repo:commit | The commit that produced this diff. |
| :file | file:bytes | The file after the commit has been applied. |
| :path | file:path | The path to the file in the repo that the diff is being applied to. |
| :url | inet:url | The URL where the diff is hosted. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:dev:repo:diff:comment

A comment on a diff in a repository.

The base type for the form can be found at it:dev:repo:diff:comment.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :diff | it:dev:repo:diff | The diff the comment is being added to. | |
| :text | str | The body of the comment. | Display: {'hint': 'text'} |
| :replyto | it:dev:repo:diff:comment | The comment that this comment is replying to. | |
| :line | int | The line in the file that is being commented on. | |
| :offset | int | The offset in the line in the file that is being commented on. | |
| :url | inet:url | The URL where the comment is hosted. | |
| :created | time | Deprecated. Please use :period. | Deprecated: True |
| :updated | time | The time the comment was updated. | |
| :status | inet:service:object:status | The status of the repository diff comment. | |
| :period | ival | The period when the repository diff comment existed. | |
| :creator | inet:service:account | The service account which created the repository diff comment. | |
| :remover | inet:service:account | The service account which removed or decommissioned the repository diff comment. | |
| :id | strip: True | A platform-specific ID which identifies the repository diff comment. | |
| :platform | inet:service:platform | The platform which defines the repository diff comment. | |
| :instance | inet:service:instance | The platform instance which defines the repository diff comment. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| math:algorithm | -(generates)> | * | The target node was generated by the algorithm. |
| meta:feed | -(found)> | * | The meta:feed produced the target node. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:outage

-(impacted)>

*

The outage event impacted the availability of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:dev:repo:issue

An issue raised in a repository.

The base type for the form can be found at it:dev:repo:issue.

Properties:

name | type | doc | opts
:repo | it:dev:repo | The repo where the issue was logged.
:title | lower: True, strip: True | The title of the issue.
:desc | str | The text describing the issue. | Display: {'hint': 'text'}
:created | time | Deprecated. Please use :period. | Deprecated: True
:updated | time | The time the issue was updated.
:url | inet:url | The URL where the issue is hosted.
:id | strip: True | The ID of the issue in the repository system.
:status | inet:service:object:status | The status of the repository issue.
:period | ival | The period when the repository issue existed.
:creator | inet:service:account | The service account which created the repository issue.
:remover | inet:service:account | The service account which removed or decommissioned the repository issue.
:platform | inet:service:platform | The platform which defines the repository issue.
:instance | inet:service:instance | The platform instance which defines the repository issue.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:dev:repo:issue:comment

A comment on an issue in a repository.

The base type for the form can be found at it:dev:repo:issue:comment.

Properties:

name | type | doc | opts
:issue | it:dev:repo:issue | The issue thread that the comment was made in.
:text | str | The body of the comment. | Display: {'hint': 'text'}
:replyto | it:dev:repo:issue:comment | The comment that this comment is replying to.
:url | inet:url | The URL where the comment is hosted.
:created | time | Deprecated. Please use :period. | Deprecated: True
:updated | time | The time the comment was updated.
:status | inet:service:object:status | The status of the repository issue comment.
:period | ival | The period when the repository issue comment existed.
:creator | inet:service:account | The service account which created the repository issue comment.
:remover | inet:service:account | The service account which removed or decommissioned the repository issue comment.
:id | strip: True | A platform-specific ID which identifies the repository issue comment.
:platform | inet:service:platform | The platform which defines the repository issue comment.
:instance | inet:service:instance | The platform instance which defines the repository issue comment.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | Deprecated. Please use geo:telem:node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
math:algorithm | -(generates)> | * | The target node was generated by the algorithm.
meta:feed | -(found)> | * | The meta:feed produced the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
plan:procedure:step | -(uses)> | * | The step in the procedure makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:outage | -(impacted)> | * | The outage event impacted the availability of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:dev:repo:issue:label

A label applied to a repository issue.

The base type for the form can be found at it:dev:repo:issue:label.

Properties:

name | type | doc | opts
:issue | it:dev:repo:issue | The issue the label was applied to.
:label | it:dev:repo:label | The label that was applied to the issue.

:applied