Synapse Data Model - Forms

Forms

Forms are derived from types, or base types. Forms represent node types in the graph.

auth:access

An instance of using creds to access a resource.

The base type for the form can be found at auth:access.

Properties:

name	type	doc
:creds	auth:creds	The credentials used to attempt access.
:time	time	The time of the access attempt.
:success	bool	Set to true if the access was successful.
:person	ps:person	The person who attempted access.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

auth:creds

A unique set of credentials used to access a resource.

The base type for the form can be found at auth:creds.

Properties:

name	type	doc
:email	inet:email	The email address used to identify the user.
:user	inet:user	The user name used to identify the user.
:phone	tel:phone	The phone number used to identify the user.
:passwd	inet:passwd	The password used to authenticate.
:passwdhash	it:auth:passwdhash	The password hash used to authenticate.
:account	it:account	The account that the creds allow access to.
:website	inet:url	The base URL of the website that the credentials allow access to.
:host	it:host	The host that the credentials allow access to.
:wifi:ssid	inet:wifi:ssid	The WiFi SSID that the credentials allow access to.
:web:acct	inet:web:acct	The web account that the credentials allow access to.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

belief:subscriber

A contact which subscribes to a belief system.

The base type for the form can be found at belief:subscriber.

Properties:

name	type	doc
:contact	ps:contact	The contact which subscribes to the belief system.
:system	belief:system	The belief system to which the contact subscribes.
:began	time	The time that the contact began to be a subscriber to the belief system.
:ended	time	The time when the contact ceased to be a subscriber to the belief system.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.
belief:subscriber	-(follows)>	belief:tenet	The subscriber is assessed to generally adhere to the specific tenet.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

belief:system

A belief system such as an ideology, philosophy, or religion.

The base type for the form can be found at belief:system.

Properties:

name	type	doc	opts
:name	str onespace: True lower: True	The name of the belief system.
:desc	str	A description of the belief system.	Display: {'hint': 'text'}
:type	belief:system:type:taxonomy	A taxonometric type for the belief system.
:began	time	The time that the belief system was first observed.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.
belief:system	-(has)>	belief:tenet	The belief system includes the tenet.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

belief:system:type:taxonomy

A hierarchical taxonomy of belief system types.

The base type for the form can be found at belief:system:type:taxonomy.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	belief:system:type:taxonomy	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

belief:tenet

A concrete tenet potentially shared by multiple belief systems.

The base type for the form can be found at belief:tenet.

Properties:

name	type	doc	opts
:name	str onespace: True lower: True	The name of the tenet.
:desc	str	A description of the tenet.	Display: {'hint': 'text'}

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
belief:subscriber	-(follows)>	belief:tenet	The subscriber is assessed to generally adhere to the specific tenet.
belief:system	-(has)>	belief:tenet	The belief system includes the tenet.
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

biz:bundle

A bundle allows construction of products which bundle instances of other products.

The base type for the form can be found at biz:bundle.

Properties:

name	type	doc	opts
:count	int	The number of instances of the product or service included in the bundle.
:price	econ:price	The price of the bundle.
:product	biz:product	The product included in the bundle.
:service	biz:service	The service included in the bundle.
:deal	biz:deal	Deprecated. Please use econ:receipt:item for instances of bundles being sold.	Deprecated: True
:purchase	econ:purchase	Deprecated. Please use econ:receipt:item for instances of bundles being sold.	Deprecated: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

biz:deal

A sales or procurement effort in pursuit of a purchase.

The base type for the form can be found at biz:deal.

Properties:

name	type	doc	opts
:title	str	A title for the deal.
:type	biz:dealtype	The type of deal.	Display: {'hint': 'taxonomy'}
:status	biz:dealstatus	The status of the deal.	Display: {'hint': 'taxonomy'}
:updated	time	The last time the deal had a significant update.
:contacted	time	The last time the contacts communicated about the deal.
:rfp	biz:rfp	The RFP that the deal is in response to.
:buyer	ps:contact	The primary contact information for the buyer.
:buyer:org	ou:org	The buyer org.
:buyer:orgname	ou:name	The reported ou:name of the buyer org.
:buyer:orgfqdn	inet:fqdn	The reported inet:fqdn of the buyer org.
:seller	ps:contact	The primary contact information for the seller.
:seller:org	ou:org	The seller org.
:seller:orgname	ou:name	The reported ou:name of the seller org.
:seller:orgfqdn	inet:fqdn	The reported inet:fqdn of the seller org.
:currency	econ:currency	The currency of econ:price values associated with the deal.
:buyer:budget	econ:price	The buyers budget for the eventual purchase.
:buyer:deadline	time	When the buyer intends to make a decision.
:offer:price	econ:price	The total price of the offered products.
:offer:expires	time	When the offer expires.
:purchase	econ:purchase	Records a purchase resulting from the deal.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

biz:dealstatus

A deal/rfp status taxonomy.

The base type for the form can be found at biz:dealstatus.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	biz:dealstatus	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

biz:dealtype

A deal type taxonomy.

The base type for the form can be found at biz:dealtype.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	biz:dealtype	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

biz:listing

A product or service being listed for sale at a given price by a specific seller.

The base type for the form can be found at biz:listing.

Properties:

name	type	doc
:seller	ps:contact	The contact information for the seller.
:product	biz:product	The product being offered.
:service	biz:service	The service being offered.
:current	bool	Set to true if the offer is still current.
:time	time	The first known offering of this product/service by the organization for the asking price.
:expires	time	Set if the offer has a known expiration date.
:price	econ:price	The asking price of the product or service.
:currency	econ:currency	The currency of the asking price.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

biz:prodtype

A product type taxonomy.

The base type for the form can be found at biz:prodtype.

Properties:

name	type	doc	opts
:title	str	A brief title of the definition.
:summary	str	Deprecated. Please use title/desc.	Deprecated: True Display: {'hint': 'text'}
:desc	str	A definition of the taxonomy entry.	Display: {'hint': 'text'}
:sort	int	A display sort order for siblings.
:base	taxon	The base taxon.	Read Only: True
:depth	int	The depth indexed from 0.	Read Only: True
:parent	biz:prodtype	The taxonomy parent.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

biz:product

A product which is available for purchase.

The base type for the form can be found at biz:product.

Properties:

name	type	doc	opts
:name	str	The name of the product.
:type	biz:prodtype	The type of product.	Display: {'hint': 'taxonomy'}
:summary	str	A brief summary of the product.	Display: {'hint': 'text'}
:maker	ps:contact	A contact for the maker of the product.
:madeby:org	ou:org	Deprecated. Please use biz:product:maker.	Deprecated: True
:madeby:orgname	ou:name	Deprecated. Please use biz:product:maker.	Deprecated: True
:madeby:orgfqdn	inet:fqdn	Deprecated. Please use biz:product:maker.	Deprecated: True
:price:retail	econ:price	The MSRP price of the product.
:price:bottom	econ:price	The minimum offered or observed price of the product.
:price:currency	econ:currency	The currency of the retail and bottom price properties.
:bundles	array type: biz:bundle uniq: True sorted: True	An array of bundles included with the product.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

biz:rfp

An RFP (Request for Proposal) soliciting proposals.

The base type for the form can be found at biz:rfp.

Properties:

name	type	doc	opts
:ext:id	str	An externally specified identifier for the RFP.
:title	str	The title of the RFP.
:summary	str	A brief summary of the RFP.	Display: {'hint': 'text'}
:status	biz:dealstatus	The status of the RFP.	Display: {'hint': 'enum'}
:url	inet:url	The official URL for the RFP.
:file	file:bytes	The RFP document.
:posted	time	The date/time that the RFP was posted.
:quesdue	time	The date/time that questions are due.
:propdue	time	The date/time that proposals are due.
:contact	ps:contact	The contact information given for the org requesting offers.
:purchases	array type: econ:purchase uniq: True sorted: True	Any known purchases that resulted from the RFP.
:requirements	array type: ou:goal uniq: True sorted: True	A typed array which indexes each field.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

biz:service

A service which is performed by a specific organization.

The base type for the form can be found at biz:service.

Properties:

name	type	doc	opts
:provider	ps:contact	The contact info of the entity which performs the service.
:name	str lower: True onespace: True	The name of the service being performed.
:summary	str	A brief summary of the service.	Display: {'hint': 'text'}
:type	biz:service:type:taxonomy	A taxonomy of service types.
:launched	time	The time when the operator first made the service available.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

biz:stake

A stake or partial ownership in a company.

The base type for the form can be found at biz:stake.

Properties:

name	type	doc
:vitals	ou:vitals	The ou:vitals snapshot this stake is part of.
:org	ou:org	The resolved org.
:orgname	ou:name	The org name as reported by the source of the vitals.
:orgfqdn	inet:fqdn	The org FQDN as reported by the source of the vitals.
:name	str	An arbitrary name for this stake. Can be non-contact like “pool”.
:asof	time	The time the stake is being measured. Likely as part of an ou:vitals.
:shares	int	The number of shares represented by the stake.
:invested	econ:price	The amount of money invested in the cap table iteration.
:value	econ:price	The monetary value of the stake.
:percent	hugenum	The percentage ownership represented by this stake.
:owner	ps:contact	Contact information of the owner of the stake.
:purchase	econ:purchase	The purchase event for the stake.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:algorithm

A cryptographic algorithm name.

The base type for the form can be found at crypto:algorithm.

An example of crypto:algorithm:

• aes256

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:currency:address

An individual crypto currency address.

The base type for the form can be found at crypto:currency:address.

An example of crypto:currency:address:

• btc/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2

Properties:

name	type	doc	opts
:coin	crypto:currency:coin	The crypto coin to which the address belongs.	Read Only: True
:seed	crypto:key	The cryptographic key and or password used to generate the address.
:iden	str	The coin specific address identifier.	Read Only: True
:desc	str	A free-form description of the address.
:contact	ps:contact	Contact information associated with the address.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:currency:block

An individual crypto currency block record on the blockchain.

The base type for the form can be found at crypto:currency:block.

Properties:

name	type	doc	opts
:coin	crypto:currency:coin	The coin/blockchain this block resides on.	Read Only: True
:offset	int	The index of this block.	Read Only: True
:hash	hex	The unique hash for the block.
:minedby	crypto:currency:address	The address which mined the block.
:time	time	Time timestamp embedded in the block by the miner.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:currency:client

A fused node representing a crypto currency address used by an Internet client.

The base type for the form can be found at crypto:currency:client.

An example of crypto:currency:client:

• (1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))

Properties:

name	type	doc	opts
:inetaddr	inet:client	The Internet client address observed using the crypto currency address.	Read Only: True
:coinaddr	crypto:currency:address	The crypto currency address observed in use by the Internet client.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:currency:coin

An individual crypto currency type.

The base type for the form can be found at crypto:currency:coin.

An example of crypto:currency:coin:

• btc

Properties:

name	type	doc
:name	str	The full name of the crypto coin.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:currency:transaction

An individual crypto currency transaction recorded on the blockchain.

The base type for the form can be found at crypto:currency:transaction.

Properties:

name	type	doc	opts
:hash	hex	The unique transaction hash for the transaction.
:desc	str	An analyst specified description of the transaction.
:block	crypto:currency:block	The block which records the transaction.
:block:coin	crypto:currency:coin	The coin/blockchain of the block which records this transaction.
:block:offset	int	The offset of the block which records this transaction.
:success	bool	Set to true if the transaction was successfully executed and recorded.
:status:code	int	A coin specific status code which may represent an error reason.
:status:message	str	A coin specific status message which may contain an error reason.
:to	crypto:currency:address	The destination address of the transaction.
:from	crypto:currency:address	The source address of the transaction.
:inputs	array type: crypto:payment:input sorted: True uniq: True	Deprecated. Please use crypto:payment:input:transaction.	Deprecated: True
:outputs	array type: crypto:payment:output sorted: True uniq: True	Deprecated. Please use crypto:payment:output:transaction.	Deprecated: True
:fee	econ:price	The total fee paid to execute the transaction.
:value	econ:price	The total value of the transaction.
:time	time	The time this transaction was initiated.
:eth:gasused	int	The amount of gas used to execute this transaction.
:eth:gaslimit	int	The ETH gas limit specified for this transaction.
:eth:gasprice	econ:price	The gas price (in ETH) specified for this transaction.
:contract:input	file:bytes	Input value to a smart contract call.
:contract:output	file:bytes	Output value of a smart contract call.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:key

A cryptographic key and algorithm.

The base type for the form can be found at crypto:key.

Properties:

name	type	doc	opts
:algorithm	crypto:algorithm	The cryptographic algorithm which uses the key material.	Example: aes256
:mode	str lower: True onespace: True	The algorithm specific mode in use.
:iv	hex	The hex encoded initialization vector.
:public	hex	The hex encoded public key material if the algorithm has a public/private key pair.
:public:md5	hash:md5	The MD5 hash of the public key in raw binary form.
:public:sha1	hash:sha1	The SHA1 hash of the public key in raw binary form.
:public:sha256	hash:sha256	The SHA256 hash of the public key in raw binary form.
:private	hex	The hex encoded private key material. All symmetric keys are private.
:private:md5	hash:md5	The MD5 hash of the private key in raw binary form.
:private:sha1	hash:sha1	The SHA1 hash of the private key in raw binary form.
:private:sha256	hash:sha256	The SHA256 hash of the private key in raw binary form.
:seed:passwd	inet:passwd	The seed password used to generate the key material.
:seed:algorithm	crypto:algorithm	The algorithm used to generate the key from the seed password.	Example: pbkdf2

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:payment:input

A payment made into a transaction.

The base type for the form can be found at crypto:payment:input.

Properties:

name	type	doc
:transaction	crypto:currency:transaction	The transaction the payment was input to.
:address	crypto:currency:address	The address which paid into the transaction.
:value	econ:price	The value of the currency paid into the transaction.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:payment:output

A payment received from a transaction.

The base type for the form can be found at crypto:payment:output.

Properties:

name	type	doc
:transaction	crypto:currency:transaction	The transaction the payment was output from.
:address	crypto:currency:address	The address which received payment from the transaction.
:value	econ:price	The value of the currency received from the transaction.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:smart:contract

A smart contract.

The base type for the form can be found at crypto:smart:contract.

Properties:

name	type	doc
:transaction	crypto:currency:transaction	The transaction which created the contract.
:address	crypto:currency:address	The address of the contract.
:bytecode	file:bytes	The bytecode which implements the contract.
:token:name	str	The ERC-20 token name.
:token:symbol	str	The ERC-20 token symbol.
:token:totalsupply	hugenum	The ERC-20 totalSupply value.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:smart:effect:burntoken

A smart contract effect which destroys a non-fungible token.

The base type for the form can be found at crypto:smart:effect:burntoken.

Properties:

name	type	doc
:token	crypto:smart:token	The non-fungible token that was destroyed.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:smart:effect:edittokensupply

A smart contract effect which increases or decreases the supply of a fungible token.

The base type for the form can be found at crypto:smart:effect:edittokensupply.

Properties:

name	type	doc
:contract	crypto:smart:contract	The contract which defines the tokens.
:amount	hugenum	The number of tokens added or removed if negative.
:totalsupply	hugenum	The total supply of tokens after this modification.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:smart:effect:minttoken

A smart contract effect which creates a new non-fungible token.

The base type for the form can be found at crypto:smart:effect:minttoken.

Properties:

name	type	doc
:token	crypto:smart:token	The non-fungible token that was created.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:smart:effect:proxytoken

A smart contract effect which grants a non-owner address the ability to manipulate a specific non-fungible token.

The base type for the form can be found at crypto:smart:effect:proxytoken.

Properties:

name	type	doc
:owner	crypto:currency:address	The address granting proxy authority to manipulate non-fungible tokens.
:proxy	crypto:currency:address	The address granted proxy authority to manipulate non-fungible tokens.
:token	crypto:smart:token	The specific token being granted access to.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:smart:effect:proxytokenall

A smart contract effect which grants a non-owner address the ability to manipulate all non-fungible tokens of the owner.

The base type for the form can be found at crypto:smart:effect:proxytokenall.

Properties:

name	type	doc
:contract	crypto:smart:contract	The contract which defines the tokens.
:owner	crypto:currency:address	The address granting/denying proxy authority to manipulate all non-fungible tokens of the owner.
:proxy	crypto:currency:address	The address granted/denied proxy authority to manipulate all non-fungible tokens of the owner.
:approval	bool	The approval status.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:smart:effect:proxytokens

A smart contract effect which grants a non-owner address the ability to manipulate fungible tokens.

The base type for the form can be found at crypto:smart:effect:proxytokens.

Properties:

name	type	doc
:contract	crypto:smart:contract	The contract which defines the tokens.
:owner	crypto:currency:address	The address granting proxy authority to manipulate fungible tokens.
:proxy	crypto:currency:address	The address granted proxy authority to manipulate fungible tokens.
:amount	hex	The hex encoded amount of tokens the proxy is allowed to manipulate.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:smart:effect:transfertoken

A smart contract effect which transfers ownership of a non-fungible token.

The base type for the form can be found at crypto:smart:effect:transfertoken.

Properties:

name	type	doc
:token	crypto:smart:token	The non-fungible token that was transferred.
:from	crypto:currency:address	The address the NFT was transferred from.
:to	crypto:currency:address	The address the NFT was transferred to.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:smart:effect:transfertokens

A smart contract effect which transfers fungible tokens.

The base type for the form can be found at crypto:smart:effect:transfertokens.

Properties:

name	type	doc
:contract	crypto:smart:contract	The contract which defines the tokens.
:from	crypto:currency:address	The address the tokens were transferred from.
:to	crypto:currency:address	The address the tokens were transferred to.
:amount	hugenum	The number of tokens transferred.
:index	int	The order of the effect within the effects of one transaction.
:transaction	crypto:currency:transaction	The transaction where the smart contract was called.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:smart:token

A token managed by a smart contract.

The base type for the form can be found at crypto:smart:token.

Properties:

name	type	doc	opts
:contract	crypto:smart:contract	The smart contract which defines and manages the token.	Read Only: True
:tokenid	hugenum	The token ID.	Read Only: True
:owner	crypto:currency:address	The address which currently owns the token.
:nft:url	inet:url	The URL which hosts the NFT metadata.
:nft:meta	data	The raw NFT metadata.
:nft:meta:name	str	The name field from the NFT metadata.
:nft:meta:description	str	The description field from the NFT metadata.	Display: {'hint': 'text'}
:nft:meta:image	inet:url	The image URL from the NFT metadata.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:x509:cert

A unique X.509 certificate.

The base type for the form can be found at crypto:x509:cert.

Properties:

name	type	doc
:file	file:bytes	The file that the certificate metadata was parsed from.
:subject	str	The subject identifier, commonly in X.500/LDAP format, to which the certificate was issued.
:issuer	str	The Distinguished Name (DN) of the Certificate Authority (CA) which issued the certificate.
:issuer:cert	crypto:x509:cert	The certificate used by the issuer to sign this certificate.
:serial	hex zeropad: 40	The certificate serial number as a big endian hex value.
:version	int enums: ((0, 'v1'), (2, 'v3'))	The version integer in the certificate. (ex. 2 == v3 ).
:validity:notbefore	time	The timestamp for the beginning of the certificate validity period.
:validity:notafter	time	The timestamp for the end of the certificate validity period.
:md5	hash:md5	The MD5 fingerprint for the certificate.
:sha1	hash:sha1	The SHA1 fingerprint for the certificate.
:sha256	hash:sha256	The SHA256 fingerprint for the certificate.
:rsa:key	rsa:key	The optional RSA public key associated with the certificate.
:algo	iso:oid	The X.509 signature algorithm OID.
:signature	hex	The hexadecimal representation of the digital signature.
:ext:sans	array type: crypto:x509:san uniq: True sorted: True	The Subject Alternate Names (SANs) listed in the certificate.
:ext:crls	array type: crypto:x509:san uniq: True sorted: True	A list of Subject Alternate Names (SANs) for Distribution Points.
:identities:fqdns	array type: inet:fqdn uniq: True sorted: True	The fused list of FQDNs identified by the cert CN and SANs.
:identities:emails	array type: inet:email uniq: True sorted: True	The fused list of e-mail addresses identified by the cert CN and SANs.
:identities:ipv4s	array type: inet:ipv4 uniq: True sorted: True	The fused list of IPv4 addresses identified by the cert CN and SANs.
:identities:ipv6s	array type: inet:ipv6 uniq: True sorted: True	The fused list of IPv6 addresses identified by the cert CN and SANs.
:identities:urls	array type: inet:url uniq: True sorted: True	The fused list of URLs identified by the cert CN and SANs.
:crl:urls	array type: inet:url uniq: True sorted: True	The extracted URL values from the CRLs extension.
:selfsigned	bool	Whether this is a self-signed certificate.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:x509:crl

A unique X.509 Certificate Revocation List.

The base type for the form can be found at crypto:x509:crl.

Properties:

name	type	doc
:file	file:bytes	The file containing the CRL.
:url	inet:url	The URL where the CRL was published.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:x509:revoked

A revocation relationship between a CRL and an X.509 certificate.

The base type for the form can be found at crypto:x509:revoked.

Properties:

name	type	doc	opts
:crl	crypto:x509:crl	The CRL which revoked the certificate.	Read Only: True
:cert	crypto:x509:cert	The certificate revoked by the CRL.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

crypto:x509:signedfile

A digital signature relationship between an X.509 certificate and a file.

The base type for the form can be found at crypto:x509:signedfile.

Properties:

name	type	doc	opts
:cert	crypto:x509:cert	The certificate for the key which signed the file.	Read Only: True
:file	file:bytes	The file which was signed by the certificates key.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

econ:acct:balance

A snapshot of the balance of an account at a point in time.

The base type for the form can be found at econ:acct:balance.

Properties:

name	type	doc
:time	time	The time the balance was recorded.
:pay:card	econ:pay:card	The payment card holding the balance.
:crypto:address	crypto:currency:address	The crypto currency address holding the balance.
:amount	econ:price	The account balance at the time.
:currency	econ:currency	The currency of the balance amount.
:delta	econ:price	The change since last regular sample.
:total:received	econ:price	The total amount of currency received by the account.
:total:sent	econ:price	The total amount of currency sent from the account.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

econ:acct:payment

A payment or crypto currency transaction.

The base type for the form can be found at econ:acct:payment.

Properties:

name	type	doc
:txnid	str strip: True	A payment processor specific transaction id.
:fee	econ:price	The transaction fee paid by the recipient to the payment processor.
:from:pay:card	econ:pay:card	The payment card making the payment.
:from:contract	ou:contract	A contract used as an aggregate payment source.
:from:coinaddr	crypto:currency:address	The crypto currency address making the payment.
:from:contact	ps:contact	Contact information for the entity making the payment.
:to:coinaddr	crypto:currency:address	The crypto currency address receiving the payment.
:to:contact	ps:contact	Contact information for the person/org being paid.
:to:contract	ou:contract	A contract used as an aggregate payment destination.
:time	time	The time the payment was processed.
:purchase	econ:purchase	The purchase which the payment was paying for.
:amount	econ:price	The amount of money transferred in the payment.
:currency	econ:currency	The currency of the payment.
:memo	str	A small note specified by the payer common in financial transactions.
:crypto:transaction	crypto:currency:transaction	A crypto currency transaction that initiated the payment.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

econ:acquired

Deprecated. Please use econ:purchase -(acquired)> *.

The base type for the form can be found at econ:acquired.

Properties:

name	type	doc	opts
:purchase	econ:purchase	The purchase event which acquired an item.	Read Only: True
:item	ndef	A reference to the item that was acquired.	Read Only: True
:item:form	str	The form of item purchased.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

econ:fin:bar

A sample of the open, close, high, low prices of a security in a specific time window.

The base type for the form can be found at econ:fin:bar.

Properties:

name	type	doc
:security	econ:fin:security	The security measured by the bar.
:ival	ival	The interval of measurement.
:price:open	econ:price	The opening price of the security.
:price:close	econ:price	The closing price of the security.
:price:low	econ:price	The low price of the security.
:price:high	econ:price	The high price of the security.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

econ:fin:exchange

A financial exchange where securities are traded.

The base type for the form can be found at econ:fin:exchange.

Properties:

name	type	doc	opts
:name	str lower: True strip: True	A simple name for the exchange.	Example: nasdaq
:org	ou:org	The organization that operates the exchange.
:currency	econ:currency	The currency used for all transactions in the exchange.	Example: usd

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

econ:fin:security

A financial security which is typically traded on an exchange.

The base type for the form can be found at econ:fin:security.

Properties:

name	type	doc
:exchange	econ:fin:exchange	The exchange on which the security is traded.
:ticker	str lower: True strip: True	The identifier for this security within the exchange.
:type	str lower: True strip: True	A user defined type such as stock, bond, option, future, or forex.
:price	econ:price	The last known/available price of the security.
:time	time	The time of the last know price sample.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

econ:fin:tick

A sample of the price of a security at a single moment in time.

The base type for the form can be found at econ:fin:tick.

Properties:

name	type	doc
:security	econ:fin:security	The security measured by the tick.
:time	time	The time the price was sampled.
:price	econ:price	The price of the security at the time.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

econ:pay:card

A single payment card.

The base type for the form can be found at econ:pay:card.

Properties:

name	type	doc
:pan	econ:pay:pan	The payment card number.
:pan:mii	econ:pay:mii	The payment card MII.
:pan:iin	econ:pay:iin	The payment card IIN.
:name	ps:name	The name as it appears on the card.
:expr	time	The expiration date for the card.
:cvv	econ:pay:cvv	The Card Verification Value on the card.
:pin	econ:pay:pin	The Personal Identification Number on the card.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

econ:pay:iin

An Issuer Id Number (IIN).

The base type for the form can be found at econ:pay:iin.

Properties:

name	type	doc
:org	ou:org	The issuer organization.
:name	str lower: True	The registered name of the issuer.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

econ:purchase

A purchase event.

The base type for the form can be found at econ:purchase.

Properties:

name	type	doc
:by:contact	ps:contact	The contact information used to make the purchase.
:from:contact	ps:contact	The contact information used to sell the item.
:time	time	The time of the purchase.
:place	geo:place	The place where the purchase took place.
:paid	bool	Set to True if the purchase has been paid in full.
:paid:time	time	The point in time where the purchase was paid in full.
:settled	time	The point in time where the purchase was settled.
:campaign	ou:campaign	The campaign that the purchase was in support of.
:price	econ:price	The econ:price of the purchase.
:currency	econ:currency	The econ:price of the purchase.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

econ:receipt:item

A line item included as part of a purchase.

The base type for the form can be found at econ:receipt:item.

Properties:

name	type	doc
:purchase	econ:purchase	The purchase that contains this line item.
:count	int min: 1	The number of items included in this line item.
:price	econ:price	The total cost of this receipt line item.
:product	biz:product	The product being being purchased in this line item.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

edge:has

A digraph edge which records that N1 has N2.

The base type for the form can be found at edge:has.

Properties:

name	type	doc	opts
:n1	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n1:form	str	The base string type.	Read Only: True
:n2	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n2:form	str	The base string type.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

edge:refs

A digraph edge which records that N1 refers to or contains N2.

The base type for the form can be found at edge:refs.

Properties:

name	type	doc	opts
:n1	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n1:form	str	The base string type.	Read Only: True
:n2	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n2:form	str	The base string type.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

edge:wentto

A digraph edge which records that N1 went to N2 at a specific time.

The base type for the form can be found at edge:wentto.

Properties:

name	type	doc	opts
:n1	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n1:form	str	The base string type.	Read Only: True
:n2	ndef	The node definition type for a (form,valu) compound field.	Read Only: True
:n2:form	str	The base string type.	Read Only: True
:time	time	A date/time value.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

edu:class

An instance of an edu:course taught at a given time.

The base type for the form can be found at edu:class.

Properties:

name	type	doc
:course	edu:course	The course being taught in the class.
:instructor	ps:contact	The primary instructor for the class.
:assistants	array type: ps:contact uniq: True sorted: True	An array of assistant/co-instructor contacts.
:date:first	time	The date of the first day of class.
:date:last	time	The date of the last day of class.
:isvirtual	bool	Set if the class is known to be virtual.
:virtual:url	inet:url	The URL a student would use to attend the virtual class.
:virtual:provider	ps:contact	Contact info for the virtual infrastructure provider.
:place	geo:place	The place that the class is held.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

edu:course

A course of study taught by an org.

The base type for the form can be found at edu:course.

Properties:

name	type	doc	opts
:name	str lower: True onespace: True	The name of the course.	Example: organic chemistry for beginners
:desc	str	A brief course description.
:code	str lower: True strip: True	The course catalog number or designator.	Example: chem101
:institution	ps:contact	The org or department which teaches the course.
:prereqs	array type: edu:course uniq: True sorted: True	The pre-requisite courses for taking this course.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:archive:entry

An archive entry representing a file and metadata within a parent archive file.

The base type for the form can be found at file:archive:entry.

Properties:

name	type	doc
:parent	file:bytes	The parent archive file.
:file	file:bytes	The file contained within the archive.
:path	file:path	The file path of the archived file.
:user	inet:user	The name of the user who owns the archived file.
:added	time	The time that the file was added to the archive.
:created	time	The created time of the archived file.
:modified	time	The modified time of the archived file.
:comment	str	The comment field for the file entry within the archive.
:posix:uid	int	The POSIX UID of the user who owns the archived file.
:posix:gid	int	The POSIX GID of the group who owns the archived file.
:posix:perms	int	The POSIX permissions mask of the archived file.
:archived:size	int	The encoded or compressed size of the archived file within the parent.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:base

A file name with no path.

The base type for the form can be found at file:base.

An example of file:base:

• woot.exe

Properties:

name	type	doc	opts
:ext	str	The file extension (if any).	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:bytes

The file bytes type with SHA256 based primary property.

The base type for the form can be found at file:bytes.

Properties:

name	type	doc
:size	int	The file size in bytes.
:md5	hash:md5	The md5 hash of the file.
:sha1	hash:sha1	The sha1 hash of the file.
:sha256	hash:sha256	The sha256 hash of the file.
:sha512	hash:sha512	The sha512 hash of the file.
:name	file:base	The best known base name for the file.
:mime	file:mime	The “best” mime type name for the file.
:mime:x509:cn	str	The Common Name (CN) attribute of the x509 Subject.
:mime:pe:size	int	The size of the executable file according to the PE file header.
:mime:pe:imphash	hash:md5	The PE import hash of the file as calculated by pefile; https://github.com/erocarrera/pefile .
:mime:pe:compiled	time	The compile time of the file according to the PE header.
:mime:pe:pdbpath	file:path	The PDB string according to the PE.
:mime:pe:exports:time	time	The export time of the file according to the PE.
:mime:pe:exports:libname	str	The export library name according to the PE.
:mime:pe:richhdr	hash:sha256	The sha256 hash of the rich header bytes.
:exe:compiler	it:prod:softver	The software used to compile the file.
:exe:packer	it:prod:softver	The packer software used to encode the file.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:filepath

The fused knowledge of the association of a file:bytes node and a file:path.

The base type for the form can be found at file:filepath.

Properties:

name	type	doc	opts
:file	file:bytes	The file seen at a path.	Read Only: True
:path	file:path	The path a file was seen at.	Read Only: True
:path:dir	file:path	The parent directory.	Read Only: True
:path:base	file:base	The name of the file.	Read Only: True
:path:base:ext	str	The extension of the file name.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:ismime

Records one, of potentially multiple, mime types for a given file.

The base type for the form can be found at file:ismime.

Properties:

name	type	doc	opts
:file	file:bytes	The file node that is an instance of the named mime type.	Read Only: True
:mime	file:mime	The mime type of the file.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime

A file mime name string.

The base type for the form can be found at file:mime.

An example of file:mime:

• text/plain

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:gif

The GUID of a set of mime metadata for a .gif file.

The base type for the form can be found at file:mime:gif.

Properties:

name	type	doc
:desc	str	MIME specific description field extracted from metadata.
:comment	str	MIME specific comment field extracted from metadata.
:created	time	MIME specific creation timestamp extracted from metadata.
:imageid	str	MIME specific unique identifier extracted from metadata.
:author	ps:contact	MIME specific contact information extracted from metadata.
:latlong	geo:latlong	MIME specific lat/long information extracted from metadata.
:altitude	geo:altitude	MIME specific altitude information extracted from metadata.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:jpg

The GUID of a set of mime metadata for a .jpg file.

The base type for the form can be found at file:mime:jpg.

Properties:

name	type	doc
:desc	str	MIME specific description field extracted from metadata.
:comment	str	MIME specific comment field extracted from metadata.
:created	time	MIME specific creation timestamp extracted from metadata.
:imageid	str	MIME specific unique identifier extracted from metadata.
:author	ps:contact	MIME specific contact information extracted from metadata.
:latlong	geo:latlong	MIME specific lat/long information extracted from metadata.
:altitude	geo:altitude	MIME specific altitude information extracted from metadata.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:macho:loadcmd

A generic load command pulled from the Mach-O headers.

The base type for the form can be found at file:mime:macho:loadcmd.

Properties:

name	type	doc
:file	file:bytes	The Mach-O file containing the load command.
:type	int enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))	The type of the load command.
:size	int	The size of the load command structure in bytes.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:macho:section

A section inside a Mach-O binary denoting a named region of bytes inside a segment.

The base type for the form can be found at file:mime:macho:section.

Properties:

name	type	doc
:segment	file:mime:macho:segment	The Mach-O segment that contains this section.
:name	str	Name of the section.
:size	int	Size of the section in bytes.
:type	int enums: ((0, 'regular'), (1, 'zero fill on demand'), (2, 'only literal C strings'), (3, 'only 4 byte literals'), (4, 'only 8 byte literals'), (5, 'only pointers to literals'), (6, 'only non-lazy symbol pointers'), (7, 'only lazy symbol pointers'), (8, 'only symbol stubs'), (9, 'only function pointers for init'), (10, 'only function pointers for fini'), (11, 'contains symbols to be coalesced'), (12, 'zero fill on deman (greater than 4gb)'), (13, 'only pairs of function pointers for interposing'), (14, 'only 16 byte literals'), (15, 'dtrace object format'), (16, 'only lazy symbols pointers to lazy dynamic libraries'))	The type of the section.
:sha256	hash:sha256	The sha256 hash of the bytes of the Mach-O section.
:offset	int	The file offset to the beginning of the section.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:macho:segment

A named region of bytes inside a Mach-O binary.

The base type for the form can be found at file:mime:macho:segment.

Properties:

name	type	doc
:name	str	The name of the Mach-O segment.
:memsize	int	The size of the segment in bytes, when resident in memory, according to the load command structure.
:disksize	int	The size of the segment in bytes, when on disk, according to the load command structure.
:sha256	hash:sha256	The sha256 hash of the bytes of the segment.
:offset	int	The file offset to the beginning of the segment.
:file	file:bytes	The Mach-O file containing the load command.
:type	int enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))	The type of the load command.
:size	int	The size of the load command structure in bytes.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:macho:uuid

A specific load command denoting a UUID used to uniquely identify the Mach-O binary.

The base type for the form can be found at file:mime:macho:uuid.

Properties:

name	type	doc
:uuid	guid	The UUID of the Mach-O application (as defined in an LC_UUID load command).
:file	file:bytes	The Mach-O file containing the load command.
:type	int enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))	The type of the load command.
:size	int	The size of the load command structure in bytes.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:macho:version

A specific load command used to denote the version of the source used to build the Mach-O binary.

The base type for the form can be found at file:mime:macho:version.

Properties:

name	type	doc
:version	str	The version of the Mach-O file encoded in an LC_VERSION load command.
:file	file:bytes	The Mach-O file containing the load command.
:type	int enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))	The type of the load command.
:size	int	The size of the load command structure in bytes.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:msdoc

The GUID of a set of mime metadata for a Microsoft Word file.

The base type for the form can be found at file:mime:msdoc.

Properties:

name	type	doc
:title	str	The title extracted from Microsoft Office metadata.
:author	str	The author extracted from Microsoft Office metadata.
:subject	str	The subject extracted from Microsoft Office metadata.
:application	str	The creating_application extracted from Microsoft Office metadata.
:created	time	The create_time extracted from Microsoft Office metadata.
:lastsaved	time	The last_saved_time extracted from Microsoft Office metadata.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:msppt

The GUID of a set of mime metadata for a Microsoft Powerpoint file.

The base type for the form can be found at file:mime:msppt.

Properties:

name	type	doc
:title	str	The title extracted from Microsoft Office metadata.
:author	str	The author extracted from Microsoft Office metadata.
:subject	str	The subject extracted from Microsoft Office metadata.
:application	str	The creating_application extracted from Microsoft Office metadata.
:created	time	The create_time extracted from Microsoft Office metadata.
:lastsaved	time	The last_saved_time extracted from Microsoft Office metadata.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:msxls

The GUID of a set of mime metadata for a Microsoft Excel file.

The base type for the form can be found at file:mime:msxls.

Properties:

name	type	doc
:title	str	The title extracted from Microsoft Office metadata.
:author	str	The author extracted from Microsoft Office metadata.
:subject	str	The subject extracted from Microsoft Office metadata.
:application	str	The creating_application extracted from Microsoft Office metadata.
:created	time	The create_time extracted from Microsoft Office metadata.
:lastsaved	time	The last_saved_time extracted from Microsoft Office metadata.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:pe:export

The fused knowledge of a file:bytes node containing a pe named export.

The base type for the form can be found at file:mime:pe:export.

Properties:

name	type	doc	opts
:file	file:bytes	The file containing the export.	Read Only: True
:name	str	The name of the export in the file.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:pe:resource

The fused knowledge of a file:bytes node containing a pe resource.

The base type for the form can be found at file:mime:pe:resource.

Properties:

name	type	doc	opts
:file	file:bytes	The file containing the resource.	Read Only: True
:type	pe:resource:type	The typecode for the resource.	Read Only: True
:langid	pe:langid	The language code for the resource.	Read Only: True
:resource	file:bytes	The sha256 hash of the resource bytes.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:pe:section

The fused knowledge a file:bytes node containing a pe section.

The base type for the form can be found at file:mime:pe:section.

Properties:

name	type	doc	opts
:file	file:bytes	The file containing the section.	Read Only: True
:name	str	The textual name of the section.	Read Only: True
:sha256	hash:sha256	The sha256 hash of the section. Relocations must be zeroed before hashing.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:pe:vsvers:info

knowledge of a file:bytes node containing vsvers info.

The base type for the form can be found at file:mime:pe:vsvers:info.

Properties:

name	type	doc	opts
:file	file:bytes	The file containing the vsversion keyval pair.	Read Only: True
:keyval	file:mime:pe:vsvers:keyval	The vsversion info keyval in this file:bytes node.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:pe:vsvers:keyval

A key value pair found in a PE vsversion info structure.

The base type for the form can be found at file:mime:pe:vsvers:keyval.

Properties:

name	type	doc	opts
:name	str	The key for the vsversion keyval pair.	Read Only: True
:value	str	The value for the vsversion keyval pair.	Read Only: True

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:png

The GUID of a set of mime metadata for a .png file.

The base type for the form can be found at file:mime:png.

Properties:

name	type	doc
:desc	str	MIME specific description field extracted from metadata.
:comment	str	MIME specific comment field extracted from metadata.
:created	time	MIME specific creation timestamp extracted from metadata.
:imageid	str	MIME specific unique identifier extracted from metadata.
:author	ps:contact	MIME specific contact information extracted from metadata.
:latlong	geo:latlong	MIME specific lat/long information extracted from metadata.
:altitude	geo:altitude	MIME specific altitude information extracted from metadata.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:rtf

The GUID of a set of mime metadata for a .rtf file.

The base type for the form can be found at file:mime:rtf.

Properties:

name	type	doc
:guid	guid	The parsed GUID embedded in the .rtf file.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc
*	-(refs)>	*	None
econ:purchase	-(acquired)>	*	The purchase was used to acquire the target node.
it:app:snort:rule	-(detects)>	*	The snort rule is intended for use in detecting the target node.
it:app:yara:rule	-(detects)>	*	The YARA rule is intended for use in detecting the target node.
it:exec:query	-(found)>	*	The target node was returned as a result of running the query.
meta:note	-(about)>	*	The meta:note is about the target node.
meta:rule	-(detects)>	*	The meta:rule is designed to detect instances of the target node.
meta:rule	-(matches)>	*	The meta:rule has matched on target node.
meta:source	-(seen)>	*	The meta:source observed the target node.
ou:campaign	-(targets)>	*	The campaign targeted the target nodes.
ou:campaign	-(uses)>	*	The campaign made use of the target node.
ou:contribution	-(includes)>	*	The contribution includes the specific node.
ou:org	-(targets)>	*	The organization targets the target node.
ou:org	-(uses)>	*	The ou:org makes use of the target node.
risk:attack	-(targets)>	*	The attack targeted the target node.
risk:attack	-(uses)>	*	The attack used the target node to facilitate the attack.
risk:compromise	-(stole)>	*	The target node was stolen or copied as a result of the compromise.
risk:threat	-(targets)>	*	The threat cluster targeted the target node.
risk:threat	-(uses)>	*	The threat cluster uses the target node.
risk:tool:software	-(uses)>	*	The tool uses the target node.

file:mime:tif

The GUID of a set of mime metadata for a .tif file.

The base type for the form can be found at file:mime:tif.

Properties:

name	type	doc
:desc	str	MIME specific description field extracted from metadata.
:comment	str	MIME specific comment field extracted from metadata.
:created	time	MIME specific creation timestamp extracted from metadata.
:imageid	str	MIME specific unique identifier extracted from metadata.
:author	ps:contact	MIME specific contact information extracted from metadata.
:latlong	geo:latlong	MIME specific lat/long information extracted from metadata.
:altitude	geo:altitude	MIME specific altitude information extracted from metadata.
:file	file:bytes	The file that the mime info was parsed from.
:file:offs	int	The optional offset where the mime info was parsed from.
:file:data	data	A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source	verb	target	doc
*	-(refs)>	*	The source node contains a reference to the target node.
*	-(seenat)>	geo:telem	The source node was seen at the geo:telem node place and time.

Target Edges:

source	verb	target	doc