Synapse Data Model - Forms

Forms

Forms are derived from types, or base types. Forms represent node types in the graph.

auth:access

An instance of using creds to access a resource.

The base type for the form can be found at auth:access.

Properties:

name | type | doc
:creds | auth:creds | The credentials used to attempt access.
:time | time | The time of the access attempt.
:success | bool | Set to true if the access was successful.
:person | ps:person | The person who attempted access.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

auth:creds

A unique set of credentials used to access a resource.

The base type for the form can be found at auth:creds.

Properties:

name | type | doc
:email | inet:email | The email address used to identify the user.
:user | inet:user | The user name used to identify the user.
:phone | tel:phone | The phone number used to identify the user.
:passwd | inet:passwd | The password used to authenticate.
:passwdhash | it:auth:passwdhash | The password hash used to authenticate.
:account | it:account | The account that the creds allow access to.
:website | inet:url | The base URL of the website that the credentials allow access to.
:host | it:host | The host that the credentials allow access to.
:wifi:ssid | inet:wifi:ssid | The WiFi SSID that the credentials allow access to.
:web:acct | inet:web:acct | The web account that the credentials allow access to.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

belief:subscriber

A contact which subscribes to a belief system.

The base type for the form can be found at belief:subscriber.

Properties:

name | type | doc
:contact | ps:contact | The contact which subscribes to the belief system.
:system | belief:system | The belief system to which the contact subscribes.
:began | time | The time that the contact began to be a subscriber to the belief system.
:ended | time | The time when the contact ceased to be a subscriber to the belief system.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.
belief:subscriber | -(follows)> | belief:tenet | The subscriber is assessed to generally adhere to the specific tenet.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

belief:system

A belief system such as an ideology, philosophy, or religion.

The base type for the form can be found at belief:system.

Properties:

name | type | doc | opts
:name | | The name of the belief system. | onespace: True, lower: True
:desc | str | A description of the belief system. | Display: {'hint': 'text'}
:type | belief:system:type:taxonomy | A taxonometric type for the belief system. |
:began | time | The time that the belief system was first observed. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.
belief:system | -(has)> | belief:tenet | The belief system includes the tenet.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

belief:system:type:taxonomy

A hierarchical taxonomy of belief system types.

The base type for the form can be found at belief:system:type:taxonomy.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True, Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | belief:system:type:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

belief:tenet

A concrete tenet potentially shared by multiple belief systems.

The base type for the form can be found at belief:tenet.

Properties:

name | type | doc | opts
:name | | The name of the tenet. | onespace: True, lower: True
:desc | str | A description of the tenet. | Display: {'hint': 'text'}

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
belief:subscriber | -(follows)> | belief:tenet | The subscriber is assessed to generally adhere to the specific tenet.
belief:system | -(has)> | belief:tenet | The belief system includes the tenet.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

biz:bundle

A bundle allows construction of products which bundle instances of other products.

The base type for the form can be found at biz:bundle.

Properties:

name | type | doc | opts
:count | int | The number of instances of the product or service included in the bundle. |
:price | econ:price | The price of the bundle. |
:product | biz:product | The product included in the bundle. |
:service | biz:service | The service included in the bundle. |
:deal | biz:deal | Deprecated. Please use econ:receipt:item for instances of bundles being sold. | Deprecated: True
:purchase | econ:purchase | Deprecated. Please use econ:receipt:item for instances of bundles being sold. | Deprecated: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

biz:deal

A sales or procurement effort in pursuit of a purchase.

The base type for the form can be found at biz:deal.

Properties:

name | type | doc | opts
:title | str | A title for the deal. |
:type | biz:dealtype | The type of deal. | Display: {'hint': 'taxonomy'}
:status | biz:dealstatus | The status of the deal. | Display: {'hint': 'taxonomy'}
:updated | time | The last time the deal had a significant update. |
:contacted | time | The last time the contacts communicated about the deal. |
:rfp | biz:rfp | The RFP that the deal is in response to. |
:buyer | ps:contact | The primary contact information for the buyer. |
:buyer:org | ou:org | The buyer org. |
:buyer:orgname | ou:name | The reported ou:name of the buyer org. |
:buyer:orgfqdn | inet:fqdn | The reported inet:fqdn of the buyer org. |
:seller | ps:contact | The primary contact information for the seller. |
:seller:org | ou:org | The seller org. |
:seller:orgname | ou:name | The reported ou:name of the seller org. |
:seller:orgfqdn | inet:fqdn | The reported inet:fqdn of the seller org. |
:currency | econ:currency | The currency of econ:price values associated with the deal. |
:buyer:budget | econ:price | The buyer's budget for the eventual purchase. |
:buyer:deadline | time | When the buyer intends to make a decision. |
:offer:price | econ:price | The total price of the offered products. |
:offer:expires | time | When the offer expires. |
:purchase | econ:purchase | Records a purchase resulting from the deal. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

biz:dealstatus

A deal/rfp status taxonomy.

The base type for the form can be found at biz:dealstatus.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True, Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | biz:dealstatus | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

biz:dealtype

A deal type taxonomy.

The base type for the form can be found at biz:dealtype.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True, Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | biz:dealtype | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

biz:listing

A product or service being listed for sale at a given price by a specific seller.

The base type for the form can be found at biz:listing.

Properties:

name        type            doc
:seller     ps:contact      The contact information for the seller.
:product    biz:product     The product being offered.
:service    biz:service     The service being offered.
:current    bool            Set to true if the offer is still current.
:time       time            The first known offering of this product/service by the organization for the asking price.
:expires    time            Set if the offer has a known expiration date.
:price      econ:price      The asking price of the product or service.
:currency   econ:currency   The currency of the asking price.

Source Edges:

source   verb         target           doc
*        -(meets)>    ou:requirement   The requirement is met by the source node.
*        -(refs)>     *                The source node contains a reference to the target node.
*        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

source               verb            target   doc
*                    -(refs)>        *        None
econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *        The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
meta:note            -(about)>       *        The meta:note is about the target node.
meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
meta:source          -(seen)>        *        The meta:source observed the target node.
ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
ou:campaign          -(uses)>        *        The campaign made use of the target node.
ou:contribution      -(includes)>    *        The contribution includes the specific node.
ou:org               -(has)>         *        The organization is or was in possession of the target node.
ou:org               -(owns)>        *        The organization owns or owned the target node.
ou:org               -(targets)>     *        The organization targets the target node.
ou:org               -(uses)>        *        The ou:org makes use of the target node.
ps:contact           -(has)>         *        The contact is or was in possession of the target node.
ps:contact           -(owns)>        *        The contact owns or owned the target node.
ps:person            -(has)>         *        The person is or was in possession of the target node.
ps:person            -(owns)>        *        The person owns or owned the target node.
risk:attack          -(targets)>     *        The attack targeted the target node.
risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
risk:threat          -(targets)>     *        The threat cluster targeted the target node.
risk:threat          -(uses)>        *        The threat cluster uses the target node.
risk:tool:software   -(uses)>        *        The tool uses the target node.
sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
sci:observation      -(has)>         *        The observations are summarized from the target nodes.

biz:prodtype

A product type taxonomy.

The base type for the form can be found at biz:prodtype.

Properties:

name       type           doc                                   opts
:title     str            A brief title of the definition.
:summary   str            Deprecated. Please use title/desc.    Deprecated: True; Display: {'hint': 'text'}
:desc      str            A definition of the taxonomy entry.   Display: {'hint': 'text'}
:sort      int            A display sort order for siblings.
:base      taxon          The base taxon.                       Read Only: True
:depth     int            The depth indexed from 0.             Read Only: True
:parent    biz:prodtype   The taxonomy parent.                  Read Only: True

Source Edges:

source   verb         target           doc
*        -(meets)>    ou:requirement   The requirement is met by the source node.
*        -(refs)>     *                The source node contains a reference to the target node.
*        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

source               verb            target   doc
*                    -(refs)>        *        None
econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *        The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
meta:note            -(about)>       *        The meta:note is about the target node.
meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
meta:source          -(seen)>        *        The meta:source observed the target node.
ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
ou:campaign          -(uses)>        *        The campaign made use of the target node.
ou:contribution      -(includes)>    *        The contribution includes the specific node.
ou:org               -(has)>         *        The organization is or was in possession of the target node.
ou:org               -(owns)>        *        The organization owns or owned the target node.
ou:org               -(targets)>     *        The organization targets the target node.
ou:org               -(uses)>        *        The ou:org makes use of the target node.
ps:contact           -(has)>         *        The contact is or was in possession of the target node.
ps:contact           -(owns)>        *        The contact owns or owned the target node.
ps:person            -(has)>         *        The person is or was in possession of the target node.
ps:person            -(owns)>        *        The person owns or owned the target node.
risk:attack          -(targets)>     *        The attack targeted the target node.
risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
risk:threat          -(targets)>     *        The threat cluster targeted the target node.
risk:threat          -(uses)>        *        The threat cluster uses the target node.
risk:tool:software   -(uses)>        *        The tool uses the target node.
sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
sci:observation      -(has)>         *        The observations are summarized from the target nodes.

biz:product

A product which is available for purchase.

The base type for the form can be found at biz:product.

Properties:

name              type                       doc                                                       opts
:name             str                        The name of the product.
:type             biz:prodtype               The type of product.                                      Display: {'hint': 'taxonomy'}
:summary          str                        A brief summary of the product.                           Display: {'hint': 'text'}
:maker            ps:contact                 A contact for the maker of the product.
:madeby:org       ou:org                     Deprecated. Please use biz:product:maker.                 Deprecated: True
:madeby:orgname   ou:name                    Deprecated. Please use biz:product:maker.                 Deprecated: True
:madeby:orgfqdn   inet:fqdn                  Deprecated. Please use biz:product:maker.                 Deprecated: True
:price:retail     econ:price                 The MSRP price of the product.
:price:bottom     econ:price                 The minimum offered or observed price of the product.
:price:currency   econ:currency              The currency of the retail and bottom price properties.
:bundles          uniq: True; sorted: True   An array of bundles included with the product.

Source Edges:

source   verb         target           doc
*        -(meets)>    ou:requirement   The requirement is met by the source node.
*        -(refs)>     *                The source node contains a reference to the target node.
*        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

source               verb            target   doc
*                    -(refs)>        *        None
econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *        The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
meta:note            -(about)>       *        The meta:note is about the target node.
meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
meta:source          -(seen)>        *        The meta:source observed the target node.
ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
ou:campaign          -(uses)>        *        The campaign made use of the target node.
ou:contribution      -(includes)>    *        The contribution includes the specific node.
ou:org               -(has)>         *        The organization is or was in possession of the target node.
ou:org               -(owns)>        *        The organization owns or owned the target node.
ou:org               -(targets)>     *        The organization targets the target node.
ou:org               -(uses)>        *        The ou:org makes use of the target node.
ps:contact           -(has)>         *        The contact is or was in possession of the target node.
ps:contact           -(owns)>        *        The contact owns or owned the target node.
ps:person            -(has)>         *        The person is or was in possession of the target node.
ps:person            -(owns)>        *        The person owns or owned the target node.
risk:attack          -(targets)>     *        The attack targeted the target node.
risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
risk:threat          -(targets)>     *        The threat cluster targeted the target node.
risk:threat          -(uses)>        *        The threat cluster uses the target node.
risk:tool:software   -(uses)>        *        The tool uses the target node.
sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
sci:observation      -(has)>         *        The observations are summarized from the target nodes.

biz:rfp

An RFP (Request for Proposal) soliciting proposals.

The base type for the form can be found at biz:rfp.

Properties:

name            type                                      doc                                                            opts
:ext:id         str                                       An externally specified identifier for the RFP.
:title          str                                       The title of the RFP.
:summary        str                                       A brief summary of the RFP.                                    Display: {'hint': 'text'}
:status         biz:dealstatus                            The status of the RFP.                                         Display: {'hint': 'enum'}
:url            inet:url                                  The official URL for the RFP.
:file           file:bytes                                The RFP document.
:posted         time                                      The date/time that the RFP was posted.
:quesdue        time                                      The date/time that questions are due.
:propdue        time                                      The date/time that proposals are due.
:contact        ps:contact                                The contact information given for the org requesting offers.
:purchases      uniq: True; sorted: True                  Any known purchases that resulted from the RFP.
:requirements   type: ou:goal; uniq: True; sorted: True   A typed array which indexes each field.

Source Edges:

source   verb         target           doc
*        -(meets)>    ou:requirement   The requirement is met by the source node.
*        -(refs)>     *                The source node contains a reference to the target node.
*        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

source               verb            target   doc
*                    -(refs)>        *        None
econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *        The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
meta:note            -(about)>       *        The meta:note is about the target node.
meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
meta:source          -(seen)>        *        The meta:source observed the target node.
ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
ou:campaign          -(uses)>        *        The campaign made use of the target node.
ou:contribution      -(includes)>    *        The contribution includes the specific node.
ou:org               -(has)>         *        The organization is or was in possession of the target node.
ou:org               -(owns)>        *        The organization owns or owned the target node.
ou:org               -(targets)>     *        The organization targets the target node.
ou:org               -(uses)>        *        The ou:org makes use of the target node.
ps:contact           -(has)>         *        The contact is or was in possession of the target node.
ps:contact           -(owns)>        *        The contact owns or owned the target node.
ps:person            -(has)>         *        The person is or was in possession of the target node.
ps:person            -(owns)>        *        The person owns or owned the target node.
risk:attack          -(targets)>     *        The attack targeted the target node.
risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
risk:threat          -(targets)>     *        The threat cluster targeted the target node.
risk:threat          -(uses)>        *        The threat cluster uses the target node.
risk:tool:software   -(uses)>        *        The tool uses the target node.
sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
sci:observation      -(has)>         *        The observations are summarized from the target nodes.

biz:service

A service which is performed by a specific organization.

The base type for the form can be found at biz:service.

Properties:

name        type                          doc                                                            opts
:provider   ps:contact                    The contact info of the entity which performs the service.
:name       lower: True; onespace: True   The name of the service being performed.
:summary    str                           A brief summary of the service.                                Display: {'hint': 'text'}
:type       biz:service:type:taxonomy     A taxonomy of service types.
:launched   time                          The time when the operator first made the service available.

Source Edges:

source   verb         target           doc
*        -(meets)>    ou:requirement   The requirement is met by the source node.
*        -(refs)>     *                The source node contains a reference to the target node.
*        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

source               verb            target   doc
*                    -(refs)>        *        None
econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *        The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
meta:note            -(about)>       *        The meta:note is about the target node.
meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
meta:source          -(seen)>        *        The meta:source observed the target node.
ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
ou:campaign          -(uses)>        *        The campaign made use of the target node.
ou:contribution      -(includes)>    *        The contribution includes the specific node.
ou:org               -(has)>         *        The organization is or was in possession of the target node.
ou:org               -(owns)>        *        The organization owns or owned the target node.
ou:org               -(targets)>     *        The organization targets the target node.
ou:org               -(uses)>        *        The ou:org makes use of the target node.
ps:contact           -(has)>         *        The contact is or was in possession of the target node.
ps:contact           -(owns)>        *        The contact owns or owned the target node.
ps:person            -(has)>         *        The person is or was in possession of the target node.
ps:person            -(owns)>        *        The person owns or owned the target node.
risk:attack          -(targets)>     *        The attack targeted the target node.
risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
risk:threat          -(targets)>     *        The threat cluster targeted the target node.
risk:threat          -(uses)>        *        The threat cluster uses the target node.
risk:tool:software   -(uses)>        *        The tool uses the target node.
sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
sci:observation      -(has)>         *        The observations are summarized from the target nodes.

biz:stake

A stake or partial ownership in a company.

The base type for the form can be found at biz:stake.

Properties:

name        type            doc
:vitals     ou:vitals       The ou:vitals snapshot this stake is part of.
:org        ou:org          The resolved org.
:orgname    ou:name         The org name as reported by the source of the vitals.
:orgfqdn    inet:fqdn       The org FQDN as reported by the source of the vitals.
:name       str             An arbitrary name for this stake. Can be non-contact like “pool”.
:asof       time            The time the stake is being measured. Likely as part of an ou:vitals.
:shares     int             The number of shares represented by the stake.
:invested   econ:price      The amount of money invested in the cap table iteration.
:value      econ:price      The monetary value of the stake.
:percent    hugenum         The percentage ownership represented by this stake.
:owner      ps:contact      Contact information of the owner of the stake.
:purchase   econ:purchase   The purchase event for the stake.

Source Edges:

source   verb         target           doc
*        -(meets)>    ou:requirement   The requirement is met by the source node.
*        -(refs)>     *                The source node contains a reference to the target node.
*        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

source               verb            target   doc
*                    -(refs)>        *        None
econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *        The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
meta:note            -(about)>       *        The meta:note is about the target node.
meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
meta:source          -(seen)>        *        The meta:source observed the target node.
ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
ou:campaign          -(uses)>        *        The campaign made use of the target node.
ou:contribution      -(includes)>    *        The contribution includes the specific node.
ou:org               -(has)>         *        The organization is or was in possession of the target node.
ou:org               -(owns)>        *        The organization owns or owned the target node.
ou:org               -(targets)>     *        The organization targets the target node.
ou:org               -(uses)>        *        The ou:org makes use of the target node.
ps:contact           -(has)>         *        The contact is or was in possession of the target node.
ps:contact           -(owns)>        *        The contact owns or owned the target node.
ps:person            -(has)>         *        The person is or was in possession of the target node.
ps:person            -(owns)>        *        The person owns or owned the target node.
risk:attack          -(targets)>     *        The attack targeted the target node.
risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
risk:threat          -(targets)>     *        The threat cluster targeted the target node.
risk:threat          -(uses)>        *        The threat cluster uses the target node.
risk:tool:software   -(uses)>        *        The tool uses the target node.
sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
sci:observation      -(has)>         *        The observations are summarized from the target nodes.

crypto:algorithm

A cryptographic algorithm name.

The base type for the form can be found at crypto:algorithm.

An example of crypto:algorithm:

  • aes256

Source Edges:

source   verb         target           doc
*        -(meets)>    ou:requirement   The requirement is met by the source node.
*        -(refs)>     *                The source node contains a reference to the target node.
*        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

source               verb            target   doc
*                    -(refs)>        *        None
econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *        The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
meta:note            -(about)>       *        The meta:note is about the target node.
meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
meta:source          -(seen)>        *        The meta:source observed the target node.
ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
ou:campaign          -(uses)>        *        The campaign made use of the target node.
ou:contribution      -(includes)>    *        The contribution includes the specific node.
ou:org               -(has)>         *        The organization is or was in possession of the target node.
ou:org               -(owns)>        *        The organization owns or owned the target node.
ou:org               -(targets)>     *        The organization targets the target node.
ou:org               -(uses)>        *        The ou:org makes use of the target node.
ps:contact           -(has)>         *        The contact is or was in possession of the target node.
ps:contact           -(owns)>        *        The contact owns or owned the target node.
ps:person            -(has)>         *        The person is or was in possession of the target node.
ps:person            -(owns)>        *        The person owns or owned the target node.
risk:attack          -(targets)>     *        The attack targeted the target node.
risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
risk:threat          -(targets)>     *        The threat cluster targeted the target node.
risk:threat          -(uses)>        *        The threat cluster uses the target node.
risk:tool:software   -(uses)>        *        The tool uses the target node.
sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
sci:observation      -(has)>         *        The observations are summarized from the target nodes.

crypto:currency:address

An individual crypto currency address.

The base type for the form can be found at crypto:currency:address.

An example of crypto:currency:address:

  • btc/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2

Properties:

name       type                   doc                                                                  opts
:coin      crypto:currency:coin   The crypto coin to which the address belongs.                        Read Only: True
:seed      crypto:key             The cryptographic key and/or password used to generate the address.
:iden      str                    The coin specific address identifier.                                Read Only: True
:desc      str                    A free-form description of the address.
:contact   ps:contact             Contact information associated with the address.

Source Edges:

source   verb         target           doc
*        -(meets)>    ou:requirement   The requirement is met by the source node.
*        -(refs)>     *                The source node contains a reference to the target node.
*        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

source               verb            target   doc
*                    -(refs)>        *        None
econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *        The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
meta:note            -(about)>       *        The meta:note is about the target node.
meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
meta:source          -(seen)>        *        The meta:source observed the target node.
ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
ou:campaign          -(uses)>        *        The campaign made use of the target node.
ou:contribution      -(includes)>    *        The contribution includes the specific node.
ou:org               -(has)>         *        The organization is or was in possession of the target node.
ou:org               -(owns)>        *        The organization owns or owned the target node.
ou:org               -(targets)>     *        The organization targets the target node.
ou:org               -(uses)>        *        The ou:org makes use of the target node.
ps:contact           -(has)>         *        The contact is or was in possession of the target node.
ps:contact           -(owns)>        *        The contact owns or owned the target node.
ps:person            -(has)>         *        The person is or was in possession of the target node.
ps:person            -(owns)>        *        The person owns or owned the target node.
risk:attack          -(targets)>     *        The attack targeted the target node.
risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
risk:threat          -(targets)>     *        The threat cluster targeted the target node.
risk:threat          -(uses)>        *        The threat cluster uses the target node.
risk:tool:software   -(uses)>        *        The tool uses the target node.
sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
sci:observation      -(has)>         *        The observations are summarized from the target nodes.

crypto:currency:block

An individual crypto currency block record on the blockchain.

The base type for the form can be found at crypto:currency:block.

Properties:

name       type                      doc                                                 opts
:coin      crypto:currency:coin      The coin/blockchain this block resides on.          Read Only: True
:offset    int                       The index of this block.                            Read Only: True
:hash      hex                       The unique hash for the block.
:minedby   crypto:currency:address   The address which mined the block.
:time      time                      The timestamp embedded in the block by the miner.

Source Edges:

source   verb         target           doc
*        -(meets)>    ou:requirement   The requirement is met by the source node.
*        -(refs)>     *                The source node contains a reference to the target node.
*        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

source               verb            target   doc
*                    -(refs)>        *        None
econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
it:app:snort:rule    -(detects)>     *        The Snort rule is intended for use in detecting the target node.
it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
meta:note            -(about)>       *        The meta:note is about the target node.
meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
meta:source          -(seen)>        *        The meta:source observed the target node.
ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
ou:campaign          -(uses)>        *        The campaign made use of the target node.
ou:contribution      -(includes)>    *        The contribution includes the specific node.
ou:org               -(has)>         *        The organization is or was in possession of the target node.
ou:org               -(owns)>        *        The organization owns or owned the target node.
ou:org               -(targets)>     *        The organization targets the target node.
ou:org               -(uses)>        *        The ou:org makes use of the target node.
ps:contact           -(has)>         *        The contact is or was in possession of the target node.
ps:contact           -(owns)>        *        The contact owns or owned the target node.
ps:person            -(has)>         *        The person is or was in possession of the target node.
ps:person            -(owns)>        *        The person owns or owned the target node.
risk:attack          -(targets)>     *        The attack targeted the target node.
risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
risk:threat          -(targets)>     *        The threat cluster targeted the target node.
risk:threat          -(uses)>        *        The threat cluster uses the target node.
risk:tool:software   -(uses)>        *        The tool uses the target node.
sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
sci:observation      -(has)>         *        The observations are summarized from the target nodes.

crypto:currency:client

A fused node representing a crypto currency address used by an Internet client.

The base type for the form can be found at crypto:currency:client.

An example of crypto:currency:client:

  • (1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))

Properties:

  name        type                      doc                                                                        opts
  :inetaddr   inet:client               The Internet client address observed using the crypto currency address.   Read Only: True
  :coinaddr   crypto:currency:address   The crypto currency address observed in use by the Internet client.        Read Only: True

Source Edges:

  source   verb         target           doc
  *        -(meets)>    ou:requirement   The requirement is met by the source node.
  *        -(refs)>     *                The source node contains a reference to the target node.
  *        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb            target   doc
  *                    -(refs)>        *        None
  econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>     *        The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
  meta:note            -(about)>       *        The meta:note is about the target node.
  meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
  meta:source          -(seen)>        *        The meta:source observed the target node.
  ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
  ou:campaign          -(uses)>        *        The campaign made use of the target node.
  ou:contribution      -(includes)>    *        The contribution includes the specific node.
  ou:org               -(has)>         *        The organization is or was in possession of the target node.
  ou:org               -(owns)>        *        The organization owns or owned the target node.
  ou:org               -(targets)>     *        The organization targets the target node.
  ou:org               -(uses)>        *        The ou:org makes use of the target node.
  ps:contact           -(has)>         *        The contact is or was in possession of the target node.
  ps:contact           -(owns)>        *        The contact owns or owned the target node.
  ps:person            -(has)>         *        The person is or was in possession of the target node.
  ps:person            -(owns)>        *        The person owns or owned the target node.
  risk:attack          -(targets)>     *        The attack targeted the target node.
  risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
  risk:threat          -(targets)>     *        The threat cluster targeted the target node.
  risk:threat          -(uses)>        *        The threat cluster uses the target node.
  risk:tool:software   -(uses)>        *        The tool uses the target node.
  sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
  sci:observation      -(has)>         *        The observations are summarized from the target nodes.

crypto:currency:coin

An individual crypto currency type.

The base type for the form can be found at crypto:currency:coin.

An example of crypto:currency:coin:

  • btc

Properties:

  name    type   doc
  :name   str    The full name of the crypto coin.

Source Edges:

  source   verb         target           doc
  *        -(meets)>    ou:requirement   The requirement is met by the source node.
  *        -(refs)>     *                The source node contains a reference to the target node.
  *        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb            target   doc
  *                    -(refs)>        *        None
  econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>     *        The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
  meta:note            -(about)>       *        The meta:note is about the target node.
  meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
  meta:source          -(seen)>        *        The meta:source observed the target node.
  ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
  ou:campaign          -(uses)>        *        The campaign made use of the target node.
  ou:contribution      -(includes)>    *        The contribution includes the specific node.
  ou:org               -(has)>         *        The organization is or was in possession of the target node.
  ou:org               -(owns)>        *        The organization owns or owned the target node.
  ou:org               -(targets)>     *        The organization targets the target node.
  ou:org               -(uses)>        *        The ou:org makes use of the target node.
  ps:contact           -(has)>         *        The contact is or was in possession of the target node.
  ps:contact           -(owns)>        *        The contact owns or owned the target node.
  ps:person            -(has)>         *        The person is or was in possession of the target node.
  ps:person            -(owns)>        *        The person owns or owned the target node.
  risk:attack          -(targets)>     *        The attack targeted the target node.
  risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
  risk:threat          -(targets)>     *        The threat cluster targeted the target node.
  risk:threat          -(uses)>        *        The threat cluster uses the target node.
  risk:tool:software   -(uses)>        *        The tool uses the target node.
  sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
  sci:observation      -(has)>         *        The observations are summarized from the target nodes.

crypto:currency:transaction

An individual crypto currency transaction recorded on the blockchain.

The base type for the form can be found at crypto:currency:transaction.

Properties:

  name               type                      doc                                                                       opts
  :hash              hex                       The unique transaction hash for the transaction.
  :desc              str                       An analyst-specified description of the transaction.
  :block             crypto:currency:block     The block which records the transaction.
  :block:coin        crypto:currency:coin      The coin/blockchain of the block which records this transaction.
  :block:offset      int                       The offset of the block which records this transaction.
  :success           bool                      Set to true if the transaction was successfully executed and recorded.
  :status:code       int                       A coin-specific status code which may represent an error reason.
  :status:message    str                       A coin-specific status message which may contain an error reason.
  :to                crypto:currency:address   The destination address of the transaction.
  :from              crypto:currency:address   The source address of the transaction.
  :inputs                                      Deprecated. Please use crypto:payment:input:transaction.                  sorted: True; uniq: True; Deprecated: True
  :outputs                                     Deprecated. Please use crypto:payment:output:transaction.                 sorted: True; uniq: True; Deprecated: True
  :fee               econ:price                The total fee paid to execute the transaction.
  :value             econ:price                The total value of the transaction.
  :time              time                      The time this transaction was initiated.
  :eth:gasused       int                       The amount of gas used to execute this transaction.
  :eth:gaslimit      int                       The ETH gas limit specified for this transaction.
  :eth:gasprice      econ:price                The gas price (in ETH) specified for this transaction.
  :contract:input    file:bytes                Input value to a smart contract call.
  :contract:output   file:bytes                Output value of a smart contract call.

Source Edges:

  source   verb         target           doc
  *        -(meets)>    ou:requirement   The requirement is met by the source node.
  *        -(refs)>     *                The source node contains a reference to the target node.
  *        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb            target   doc
  *                    -(refs)>        *        None
  econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>     *        The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
  meta:note            -(about)>       *        The meta:note is about the target node.
  meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
  meta:source          -(seen)>        *        The meta:source observed the target node.
  ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
  ou:campaign          -(uses)>        *        The campaign made use of the target node.
  ou:contribution      -(includes)>    *        The contribution includes the specific node.
  ou:org               -(has)>         *        The organization is or was in possession of the target node.
  ou:org               -(owns)>        *        The organization owns or owned the target node.
  ou:org               -(targets)>     *        The organization targets the target node.
  ou:org               -(uses)>        *        The ou:org makes use of the target node.
  ps:contact           -(has)>         *        The contact is or was in possession of the target node.
  ps:contact           -(owns)>        *        The contact owns or owned the target node.
  ps:person            -(has)>         *        The person is or was in possession of the target node.
  ps:person            -(owns)>        *        The person owns or owned the target node.
  risk:attack          -(targets)>     *        The attack targeted the target node.
  risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
  risk:threat          -(targets)>     *        The threat cluster targeted the target node.
  risk:threat          -(uses)>        *        The threat cluster uses the target node.
  risk:tool:software   -(uses)>        *        The tool uses the target node.
  sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
  sci:observation      -(has)>         *        The observations are summarized from the target nodes.

crypto:key

A cryptographic key and algorithm.

The base type for the form can be found at crypto:key.

Properties:

  name               type               doc                                                                                  opts
  :algorithm         crypto:algorithm   The cryptographic algorithm which uses the key material.                             Example: aes256
  :mode                                 The algorithm-specific mode in use.                                                  lower: True; onespace: True
  :iv                hex                The hex-encoded initialization vector.
  :public            hex                The hex-encoded public key material if the algorithm has a public/private key pair.
  :public:md5        hash:md5           The MD5 hash of the public key in raw binary form.
  :public:sha1       hash:sha1          The SHA1 hash of the public key in raw binary form.
  :public:sha256     hash:sha256        The SHA256 hash of the public key in raw binary form.
  :private           hex                The hex-encoded private key material. All symmetric keys are private.
  :private:md5       hash:md5           The MD5 hash of the private key in raw binary form.
  :private:sha1      hash:sha1          The SHA1 hash of the private key in raw binary form.
  :private:sha256    hash:sha256        The SHA256 hash of the private key in raw binary form.
  :seed:passwd       inet:passwd        The seed password used to generate the key material.
  :seed:algorithm    crypto:algorithm   The algorithm used to generate the key from the seed password.                       Example: pbkdf2
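
The property set above is easy to get subtly wrong at ingest: the :public:* and :private:* hashes are defined over the raw key bytes, not over the hex text stored in :public and :private, and :mode is normalized by the lower/onespace options. The following is an added example written for this page, not Synapse project code. It assumes a PBKDF2-HMAC-SHA256 seed derivation with an analyst-supplied salt and iteration count, an aes256 key as the result, and that lower/onespace means lower-casing and collapsing runs of whitespace to one space; the password, salt and public-key bytes are constructed sample data.

```python
# Added example for this page (not Synapse project code): build the property
# values a crypto:key node would carry, and check them for consistency.
#
# Assumptions not stated on the page: the seed algorithm is PBKDF2-HMAC-SHA256
# with an analyst-supplied salt and iteration count, the derived key is used
# with aes256, and :mode normalisation means lower-casing plus collapsing
# whitespace runs to one space (the "lower" / "onespace" options).
import hashlib


def norm_mode(mode: str) -> str:
    """Normalise a :mode value the way the lower/onespace options describe."""
    return " ".join(mode.split()).lower()


def hash_props(prefix: str, raw: bytes) -> dict:
    """:<prefix>:md5/sha1/sha256 are digests of the raw key bytes, as the page
    specifies, never of the hex text that :public / :private store."""
    return {
        f"{prefix}:md5": hashlib.md5(raw).hexdigest(),
        f"{prefix}:sha1": hashlib.sha1(raw).hexdigest(),
        f"{prefix}:sha256": hashlib.sha256(raw).hexdigest(),
    }


def symmetric_key_props(seed_passwd: str, salt: bytes, iterations: int,
                        mode: str = "CBC", iv: bytes = b"", keylen: int = 32) -> dict:
    """Property values for a password-seeded symmetric key (assumed PBKDF2 / aes256)."""
    raw = hashlib.pbkdf2_hmac("sha256", seed_passwd.encode("utf-8"), salt,
                              iterations, dklen=keylen)
    props = {
        ":algorithm": "aes256",
        ":mode": norm_mode(mode),
        ":iv": iv.hex(),
        ":private": raw.hex(),          # symmetric keys are always private
        ":seed:passwd": seed_passwd,
        ":seed:algorithm": "pbkdf2",
    }
    props.update(hash_props(":private", raw))
    return props


def public_key_props(algorithm: str, public: bytes) -> dict:
    """Property values for the public half of an asymmetric key."""
    props = {":algorithm": algorithm, ":public": public.hex()}
    props.update(hash_props(":public", public))
    return props


def hashes_consistent(props: dict) -> bool:
    """Ingest-time check: every :public:* / :private:* hash present must equal
    the digest of the raw bytes decoded from :public / :private.  Hashing the
    hex string instead of the decoded bytes is the usual mistake; it fails here."""
    for prefix in (":public", ":private"):
        if prefix not in props:
            continue
        expected = hash_props(prefix, bytes.fromhex(props[prefix]))
        if any(props.get(key) != val for key, val in expected.items()):
            return False
    return True


if __name__ == "__main__":
    # Constructed inputs; the password and salt are not from the page.
    sym = symmetric_key_props("hunter2", b"constructed-salt", 100_000,
                              mode="  CBC ", iv=bytes(16))
    print(sym[":mode"], sym[":private:sha256"], hashes_consistent(sym))
```

hashes_consistent is the check worth running on nodes received from a third party: a :private:sha256 that was computed over the hex string decodes fine, looks like a valid hash, and silently fails to pivot to any hash:sha256 node that was computed from the real key bytes.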

Source Edges:

  source   verb         target           doc
  *        -(meets)>    ou:requirement   The requirement is met by the source node.
  *        -(refs)>     *                The source node contains a reference to the target node.
  *        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb            target   doc
  *                    -(refs)>        *        None
  econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>     *        The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
  meta:note            -(about)>       *        The meta:note is about the target node.
  meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
  meta:source          -(seen)>        *        The meta:source observed the target node.
  ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
  ou:campaign          -(uses)>        *        The campaign made use of the target node.
  ou:contribution      -(includes)>    *        The contribution includes the specific node.
  ou:org               -(has)>         *        The organization is or was in possession of the target node.
  ou:org               -(owns)>        *        The organization owns or owned the target node.
  ou:org               -(targets)>     *        The organization targets the target node.
  ou:org               -(uses)>        *        The ou:org makes use of the target node.
  ps:contact           -(has)>         *        The contact is or was in possession of the target node.
  ps:contact           -(owns)>        *        The contact owns or owned the target node.
  ps:person            -(has)>         *        The person is or was in possession of the target node.
  ps:person            -(owns)>        *        The person owns or owned the target node.
  risk:attack          -(targets)>     *        The attack targeted the target node.
  risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
  risk:threat          -(targets)>     *        The threat cluster targeted the target node.
  risk:threat          -(uses)>        *        The threat cluster uses the target node.
  risk:tool:software   -(uses)>        *        The tool uses the target node.
  sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
  sci:observation      -(has)>         *        The observations are summarized from the target nodes.

crypto:payment:input

A payment made into a transaction.

The base type for the form can be found at crypto:payment:input.

Properties:

  name           type                          doc
  :transaction   crypto:currency:transaction   The transaction the payment was input to.
  :address       crypto:currency:address       The address which paid into the transaction.
  :value         econ:price                    The value of the currency paid into the transaction.

Source Edges:

  source   verb         target           doc
  *        -(meets)>    ou:requirement   The requirement is met by the source node.
  *        -(refs)>     *                The source node contains a reference to the target node.
  *        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb            target   doc
  *                    -(refs)>        *        None
  econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>     *        The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
  meta:note            -(about)>       *        The meta:note is about the target node.
  meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
  meta:source          -(seen)>        *        The meta:source observed the target node.
  ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
  ou:campaign          -(uses)>        *        The campaign made use of the target node.
  ou:contribution      -(includes)>    *        The contribution includes the specific node.
  ou:org               -(has)>         *        The organization is or was in possession of the target node.
  ou:org               -(owns)>        *        The organization owns or owned the target node.
  ou:org               -(targets)>     *        The organization targets the target node.
  ou:org               -(uses)>        *        The ou:org makes use of the target node.
  ps:contact           -(has)>         *        The contact is or was in possession of the target node.
  ps:contact           -(owns)>        *        The contact owns or owned the target node.
  ps:person            -(has)>         *        The person is or was in possession of the target node.
  ps:person            -(owns)>        *        The person owns or owned the target node.
  risk:attack          -(targets)>     *        The attack targeted the target node.
  risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
  risk:threat          -(targets)>     *        The threat cluster targeted the target node.
  risk:threat          -(uses)>        *        The threat cluster uses the target node.
  risk:tool:software   -(uses)>        *        The tool uses the target node.
  sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
  sci:observation      -(has)>         *        The observations are summarized from the target nodes.

crypto:payment:output

A payment received from a transaction.

The base type for the form can be found at crypto:payment:output.

Properties:

  name           type                          doc
  :transaction   crypto:currency:transaction   The transaction the payment was output from.
  :address       crypto:currency:address       The address which received payment from the transaction.
  :value         econ:price                    The value of the currency received from the transaction.
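
crypto:payment:input and crypto:payment:output each point back at their crypto:currency:transaction through :transaction, which is why the transaction's own :inputs and :outputs arrays are deprecated: the payments are nodes in their own right and the transaction is found by pivoting from them. That also makes the transaction's :fee and :value checkable against the payments. The code below is an added example for this page, not Synapse project code. It assumes that :value is the sum of the outputs, that the fee of a UTXO-style transaction is inputs minus outputs, and that an account-model (ETH) transaction has no payment nodes and a fee of :eth:gasused times :eth:gasprice; the transaction hashes and all addresses except the page's own 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 are constructed sample data.

```python
# Added example for this page (not Synapse project code): model a UTXO-style
# crypto:currency:transaction together with the crypto:payment:input and
# crypto:payment:output nodes that replace its deprecated :inputs / :outputs
# properties, then check the transaction's :fee and :value against them.
#
# Assumptions not stated on the page: :value is the sum of the outputs, the fee
# of a UTXO transaction is inputs minus outputs, and an account-model (ETH)
# transaction has no payment nodes and a fee of :eth:gasused * :eth:gasprice.
# All hashes and the non-page addresses below are constructed sample data.
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Payment:
    """One crypto:payment:input or crypto:payment:output node."""
    transaction: str        # :transaction (the tx hash it pays into / out of)
    address: tuple          # :address as (coin, address)
    value: Decimal          # :value


@dataclass
class Transaction:
    """The crypto:currency:transaction properties the checks use."""
    hash: str
    block_coin: str                          # :block:coin
    value: Decimal                           # :value
    fee: Decimal                             # :fee
    success: bool = True                     # :success
    eth_gasused: Optional[int] = None        # :eth:gasused
    eth_gasprice: Optional[Decimal] = None   # :eth:gasprice


def check_utxo_transaction(tx, inputs, outputs) -> list:
    """Return the discrepancies between tx and the payments that reference it."""
    ins = [p for p in inputs if p.transaction == tx.hash]
    outs = [p for p in outputs if p.transaction == tx.hash]
    if not ins or not outs:
        return ["no crypto:payment:input/:output nodes reference this transaction"]
    problems = []
    for p in ins + outs:                     # every address must be on the block's chain
        if p.address[0] != tx.block_coin:
            problems.append(f"address {p.address[1]} is on {p.address[0]}, block is {tx.block_coin}")
    total_in = sum((p.value for p in ins), Decimal(0))
    total_out = sum((p.value for p in outs), Decimal(0))
    if total_out > total_in:
        problems.append(f"outputs {total_out} exceed inputs {total_in}")
    if tx.fee != total_in - total_out:
        problems.append(f":fee {tx.fee} != inputs {total_in} - outputs {total_out}")
    if tx.value != total_out:
        problems.append(f":value {tx.value} != sum of outputs {total_out}")
    return problems


def check_eth_fee(tx) -> list:
    """Account-model check: :fee should equal :eth:gasused * :eth:gasprice (assumed)."""
    if tx.eth_gasused is None or tx.eth_gasprice is None:
        return ["missing :eth:gasused or :eth:gasprice"]
    expected = tx.eth_gasused * tx.eth_gasprice
    if tx.fee == expected:
        return []
    return [f":fee {tx.fee} != gas {tx.eth_gasused} * price {tx.eth_gasprice} = {expected}"]


def sample_utxo(fee: str = "0.0001", value: str = "0.7499"):
    """Constructed sample: two inputs (0.75 BTC), two outputs (0.7499 BTC).
    The defaults are consistent; pass a different fee or value to break them."""
    txh = "aa" * 32
    ins = [
        Payment(txh, ("btc", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"), Decimal("0.5")),
        Payment(txh, ("btc", "1ConstructedInputAddressExample"), Decimal("0.25")),
    ]
    outs = [
        Payment(txh, ("btc", "1ConstructedPayeeAddressExample"), Decimal("0.7")),
        Payment(txh, ("btc", "1ConstructedChangeAddressExample"), Decimal("0.0499")),
    ]
    tx = Transaction(txh, "btc", value=Decimal(value), fee=Decimal(fee))
    return tx, ins, outs


def sample_eth(fee: str = "0.00042"):
    """Constructed ETH-style sample: 21000 gas at 0.00000002 ETH per unit."""
    return Transaction("bb" * 32, "eth", value=Decimal("1"), fee=Decimal(fee),
                       eth_gasused=21000, eth_gasprice=Decimal("0.00000002"))


if __name__ == "__main__":
    tx, ins, outs = sample_utxo()
    print(check_utxo_transaction(tx, ins, outs))   # [] when consistent
    print(check_eth_fee(sample_eth()))
```

Decimal rather than float keeps the fee arithmetic exact; econ:price values imported from a chain explorer are already decimal strings, and a float round-trip is a common cause of false fee mismatches.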

Source Edges:

  source   verb         target           doc
  *        -(meets)>    ou:requirement   The requirement is met by the source node.
  *        -(refs)>     *                The source node contains a reference to the target node.
  *        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb            target   doc
  *                    -(refs)>        *        None
  econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>     *        The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
  meta:note            -(about)>       *        The meta:note is about the target node.
  meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
  meta:source          -(seen)>        *        The meta:source observed the target node.
  ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
  ou:campaign          -(uses)>        *        The campaign made use of the target node.
  ou:contribution      -(includes)>    *        The contribution includes the specific node.
  ou:org               -(has)>         *        The organization is or was in possession of the target node.
  ou:org               -(owns)>        *        The organization owns or owned the target node.
  ou:org               -(targets)>     *        The organization targets the target node.
  ou:org               -(uses)>        *        The ou:org makes use of the target node.
  ps:contact           -(has)>         *        The contact is or was in possession of the target node.
  ps:contact           -(owns)>        *        The contact owns or owned the target node.
  ps:person            -(has)>         *        The person is or was in possession of the target node.
  ps:person            -(owns)>        *        The person owns or owned the target node.
  risk:attack          -(targets)>     *        The attack targeted the target node.
  risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
  risk:threat          -(targets)>     *        The threat cluster targeted the target node.
  risk:threat          -(uses)>        *        The threat cluster uses the target node.
  risk:tool:software   -(uses)>        *        The tool uses the target node.
  sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
  sci:observation      -(has)>         *        The observations are summarized from the target nodes.

crypto:smart:contract

A smart contract.

The base type for the form can be found at crypto:smart:contract.

Properties:

  name                 type                          doc
  :transaction         crypto:currency:transaction   The transaction which created the contract.
  :address             crypto:currency:address       The address of the contract.
  :bytecode            file:bytes                    The bytecode which implements the contract.
  :token:name          str                           The ERC-20 token name.
  :token:symbol        str                           The ERC-20 token symbol.
  :token:totalsupply   hugenum                       The ERC-20 totalSupply value.

Source Edges:

  source   verb         target           doc
  *        -(meets)>    ou:requirement   The requirement is met by the source node.
  *        -(refs)>     *                The source node contains a reference to the target node.
  *        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb            target   doc
  *                    -(refs)>        *        None
  econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>     *        The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
  meta:note            -(about)>       *        The meta:note is about the target node.
  meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
  meta:source          -(seen)>        *        The meta:source observed the target node.
  ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
  ou:campaign          -(uses)>        *        The campaign made use of the target node.
  ou:contribution      -(includes)>    *        The contribution includes the specific node.
  ou:org               -(has)>         *        The organization is or was in possession of the target node.
  ou:org               -(owns)>        *        The organization owns or owned the target node.
  ou:org               -(targets)>     *        The organization targets the target node.
  ou:org               -(uses)>        *        The ou:org makes use of the target node.
  ps:contact           -(has)>         *        The contact is or was in possession of the target node.
  ps:contact           -(owns)>        *        The contact owns or owned the target node.
  ps:person            -(has)>         *        The person is or was in possession of the target node.
  ps:person            -(owns)>        *        The person owns or owned the target node.
  risk:attack          -(targets)>     *        The attack targeted the target node.
  risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
  risk:threat          -(targets)>     *        The threat cluster targeted the target node.
  risk:threat          -(uses)>        *        The threat cluster uses the target node.
  risk:tool:software   -(uses)>        *        The tool uses the target node.
  sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
  sci:observation      -(has)>         *        The observations are summarized from the target nodes.

crypto:smart:effect:burntoken

A smart contract effect which destroys a non-fungible token.

The base type for the form can be found at crypto:smart:effect:burntoken.

Properties:

  name           type                          doc
  :token         crypto:smart:token            The non-fungible token that was destroyed.
  :index         int                           The order of the effect within the effects of one transaction.
  :transaction   crypto:currency:transaction   The transaction where the smart contract was called.

Source Edges:

  source   verb         target           doc
  *        -(meets)>    ou:requirement   The requirement is met by the source node.
  *        -(refs)>     *                The source node contains a reference to the target node.
  *        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb            target   doc
  *                    -(refs)>        *        None
  econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>     *        The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
  meta:note            -(about)>       *        The meta:note is about the target node.
  meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
  meta:source          -(seen)>        *        The meta:source observed the target node.
  ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
  ou:campaign          -(uses)>        *        The campaign made use of the target node.
  ou:contribution      -(includes)>    *        The contribution includes the specific node.
  ou:org               -(has)>         *        The organization is or was in possession of the target node.
  ou:org               -(owns)>        *        The organization owns or owned the target node.
  ou:org               -(targets)>     *        The organization targets the target node.
  ou:org               -(uses)>        *        The ou:org makes use of the target node.
  ps:contact           -(has)>         *        The contact is or was in possession of the target node.
  ps:contact           -(owns)>        *        The contact owns or owned the target node.
  ps:person            -(has)>         *        The person is or was in possession of the target node.
  ps:person            -(owns)>        *        The person owns or owned the target node.
  risk:attack          -(targets)>     *        The attack targeted the target node.
  risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
  risk:threat          -(targets)>     *        The threat cluster targeted the target node.
  risk:threat          -(uses)>        *        The threat cluster uses the target node.
  risk:tool:software   -(uses)>        *        The tool uses the target node.
  sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
  sci:observation      -(has)>         *        The observations are summarized from the target nodes.

crypto:smart:effect:edittokensupply

A smart contract effect which increases or decreases the supply of a fungible token.

The base type for the form can be found at crypto:smart:effect:edittokensupply.

Properties:

  name           type                          doc
  :contract      crypto:smart:contract         The contract which defines the tokens.
  :amount        hugenum                       The number of tokens added, or removed if negative.
  :totalsupply   hugenum                       The total supply of tokens after this modification.
  :index         int                           The order of the effect within the effects of one transaction.
  :transaction   crypto:currency:transaction   The transaction where the smart contract was called.
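
Because each effect records both the delta (:amount) and the resulting supply (:totalsupply), a sequence of these nodes for one contract can be replayed in (:transaction, :index) order and cross-checked: a mismatch points at a missing, duplicated or mis-recorded effect. The code below is an added example for this page, not Synapse project code. It assumes the caller knows the block order of the transactions (supplied as a list of hashes), uses Python int for token amounts in place of the hugenum type, and that the supply before the first observed effect is known; the contract address and transaction hashes are constructed sample data.

```python
# Added example for this page (not Synapse project code): replay the
# crypto:smart:effect:edittokensupply effects recorded for one contract and
# check that each :totalsupply matches the running total.
#
# Assumptions not stated on the page: transactions are ordered by block
# position, supplied by the caller as a list of tx hashes; amounts are whole
# base units (int) rather than hugenum; the supply before the first observed
# effect is known.  Contract address and tx hashes are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class EditTokenSupply:
    contract: str      # :contract (the crypto:smart:contract)
    transaction: str   # :transaction (tx hash)
    index: int         # :index, order of the effect within the transaction
    amount: int        # :amount, negative when tokens are removed
    totalsupply: int   # :totalsupply after this effect


def ordered_effects(effects, tx_order, contract):
    """Effects for one contract in (block position, :index) order."""
    pos = {h: i for i, h in enumerate(tx_order)}
    mine = [e for e in effects if e.contract == contract]
    unknown = sorted({e.transaction for e in mine if e.transaction not in pos})
    if unknown:
        raise ValueError(f"transactions without a block position: {unknown}")
    return sorted(mine, key=lambda e: (pos[e.transaction], e.index))


def replay_supply(effects, tx_order, contract, start_supply=0):
    """Return (replayed final supply, problems).  The replay trusts :amount, so a
    missing effect shows up as a mismatch on every later :totalsupply, while a
    single mis-recorded :totalsupply produces exactly one problem."""
    supply = start_supply
    problems = []
    seen = set()
    for e in ordered_effects(effects, tx_order, contract):
        key = (e.transaction, e.index)
        if key in seen:
            problems.append(f"duplicate effect {e.transaction}:{e.index}")
            continue
        seen.add(key)
        supply += e.amount
        if supply < 0:
            problems.append(f"{e.transaction}:{e.index} takes the supply below zero ({supply})")
        if e.totalsupply != supply:
            problems.append(f"{e.transaction}:{e.index} records :totalsupply "
                            f"{e.totalsupply}, replay gives {supply}")
    return supply, problems


CONTRACT = "0x" + "ab" * 20                        # constructed
TXS = ["0x" + f"{i:02x}" * 32 for i in (1, 2, 3)]  # constructed, in block order

GOOD = [
    EditTokenSupply(CONTRACT, TXS[0], 0, 1000, 1000),   # initial mint
    EditTokenSupply(CONTRACT, TXS[1], 1, 500, 1500),    # second effect in its tx
    EditTokenSupply(CONTRACT, TXS[2], 0, -200, 1300),   # burn
]


def sample_problem():
    """Same history with one mis-recorded :totalsupply (constructed)."""
    bad = list(GOOD)
    bad[1] = EditTokenSupply(CONTRACT, TXS[1], 1, 500, 1400)
    return bad


if __name__ == "__main__":
    print(replay_supply(GOOD, TXS, CONTRACT))              # (1300, [])
    print(replay_supply(sample_problem(), TXS, CONTRACT))  # one problem
```

The final replayed supply is what to compare against the contract's :token:totalsupply; if the two differ and the replay reported no problems, the recorded effects are consistent with each other but incomplete.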

Source Edges:

  source   verb         target           doc
  *        -(meets)>    ou:requirement   The requirement is met by the source node.
  *        -(refs)>     *                The source node contains a reference to the target node.
  *        -(seenat)>   geo:telem        The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb            target   doc
  *                    -(refs)>        *        None
  econ:purchase        -(acquired)>    *        The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>     *        The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>     *        The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>       *        The target node was returned as a result of running the query.
  meta:note            -(about)>       *        The meta:note is about the target node.
  meta:rule            -(detects)>     *        The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>     *        The meta:rule has matched on the target node.
  meta:source          -(seen)>        *        The meta:source observed the target node.
  ou:campaign          -(targets)>     *        The campaign targeted the target nodes.
  ou:campaign          -(uses)>        *        The campaign made use of the target node.
  ou:contribution      -(includes)>    *        The contribution includes the specific node.
  ou:org               -(has)>         *        The organization is or was in possession of the target node.
  ou:org               -(owns)>        *        The organization owns or owned the target node.
  ou:org               -(targets)>     *        The organization targets the target node.
  ou:org               -(uses)>        *        The ou:org makes use of the target node.
  ps:contact           -(has)>         *        The contact is or was in possession of the target node.
  ps:contact           -(owns)>        *        The contact owns or owned the target node.
  ps:person            -(has)>         *        The person is or was in possession of the target node.
  ps:person            -(owns)>        *        The person owns or owned the target node.
  risk:attack          -(targets)>     *        The attack targeted the target node.
  risk:attack          -(uses)>        *        The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>       *        The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>   *        The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>      *        The leak included the disclosure of the target node.
  risk:threat          -(targets)>     *        The threat cluster targeted the target node.
  risk:threat          -(uses)>        *        The threat cluster uses the target node.
  risk:tool:software   -(uses)>        *        The tool uses the target node.
  sci:evidence         -(has)>         *        The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>        *        The experiment used the target nodes when it was run.
  sci:observation      -(has)>         *        The observations are summarized from the target nodes.

crypto:smart:effect:minttoken

A smart contract effect which creates a new non-fungible token.

The base type for the form can be found at crypto:smart:effect:minttoken.

Properties:

  name           type                          doc
  :token         crypto:smart:token            The non-fungible token that was created.
  :index         int                           The order of the effect within the effects of one transaction.
  :transaction   crypto:currency:transaction   The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:effect:proxytoken

A smart contract effect which grants a non-owner address the ability to manipulate a specific non-fungible token.

The base type for the form can be found at crypto:smart:effect:proxytoken.

Properties:

name

type

doc

:owner

crypto:currency:address

The address granting proxy authority to manipulate non-fungible tokens.

:proxy

crypto:currency:address

The address granted proxy authority to manipulate non-fungible tokens.

:token

crypto:smart:token

The specific token being granted access to.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:effect:proxytokenall

A smart contract effect which grants a non-owner address the ability to manipulate all non-fungible tokens of the owner.

The base type for the form can be found at crypto:smart:effect:proxytokenall.

Properties:

name

type

doc

:contract

crypto:smart:contract

The contract which defines the tokens.

:owner

crypto:currency:address

The address granting/denying proxy authority to manipulate all non-fungible tokens of the owner.

:proxy

crypto:currency:address

The address granted/denied proxy authority to manipulate all non-fungible tokens of the owner.

:approval

bool

The approval status.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:effect:proxytokens

A smart contract effect which grants a non-owner address the ability to manipulate fungible tokens.

The base type for the form can be found at crypto:smart:effect:proxytokens.

Properties:

name

type

doc

:contract

crypto:smart:contract

The contract which defines the tokens.

:owner

crypto:currency:address

The address granting proxy authority to manipulate fungible tokens.

:proxy

crypto:currency:address

The address granted proxy authority to manipulate fungible tokens.

:amount

hex

The hex encoded amount of tokens the proxy is allowed to manipulate.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:effect:transfertoken

A smart contract effect which transfers ownership of a non-fungible token.

The base type for the form can be found at crypto:smart:effect:transfertoken.

Properties:

name

type

doc

:token

crypto:smart:token

The non-fungible token that was transferred.

:from

crypto:currency:address

The address the NFT was transferred from.

:to

crypto:currency:address

The address the NFT was transferred to.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:effect:transfertokens

A smart contract effect which transfers fungible tokens.

The base type for the form can be found at crypto:smart:effect:transfertokens.

Properties:

name

type

doc

:contract

crypto:smart:contract

The contract which defines the tokens.

:from

crypto:currency:address

The address the tokens were transferred from.

:to

crypto:currency:address

The address the tokens were transferred to.

:amount

hugenum

The number of tokens transferred.

:index

int

The order of the effect within the effects of one transaction.

:transaction

crypto:currency:transaction

The transaction where the smart contract was called.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:smart:token

A token managed by a smart contract.

The base type for the form can be found at crypto:smart:token.

Properties:

name

type

doc

opts

:contract

crypto:smart:contract

The smart contract which defines and manages the token.

Read Only: True

:tokenid

hugenum

The token ID.

Read Only: True

:owner

crypto:currency:address

The address which currently owns the token.

:nft:url

inet:url

The URL which hosts the NFT metadata.

:nft:meta

data

The raw NFT metadata.

:nft:meta:name

str

The name field from the NFT metadata.

:nft:meta:description

str

The description field from the NFT metadata.

Display: {'hint': 'text'}

:nft:meta:image

inet:url

The image URL from the NFT metadata.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:x509:cert

A unique X.509 certificate.

The base type for the form can be found at crypto:x509:cert.

Properties:

name

type

doc

:file

file:bytes

The file that the certificate metadata was parsed from.

:subject

str

The subject identifier, commonly in X.500/LDAP format, to which the certificate was issued.

:issuer

str

The Distinguished Name (DN) of the Certificate Authority (CA) which issued the certificate.

:issuer:cert

crypto:x509:cert

The certificate used by the issuer to sign this certificate.

:serial

zeropad: 40

The certificate serial number as a big endian hex value.

:version

enums: ((0, 'v1'), (2, 'v3'))

The version integer in the certificate (e.g. 2 == v3).

:validity:notbefore

time

The timestamp for the beginning of the certificate validity period.

:validity:notafter

time

The timestamp for the end of the certificate validity period.

:md5

hash:md5

The MD5 fingerprint for the certificate.

:sha1

hash:sha1

The SHA1 fingerprint for the certificate.

:sha256

hash:sha256

The SHA256 fingerprint for the certificate.

:rsa:key

rsa:key

The optional RSA public key associated with the certificate.

:algo

iso:oid

The X.509 signature algorithm OID.

:signature

hex

The hexadecimal representation of the digital signature.

:ext:sans

uniq: True
sorted: True

The Subject Alternate Names (SANs) listed in the certificate.

:ext:crls

uniq: True
sorted: True

A list of Subject Alternate Names (SANs) for Distribution Points.

:identities:fqdns

type: inet:fqdn
uniq: True
sorted: True

The fused list of FQDNs identified by the cert CN and SANs.

:identities:emails

uniq: True
sorted: True

The fused list of e-mail addresses identified by the cert CN and SANs.

:identities:ipv4s

type: inet:ipv4
uniq: True
sorted: True

The fused list of IPv4 addresses identified by the cert CN and SANs.

:identities:ipv6s

type: inet:ipv6
uniq: True
sorted: True

The fused list of IPv6 addresses identified by the cert CN and SANs.

:identities:urls

type: inet:url
uniq: True
sorted: True

The fused list of URLs identified by the cert CN and SANs.

:crl:urls

type: inet:url
uniq: True
sorted: True

The extracted URL values from the CRLs extension.

:selfsigned

bool

Whether this is a self-signed certificate.
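As an added example, not code from the Synapse project or its docs: building the crypto:x509:cert property dict from already-parsed certificate fields, applying the normalization the property docs above state (:serial as big-endian hex zero-padded to 40 characters, the :version enum, the fused uniq+sorted :identities:* lists, :crl:urls extraction and :selfsigned). The flat input dict, the (kind, value) SAN tuples, the minimal DN parser and the sample certificate are all assumptions constructed for this example.

```python
"""Build crypto:x509:cert properties from parsed certificate fields.

Added example, not Synapse project code. The input shape (a plain dict of
already-parsed fields, SANs and CRL distribution points as (kind, value)
tuples) is an assumption of this example.
"""
import hashlib
import ipaddress
import re
from typing import Optional, Tuple

SERIAL_HEX_WIDTH = 40                 # zeropad: 40 on the :serial property
VERSION_ENUMS = {0: 'v1', 2: 'v3'}    # enums on the :version property
EMAIL_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')
FQDN_RE = re.compile(r'^([a-z0-9_-]+\.)+[a-z0-9-]+\.?$')  # at least two labels


def norm_serial(serial: int) -> str:
    """Big-endian hex, left-padded to 40 chars (20 octets, the RFC 5280 maximum).
    Longer values are kept intact; zfill never truncates."""
    if serial < 0:
        raise ValueError('negative serial numbers are not valid X.509 serials')
    return format(serial, 'x').zfill(SERIAL_HEX_WIDTH)


def norm_version(version: int) -> int:
    """Keep the raw certificate integer but reject values outside the enum."""
    if version not in VERSION_ENUMS:
        raise ValueError(f'unsupported X.509 version integer {version}')
    return version


def parse_dn(dn: str) -> dict:
    """Split a simple comma-separated DN such as 'CN=a.example,O=Example,C=US'.
    Assumption: no escaped commas and no multi-valued RDNs."""
    parts = {}
    for rdn in dn.split(','):
        if '=' in rdn:
            key, value = rdn.split('=', 1)
            parts[key.strip().upper()] = value.strip()
    return parts


def classify_identity(value: str) -> Optional[Tuple[str, str]]:
    """Map a CN or SAN value to an :identities:* bucket and its normalized value."""
    value = value.strip()
    if not value:
        return None
    try:
        ip = ipaddress.ip_address(value)
        return ('ipv4s' if ip.version == 4 else 'ipv6s', str(ip))
    except ValueError:
        pass
    if '://' in value:
        return ('urls', value)
    lowered = value.lower()
    if EMAIL_RE.match(lowered):
        return ('emails', lowered)
    if lowered.startswith('*.'):
        lowered = lowered[2:]  # choice of this example: fuse wildcard names by their base domain
    if FQDN_RE.match(lowered):
        return ('fqdns', lowered.rstrip('.'))
    return None  # single-label names and free text are not identities


def build_cert_props(cert: dict) -> dict:
    """Return the crypto:x509:cert property dict for one parsed certificate."""
    subject, issuer = cert['subject'], cert['issuer']
    buckets = {k: set() for k in ('fqdns', 'emails', 'ipv4s', 'ipv6s', 'urls')}

    # Fuse the subject CN with every SAN value, as the :identities:* docs describe.
    cn = parse_dn(subject).get('CN')
    candidates = ([cn] if cn else []) + [v for _kind, v in cert.get('sans', [])]
    for value in candidates:
        hit = classify_identity(value)
        if hit:
            buckets[hit[0]].add(hit[1])

    crls = cert.get('crls', [])
    props = {
        'subject': subject,
        'issuer': issuer,
        'serial': norm_serial(cert['serial']),
        'version': norm_version(cert['version']),
        'validity:notbefore': cert['notbefore'],
        'validity:notafter': cert['notafter'],
        'ext:sans': sorted(set(cert.get('sans', []))),      # uniq: True, sorted: True
        'ext:crls': sorted(set(crls)),
        'crl:urls': sorted({v for kind, v in crls if kind == 'uri'}),
        # DN equality is only a hint: the authoritative self-signed check is
        # verifying the signature with the certificate's own public key.
        'selfsigned': subject == issuer,
    }
    for name, values in buckets.items():
        props[f'identities:{name}'] = sorted(values)        # uniq: True, sorted: True
    der = cert.get('der')
    if der is not None:  # fingerprints are hashes of the DER encoding
        for algo in ('md5', 'sha1', 'sha256'):
            props[algo] = hashlib.new(algo, der).hexdigest()
    return props


# Constructed sample: parser output for a fictional leaf certificate, not a real cert.
SAMPLE_CERT = {
    'subject': 'CN=www.example.com,O=Example Inc,C=US',
    'issuer': 'CN=Example Issuing CA,O=Example Inc,C=US',
    'serial': 0x0a1b2c3d4e5f,
    'version': 2,
    'notbefore': '2024-01-01T00:00:00Z',
    'notafter': '2025-01-01T00:00:00Z',
    'sans': [
        ('dns', 'www.example.com'),        # duplicates the CN, fused once
        ('dns', 'Example.com'),            # case-normalized
        ('dns', '*.api.example.com'),      # wildcard
        ('ip', '192.0.2.10'),
        ('ip', '2001:db8::1'),
        ('email', 'hostmaster@example.com'),
        ('uri', 'https://www.example.com/'),
    ],
    'crls': [('uri', 'http://crl.example.com/issuing.crl')],
    'der': b'constructed-placeholder-bytes',   # stands in for the DER encoding
}

if __name__ == '__main__':
    import json
    print(json.dumps(build_cert_props(SAMPLE_CERT), indent=2))
```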

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:x509:crl

A unique X.509 Certificate Revocation List.

The base type for the form can be found at crypto:x509:crl.

Properties:

name

type

doc

:file

file:bytes

The file containing the CRL.

:url

inet:url

The URL where the CRL was published.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:x509:revoked

A revocation relationship between a CRL and an X.509 certificate.

The base type for the form can be found at crypto:x509:revoked.

Properties:

name

type

doc

opts

:crl

crypto:x509:crl

The CRL which revoked the certificate.

Read Only: True

:cert

crypto:x509:cert

The certificate revoked by the CRL.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

crypto:x509:signedfile

A digital signature relationship between an X.509 certificate and a file.

The base type for the form can be found at crypto:x509:signedfile.

Properties:

  name     type                doc (opts)
  :cert    crypto:x509:cert    The certificate for the key which signed the file. (Read Only: True)
  :file    file:bytes          The file which was signed by the certificate's key. (Read Only: True)

Source Edges:

  source               verb           target             doc
  *                    -(meets)>      ou:requirement     The requirement is met by the source node.
  *                    -(refs)>       *                  The source node contains a reference to the target node.
  *                    -(seenat)>     geo:telem          The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb           target             doc
  *                    -(refs)>       *                  None
  econ:purchase        -(acquired)>   *                  The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *                  The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *                  The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *                  The target node was returned as a result of running the query.
  meta:note            -(about)>      *                  The meta:note is about the target node.
  meta:rule            -(detects)>    *                  The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *                  The meta:rule has matched on the target node.
  meta:source          -(seen)>       *                  The meta:source observed the target node.
  ou:campaign          -(targets)>    *                  The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *                  The campaign made use of the target node.
  ou:contribution      -(includes)>   *                  The contribution includes the specific node.
  ou:org               -(has)>        *                  The organization is or was in possession of the target node.
  ou:org               -(owns)>       *                  The organization owns or owned the target node.
  ou:org               -(targets)>    *                  The organization targets the target node.
  ou:org               -(uses)>       *                  The ou:org makes use of the target node.
  ps:contact           -(has)>        *                  The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *                  The contact owns or owned the target node.
  ps:person            -(has)>        *                  The person is or was in possession of the target node.
  ps:person            -(owns)>       *                  The person owns or owned the target node.
  risk:attack          -(targets)>    *                  The attack targeted the target node.
  risk:attack          -(uses)>       *                  The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *                  The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *                  The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *                  The leak included the disclosure of the target node.
  risk:threat          -(targets)>    *                  The threat cluster targeted the target node.
  risk:threat          -(uses)>       *                  The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *                  The tool uses the target node.
  sci:evidence         -(has)>        *                  The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *                  The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *                  The observations are summarized from the target nodes.

econ:acct:balance

A snapshot of the balance of an account at a point in time.

The base type for the form can be found at econ:acct:balance.

Properties:

  name               type                        doc
  :time              time                        The time the balance was recorded.
  :pay:card          econ:pay:card               The payment card holding the balance.
  :crypto:address    crypto:currency:address     The crypto currency address holding the balance.
  :amount            econ:price                  The account balance at the time.
  :currency          econ:currency               The currency of the balance amount.
  :delta             econ:price                  The change since the last regular sample.
  :total:received    econ:price                  The total amount of currency received by the account.
  :total:sent        econ:price                  The total amount of currency sent from the account.

Source Edges:

  source               verb           target             doc
  *                    -(meets)>      ou:requirement     The requirement is met by the source node.
  *                    -(refs)>       *                  The source node contains a reference to the target node.
  *                    -(seenat)>     geo:telem          The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb           target             doc
  *                    -(refs)>       *                  None
  econ:purchase        -(acquired)>   *                  The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *                  The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *                  The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *                  The target node was returned as a result of running the query.
  meta:note            -(about)>      *                  The meta:note is about the target node.
  meta:rule            -(detects)>    *                  The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *                  The meta:rule has matched on the target node.
  meta:source          -(seen)>       *                  The meta:source observed the target node.
  ou:campaign          -(targets)>    *                  The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *                  The campaign made use of the target node.
  ou:contribution      -(includes)>   *                  The contribution includes the specific node.
  ou:org               -(has)>        *                  The organization is or was in possession of the target node.
  ou:org               -(owns)>       *                  The organization owns or owned the target node.
  ou:org               -(targets)>    *                  The organization targets the target node.
  ou:org               -(uses)>       *                  The ou:org makes use of the target node.
  ps:contact           -(has)>        *                  The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *                  The contact owns or owned the target node.
  ps:person            -(has)>        *                  The person is or was in possession of the target node.
  ps:person            -(owns)>       *                  The person owns or owned the target node.
  risk:attack          -(targets)>    *                  The attack targeted the target node.
  risk:attack          -(uses)>       *                  The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *                  The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *                  The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *                  The leak included the disclosure of the target node.
  risk:threat          -(targets)>    *                  The threat cluster targeted the target node.
  risk:threat          -(uses)>       *                  The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *                  The tool uses the target node.
  sci:evidence         -(has)>        *                  The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *                  The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *                  The observations are summarized from the target nodes.

econ:acct:invoice

An invoice issued requesting payment.

The base type for the form can be found at econ:acct:invoice.

Properties:

  name          type             doc
  :issued       time             The time that the invoice was issued to the recipient.
  :issuer       ps:contact       The contact information for the entity who issued the invoice.
  :purchase     econ:purchase    The purchase that the invoice is requesting payment for.
  :recipient    ps:contact       The contact information for the intended recipient of the invoice.
  :due          time             The time by which the payment is due.
  :paid         bool             Set to true if the invoice has been paid in full.
  :amount       econ:price       The balance due.
  :currency     econ:currency    The currency that the invoice specifies for payment.

Source Edges:

  source               verb           target             doc
  *                    -(meets)>      ou:requirement     The requirement is met by the source node.
  *                    -(refs)>       *                  The source node contains a reference to the target node.
  *                    -(seenat)>     geo:telem          The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb           target             doc
  *                    -(refs)>       *                  None
  econ:purchase        -(acquired)>   *                  The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *                  The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *                  The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *                  The target node was returned as a result of running the query.
  meta:note            -(about)>      *                  The meta:note is about the target node.
  meta:rule            -(detects)>    *                  The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *                  The meta:rule has matched on the target node.
  meta:source          -(seen)>       *                  The meta:source observed the target node.
  ou:campaign          -(targets)>    *                  The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *                  The campaign made use of the target node.
  ou:contribution      -(includes)>   *                  The contribution includes the specific node.
  ou:org               -(has)>        *                  The organization is or was in possession of the target node.
  ou:org               -(owns)>       *                  The organization owns or owned the target node.
  ou:org               -(targets)>    *                  The organization targets the target node.
  ou:org               -(uses)>       *                  The ou:org makes use of the target node.
  ps:contact           -(has)>        *                  The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *                  The contact owns or owned the target node.
  ps:person            -(has)>        *                  The person is or was in possession of the target node.
  ps:person            -(owns)>       *                  The person owns or owned the target node.
  risk:attack          -(targets)>    *                  The attack targeted the target node.
  risk:attack          -(uses)>       *                  The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *                  The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *                  The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *                  The leak included the disclosure of the target node.
  risk:threat          -(targets)>    *                  The threat cluster targeted the target node.
  risk:threat          -(uses)>       *                  The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *                  The tool uses the target node.
  sci:evidence         -(has)>        *                  The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *                  The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *                  The observations are summarized from the target nodes.

econ:acct:payment

A payment or crypto currency transaction.

The base type for the form can be found at econ:acct:payment.

Properties:

  name                   type                           doc
  :txnid                 strip: True                    A payment processor specific transaction id.
  :fee                   econ:price                     The transaction fee paid by the recipient to the payment processor.
  :from:account          econ:bank:account              The bank account which made the payment.
  :from:pay:card         econ:pay:card                  The payment card making the payment.
  :from:contract         ou:contract                    A contract used as an aggregate payment source.
  :from:coinaddr         crypto:currency:address        The crypto currency address making the payment.
  :from:contact          ps:contact                     Contact information for the entity making the payment.
  :to:account            econ:bank:account              The bank account which received the payment.
  :to:coinaddr           crypto:currency:address        The crypto currency address receiving the payment.
  :to:contact            ps:contact                     Contact information for the person/org being paid.
  :to:contract           ou:contract                    A contract used as an aggregate payment destination.
  :time                  time                           The time the payment was processed.
  :purchase              econ:purchase                  The purchase which the payment was paying for.
  :amount                econ:price                     The amount of money transferred in the payment.
  :currency              econ:currency                  The currency of the payment.
  :memo                  str                            A short note specified by the payer, as is common in financial transactions.
  :crypto:transaction    crypto:currency:transaction    A crypto currency transaction that initiated the payment.
  :invoice               econ:acct:invoice              The invoice that the payment applies to.
  :receipt               econ:acct:receipt              The receipt that was issued for the payment.

Source Edges:

  source               verb           target             doc
  *                    -(meets)>      ou:requirement     The requirement is met by the source node.
  *                    -(refs)>       *                  The source node contains a reference to the target node.
  *                    -(seenat)>     geo:telem          The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb           target             doc
  *                    -(refs)>       *                  None
  econ:bank:statement  -(has)>        econ:acct:payment  The bank statement includes the payment.
  econ:purchase        -(acquired)>   *                  The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *                  The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *                  The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *                  The target node was returned as a result of running the query.
  meta:note            -(about)>      *                  The meta:note is about the target node.
  meta:rule            -(detects)>    *                  The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *                  The meta:rule has matched on the target node.
  meta:source          -(seen)>       *                  The meta:source observed the target node.
  ou:campaign          -(targets)>    *                  The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *                  The campaign made use of the target node.
  ou:contribution      -(includes)>   *                  The contribution includes the specific node.
  ou:org               -(has)>        *                  The organization is or was in possession of the target node.
  ou:org               -(owns)>       *                  The organization owns or owned the target node.
  ou:org               -(targets)>    *                  The organization targets the target node.
  ou:org               -(uses)>       *                  The ou:org makes use of the target node.
  ps:contact           -(has)>        *                  The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *                  The contact owns or owned the target node.
  ps:person            -(has)>        *                  The person is or was in possession of the target node.
  ps:person            -(owns)>       *                  The person owns or owned the target node.
  risk:attack          -(targets)>    *                  The attack targeted the target node.
  risk:attack          -(uses)>       *                  The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *                  The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *                  The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *                  The leak included the disclosure of the target node.
  risk:threat          -(targets)>    *                  The threat cluster targeted the target node.
  risk:threat          -(uses)>       *                  The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *                  The tool uses the target node.
  sci:evidence         -(has)>        *                  The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *                  The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *                  The observations are summarized from the target nodes.

econ:acct:receipt

A receipt issued as proof of payment.

The base type for the form can be found at econ:acct:receipt.

Properties:

  name          type             doc
  :issued       time             The time the receipt was issued.
  :purchase     econ:purchase    The purchase that the receipt confirms payment for.
  :issuer       ps:contact       The contact information for the entity who issued the receipt.
  :recipient    ps:contact       The contact information for the entity who received the receipt.
  :currency     econ:currency    The currency that the receipt uses to specify the price.
  :amount       econ:price       The price that the receipt confirms was paid.

Source Edges:

  source               verb           target             doc
  *                    -(meets)>      ou:requirement     The requirement is met by the source node.
  *                    -(refs)>       *                  The source node contains a reference to the target node.
  *                    -(seenat)>     geo:telem          The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb           target             doc
  *                    -(refs)>       *                  None
  econ:purchase        -(acquired)>   *                  The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *                  The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *                  The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *                  The target node was returned as a result of running the query.
  meta:note            -(about)>      *                  The meta:note is about the target node.
  meta:rule            -(detects)>    *                  The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *                  The meta:rule has matched on the target node.
  meta:source          -(seen)>       *                  The meta:source observed the target node.
  ou:campaign          -(targets)>    *                  The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *                  The campaign made use of the target node.
  ou:contribution      -(includes)>   *                  The contribution includes the specific node.
  ou:org               -(has)>        *                  The organization is or was in possession of the target node.
  ou:org               -(owns)>       *                  The organization owns or owned the target node.
  ou:org               -(targets)>    *                  The organization targets the target node.
  ou:org               -(uses)>       *                  The ou:org makes use of the target node.
  ps:contact           -(has)>        *                  The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *                  The contact owns or owned the target node.
  ps:person            -(has)>        *                  The person is or was in possession of the target node.
  ps:person            -(owns)>       *                  The person owns or owned the target node.
  risk:attack          -(targets)>    *                  The attack targeted the target node.
  risk:attack          -(uses)>       *                  The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *                  The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *                  The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *                  The leak included the disclosure of the target node.
  risk:threat          -(targets)>    *                  The threat cluster targeted the target node.
  risk:threat          -(uses)>       *                  The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *                  The tool uses the target node.
  sci:evidence         -(has)>        *                  The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *                  The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *                  The observations are summarized from the target nodes.

econ:acquired

Deprecated. Please use econ:purchase -(acquired)> *.

The base type for the form can be found at econ:acquired.

Properties:

  name          type             doc (opts)
  :purchase     econ:purchase    The purchase event which acquired an item. (Read Only: True)
  :item         ndef             A reference to the item that was acquired. (Read Only: True)
  :item:form    str              The form of the item purchased.

Source Edges:

  source               verb           target             doc
  *                    -(meets)>      ou:requirement     The requirement is met by the source node.
  *                    -(refs)>       *                  The source node contains a reference to the target node.
  *                    -(seenat)>     geo:telem          The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb           target             doc
  *                    -(refs)>       *                  None
  econ:purchase        -(acquired)>   *                  The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *                  The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *                  The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *                  The target node was returned as a result of running the query.
  meta:note            -(about)>      *                  The meta:note is about the target node.
  meta:rule            -(detects)>    *                  The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *                  The meta:rule has matched on the target node.
  meta:source          -(seen)>       *                  The meta:source observed the target node.
  ou:campaign          -(targets)>    *                  The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *                  The campaign made use of the target node.
  ou:contribution      -(includes)>   *                  The contribution includes the specific node.
  ou:org               -(has)>        *                  The organization is or was in possession of the target node.
  ou:org               -(owns)>       *                  The organization owns or owned the target node.
  ou:org               -(targets)>    *                  The organization targets the target node.
  ou:org               -(uses)>       *                  The ou:org makes use of the target node.
  ps:contact           -(has)>        *                  The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *                  The contact owns or owned the target node.
  ps:person            -(has)>        *                  The person is or was in possession of the target node.
  ps:person            -(owns)>       *                  The person owns or owned the target node.
  risk:attack          -(targets)>    *                  The attack targeted the target node.
  risk:attack          -(uses)>       *                  The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *                  The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *                  The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *                  The leak included the disclosure of the target node.
  risk:threat          -(targets)>    *                  The threat cluster targeted the target node.
  risk:threat          -(uses)>       *                  The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *                  The tool uses the target node.
  sci:evidence         -(has)>        *                  The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *                  The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *                  The observations are summarized from the target nodes.

econ:bank:aba:rtn

An American Bank Association (ABA) routing transit number (RTN).

The base type for the form can be found at econ:bank:aba:rtn.

Properties:

  name          type       doc
  :bank         ou:org     The bank which was issued the ABA RTN.
  :bank:name    ou:name    The name which is registered for this ABA RTN.

Source Edges:

  source               verb           target             doc
  *                    -(meets)>      ou:requirement     The requirement is met by the source node.
  *                    -(refs)>       *                  The source node contains a reference to the target node.
  *                    -(seenat)>     geo:telem          The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb           target             doc
  *                    -(refs)>       *                  None
  econ:purchase        -(acquired)>   *                  The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *                  The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *                  The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *                  The target node was returned as a result of running the query.
  meta:note            -(about)>      *                  The meta:note is about the target node.
  meta:rule            -(detects)>    *                  The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *                  The meta:rule has matched on the target node.
  meta:source          -(seen)>       *                  The meta:source observed the target node.
  ou:campaign          -(targets)>    *                  The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *                  The campaign made use of the target node.
  ou:contribution      -(includes)>   *                  The contribution includes the specific node.
  ou:org               -(has)>        *                  The organization is or was in possession of the target node.
  ou:org               -(owns)>       *                  The organization owns or owned the target node.
  ou:org               -(targets)>    *                  The organization targets the target node.
  ou:org               -(uses)>       *                  The ou:org makes use of the target node.
  ps:contact           -(has)>        *                  The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *                  The contact owns or owned the target node.
  ps:person            -(has)>        *                  The person is or was in possession of the target node.
  ps:person            -(owns)>       *                  The person owns or owned the target node.
  risk:attack          -(targets)>    *                  The attack targeted the target node.
  risk:attack          -(uses)>       *                  The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *                  The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *                  The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *                  The leak included the disclosure of the target node.
  risk:threat          -(targets)>    *                  The threat cluster targeted the target node.
  risk:threat          -(uses)>       *                  The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *                  The tool uses the target node.
  sci:evidence         -(has)>        *                  The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *                  The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *                  The observations are summarized from the target nodes.

econ:bank:account

A bank account.

The base type for the form can be found at econ:bank:account.

Properties:

  name            type                               doc
  :type           econ:bank:account:type:taxonomy    The type of bank account.
  :aba:rtn        econ:bank:aba:rtn                  The ABA routing transit number for the bank which issued the account.
  :number         regex: [0-9]+                      The account number.
  :iban           econ:bank:iban                     The IBAN for the account.
  :contact        ps:contact                         The contact information associated with the bank account.
  :issuer         ou:org                             The bank which issued the account.
  :issuer:name    ou:name                            The name of the bank which issued the account.
  :currency       econ:currency                      The currency of the account balance.
  :balance        econ:bank:balance                  The most recently known bank balance information.

Source Edges:

  source               verb           target             doc
  *                    -(meets)>      ou:requirement     The requirement is met by the source node.
  *                    -(refs)>       *                  The source node contains a reference to the target node.
  *                    -(seenat)>     geo:telem          The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb           target             doc
  *                    -(refs)>       *                  None
  econ:purchase        -(acquired)>   *                  The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *                  The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *                  The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *                  The target node was returned as a result of running the query.
  meta:note            -(about)>      *                  The meta:note is about the target node.
  meta:rule            -(detects)>    *                  The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *                  The meta:rule has matched on the target node.
  meta:source          -(seen)>       *                  The meta:source observed the target node.
  ou:campaign          -(targets)>    *                  The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *                  The campaign made use of the target node.
  ou:contribution      -(includes)>   *                  The contribution includes the specific node.
  ou:org               -(has)>        *                  The organization is or was in possession of the target node.
  ou:org               -(owns)>       *                  The organization owns or owned the target node.
  ou:org               -(targets)>    *                  The organization targets the target node.
  ou:org               -(uses)>       *                  The ou:org makes use of the target node.
  ps:contact           -(has)>        *                  The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *                  The contact owns or owned the target node.
  ps:person            -(has)>        *                  The person is or was in possession of the target node.
  ps:person            -(owns)>       *                  The person owns or owned the target node.
  risk:attack          -(targets)>    *                  The attack targeted the target node.
  risk:attack          -(uses)>       *                  The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *                  The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *                  The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *                  The leak included the disclosure of the target node.
  risk:threat          -(targets)>    *                  The threat cluster targeted the target node.
  risk:threat          -(uses)>       *                  The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *                  The tool uses the target node.
  sci:evidence         -(has)>        *                  The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *                  The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *                  The observations are summarized from the target nodes.

econ:bank:account:type:taxonomy

A bank account type taxonomy.

The base type for the form can be found at econ:bank:account:type:taxonomy.

Source Edges:

  source               verb           target             doc
  *                    -(meets)>      ou:requirement     The requirement is met by the source node.
  *                    -(refs)>       *                  The source node contains a reference to the target node.
  *                    -(seenat)>     geo:telem          The source node was seen at the geo:telem node place and time.

Target Edges:

  source               verb           target             doc
  *                    -(refs)>       *                  None
  econ:purchase        -(acquired)>   *                  The purchase was used to acquire the target node.
  it:app:snort:rule    -(detects)>    *                  The snort rule is intended for use in detecting the target node.
  it:app:yara:rule     -(detects)>    *                  The YARA rule is intended for use in detecting the target node.
  it:exec:query        -(found)>      *                  The target node was returned as a result of running the query.
  meta:note            -(about)>      *                  The meta:note is about the target node.
  meta:rule            -(detects)>    *                  The meta:rule is designed to detect instances of the target node.
  meta:rule            -(matches)>    *                  The meta:rule has matched on the target node.
  meta:source          -(seen)>       *                  The meta:source observed the target node.
  ou:campaign          -(targets)>    *                  The campaign targeted the target nodes.
  ou:campaign          -(uses)>       *                  The campaign made use of the target node.
  ou:contribution      -(includes)>   *                  The contribution includes the specific node.
  ou:org               -(has)>        *                  The organization is or was in possession of the target node.
  ou:org               -(owns)>       *                  The organization owns or owned the target node.
  ou:org               -(targets)>    *                  The organization targets the target node.
  ou:org               -(uses)>       *                  The ou:org makes use of the target node.
  ps:contact           -(has)>        *                  The contact is or was in possession of the target node.
  ps:contact           -(owns)>       *                  The contact owns or owned the target node.
  ps:person            -(has)>        *                  The person is or was in possession of the target node.
  ps:person            -(owns)>       *                  The person owns or owned the target node.
  risk:attack          -(targets)>    *                  The attack targeted the target node.
  risk:attack          -(uses)>       *                  The attack used the target node to facilitate the attack.
  risk:compromise      -(stole)>      *                  The target node was stolen or copied as a result of the compromise.
  risk:extortion       -(leveraged)>  *                  The extortion event was based on attacker access to the target node.
  risk:leak            -(leaked)>     *                  The leak included the disclosure of the target node.
  risk:threat          -(targets)>    *                  The threat cluster targeted the target node.
  risk:threat          -(uses)>       *                  The threat cluster uses the target node.
  risk:tool:software   -(uses)>       *                  The tool uses the target node.
  sci:evidence         -(has)>        *                  The evidence includes observations from the target nodes.
  sci:experiment       -(uses)>       *                  The experiment used the target nodes when it was run.
  sci:observation      -(has)>        *                  The observations are summarized from the target nodes.

econ:bank:balance

A balance contained by a bank account at a point in time.

The base type for the form can be found at econ:bank:balance.

Properties:

name | type | doc
:time | time | The time that the account balance was observed.
:amount | econ:price | The amount of currency available at the time.
:account | econ:bank:account | The bank account which contained the balance amount.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:bank:iban

An International Bank Account Number.

The base type for the form can be found at econ:bank:iban.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:bank:statement

A statement of bank account payment activity over a period of time.

The base type for the form can be found at econ:bank:statement.

Properties:

name | type | doc
:account | econ:bank:account | The bank account used to compute the statement.
:period | ival | The period that the statement includes.
:starting:balance | econ:price | The account balance at the beginning of the statement period.
:ending:balance | econ:price | The account balance at the end of the statement period.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.
econ:bank:statement | -(has)> | econ:acct:payment | The bank statement includes the payment.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:bank:swift:bic

A Society for Worldwide Interbank Financial Telecommunication (SWIFT) Business Identifier Code (BIC).

The base type for the form can be found at econ:bank:swift:bic.

Properties:

name | type | doc
:business | ou:org | The business which is the registered owner of the SWIFT BIC.
:office | ps:contact | The branch or office which is specified in the last 3 digits of the SWIFT BIC.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:fin:bar

A sample of the open, close, high, low prices of a security in a specific time window.

The base type for the form can be found at econ:fin:bar.

Properties:

name | type | doc
:security | econ:fin:security | The security measured by the bar.
:ival | ival | The interval of measurement.
:price:open | econ:price | The opening price of the security.
:price:close | econ:price | The closing price of the security.
:price:low | econ:price | The low price of the security.
:price:high | econ:price | The high price of the security.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:fin:exchange

A financial exchange where securities are traded.

The base type for the form can be found at econ:fin:exchange.

Properties:

name | type | doc | opts
:name | lower: True, strip: True | A simple name for the exchange. Example: nasdaq
:org | ou:org | The organization that operates the exchange.
:currency | econ:currency | The currency used for all transactions in the exchange. Example: usd

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:fin:security

A financial security which is typically traded on an exchange.

The base type for the form can be found at econ:fin:security.

Properties:

name | type | doc
:exchange | econ:fin:exchange | The exchange on which the security is traded.
:ticker | lower: True, strip: True | The identifier for this security within the exchange.
:type | lower: True, strip: True | A user defined type such as stock, bond, option, future, or forex.
:price | econ:price | The last known/available price of the security.
:time | time | The time of the last known price sample.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:fin:tick

A sample of the price of a security at a single moment in time.

The base type for the form can be found at econ:fin:tick.

Properties:

name | type | doc
:security | econ:fin:security | The security measured by the tick.
:time | time | The time the price was sampled.
:price | econ:price | The price of the security at the time.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:pay:card

A single payment card.

The base type for the form can be found at econ:pay:card.

Properties:

name | type | doc
:pan | econ:pay:pan | The payment card number.
:pan:mii | econ:pay:mii | The payment card MII.
:pan:iin | econ:pay:iin | The payment card IIN.
:name | ps:name | The name as it appears on the card.
:expr | time | The expiration date for the card.
:cvv | econ:pay:cvv | The Card Verification Value on the card.
:pin | econ:pay:pin | The Personal Identification Number on the card.
:account | econ:bank:account | A bank account associated with the payment card.
:contact | ps:contact | The contact information associated with the payment card.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:pay:iin

An Issuer Id Number (IIN).

The base type for the form can be found at econ:pay:iin.

Properties:

name | type | doc
:org | ou:org | The issuer organization.
:name | lower: True | The registered name of the issuer.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

econ:purchase

A purchase event.

The base type for the form can be found at econ:purchase.

Properties:

name

type

doc

:by:contact

ps:contact

The contact information used to make the purchase.

:from:contact

ps:contact

The contact information used to sell the item.

:time

time

The time of the purchase.

:place

geo:place

The place where the purchase took place.

:paid

bool

Set to True if the purchase has been paid in full.

:paid:time

time

The point in time where the purchase was paid in full.

:settled

time

The point in time where the purchase was settled.

:campaign

ou:campaign

The campaign that the purchase was in support of.

:price

econ:price

The econ:price of the purchase.

:currency

econ:currency

The econ:price of the purchase.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

econ:receipt:item

A line item included as part of a purchase.

The base type for the form can be found at econ:receipt:item.

Properties:

name

type

doc

:purchase

econ:purchase

The purchase that contains this line item.

:count

min: 1

The number of items included in this line item.

:price

econ:price

The total cost of this receipt line item.

:product

biz:product

The product being purchased in this line item.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

edge:has

A digraph edge which records that N1 has N2.

The base type for the form can be found at edge:has.

Properties:

name

type

doc

opts

:n1

ndef

The node definition type for a (form,valu) compound field.

Read Only: True

:n1:form

str

The base string type.

Read Only: True

:n2

ndef

The node definition type for a (form,valu) compound field.

Read Only: True

:n2:form

str

The base string type.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

edge:refs

A digraph edge which records that N1 refers to or contains N2.

The base type for the form can be found at edge:refs.

Properties:

name

type

doc

opts

:n1

ndef

The node definition type for a (form,valu) compound field.

Read Only: True

:n1:form

str

The base string type.

Read Only: True

:n2

ndef

The node definition type for a (form,valu) compound field.

Read Only: True

:n2:form

str

The base string type.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

edge:wentto

A digraph edge which records that N1 went to N2 at a specific time.

The base type for the form can be found at edge:wentto.

Properties:

name

type

doc

opts

:n1

ndef

The node definition type for a (form,valu) compound field.

Read Only: True

:n1:form

str

The base string type.

Read Only: True

:n2

ndef

The node definition type for a (form,valu) compound field.

Read Only: True

:n2:form

str

The base string type.

Read Only: True

:time

time

A date/time value.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

edu:class

An instance of an edu:course taught at a given time.

The base type for the form can be found at edu:class.

Properties:

name

type

doc

:course

edu:course

The course being taught in the class.

:instructor

ps:contact

The primary instructor for the class.

:assistants

uniq: True
sorted: True

An array of assistant/co-instructor contacts.

:date:first

time

The date of the first day of class.

:date:last

time

The date of the last day of class.

:isvirtual

bool

Set if the class is known to be virtual.

:virtual:url

inet:url

The URL a student would use to attend the virtual class.

:virtual:provider

ps:contact

Contact info for the virtual infrastructure provider.

:place

geo:place

The place that the class is held.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

edu:course

A course of study taught by an org.

The base type for the form can be found at edu:course.

Properties:

name

type

doc

opts

:name

lower: True
onespace: True

The name of the course.

Example: organic chemistry for beginners

:desc

str

A brief course description.

:code

lower: True
strip: True

The course catalog number or designator.

Example: chem101

:institution

ps:contact

The org or department which teaches the course.

:prereqs

uniq: True
sorted: True

The pre-requisite courses for taking this course.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:archive:entry

An archive entry representing a file and metadata within a parent archive file.

The base type for the form can be found at file:archive:entry.

Properties:

name

type

doc

:parent

file:bytes

The parent archive file.

:file

file:bytes

The file contained within the archive.

:path

file:path

The file path of the archived file.

:user

inet:user

The name of the user who owns the archived file.

:added

time

The time that the file was added to the archive.

:created

time

The created time of the archived file.

:modified

time

The modified time of the archived file.

:comment

str

The comment field for the file entry within the archive.

:posix:uid

int

The POSIX UID of the user who owns the archived file.

:posix:gid

int

The POSIX GID of the group who owns the archived file.

:posix:perms

int

The POSIX permissions mask of the archived file.

:archived:size

int

The encoded or compressed size of the archived file within the parent.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:base

A file name with no path.

The base type for the form can be found at file:base.

An example of file:base:

  • woot.exe

Properties:

name

type

doc

opts

:ext

str

The file extension (if any).

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:bytes

The file bytes type with SHA256 based primary property.

The base type for the form can be found at file:bytes.

Properties:

name

type

doc

:size

int

The file size in bytes.

:md5

hash:md5

The md5 hash of the file.

:sha1

hash:sha1

The sha1 hash of the file.

:sha256

hash:sha256

The sha256 hash of the file.

:sha512

hash:sha512

The sha512 hash of the file.

:name

file:base

The best known base name for the file.

:mime

file:mime

The “best” mime type name for the file.

:mime:x509:cn

str

The Common Name (CN) attribute of the x509 Subject.

:mime:pe:size

int

The size of the executable file according to the PE file header.

:mime:pe:imphash

hash:md5

The PE import hash of the file as calculated by pefile (https://github.com/erocarrera/pefile).

:mime:pe:compiled

time

The compile time of the file according to the PE header.

:mime:pe:pdbpath

file:path

The PDB string according to the PE.

:mime:pe:exports:time

time

The export time of the file according to the PE.

:mime:pe:exports:libname

str

The export library name according to the PE.

:mime:pe:richhdr

hash:sha256

The sha256 hash of the rich header bytes.

:exe:compiler

it:prod:softver

The software used to compile the file.

:exe:packer

it:prod:softver

The packer software used to encode the file.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:filepath

The fused knowledge of the association of a file:bytes node and a file:path.

The base type for the form can be found at file:filepath.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :file | file:bytes | The file seen at a path. | Read Only: True |
| :path | file:path | The path a file was seen at. | Read Only: True |
| :path:dir | file:path | The parent directory. | Read Only: True |
| :path:base | file:base | The name of the file. | Read Only: True |
| :path:base:ext | str | The extension of the file name. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:ismime

Records one, of potentially multiple, mime types for a given file.

The base type for the form can be found at file:ismime.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :file | file:bytes | The file node that is an instance of the named mime type. | Read Only: True |
| :mime | file:mime | The mime type of the file. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:mime

A file mime name string.

The base type for the form can be found at file:mime.

An example of file:mime:

  • text/plain

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:mime:gif

The GUID of a set of mime metadata for a .gif file.

The base type for the form can be found at file:mime:gif.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :desc | str | MIME specific description field extracted from metadata. | |
| :comment | str | MIME specific comment field extracted from metadata. | |
| :created | time | MIME specific creation timestamp extracted from metadata. | |
| :imageid | str | MIME specific unique identifier extracted from metadata. | |
| :author | ps:contact | MIME specific contact information extracted from metadata. | |
| :latlong | geo:latlong | MIME specific lat/long information extracted from metadata. | |
| :altitude | geo:altitude | MIME specific altitude information extracted from metadata. | |
| :text | | The text contained within the image. | lower: True, onespace: True |
| :file | file:bytes | The file that the mime info was parsed from. | |
| :file:offs | int | The optional offset where the mime info was parsed from. | |
| :file:data | data | A mime specific arbitrary data structure for non-indexed data. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:mime:jpg

The GUID of a set of mime metadata for a .jpg file.

The base type for the form can be found at file:mime:jpg.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :desc | str | MIME specific description field extracted from metadata. | |
| :comment | str | MIME specific comment field extracted from metadata. | |
| :created | time | MIME specific creation timestamp extracted from metadata. | |
| :imageid | str | MIME specific unique identifier extracted from metadata. | |
| :author | ps:contact | MIME specific contact information extracted from metadata. | |
| :latlong | geo:latlong | MIME specific lat/long information extracted from metadata. | |
| :altitude | geo:altitude | MIME specific altitude information extracted from metadata. | |
| :text | | The text contained within the image. | lower: True, onespace: True |
| :file | file:bytes | The file that the mime info was parsed from. | |
| :file:offs | int | The optional offset where the mime info was parsed from. | |
| :file:data | data | A mime specific arbitrary data structure for non-indexed data. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:mime:macho:loadcmd

A generic load command pulled from the Mach-O headers.

The base type for the form can be found at file:mime:macho:loadcmd.

Properties:

| name | type | doc |
| --- | --- | --- |
| :file | file:bytes | The Mach-O file containing the load command. |
| :type | enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries')) | The type of the load command. |
| :size | int | The size of the load command structure in bytes. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:mime:macho:section

A section inside a Mach-O binary denoting a named region of bytes inside a segment.

The base type for the form can be found at file:mime:macho:section.

Properties:

| name | type | doc |
| --- | --- | --- |
| :segment | file:mime:macho:segment | The Mach-O segment that contains this section. |
| :name | str | Name of the section. |
| :size | int | Size of the section in bytes. |
| :type | enums: ((0, 'regular'), (1, 'zero fill on demand'), (2, 'only literal C strings'), (3, 'only 4 byte literals'), (4, 'only 8 byte literals'), (5, 'only pointers to literals'), (6, 'only non-lazy symbol pointers'), (7, 'only lazy symbol pointers'), (8, 'only symbol stubs'), (9, 'only function pointers for init'), (10, 'only function pointers for fini'), (11, 'contains symbols to be coalesced'), (12, 'zero fill on deman (greater than 4gb)'), (13, 'only pairs of function pointers for interposing'), (14, 'only 16 byte literals'), (15, 'dtrace object format'), (16, 'only lazy symbols pointers to lazy dynamic libraries')) | The type of the section. |
| :sha256 | hash:sha256 | The sha256 hash of the bytes of the Mach-O section. |
| :offset | int | The file offset to the beginning of the section. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:mime:macho:segment

A named region of bytes inside a Mach-O binary.

The base type for the form can be found at file:mime:macho:segment.

Properties:

| name | type | doc |
| --- | --- | --- |
| :name | str | The name of the Mach-O segment. |
| :memsize | int | The size of the segment in bytes, when resident in memory, according to the load command structure. |
| :disksize | int | The size of the segment in bytes, when on disk, according to the load command structure. |
| :sha256 | hash:sha256 | The sha256 hash of the bytes of the segment. |
| :offset | int | The file offset to the beginning of the segment. |
| :file | file:bytes | The Mach-O file containing the load command. |
| :type | enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries')) | The type of the load command. |
| :size | int | The size of the load command structure in bytes. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

file:mime:macho:uuid

A specific load command denoting a UUID used to uniquely identify the Mach-O binary.

The base type for the form can be found at file:mime:macho:uuid.

Properties:

name

type

doc

:uuid

guid

The UUID of the Mach-O application (as defined in an LC_UUID load command).

:file

file:bytes

The Mach-O file containing the load command.

:type

enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

The type of the load command.

:size

int

The size of the load command structure in bytes.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:macho:version

A specific load command used to denote the version of the source used to build the Mach-O binary.

The base type for the form can be found at file:mime:macho:version.

Properties:

name

type

doc

:version

str

The version of the Mach-O file encoded in an LC_VERSION load command.

:file

file:bytes

The Mach-O file containing the load command.

:type

enums: ((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))

The type of the load command.

:size

int

The size of the load command structure in bytes.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:msdoc

The GUID of a set of mime metadata for a Microsoft Word file.

The base type for the form can be found at file:mime:msdoc.

Properties:

name

type

doc

:title

str

The title extracted from Microsoft Office metadata.

:author

str

The author extracted from Microsoft Office metadata.

:subject

str

The subject extracted from Microsoft Office metadata.

:application

str

The creating_application extracted from Microsoft Office metadata.

:created

time

The create_time extracted from Microsoft Office metadata.

:lastsaved

time

The last_saved_time extracted from Microsoft Office metadata.

:file

file:bytes

The file that the mime info was parsed from.

:file:offs

int

The optional offset where the mime info was parsed from.

:file:data

data

A MIME-specific arbitrary data structure for non-indexed data.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:msppt

The GUID of a set of mime metadata for a Microsoft PowerPoint file.

The base type for the form can be found at file:mime:msppt.

Properties:

name

type

doc

:title

str

The title extracted from Microsoft Office metadata.

:author

str

The author extracted from Microsoft Office metadata.

:subject

str

The subject extracted from Microsoft Office metadata.

:application

str

The creating_application extracted from Microsoft Office metadata.

:created

time

The create_time extracted from Microsoft Office metadata.

:lastsaved

time

The last_saved_time extracted from Microsoft Office metadata.

:file

file:bytes

The file that the mime info was parsed from.

:file:offs

int

The optional offset where the mime info was parsed from.

:file:data

data

A MIME-specific arbitrary data structure for non-indexed data.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:msxls

The GUID of a set of mime metadata for a Microsoft Excel file.

The base type for the form can be found at file:mime:msxls.

Properties:

name

type

doc

:title

str

The title extracted from Microsoft Office metadata.

:author

str

The author extracted from Microsoft Office metadata.

:subject

str

The subject extracted from Microsoft Office metadata.

:application

str

The creating_application extracted from Microsoft Office metadata.

:created

time

The create_time extracted from Microsoft Office metadata.

:lastsaved

time

The last_saved_time extracted from Microsoft Office metadata.

:file

file:bytes

The file that the mime info was parsed from.

:file:offs

int

The optional offset where the mime info was parsed from.

:file:data

data

A MIME-specific arbitrary data structure for non-indexed data.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:pe:export

The fused knowledge of a file:bytes node containing a PE named export.

The base type for the form can be found at file:mime:pe:export.

Properties:

name

type

doc

opts

:file

file:bytes

The file containing the export.

Read Only: True

:name

str

The name of the export in the file.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:pe:resource

The fused knowledge of a file:bytes node containing a PE resource.

The base type for the form can be found at file:mime:pe:resource.

Properties:

name

type

doc

opts

:file

file:bytes

The file containing the resource.

Read Only: True

:type

pe:resource:type

The typecode for the resource.

Read Only: True

:langid

pe:langid

The language code for the resource.

Read Only: True

:resource

file:bytes

The sha256 hash of the resource bytes.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:pe:section

The fused knowledge of a file:bytes node containing a PE section.

The base type for the form can be found at file:mime:pe:section.

Properties:

name

type

doc

opts

:file

file:bytes

The file containing the section.

Read Only: True

:name

str

The textual name of the section.

Read Only: True

:sha256

hash:sha256

The sha256 hash of the section. Relocations must be zeroed before hashing.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:pe:vsvers:info

Knowledge of a file:bytes node containing vsvers info.

The base type for the form can be found at file:mime:pe:vsvers:info.

Properties:

name

type

doc

opts

:file

file:bytes

The file containing the vsversion keyval pair.

Read Only: True

:keyval

file:mime:pe:vsvers:keyval

The vsversion info keyval in this file:bytes node.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:pe:vsvers:keyval

A key value pair found in a PE vsversion info structure.

The base type for the form can be found at file:mime:pe:vsvers:keyval.

Properties:

name

type

doc

opts

:name

str

The key for the vsversion keyval pair.

Read Only: True

:value

str

The value for the vsversion keyval pair.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

file:mime:png

The GUID of a set of mime metadata for a .png file.

The base type for the form can be found at file:mime:png.

Properties:

name | type | doc
--- | --- | ---
:desc | str | MIME specific description field extracted from metadata.
:comment | str | MIME specific comment field extracted from metadata.
:created | time | MIME specific creation timestamp extracted from metadata.
:imageid | str | MIME specific unique identifier extracted from metadata.
:author | ps:contact | MIME specific contact information extracted from metadata.
:latlong | geo:latlong | MIME specific lat/long information extracted from metadata.
:altitude | geo:altitude | MIME specific altitude information extracted from metadata.
:text | lower: True; onespace: True | The text contained within the image.
:file | file:bytes | The file that the mime info was parsed from.
:file:offs | int | The optional offset where the mime info was parsed from.
:file:data | data | A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

file:mime:rtf

The GUID of a set of mime metadata for a .rtf file.

The base type for the form can be found at file:mime:rtf.

Properties:

name | type | doc
--- | --- | ---
:guid | guid | The parsed GUID embedded in the .rtf file.
:file | file:bytes | The file that the mime info was parsed from.
:file:offs | int | The optional offset where the mime info was parsed from.
:file:data | data | A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

file:mime:tif

The GUID of a set of mime metadata for a .tif file.

The base type for the form can be found at file:mime:tif.

Properties:

name | type | doc
--- | --- | ---
:desc | str | MIME specific description field extracted from metadata.
:comment | str | MIME specific comment field extracted from metadata.
:created | time | MIME specific creation timestamp extracted from metadata.
:imageid | str | MIME specific unique identifier extracted from metadata.
:author | ps:contact | MIME specific contact information extracted from metadata.
:latlong | geo:latlong | MIME specific lat/long information extracted from metadata.
:altitude | geo:altitude | MIME specific altitude information extracted from metadata.
:text | lower: True; onespace: True | The text contained within the image.
:file | file:bytes | The file that the mime info was parsed from.
:file:offs | int | The optional offset where the mime info was parsed from.
:file:data | data | A mime specific arbitrary data structure for non-indexed data.

Source Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

file:path

A normalized file path.

The base type for the form can be found at file:path.

An example of file:path:

  • c:/windows/system32/calc.exe

Properties:

name | type | doc | opts
--- | --- | --- | ---
:dir | file:path | The parent directory. | Read Only: True
:base | file:base | The file base name. | Read Only: True
:base:ext | str | The file extension. | Read Only: True

Source Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

file:string

Deprecated. Please use the edge -(refs)> it:dev:str.

The base type for the form can be found at file:string.

Properties:

name | type | doc | opts
--- | --- | --- | ---
:file | file:bytes | The file containing the string. | Read Only: True
:string | str | The string contained in this file:bytes node. | Read Only: True

Source Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

file:subfile

A parent file that fully contains the specified child file.

The base type for the form can be found at file:subfile.

Properties:

name | type | doc | opts
--- | --- | --- | ---
:parent | file:bytes | The parent file containing the child file. | Read Only: True
:child | file:bytes | The child file contained in the parent file. | Read Only: True
:name | file:base | Deprecated, please use the :path property. | Deprecated: True
:path | file:path | The path that the parent uses to refer to the child file. |

Source Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

geo:name

An unstructured place name or address.

The base type for the form can be found at geo:name.

Source Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

geo:nloc

Records a node latitude/longitude in space-time.

The base type for the form can be found at geo:nloc.

Properties:

name | type | doc | opts
--- | --- | --- | ---
:ndef | ndef | The node with location in geospace and time. | Read Only: True
:ndef:form | str | The form of node referenced by the ndef. | Read Only: True
:latlong | geo:latlong | The latitude/longitude at which the node was observed. | Read Only: True
:time | time | The time the node was observed at the location. | Read Only: True
:place | geo:place | The place corresponding to the latlong property. |
:loc | loc | The geo-political location string for the node. |

Source Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

geo:place

A GUID for a geographic place.

The base type for the form can be found at geo:place.

Properties:

name | type | doc | opts
--- | --- | --- | ---
:name | geo:name | The name of the place. |
:type | geo:place:taxonomy | The type of place. |
:names | type: geo:name; sorted: True; uniq: True | An array of alternative place names. |
:parent | geo:place | Deprecated. Please use a -(contains)> edge. | Deprecated: True
:desc | str | A long form description of the place. |
:loc | loc | The geo-political location string for the node. |
:address | geo:address | The street/mailing address for the place. |
:geojson | geo:json | A GeoJSON representation of the place. |
:latlong | geo:latlong | The lat/long position for the place. |
:bbox | geo:bbox | A bounding box which encompasses the place. |
:radius | geo:dist | An approximate radius to use for bounding box calculation. |
:photo | file:bytes | The image file to use as the primary image of the place. |

Source Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.
geo:place | -(contains)> | geo:place | The source place completely contains the target place.

Target Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
geo:place | -(contains)> | geo:place | None
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

geo:place:taxonomy

A taxonomy of place types.

The base type for the form can be found at geo:place:taxonomy.

Properties:

name | type | doc | opts
--- | --- | --- | ---
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | geo:place:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
--- | --- | --- | ---
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

geo:telem

A geospatial position of a node at a given time. The node should be linked via -(seenat)> edges.

The base type for the form can be found at geo:telem.

Properties:

name         type         doc
:time        time         The time that the node was at the position.
:desc        str          A description of the telemetry sample.
:latlong     geo:latlong  The latitude/longitude reading at the time.
:accuracy    geo:dist     The reported accuracy of the latlong telemetry reading.
:place       geo:place    The place which includes the latlong value.
:place:name  geo:name     The purported place name. Used for entity resolution.

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               None
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

gov:cn:icp

A Chinese Internet Content Provider ID.

The base type for the form can be found at gov:cn:icp.

Properties:

name  type    doc
:org  ou:org  The org with the Internet Content Provider ID.

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               None
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

gov:cn:mucd

A Chinese PLA MUCD.

The base type for the form can be found at gov:cn:mucd.

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               None
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

gov:us:cage

A Commercial and Government Entity (CAGE) code.

The base type for the form can be found at gov:us:cage.

Properties:

name      type         doc
:name0    ou:name      The name of the organization.
:name1    lower: True  Name Part 1.
:street   lower: True  The base string type.
:city     lower: True  The base string type.
:state    lower: True  The base string type.
:zip      gov:us:zip   A US Postal Zip Code.
:cc       pol:iso2     The 2 digit ISO 3166 country code.
:country  lower: True  The base string type.
:phone0   tel:phone    A phone number.
:phone1   tel:phone    A phone number.

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               None
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

gov:us:ssn

A US Social Security Number (SSN).

The base type for the form can be found at gov:us:ssn.

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               None
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

gov:us:zip

A US Postal Zip Code.

The base type for the form can be found at gov:us:zip.

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               None
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

graph:cluster

A generic node, used in conjunction with Edge types, to cluster arbitrary nodes to a single node in the model.

The base type for the form can be found at graph:cluster.

Properties:

name   type         doc
:name  lower: True  A human friendly name for the cluster.
:desc  lower: True  A human friendly long form description for the cluster.
:type  lower: True  An optional type field used to group clusters.

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               None
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

graph:edge

A generic digraph edge to show relationships outside the model.

The base type for the form can be found at graph:edge.

Properties:

name      type  doc                                                         opts
:n1       ndef  The node definition type for a (form,valu) compound field.  Read Only: True
:n1:form  str   The base string type.                                       Read Only: True
:n2       ndef  The node definition type for a (form,valu) compound field.  Read Only: True
:n2:form  str   The base string type.                                       Read Only: True

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               None
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

graph:event

A generic event node to represent events outside the model.

The base type for the form can be found at graph:event.

Properties:

name   type  doc
:time  time  The time of the event.
:type  str   An arbitrary type string for the event.
:name  str   A name for the event.
:data  data  Arbitrary non-indexed msgpack data attached to the event.

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               None
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

graph:node

A generic node used to represent objects outside the model.

The base type for the form can be found at graph:node.

Properties:

name   type  doc
:type  str   The type name for the non-model node.
:name  str   A human readable name for this record.
:data  data  Arbitrary non-indexed msgpack data attached to the node.

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               None
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

graph:timeedge

A generic digraph time edge to show relationships outside the model.

The base type for the form can be found at graph:timeedge.

Properties:

name        type    doc                                                          opts
:time       time    A date/time value.                                           Read Only: True
:n1         ndef    The node definition type for a (form,valu) compound field.   Read Only: True
:n1:form    str     The base string type.                                        Read Only: True
:n2         ndef    The node definition type for a (form,valu) compound field.   Read Only: True
:n2:form    str     The base string type.                                        Read Only: True

Source Edges:

source                verb            target            doc
*                     -(meets)>       ou:requirement    The requirement is met by the source node.
*                     -(refs)>        *                 The source node contains a reference to the target node.
*                     -(seenat)>      geo:telem         The source node was seen at the geo:telem node place and time.

Target Edges:

source                verb            target            doc
*                     -(refs)>        *                 The source node contains a reference to the target node.
econ:purchase         -(acquired)>    *                 The purchase was used to acquire the target node.
it:app:snort:rule     -(detects)>     *                 The Snort rule is intended for use in detecting the target node.
it:app:yara:rule      -(detects)>     *                 The YARA rule is intended for use in detecting the target node.
it:exec:query         -(found)>       *                 The target node was returned as a result of running the query.
meta:note             -(about)>       *                 The meta:note is about the target node.
meta:rule             -(detects)>     *                 The meta:rule is designed to detect instances of the target node.
meta:rule             -(matches)>     *                 The meta:rule has matched on the target node.
meta:source           -(seen)>        *                 The meta:source observed the target node.
ou:campaign           -(targets)>     *                 The campaign targeted the target nodes.
ou:campaign           -(uses)>        *                 The campaign made use of the target node.
ou:contribution       -(includes)>    *                 The contribution includes the specific node.
ou:org                -(has)>         *                 The organization is or was in possession of the target node.
ou:org                -(owns)>        *                 The organization owns or owned the target node.
ou:org                -(targets)>     *                 The organization targets the target node.
ou:org                -(uses)>        *                 The ou:org makes use of the target node.
ps:contact            -(has)>         *                 The contact is or was in possession of the target node.
ps:contact            -(owns)>        *                 The contact owns or owned the target node.
ps:person             -(has)>         *                 The person is or was in possession of the target node.
ps:person             -(owns)>        *                 The person owns or owned the target node.
risk:attack           -(targets)>     *                 The attack targeted the target node.
risk:attack           -(uses)>        *                 The attack used the target node to facilitate the attack.
risk:compromise       -(stole)>       *                 The target node was stolen or copied as a result of the compromise.
risk:extortion        -(leveraged)>   *                 The extortion event was based on attacker access to the target node.
risk:leak             -(leaked)>      *                 The leak included the disclosure of the target node.
risk:threat           -(targets)>     *                 The threat cluster targeted the target node.
risk:threat           -(uses)>        *                 The threat cluster uses the target node.
risk:tool:software    -(uses)>        *                 The tool uses the target node.
sci:evidence          -(has)>         *                 The evidence includes observations from the target nodes.
sci:experiment        -(uses)>        *                 The experiment used the target nodes when it was run.
sci:observation       -(has)>         *                 The observations are summarized from the target nodes.

hash:md5

A hex encoded MD5 hash.

The base type for the form can be found at hash:md5.

An example of hash:md5:

  • d41d8cd98f00b204e9800998ecf8427e

Source Edges:

source                verb            target            doc
*                     -(meets)>       ou:requirement    The requirement is met by the source node.
*                     -(refs)>        *                 The source node contains a reference to the target node.
*                     -(seenat)>      geo:telem         The source node was seen at the geo:telem node place and time.

Target Edges:

source                verb            target            doc
*                     -(refs)>        *                 The source node contains a reference to the target node.
econ:purchase         -(acquired)>    *                 The purchase was used to acquire the target node.
it:app:snort:rule     -(detects)>     *                 The Snort rule is intended for use in detecting the target node.
it:app:yara:rule      -(detects)>     *                 The YARA rule is intended for use in detecting the target node.
it:exec:query         -(found)>       *                 The target node was returned as a result of running the query.
meta:note             -(about)>       *                 The meta:note is about the target node.
meta:rule             -(detects)>     *                 The meta:rule is designed to detect instances of the target node.
meta:rule             -(matches)>     *                 The meta:rule has matched on the target node.
meta:source           -(seen)>        *                 The meta:source observed the target node.
ou:campaign           -(targets)>     *                 The campaign targeted the target nodes.
ou:campaign           -(uses)>        *                 The campaign made use of the target node.
ou:contribution       -(includes)>    *                 The contribution includes the specific node.
ou:org                -(has)>         *                 The organization is or was in possession of the target node.
ou:org                -(owns)>        *                 The organization owns or owned the target node.
ou:org                -(targets)>     *                 The organization targets the target node.
ou:org                -(uses)>        *                 The ou:org makes use of the target node.
ps:contact            -(has)>         *                 The contact is or was in possession of the target node.
ps:contact            -(owns)>        *                 The contact owns or owned the target node.
ps:person             -(has)>         *                 The person is or was in possession of the target node.
ps:person             -(owns)>        *                 The person owns or owned the target node.
risk:attack           -(targets)>     *                 The attack targeted the target node.
risk:attack           -(uses)>        *                 The attack used the target node to facilitate the attack.
risk:compromise       -(stole)>       *                 The target node was stolen or copied as a result of the compromise.
risk:extortion        -(leveraged)>   *                 The extortion event was based on attacker access to the target node.
risk:leak             -(leaked)>      *                 The leak included the disclosure of the target node.
risk:threat           -(targets)>     *                 The threat cluster targeted the target node.
risk:threat           -(uses)>        *                 The threat cluster uses the target node.
risk:tool:software    -(uses)>        *                 The tool uses the target node.
sci:evidence          -(has)>         *                 The evidence includes observations from the target nodes.
sci:experiment        -(uses)>        *                 The experiment used the target nodes when it was run.
sci:observation       -(has)>         *                 The observations are summarized from the target nodes.

hash:sha1

A hex encoded SHA1 hash.

The base type for the form can be found at hash:sha1.

An example of hash:sha1:

  • da39a3ee5e6b4b0d3255bfef95601890afd80709

Source Edges:

source                verb            target            doc
*                     -(meets)>       ou:requirement    The requirement is met by the source node.
*                     -(refs)>        *                 The source node contains a reference to the target node.
*                     -(seenat)>      geo:telem         The source node was seen at the geo:telem node place and time.

Target Edges:

source                verb            target            doc
*                     -(refs)>        *                 The source node contains a reference to the target node.
econ:purchase         -(acquired)>    *                 The purchase was used to acquire the target node.
it:app:snort:rule     -(detects)>     *                 The Snort rule is intended for use in detecting the target node.
it:app:yara:rule      -(detects)>     *                 The YARA rule is intended for use in detecting the target node.
it:exec:query         -(found)>       *                 The target node was returned as a result of running the query.
meta:note             -(about)>       *                 The meta:note is about the target node.
meta:rule             -(detects)>     *                 The meta:rule is designed to detect instances of the target node.
meta:rule             -(matches)>     *                 The meta:rule has matched on the target node.
meta:source           -(seen)>        *                 The meta:source observed the target node.
ou:campaign           -(targets)>     *                 The campaign targeted the target nodes.
ou:campaign           -(uses)>        *                 The campaign made use of the target node.
ou:contribution       -(includes)>    *                 The contribution includes the specific node.
ou:org                -(has)>         *                 The organization is or was in possession of the target node.
ou:org                -(owns)>        *                 The organization owns or owned the target node.
ou:org                -(targets)>     *                 The organization targets the target node.
ou:org                -(uses)>        *                 The ou:org makes use of the target node.
ps:contact            -(has)>         *                 The contact is or was in possession of the target node.
ps:contact            -(owns)>        *                 The contact owns or owned the target node.
ps:person             -(has)>         *                 The person is or was in possession of the target node.
ps:person             -(owns)>        *                 The person owns or owned the target node.
risk:attack           -(targets)>     *                 The attack targeted the target node.
risk:attack           -(uses)>        *                 The attack used the target node to facilitate the attack.
risk:compromise       -(stole)>       *                 The target node was stolen or copied as a result of the compromise.
risk:extortion        -(leveraged)>   *                 The extortion event was based on attacker access to the target node.
risk:leak             -(leaked)>      *                 The leak included the disclosure of the target node.
risk:threat           -(targets)>     *                 The threat cluster targeted the target node.
risk:threat           -(uses)>        *                 The threat cluster uses the target node.
risk:tool:software    -(uses)>        *                 The tool uses the target node.
sci:evidence          -(has)>         *                 The evidence includes observations from the target nodes.
sci:experiment        -(uses)>        *                 The experiment used the target nodes when it was run.
sci:observation       -(has)>         *                 The observations are summarized from the target nodes.

hash:sha256

A hex encoded SHA256 hash.

The base type for the form can be found at hash:sha256.

An example of hash:sha256:

  • ad9f4fe922b61e674a09530831759843b1880381de686a43460a76864ca0340c

Source Edges:

source                verb            target            doc
*                     -(meets)>       ou:requirement    The requirement is met by the source node.
*                     -(refs)>        *                 The source node contains a reference to the target node.
*                     -(seenat)>      geo:telem         The source node was seen at the geo:telem node place and time.

Target Edges:

source                verb            target            doc
*                     -(refs)>        *                 The source node contains a reference to the target node.
econ:purchase         -(acquired)>    *                 The purchase was used to acquire the target node.
it:app:snort:rule     -(detects)>     *                 The Snort rule is intended for use in detecting the target node.
it:app:yara:rule      -(detects)>     *                 The YARA rule is intended for use in detecting the target node.
it:exec:query         -(found)>       *                 The target node was returned as a result of running the query.
meta:note             -(about)>       *                 The meta:note is about the target node.
meta:rule             -(detects)>     *                 The meta:rule is designed to detect instances of the target node.
meta:rule             -(matches)>     *                 The meta:rule has matched on the target node.
meta:source           -(seen)>        *                 The meta:source observed the target node.
ou:campaign           -(targets)>     *                 The campaign targeted the target nodes.
ou:campaign           -(uses)>        *                 The campaign made use of the target node.
ou:contribution       -(includes)>    *                 The contribution includes the specific node.
ou:org                -(has)>         *                 The organization is or was in possession of the target node.
ou:org                -(owns)>        *                 The organization owns or owned the target node.
ou:org                -(targets)>     *                 The organization targets the target node.
ou:org                -(uses)>        *                 The ou:org makes use of the target node.
ps:contact            -(has)>         *                 The contact is or was in possession of the target node.
ps:contact            -(owns)>        *                 The contact owns or owned the target node.
ps:person             -(has)>         *                 The person is or was in possession of the target node.
ps:person             -(owns)>        *                 The person owns or owned the target node.
risk:attack           -(targets)>     *                 The attack targeted the target node.
risk:attack           -(uses)>        *                 The attack used the target node to facilitate the attack.
risk:compromise       -(stole)>       *                 The target node was stolen or copied as a result of the compromise.
risk:extortion        -(leveraged)>   *                 The extortion event was based on attacker access to the target node.
risk:leak             -(leaked)>      *                 The leak included the disclosure of the target node.
risk:threat           -(targets)>     *                 The threat cluster targeted the target node.
risk:threat           -(uses)>        *                 The threat cluster uses the target node.
risk:tool:software    -(uses)>        *                 The tool uses the target node.
sci:evidence          -(has)>         *                 The evidence includes observations from the target nodes.
sci:experiment        -(uses)>        *                 The experiment used the target nodes when it was run.
sci:observation       -(has)>         *                 The observations are summarized from the target nodes.

hash:sha384

A hex encoded SHA384 hash.

The base type for the form can be found at hash:sha384.

An example of hash:sha384:

  • d425f1394e418ce01ed1579069a8bfaa1da8f32cf823982113ccbef531fa36bda9987f389c5af05b5e28035242efab6c

Source Edges:

source                verb            target            doc
*                     -(meets)>       ou:requirement    The requirement is met by the source node.
*                     -(refs)>        *                 The source node contains a reference to the target node.
*                     -(seenat)>      geo:telem         The source node was seen at the geo:telem node place and time.

Target Edges:

source                verb            target            doc
*                     -(refs)>        *                 The source node contains a reference to the target node.
econ:purchase         -(acquired)>    *                 The purchase was used to acquire the target node.
it:app:snort:rule     -(detects)>     *                 The Snort rule is intended for use in detecting the target node.
it:app:yara:rule      -(detects)>     *                 The YARA rule is intended for use in detecting the target node.
it:exec:query         -(found)>       *                 The target node was returned as a result of running the query.
meta:note             -(about)>       *                 The meta:note is about the target node.
meta:rule             -(detects)>     *                 The meta:rule is designed to detect instances of the target node.
meta:rule             -(matches)>     *                 The meta:rule has matched on the target node.
meta:source           -(seen)>        *                 The meta:source observed the target node.
ou:campaign           -(targets)>     *                 The campaign targeted the target nodes.
ou:campaign           -(uses)>        *                 The campaign made use of the target node.
ou:contribution       -(includes)>    *                 The contribution includes the specific node.
ou:org                -(has)>         *                 The organization is or was in possession of the target node.
ou:org                -(owns)>        *                 The organization owns or owned the target node.
ou:org                -(targets)>     *                 The organization targets the target node.
ou:org                -(uses)>        *                 The ou:org makes use of the target node.
ps:contact            -(has)>         *                 The contact is or was in possession of the target node.
ps:contact            -(owns)>        *                 The contact owns or owned the target node.
ps:person             -(has)>         *                 The person is or was in possession of the target node.
ps:person             -(owns)>        *                 The person owns or owned the target node.
risk:attack           -(targets)>     *                 The attack targeted the target node.
risk:attack           -(uses)>        *                 The attack used the target node to facilitate the attack.
risk:compromise       -(stole)>       *                 The target node was stolen or copied as a result of the compromise.
risk:extortion        -(leveraged)>   *                 The extortion event was based on attacker access to the target node.
risk:leak             -(leaked)>      *                 The leak included the disclosure of the target node.
risk:threat           -(targets)>     *                 The threat cluster targeted the target node.
risk:threat           -(uses)>        *                 The threat cluster uses the target node.
risk:tool:software    -(uses)>        *                 The tool uses the target node.
sci:evidence          -(has)>         *                 The evidence includes observations from the target nodes.
sci:experiment        -(uses)>        *                 The experiment used the target nodes when it was run.
sci:observation       -(has)>         *                 The observations are summarized from the target nodes.

hash:sha512

A hex encoded SHA512 hash.

The base type for the form can be found at hash:sha512.

An example of hash:sha512:

  • ca74fe2ff2d03b29339ad7d08ba21d192077fece1715291c7b43c20c9136cd132788239189f3441a87eb23ce2660aa243f334295902c904b5520f6e80ab91f11

Source Edges:

source                verb            target            doc
*                     -(meets)>       ou:requirement    The requirement is met by the source node.
*                     -(refs)>        *                 The source node contains a reference to the target node.
*                     -(seenat)>      geo:telem         The source node was seen at the geo:telem node place and time.

Target Edges:

source                verb            target            doc
*                     -(refs)>        *                 The source node contains a reference to the target node.
econ:purchase         -(acquired)>    *                 The purchase was used to acquire the target node.
it:app:snort:rule     -(detects)>     *                 The Snort rule is intended for use in detecting the target node.
it:app:yara:rule      -(detects)>     *                 The YARA rule is intended for use in detecting the target node.
it:exec:query         -(found)>       *                 The target node was returned as a result of running the query.
meta:note             -(about)>       *                 The meta:note is about the target node.
meta:rule             -(detects)>     *                 The meta:rule is designed to detect instances of the target node.
meta:rule             -(matches)>     *                 The meta:rule has matched on the target node.
meta:source           -(seen)>        *                 The meta:source observed the target node.
ou:campaign           -(targets)>     *                 The campaign targeted the target nodes.
ou:campaign           -(uses)>        *                 The campaign made use of the target node.
ou:contribution       -(includes)>    *                 The contribution includes the specific node.
ou:org                -(has)>         *                 The organization is or was in possession of the target node.
ou:org                -(owns)>        *                 The organization owns or owned the target node.
ou:org                -(targets)>     *                 The organization targets the target node.
ou:org                -(uses)>        *                 The ou:org makes use of the target node.
ps:contact            -(has)>         *                 The contact is or was in possession of the target node.
ps:contact            -(owns)>        *                 The contact owns or owned the target node.
ps:person             -(has)>         *                 The person is or was in possession of the target node.
ps:person             -(owns)>        *                 The person owns or owned the target node.
risk:attack           -(targets)>     *                 The attack targeted the target node.
risk:attack           -(uses)>        *                 The attack used the target node to facilitate the attack.
risk:compromise       -(stole)>       *                 The target node was stolen or copied as a result of the compromise.
risk:extortion        -(leveraged)>   *                 The extortion event was based on attacker access to the target node.
risk:leak             -(leaked)>      *                 The leak included the disclosure of the target node.
risk:threat           -(targets)>     *                 The threat cluster targeted the target node.
risk:threat           -(uses)>        *                 The threat cluster uses the target node.
risk:tool:software    -(uses)>        *                 The tool uses the target node.
sci:evidence          -(has)>         *                 The evidence includes observations from the target nodes.
sci:experiment        -(uses)>        *                 The experiment used the target nodes when it was run.
sci:observation       -(has)>         *                 The observations are summarized from the target nodes.

inet:asn

An Autonomous System Number (ASN).

The base type for the form can be found at inet:asn.

Properties:

name      type           doc
:name     lower: True    The name of the organization currently responsible for the ASN.
:owner    ou:org         The guid of the organization currently responsible for the ASN.

Source Edges:

source                verb            target            doc
*                     -(meets)>       ou:requirement    The requirement is met by the source node.
*                     -(refs)>        *                 The source node contains a reference to the target node.
*                     -(seenat)>      geo:telem         The source node was seen at the geo:telem node place and time.

Target Edges:

source                verb            target            doc
*                     -(refs)>        *                 The source node contains a reference to the target node.
econ:purchase         -(acquired)>    *                 The purchase was used to acquire the target node.
it:app:snort:rule     -(detects)>     *                 The Snort rule is intended for use in detecting the target node.
it:app:yara:rule      -(detects)>     *                 The YARA rule is intended for use in detecting the target node.
it:exec:query         -(found)>       *                 The target node was returned as a result of running the query.
meta:note             -(about)>       *                 The meta:note is about the target node.
meta:rule             -(detects)>     *                 The meta:rule is designed to detect instances of the target node.
meta:rule             -(matches)>     *                 The meta:rule has matched on the target node.
meta:source           -(seen)>        *                 The meta:source observed the target node.
ou:campaign           -(targets)>     *                 The campaign targeted the target nodes.
ou:campaign           -(uses)>        *                 The campaign made use of the target node.
ou:contribution       -(includes)>    *                 The contribution includes the specific node.
ou:org                -(has)>         *                 The organization is or was in possession of the target node.
ou:org                -(owns)>        *                 The organization owns or owned the target node.
ou:org                -(targets)>     *                 The organization targets the target node.
ou:org                -(uses)>        *                 The ou:org makes use of the target node.
ps:contact            -(has)>         *                 The contact is or was in possession of the target node.
ps:contact            -(owns)>        *                 The contact owns or owned the target node.
ps:person             -(has)>         *                 The person is or was in possession of the target node.
ps:person             -(owns)>        *                 The person owns or owned the target node.
risk:attack           -(targets)>     *                 The attack targeted the target node.
risk:attack           -(uses)>        *                 The attack used the target node to facilitate the attack.
risk:compromise       -(stole)>       *                 The target node was stolen or copied as a result of the compromise.
risk:extortion        -(leveraged)>   *                 The extortion event was based on attacker access to the target node.
risk:leak             -(leaked)>      *                 The leak included the disclosure of the target node.
risk:threat           -(targets)>     *                 The threat cluster targeted the target node.
risk:threat           -(uses)>        *                 The threat cluster uses the target node.
risk:tool:software    -(uses)>        *                 The tool uses the target node.
sci:evidence          -(has)>         *                 The evidence includes observations from the target nodes.
sci:experiment        -(uses)>        *                 The experiment used the target nodes when it was run.
sci:observation       -(has)>         *                 The observations are summarized from the target nodes.

inet:asnet4

An Autonomous System Number (ASN) and its associated IPv4 address range.

The base type for the form can be found at inet:asnet4.

An example of inet:asnet4:

  • (54959, (1.2.3.4, 1.2.3.20))

Properties:

name         type         doc                                                   opts
:asn         inet:asn     The Autonomous System Number (ASN) of the netblock.   Read Only: True
:net4        inet:net4    The IPv4 address range assigned to the ASN.           Read Only: True
:net4:min    inet:ipv4    The first IPv4 in the range assigned to the ASN.      Read Only: True
:net4:max    inet:ipv4    The last IPv4 in the range assigned to the ASN.       Read Only: True

Source Edges:

source                verb            target            doc
*                     -(meets)>       ou:requirement    The requirement is met by the source node.
*                     -(refs)>        *                 The source node contains a reference to the target node.
*                     -(seenat)>      geo:telem         The source node was seen at the geo:telem node place and time.

Target Edges:

source                verb            target            doc
*                     -(refs)>        *                 The source node contains a reference to the target node.
econ:purchase         -(acquired)>    *                 The purchase was used to acquire the target node.
it:app:snort:rule     -(detects)>     *                 The Snort rule is intended for use in detecting the target node.
it:app:yara:rule      -(detects)>     *                 The YARA rule is intended for use in detecting the target node.
it:exec:query         -(found)>       *                 The target node was returned as a result of running the query.
meta:note             -(about)>       *                 The meta:note is about the target node.
meta:rule             -(detects)>     *                 The meta:rule is designed to detect instances of the target node.
meta:rule             -(matches)>     *                 The meta:rule has matched on the target node.
meta:source           -(seen)>        *                 The meta:source observed the target node.
ou:campaign           -(targets)>     *                 The campaign targeted the target nodes.
ou:campaign           -(uses)>        *                 The campaign made use of the target node.
ou:contribution       -(includes)>    *                 The contribution includes the specific node.
ou:org                -(has)>         *                 The organization is or was in possession of the target node.
ou:org                -(owns)>        *                 The organization owns or owned the target node.
ou:org                -(targets)>     *                 The organization targets the target node.
ou:org                -(uses)>        *                 The ou:org makes use of the target node.
ps:contact            -(has)>         *                 The contact is or was in possession of the target node.
ps:contact            -(owns)>        *                 The contact owns or owned the target node.
ps:person             -(has)>         *                 The person is or was in possession of the target node.
ps:person             -(owns)>        *                 The person owns or owned the target node.
risk:attack           -(targets)>     *                 The attack targeted the target node.
risk:attack           -(uses)>        *                 The attack used the target node to facilitate the attack.
risk:compromise       -(stole)>       *                 The target node was stolen or copied as a result of the compromise.
risk:extortion        -(leveraged)>   *                 The extortion event was based on attacker access to the target node.
risk:leak             -(leaked)>      *                 The leak included the disclosure of the target node.
risk:threat           -(targets)>     *                 The threat cluster targeted the target node.
risk:threat           -(uses)>        *                 The threat cluster uses the target node.
risk:tool:software    -(uses)>        *                 The tool uses the target node.
sci:evidence          -(has)>         *                 The evidence includes observations from the target nodes.
sci:experiment        -(uses)>        *                 The experiment used the target nodes when it was run.
sci:observation       -(has)>         *                 The observations are summarized from the target nodes.

inet:asnet6

An Autonomous System Number (ASN) and its associated IPv6 address range.

The base type for the form can be found at inet:asnet6.

An example of inet:asnet6:

  • (54959, (ff::00, ff::02))

Properties:

name         type         doc                                                   opts
:asn         inet:asn     The Autonomous System Number (ASN) of the netblock.   Read Only: True
:net6        inet:net6    The IPv6 address range assigned to the ASN.           Read Only: True
:net6:min    inet:ipv6    The first IPv6 in the range assigned to the ASN.      Read Only: True
:net6:max    inet:ipv6    The last IPv6 in the range assigned to the ASN.       Read Only: True

Source Edges:

source                verb            target            doc
*                     -(meets)>       ou:requirement    The requirement is met by the source node.
*                     -(refs)>        *                 The source node contains a reference to the target node.
*                     -(seenat)>      geo:telem         The source node was seen at the geo:telem node place and time.

Target Edges:

source                verb            target            doc
*                     -(refs)>        *                 The source node contains a reference to the target node.
econ:purchase         -(acquired)>    *                 The purchase was used to acquire the target node.
it:app:snort:rule     -(detects)>     *                 The Snort rule is intended for use in detecting the target node.
it:app:yara:rule      -(detects)>     *                 The YARA rule is intended for use in detecting the target node.
it:exec:query         -(found)>       *                 The target node was returned as a result of running the query.
meta:note             -(about)>       *                 The meta:note is about the target node.
meta:rule             -(detects)>     *                 The meta:rule is designed to detect instances of the target node.
meta:rule             -(matches)>     *                 The meta:rule has matched on the target node.
meta:source           -(seen)>        *                 The meta:source observed the target node.
ou:campaign           -(targets)>     *                 The campaign targeted the target nodes.
ou:campaign           -(uses)>        *                 The campaign made use of the target node.
ou:contribution       -(includes)>    *                 The contribution includes the specific node.
ou:org                -(has)>         *                 The organization is or was in possession of the target node.
ou:org                -(owns)>        *                 The organization owns or owned the target node.
ou:org                -(targets)>     *                 The organization targets the target node.
ou:org                -(uses)>        *                 The ou:org makes use of the target node.
ps:contact            -(has)>         *                 The contact is or was in possession of the target node.
ps:contact            -(owns)>        *                 The contact owns or owned the target node.
ps:person             -(has)>         *                 The person is or was in possession of the target node.
ps:person             -(owns)>        *                 The person owns or owned the target node.
risk:attack           -(targets)>     *                 The attack targeted the target node.
risk:attack           -(uses)>        *                 The attack used the target node to facilitate the attack.
risk:compromise       -(stole)>       *                 The target node was stolen or copied as a result of the compromise.
risk:extortion        -(leveraged)>   *                 The extortion event was based on attacker access to the target node.
risk:leak             -(leaked)>      *                 The leak included the disclosure of the target node.
risk:threat           -(targets)>     *                 The threat cluster targeted the target node.
risk:threat           -(uses)>        *                 The threat cluster uses the target node.
risk:tool:software    -(uses)>        *                 The tool uses the target node.
sci:evidence          -(has)>         *                 The evidence includes observations from the target nodes.
sci:experiment        -(uses)>        *                 The experiment used the target nodes when it was run.
sci:observation       -(has)>         *                 The observations are summarized from the target nodes.

inet:banner

A network protocol banner string presented by a server.

The base type for the form can be found at inet:banner.

Properties:

name            type           doc                                             opts
:server         inet:server    The server which presented the banner string.   Read Only: True
:server:ipv4    inet:ipv4      The IPv4 address of the server.                 Read Only: True
:server:ipv6    inet:ipv6      The IPv6 address of the server.                 Read Only: True
:server:port    inet:port      The network port.                               Read Only: True
:text           it:dev:str     The banner text.                                Read Only: True; Display: {'hint': 'text'}

Source Edges:

source                verb            target            doc
*                     -(meets)>       ou:requirement    The requirement is met by the source node.
*                     -(refs)>        *                 The source node contains a reference to the target node.
*                     -(seenat)>      geo:telem         The source node was seen at the geo:telem node place and time.

Target Edges:

source                verb            target            doc
*                     -(refs)>        *                 The source node contains a reference to the target node.
econ:purchase         -(acquired)>    *                 The purchase was used to acquire the target node.
it:app:snort:rule     -(detects)>     *                 The Snort rule is intended for use in detecting the target node.
it:app:yara:rule      -(detects)>     *                 The YARA rule is intended for use in detecting the target node.
it:exec:query         -(found)>       *                 The target node was returned as a result of running the query.
meta:note             -(about)>       *                 The meta:note is about the target node.
meta:rule             -(detects)>     *                 The meta:rule is designed to detect instances of the target node.
meta:rule             -(matches)>     *                 The meta:rule has matched on the target node.
meta:source           -(seen)>        *                 The meta:source observed the target node.
ou:campaign           -(targets)>     *                 The campaign targeted the target nodes.
ou:campaign           -(uses)>        *                 The campaign made use of the target node.
ou:contribution       -(includes)>    *                 The contribution includes the specific node.
ou:org                -(has)>         *                 The organization is or was in possession of the target node.
ou:org                -(owns)>        *                 The organization owns or owned the target node.
ou:org                -(targets)>     *                 The organization targets the target node.
ou:org                -(uses)>        *                 The ou:org makes use of the target node.
ps:contact            -(has)>         *                 The contact is or was in possession of the target node.
ps:contact            -(owns)>        *                 The contact owns or owned the target node.
ps:person             -(has)>         *                 The person is or was in possession of the target node.
ps:person             -(owns)>        *                 The person owns or owned the target node.
risk:attack           -(targets)>     *                 The attack targeted the target node.
risk:attack           -(uses)>        *                 The attack used the target node to facilitate the attack.
risk:compromise       -(stole)>       *                 The target node was stolen or copied as a result of the compromise.
risk:extortion        -(leveraged)>   *                 The extortion event was based on attacker access to the target node.
risk:leak             -(leaked)>      *                 The leak included the disclosure of the target node.
risk:threat           -(targets)>     *                 The threat cluster targeted the target node.
risk:threat           -(uses)>        *                 The threat cluster uses the target node.
risk:tool:software    -(uses)>        *                 The tool uses the target node.
sci:evidence          -(has)>         *                 The evidence includes observations from the target nodes.
sci:experiment        -(uses)>        *                 The experiment used the target nodes when it was run.
sci:observation       -(has)>         *                 The observations are summarized from the target nodes.

inet:cidr4

An IPv4 address block in Classless Inter-Domain Routing (CIDR) notation.

The base type for the form can be found at inet:cidr4.

An example of inet:cidr4:

  • 1.2.3.0/24

Properties:

name          type         doc                                                opts
:broadcast    inet:ipv4    The broadcast IP address from the CIDR notation.   Read Only: True
:mask         int          The mask from the CIDR notation.                   Read Only: True
:network      inet:ipv4    The network IP address from the CIDR notation.     Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:cidr6

An IPv6 address block in Classless Inter-Domain Routing (CIDR) notation.

The base type for the form can be found at inet:cidr6.

An example of inet:cidr6:

  • 2001:db8::/101

Properties:

name | type | doc | opts
:broadcast | inet:ipv6 | The broadcast IP address from the CIDR notation. | Read Only: True
:mask | int | The mask from the CIDR notation. | Read Only: True
:network | inet:ipv6 | The network IP address from the CIDR notation. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:client

A network client address.

The base type for the form can be found at inet:client.

An example of inet:client:

  • tcp://1.2.3.4:80

Properties:

name | type | doc | opts
:proto | lower: True | The network protocol of the client. | Read Only: True
:ipv4 | inet:ipv4 | The IPv4 of the client. | Read Only: True
:ipv6 | inet:ipv6 | The IPv6 of the client. | Read Only: True
:host | it:host | The it:host node for the client. | Read Only: True
:port | inet:port | The client tcp/udp port. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:a

The result of a DNS A record lookup.

The base type for the form can be found at inet:dns:a.

An example of inet:dns:a:

  • (vertex.link,1.2.3.4)

Properties:

name | type | doc | opts
:fqdn | inet:fqdn | The domain queried for its DNS A record. | Read Only: True
:ipv4 | inet:ipv4 | The IPv4 address returned in the A record. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:aaaa

The result of a DNS AAAA record lookup.

The base type for the form can be found at inet:dns:aaaa.

An example of inet:dns:aaaa:

  • (vertex.link,2607:f8b0:4004:809::200e)

Properties:

name | type | doc | opts
:fqdn | inet:fqdn | The domain queried for its DNS AAAA record. | Read Only: True
:ipv6 | inet:ipv6 | The IPv6 address returned in the AAAA record. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:answer

A single answer from within a DNS reply.

The base type for the form can be found at inet:dns:answer.

Properties:

name | type | doc
:ttl | int | The base 64 bit signed integer type.
:request | inet:dns:request | A single instance of a DNS resolver request and optional reply info.
:a | inet:dns:a | The DNS A record returned by the lookup.
:ns | inet:dns:ns | The DNS NS record returned by the lookup.
:rev | inet:dns:rev | The DNS PTR record returned by the lookup.
:aaaa | inet:dns:aaaa | The DNS AAAA record returned by the lookup.
:rev6 | inet:dns:rev6 | The DNS PTR record returned by the lookup of an IPv6 address.
:cname | inet:dns:cname | The DNS CNAME record returned by the lookup.
:mx | inet:dns:mx | The DNS MX record returned by the lookup.
:mx:priority | int | The DNS MX record priority.
:soa | inet:dns:soa | The domain queried for its SOA record.
:txt | inet:dns:txt | The DNS TXT record returned by the lookup.
:time | time | The time that the DNS response was transmitted.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:cname

The result of a DNS CNAME record lookup.

The base type for the form can be found at inet:dns:cname.

An example of inet:dns:cname:

  • (foo.vertex.link,vertex.link)

Properties:

name | type | doc | opts
:fqdn | inet:fqdn | The domain queried for its CNAME record. | Read Only: True
:cname | inet:fqdn | The domain returned in the CNAME record. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:dynreg

A dynamic DNS registration.

The base type for the form can be found at inet:dns:dynreg.

Properties:

name | type | doc
:fqdn | inet:fqdn | The FQDN registered within a dynamic DNS provider.
:provider | ou:org | The organization which provides the dynamic DNS FQDN.
:provider:name | ou:name | The name of the organization which provides the dynamic DNS FQDN.
:provider:fqdn | inet:fqdn | The FQDN of the organization which provides the dynamic DNS FQDN.
:contact | ps:contact | The contact information of the registrant.
:created | time | The time that the dynamic DNS registration was first created.
:client | inet:client | The network client address used to register the dynamic FQDN.
:client:ipv4 | inet:ipv4 | The client IPv4 address used to register the dynamic FQDN.
:client:ipv6 | inet:ipv6 | The client IPv6 address used to register the dynamic FQDN.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:mx

The result of a DNS MX record lookup.

The base type for the form can be found at inet:dns:mx.

An example of inet:dns:mx:

  • (vertex.link,mail.vertex.link)

Properties:

name | type | doc | opts
:fqdn | inet:fqdn | The domain queried for its MX record. | Read Only: True
:mx | inet:fqdn | The domain returned in the MX record. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:ns

The result of a DNS NS record lookup.

The base type for the form can be found at inet:dns:ns.

An example of inet:dns:ns:

  • (vertex.link,ns.dnshost.com)

Properties:

name | type | doc | opts
:zone | inet:fqdn | The domain queried for its DNS NS record. | Read Only: True
:ns | inet:fqdn | The domain returned in the NS record. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:dns:query

A DNS query unique to a given client.

The base type for the form can be found at inet:dns:query.

An example of inet:dns:query:

  • (1.2.3.4, woot.com, 1)

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :client | inet:client | A network client address. | Read Only: True |
| :name | inet:dns:name | A DNS query name string. Likely an FQDN but not always. | Read Only: True |
| :name:ipv4 | inet:ipv4 | An IPv4 address. | |
| :name:ipv6 | inet:ipv6 | An IPv6 address. | |
| :name:fqdn | inet:fqdn | A Fully Qualified Domain Name (FQDN). | |
| :type | int | The base 64 bit signed integer type. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:dns:request

A single instance of a DNS resolver request and optional reply info.

The base type for the form can be found at inet:dns:request.

Properties:

| name | type | doc |
|---|---|---|
| :time | time | A date/time value. |
| :query | inet:dns:query | A DNS query unique to a given client. |
| :query:name | inet:dns:name | A DNS query name string. Likely an FQDN but not always. |
| :query:name:ipv4 | inet:ipv4 | An IPv4 address. |
| :query:name:ipv6 | inet:ipv6 | An IPv6 address. |
| :query:name:fqdn | inet:fqdn | A Fully Qualified Domain Name (FQDN). |
| :query:type | int | The base 64 bit signed integer type. |
| :server | inet:server | A network server address. |
| :reply:code | int | The DNS server response code. |
| :exe | file:bytes | The file containing the code that attempted the DNS lookup. |
| :proc | it:exec:proc | The process that attempted the DNS lookup. |
| :host | it:host | The host that attempted the DNS lookup. |
| :sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:dns:rev

The transformed result of a DNS PTR record lookup.

The base type for the form can be found at inet:dns:rev.

An example of inet:dns:rev:

  • (1.2.3.4,vertex.link)

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :ipv4 | inet:ipv4 | The IPv4 address queried for its DNS PTR record. | Read Only: True |
| :fqdn | inet:fqdn | The domain returned in the PTR record. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:dns:rev6

The transformed result of a DNS PTR record for an IPv6 address.

The base type for the form can be found at inet:dns:rev6.

An example of inet:dns:rev6:

  • (2607:f8b0:4004:809::200e,vertex.link)

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :ipv6 | inet:ipv6 | The IPv6 address queried for its DNS PTR record. | Read Only: True |
| :fqdn | inet:fqdn | The domain returned in the PTR record. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:dns:soa

The result of a DNS SOA record lookup.

The base type for the form can be found at inet:dns:soa.

Properties:

| name | type | doc |
|---|---|---|
| :fqdn | inet:fqdn | The domain queried for its SOA record. |
| :ns | inet:fqdn | The domain (MNAME) returned in the SOA record. |
| :email | inet:email | The email address (RNAME) returned in the SOA record. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:dns:txt

The result of a DNS TXT record lookup.

The base type for the form can be found at inet:dns:txt.

An example of inet:dns:txt:

  • (hehe.vertex.link,"fancy TXT record")

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :fqdn | inet:fqdn | The domain queried for its TXT record. | Read Only: True |
| :txt | str | The string returned in the TXT record. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:dns:wild:a

A DNS A wild card record and the IPv4 it resolves to.

The base type for the form can be found at inet:dns:wild:a.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :fqdn | inet:fqdn | The domain containing a wild card record. | Read Only: True |
| :ipv4 | inet:ipv4 | The IPv4 address returned by wild card resolutions. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:dns:wild:aaaa

A DNS AAAA wild card record and the IPv6 it resolves to.

The base type for the form can be found at inet:dns:wild:aaaa.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :fqdn | inet:fqdn | The domain containing a wild card record. | Read Only: True |
| :ipv6 | inet:ipv6 | The IPv6 address returned by wild card resolutions. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:download

An instance of a file downloaded from a server.

The base type for the form can be found at inet:download.

Properties:

| name | type | doc |
|---|---|---|
| :time | time | The time the file was downloaded. |
| :fqdn | inet:fqdn | The FQDN used to resolve the server. |
| :file | file:bytes | The file that was downloaded. |
| :server | inet:server | The inet:addr of the server. |
| :server:host | it:host | The it:host node for the server. |
| :server:ipv4 | inet:ipv4 | The IPv4 of the server. |
| :server:ipv6 | inet:ipv6 | The IPv6 of the server. |
| :server:port | inet:port | The server tcp/udp port. |
| :server:proto | str (lower: True) | The server network layer protocol. |
| :client | inet:client | The inet:addr of the client. |
| :client:host | it:host | The it:host node for the client. |
| :client:ipv4 | inet:ipv4 | The IPv4 of the client. |
| :client:ipv6 | inet:ipv6 | The IPv6 of the client. |
| :client:port | inet:port | The client tcp/udp port. |
| :client:proto | str (lower: True) | The client network layer protocol. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:egress

A host using a specific network egress client address.

The base type for the form can be found at inet:egress.

Properties:

| name | type | doc |
|---|---|---|
| :host | it:host | The host that used the network egress. |
| :client | inet:client | The client address the host used as a network egress. |
| :client:ipv4 | inet:ipv4 | The client IPv4 address the host used as a network egress. |
| :client:ipv6 | inet:ipv6 | The client IPv6 address the host used as a network egress. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:email

An e-mail address.

The base type for the form can be found at inet:email.

Properties:

name

type

doc

opts

:user

inet:user

The username of the email address.

Read Only: True

:fqdn

inet:fqdn

The domain of the email address.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:email:header

A unique email message header.

The base type for the form can be found at inet:email:header.

Properties:

name

type

doc

opts

:name

inet:email:header:name

The name of the email header.

Read Only: True

:value

str

The value of the email header.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:email:message

An individual email message delivered to an inbox.

The base type for the form can be found at inet:email:message.

Properties:

name

type

doc

opts

:to

inet:email

The email address of the recipient.

:from

inet:email

The email address of the sender.

:replyto

inet:email

The email address parsed from the “reply-to” header.

:cc

uniq: True
sorted: True

Email addresses parsed from the “cc” header.

:subject

str

The email message subject parsed from the “subject” header.

:body

str

The body of the email message.

Display: {'hint': 'text'}

:date

time

The time the email message was delivered.

:bytes

file:bytes

The file bytes which contain the email message.

:headers

An array of email headers from the message.

:received:from:ipv4

inet:ipv4

The sending SMTP server IPv4, potentially from the Received: header.

:received:from:ipv6

inet:ipv6

The sending SMTP server IPv6, potentially from the Received: header.

:received:from:fqdn

inet:fqdn

The sending server FQDN, potentially from the Received: header.

:flow

inet:flow

The inet:flow which delivered the message.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:email:message:attachment

A file which was attached to an email message.

The base type for the form can be found at inet:email:message:attachment.

Properties:

name

type

doc

opts

:message

inet:email:message

The message containing the attached file.

Read Only: True

:file

file:bytes

The attached file.

Read Only: True

:name

file:base

The name of the attached file.
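
The four e-mail forms above (inet:email, inet:email:header, inet:email:message and inet:email:message:attachment) are populated from a parsed message. The following Python is an added example, not Synapse code and not part of this reference: it uses only the standard library to map a constructed RFC 5322 message onto the property names listed above. It assumes that the sending server is read from the topmost Received: header (the hop recorded by the receiving MTA), that Synapse time values are epoch milliseconds, and that file:bytes values are written as "sha256:<hex>"; the :message guid of each attachment is left out because it is only assigned when the message node is created.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample message (not real traffic): one Received: header written by
# the receiving MTA, a text part and one binary attachment. Cc: repeats an
# address on purpose to show the uniq/sorted handling of :cc.
RAW_MESSAGE = b"""Received: from mail.example.net (mail.example.net [203.0.113.5])
\tby mx.vertex.link with ESMTP id abc123
\tfor <visi@vertex.link>; Tue, 05 Mar 2024 12:34:56 +0000
From: "Bob" <Bob@Example.net>
To: visi@vertex.link
Cc: alice@example.net, Carol <carol@example.org>, alice@example.net
Reply-To: bob.reply@example.net
Subject: Quarterly invoice
Date: Tue, 05 Mar 2024 12:34:50 +0000
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""


def split_email(addr):
    """inet:email values are lower-cased; :user and :fqdn are derived from them."""
    addr = addr.strip().lower()
    user, _, fqdn = addr.rpartition("@")
    return {"inet:email": addr, ":user": user, ":fqdn": fqdn}


def epoch_ms(stamp):
    """Synapse time values as epoch milliseconds (assumption, see lead-in)."""
    return int(parsedate_to_datetime(stamp).timestamp() * 1000)


def file_bytes_value(data):
    """file:bytes primary values are keyed by SHA256 (see the file:bytes doc)."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def parse_received(received):
    """Sending server name, bracketed IPv4 and delivery time from one Received:
    header; the topmost header is the last hop, which :received:from:* records."""
    text = " ".join(received.split())
    m = re.match(r"from\s+(\S+)", text)
    fqdn = m.group(1).lower() if m else None
    ipm = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
    ipv4 = ipm.group(1) if ipm else None
    _, _, stamp = text.rpartition(";")
    when = epoch_ms(stamp.strip()) if stamp.strip() else None
    return fqdn, ipv4, when


def email_message_props(raw):
    """Property dicts for inet:email:message, its inet:email:header nodes and
    its inet:email:message:attachment nodes (attachment :message guid omitted)."""
    msg = message_from_bytes(raw, policy=policy.default)
    headers = [(name.lower(), str(value)) for name, value in msg.items()]

    from_fqdn = from_ipv4 = delivered = None
    received = msg.get_all("received", [])
    if received:
        from_fqdn, from_ipv4, delivered = parse_received(str(received[0]))
    if delivered is None and msg["date"] is not None:
        delivered = epoch_ms(str(msg["date"]))  # fall back to the Date: header

    def addr(name):
        value = msg.get(name)
        return split_email(parseaddr(str(value))[1])["inet:email"] if value else None

    cc_pairs = getaddresses([str(v) for v in msg.get_all("cc", [])])
    cc = sorted({split_email(a)["inet:email"] for _, a in cc_pairs if a})

    body = msg.get_body(preferencelist=("plain",))
    message = {
        ":to": addr("to"),
        ":from": addr("from"),
        ":replyto": addr("reply-to"),
        ":cc": cc,  # uniq and sorted, as the opts on :cc require
        ":subject": str(msg["subject"]) if msg["subject"] is not None else None,
        ":body": body.get_content().strip() if body is not None else None,
        ":date": delivered,
        ":bytes": file_bytes_value(raw),
        ":headers": headers,
        ":received:from:ipv4": from_ipv4,
        ":received:from:fqdn": from_fqdn,
    }
    attachments = [
        {":file": file_bytes_value(part.get_payload(decode=True) or b""),
         ":name": part.get_filename()}
        for part in msg.iter_attachments()
    ]
    return {"inet:email:message": message,
            "inet:email:header": headers,
            "inet:email:message:attachment": attachments}
```

The :date value is taken from the timestamp after the ";" in the topmost Received: header because the property doc defines it as the delivery time; the Date: header, which the sender controls, is only a fallback. The same split between attacker-controlled and MTA-recorded fields is why :received:from:ipv4 is taken from the bracketed address the receiving server logged rather than from anything the sender wrote.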

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:flow

An individual network connection between a given source and destination.

The base type for the form can be found at inet:flow.

Properties:

name

type

doc

opts

:time

time

The time the network connection was initiated.

:duration

int

The duration of the flow in seconds.

:from

guid

The ingest source file/iden. Used for reparsing.

:dst

inet:server

The destination address / port for a connection.

:dst:ipv4

inet:ipv4

The destination IPv4 address.

:dst:ipv6

inet:ipv6

The destination IPv6 address.

:dst:port

inet:port

The destination port.

:dst:proto

lower: True

The destination protocol.

:dst:host

it:host

The guid of the destination host.

:dst:proc

it:exec:proc

The guid of the destination process.

:dst:exe

file:bytes

The file (executable) that received the connection.

:dst:txcount

int

The number of packets sent by the destination host.

:dst:txbytes

int

The number of bytes sent by the destination host.

:dst:handshake

str

A text representation of the initial handshake sent by the server.

Display: {'hint': 'text'}

:src

inet:client

The source address / port for a connection.

:src:ipv4

inet:ipv4

The source IPv4 address.

:src:ipv6

inet:ipv6

The source IPv6 address.

:src:port

inet:port

The source port.

:src:proto

lower: True

The source protocol.

:src:host

it:host

The guid of the source host.

:src:proc

it:exec:proc

The guid of the source process.

:src:exe

file:bytes

The file (executable) that created the connection.

:src:txcount

int

The number of packets sent by the source host.

:src:txbytes

int

The number of bytes sent by the source host.

:tot:txcount

int

The number of packets sent in both directions.

:tot:txbytes

int

The number of bytes sent in both directions.

:src:handshake

str

A text representation of the initial handshake sent by the client.

Display: {'hint': 'text'}

:dst:cpes

uniq: True
sorted: True

An array of NIST CPEs identified on the destination host.

:dst:softnames

uniq: True
sorted: True

An array of software names identified on the destination host.

:src:cpes

uniq: True
sorted: True

An array of NIST CPEs identified on the source host.

:src:softnames

uniq: True
sorted: True

An array of software names identified on the source host.

:ip:proto

min: 0
max: 255

The IP protocol number of the flow.

:ip:tcp:flags

min: 0
max: 255

An aggregation of observed TCP flags commonly provided by flow APIs.

:sandbox:file

file:bytes

The initial sample given to a sandbox environment to analyze.

:src:ssl:cert

crypto:x509:cert

The x509 certificate sent by the client as part of an SSL/TLS negotiation.

:dst:ssl:cert

crypto:x509:cert

The x509 certificate sent by the server as part of an SSL/TLS negotiation.

:src:rdp:hostname

it:hostname

The hostname sent by the client as part of an RDP session setup.

:src:rdp:keyboard:layout

lower: True
onespace: True

The keyboard layout sent by the client as part of an RDP session setup.

:src:ssh:key

crypto:key

The key sent by the client as part of an SSH session setup.

:dst:ssh:key

crypto:key

The key sent by the server as part of an SSH session setup.

:raw

data

A raw record used to create the flow which may contain additional protocol details.
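
The :src:*, :dst:*, :tot:* and :ip:tcp:flags properties above describe one bidirectional connection summarised from individual packets. The following Python is an added example (not Synapse code): it aggregates a constructed set of packet records into one inet:flow property set, treating the side that sent the first packet as the client, ORing every observed TCP flag into the 0..255 :ip:tcp:flags value, and reporting :duration in whole seconds as the property doc states. The tcp://ip:port form of the :src and :dst values is an assumption about inet:client and inet:server address strings, and the sample packets are constructed, not captured.

```python
# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
PROTO_NAMES = {6: "tcp", 17: "udp"}

# Constructed packet records for one TCP session (not a real capture):
# (timestamp seconds, src ip, src port, dst ip, dst port, ip proto, tcp flags, wire bytes)
PACKETS = [
    (1709642096.000, "192.0.2.10", 51234, "198.51.100.7", 443, 6, SYN, 60),
    (1709642096.020, "198.51.100.7", 443, "192.0.2.10", 51234, 6, SYN | ACK, 60),
    (1709642096.021, "192.0.2.10", 51234, "198.51.100.7", 443, 6, ACK, 52),
    (1709642096.030, "192.0.2.10", 51234, "198.51.100.7", 443, 6, PSH | ACK, 172),
    (1709642096.500, "198.51.100.7", 443, "192.0.2.10", 51234, 6, PSH | ACK, 1452),
    (1709642098.900, "192.0.2.10", 51234, "198.51.100.7", 443, 6, FIN | ACK, 52),
    (1709642098.950, "198.51.100.7", 443, "192.0.2.10", 51234, 6, FIN | ACK, 52),
    (1709642099.000, "192.0.2.10", 51234, "198.51.100.7", 443, 6, ACK, 52),
]


def flows_from_packets(packets):
    """Group packets into bidirectional flows keyed on the 5-tuple of the first
    packet seen; later packets in either direction update the same flow."""
    flows = {}
    for ts, sip, sport, dip, dport, proto, flags, size in sorted(packets):
        fwd = (sip, sport, dip, dport, proto)
        rev = (dip, dport, sip, sport, proto)
        if fwd in flows:
            key, side = fwd, "src"
        elif rev in flows:
            key, side = rev, "dst"
        else:
            flows[fwd] = {"first": ts, "last": ts, "src": [0, 0], "dst": [0, 0], "flags": 0}
            key, side = fwd, "src"
        flow = flows[key]
        flow["last"] = ts
        flow[side][0] += 1        # packets sent by this side
        flow[side][1] += size     # bytes sent by this side
        if proto == 6:
            flow["flags"] |= flags & 0xFF  # OR of every observed flag, stays within 0..255
    return [flow_props(key, flow) for key, flow in flows.items()]


def flow_props(key, flow):
    """Render one aggregated flow as inet:flow property values."""
    sip, sport, dip, dport, proto = key
    name = PROTO_NAMES.get(proto, str(proto))
    return {
        ":time": int(flow["first"] * 1000),                     # epoch milliseconds
        ":duration": int(round(flow["last"] - flow["first"])),  # whole seconds, per the doc
        ":src": f"{name}://{sip}:{sport}",  # inet:client address string (assumption)
        ":src:ipv4": sip, ":src:port": sport, ":src:proto": name,
        ":dst": f"{name}://{dip}:{dport}",  # inet:server address string (assumption)
        ":dst:ipv4": dip, ":dst:port": dport, ":dst:proto": name,
        ":src:txcount": flow["src"][0], ":src:txbytes": flow["src"][1],
        ":dst:txcount": flow["dst"][0], ":dst:txbytes": flow["dst"][1],
        ":tot:txcount": flow["src"][0] + flow["dst"][0],
        ":tot:txbytes": flow["src"][1] + flow["dst"][1],
        ":ip:proto": proto,
        ":ip:tcp:flags": flow["flags"] if proto == 6 else None,
    }


def tcp_flag_names(flags):
    """Decode an aggregated :ip:tcp:flags value back into flag names."""
    bits = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK)]
    return [label for label, bit in bits if flags & bit]
```

Because :ip:tcp:flags is an OR over the whole session, a value that contains SYN but never ACK (a half-open scan) or that contains RST looks quite different from the 0x1b produced by the clean handshake and teardown above, which is why flow exporters aggregate the flags this way; the per-direction counters keep the asymmetry (here 388 bytes up, 1564 down) that a :tot:* total would hide.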

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:fqdn

A Fully Qualified Domain Name (FQDN).

The base type for the form can be found at inet:fqdn.

An example of inet:fqdn:

  • vertex.link

Properties:

name

type

doc

opts

:domain

inet:fqdn

The parent domain for the FQDN.

Read Only: True

:host

lower: True

The host part of the FQDN.

Read Only: True

:issuffix

bool

True if the FQDN is considered a suffix.

:iszone

bool

True if the FQDN is considered a zone.

:zone

inet:fqdn

The zone level parent for this FQDN.
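
The :host, :domain, :zone, :issuffix and :iszone properties above are all derived from the FQDN string plus a view of which names count as public suffixes. The following Python is an added example, not Synapse's own implementation: it derives those properties from a constructed suffix set (a real deployment would load the Public Suffix List or rely on the :issuffix flags already recorded on inet:fqdn nodes), applying the definitions on this page: a zone is the first non-suffix name directly under a suffix, and :zone is the nearest zone at or above the FQDN.

```python
# Constructed suffix set for the example only; not the real Public Suffix List.
SUFFIXES = {"com", "link", "uk", "co.uk"}


def normalize_fqdn(fqdn):
    """inet:fqdn values are lower-cased, with any trailing dot removed."""
    return fqdn.strip().lower().rstrip(".")


def fqdn_lineage(fqdn):
    """Every name an inet:fqdn implies, leaf first: each entry is a node the
    :domain property points at, down to the top-level label."""
    labels = normalize_fqdn(fqdn).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def fqdn_props(fqdn, suffixes=SUFFIXES):
    """Derive the inet:fqdn secondary properties from the name and a suffix set."""
    fqdn = normalize_fqdn(fqdn)
    lineage = fqdn_lineage(fqdn)
    host = fqdn.split(".", 1)[0]
    domain = lineage[1] if len(lineage) > 1 else None

    issuffix = fqdn in suffixes
    # A zone is a non-suffix name whose parent is a suffix (the registrable domain).
    iszone = (not issuffix) and domain is not None and domain in suffixes

    # :zone is the nearest zone at or above this name; a suffix has none.
    zone = None
    for name, parent in zip(lineage, lineage[1:]):
        if name not in suffixes and parent in suffixes:
            zone = name
            break

    return {
        "inet:fqdn": fqdn,
        ":host": host,
        ":domain": domain,
        ":issuffix": issuffix,
        ":iszone": iszone,
        ":zone": zone,
    }
```

The suffix set is what decides ownership boundaries: with "co.uk" present, "bbc.co.uk" is the zone and "mail.bbc.co.uk" hangs under it, whereas without it "co.uk" would wrongly become the zone for every UK name. That is also why :issuffix is a property that can be set on a node rather than a hard-coded rule; the zone computation for every child changes when it does.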

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:group

A group name string.

The base type for the form can be found at inet:group.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:http:param

An HTTP request path query parameter.

The base type for the form can be found at inet:http:param.

Properties:

name

type

doc

opts

:name

lower: True

The name of the HTTP query parameter.

Read Only: True

:value

str

The value of the HTTP query parameter.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:http:request

A single HTTP request.

The base type for the form can be found at inet:http:request.

Properties:

name

type

doc

:method

str

The HTTP request method string.

:path

str

The requested HTTP path (without query parameters).

:url

inet:url

The reconstructed URL for the request if known.

:query

str

The HTTP query string which optionally follows the path.

:headers

An array of HTTP headers from the request.

:body

file:bytes

The body of the HTTP request.

:referer

inet:url

The referer URL parsed from the “Referer:” header in the request.

:cookies

sorted: True
uniq: True

An array of HTTP cookie values parsed from the “Cookie:” header in the request.

:response:time

time

The time of the HTTP response.

:response:code

int

The HTTP response status code.

:response:reason

str

The HTTP response reason phrase.

:response:headers

An array of HTTP headers from the response.

:response:body

file:bytes

The body of the HTTP response.

:session

inet:http:session

The HTTP session this request was part of.

:flow

inet:flow

The raw inet:flow containing the request.

:client

inet:client

The inet:addr of the client.

:client:ipv4

inet:ipv4

The client IPv4 address that the request was sent from.

:client:ipv6

inet:ipv6

The client IPv6 address that the request was sent from.

:client:host

it:host

The host that the request was sent from.

:server

inet:server

The inet:addr of the server.

:server:ipv4

inet:ipv4

The server IPv4 address that the request was sent to.

:server:ipv6

inet:ipv6

The server IPv6 address that the request was sent to.

:server:port

inet:port

The server port that the request was sent to.

:server:host

it:host

The host that the request was sent to.

:exe

file:bytes

The executable file which caused the activity.

:proc

it:exec:proc

The host process which caused the activity.

:thread

it:exec:thread

The host thread which caused the activity.

:host

it:host

The host on which the activity occurred.

:time

time

The time that the activity started.

:sandbox:file

file:bytes

The initial sample given to a sandbox environment to analyze.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:http:request:header

An HTTP request header.

The base type for the form can be found at inet:http:request:header.

Properties:

name | type | doc | opts
:name | inet:http:header:name | The name of the HTTP request header. | Read Only: True
:value | str | The value of the HTTP request header. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:http:response:header

An HTTP response header.

The base type for the form can be found at inet:http:response:header.

Properties:

name | type | doc | opts
:name | inet:http:header:name | The name of the HTTP response header. | Read Only: True
:value | str | The value of the HTTP response header. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:http:session

An HTTP session.

The base type for the form can be found at inet:http:session.

Properties:

name | type | doc
:contact | ps:contact | The ps:contact which owns the session.
:cookies | sorted: True, uniq: True | An array of cookies used to identify this specific session.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:iface

A network interface with a set of associated protocol addresses.

The base type for the form can be found at inet:iface.

Properties:

name | type | doc
:host | it:host | The guid of the host the interface is associated with.
:network | it:network | The guid of the it:network the interface connected to.
:type | lower: True | The free-form interface type.
:mac | inet:mac | The Ethernet (MAC) address of the interface.
:ipv4 | inet:ipv4 | The IPv4 address of the interface.
:ipv6 | inet:ipv6 | The IPv6 address of the interface.
:phone | tel:phone | The telephone number of the interface.
:wifi:ssid | inet:wifi:ssid | The wifi SSID of the interface.
:wifi:bssid | inet:mac | The wifi BSSID of the interface.
:adid | it:adid | An advertising ID associated with the interface.
:mob:imei | tel:mob:imei | The IMEI of the interface.
:mob:imsi | tel:mob:imsi | The IMSI of the interface.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:ipv4

An IPv4 address.

The base type for the form can be found at inet:ipv4.

An example of inet:ipv4:

  • 1.2.3.4

Properties:

name | type | doc
:asn | inet:asn | The ASN to which the IPv4 address is currently assigned.
:latlong | geo:latlong | The best known latitude/longitude for the node.
:loc | loc | The geo-political location string for the IPv4.
:place | geo:place | The geo:place associated with the latlong property.
:type | str | The type of IP address (e.g., private, multicast, etc.).
:dns:rev | inet:fqdn | The most current DNS reverse lookup for the IPv4.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
inet:whois:iprec | -(ipwhois)> | inet:ipv4 | The source IP whois record describes the target IPv4 address.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:ipv6

An IPv6 address.

The base type for the form can be found at inet:ipv6.

An example of inet:ipv6:

  • 2607:f8b0:4004:809::200e

Properties:

name | type | doc
:asn | inet:asn | The ASN to which the IPv6 address is currently assigned.
:ipv4 | inet:ipv4 | The mapped IPv4 address.
:latlong | geo:latlong | The last known latitude/longitude for the node.
:place | geo:place | The geo:place associated with the latlong property.
:dns:rev | inet:fqdn | The most current DNS reverse lookup for the IPv6.
:loc | loc | The geo-political location string for the IPv6.
:type | str | The type of IP address (e.g., private, multicast, etc.).
:scope | enums: reserved,interface-local,link-local,realm-local,admin-local,site-local,organization-local,global,unassigned | The IPv6 scope of the address (e.g., global, link-local, etc.).

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
inet:whois:iprec | -(ipwhois)> | inet:ipv6 | The source IP whois record describes the target IPv6 address.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:mac

A 48-bit Media Access Control (MAC) address.

The base type for the form can be found at inet:mac.

An example of inet:mac:

  • aa:bb:cc:dd:ee:ff

Properties:

name | type | doc
:vendor | str | The vendor associated with the 24-bit prefix of a MAC address.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:passwd

A password string.

The base type for the form can be found at inet:passwd.

Properties:

name | type | doc | opts
:md5 | hash:md5 | The MD5 hash of the password. | Read Only: True
:sha1 | hash:sha1 | The SHA1 hash of the password. | Read Only: True
:sha256 | hash:sha256 | The SHA256 hash of the password. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:proto

A network protocol name.

The base type for the form can be found at inet:proto.

Properties:

name | type | doc
:port | inet:port | The default port this protocol typically uses, if applicable.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:rfc2822:addr

An RFC 2822 Address field.

The base type for the form can be found at inet:rfc2822:addr.

An example of inet:rfc2822:addr:

  • "Visi Kenshoto" <visi@vertex.link>

Properties:

name | type | doc | opts
:name | ps:name | The name field parsed from an RFC 2822 address string. | Read Only: True
:email | inet:email | The email field parsed from an RFC 2822 address string. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:search:query

An instance of a search query issued to a search engine.

The base type for the form can be found at inet:search:query.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :text | str | The search query text. | Display: {'hint': 'text'} |
| :time | time | The time the web search was issued. | |
| :acct | inet:web:acct | The account that the query was issued as. | |
| :host | it:host | The host that issued the query. | |
| :engine | lower: True | A simple name for the search engine used. | Example: google |
| :request | inet:http:request | The HTTP request used to issue the query. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:search:result

A single result from a web search.

The base type for the form can be found at inet:search:result.

Properties:

| name | type | doc |
|---|---|---|
| :query | inet:search:query | The search query that produced the result. |
| :title | lower: True | The title of the matching web page. |
| :rank | int | The rank/order of the query result. |
| :url | inet:url | The URL hosting the matching content. |
| :text | lower: True | Extracted/matched text from the matched content. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:server

A network server address.

The base type for the form can be found at inet:server.

An example of inet:server:

  • tcp://1.2.3.4:80

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :proto | lower: True | The network protocol of the server. | Read Only: True |
| :ipv4 | inet:ipv4 | The IPv4 of the server. | Read Only: True |
| :ipv6 | inet:ipv6 | The IPv6 of the server. | Read Only: True |
| :host | it:host | The it:host node for the server. | Read Only: True |
| :port | inet:port | The server tcp/udp port. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:servfile

A file hosted on a server for access over a network protocol.

The base type for the form can be found at inet:servfile.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :file | file:bytes | The file hosted by the server. | Read Only: True |
| :server | inet:server | The inet:addr of the server. | Read Only: True |
| :server:proto | lower: True | The network protocol of the server. | Read Only: True |
| :server:ipv4 | inet:ipv4 | The IPv4 of the server. | Read Only: True |
| :server:ipv6 | inet:ipv6 | The IPv6 of the server. | Read Only: True |
| :server:host | it:host | The it:host node for the server. | Read Only: True |
| :server:port | inet:port | The server tcp/udp port. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:ssl:cert

Deprecated. Please use inet:tls:servercert or inet:tls:clientcert.

The base type for the form can be found at inet:ssl:cert.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :file | file:bytes | The file bytes for the SSL certificate. | Read Only: True |
| :server | inet:server | The server that presented the SSL certificate. | Read Only: True |
| :server:ipv4 | inet:ipv4 | The SSL server IPv4 address. | Read Only: True |
| :server:ipv6 | inet:ipv6 | The SSL server IPv6 address. | Read Only: True |
| :server:port | inet:port | The SSL server listening port. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:ssl:jarmhash

A TLS JARM fingerprint hash.

The base type for the form can be found at inet:ssl:jarmhash.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :ciphers | lower: True; strip: True; regex: ^[0-9a-f]{30}$ | The encoded cipher and TLS version of the server. | Read Only: True |
| :extensions | lower: True; strip: True; regex: ^[0-9a-f]{32}$ | The truncated SHA256 of the TLS server extensions. | Read Only: True |
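As an added illustration (not part of the Synapse model docs or code), the following Python normalizes a raw JARM fingerprint into the :ciphers and :extensions sub-properties using the strip/lower/regex constraints listed above; the sample fingerprint is constructed, and the same_tls_stack helper is a hypothetical analyst convenience, not a Synapse API.

```python
import re

# Constraints as stated for inet:ssl:jarmhash: the first 30 hex characters
# encode the cipher/TLS-version results, the remaining 32 are the truncated
# SHA256 of the server extensions. A full JARM fingerprint is therefore 62.
CIPHERS_RE = re.compile(r"^[0-9a-f]{30}$")
EXTENSIONS_RE = re.compile(r"^[0-9a-f]{32}$")
CIPHERS_LEN = 30
JARM_LEN = 30 + 32

# Constructed sample value (not a real fingerprint of any host).
SAMPLE_JARM = "0123456789abcdef0123456789abcd" + "0123456789abcdef0123456789abcdef"


def norm_jarmhash(value: str) -> dict:
    """Normalize a raw JARM string into the model's sub-properties.

    Applies strip: True and lower: True before checking each segment against
    the regex the model declares. Raises ValueError for anything that would
    not be accepted as an inet:ssl:jarmhash value.
    """
    if not isinstance(value, str):
        raise ValueError("jarm hash must be a string")
    text = value.strip().lower()  # strip: True, lower: True
    if len(text) != JARM_LEN:
        raise ValueError(f"jarm hash must be {JARM_LEN} hex chars, got {len(text)}")
    ciphers, extensions = text[:CIPHERS_LEN], text[CIPHERS_LEN:]
    if not CIPHERS_RE.match(ciphers):
        raise ValueError("ciphers segment is not 30 lowercase hex chars")
    if not EXTENSIONS_RE.match(extensions):
        raise ValueError("extensions segment is not 32 lowercase hex chars")
    return {"valu": text, "ciphers": ciphers, "extensions": extensions}


def is_null_jarm(value: str) -> bool:
    """True when every character is '0'.

    The JARM scanner emits an all-zero fingerprint when the target produced no
    usable TLS response, so such a value identifies no server stack and
    should not be used to cluster or match anything.
    """
    return set(norm_jarmhash(value)["valu"]) == {"0"}


def same_tls_stack(a: str, b: str) -> bool:
    """Hypothetical helper (assumption, not a Synapse feature): two servers
    whose :ciphers segments agree negotiated the same cipher and version
    choices across the JARM probes, even if :extensions differs."""
    return norm_jarmhash(a)["ciphers"] == norm_jarmhash(b)["ciphers"]


if __name__ == "__main__":
    node = norm_jarmhash("  " + SAMPLE_JARM.upper() + "\n")
    print("inet:ssl:jarmhash =", node["valu"])
    print("  :ciphers    =", node["ciphers"])
    print("  :extensions =", node["extensions"])
    print("null fingerprint:", is_null_jarm("0" * JARM_LEN))
```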

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:ssl:jarmsample

A JARM hash sample taken from a server.

The base type for the form can be found at inet:ssl:jarmsample.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :jarmhash | inet:ssl:jarmhash | The JARM hash computed from the server responses. | Read Only: True |
| :server | inet:server | The server that was sampled to compute the JARM hash. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:tls:clientcert

An x509 certificate sent by a client for TLS.

The base type for the form can be found at inet:tls:clientcert.

An example of inet:tls:clientcert:

  • (1.2.3.4:443, 3fdf364e081c14997b291852d1f23868)

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :client | inet:client | The client associated with the x509 certificate. | Read Only: True |
| :cert | crypto:x509:cert | The x509 certificate sent by the client. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:tls:handshake

An instance of a TLS handshake between a server and client.

The base type for the form can be found at inet:tls:handshake.

Properties:

| name | type | doc |
|---|---|---|
| :time | time | The time the handshake was initiated. |
| :flow | inet:flow | The raw inet:flow associated with the handshake. |
| :server | inet:server | The TLS server during the handshake. |
| :server:cert | crypto:x509:cert | The x509 certificate sent by the server during the handshake. |
| :server:fingerprint:ja3 | hash:md5 | The JA3S fingerprint of the server. |
| :client | inet:client | The TLS client during the handshake. |
| :client:cert | crypto:x509:cert | The x509 certificate sent by the client during the handshake. |
| :client:fingerprint:ja3 | hash:md5 | The JA3 fingerprint of the client. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:tls:ja3:sample

A JA3 sample taken from a client.

The base type for the form can be found at inet:tls:ja3:sample.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :client | inet:client | The client that was sampled to produce the JA3 hash. | Read Only: True |
| :ja3 | hash:md5 | The JA3 hash computed from the client's TLS hello packet. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

inet:tls:ja3s:sample

A JA3 sample taken from a server.

The base type for the form can be found at inet:tls:ja3s:sample.

Properties:

name | type | doc | opts
:server | inet:server | The server that was sampled to produce the JA3S hash. | Read Only: True
:ja3s | hash:md5 | The JA3S hash computed from the server’s TLS hello packet. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:tls:servercert

An x509 certificate sent by a server for TLS.

The base type for the form can be found at inet:tls:servercert.

An example of inet:tls:servercert:

  • (1.2.3.4:443, c7437790af01ae1bb2f8f3b684c70bf8)

Properties:

name | type | doc | opts
:server | inet:server | The server associated with the x509 certificate. | Read Only: True
:cert | crypto:x509:cert | The x509 certificate sent by the server. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:tunnel

A specific sequence of hosts forwarding connections such as a VPN or proxy.

The base type for the form can be found at inet:tunnel.

Properties:

name | type | doc
:anon | bool | Indicates that this tunnel provides anonymization.
:type | inet:tunnel:type:taxonomy | The type of tunnel, such as vpn or proxy.
:ingress | inet:server | The server where client traffic enters the tunnel.
:egress | inet:server | The server where client traffic leaves the tunnel.
:operator | ps:contact | The contact information for the tunnel operator.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:tunnel:type:taxonomy

A taxonomy of network tunnel types.

The base type for the form can be found at inet:tunnel:type:taxonomy.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth, indexed from 0. | Read Only: True
:parent | inet:tunnel:type:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:url

A Universal Resource Locator (URL).

The base type for the form can be found at inet:url.

An example of inet:url:

  • http://www.woot.com/files/index.html

Properties:

name | type | doc | opts
:fqdn | inet:fqdn | The FQDN used in the URL (e.g., http://www.woot.com/page.html). | Read Only: True
:ipv4 | inet:ipv4 | The IPv4 address used in the URL (e.g., http://1.2.3.4/page.html). | Read Only: True
:ipv6 | inet:ipv6 | The IPv6 address used in the URL. | Read Only: True
:passwd | inet:passwd | The optional password used to access the URL. | Read Only: True
:base | str | The base scheme, user/pass, fqdn, port and path without parameters. | Read Only: True
:path | str | The path in the URL without parameters. | Read Only: True
:params | str | The URL parameter string. | Read Only: True
:port | inet:port | The port of the URL. URLs prefixed with http will be set to port 80 and URLs prefixed with https will be set to port 443 unless otherwise specified. | Read Only: True
:proto | lower: True | The protocol in the URL. | Read Only: True
:user | inet:user | The optional username used to access the URL. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:url:mirror

A URL mirror site.

The base type for the form can be found at inet:url:mirror.

Properties:

name | type | doc | opts
:of | inet:url | The URL being mirrored. | Read Only: True
:at | inet:url | The URL of the mirror. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:urlfile

A file hosted at a specific Universal Resource Locator (URL).

The base type for the form can be found at inet:urlfile.

Properties:

name | type | doc | opts
:url | inet:url | The URL where the file was hosted. | Read Only: True
:file | file:bytes | The file that was hosted at the URL. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:urlredir

A URL that redirects to another URL, such as via a URL shortening service or an HTTP 302 response.

The base type for the form can be found at inet:urlredir.

An example of inet:urlredir:

  • (http://foo.com/,http://bar.com/)

Properties:

name | type | doc | opts
:src | inet:url | The original/source URL before redirect. | Read Only: True
:src:fqdn | inet:fqdn | The FQDN within the src URL (if present). | Read Only: True
:dst | inet:url | The redirected/destination URL. | Read Only: True
:dst:fqdn | inet:fqdn | The FQDN within the dst URL (if present). | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:user

A username string.

The base type for the form can be found at inet:user.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:web:acct

An account with a given Internet-based site or service.

The base type for the form can be found at inet:web:acct.

An example of inet:web:acct:

  • twitter.com/invisig0th

Properties:

name

type

doc

opts

:avatar

file:bytes

The file representing the avatar (e.g., profile picture) for the account.

:banner

file:bytes

The file representing the banner for the account.

:dob

time

A self-declared date of birth for the account (if the account belongs to a person).

:email

inet:email

The email address associated with the account.

:linked:accts

uniq: True
sorted: True

Linked accounts specified in the account profile.

:latlong

geo:latlong

The last known latitude/longitude for the node.

:place

geo:place

The geo:place associated with the latlong property.

:loc

loc

A self-declared location for the account.

:name

inet:user

The localized name associated with the account (may be different from the account identifier, e.g., a display name).

:name:en

inet:user

The English version of the name associated with the (may be different from the account identifier, e.g., a display name).

Deprecated: True

:aliases

type: inet:user
uniq: True
sorted: True

An array of alternate names for the user.

:occupation

lower: True

A self-declared occupation for the account.

:passwd

inet:passwd

The current password for the account.

:phone

tel:phone

The phone number associated with the account.

:realname

ps:name

The localized version of the real name of the account owner / registrant.

:realname:en

ps:name

The English version of the real name of the account owner / registrant.

Deprecated: True

:signup

time

The date and time the account was registered.

:signup:client

inet:client

The client address used to sign up for the account.

:signup:client:ipv4

inet:ipv4

The IPv4 address used to sign up for the account.

:signup:client:ipv6

inet:ipv6

The IPv6 address used to sign up for the account.

:site

inet:fqdn

The site or service associated with the account.

Read Only: True

:tagline

str

The text of the account status or tag line.

:url

inet:url

The service provider URL where the account is hosted.

:user

inet:user

The unique identifier for the account (may be different from the common name or display name).

Read Only: True

:webpage

inet:url

A related URL specified by the account (e.g., a personal or company web page, blog, etc.).

:recovery:email

inet:email

An email address registered as a recovery email address for the account.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:web:action

An instance of an account performing an action at an Internet-based site or service.

The base type for the form can be found at inet:web:action.

Properties:

name

type

doc

:act

lower: True
strip: True

The action performed by the account.

:acct

inet:web:acct

The web account associated with the action.

:acct:site

inet:fqdn

The site or service associated with the account.

:acct:user

inet:user

The unique identifier for the account.

:time

time

The date and time the account performed the action.

:client

inet:client

The source client address of the action.

:client:ipv4

inet:ipv4

The source IPv4 address of the action.

:client:ipv6

inet:ipv6

The source IPv6 address of the action.

:loc

loc

The location of the user executing the web action.

:latlong

geo:latlong

The latlong of the user when executing the web action.

:place

geo:place

The geo:place of the user when executing the web action.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:web:attachment

An instance of a file being sent to a web service by an account.

The base type for the form can be found at inet:web:attachment.

Properties:

name

type

doc

opts

:acct

inet:web:acct

The account that uploaded the file.

:post

inet:web:post

The optional web post that the file was attached to.

:mesg

inet:web:mesg

The optional web message that the file was attached to.

:proto

inet:proto

The protocol used to transmit the file to the web service.

Example: https

:interactive

bool

Set to true if the upload was interactive. False if automated.

:file

file:bytes

The file that was sent.

:name

file:path

The name of the file at the time it was sent.

:time

time

The time the file was sent.

:client

inet:client

The client address which initiated the upload.

:client:ipv4

inet:ipv4

The IPv4 address of the client that initiated the upload.

:client:ipv6

inet:ipv6

The IPv6 address of the client that initiated the upload.

:place

geo:place

The place the file was sent from.

:place:loc

loc

The geopolitical location that the file was sent from.

:place:name

geo:name

The reported name of the place that the file was sent from.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:web:channel

A channel within a web service or instance such as Slack or Discord.

The base type for the form can be found at inet:web:channel.

Properties:

name

type

doc

opts

:url

inet:url

The primary URL used to identify the channel.

Example: https://app.slack.com/client/T2XK1223Y/C2XHHNDS7

:id

strip: True

The operator specified ID of this channel.

Example: C2XHHNDS7

:instance

inet:web:instance

The instance which contains the channel.

:name

strip: True

The visible name of the channel.

Example: general

:topic

strip: True

The visible topic of the channel.

Example: Synapse Discussion - Feel free to invite others!

:created

time

The time the channel was created.

:creator

inet:web:acct

The account which created the channel.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:web:chprofile

A change to a web account. Used to capture historical properties associated with an account, as opposed to current data in the inet:web:acct node.

The base type for the form can be found at inet:web:chprofile.

Properties:

name

type

doc

:acct

inet:web:acct

The web account associated with the change.

:acct:site

inet:fqdn

The site or service associated with the account.

:acct:user

inet:user

The unique identifier for the account.

:client

inet:client

The source address used to make the account change.

:client:ipv4

inet:ipv4

The source IPv4 address used to make the account change.

:client:ipv6

inet:ipv6

The source IPv6 address used to make the account change.

:time

time

The date and time when the account change occurred.

:pv

nodeprop

The prop=valu of the account property that was changed. Valu should be the old / original value, while the new value should be updated on the inet:web:acct form.

:pv:prop

str

The property that was changed.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:web:file

A file posted by a web account.

The base type for the form can be found at inet:web:file.

Properties:

name

type

doc

opts

:acct

inet:web:acct

The account that owns or is associated with the file.

Read Only: True

:acct:site

inet:fqdn

The site or service associated with the account.

Read Only: True

:acct:user

inet:user

The unique identifier for the account.

Read Only: True

:file

file:bytes

The file owned by or associated with the account.

Read Only: True

:name

file:base

The name of the file owned by or associated with the account.

:posted

time

Deprecated. Instance data belongs on inet:web:attachment.

Deprecated: True

:client

inet:client

Deprecated. Instance data belongs on inet:web:attachment.

Deprecated: True

:client:ipv4

inet:ipv4

Deprecated. Instance data belongs on inet:web:attachment.

Deprecated: True

:client:ipv6

inet:ipv6

Deprecated. Instance data belongs on inet:web:attachment.

Deprecated: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:web:follows

A web account follows or is connected to another web account.

The base type for the form can be found at inet:web:follows.

Properties:

name

type

doc

opts

:follower

inet:web:acct

The account following an account.

Read Only: True

:followee

inet:web:acct

The account followed by an account.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:web:group

A group hosted within or registered with a given Internet-based site or service.

The base type for the form can be found at inet:web:group.

An example of inet:web:group:

  • somesite.com/mycoolgroup

Properties:

name

type

doc

opts

:site

inet:fqdn

The site or service associated with the group.

Read Only: True

:id

inet:group

The site-specific unique identifier for the group (may be different from the common name or display name).

Read Only: True

:name

inet:group

The localized name associated with the group (may be different from the account identifier, e.g., a display name).

:aliases

uniq: True
sorted: True

An array of alternate names for the group.

:name:en

inet:group

The English version of the name associated with the group (may be different from the localized name).

Deprecated: True

:url

inet:url

The service provider URL where the group is hosted.

:avatar

file:bytes

The file representing the avatar (e.g., profile picture) for the group.

:desc

str

The text of the description of the group.

:webpage

inet:url

A related URL specified by the group (e.g., primary web site, etc.).

:loc

lower: True

A self-declared location for the group.

:latlong

geo:latlong

The last known latitude/longitude for the node.

:place

geo:place

The geo:place associated with the latlong property.

:signup

time

The date and time the group was created on the site.

:signup:client

inet:client

The client address used to create the group.

:signup:client:ipv4

inet:ipv4

The IPv4 address used to create the group.

:signup:client:ipv6

inet:ipv6

The IPv6 address used to create the group.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:web:hashtag

A hashtag used in a web post.

The base type for the form can be found at inet:web:hashtag.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

inet:web:instance

An instance of a web service such as Slack or Discord.

The base type for the form can be found at inet:web:instance.

Properties:

name | type | doc | opts
:url | inet:url | The primary URL used to identify the instance. Example: https://app.slack.com/client/T2XK1223Y
:id | | The operator specified ID of this instance. Example: T2XK1223Y | strip: True
:name | | The visible name of the instance. Example: vertex synapse | strip: True
:created | time | The time the instance was created.
:creator | inet:web:acct | The account which created the instance.
:owner | ou:org | The organization which created the instance.
:owner:fqdn | inet:fqdn | The FQDN of the organization which created the instance. Used for entity resolution. Example: vertex.link
:owner:name | ou:name | The name of the organization which created the instance. Used for entity resolution. Example: the vertex project, llc.
:operator | ou:org | The organization which operates the instance.
:operator:name | ou:name | The name of the organization which operates the instance. Used for entity resolution. Example: slack
:operator:fqdn | inet:fqdn | The FQDN of the organization which operates the instance. Used for entity resolution. Example: slack.com

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:web:logon

An instance of an account authenticating to an Internet-based site or service.

The base type for the form can be found at inet:web:logon.

Properties:

name | type | doc
:acct | inet:web:acct | The web account associated with the logon event.
:acct:site | inet:fqdn | The site or service associated with the account.
:acct:user | inet:user | The unique identifier for the account.
:time | time | The date and time the account logged into the service.
:client | inet:client | The source address of the logon.
:client:ipv4 | inet:ipv4 | The source IPv4 address of the logon.
:client:ipv6 | inet:ipv6 | The source IPv6 address of the logon.
:logout | time | The date and time the account logged out of the service.
:loc | loc | The location of the user executing the logon.
:latlong | geo:latlong | The latlong of the user executing the logon.
:place | geo:place | The geo:place of the user executing the logon.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:web:memb

Deprecated. Please use inet:web:member.

The base type for the form can be found at inet:web:memb.

Properties:

name | type | doc | opts
:acct | inet:web:acct | The account that is a member of the group. | Read Only: True
:group | inet:web:group | The group that the account is a member of. | Read Only: True
:title | | The title or status of the member (e.g., admin, new member, etc.). | lower: True
:joined | time | The date / time the account joined the group.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:web:member

Represents a web account membership in a channel or group.

The base type for the form can be found at inet:web:member.

Properties:

name | type | doc
:acct | inet:web:acct | The account that is a member of the group or channel.
:group | inet:web:group | The group that the account is a member of.
:channel | inet:web:channel | The channel that the account is a member of.
:added | time | The date / time the account was added to the group or channel.
:removed | time | The date / time the account was removed from the group or channel.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:web:mesg

A message sent from one web account to another web account or channel.

The base type for the form can be found at inet:web:mesg.

An example of inet:web:mesg:

  • ((twitter.com, invisig0th), (twitter.com, gobbles), 20041012130220)

Properties:

name | type | doc | opts
:from | inet:web:acct | The web account that sent the message. | Read Only: True
:to | inet:web:acct | The web account that received the message. | Read Only: True
:client | inet:client | The source address of the message.
:client:ipv4 | inet:ipv4 | The source IPv4 address of the message.
:client:ipv6 | inet:ipv6 | The source IPv6 address of the message.
:time | time | The date and time at which the message was sent. | Read Only: True
:url | inet:url | The URL where the message is posted / visible.
:text | str | The text of the message. | Display: {'hint': 'text'}
:deleted | bool | The message was deleted.
:file | file:bytes | The file attached to or sent with the message.
:place | geo:place | The place that the message was reportedly sent from.
:place:name | geo:name | The name of the place that the message was reportedly sent from. Used for entity resolution.
:instance | inet:web:instance | The instance where the message was sent.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:web:post

A post made by a web account.

The base type for the form can be found at inet:web:post.

Properties:

name | type | doc | opts
:acct | inet:web:acct | The web account that made the post.
:acct:site | inet:fqdn | The site or service associated with the account.
:client | inet:client | The source address of the post.
:client:ipv4 | inet:ipv4 | The source IPv4 address of the post.
:client:ipv6 | inet:ipv6 | The source IPv6 address of the post.
:acct:user | inet:user | The unique identifier for the account.
:text | str | The text of the post. | Display: {'hint': 'text'}
:time | time | The date and time that the post was made.
:deleted | bool | The message was deleted by the poster.
:url | inet:url | The URL where the post is published / visible.
:file | file:bytes | The file that was attached to the post.
:replyto | inet:web:post | The post that this post is in reply to.
:repost | inet:web:post | The original post that this is a repost of.
:hashtags | | Hashtags mentioned within the post. | uniq: True; sorted: True; split: ,
:mentions:users | | Accounts mentioned within the post. | uniq: True; sorted: True; split: ,
:mentions:groups | | Groups mentioned within the post. | uniq: True; sorted: True; split: ,
:loc | loc | The location that the post was reportedly sent from.
:place | geo:place | The place that the post was reportedly sent from.
:place:name | geo:name | The name of the place that the post was reportedly sent from. Used for entity resolution.
:latlong | geo:latlong | The place that the post was reportedly sent from.
:channel | inet:web:channel | The channel where the post was made.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:web:post:link

A link contained within post text.

The base type for the form can be found at inet:web:post:link.

Properties:

name | type | doc
:post | inet:web:post | The post containing the embedded link.
:url | inet:url | The URL that the link forwards to.
:text | str | The displayed hyperlink text if it was not the raw URL.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:whois:contact

An individual contact from a domain whois record.

The base type for the form can be found at inet:whois:contact.

Properties:

name | type | doc | opts
:rec | inet:whois:rec | The whois record containing the contact data. | Read Only: True
:rec:fqdn | inet:fqdn | The domain associated with the whois record. | Read Only: True
:rec:asof | time | The date of the whois record. | Read Only: True
:type | | The contact type (e.g., registrar, registrant, admin, billing, tech, etc.). | lower: True; Read Only: True
:id | | The ID associated with the contact. | lower: True
:name | | The name of the contact. | lower: True
:email | inet:email | The email address of the contact.
:orgname | ou:name | The name of the contact organization.
:address | | The content of the street address field(s) of the contact. | lower: True
:city | | The content of the city field of the contact. | lower: True
:state | | The content of the state field of the contact. | lower: True
:country | | The two-letter country code of the contact. | lower: True
:phone | tel:phone | The content of the phone field of the contact.
:fax | tel:phone | The content of the fax field of the contact.
:url | inet:url | The URL specified for the contact.
:whois:fqdn | inet:fqdn | The whois server FQDN for the given contact (most likely a registrar).

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:whois:email

An email address associated with an FQDN via whois registration text.

The base type for the form can be found at inet:whois:email.

Properties:

name | type | doc | opts
:fqdn | inet:fqdn | The domain with a whois record containing the email address. | Read Only: True
:email | inet:email | The email address associated with the domain whois record. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

inet:whois:ipcontact

An individual contact from an IP block record.

The base type for the form can be found at inet:whois:ipcontact.

Properties:

  • :contact (ps:contact): Contact information associated with a registration.
  • :asof (time): The date of the record.
  • :created (time): The “created” time from the record.
  • :updated (time): The “last updated” time from the record.
  • :role (lower: True): The primary role for the contact.
  • :roles (type: str, uniq: True, sorted: True): Additional roles assigned to the contact.
  • :asn (inet:asn): The associated Autonomous System Number (ASN).
  • :id (inet:whois:regid): The registry unique identifier (e.g. NET-74-0-0-0-1).
  • :links (type: inet:url, uniq: True, sorted: True): URLs provided with the record.
  • :status (lower: True): The state of the registered contact (e.g. validated, obscured).
  • :contacts (uniq: True, sorted: True): Additional contacts referenced by this contact.

Source Edges:

  • * -(meets)> ou:requirement: The requirement is met by the source node.
  • * -(refs)> *: The source node contains a reference to the target node.
  • * -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges:

  • * -(refs)> *: None
  • econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
  • it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
  • it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
  • it:exec:query -(found)> *: The target node was returned as a result of running the query.
  • meta:note -(about)> *: The meta:note is about the target node.
  • meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
  • meta:rule -(matches)> *: The meta:rule has matched on the target node.
  • meta:source -(seen)> *: The meta:source observed the target node.
  • ou:campaign -(targets)> *: The campaign targeted the target nodes.
  • ou:campaign -(uses)> *: The campaign made use of the target node.
  • ou:contribution -(includes)> *: The contribution includes the specific node.
  • ou:org -(has)> *: The organization is or was in possession of the target node.
  • ou:org -(owns)> *: The organization owns or owned the target node.
  • ou:org -(targets)> *: The organization targets the target node.
  • ou:org -(uses)> *: The ou:org makes use of the target node.
  • ps:contact -(has)> *: The contact is or was in possession of the target node.
  • ps:contact -(owns)> *: The contact owns or owned the target node.
  • ps:person -(has)> *: The person is or was in possession of the target node.
  • ps:person -(owns)> *: The person owns or owned the target node.
  • risk:attack -(targets)> *: The attack targeted the target node.
  • risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
  • risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
  • risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
  • risk:leak -(leaked)> *: The leak included the disclosure of the target node.
  • risk:threat -(targets)> *: The threat cluster targeted the target node.
  • risk:threat -(uses)> *: The threat cluster uses the target node.
  • risk:tool:software -(uses)> *: The tool uses the target node.
  • sci:evidence -(has)> *: The evidence includes observations from the target nodes.
  • sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
  • sci:observation -(has)> *: The observations are summarized from the target nodes.

inet:whois:ipquery

Query details used to retrieve an IP record.

The base type for the form can be found at inet:whois:ipquery.

Properties:

  • :time (time): The time the request was made.
  • :url (inet:url): The query URL when using the HTTP RDAP Protocol.
  • :fqdn (inet:fqdn): The FQDN of the host server when using the legacy WHOIS Protocol.
  • :ipv4 (inet:ipv4): The IPv4 address queried.
  • :ipv6 (inet:ipv6): The IPv6 address queried.
  • :success (bool): Whether the host returned a valid response for the query.
  • :rec (inet:whois:iprec): The resulting record from the query.

Source Edges:

  • * -(meets)> ou:requirement: The requirement is met by the source node.
  • * -(refs)> *: The source node contains a reference to the target node.
  • * -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges:

  • * -(refs)> *: None
  • econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
  • it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
  • it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
  • it:exec:query -(found)> *: The target node was returned as a result of running the query.
  • meta:note -(about)> *: The meta:note is about the target node.
  • meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
  • meta:rule -(matches)> *: The meta:rule has matched on the target node.
  • meta:source -(seen)> *: The meta:source observed the target node.
  • ou:campaign -(targets)> *: The campaign targeted the target nodes.
  • ou:campaign -(uses)> *: The campaign made use of the target node.
  • ou:contribution -(includes)> *: The contribution includes the specific node.
  • ou:org -(has)> *: The organization is or was in possession of the target node.
  • ou:org -(owns)> *: The organization owns or owned the target node.
  • ou:org -(targets)> *: The organization targets the target node.
  • ou:org -(uses)> *: The ou:org makes use of the target node.
  • ps:contact -(has)> *: The contact is or was in possession of the target node.
  • ps:contact -(owns)> *: The contact owns or owned the target node.
  • ps:person -(has)> *: The person is or was in possession of the target node.
  • ps:person -(owns)> *: The person owns or owned the target node.
  • risk:attack -(targets)> *: The attack targeted the target node.
  • risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
  • risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
  • risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
  • risk:leak -(leaked)> *: The leak included the disclosure of the target node.
  • risk:threat -(targets)> *: The threat cluster targeted the target node.
  • risk:threat -(uses)> *: The threat cluster uses the target node.
  • risk:tool:software -(uses)> *: The tool uses the target node.
  • sci:evidence -(has)> *: The evidence includes observations from the target nodes.
  • sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
  • sci:observation -(has)> *: The observations are summarized from the target nodes.

inet:whois:iprec

An IPv4/IPv6 block registration record.

The base type for the form can be found at inet:whois:iprec.

Properties:

  • :net4 (inet:net4): The IPv4 address range assigned.
  • :net4:min (inet:ipv4): The first IPv4 in the range assigned.
  • :net4:max (inet:ipv4): The last IPv4 in the range assigned.
  • :net6 (inet:net6): The IPv6 address range assigned.
  • :net6:min (inet:ipv6): The first IPv6 in the range assigned.
  • :net6:max (inet:ipv6): The last IPv6 in the range assigned.
  • :asof (time): The date of the record.
  • :created (time): The “created” time from the record.
  • :updated (time): The “last updated” time from the record.
  • :text (lower: True): The full text of the record. [Display: {'hint': 'text'}]
  • :desc (lower: True): Notes concerning the record. [Display: {'hint': 'text'}]
  • :asn (inet:asn): The associated Autonomous System Number (ASN).
  • :id (inet:whois:regid): The registry unique identifier (e.g. NET-74-0-0-0-1).
  • :name (str): The name assigned to the network by the registrant.
  • :parentid (inet:whois:regid): The registry unique identifier of the parent whois record (e.g. NET-74-0-0-0-0).
  • :registrant (inet:whois:ipcontact): Deprecated. Add the registrant inet:whois:ipcontact to the :contacts array. [Deprecated: True]
  • :contacts (uniq: True, sorted: True): Additional contacts from the record.
  • :country (lower: True, regex: ^[a-z]{2}$): The two-letter ISO 3166 country code.
  • :status (lower: True): The state of the registered network.
  • :type (lower: True): The classification of the registered network (e.g. direct allocation).
  • :links (type: inet:url, uniq: True, sorted: True): URLs provided with the record.

Source Edges:

  • * -(meets)> ou:requirement: The requirement is met by the source node.
  • * -(refs)> *: The source node contains a reference to the target node.
  • * -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.
  • inet:whois:iprec -(ipwhois)> inet:ipv4: The source IP whois record describes the target IPv4 address.
  • inet:whois:iprec -(ipwhois)> inet:ipv6: The source IP whois record describes the target IPv6 address.

Target Edges:

  • * -(refs)> *: None
  • econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
  • it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
  • it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
  • it:exec:query -(found)> *: The target node was returned as a result of running the query.
  • meta:note -(about)> *: The meta:note is about the target node.
  • meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
  • meta:rule -(matches)> *: The meta:rule has matched on the target node.
  • meta:source -(seen)> *: The meta:source observed the target node.
  • ou:campaign -(targets)> *: The campaign targeted the target nodes.
  • ou:campaign -(uses)> *: The campaign made use of the target node.
  • ou:contribution -(includes)> *: The contribution includes the specific node.
  • ou:org -(has)> *: The organization is or was in possession of the target node.
  • ou:org -(owns)> *: The organization owns or owned the target node.
  • ou:org -(targets)> *: The organization targets the target node.
  • ou:org -(uses)> *: The ou:org makes use of the target node.
  • ps:contact -(has)> *: The contact is or was in possession of the target node.
  • ps:contact -(owns)> *: The contact owns or owned the target node.
  • ps:person -(has)> *: The person is or was in possession of the target node.
  • ps:person -(owns)> *: The person owns or owned the target node.
  • risk:attack -(targets)> *: The attack targeted the target node.
  • risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
  • risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
  • risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
  • risk:leak -(leaked)> *: The leak included the disclosure of the target node.
  • risk:threat -(targets)> *: The threat cluster targeted the target node.
  • risk:threat -(uses)> *: The threat cluster uses the target node.
  • risk:tool:software -(uses)> *: The tool uses the target node.
  • sci:evidence -(has)> *: The evidence includes observations from the target nodes.
  • sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
  • sci:observation -(has)> *: The observations are summarized from the target nodes.

inet:whois:rar

A domain registrar.

The base type for the form can be found at inet:whois:rar.

An example of inet:whois:rar:

  • godaddy, inc.

Source Edges:

  • * -(meets)> ou:requirement: The requirement is met by the source node.
  • * -(refs)> *: The source node contains a reference to the target node.
  • * -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges:

  • * -(refs)> *: None
  • econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
  • it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
  • it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
  • it:exec:query -(found)> *: The target node was returned as a result of running the query.
  • meta:note -(about)> *: The meta:note is about the target node.
  • meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
  • meta:rule -(matches)> *: The meta:rule has matched on the target node.
  • meta:source -(seen)> *: The meta:source observed the target node.
  • ou:campaign -(targets)> *: The campaign targeted the target nodes.
  • ou:campaign -(uses)> *: The campaign made use of the target node.
  • ou:contribution -(includes)> *: The contribution includes the specific node.
  • ou:org -(has)> *: The organization is or was in possession of the target node.
  • ou:org -(owns)> *: The organization owns or owned the target node.
  • ou:org -(targets)> *: The organization targets the target node.
  • ou:org -(uses)> *: The ou:org makes use of the target node.
  • ps:contact -(has)> *: The contact is or was in possession of the target node.
  • ps:contact -(owns)> *: The contact owns or owned the target node.
  • ps:person -(has)> *: The person is or was in possession of the target node.
  • ps:person -(owns)> *: The person owns or owned the target node.
  • risk:attack -(targets)> *: The attack targeted the target node.
  • risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
  • risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
  • risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
  • risk:leak -(leaked)> *: The leak included the disclosure of the target node.
  • risk:threat -(targets)> *: The threat cluster targeted the target node.
  • risk:threat -(uses)> *: The threat cluster uses the target node.
  • risk:tool:software -(uses)> *: The tool uses the target node.
  • sci:evidence -(has)> *: The evidence includes observations from the target nodes.
  • sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
  • sci:observation -(has)> *: The observations are summarized from the target nodes.

inet:whois:rec

A domain whois record.

The base type for the form can be found at inet:whois:rec.

Properties:

  • :fqdn (inet:fqdn): The domain associated with the whois record. [Read Only: True]
  • :asof (time): The date of the whois record. [Read Only: True]
  • :text (lower: True): The full text of the whois record. [Display: {'hint': 'text'}]
  • :created (time): The “created” time from the whois record.
  • :updated (time): The “last updated” time from the whois record.
  • :expires (time): The “expires” time from the whois record.
  • :registrar (inet:whois:rar): The registrar name from the whois record.
  • :registrant (inet:whois:reg): The registrant name from the whois record.

Source Edges:

  • * -(meets)> ou:requirement: The requirement is met by the source node.
  • * -(refs)> *: The source node contains a reference to the target node.
  • * -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges:

  • * -(refs)> *: None
  • econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
  • it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
  • it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
  • it:exec:query -(found)> *: The target node was returned as a result of running the query.
  • meta:note -(about)> *: The meta:note is about the target node.
  • meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
  • meta:rule -(matches)> *: The meta:rule has matched on the target node.
  • meta:source -(seen)> *: The meta:source observed the target node.
  • ou:campaign -(targets)> *: The campaign targeted the target nodes.
  • ou:campaign -(uses)> *: The campaign made use of the target node.
  • ou:contribution -(includes)> *: The contribution includes the specific node.
  • ou:org -(has)> *: The organization is or was in possession of the target node.
  • ou:org -(owns)> *: The organization owns or owned the target node.
  • ou:org -(targets)> *: The organization targets the target node.
  • ou:org -(uses)> *: The ou:org makes use of the target node.
  • ps:contact -(has)> *: The contact is or was in possession of the target node.
  • ps:contact -(owns)> *: The contact owns or owned the target node.
  • ps:person -(has)> *: The person is or was in possession of the target node.
  • ps:person -(owns)> *: The person owns or owned the target node.
  • risk:attack -(targets)> *: The attack targeted the target node.
  • risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
  • risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
  • risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
  • risk:leak -(leaked)> *: The leak included the disclosure of the target node.
  • risk:threat -(targets)> *: The threat cluster targeted the target node.
  • risk:threat -(uses)> *: The threat cluster uses the target node.
  • risk:tool:software -(uses)> *: The tool uses the target node.
  • sci:evidence -(has)> *: The evidence includes observations from the target nodes.
  • sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
  • sci:observation -(has)> *: The observations are summarized from the target nodes.

inet:whois:recns

A nameserver associated with a domain whois record.

The base type for the form can be found at inet:whois:recns.

Properties:

  • :ns (inet:fqdn): A nameserver for a domain as listed in the domain whois record. [Read Only: True]
  • :rec (inet:whois:rec): The whois record containing the nameserver data. [Read Only: True]
  • :rec:fqdn (inet:fqdn): The domain associated with the whois record. [Read Only: True]
  • :rec:asof (time): The date of the whois record. [Read Only: True]

Source Edges:

  • * -(meets)> ou:requirement: The requirement is met by the source node.
  • * -(refs)> *: The source node contains a reference to the target node.
  • * -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges:

  • * -(refs)> *: None
  • econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
  • it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
  • it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
  • it:exec:query -(found)> *: The target node was returned as a result of running the query.
  • meta:note -(about)> *: The meta:note is about the target node.
  • meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
  • meta:rule -(matches)> *: The meta:rule has matched on the target node.
  • meta:source -(seen)> *: The meta:source observed the target node.
  • ou:campaign -(targets)> *: The campaign targeted the target nodes.
  • ou:campaign -(uses)> *: The campaign made use of the target node.
  • ou:contribution -(includes)> *: The contribution includes the specific node.
  • ou:org -(has)> *: The organization is or was in possession of the target node.
  • ou:org -(owns)> *: The organization owns or owned the target node.
  • ou:org -(targets)> *: The organization targets the target node.
  • ou:org -(uses)> *: The ou:org makes use of the target node.
  • ps:contact -(has)> *: The contact is or was in possession of the target node.
  • ps:contact -(owns)> *: The contact owns or owned the target node.
  • ps:person -(has)> *: The person is or was in possession of the target node.
  • ps:person -(owns)> *: The person owns or owned the target node.
  • risk:attack -(targets)> *: The attack targeted the target node.
  • risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
  • risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
  • risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
  • risk:leak -(leaked)> *: The leak included the disclosure of the target node.
  • risk:threat -(targets)> *: The threat cluster targeted the target node.
  • risk:threat -(uses)> *: The threat cluster uses the target node.
  • risk:tool:software -(uses)> *: The tool uses the target node.
  • sci:evidence -(has)> *: The evidence includes observations from the target nodes.
  • sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
  • sci:observation -(has)> *: The observations are summarized from the target nodes.

inet:whois:reg

A domain registrant.

The base type for the form can be found at inet:whois:reg.

An example of inet:whois:reg:

  • woot hostmaster

Source Edges:

  • * -(meets)> ou:requirement: The requirement is met by the source node.
  • * -(refs)> *: The source node contains a reference to the target node.
  • * -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges:

  • * -(refs)> *: None
  • econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
  • it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
  • it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
  • it:exec:query -(found)> *: The target node was returned as a result of running the query.
  • meta:note -(about)> *: The meta:note is about the target node.
  • meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
  • meta:rule -(matches)> *: The meta:rule has matched on the target node.
  • meta:source -(seen)> *: The meta:source observed the target node.
  • ou:campaign -(targets)> *: The campaign targeted the target nodes.
  • ou:campaign -(uses)> *: The campaign made use of the target node.
  • ou:contribution -(includes)> *: The contribution includes the specific node.
  • ou:org -(has)> *: The organization is or was in possession of the target node.
  • ou:org -(owns)> *: The organization owns or owned the target node.
  • ou:org -(targets)> *: The organization targets the target node.
  • ou:org -(uses)> *: The ou:org makes use of the target node.
  • ps:contact -(has)> *: The contact is or was in possession of the target node.
  • ps:contact -(owns)> *: The contact owns or owned the target node.
  • ps:person -(has)> *: The person is or was in possession of the target node.
  • ps:person -(owns)> *: The person owns or owned the target node.
  • risk:attack -(targets)> *: The attack targeted the target node.
  • risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
  • risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
  • risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
  • risk:leak -(leaked)> *: The leak included the disclosure of the target node.
  • risk:threat -(targets)> *: The threat cluster targeted the target node.
  • risk:threat -(uses)> *: The threat cluster uses the target node.
  • risk:tool:software -(uses)> *: The tool uses the target node.
  • sci:evidence -(has)> *: The evidence includes observations from the target nodes.
  • sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
  • sci:observation -(has)> *: The observations are summarized from the target nodes.

inet:whois:regid

The registry unique identifier of the registration record.

The base type for the form can be found at inet:whois:regid.

An example of inet:whois:regid:

  • NET-10-0-0-0-1

Source Edges:

  • * -(meets)> ou:requirement: The requirement is met by the source node.
  • * -(refs)> *: The source node contains a reference to the target node.
  • * -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges:

  • * -(refs)> *: None
  • econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
  • it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
  • it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
  • it:exec:query -(found)> *: The target node was returned as a result of running the query.
  • meta:note -(about)> *: The meta:note is about the target node.
  • meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
  • meta:rule -(matches)> *: The meta:rule has matched on the target node.
  • meta:source -(seen)> *: The meta:source observed the target node.
  • ou:campaign -(targets)> *: The campaign targeted the target nodes.
  • ou:campaign -(uses)> *: The campaign made use of the target node.
  • ou:contribution -(includes)> *: The contribution includes the specific node.
  • ou:org -(has)> *: The organization is or was in possession of the target node.
  • ou:org -(owns)> *: The organization owns or owned the target node.
  • ou:org -(targets)> *: The organization targets the target node.
  • ou:org -(uses)> *: The ou:org makes use of the target node.
  • ps:contact -(has)> *: The contact is or was in possession of the target node.
  • ps:contact -(owns)> *: The contact owns or owned the target node.
  • ps:person -(has)> *: The person is or was in possession of the target node.
  • ps:person -(owns)> *: The person owns or owned the target node.
  • risk:attack -(targets)> *: The attack targeted the target node.
  • risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
  • risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
  • risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
  • risk:leak -(leaked)> *: The leak included the disclosure of the target node.
  • risk:threat -(targets)> *: The threat cluster targeted the target node.
  • risk:threat -(uses)> *: The threat cluster uses the target node.
  • risk:tool:software -(uses)> *: The tool uses the target node.
  • sci:evidence -(has)> *: The evidence includes observations from the target nodes.
  • sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
  • sci:observation -(has)> *: The observations are summarized from the target nodes.

inet:wifi:ap

An SSID/MAC address combination for a wireless access point.

The base type for the form can be found at inet:wifi:ap.

Properties:

  • :ssid (inet:wifi:ssid): The SSID for the wireless access point. [Read Only: True]
  • :bssid (inet:mac): The MAC address for the wireless access point. [Read Only: True]
  • :latlong (geo:latlong): The best known latitude/longitude for the wireless access point.
  • :accuracy (geo:dist): The reported accuracy of the latlong telemetry reading.
  • :channel (int): The WiFi channel that the AP was last observed operating on.
  • :encryption (lower: True, strip: True): The type of encryption used by the WiFi AP, such as “wpa2”.
  • :place (geo:place): The geo:place associated with the latlong property.
  • :loc (loc): The geo-political location string for the wireless access point.
  • :org (ou:org): The organization that owns/operates the access point.

Source Edges:

  • * -(meets)> ou:requirement: The requirement is met by the source node.
  • * -(refs)> *: The source node contains a reference to the target node.
  • * -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges:

  • * -(refs)> *: None
  • econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
  • it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
  • it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
  • it:exec:query -(found)> *: The target node was returned as a result of running the query.
  • meta:note -(about)> *: The meta:note is about the target node.
  • meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
  • meta:rule -(matches)> *: The meta:rule has matched on the target node.
  • meta:source -(seen)> *: The meta:source observed the target node.
  • ou:campaign -(targets)> *: The campaign targeted the target nodes.
  • ou:campaign -(uses)> *: The campaign made use of the target node.
  • ou:contribution -(includes)> *: The contribution includes the specific node.
  • ou:org -(has)> *: The organization is or was in possession of the target node.
  • ou:org -(owns)> *: The organization owns or owned the target node.
  • ou:org -(targets)> *: The organization targets the target node.
  • ou:org -(uses)> *: The ou:org makes use of the target node.
  • ps:contact -(has)> *: The contact is or was in possession of the target node.
  • ps:contact -(owns)> *: The contact owns or owned the target node.
  • ps:person -(has)> *: The person is or was in possession of the target node.
  • ps:person -(owns)> *: The person owns or owned the target node.
  • risk:attack -(targets)> *: The attack targeted the target node.
  • risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
  • risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
  • risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
  • risk:leak -(leaked)> *: The leak included the disclosure of the target node.
  • risk:threat -(targets)> *: The threat cluster targeted the target node.
  • risk:threat -(uses)> *: The threat cluster uses the target node.
  • risk:tool:software -(uses)> *: The tool uses the target node.
  • sci:evidence -(has)> *: The evidence includes observations from the target nodes.
  • sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
  • sci:observation -(has)> *: The observations are summarized from the target nodes.

inet:wifi:ssid

A WiFi service set identifier (SSID) name.

The base type for the form can be found at inet:wifi:ssid.

An example of inet:wifi:ssid:

  • The Vertex Project

Source Edges:

  • * -(meets)> ou:requirement: The requirement is met by the source node.
  • * -(refs)> *: The source node contains a reference to the target node.
  • * -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges:

  • * -(refs)> *: None
  • econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
  • it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
  • it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
  • it:exec:query -(found)> *: The target node was returned as a result of running the query.
  • meta:note -(about)> *: The meta:note is about the target node.
  • meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
  • meta:rule -(matches)> *: The meta:rule has matched on the target node.
  • meta:source -(seen)> *: The meta:source observed the target node.
  • ou:campaign -(targets)> *: The campaign targeted the target nodes.
  • ou:campaign -(uses)> *: The campaign made use of the target node.
  • ou:contribution -(includes)> *: The contribution includes the specific node.
  • ou:org -(has)> *: The organization is or was in possession of the target node.
  • ou:org -(owns)> *: The organization owns or owned the target node.
  • ou:org -(targets)> *: The organization targets the target node.
  • ou:org -(uses)> *: The ou:org makes use of the target node.
  • ps:contact -(has)> *: The contact is or was in possession of the target node.
  • ps:contact -(owns)> *: The contact owns or owned the target node.
  • ps:person -(has)> *: The person is or was in possession of the target node.
  • ps:person -(owns)> *: The person owns or owned the target node.
  • risk:attack -(targets)> *: The attack targeted the target node.
  • risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
  • risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
  • risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
  • risk:leak -(leaked)> *: The leak included the disclosure of the target node.
  • risk:threat -(targets)> *: The threat cluster targeted the target node.
  • risk:threat -(uses)> *: The threat cluster uses the target node.
  • risk:tool:software -(uses)> *: The tool uses the target node.
  • sci:evidence -(has)> *: The evidence includes observations from the target nodes.
  • sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
  • sci:observation -(has)> *: The observations are summarized from the target nodes.

iso:oid

An ISO Object Identifier string.

The base type for the form can be found at iso:oid.

Properties:

| name | type | doc |
|---|---|---|
| :descr | str | A description of the value or meaning of the OID. |
| :identifier | str | The string identifier for the deepest tree element. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:account

A GUID that represents an account on a host or network.

The base type for the form can be found at it:account.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :user | inet:user | The username associated with the account. | |
| :contact | ps:contact | Additional contact information associated with this account. | |
| :host | it:host | The host where the account is registered. | |
| :domain | it:domain | The authentication domain where the account is registered. | |
| :posix:uid | int | The user ID of the account. | Example: 1001 |
| :posix:gid | int | The primary group ID of the account. | Example: 1001 |
| :posix:gecos | int | The GECOS field for the POSIX account. | |
| :posix:home | file:path | The path to the POSIX account’s home directory. | Example: /home/visi |
| :posix:shell | file:path | The path to the POSIX account’s default shell. | Example: /bin/bash |
| :windows:sid | it:os:windows:sid | The Microsoft Windows Security Identifier of the account. | |
| :groups | type: it:group, uniq: True, sorted: True | An array of groups that the account is a member of. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:adid

An advertising identification string.

The base type for the form can be found at it:adid.

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:app:snort:hit

An instance of a snort rule hit.

The base type for the form can be found at it:app:snort:hit.

Properties:

| name | type | doc |
|---|---|---|
| :rule | it:app:snort:rule | The snort rule that matched the file. |
| :flow | inet:flow | The inet:flow that matched the snort rule. |
| :src | inet:addr | The source address of the flow that caused the hit. |
| :src:ipv4 | inet:ipv4 | The source IPv4 address of the flow that caused the hit. |
| :src:ipv6 | inet:ipv6 | The source IPv6 address of the flow that caused the hit. |
| :src:port | inet:port | The source port of the flow that caused the hit. |
| :dst | inet:addr | The destination address of the trigger. |
| :dst:ipv4 | inet:ipv4 | The destination IPv4 address of the flow that caused the hit. |
| :dst:ipv6 | inet:ipv6 | The destination IPv6 address of the flow that caused the hit. |
| :dst:port | inet:port | The destination port of the flow that caused the hit. |
| :time | time | The time of the network flow that caused the hit. |
| :sensor | it:host | The sensor host node that produced the hit. |
| :version | it:semver | The version of the rule at the time of match. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:app:snort:rule

A snort rule.

The base type for the form can be found at it:app:snort:rule.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :id | str | The snort rule id. | |
| :text | str | The snort rule text. | Display: {'hint': 'text'} |
| :name | str | The name of the snort rule. | |
| :desc | str | A brief description of the snort rule. | Display: {'hint': 'text'} |
| :engine | int | The snort engine ID which can parse and evaluate the rule text. | |
| :version | it:semver | The current version of the rule. | |
| :author | ps:contact | Contact info for the author of the rule. | |
| :created | time | The time the rule was initially created. | |
| :updated | time | The time the rule was most recently modified. | |
| :enabled | bool | The rule enabled status to be used for snort evaluation engines. | |
| :family | it:prod:softname | The name of the software family the rule is designed to detect. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:app:yara:match

A YARA rule match to a file.

The base type for the form can be found at it:app:yara:match.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :rule | it:app:yara:rule | The YARA rule that matched the file. | Read Only: True |
| :file | file:bytes | The file that matched the YARA rule. | Read Only: True |
| :version | it:semver | The most recent version of the rule evaluated as a match. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:app:yara:procmatch

An instance of a YARA rule match to a process.

The base type for the form can be found at it:app:yara:procmatch.

Properties:

| name | type | doc |
|---|---|---|
| :rule | it:app:yara:rule | The YARA rule that matched the file. |
| :proc | it:exec:proc | The process that matched the YARA rule. |
| :time | time | The time that the YARA engine matched the process to the rule. |
| :version | it:semver | The most recent version of the rule evaluated as a match. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:app:yara:rule

A YARA rule unique identifier.

The base type for the form can be found at it:app:yara:rule.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :text | str | The YARA rule text. | Display: {'hint': 'text', 'syntax': 'yara'} |
| :ext:id | str | The YARA rule ID from an external system. | |
| :url | inet:url | A URL which documents the YARA rule. | |
| :name | str | The name of the YARA rule. | |
| :author | ps:contact | Contact info for the author of the YARA rule. | |
| :version | it:semver | The current version of the rule. | |
| :created | time | The time the YARA rule was initially created. | |
| :updated | time | The time the YARA rule was most recently modified. | |
| :enabled | bool | The rule enabled status to be used for YARA evaluation engines. | |
| :family | it:prod:softname | The name of the software family the rule is designed to detect. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:auth:passwdhash

An instance of a password hash.

The base type for the form can be found at it:auth:passwdhash.

Properties:

| name | type | doc |
|---|---|---|
| :salt | hex | The (optional) hex encoded salt value used to calculate the password hash. |
| :hash:md5 | hash:md5 | The MD5 password hash value. |
| :hash:sha1 | hash:sha1 | The SHA1 password hash value. |
| :hash:sha256 | hash:sha256 | The SHA256 password hash value. |
| :hash:sha512 | hash:sha512 | The SHA512 password hash value. |
| :hash:lm | hash:lm | The LM password hash value. |
| :hash:ntlm | hash:ntlm | The NTLM password hash value. |
| :passwd | inet:passwd | The (optional) clear text password for this password hash. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:av:filehit

Deprecated. Please use it:av:scan:result.

The base type for the form can be found at it:av:filehit.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :file | file:bytes | The file that triggered the signature hit. | Read Only: True |
| :sig | it:av:sig | The signature that the file triggered on. | Read Only: True |
| :sig:name | it:av:signame | The signature name. | Read Only: True |
| :sig:soft | it:prod:soft | The anti-virus product which contains the signature. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:av:prochit

Deprecated. Please use it:av:scan:result.

The base type for the form can be found at it:av:prochit.

Properties:

name | type | doc
:proc | it:exec:proc | The process that triggered the signature hit.
:sig | it:av:sig | The signature that the process triggered on.
:time | time | The time that the AV engine detected the signature.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:av:scan:result

The result of running an antivirus scanner.

The base type for the form can be found at it:av:scan:result.

Properties:

name | type | doc
:time | time | The time the scan was run.
:verdict | enums: ((10, 'benign'), (20, 'unknown'), (30, 'suspicious'), (40, 'malicious')) | The scanner provided verdict for the scan.
:scanner | it:prod:softver | The scanner software used to produce the result.
:scanner:name | it:prod:softname | The name of the scanner software.
:signame | it:av:signame | The name of the signature returned by the scanner.
:target:file | file:bytes | The file that was scanned to produce the result.
:target:proc | it:exec:proc | The process that was scanned to produce the result.
:target:host | it:host | The host that was scanned to produce the result.
:target:fqdn | inet:fqdn | The FQDN that was scanned to produce the result.
:target:url | inet:url | The URL that was scanned to produce the result.
:target:ipv4 | inet:ipv4 | The IPv4 address that was scanned to produce the result.
:target:ipv6 | inet:ipv6 | The IPv6 address that was scanned to produce the result.
:multi:scan | it:av:scan:result | Set if this result was part of running multiple scanners.
:multi:count | min: 0 | The total number of scanners which were run by a multi-scanner.
:multi:count:benign | min: 0 | The number of scanners which returned a benign verdict.
:multi:count:unknown | min: 0 | The number of scanners which returned an unknown/unsupported verdict.
:multi:count:suspicious | min: 0 | The number of scanners which returned a suspicious verdict.
:multi:count:malicious | min: 0 | The number of scanners which returned a malicious verdict.
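
The properties above describe how one multi-scanner run is split into a summary node carrying the :multi:count* counters and one it:av:scan:result node per engine pointing back through :multi:scan. The following is an added example (not Synapse project code) that builds those property sets from a constructed report, keeps "unknown" separate from "benign" as the model does, and checks that the per-verdict counters add up to :multi:count. The verdict integers are the documented enum values; the report, engine names, the deterministic guid convention, the choice of the most severe verdict for the summary node, and the Storm rendering are assumptions of the example.

```python
"""Aggregate a multi-scanner report into it:av:scan:result property sets.

Added example, not Synapse project code. It relies only on what the form
documents: the verdict enum (10 benign, 20 unknown, 30 suspicious,
40 malicious), the :multi:scan back-reference and the :multi:count*
properties. The report, engine names, the deterministic guid convention and
the Storm rendering are constructed for illustration.
"""
import hashlib

VERDICTS = {"benign": 10, "unknown": 20, "suspicious": 30, "malicious": 40}

# Constructed report: one scanned file, five engines. An engine that cannot
# handle the file type reports "unknown", which the model counts separately
# from "benign" so that a non-scan is never mistaken for a clean verdict.
REPORT = {
    "time": "2024-05-01T12:00:00Z",
    "target:file": "sha256:" + "ab" * 32,  # constructed hash, not a real sample
    "engines": [
        {"name": "engine-a", "verdict": "malicious",  "signame": "Trojan.Generic"},
        {"name": "engine-b", "verdict": "malicious",  "signame": "W32/Agent"},
        {"name": "engine-c", "verdict": "suspicious", "signame": "Heur.Packed"},
        {"name": "engine-d", "verdict": "benign",     "signame": None},
        {"name": "engine-e", "verdict": "unknown",    "signame": None},
    ],
}


def guid(*parts):
    """Deterministic 32-hex node identifier (a convention of this example, so
    re-importing the same report does not create duplicate nodes)."""
    joined = "|".join(str(p) for p in parts).encode()
    return hashlib.sha256(joined).hexdigest()[:32]


def build_scan_results(report):
    """Return ((summary_guid, summary_props), [(guid, props), ...]).

    The summary node carries :multi:count and the per-verdict counters; each
    per-engine node carries that engine's own verdict and signature name and
    points back at the summary through :multi:scan.
    """
    summary_guid = guid("multi", report["time"], report["target:file"])
    counts = {label: 0 for label in VERDICTS}
    per_engine = []
    for engine in report["engines"]:
        label = engine["verdict"]
        if label not in VERDICTS:
            raise ValueError(f"{engine['name']}: verdict {label!r} not in enum")
        counts[label] += 1
        props = {
            "time": report["time"],
            "target:file": report["target:file"],
            "scanner:name": engine["name"],
            "verdict": VERDICTS[label],
            "multi:scan": summary_guid,
        }
        if engine["signame"]:  # a benign/unknown result carries no signature
            props["signame"] = engine["signame"]
        per_engine.append((guid(engine["name"], report["time"], report["target:file"]), props))

    if not per_engine:
        raise ValueError("report has no engine results")
    summary = {
        "time": report["time"],
        "target:file": report["target:file"],
        # Summary verdict: the most severe verdict any engine returned. This is
        # a choice of the example; the model itself does not prescribe one.
        "verdict": max(p["verdict"] for _, p in per_engine),
        "multi:count": len(per_engine),
    }
    for label, n in counts.items():
        summary["multi:count:" + label] = n
    # Loader sanity check: every engine result is counted exactly once.
    if sum(counts.values()) != summary["multi:count"]:
        raise ValueError("per-verdict counters do not add up to multi:count")
    return (summary_guid, summary), per_engine


def to_storm(node_guid, props):
    """Render one node as a Storm edit block; strings are double-quoted and
    ints left bare (illustrative rendering, not a full Storm serializer)."""
    parts = ["it:av:scan:result=" + node_guid]
    for name, value in props.items():
        parts.append(f":{name}={value}" if isinstance(value, int) else f':{name}="{value}"')
    return "[ " + " ".join(parts) + " ]"


if __name__ == "__main__":
    (sguid, summary), nodes = build_scan_results(REPORT)
    print(to_storm(sguid, summary))
    for nguid, props in nodes:
        print(to_storm(nguid, props))
```

Run as a script, it prints one Storm edit block for the summary node and one per engine. The point worth keeping from the counter check is that :multi:count:unknown is a first-class counter: a loader that folded unsupported files into "benign" would silently inflate the clean count.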

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:av:sig

Deprecated. Please use it:av:scan:result.

The base type for the form can be found at it:av:sig.

Properties:

name | type | doc | opts
:soft | it:prod:soft | The anti-virus product which contains the signature. | Read Only: True
:name | it:av:signame | The signature name. | Read Only: True
:desc | str | A free-form description of the signature. | Display: {'hint': 'text'}
:url | inet:url | A reference URL for information about the signature. |

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:av:signame

An antivirus signature name.

The base type for the form can be found at it:av:signame.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:cmd

A unique command-line string.

The base type for the form can be found at it:cmd.

An example of it:cmd:

  • foo.exe --dostuff bar

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:dev:int

A developer selected integer constant.

The base type for the form can be found at it:dev:int.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:dev:mutex

A string representing a mutex.

The base type for the form can be found at it:dev:mutex.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:dev:pipe

A string representing a named pipe.

The base type for the form can be found at it:dev:pipe.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:dev:regkey

A Windows registry key.

The base type for the form can be found at it:dev:regkey.

An example of it:dev:regkey:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:dev:regval

A Windows registry key/value pair.

The base type for the form can be found at it:dev:regval.

Properties:

name | type | doc
:key | it:dev:regkey | The Windows registry key.
:str | it:dev:str | The value of the registry key, if the value is a string.
:int | it:dev:int | The value of the registry key, if the value is an integer.
:bytes | file:bytes | The file representing the value of the registry key, if the value is binary data.
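
Because a regval holds exactly one of :str, :int or :bytes depending on the registry data type, the work of an importer is deciding which property a value lands in. The parser below is an added example (not Synapse project code) that reads lines in the Windows .reg export format and emits one property dict per value, choosing :str for quoted strings, :int for dword values and :bytes for hex blobs. The registry export text is constructed; the "sha256:<hex>" spelling of a file:bytes value and the handling of the value name (which is not a property of the form on this page, so it is returned beside the dict for the caller to place) are assumptions of the example.

```python
"""Turn Windows .reg export lines into it:dev:regval property sets.

Added example, not Synapse project code. Output dicts use the property names
documented for it:dev:regval (key, str, int, bytes). The registry export text
is constructed, and "sha256:<hex>" as the file:bytes value is an assumption.
"""
import hashlib
import re

# Constructed .reg excerpt: a Run key with a string value, a DWORD and a blob.
REG_TEXT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\svc.exe"
"Retries"=dword:0000000a
"Blob"=hex:4d,5a,90,00
'''

_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_VAL_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(text):
    """Undo the .reg string escapes: \\" for a quote and \\\\ for a backslash."""
    return text.replace(r'\"', '"').replace('\\\\', '\\')


def parse_reg(text):
    """Return [(value_name, props), ...] where props follows it:dev:regval.

    The value name is returned separately because the form on this page has
    no property for it; '' stands for the key's default value (@).
    Multi-line hex blobs (lines continued with a trailing backslash) are not
    joined here.
    """
    key = None
    values = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = _VAL_RE.match(line)
        if not m or key is None:
            continue  # not a well-formed value line, or a value before any key
        name = '' if m.group('default') else _unescape(m.group('name'))
        data = m.group('data')
        props = {'key': key}
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            props['str'] = _unescape(data[1:-1])           # REG_SZ
        elif data.startswith('dword:'):
            props['int'] = int(data[len('dword:'):], 16)   # REG_DWORD, hex in .reg
        elif data.startswith('hex'):
            # hex: or hex(N): blobs become a file:bytes reference by content hash.
            blob = bytes.fromhex(data.split(':', 1)[1].replace(',', '').replace('\\', ''))
            props['bytes'] = 'sha256:' + hashlib.sha256(blob).hexdigest()
        else:
            continue  # unsupported data type; leave it out rather than guess
        values.append((name, props))
    return values


if __name__ == "__main__":
    for name, props in parse_reg(REG_TEXT):
        print(name, props)
```

Note the deliberate asymmetry: a DWORD is stored as the integer itself, but binary data is stored by reference, so the importer has to hash (and, in a real loader, upload) the blob rather than embed it in the node.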

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:dev:repo

A version control system instance.

The base type for the form can be found at it:dev:repo.

Properties:

name | type | doc | opts
:name | lower: True; strip: True | The name of the repository. |
:desc | str | A free-form description of the repository. | Display: {'hint': 'text'}
:created | time | When the repository was created. |
:url | inet:url | A URL where the repository is hosted. |
:type | it:dev:repo:type:taxonomy | The type of the version control system used. | Example: svn
:submodules | | An array of other repos that this repo has as submodules, pinned at specific commits. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:dev:repo:branch

A branch in a version control system instance.

The base type for the form can be found at it:dev:repo:branch.

Properties:

name | type | doc
:parent | it:dev:repo:branch | The branch this branch was branched from.
:start | it:dev:repo:commit | The commit in the parent branch this branch was created at.
:name | strip: True | The name of the branch.
:url | inet:url | The URL where the branch is hosted.
:created | time | The time this branch was created.
:merged | time | The time this branch was merged back into its parent.
:deleted | time | The time this branch was deleted.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:dev:repo:commit

A commit to a repository.

The base type for the form can be found at it:dev:repo:commit.

Properties:

name | type | doc | opts
:repo | it:dev:repo | The repository the commit lives in. |
:parents | | The commit or commits this commit is immediately based on. |
:branch | it:dev:repo:branch | The name of the branch the commit was made to. |
:mesg | str | The commit message describing the changes in the commit. | Display: {'hint': 'text'}
:id | str | The version control system specific commit identifier. |
:created | time | The time the commit was made. |
:url | inet:url | The URL where the commit is hosted. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:dev:repo:diff

A diff of a file being applied in a single commit.

The base type for the form can be found at it:dev:repo:diff.

Properties:

name | type | doc
:commit | it:dev:repo:commit | The commit that produced this diff.
:file | file:bytes | The file after the commit has been applied.
:path | file:path | The path to the file in the repo that the diff is being applied to.
:url | inet:url | The URL where the diff is hosted.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:dev:repo:diff:comment

A comment on a diff in a repository.

The base type for the form can be found at it:dev:repo:diff:comment.

Properties:

name | type | doc | opts
:diff | it:dev:repo:diff | The diff the comment is being added to. |
:text | str | The body of the comment. | Display: {'hint': 'text'}
:replyto | it:dev:repo:diff:comment | The comment that this comment is replying to. |
:line | int | The line in the file that is being commented on. |
:offset | int | The offset in the line in the file that is being commented on. |
:url | inet:url | The URL where the comment is hosted. |
:created | time | The time the comment was created. |
:updated | time | The time the comment was updated. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:dev:repo:issue

An issue raised in a repository.

The base type for the form can be found at it:dev:repo:issue.

Properties:

name | type | doc | opts
:repo | it:dev:repo | The repo where the issue was logged. |
:title | lower: True; strip: True | The title of the issue. |
:desc | str | The text describing the issue. | Display: {'hint': 'text'}
:created | time | The time the issue was created. |
:updated | time | The time the issue was updated. |
:url | inet:url | The URL where the issue is hosted. |
:id | strip: True | The ID of the issue in the repository system. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:dev:repo:issue:comment

A comment on an issue in a repository.

The base type for the form can be found at it:dev:repo:issue:comment.

Properties:

name | type | doc | opts
:issue | it:dev:repo:issue | The issue thread that the comment was made in. |
:text | str | The body of the comment. | Display: {'hint': 'text'}
:replyto | it:dev:repo:issue:comment | The comment that this comment is replying to. |
:url | inet:url | The URL where the comment is hosted. |
:created | time | The time the comment was created. |
:updated | time | The time the comment was updated. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:dev:repo:issue:label

A label applied to a repository issue.

The base type for the form can be found at it:dev:repo:issue:label.

Properties:

name | type | doc
:issue | it:dev:repo:issue | The issue the label was applied to.
:label | it:dev:repo:label | The label that was applied to the issue.
:applied | time | The time the label was applied.
:removed | time | The time the label was removed.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:dev:repo:label

A developer-selected label.

The base type for the form can be found at it:dev:repo:label.

Properties:

name | type | doc | opts
:id | strip: True | The ID of the label. |
:title | lower: True; strip: True | The human-friendly name of the label. |
:desc | str | The description of the label. | Display: {'hint': 'text'}

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:dev:repo:remote

A remote repo that is tracked for changes/branches/etc.

The base type for the form can be found at it:dev:repo:remote.

Properties:

name | type | doc | opts
:name | lower: True; onespace: True | The name the repo is using for the remote repo. | Example: origin
:url | inet:url | The URL the repo is using to access the remote repo. |
:repo | it:dev:repo | The repo that is tracking the remote repo. |
:remote | it:dev:repo | The instance of the remote repo. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:dev:repo:type:taxonomy

A version control system type taxonomy.

The base type for the form can be found at it:dev:repo:type:taxonomy.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | it:dev:repo:type:taxonomy | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:dev:str

A developer-selected string.

The base type for the form can be found at it:dev:str.

Properties:

| name | type | doc |
|---|---|---|
| :norm | lower: True | Lower-case normalized version of the it:dev:str. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:domain

A logical boundary of authentication and configuration, such as a Windows domain.

The base type for the form can be found at it:domain.

Properties:

| name | type | doc |
|---|---|---|
| :name | lower: True, onespace: True | The name of the domain. |
| :desc | str | A brief description of the domain. |
| :org | ou:org | The org that operates the given domain. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:exec:bind

An instance of a host binding a listening port.

The base type for the form can be found at it:exec:bind.

Properties:

| name | type | doc |
|---|---|---|
| :proc | it:exec:proc | The host process which caused the activity. |
| :host | it:host | The host on which the activity occurred. |
| :exe | file:bytes | The executable file which caused the activity. |
| :time | time | The time that the activity started. |
| :server | inet:server | The inet:addr of the server when binding the port. |
| :server:ipv4 | inet:ipv4 | The IPv4 address specified to bind(). |
| :server:ipv6 | inet:ipv6 | The IPv6 address specified to bind(). |
| :server:port | inet:port | The bound (listening) TCP port. |
| :sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze. |
| :thread | it:exec:thread | The host thread which caused the activity. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:exec:file:add

An instance of a host adding a file to a filesystem.

The base type for the form can be found at it:exec:file:add.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :proc | it:exec:proc | The host process which caused the activity. | |
| :host | it:host | The host on which the activity occurred. | |
| :exe | file:bytes | The executable file which caused the activity. | |
| :time | time | The time that the activity started. | |
| :path | file:path | The path where the file was created. | |
| :path:dir | file:path | The parent directory of the file path (parsed from :path). | Read Only: True |
| :path:ext | lower: True, strip: True | The file extension of the file name (parsed from :path). | Read Only: True |
| :path:base | file:base | The final component of the file path (parsed from :path). | Read Only: True |
| :file | file:bytes | The file that was created. | |
| :sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze. | |
| :thread | it:exec:thread | The host thread which caused the activity. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:exec:file:del

An instance of a host deleting a file from a filesystem.

The base type for the form can be found at it:exec:file:del.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :proc | it:exec:proc | The host process which caused the activity. | |
| :host | it:host | The host on which the activity occurred. | |
| :exe | file:bytes | The executable file which caused the activity. | |
| :time | time | The time that the activity started. | |
| :path | file:path | The path where the file was deleted. | |
| :path:dir | file:path | The parent directory of the file path (parsed from :path). | Read Only: True |
| :path:ext | lower: True, strip: True | The file extension of the file name (parsed from :path). | Read Only: True |
| :path:base | file:base | The final component of the file path (parsed from :path). | Read Only: True |
| :file | file:bytes | The file that was deleted. | |
| :sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze. | |
| :thread | it:exec:thread | The host thread which caused the activity. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:exec:file:read

An instance of a host reading a file from a filesystem.

The base type for the form can be found at it:exec:file:read.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :proc | it:exec:proc | The host process which caused the activity. | |
| :host | it:host | The host on which the activity occurred. | |
| :exe | file:bytes | The executable file which caused the activity. | |
| :time | time | The time that the activity started. | |
| :path | file:path | The path where the file was read. | |
| :path:dir | file:path | The parent directory of the file path (parsed from :path). | Read Only: True |
| :path:ext | lower: True, strip: True | The file extension of the file name (parsed from :path). | Read Only: True |
| :path:base | file:base | The final component of the file path (parsed from :path). | Read Only: True |
| :file | file:bytes | The file that was read. | |
| :sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze. | |
| :thread | it:exec:thread | The host thread which caused the activity. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:exec:file:write

An instance of a host writing a file to a filesystem.

The base type for the form can be found at it:exec:file:write.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :proc | it:exec:proc | The host process which caused the activity. | |
| :host | it:host | The host on which the activity occurred. | |
| :exe | file:bytes | The executable file which caused the activity. | |
| :time | time | The time that the activity started. | |
| :path | file:path | The path where the file was written to or modified. | |
| :path:dir | file:path | The parent directory of the file path (parsed from :path). | Read Only: True |
| :path:ext | lower: True, strip: True | The file extension of the file name (parsed from :path). | Read Only: True |
| :path:base | file:base | The final component of the file path (parsed from :path). | Read Only: True |
| :file | file:bytes | The file that was modified. | |
| :sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze. | |
| :thread | it:exec:thread | The host thread which caused the activity. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:exec:loadlib

A library load event in a process.

The base type for the form can be found at it:exec:loadlib.

Properties:

| name | type | doc |
|---|---|---|
| :proc | it:exec:proc | The host process which caused the activity. |
| :va | int | The base memory address where the library was loaded in the process. |
| :loaded | time | The time the library was loaded. |
| :unloaded | time | The time the library was unloaded. |
| :path | file:path | The path that the library was loaded from. |
| :file | file:bytes | The library file that was loaded. |
| :sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze. |
| :exe | file:bytes | The executable file which caused the activity. |
| :thread | it:exec:thread | The host thread which caused the activity. |
| :host | it:host | The host on which the activity occurred. |
| :time | time | The time that the activity started. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:exec:mmap

A memory mapped segment located in a process.

The base type for the form can be found at it:exec:mmap.

Properties:

name | type | doc
:proc | it:exec:proc | The host process which caused the activity.
:va | int | The base memory address where the map was created in the process.
:size | int | The size of the memory map in bytes.
:perms:read | bool | True if the mmap is mapped with read permissions.
:perms:write | bool | True if the mmap is mapped with write permissions.
:perms:execute | bool | True if the mmap is mapped with execute permissions.
:created | time | The time the memory map was created.
:deleted | time | The time the memory map was deleted.
:path | file:path | The file path if the mmap is a mapped view of a file.
:hash:sha256 | hash:sha256 | A SHA256 hash of the memory map. Bytes may optionally be present in the axon.
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze.
:exe | file:bytes | The executable file which caused the activity.
:thread | it:exec:thread | The host thread which caused the activity.
:host | it:host | The host on which the activity occurred.
:time | time | The time that the activity started.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:exec:mutex

A mutex created by a process at runtime.

The base type for the form can be found at it:exec:mutex.

Properties:

name | type | doc
:proc | it:exec:proc | The host process which caused the activity.
:host | it:host | The host on which the activity occurred.
:exe | file:bytes | The executable file which caused the activity.
:time | time | The time that the activity started.
:name | it:dev:mutex | The mutex string.
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze.
:thread | it:exec:thread | The host thread which caused the activity.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:exec:pipe

A named pipe created by a process at runtime.

The base type for the form can be found at it:exec:pipe.

Properties:

name | type | doc
:proc | it:exec:proc | The host process which caused the activity.
:host | it:host | The host on which the activity occurred.
:exe | file:bytes | The executable file which caused the activity.
:time | time | The time that the activity started.
:name | it:dev:pipe | The named pipe string.
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze.
:thread | it:exec:thread | The host thread which caused the activity.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:exec:proc

A process executing on a host. May be an actual (e.g., endpoint) or virtual (e.g., malware sandbox) host.

The base type for the form can be found at it:exec:proc.

Properties:

name | type | doc | opts
:host | it:host | The host on which the activity occurred. |
:exe | file:bytes | The executable file which caused the activity. |
:cmd | it:cmd | The command string used to launch the process, including any command line parameters. | Display: {'hint': 'text'}
:pid | int | The process ID. |
:time | time | The time that the activity started. |
:name | str | The display name specified by the process. |
:exited | time | The time the process exited. |
:exitcode | int | The exit code for the process. |
:user | inet:user | The user name of the process owner. | Deprecated: True
:account | it:account | The account of the process owner. |
:path | file:path | The path to the executable of the process. |
:path:base | file:base | The file basename of the executable of the process. |
:src:exe | file:path | Deprecated. Create :src:proc and set :path. | Deprecated: True
:src:proc | it:exec:proc | The process which created the process. |
:killedby | it:exec:proc | The process which killed this process. |
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze. |
:proc | it:exec:proc | The host process which caused the activity. |
:thread | it:exec:thread | The host thread which caused the activity. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:exec:query

An instance of an executed query.

The base type for the form can be found at it:exec:query.

Properties:

name | type | doc
:text | it:query | The query string that was executed.
:opts | data | An opaque JSON object containing query parameters and options.
:api:url | inet:url | The URL of the API endpoint the query was sent to.
:language | lower: True, onespace: True | The name of the language that the query is expressed in.
:offset | int | The offset of the last record consumed from the query.
:exe | file:bytes | The executable file which caused the activity.
:proc | it:exec:proc | The host process which caused the activity.
:thread | it:exec:thread | The host thread which caused the activity.
:host | it:host | The host on which the activity occurred.
:time | time | The time that the activity started.
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:exec:reg:del

An instance of a host deleting a registry key.

The base type for the form can be found at it:exec:reg:del.

Properties:

name | type | doc
:proc | it:exec:proc | The host process which caused the activity.
:host | it:host | The host on which the activity occurred.
:exe | file:bytes | The executable file which caused the activity.
:time | time | The time that the activity started.
:reg | it:dev:regval | The registry key or value that was deleted.
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze.
:thread | it:exec:thread | The host thread which caused the activity.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:exec:reg:get

An instance of a host getting a registry key.

The base type for the form can be found at it:exec:reg:get.

Properties:

name | type | doc
:proc | it:exec:proc | The host process which caused the activity.
:host | it:host | The host on which the activity occurred.
:exe | file:bytes | The executable file which caused the activity.
:time | time | The time that the activity started.
:reg | it:dev:regval | The registry key or value that was read.
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze.
:thread | it:exec:thread | The host thread which caused the activity.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:exec:reg:set

An instance of a host creating or setting a registry key.

The base type for the form can be found at it:exec:reg:set.

Properties:

name | type | doc
:proc | it:exec:proc | The host process which caused the activity.
:host | it:host | The host on which the activity occurred.
:exe | file:bytes | The executable file which caused the activity.
:time | time | The time that the activity started.
:reg | it:dev:regval | The registry key or value that was written to.
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze.
:thread | it:exec:thread | The host thread which caused the activity.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:exec:thread

A thread executing in a process.

The base type for the form can be found at it:exec:thread.

Properties:

name | type | doc
:proc | it:exec:proc | The host process which caused the activity.
:created | time | The time the thread was created.
:exited | time | The time the thread exited.
:exitcode | int | The exit code or return value for the thread.
:src:proc | it:exec:proc | An external process which created the thread.
:src:thread | it:exec:thread | The thread which created this thread.
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze.
:exe | file:bytes | The executable file which caused the activity.
:thread | it:exec:thread | The host thread which caused the activity.
:host | it:host | The host on which the activity occurred.
:time | time | The time that the activity started.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:exec:url

An instance of a host requesting a URL.

The base type for the form can be found at it:exec:url.

Properties:

name | type | doc
:proc | it:exec:proc | The host process which caused the activity.
:browser | it:prod:softver | The software version of the browser.
:host | it:host | The host on which the activity occurred.
:exe | file:bytes | The executable file which caused the activity.
:time | time | The time that the activity started.
:url | inet:url | The URL that was requested.
:page:pdf | file:bytes | The rendered DOM saved as a PDF file.
:page:html | file:bytes | The rendered DOM saved as an HTML file.
:page:image | file:bytes | The rendered DOM saved as an image.
:http:request | inet:http:request | The HTTP request made to retrieve the initial URL contents.
:client | inet:client | The address of the client during the URL retrieval.
:client:ipv4 | inet:ipv4 | The IPv4 of the client during the URL retrieval.
:client:ipv6 | inet:ipv6 | The IPv6 of the client during the URL retrieval.
:client:port | inet:port | The client port during the URL retrieval.
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze.
:thread | it:exec:thread | The host thread which caused the activity.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:fs:file

A file on a host.

The base type for the form can be found at it:fs:file.

Properties:

name | type | doc | opts
:host | it:host | The host containing the file. |
:path | file:path | The path for the file. |
:path:dir | file:path | The parent directory of the file path (parsed from :path). | Read Only: True
:path:ext | lower: True, strip: True | The file extension of the file name (parsed from :path). | Read Only: True
:path:base | file:base | The final component of the file path (parsed from :path). | Read Only: True
:file | file:bytes | The file on the host. |
:ctime | time | The file creation time. |
:mtime | time | The file modification time. |
:atime | time | The file access time. |
:user | inet:user | The owner of the file. |
:group | inet:user | The group owner of the file. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:group

A GUID that represents a group on a host or network.

The base type for the form can be found at it:group.

Properties:

name | type | doc | opts
:name | lower: True, onespace: True | The name of the group. |
:desc | str | A brief description of the group. |
:host | it:host | The host where the group is registered. |
:domain | it:domain | The authentication domain where the group is registered. |
:groups | type: it:group, uniq: True, sorted: True | Groups that are a member of this group. |
:posix:gid | int | The primary group ID of the account. Example: 1001 |
:windows:sid | it:os:windows:sid | The Microsoft Windows Security Identifier of the group. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:host

A GUID that represents a host or system.

The base type for the form can be found at it:host.

Properties:

name | type | doc | opts
:name | it:hostname | The name of the host or system. |
:desc | str | A free-form description of the host. |
:domain | it:domain | The authentication domain that the host is a member of. |
:ipv4 | inet:ipv4 | The last known IPv4 address for the host. |
:latlong | geo:latlong | The last known location for the host. |
:place | geo:place | The place where the host resides. |
:loc | loc | The geo-political location string for the node. |
:os | it:prod:softver | The operating system of the host. |
:os:name | it:prod:softname | A software product name for the host operating system. Used for entity resolution. |
:hardware | it:prod:hardware | The hardware specification for this host. |
:manu | str | Please use :hardware:make. | Deprecated: True
:model | str | Please use :hardware:model. | Deprecated: True
:serial | str | The serial number of the host. |
:operator | ps:contact | The operator of the host. |
:org | ou:org | The org that operates the given host. |
:ext:id | str | An external identifier for the host. |
:keyboard:layout | lower: True, onespace: True | The primary keyboard layout configured on the host. |
:keyboard:language | lang:language | The primary keyboard input language configured on the host. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:hostname

The name of a host or system.

The base type for the form can be found at it:hostname.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:hostsoft

A version of a software product which is present on a given host.

The base type for the form can be found at it:hostsoft.

Properties:

name | type | doc | opts
:host | it:host | Host with the software. | Read Only: True
:softver | it:prod:softver | Software on the host. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:hosturl

A URL hosted on or served by a host or system.

The base type for the form can be found at it:hosturl.

Properties:

name | type | doc | opts
:host | it:host | Host serving a URL. | Read Only: True
:url | inet:url | URL available on the host. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:log:event

A GUID representing an individual log event.

The base type for the form can be found at it:log:event.

Properties:

name | type | doc | opts
:mesg | str | The log message text. |
:type | it:log:event:type:taxonomy | A taxonometric type for the log event. Example: windows.eventlog.securitylog |
:severity | enums: ((10, 'debug'), (20, 'info'), (30, 'notice'), (40, 'warning'), (50, 'err'), (60, 'crit'), (70, 'alert'), (80, 'emerg')) | A log level integer that increases with severity. |
:data | data | A raw JSON record of the log event. |
:ext:id | str | An external id that uniquely identifies this log entry. |
:product | it:prod:softver | The software which produced the log entry. |
:exe | file:bytes | The executable file which caused the activity. |
:proc | it:exec:proc | The host process which caused the activity. |
:thread | it:exec:thread | The host thread which caused the activity. |
:host | it:host | The host on which the activity occurred. |
:time | time | The time that the activity started. |
:sandbox:file | file:bytes | The initial sample given to a sandbox environment to analyze. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:log:event:type:taxonomy

A taxonomy of log event types.

The base type for the form can be found at it:log:event:type:taxonomy.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | it:log:event:type:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

it:logon

A GUID that represents an individual logon/logoff event.

The base type for the form can be found at it:logon.

Properties:

name | type | doc
:time | time | The time the logon occurred.
:success | bool | Set to false to indicate an unsuccessful logon attempt.
:logoff:time | time | The time the logon session ended.
:host | it:host | The host that the account logged in to.
:account | it:account | The account that logged in.
:creds | auth:creds | The credentials that were used for the logon.
:duration | duration | The duration of the logon session.
:client:host | it:host | The host where the logon originated.
:client:ipv4 | inet:ipv4 | The IPv4 where the logon originated.
:client:ipv6 | inet:ipv6 | The IPv6 where the logon originated.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | *

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:mitre:attack:campaign

A MITRE ATT&CK Campaign ID.

The base type for the form can be found at it:mitre:attack:campaign.

An example of it:mitre:attack:campaign:

  • C0028

Properties:

name

type

doc

opts

:name

ou:campname

The primary name for the ATT&CK campaign.

:names

uniq: True
sorted: True

An array of alternate names for the ATT&CK campaign.

:desc

strip: True

A description of the ATT&CK campaign.

Display: {'hint': 'text'}

:url

inet:url

The URL that documents the ATT&CK campaign.

:groups

uniq: True
sorted: True
split: ,

An array of ATT&CK group IDs attributed to the campaign.

:software

uniq: True
sorted: True
split: ,

An array of ATT&CK software IDs used in the campaign.

:techniques

uniq: True
sorted: True
split: ,

An array of ATT&CK technique IDs used in the campaign.

:matrices

uniq: True
sorted: True
split: ,

The ATT&CK matrices which define the campaign.

:references

type: inet:url
uniq: True

An array of URLs that document the ATT&CK campaign.

:period

ival

The time interval when the campaign was active.

:created

time

The time that the campaign was created by MITRE.

:updated

time

The time that the campaign was last updated by MITRE.

:tag

syn:tag

Deprecated. Please use ou:campaign:tag.

Deprecated: True
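
The array properties on this form (:groups, :software, :techniques) and the matching arrays on it:mitre:attack:group, it:mitre:attack:software and it:mitre:attack:mitigation are declared with uniq: True, sorted: True and split on ',', so a comma-separated string is accepted and stored as a deduplicated, sorted array of IDs. As an added example (not Synapse code), the Python below applies that normalization and also checks that each value has the identifier shape the property expects, using the ID formats the page's own examples show (C0028, G0100, S0154, M1036) plus the T####(.###) technique form. The sample campaign record is constructed and its IDs were chosen only for their shape; that Synapse orders the array exactly as Python's default string sort does is an assumption.

```python
import re

# ATT&CK identifier shapes, keyed by the Synapse form they populate.
# Campaign, group, software and mitigation IDs are one letter plus four digits;
# technique IDs may carry a three-digit sub-technique suffix (T1059.001).
ID_SHAPES = {
    "it:mitre:attack:campaign": re.compile(r"^C\d{4}$"),
    "it:mitre:attack:group": re.compile(r"^G\d{4}$"),
    "it:mitre:attack:software": re.compile(r"^S\d{4}$"),
    "it:mitre:attack:mitigation": re.compile(r"^M\d{4}$"),
    "it:mitre:attack:technique": re.compile(r"^T\d{4}(\.\d{3})?$"),
}

# Which form each array property on it:mitre:attack:campaign refers to.
CAMPAIGN_ARRAYS = {
    "groups": "it:mitre:attack:group",
    "software": "it:mitre:attack:software",
    "techniques": "it:mitre:attack:technique",
}


def norm_id_array(value, form: str) -> list[str]:
    """Normalize like an array prop declared split: ',' uniq: True sorted: True.

    Accepts a list or a comma-separated string, strips whitespace, drops
    empty entries, rejects anything that is not a well-formed ID for `form`,
    then deduplicates and sorts (assumption: plain lexical sort).
    """
    items = value.split(",") if isinstance(value, str) else list(value)
    shape = ID_SHAPES[form]
    cleaned = set()
    for item in items:
        item = item.strip()
        if not item:
            continue
        if not shape.match(item):
            raise ValueError(f"{item!r} is not a valid {form} identifier")
        cleaned.add(item)
    return sorted(cleaned)


def norm_campaign(record: dict) -> dict:
    """Normalize the array properties of a campaign record; other keys pass through."""
    out = dict(record)
    for prop, form in CAMPAIGN_ARRAYS.items():
        if prop in out:
            out[prop] = norm_id_array(out[prop], form)
    return out


# Constructed sample (not real ATT&CK data): duplicates, stray whitespace, unsorted.
SAMPLE_CAMPAIGN = {
    "name": "sample campaign",
    "groups": "G0100, G0016,G0100",
    "software": ["S0154", "S0002", "S0154"],
    "techniques": "T1566.001 ,T1059,T1566.001, T1003.001",
}

if __name__ == "__main__":
    print(norm_campaign(SAMPLE_CAMPAIGN))
```

Rejecting a malformed ID up front is the useful part: a technique ID dropped into :groups would otherwise be stored silently and never resolve to an it:mitre:attack:group node.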

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:mitre:attack:flow

A MITRE ATT&CK Flow diagram.

The base type for the form can be found at it:mitre:attack:flow.

Properties:

name

type

doc

:name

str

The name of the attack-flow diagram.

:data

schema: {'$schema': 'https://json-schema.org/draft/2020-12/schema', '$id': 'https://center-for-threat-informed-defense.github.io/attack-flow/schema/attack-flow-schema-2.0.0.json', 'title': 'Attack Flow STIX 2.1 Extension', 'description': 'This schema is the normative definition of the STIX 2.1 extension `extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4`. It extends STIX with additional STIX Data Objects (SDOs) that model Attack Flow concepts.', 'type': 'object', 'unevaluatedProperties': False, 'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/core.json'},), 'properties': {'type': {'const': 'bundle'}, 'objects': {'type': 'array', 'items': {'$comment': 'Try each of the Attack Flow types in order, eventually falling through to the STIX common object definition.', 'if': {'type': 'object', 'properties': {'type': {'type': 'string', 'const': 'attack-flow'}}}, 'then': {'$ref': 'https://center-for-threat-informed-defense.github.io/attack-flow/schema/attack-flow-schema-2.0.0.json#/$defs/attack-flow'}, 'else': {'if': {'type': 'object', 'properties': {'type': {'type': 'string', 'const': 'attack-action'}}}, 'then': {'$ref': 'https://center-for-threat-informed-defense.github.io/attack-flow/schema/attack-flow-schema-2.0.0.json#/$defs/attack-action'}, 'else': {'if': {'type': 'object', 'properties': {'type': {'type': 'string', 'const': 'attack-asset'}}}, 'then': {'$ref': 'https://center-for-threat-informed-defense.github.io/attack-flow/schema/attack-flow-schema-2.0.0.json#/$defs/attack-asset'}, 'else': {'if': {'type': 'object', 'properties': {'type': {'type': 'string', 'const': 'attack-condition'}}}, 'then': {'$ref': 'https://center-for-threat-informed-defense.github.io/attack-flow/schema/attack-flow-schema-2.0.0.json#/$defs/attack-condition'}, 'else': {'if': {'type': 'object', 'properties': {'type': {'type': 'string', 'const': 'attack-operator'}}}, 'then': {'$ref': 'https://center-for-threat-informed-defense.github.io/attack-flow/schema/attack-flow-schema-2.0.0.json#/$defs/attack-operator'}, 'else': {'$comment': 'All Attack Flow SDOs implement the required common properties.', '$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/core.json'}}}}}}, '$comment': "Attack Flow documents MUST have ONLY ONE 'attack-flow' type. That is enforced here with the 'contains', 'minContains', and 'maxContains'", 'contains': {'$ref': 'https://center-for-threat-informed-defense.github.io/attack-flow/schema/attack-flow-schema-2.0.0.json#/$defs/attack-flow'}, 'minContains': 1, 'maxContains': 1}}, '$defs': {
'attack-flow': {'description': 'Every Attack Flow document **MUST** contain exactly one ``attack-flow`` object. It provides metadata for name and description, starting points for the flow of actions, and can be referenced from other STIX objects.', 'type': 'object', 'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/core.json'},), 'properties': {'type': {'description': 'The type MUST be attack-flow.', 'type': 'string', 'const': 'attack-flow'}, 'spec_version': {'description': 'The version MUST be 2.1.', 'type': 'string', 'const': '2.1'}, 'name': {'description': 'The name of the Attack Flow.', 'type': 'string'}, 'description': {'description': 'A description of the overall Attack Flow.', 'type': 'string'}, 'scope': {'description': 'Indicates what type of behavior the Attack Flow describes: a specific incident, a campaign, etc.', 'type': 'string', 'enum': ('incident', 'campaign', 'threat-actor', 'malware', 'other')}, 'start_refs': {'description': 'A list of objects that start the flow.', 'type': 'array', 'items': {'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json'}, {'pattern': '^(attack-action|attack-condition)--'})}, 'minItems': 1}, 'extensions': {'$ref': 'https://center-for-threat-informed-defense.github.io/attack-flow/schema/attack-flow-schema-2.0.0.json#/$defs/extensions'}}, 'required': ('type', 'spec_version', 'name', 'start_refs', 'scope', 'extensions'), 'x-exampleObject': 'attack-flow--e9ec3a4b-f787-4e81-a3d9-4cfe017ebc2f'},
'attack-action': {'description': 'An attack-action object represents the execution of a particular technique, i.e. a discrete unit of adverary behavior.', 'type': 'object', 'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/core.json'},), 'properties': {'type': {'description': 'The type MUST be attack-action.', 'type': 'string', 'const': 'attack-action'}, 'spec_version': {'description': 'The version MUST be 2.1.', 'type': 'string', 'const': '2.1'}, 'name': {'description': 'The name of the technique, or if a specific technique is not known, then the name of the tactic.', 'type': 'string'}, 'tactic_id': {'description': 'A tactic identifier or shortname that may reference an authoritative collection of tactics, e.g. ATT&CK.', 'type': 'string'}, 'tactic_ref': {'description': "A reference to the tactic's STIX representation. For ATT&CK, this should be an x-mitre-tactic object.", 'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json'},)}, 'technique_id': {'description': 'A technique identifier or shortname that may reference an authoritative collection of techniques, e.g. ATT&CK.', 'type': 'string'}, 'technique_ref': {'description': "A reference to the technique's STIX representation.", 'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json'}, {'pattern': '^attack-pattern--'})}, 'description': {'description': 'A description of the adversary behavior, e.g. what they did, how they did it, and why. This field may contain prose as well as technical information, but consider using command_ref for providing technical details about technique execution.', 'type': 'string'}, 'execution_start': {'description': 'Timestamp indicating when the execution of this action began.', '$ref': 'https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/timestamp.json'}, 'execution_end': {'description': 'Timestamp indicating when the execution of this action ended.', '$ref': 'https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/timestamp.json'}, 'command_ref': {'description': 'Describe tools or commands executed by the attacker by referring to a STIX Process object, which can represent commands, environment variables, process image, etc.', 'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json'}, {'pattern': '^process--'})}, 'asset_refs': {'description': 'The assets involved in this action, i.e. where this action modifies or depends on the state of the asset.', 'type': 'array', 'items': {'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json'}, {'pattern': '^(attack-asset)--'})}, 'minItems': 1}, 'effect_refs': {'description': 'The potential effects that result from executing this action. (See: effects.)', 'type': 'array', 'items': {'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json'}, {'pattern': '^(attack-action|attack-operator|attack-condition)--'})}, 'minItems': 1}, 'extensions': {'$ref': 'https://center-for-threat-informed-defense.github.io/attack-flow/schema/attack-flow-schema-2.0.0.json#/$defs/extensions'}}, 'required': ('type', 'spec_version', 'name', 'extensions'), 'x-exampleObject': 'attack-action--37345417-3ee0-4e11-b421-1d4be68e6f15'},
'attack-asset': {'description': 'An asset is any object that is the subject or target of an action. Assets can be technical assets (such as machines and data) or non-technical assets such as people and physical systems. Actions typically either modify or depend upon the state of an asset in some way.\n\nNote that assets are not applicable in all contexts. For example, public threat reports may not include enough detail to represent the assets in a flow, or the flow might represent aggregate behavior (at the campaign or actor level) for which it does not make sense to specify an asset. Assets should be used to add context to a flow when the underlying intelligence contains sufficient detail to do so.', 'type': 'object', 'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/core.json'},), 'properties': {'type': {'description': 'The type MUST be attack-asset.', 'type': 'string', 'const': 'attack-asset'}, 'spec_version': {'description': 'The version MUST be 2.1.', 'type': 'string', 'const': '2.1'}, 'name': {'description': 'An name for the asset.', 'type': 'string'}, 'description': {'description': 'A description of the asset.', 'type': 'string'}, 'object_ref': {'description': 'A reference to any STIX data object (i.e. SDO) or observable (i.e. SCO) that contains structured data about this asset.', '$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json'}, 'extensions': {'$ref': 'https://center-for-threat-informed-defense.github.io/attack-flow/schema/attack-flow-schema-2.0.0.json#/$defs/extensions'}}, 'required': ('type', 'spec_version', 'name', 'extensions'), 'x-exampleObject': 'attack-asset--f7edf4aa-29ec-47aa-b4f6-c42dfbe2ac20'},
'attack-condition': {'description': "An attack-condition object represents some possible condition, outcome, or state that could occur. Conditions can be used to split flows based on the success or failure of an action, or to provide further description of an action's results.", 'type': 'object', 'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/core.json'},), 'properties': {'type': {'description': 'The type MUST be attack-condition.', 'type': 'string', 'const': 'attack-condition'}, 'spec_version': {'description': 'The version MUST be 2.1.', 'type': 'string', 'const': '2.1'}, 'description': {'description': 'The condition that is evaluated, usually based on the success or failure of the preceding action.', 'type': 'string'}, 'pattern': {'description': '(This is an experimental feature.) The detection pattern for this condition may be expressed as a STIX Pattern or another appropriate language such as SNORT, YARA, etc.', 'type': 'string'}, 'pattern_type': {'description': '(This is an experimental feature.) The pattern langauge used in this condition. The value for this property should come from the STIX pattern-type-ov open vocabulary.', 'type': 'string'}, 'pattern_version': {'description': '(This is an experimental feature.) The version of the pattern language used for the data in the pattern property. For the STIX Pattern language, the default value is determined by the spec_version of the condition object.', 'type': 'string'}, 'on_true_refs': {'description': 'When the condition is true, the flow continues to these objects.', 'type': 'array', 'items': {'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json'}, {'pattern': '^(attack-action|attack-operator|attack-condition)--'})}, 'minItems': 1}, 'on_false_refs': {'description': 'When the condition is false, the flow continues to these objects. (If there are no objects, then the flow halts at this node.)', 'type': 'array', 'items': {'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json'}, {'pattern': '^(attack-action|attack-operator|attack-condition)--'})}, 'minItems': 1}, 'extensions': {'$ref': 'https://center-for-threat-informed-defense.github.io/attack-flow/schema/attack-flow-schema-2.0.0.json#/$defs/extensions'}}, 'required': ('type', 'spec_version', 'description', 'extensions'), 'x-exampleObject': 'attack-condition--7e809f5b-319a-4b3f-82fe-e4dc09af5088'},
'attack-operator': {'description': 'An attack-operator object joins multiple attack paths together using boolean logic.', 'type': 'object', 'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/core.json'},), 'properties': {'type': {'description': 'The type MUST be attack-operator.', 'type': 'string', 'const': 'attack-operator'}, 'spec_version': {'description': 'The version MUST be 2.1.', 'type': 'string', 'const': '2.1'}, 'operator': {'description': 'The logical operator to apply to the input effects.', 'type': 'string', 'enum': ('AND', 'OR')}, 'effect_refs': {'description': 'The effects, outcomes, or states that result when this operator evaluates to true. If the operator evaluates to false, then the flow halts. (See: effects.)', 'type': 'array', 'items': {'allOf': ({'$ref': 'http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json'}, {'pattern': '^(attack-action|attack-operator|attack-condition)--'})}, 'minItems': 1}, 'extensions': {'$ref': 'https://center-for-threat-informed-defense.github.io/attack-flow/schema/attack-flow-schema-2.0.0.json#/$defs/extensions'}}, 'required': ('type', 'spec_version', 'operator', 'extensions'), 'x-exampleObject': 'attack-operator--609d7adf-a3d2-44e8-82de-4b30e3fb97be'},
'extensions': {'type': 'object', 'properties': {'extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4': {'type': 'object', 'properties': {'extension_type': {'type': 'string', 'const': 'new-sdo'}}, 'required': ('extension_type',)}}, 'required': ('extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4',)}}}

The ATT&CK Flow diagram. Schema version 2.0.0 enforced.

:created

time

The time that the diagram was created.

:updated

time

The time that the diagram was last updated.

:author:user

syn:user

The Synapse user that created the node.

:author:contact

ps:contact

The contact information for the author of the ATT&CK Flow diagram.
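
Because :data is validated against the Attack Flow 2.0.0 schema listed above, anyone loading flows into this form will want to know which constraints a bundle can fail before the Cortex rejects it. The following Python is an added example, written for this page rather than taken from Synapse or the Attack Flow project. Using only the standard library, it checks the structural rules the schema states: exactly one attack-flow object per bundle, spec_version 2.1, the per-type required properties, the new-sdo extension marker, the identifier-prefix patterns on start_refs, effect_refs, on_true_refs, on_false_refs, asset_refs, technique_ref and command_ref, and the scope and operator enums. The sample bundle is constructed and its UUIDs are made up. It is a pre-flight check, not a replacement for full JSON Schema validation, since it does not resolve the STIX core.json and identifier.json references the schema pulls in.

```python
import copy
import re

EXT_ID = "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4"
# Required properties per Attack Flow SDO type, from the schema's 'required' tuples.
REQUIRED = {
    "attack-flow": ("type", "spec_version", "name", "start_refs", "scope", "extensions"),
    "attack-action": ("type", "spec_version", "name", "extensions"),
    "attack-asset": ("type", "spec_version", "name", "extensions"),
    "attack-condition": ("type", "spec_version", "description", "extensions"),
    "attack-operator": ("type", "spec_version", "operator", "extensions"),
}
# Reference properties and the id prefixes the schema's 'pattern' constraints allow.
NODE_REFS = r"^(attack-action|attack-operator|attack-condition)--"
ARRAY_REFS = {"start_refs": r"^(attack-action|attack-condition)--", "effect_refs": NODE_REFS,
              "on_true_refs": NODE_REFS, "on_false_refs": NODE_REFS, "asset_refs": r"^(attack-asset)--"}
SCALAR_REFS = {"technique_ref": r"^attack-pattern--", "command_ref": r"^process--"}
SCOPES = {"incident", "campaign", "threat-actor", "malware", "other"}


def validate_attack_flow(bundle: dict) -> list[str]:
    """Return the schema violations found (an empty list means the bundle passed)."""
    errors: list[str] = []
    if bundle.get("type") != "bundle":
        errors.append("top-level type must be 'bundle'")
    objects = bundle.get("objects", [])
    flows = sum(1 for o in objects if o.get("type") == "attack-flow")
    if flows != 1:  # minContains / maxContains == 1 on the attack-flow def
        errors.append(f"expected exactly one attack-flow object, found {flows}")
    for obj in objects:
        otype = obj.get("type")
        if otype not in REQUIRED:
            continue  # plain STIX objects fall through to core.json, not checked here
        oid = obj.get("id", "<no id>")
        errors += [f"{oid}: missing required property '{p}'" for p in REQUIRED[otype] if p not in obj]
        if obj.get("spec_version") != "2.1":
            errors.append(f"{oid}: spec_version must be '2.1'")
        if obj.get("extensions", {}).get(EXT_ID, {}).get("extension_type") != "new-sdo":
            errors.append(f"{oid}: extensions must carry {EXT_ID} with extension_type 'new-sdo'")
        for prop, pattern in ARRAY_REFS.items():
            refs = obj.get(prop)
            if refs is None:
                continue
            if not isinstance(refs, list) or not refs:  # minItems: 1
                errors.append(f"{oid}: '{prop}' must be a non-empty array")
                continue
            errors += [f"{oid}: '{prop}' entry '{r}' does not match {pattern}"
                       for r in refs if not re.match(pattern, r)]
        for prop, pattern in SCALAR_REFS.items():
            if prop in obj and not re.match(pattern, obj[prop]):
                errors.append(f"{oid}: '{prop}' value '{obj[prop]}' does not match {pattern}")
        if otype == "attack-flow" and obj.get("scope") not in SCOPES:
            errors.append(f"{oid}: scope must be one of {sorted(SCOPES)}")
        if otype == "attack-operator" and obj.get("operator") not in ("AND", "OR"):
            errors.append(f"{oid}: operator must be AND or OR")
    return errors


def sdo(otype: str, suffix: str, **props) -> dict:
    """Build a minimal Attack Flow SDO with a made-up UUID and the extension marker."""
    obj = {"type": otype, "spec_version": "2.1",
           "id": f"{otype}--00000000-0000-4000-8000-0000000000{suffix}",
           "extensions": {EXT_ID: {"extension_type": "new-sdo"}}}
    obj.update(props)
    return obj


# Constructed sample bundle (made-up ids): phishing -> user opens attachment -> credential dumping.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    sdo("attack-flow", "f1", name="Sample intrusion", scope="incident",
        start_refs=["attack-action--00000000-0000-4000-8000-0000000000a1"]),
    sdo("attack-action", "a1", name="Phishing", technique_id="T1566",
        technique_ref="attack-pattern--00000000-0000-4000-8000-0000000000b1",
        effect_refs=["attack-condition--00000000-0000-4000-8000-0000000000c1"]),
    sdo("attack-condition", "c1", description="User opened the attachment",
        on_true_refs=["attack-action--00000000-0000-4000-8000-0000000000a2"]),
    sdo("attack-action", "a2", name="OS Credential Dumping", technique_id="T1003",
        asset_refs=["attack-asset--00000000-0000-4000-8000-0000000000d1"]),
    sdo("attack-asset", "d1", name="Workstation"),
]}


def broken_bundle() -> dict:
    """Copy of the sample with two deliberate faults: a second attack-flow and a wrong asset ref."""
    bad = copy.deepcopy(SAMPLE_BUNDLE)
    bad["objects"].append(sdo("attack-flow", "f2", name="Duplicate", scope="campaign", start_refs=[]))
    bad["objects"][3]["asset_refs"] = ["attack-action--00000000-0000-4000-8000-0000000000a1"]
    return bad


if __name__ == "__main__":
    print("clean bundle:", validate_attack_flow(SAMPLE_BUNDLE))
    print("broken bundle:", *validate_attack_flow(broken_bundle()), sep="\n  ")
```

The checks mirror the schema's own wording so that a failure message names the property and the pattern it violated; the full schema additionally validates STIX core properties (id format, created/modified timestamps) through the referenced core.json, which this pre-flight deliberately skips.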

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:mitre:attack:group

A MITRE ATT&CK Group ID.

The base type for the form can be found at it:mitre:attack:group.

An example of it:mitre:attack:group:

  • G0100

Properties:

name

type

doc

opts

:org

ou:org

Used to map an ATT&CK group to a Synapse ou:org.

:name

ou:name

The primary name for the ATT&CK group.

:names

type: ou:name
uniq: True
sorted: True

An array of alternate names for the ATT&CK group.

:desc

str

A description of the ATT&CK group.

Display: {'hint': 'text'}

:isnow

it:mitre:attack:group

If deprecated, this field may contain the current value for the group.

:url

inet:url

The URL that documents the ATT&CK group.

:tag

syn:tag

Deprecated. Please use a risk:threat:tag.

Deprecated: True

:references

type: inet:url
uniq: True

An array of URLs that document the ATT&CK group.

:techniques

uniq: True
sorted: True
split: ,

An array of ATT&CK technique IDs used by the group.

:software

uniq: True
sorted: True
split: ,

An array of ATT&CK software IDs used by the group.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:mitre:attack:mitigation

A MITRE ATT&CK Mitigation ID.

The base type for the form can be found at it:mitre:attack:mitigation.

An example of it:mitre:attack:mitigation:

  • M1036

Properties:

name

type

doc

opts

:name

lower: True
onespace: True

The primary name for the ATT&CK mitigation.

:matrix

it:mitre:attack:matrix

The ATT&CK matrix which defines the mitigation.

:desc

strip: True

A description of the ATT&CK mitigation.

Display: {'hint': 'text'}

:url

inet:url

The URL that documents the ATT&CK mitigation.

:tag

syn:tag

Deprecated. Please use risk:mitigation:tag.

Deprecated: True

:references

type: inet:url
uniq: True

An array of URLs that document the ATT&CK mitigation.

:addresses

uniq: True
sorted: True
split: ,

An array of ATT&CK technique IDs addressed by the mitigation.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:mitre:attack:software

A MITRE ATT&CK Software ID.

The base type for the form can be found at it:mitre:attack:software.

An example of it:mitre:attack:software:

  • S0154

Properties:

name

type

doc

opts

:software

it:prod:soft

Used to map an ATT&CK software entry to a Synapse it:prod:soft.

:name

it:prod:softname

The primary name for the ATT&CK software.

:names

uniq: True
sorted: True

Associated names for the ATT&CK software.

:desc

strip: True

A description of the ATT&CK software.

Display: {'hint': 'text'}

:isnow

it:mitre:attack:software

If deprecated, this field may contain the current value for the software.

:url

inet:url

The URL that documents the ATT&CK software.

:tag

syn:tag

Deprecated. Please use risk:tool:software:tag.

Deprecated: True

:references

type: inet:url
uniq: True

An array of URLs that document the ATT&CK software.

:techniques

uniq: True
sorted: True
split: ,

An array of techniques used by the software.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:mitre:attack:tactic

A MITRE ATT&CK Tactic ID.

The base type for the form can be found at it:mitre:attack:tactic.

An example of it:mitre:attack:tactic:

  • TA0040

Properties:

name

type

doc

opts

:name

strip: True

The primary name for the ATT&CK tactic.

:matrix

it:mitre:attack:matrix

The ATT&CK matrix which defines the tactic.

:desc

str

A description of the ATT&CK tactic.

Display: {'hint': 'text'}

:url

inet:url

The URL that documents the ATT&CK tactic.

:tag

syn:tag

Deprecated.

Deprecated: True

:references

type: inet:url
uniq: True

An array of URLs that document the ATT&CK tactic.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:mitre:attack:technique

A MITRE ATT&CK Technique ID.

The base type for the form can be found at it:mitre:attack:technique.

An example of it:mitre:attack:technique:

  • T1548

Properties:

name

type

doc

opts

:name

lower: True
onespace: True

The primary name for the ATT&CK technique.

:matrix

it:mitre:attack:matrix

The ATT&CK matrix which defines the technique.

:status

it:mitre:attack:status

The status of this ATT&CK technique.

:isnow

it:mitre:attack:technique

If deprecated, this field may contain the current value for the technique.

:desc

strip: True

A description of the ATT&CK technique.

Display: {'hint': 'text'}

:url

inet:url

The URL that documents the ATT&CK technique.

:tag

syn:tag

Deprecated. Please use ou:technique:tag.

Deprecated: True

:references

type: inet:url
uniq: True

An array of URLs that document the ATT&CK technique.

:parent

it:mitre:attack:technique

The parent ATT&CK technique of this sub-technique.

:tactics

uniq: True
sorted: True
split: ,

An array of ATT&CK tactics that include this technique.
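The three it:mitre:attack:* forms above (software, tactic, technique) share a small set of property options: lower and onespace on names, strip on descriptions, and split/uniq/sorted on the :techniques and :tactics arrays, plus a :parent that only a sub-technique carries. The following is an added example, not Synapse's own code, that implements those rules so that records can be normalized before they are loaded. It assumes onespace collapses whitespace runs to one space and trims the ends, that split turns a comma-separated string into an array, and that the it:prod:softname type used by :name is lower/onespace normalized; the ATT&CK URL layout is the public one (techniques/T1548/002/).

```python
"""Property normalization for the it:mitre:attack:* forms.

Added example, not Synapse's own code. Assumed semantics: onespace collapses
whitespace runs and trims; split divides a string on the separator; the
it:prod:softname type is lower/onespace normalized.
"""
import re

# Identifier shapes of the examples given on the page: S0154, TA0040, T1548.
SOFTWARE_ID = re.compile(r'^S\d{4}$')
TACTIC_ID = re.compile(r'^TA\d{4}$')
TECHNIQUE_ID = re.compile(r'^T\d{4}(?:\.\d{3})?$')  # T1548 or sub-technique T1548.002


def norm_name(value: str) -> str:
    """lower + onespace, as on it:mitre:attack:technique:name."""
    return ' '.join(value.lower().split())


def norm_strip(value: str) -> str:
    """strip, as on it:mitre:attack:tactic:name and the :desc properties."""
    return value.strip()


def norm_id_array(value, pattern: re.Pattern, sep: str = ',') -> list:
    """split + uniq + sorted over ATT&CK IDs, rejecting malformed entries."""
    items = value.split(sep) if isinstance(value, str) else list(value)
    seen = set()
    for item in items:
        item = item.strip()
        if not item:
            continue  # tolerate 'T1548,,T1003' and a trailing separator
        if not pattern.match(item):
            raise ValueError(f'not an ATT&CK id for this property: {item!r}')
        seen.add(item)
    return sorted(seen)


def technique_parent(tid: str):
    """Derive :parent for a sub-technique (T1548.002 -> T1548); None for a top-level one."""
    if not TECHNIQUE_ID.match(tid):
        raise ValueError(f'not a technique id: {tid!r}')
    base, _, sub = tid.partition('.')
    return base if sub else None


def make_technique(tid: str, name: str, tactics, desc: str = '') -> tuple:
    """Return (id, props) for one it:mitre:attack:technique node."""
    parent = technique_parent(tid)  # also validates the id
    props = {
        'name': norm_name(name),
        'desc': norm_strip(desc),
        'tactics': norm_id_array(tactics, TACTIC_ID),
        # Public ATT&CK layout: sub-technique T1548.002 lives at techniques/T1548/002/
        'url': f'https://attack.mitre.org/techniques/{tid.replace(".", "/")}/',
    }
    if parent:
        props['parent'] = parent
    return tid, props


def make_software(sid: str, name: str, names, techniques, desc: str = '') -> tuple:
    """Return (id, props) for one it:mitre:attack:software node."""
    if not SOFTWARE_ID.match(sid):
        raise ValueError(f'not a software id: {sid!r}')
    return sid, {
        'name': norm_name(name),  # assumed it:prod:softname normalization
        'names': sorted({norm_name(n) for n in names if n.strip()}),  # uniq + sorted
        'desc': norm_strip(desc),
        'techniques': norm_id_array(techniques, TECHNIQUE_ID),
    }
```

Rejecting a technique ID in a :tactics array (or vice versa) at load time is the useful check here: a mis-typed prefix otherwise becomes a silently unlinkable node.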

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:network

A GUID that represents a logical network.

The base type for the form can be found at it:network.

Properties:

name

type

doc

:name

lower: True
onespace: True

The name of the network.

:desc

str

A brief description of the network.

:org

ou:org

The org that owns/operates the network.

:net4

inet:net4

The optional contiguous IPv4 address range of this network.

:net6

inet:net6

The optional contiguous IPv6 address range of this network.
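The :net4 and :net6 properties carry the optional contiguous address range of a logical network, which is what lets an observed address be attributed to an it:network. The following is an added example, not Synapse's own code. It assumes a range may be written as CIDR or as an inclusive "first-last" pair and is stored as two inclusive integer bounds; the text forms Synapse itself accepts for inet:net4 and inet:net6 are not reproduced. The inventory is constructed for the example, and the org values are placeholders standing in for ou:org GUIDs.

```python
"""Range handling for it:network:net4 / :net6.

Added example, not Synapse's own code. Ranges are parsed from CIDR or an
inclusive first-last pair into (lo, hi) integers (an assumption of this
example, not the inet:net4/inet:net6 text form).
"""
import ipaddress


def parse_range(text: str, version: int) -> tuple:
    """Parse a CIDR or first-last range into inclusive (lo, hi) integers.

    Raises ValueError when the address family is wrong or the bounds are
    reversed, so a non-contiguous or mis-typed range never reaches the graph.
    """
    text = text.strip()
    if '-' in text:
        first, last = (s.strip() for s in text.split('-', 1))
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    else:
        net = ipaddress.ip_network(text, strict=False)
        lo, hi = net.network_address, net.broadcast_address
    if lo.version != version or hi.version != version:
        raise ValueError(f'expected an IPv{version} range: {text!r}')
    if int(lo) > int(hi):
        raise ValueError(f'range bounds are reversed: {text!r}')
    return int(lo), int(hi)


def make_network(name: str, org: str, net4: str = None, net6: str = None) -> dict:
    """Build the property dict for one it:network node (:name is lower + onespace)."""
    props = {'name': ' '.join(name.lower().split()), 'org': org}
    if net4:
        props['net4'] = parse_range(net4, 4)
    if net6:
        props['net6'] = parse_range(net6, 6)
    return props


def networks_containing(addr: str, networks: dict) -> list:
    """Sorted keys of the networks whose net4/net6 range covers addr."""
    ip = ipaddress.ip_address(addr)
    key = 'net4' if ip.version == 4 else 'net6'
    hits = []
    for name, props in networks.items():
        rng = props.get(key)
        if rng and rng[0] <= int(ip) <= rng[1]:
            hits.append(name)
    return sorted(hits)


# Constructed inventory, not real data. The DMZ range sits inside the LAN
# range on purpose: an address can belong to more than one logical network.
INVENTORY = {
    'corp-lan': make_network('Corp  LAN', 'org-placeholder', net4='10.0.0.0/16'),
    'corp-dmz': make_network('corp dmz', 'org-placeholder',
                             net4='10.0.200.0-10.0.200.255', net6='2001:db8:10::/48'),
    'guest-wifi': make_network('Guest WiFi', 'org-placeholder', net4='192.0.2.0/24'),
}
```

Returning every matching network rather than the first one matters for the nested case: an address in the DMZ block is also in the LAN block, and which attribution is wanted is an analyst's choice, not the parser's.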

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:os:android:aaid

An Android advertising identifier (AAID) string.

The base type for the form can be found at it:os:android:aaid.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:os:android:ibroadcast

The given software broadcasts the given Android intent.

The base type for the form can be found at it:os:android:ibroadcast.

Properties:

name

type

doc

opts

:app

it:prod:softver

The app software which broadcasts the Android intent.

Read Only: True

:intent

it:os:android:intent

The Android intent which is broadcast by the app.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:os:android:ilisten

The given software listens for an Android intent.

The base type for the form can be found at it:os:android:ilisten.

Properties:

name

type

doc

opts

:app

it:prod:softver

The app software which listens for the Android intent.

Read Only: True

:intent

it:os:android:intent

The Android intent which is listened for by the app.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:os:android:intent

An Android intent string.

The base type for the form can be found at it:os:android:intent.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:os:android:perm

An Android permission string.

The base type for the form can be found at it:os:android:perm.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:os:android:reqperm

The given software requests the Android permission.

The base type for the form can be found at it:os:android:reqperm.

Properties:

name

type

doc

opts

:app

it:prod:softver

The Android app which requests the permission.

Read Only: True

:perm

it:os:android:perm

The Android permission requested by the app.

Read Only: True
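The it:os:android:reqperm, it:os:android:ilisten, it:os:android:perm and it:os:android:intent forms above are populated from what an app declares, and the primary source for that is its AndroidManifest.xml. The following is an added example, not Synapse's own code, that derives (app, permission) pairs for reqperm and (app, intent) pairs for ilisten from a manifest. The manifest is constructed for the example. The app is identified by package name plus versionName, standing in for the it:prod:softver node the forms point at (an assumption). Any activity, service or receiver carrying an intent-filter is treated as a listener for the filter's actions. Broadcasts an app sends (it:os:android:ibroadcast) are not declared in the manifest and so cannot be derived this way; that needs code analysis.

```python
"""Derive it:os:android:reqperm and it:os:android:ilisten records from an
AndroidManifest.xml.

Added example, not Synapse's own code. The manifest is constructed; the app
key "package:versionName" stands in for an it:prod:softver (assumption).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = 'http://schemas.android.com/apk/res/android'
A = '{%s}' % ANDROID_NS  # ElementTree spelling of the android: attribute prefix

# Constructed manifest, not from a real app. It carries a duplicated
# permission, an SDK-23 conditional permission, and an exported receiver
# listening for two broadcast actions.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight" android:versionName="2.1.0">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

LISTENING_COMPONENTS = ('activity', 'service', 'receiver')


def parse_manifest(xml_text: str) -> dict:
    """Return the app key, reqperm pairs, ilisten pairs and the intents reachable
    from other apps via exported components."""
    root = ET.fromstring(xml_text)
    if root.tag != 'manifest':
        raise ValueError('not an AndroidManifest.xml document')
    app = f"{root.get('package')}:{root.get(A + 'versionName', '')}"

    # <uses-permission> and <uses-permission-sdk-23> both map to reqperm;
    # the set removes the duplicate declaration.
    perms = set()
    for tag in ('uses-permission', 'uses-permission-sdk-23'):
        for el in root.iter(tag):
            name = el.get(A + 'name')
            if name:
                perms.add(name)

    listens, exported = set(), set()
    for comp in root.iter():
        if comp.tag not in LISTENING_COMPONENTS:
            continue
        is_exported = comp.get(A + 'exported') == 'true'
        for action in comp.iter('action'):
            name = action.get(A + 'name')
            if not name:
                continue
            listens.add(name)
            if is_exported:
                exported.add(name)

    return {
        'app': app,
        'reqperm': [(app, p) for p in sorted(perms)],
        'ilisten': [(app, i) for i in sorted(listens)],
        'exported_listeners': sorted(exported),
    }
```

The exported_listeners list is the triage hook: an ilisten pair whose component is exported is an intent any other app on the device can deliver, which is the case worth reviewing first when the app also requests a sensitive permission such as READ_SMS.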

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:os:ios:idfa

An iOS advertising identifier (IDFA) string.

The base type for the form can be found at it:os:ios:idfa.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

it:prod:component

A specific instance of an it:prod:hardware, most often as part of an it:host.

The base type for the form can be found at it:prod:component.

Properties:

name | type | doc
:hardware | it:prod:hardware | The hardware specification of this component.
:serial | str | The serial number of this component.
:host | it:host | The it:host which has this component installed.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target node.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the target node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target node.
sci:experiment | -(uses)> | * | The experiment used the target node when it was run.
sci:observation | -(has)> | * | The observation is summarized from the target node.

it:prod:hardware

A specification for a piece of IT hardware.

The base type for the form can be found at it:prod:hardware.

Properties:

name | type | doc | opts
:name | str | The display name for this hardware specification. | lower: True, onespace: True
:type | it:prod:hardwaretype | The type of hardware.
:desc | str | A brief description of the hardware. | Display: {'hint': 'text'}
:cpe | it:sec:cpe | The NIST CPE 2.3 string specifying this hardware.
:make | ou:name | The name of the organization which manufactures this hardware.
:model | str | The model name or number for this hardware specification. | lower: True, onespace: True
:version | str | The version string associated with this hardware specification. | lower: True, onespace: True
:released | time | The initial release date for this hardware.
:parts | array | An array of it:prod:hardware parts included in this hardware specification. | uniq: True, sorted: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target node.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the target node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target node.
sci:experiment | -(uses)> | * | The experiment used the target node when it was run.
sci:observation | -(has)> | * | The observation is summarized from the target node.

it:prod:hardwaretype

An IT hardware type taxonomy.

The base type for the form can be found at it:prod:hardwaretype.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition.
:summary | str | Deprecated. Please use title/desc. | Deprecated: True, Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings.
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | it:prod:hardwaretype | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target node.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the target node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target node.
sci:experiment | -(uses)> | * | The experiment used the target node when it was run.
sci:observation | -(has)> | * | The observation is summarized from the target node.

it:prod:soft

A software product.

The base type for the form can be found at it:prod:soft.

Properties:

name | type | doc | opts
:name | it:prod:softname | Name of the software.
:type | it:prod:soft:taxonomy | The software type.
:names | array | Observed/variant names for this software. | uniq: True, sorted: True
:desc | str | A description of the software. | Display: {'hint': 'text'}
:desc:short | str | A short description of the software. | lower: True
:cpe | it:sec:cpe | The NIST CPE 2.3 string specifying this software.
:author | ps:contact | The contact information of the org or person who authored the software.
:author:org | ou:org | Deprecated. Please use :author to link to a ps:contact. | Deprecated: True
:author:acct | inet:web:acct | Deprecated. Please use :author to link to a ps:contact. | Deprecated: True
:author:email | inet:email | Deprecated. Please use :author to link to a ps:contact. | Deprecated: True
:author:person | ps:person | Deprecated. Please use :author to link to a ps:contact. | Deprecated: True
:url | inet:url | A URL relevant to the software.
:isos | bool | Set to True if the software is an operating system.
:islib | bool | Set to True if the software is a library.
:techniques | array | Deprecated for scalability. Please use -(uses)> ou:technique. | Deprecated: True, sorted: True, uniq: True
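Worked example (added here; it is not Synapse code and not part of the data model): the :cpe property on it:prod:hardware and it:prod:soft carries a NIST CPE 2.3 formatted string, and product data from vendor feeds frequently arrives with bad field counts, unescaped punctuation or mixed case. The Python below parses and validates such strings and builds them from plain vendor/product/version values. The names Cpe23, CpeError, parse_cpe23, bind_component and build_cpe23 are this example's own, as is its convention of mapping spaces to underscores; the it:sec:cpe type applies its own normalization when a value is set.

```python
"""Parse, validate and build NIST CPE 2.3 formatted strings, the value type
of the :cpe property on it:prod:hardware and it:prod:soft.

Added illustration code, not part of Synapse."""

import re
from dataclasses import dataclass, asdict

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
VALID_PARTS = {"a", "h", "o"}   # application, hardware, operating system

# In the formatted-string binding, letters, digits, '_', '.', '-' and the
# wildcards '*' and '?' are written bare; any other punctuation must be
# backslash-escaped (':' -> '\:', '+' -> '\+', '(' -> '\(').
_BARE = re.compile(r"[a-z0-9_.\-*?]")


class CpeError(ValueError):
    """Raised for strings that are not well-formed CPE 2.3 formatted strings."""


@dataclass(frozen=True)
class Cpe23:
    """One attribute per CPE 2.3 component, kept in escaped (bound) form."""
    part: str
    vendor: str
    product: str
    version: str
    update: str
    edition: str
    language: str
    sw_edition: str
    target_sw: str
    target_hw: str
    other: str

    def __str__(self) -> str:
        return "cpe:2.3:" + ":".join(getattr(self, f) for f in CPE_FIELDS)

    def logical(self) -> dict:
        """Components with escapes removed; '*' (ANY) and '-' (NA) unchanged."""
        return {k: re.sub(r"\\(.)", r"\1", v) for k, v in asdict(self).items()}


def _split_unescaped(text: str) -> list:
    """Split on ':' separators that are not backslash-escaped."""
    fields, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def _check_component(name: str, raw: str) -> str:
    """Validate one bound component; return it unchanged or raise CpeError."""
    if raw in ("*", "-"):                  # logical values ANY / NA
        return raw
    if not raw:
        raise CpeError(f"{name}: empty component")
    i = 0
    while i < len(raw):
        if raw[i] == "\\":
            if i + 1 >= len(raw) or raw[i + 1].isalnum() or raw[i + 1] == "_":
                raise CpeError(f"{name}: invalid escape in {raw!r}")
            i += 2
            continue
        if not _BARE.fullmatch(raw[i]):
            raise CpeError(f"{name}: {raw[i]!r} must be escaped in {raw!r}")
        i += 1
    return raw


def parse_cpe23(text: str) -> Cpe23:
    """Parse e.g. cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:* into a Cpe23."""
    fields = _split_unescaped(text.strip().lower())
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise CpeError(f"not a CPE 2.3 formatted string: {text!r}")
    comps = {n: _check_component(n, raw) for n, raw in zip(CPE_FIELDS, fields[2:])}
    if comps["part"] not in VALID_PARTS:
        raise CpeError(f"part must be one of a/h/o, got {comps['part']!r}")
    return Cpe23(**comps)


def is_valid_cpe23(text: str) -> bool:
    """True when parse_cpe23 accepts the string."""
    try:
        parse_cpe23(text)
        return True
    except CpeError:
        return False


def bind_component(value: str) -> str:
    """Escape a plain vendor/product/version string for a formatted string.
    Spaces become '_' (CPE values may not contain whitespace) and an empty
    value binds to ANY ('*'); both are this example's conventions."""
    value = value.strip().lower().replace(" ", "_")
    if value in ("", "*"):
        return "*"
    return re.sub(r"[^a-z0-9_.\-]", lambda m: "\\" + m.group(0), value)


def build_cpe23(part: str, vendor: str, product: str, version: str = "*",
                update: str = "*", **rest) -> str:
    """Build and validate a formatted string; unspecified components are ANY."""
    unknown = set(rest) - set(CPE_FIELDS[5:])
    if unknown:
        raise CpeError(f"unknown components: {sorted(unknown)}")
    comps = {"part": part, "vendor": bind_component(vendor),
             "product": bind_component(product),
             "version": bind_component(version), "update": bind_component(update)}
    for name in CPE_FIELDS[5:]:
        comps[name] = bind_component(rest.get(name, "*"))
    return str(parse_cpe23(str(Cpe23(**comps))))   # parse once to validate
```

Validating with parse_cpe23 before setting :cpe keeps a bad field count or an unescaped colon from silently landing as a mangled product name; the round trip through str() shows that the stored value is the escaped form, which is what matching against NVD data expects.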

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.
it:prod:soft | -(uses)> | ou:technique | The software uses the technique.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target node.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the target node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target node.
sci:experiment | -(uses)> | * | The experiment used the target node when it was run.
sci:observation | -(has)> | * | The observation is summarized from the target node.

it:prod:soft:taxonomy

A software type taxonomy.

The base type for the form can be found at it:prod:soft:taxonomy.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition.
:summary | str | Deprecated. Please use title/desc. | Deprecated: True, Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings.
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | it:prod:soft:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target node.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the target node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target node.
sci:experiment | -(uses)> | * | The experiment used the target node when it was run.
sci:observation | -(has)> | * | The observation is summarized from the target node.

it:prod:softfile

A file distributed by a specific software version.

The base type for the form can be found at it:prod:softfile.

Properties:

name | type | doc | opts
:soft | it:prod:softver | The software which distributes the file. | Read Only: True
:file | file:bytes | The file distributed by the software. | Read Only: True
:path | file:path | The default installation path of the file.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target node.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the target node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target node.
sci:experiment | -(uses)> | * | The experiment used the target node when it was run.
sci:observation | -(has)> | * | The observation is summarized from the target node.

it:prod:softid

An identifier issued to a given host by a specific software application.

The base type for the form can be found at it:prod:softid.

Properties:

name | type | doc
:id | str | The ID issued by the software to the host.
:host | it:host | The host which was issued the ID by the software.
:soft | it:prod:softver | The software which issued the ID to the host.
:soft:name | it:prod:softname | The name of the software which issued the ID to the host.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target node.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the target node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target node.
sci:experiment | -(uses)> | * | The experiment used the target node when it was run.
sci:observation | -(has)> | * | The observation is summarized from the target node.

it:prod:softlib

A software version that contains a library software version.

The base type for the form can be found at it:prod:softlib.

Properties:

name | type | doc | opts
:soft | it:prod:softver | The software version that contains the library. | Read Only: True
:lib | it:prod:softver | The library software version. | Read Only: True
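Worked example (added here; it is not Synapse code and not part of the data model): it:prod:softlib records that one software version embeds another, and it:prod:softfile records which files a version ships. Together they answer the supply-chain question an incident responder asks first: which products transitively embed a given library version, and what artefacts from those products should be searched for on hosts. The Python below walks the :lib -> :soft relationship upward with a breadth-first search. Plain strings stand in for the guid values of it:prod:softver, the SOFTLIB and SOFTFILE tables are constructed samples with placeholder hashes, and the function names are this example's own.

```python
"""Walk it:prod:softlib relationships to answer "which software versions
embed this library version, directly or transitively?" and, via
it:prod:softfile, which shipped files to look for on hosts.

Added illustration code, not part of Synapse: plain strings stand in for
the guid values of it:prod:softver, and both tables are constructed samples."""

from collections import deque

# Constructed it:prod:softlib sample as (:soft, :lib) pairs: the software
# version :soft contains the library version :lib.
SOFTLIB = [
    ("libcurl 7.61.0", "openssl 1.0.2k"),
    ("libcurl 7.61.0", "zlib 1.2.11"),
    ("acme-agent 3.2", "libcurl 7.61.0"),
    ("acme-agent 3.2", "zlib 1.2.11"),
    ("buildbox 1.0", "openssl 1.0.2k"),
    ("buildbox 1.0", "libcurl 7.61.0"),
]

# Constructed it:prod:softfile sample as (:soft, :file, :path); the hashes
# are placeholders, not real file digests.
SOFTFILE = [
    ("libcurl 7.61.0", "sha256:1111", "/usr/lib/libcurl.so.4"),
    ("acme-agent 3.2", "sha256:2222", "/opt/acme/bin/agent"),
    ("buildbox 1.0", "sha256:3333", "/opt/buildbox/buildbox"),
    ("zlib 1.2.11", "sha256:4444", "/usr/lib/libz.so.1"),
]


def index_containers(softlib):
    """Map each :lib value to the set of :soft values that contain it directly."""
    by_lib = {}
    for soft, lib in softlib:
        by_lib.setdefault(lib, set()).add(soft)
    return by_lib


def containers_of(softlib, lib):
    """Return {softver: chain} for every software version that embeds `lib`,
    where chain lists the versions from `lib` up to that softver (the first
    chain found by breadth-first search, hence a shortest one). Recording
    each softver once in `chains` keeps the walk finite on diamond-shaped
    or cyclic dependency data."""
    by_lib = index_containers(softlib)
    chains = {}
    queue = deque([(lib, [lib])])
    while queue:
        cur, chain = queue.popleft()
        for parent in sorted(by_lib.get(cur, ())):
            if parent in chains or parent == lib:
                continue
            chains[parent] = chain + [parent]
            queue.append((parent, chains[parent]))
    return chains


def direct_libs(softlib, soft):
    """Libraries that a software version lists directly in it:prod:softlib."""
    return sorted(lib for s, lib in softlib if s == soft)


def affected_files(softlib, softfile, lib):
    """Files distributed by any version that embeds `lib`, as
    (softver, path, file) tuples: the on-disk artefacts to search hosts for."""
    hits = containers_of(softlib, lib)
    return sorted((soft, path, file) for soft, file, path in softfile if soft in hits)
```

The chain returned for each hit is the evidence trail (library, intermediate library, product) that justifies flagging a product that never lists the vulnerable library directly; the duplicate check on the walk matters because real dependency data contains diamonds (buildbox above reaches openssl both directly and through libcurl) and occasionally cycles.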

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target node.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the target node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target node.
sci:experiment | -(uses)> | * | The experiment used the target node when it was run.
sci:observation | -(has)> | * | The observation is summarized from the target node.

it:prod:softname

A software product name.

The base type for the form can be found at it:prod:softname.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target node.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the target node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target node.
sci:experiment | -(uses)> | * | The experiment used the target node when it was run.
sci:observation | -(has)> | * | The observation is summarized from the target node.

it:prod:softos

A software version known to be compatible with the given OS software version.

The base type for the form can be found at it:prod:softos.

Properties:

name | type | doc | opts
:soft | it:prod:softver | The software which can run on the operating system. | Read Only: True
:os | it:prod:softver | The operating system which the software can run on. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | The source node contains a reference to the target node.
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target node.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the target node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The organization makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target node.
sci:experiment | -(uses)> | * | The experiment used the target node when it was run.
sci:observation | -(has)> | * | The observation is summarized from the target node.

it:prod:softreg

A registry entry is created by a specific software version.

The base type for the form can be found at it:prod:softreg.

Properties:

  :softver (it:prod:softver), read only
      The software which creates the registry entry.

  :regval (it:dev:regval), read only
      The registry entry created by the software.

Source Edges:

  source  verb         target          doc
  *       -(meets)>    ou:requirement  The requirement is met by the source node.
  *       -(refs)>     *               The source node contains a reference to the target node.
  *       -(seenat)>   geo:telem       The source node was seen at the place and time of the geo:telem node.

Target Edges:

  source              verb            target  doc
  *                   -(refs)>        *       The source node contains a reference to the target node.
  econ:purchase       -(acquired)>    *       The purchase was used to acquire the target node.
  it:app:snort:rule   -(detects)>     *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule    -(detects)>     *       The YARA rule is intended for use in detecting the target node.
  it:exec:query       -(found)>       *       The target node was returned as a result of running the query.
  meta:note           -(about)>       *       The meta:note is about the target node.
  meta:rule           -(detects)>     *       The meta:rule is designed to detect instances of the target node.
  meta:rule           -(matches)>     *       The meta:rule has matched on the target node.
  meta:source         -(seen)>        *       The meta:source observed the target node.
  ou:campaign         -(targets)>     *       The campaign targeted the target node.
  ou:campaign         -(uses)>        *       The campaign made use of the target node.
  ou:contribution     -(includes)>    *       The contribution includes the specific node.
  ou:org              -(has)>         *       The organization is or was in possession of the target node.
  ou:org              -(owns)>        *       The organization owns or owned the target node.
  ou:org              -(targets)>     *       The organization targets the target node.
  ou:org              -(uses)>        *       The organization makes use of the target node.
  ps:contact          -(has)>         *       The contact is or was in possession of the target node.
  ps:contact          -(owns)>        *       The contact owns or owned the target node.
  ps:person           -(has)>         *       The person is or was in possession of the target node.
  ps:person           -(owns)>        *       The person owns or owned the target node.
  risk:attack         -(targets)>     *       The attack targeted the target node.
  risk:attack         -(uses)>        *       The attack used the target node to facilitate the attack.
  risk:compromise     -(stole)>       *       The target node was stolen or copied as a result of the compromise.
  risk:extortion      -(leveraged)>   *       The extortion event was based on attacker access to the target node.
  risk:leak           -(leaked)>      *       The leak included the disclosure of the target node.
  risk:threat         -(targets)>     *       The threat cluster targeted the target node.
  risk:threat         -(uses)>        *       The threat cluster uses the target node.
  risk:tool:software  -(uses)>        *       The tool uses the target node.
  sci:evidence        -(has)>         *       The evidence includes observations from the target nodes.
  sci:experiment      -(uses)>        *       The experiment used the target nodes when it was run.
  sci:observation     -(has)>         *       The observations are summarized from the target nodes.

it:prod:softver

A specific version of a software product.

The base type for the form can be found at it:prod:softver.

Properties:

  :software (it:prod:soft)
      Software associated with this version instance.

  :software:name (lower: True, strip: True), deprecated
      Deprecated. Please use it:prod:softver:name.

  :name (it:prod:softname)
      Name of the software version.

  :names (uniq: True, sorted: True)
      Observed/variant names for this software version.

  :desc (str), display hint: text
      A description of the software.

  :cpe (it:sec:cpe)
      The NIST CPE 2.3 string specifying this software version.

  :cves (uniq: True, sorted: True)
      A list of CVEs that apply to this software version.

  :vers (it:dev:str)
      Version string associated with this version instance.

  :vers:norm (lower: True)
      Normalized version of the version string.

  :arch (it:dev:str)
      Software architecture.

  :released (time)
      Timestamp for when this version of the software was released.

  :semver (it:semver)
      System-normalized semantic version number.

  :semver:major (int)
      Version major number.

  :semver:minor (int)
      Version minor number.

  :semver:patch (int)
      Version patch number.

  :semver:pre (str)
      Semver prerelease string.

  :semver:build (str)
      Semver build string.

  :url (inet:url)
      URL where a specific version of the software is available from.
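
As an added example (not code from the Synapse project or its data model documentation), the following Python shows how a raw version string is broken into the :vers, :vers:norm and :semver* values listed above, and how the resulting versions compare so that the newest release of a product can be picked out. The 20-bit-per-field packing of major/minor/patch into the single :semver integer mirrors what synapse.lib.version does; treat that layout as an assumption and check it against the installed release. The lenient pattern (optional leading v, a missing minor or patch treated as 0) and the function names are this example's own choices.

```python
"""Derive it:prod:softver :vers / :vers:norm / :semver* values from a raw version string.

Added example; not code from the Synapse project.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple, Union

# Lenient semver-style pattern (assumption of this example): optional leading 'v',
# one to three numeric components, optional -prerelease and +build metadata.
_VERS_RE = re.compile(
    r"^v?(?P<major>\d+)(?:\.(?P<minor>\d+))?(?:\.(?P<patch>\d+))?"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+(?P<build>[0-9A-Za-z.-]+))?$"
)

# Each of major/minor/patch occupies 20 bits in the packed it:semver integer
# (mirrors synapse.lib.version; verify against the installed release).
MASK20 = 0xFFFFF


@dataclass(frozen=True)
class SemVer:
    major: int
    minor: int
    patch: int
    pre: str = ""
    build: str = ""

    def packed(self) -> int:
        """Pack major/minor/patch into one integer; pre and build are not represented."""
        for part in (self.major, self.minor, self.patch):
            if not 0 <= part <= MASK20:
                raise ValueError(f"version component {part} does not fit in 20 bits")
        return (self.major << 40) | (self.minor << 20) | self.patch

    def sort_key(self) -> Tuple:
        """Precedence per semver 2.0: numeric core first, then pre-release identifiers.

        A release (no pre-release) outranks every pre-release of the same core version;
        numeric identifiers rank below alphanumeric ones and compare numerically; a longer
        identifier list with an equal prefix ranks higher. Build metadata is ignored.
        """
        if not self.pre:
            return (self.major, self.minor, self.patch, 1, ())
        idents = tuple(
            (0, int(ident), "") if ident.isdigit() else (1, 0, ident)
            for ident in self.pre.split(".")
        )
        return (self.major, self.minor, self.patch, 0, idents)


def parse_vers(vers: str) -> Optional[SemVer]:
    """Return a SemVer for a parsable version string, or None for strings like '2023q1'."""
    match = _VERS_RE.match(vers.strip())
    if match is None:
        return None
    return SemVer(
        int(match["major"]),
        int(match["minor"] or 0),  # '1.2' is treated as 1.2.0 (example assumption)
        int(match["patch"] or 0),
        match["pre"] or "",
        match["build"] or "",
    )


def softver_props(vers: str) -> Dict[str, Union[int, str]]:
    """Build the version-related it:prod:softver property values for a raw version string."""
    props: Dict[str, Union[int, str]] = {
        "vers": vers,
        "vers:norm": vers.strip().lower(),  # :vers:norm is declared lower: True
    }
    semver = parse_vers(vers)
    if semver is None:
        return props  # non-semver strings keep only :vers and :vers:norm
    props.update({
        "semver": semver.packed(),
        "semver:major": semver.major,
        "semver:minor": semver.minor,
        "semver:patch": semver.patch,
    })
    if semver.pre:
        props["semver:pre"] = semver.pre
    if semver.build:
        props["semver:build"] = semver.build
    return props


def newest(versions: Iterable[str]) -> Optional[str]:
    """Return the highest-precedence parsable version string, or None if none parse."""
    parsed: List[Tuple[SemVer, str]] = []
    for raw in versions:
        semver = parse_vers(raw)
        if semver is not None:
            parsed.append((semver, raw))
    if not parsed:
        return None
    return max(parsed, key=lambda item: item[0].sort_key())[1]


if __name__ == "__main__":
    for raw in ("v2.5.1-rc.1+build.7", "1.2", "2023q1"):  # constructed sample strings
        print(raw, "->", softver_props(raw))
    print(newest(["1.0.0-alpha", "1.0.0-alpha.1", "1.0.0-beta", "1.0.0-rc.1", "1.0.0"]))
```

Two points worth noting when ingesting vendor version data this way: :semver carries only the numeric core, so two pre-releases of the same version pack to the same integer and can only be told apart through :semver:pre, and a string that does not fit the pattern (date-based or four-part versions) still gets :vers and :vers:norm so the node is not lost, it just cannot be ordered.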

Source Edges:

  source  verb         target          doc
  *       -(meets)>    ou:requirement  The requirement is met by the source node.
  *       -(refs)>     *               The source node contains a reference to the target node.
  *       -(seenat)>   geo:telem       The source node was seen at the place and time of the geo:telem node.

Target Edges:

  source              verb            target  doc
  *                   -(refs)>        *       The source node contains a reference to the target node.
  econ:purchase       -(acquired)>    *       The purchase was used to acquire the target node.
  it:app:snort:rule   -(detects)>     *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule    -(detects)>     *       The YARA rule is intended for use in detecting the target node.
  it:exec:query       -(found)>       *       The target node was returned as a result of running the query.
  meta:note           -(about)>       *       The meta:note is about the target node.
  meta:rule           -(detects)>     *       The meta:rule is designed to detect instances of the target node.
  meta:rule           -(matches)>     *       The meta:rule has matched on the target node.
  meta:source         -(seen)>        *       The meta:source observed the target node.
  ou:campaign         -(targets)>     *       The campaign targeted the target node.
  ou:campaign         -(uses)>        *       The campaign made use of the target node.
  ou:contribution     -(includes)>    *       The contribution includes the specific node.
  ou:org              -(has)>         *       The organization is or was in possession of the target node.
  ou:org              -(owns)>        *       The organization owns or owned the target node.
  ou:org              -(targets)>     *       The organization targets the target node.
  ou:org              -(uses)>        *       The organization makes use of the target node.
  ps:contact          -(has)>         *       The contact is or was in possession of the target node.
  ps:contact          -(owns)>        *       The contact owns or owned the target node.
  ps:person           -(has)>         *       The person is or was in possession of the target node.
  ps:person           -(owns)>        *       The person owns or owned the target node.
  risk:attack         -(targets)>     *       The attack targeted the target node.
  risk:attack         -(uses)>        *       The attack used the target node to facilitate the attack.
  risk:compromise     -(stole)>       *       The target node was stolen or copied as a result of the compromise.
  risk:extortion      -(leveraged)>   *       The extortion event was based on attacker access to the target node.
  risk:leak           -(leaked)>      *       The leak included the disclosure of the target node.
  risk:threat         -(targets)>     *       The threat cluster targeted the target node.
  risk:threat         -(uses)>        *       The threat cluster uses the target node.
  risk:tool:software  -(uses)>        *       The tool uses the target node.
  sci:evidence        -(has)>         *       The evidence includes observations from the target nodes.
  sci:experiment      -(uses)>        *       The experiment used the target nodes when it was run.
  sci:observation     -(has)>         *       The observations are summarized from the target nodes.

it:query

A unique query string.

The base type for the form can be found at it:query.

Source Edges:

  source  verb         target          doc
  *       -(meets)>    ou:requirement  The requirement is met by the source node.
  *       -(refs)>     *               The source node contains a reference to the target node.
  *       -(seenat)>   geo:telem       The source node was seen at the place and time of the geo:telem node.

Target Edges:

  source              verb            target  doc
  *                   -(refs)>        *       The source node contains a reference to the target node.
  econ:purchase       -(acquired)>    *       The purchase was used to acquire the target node.
  it:app:snort:rule   -(detects)>     *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule    -(detects)>     *       The YARA rule is intended for use in detecting the target node.
  it:exec:query       -(found)>       *       The target node was returned as a result of running the query.
  meta:note           -(about)>       *       The meta:note is about the target node.
  meta:rule           -(detects)>     *       The meta:rule is designed to detect instances of the target node.
  meta:rule           -(matches)>     *       The meta:rule has matched on the target node.
  meta:source         -(seen)>        *       The meta:source observed the target node.
  ou:campaign         -(targets)>     *       The campaign targeted the target node.
  ou:campaign         -(uses)>        *       The campaign made use of the target node.
  ou:contribution     -(includes)>    *       The contribution includes the specific node.
  ou:org              -(has)>         *       The organization is or was in possession of the target node.
  ou:org              -(owns)>        *       The organization owns or owned the target node.
  ou:org              -(targets)>     *       The organization targets the target node.
  ou:org              -(uses)>        *       The organization makes use of the target node.
  ps:contact          -(has)>         *       The contact is or was in possession of the target node.
  ps:contact          -(owns)>        *       The contact owns or owned the target node.
  ps:person           -(has)>         *       The person is or was in possession of the target node.
  ps:person           -(owns)>        *       The person owns or owned the target node.
  risk:attack         -(targets)>     *       The attack targeted the target node.
  risk:attack         -(uses)>        *       The attack used the target node to facilitate the attack.
  risk:compromise     -(stole)>       *       The target node was stolen or copied as a result of the compromise.
  risk:extortion      -(leveraged)>   *       The extortion event was based on attacker access to the target node.
  risk:leak           -(leaked)>      *       The leak included the disclosure of the target node.
  risk:threat         -(targets)>     *       The threat cluster targeted the target node.
  risk:threat         -(uses)>        *       The threat cluster uses the target node.
  risk:tool:software  -(uses)>        *       The tool uses the target node.
  sci:evidence        -(has)>         *       The evidence includes observations from the target nodes.
  sci:experiment      -(uses)>        *       The experiment used the target nodes when it was run.
  sci:observation     -(has)>         *       The observations are summarized from the target nodes.

it:reveng:filefunc

An instance of a function in an executable.

The base type for the form can be found at it:reveng:filefunc.

Properties:

  :function (it:reveng:function), read only
      The guid matching the function.

  :file (file:bytes), read only
      The file that contains the function.

  :va (int)
      The virtual address of the first codeblock of the function.

  :rank (int)
      The function rank score used to evaluate whether it exhibits interesting behavior.

  :complexity (int)
      The complexity of the function.

  :funccalls (uniq: True, sorted: True)
      Other function calls within the scope of the function.

Source Edges:

  source  verb         target          doc
  *       -(meets)>    ou:requirement  The requirement is met by the source node.
  *       -(refs)>     *               The source node contains a reference to the target node.
  *       -(seenat)>   geo:telem       The source node was seen at the place and time of the geo:telem node.

Target Edges:

  source              verb            target  doc
  *                   -(refs)>        *       The source node contains a reference to the target node.
  econ:purchase       -(acquired)>    *       The purchase was used to acquire the target node.
  it:app:snort:rule   -(detects)>     *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule    -(detects)>     *       The YARA rule is intended for use in detecting the target node.
  it:exec:query       -(found)>       *       The target node was returned as a result of running the query.
  meta:note           -(about)>       *       The meta:note is about the target node.
  meta:rule           -(detects)>     *       The meta:rule is designed to detect instances of the target node.
  meta:rule           -(matches)>     *       The meta:rule has matched on the target node.
  meta:source         -(seen)>        *       The meta:source observed the target node.
  ou:campaign         -(targets)>     *       The campaign targeted the target node.
  ou:campaign         -(uses)>        *       The campaign made use of the target node.
  ou:contribution     -(includes)>    *       The contribution includes the specific node.
  ou:org              -(has)>         *       The organization is or was in possession of the target node.
  ou:org              -(owns)>        *       The organization owns or owned the target node.
  ou:org              -(targets)>     *       The organization targets the target node.
  ou:org              -(uses)>        *       The organization makes use of the target node.
  ps:contact          -(has)>         *       The contact is or was in possession of the target node.
  ps:contact          -(owns)>        *       The contact owns or owned the target node.
  ps:person           -(has)>         *       The person is or was in possession of the target node.
  ps:person           -(owns)>        *       The person owns or owned the target node.
  risk:attack         -(targets)>     *       The attack targeted the target node.
  risk:attack         -(uses)>        *       The attack used the target node to facilitate the attack.
  risk:compromise     -(stole)>       *       The target node was stolen or copied as a result of the compromise.
  risk:extortion      -(leveraged)>   *       The extortion event was based on attacker access to the target node.
  risk:leak           -(leaked)>      *       The leak included the disclosure of the target node.
  risk:threat         -(targets)>     *       The threat cluster targeted the target node.
  risk:threat         -(uses)>        *       The threat cluster uses the target node.
  risk:tool:software  -(uses)>        *       The tool uses the target node.
  sci:evidence        -(has)>         *       The evidence includes observations from the target nodes.
  sci:experiment      -(uses)>        *       The experiment used the target nodes when it was run.
  sci:observation     -(has)>         *       The observations are summarized from the target nodes.

it:reveng:funcstr

A reference to a string inside a function.

The base type for the form can be found at it:reveng:funcstr.

Properties:

  :function (it:reveng:function), read only
      The guid matching the function.

  :string (str), read only
      The string that the function references.

Source Edges:

  source  verb         target          doc
  *       -(meets)>    ou:requirement  The requirement is met by the source node.
  *       -(refs)>     *               The source node contains a reference to the target node.
  *       -(seenat)>   geo:telem       The source node was seen at the place and time of the geo:telem node.

Target Edges:

  source              verb            target  doc
  *                   -(refs)>        *       The source node contains a reference to the target node.
  econ:purchase       -(acquired)>    *       The purchase was used to acquire the target node.
  it:app:snort:rule   -(detects)>     *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule    -(detects)>     *       The YARA rule is intended for use in detecting the target node.
  it:exec:query       -(found)>       *       The target node was returned as a result of running the query.
  meta:note           -(about)>       *       The meta:note is about the target node.
  meta:rule           -(detects)>     *       The meta:rule is designed to detect instances of the target node.
  meta:rule           -(matches)>     *       The meta:rule has matched on the target node.
  meta:source         -(seen)>        *       The meta:source observed the target node.
  ou:campaign         -(targets)>     *       The campaign targeted the target node.
  ou:campaign         -(uses)>        *       The campaign made use of the target node.
  ou:contribution     -(includes)>    *       The contribution includes the specific node.
  ou:org              -(has)>         *       The organization is or was in possession of the target node.
  ou:org              -(owns)>        *       The organization owns or owned the target node.
  ou:org              -(targets)>     *       The organization targets the target node.
  ou:org              -(uses)>        *       The organization makes use of the target node.
  ps:contact          -(has)>         *       The contact is or was in possession of the target node.
  ps:contact          -(owns)>        *       The contact owns or owned the target node.
  ps:person           -(has)>         *       The person is or was in possession of the target node.
  ps:person           -(owns)>        *       The person owns or owned the target node.
  risk:attack         -(targets)>     *       The attack targeted the target node.
  risk:attack         -(uses)>        *       The attack used the target node to facilitate the attack.
  risk:compromise     -(stole)>       *       The target node was stolen or copied as a result of the compromise.
  risk:extortion      -(leveraged)>   *       The extortion event was based on attacker access to the target node.
  risk:leak           -(leaked)>      *       The leak included the disclosure of the target node.
  risk:threat         -(targets)>     *       The threat cluster targeted the target node.
  risk:threat         -(uses)>        *       The threat cluster uses the target node.
  risk:tool:software  -(uses)>        *       The tool uses the target node.
  sci:evidence        -(has)>         *       The evidence includes observations from the target nodes.
  sci:experiment      -(uses)>        *       The experiment used the target nodes when it was run.
  sci:observation     -(has)>         *       The observations are summarized from the target nodes.

it:reveng:function

A function inside an executable.

The base type for the form can be found at it:reveng:function.

Properties:

  :name (str)
      The name of the function.

  :description (str)
      Notes concerning the function.

  :impcalls (uniq: True, sorted: True)
      Calls to imported library functions within the scope of the function.

  :strings (uniq: True)
      An array of strings referenced within the function.

Source Edges:

  source  verb         target          doc
  *       -(meets)>    ou:requirement  The requirement is met by the source node.
  *       -(refs)>     *               The source node contains a reference to the target node.
  *       -(seenat)>   geo:telem       The source node was seen at the place and time of the geo:telem node.

Target Edges:

  source              verb            target  doc
  *                   -(refs)>        *       The source node contains a reference to the target node.
  econ:purchase       -(acquired)>    *       The purchase was used to acquire the target node.
  it:app:snort:rule   -(detects)>     *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule    -(detects)>     *       The YARA rule is intended for use in detecting the target node.
  it:exec:query       -(found)>       *       The target node was returned as a result of running the query.
  meta:note           -(about)>       *       The meta:note is about the target node.
  meta:rule           -(detects)>     *       The meta:rule is designed to detect instances of the target node.
  meta:rule           -(matches)>     *       The meta:rule has matched on the target node.
  meta:source         -(seen)>        *       The meta:source observed the target node.
  ou:campaign         -(targets)>     *       The campaign targeted the target node.
  ou:campaign         -(uses)>        *       The campaign made use of the target node.
  ou:contribution     -(includes)>    *       The contribution includes the specific node.
  ou:org              -(has)>         *       The organization is or was in possession of the target node.
  ou:org              -(owns)>        *       The organization owns or owned the target node.
  ou:org              -(targets)>     *       The organization targets the target node.
  ou:org              -(uses)>        *       The organization makes use of the target node.
  ps:contact          -(has)>         *       The contact is or was in possession of the target node.
  ps:contact          -(owns)>        *       The contact owns or owned the target node.
  ps:person           -(has)>         *       The person is or was in possession of the target node.
  ps:person           -(owns)>        *       The person owns or owned the target node.
  risk:attack         -(targets)>     *       The attack targeted the target node.
  risk:attack         -(uses)>        *       The attack used the target node to facilitate the attack.
  risk:compromise     -(stole)>       *       The target node was stolen or copied as a result of the compromise.
  risk:extortion      -(leveraged)>   *       The extortion event was based on attacker access to the target node.
  risk:leak           -(leaked)>      *       The leak included the disclosure of the target node.
  risk:threat         -(targets)>     *       The threat cluster targeted the target node.
  risk:threat         -(uses)>        *       The threat cluster uses the target node.
  risk:tool:software  -(uses)>        *       The tool uses the target node.
  sci:evidence        -(has)>         *       The evidence includes observations from the target nodes.
  sci:experiment      -(uses)>        *       The experiment used the target nodes when it was run.
  sci:observation     -(has)>         *       The observations are summarized from the target nodes.

it:reveng:impfunc

A function from an imported library.

The base type for the form can be found at it:reveng:impfunc.

Source Edges:

  source  verb         target          doc
  *       -(meets)>    ou:requirement  The requirement is met by the source node.
  *       -(refs)>     *               The source node contains a reference to the target node.
  *       -(seenat)>   geo:telem       The source node was seen at the place and time of the geo:telem node.

Target Edges:

  source              verb            target  doc
  *                   -(refs)>        *       The source node contains a reference to the target node.
  econ:purchase       -(acquired)>    *       The purchase was used to acquire the target node.
  it:app:snort:rule   -(detects)>     *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule    -(detects)>     *       The YARA rule is intended for use in detecting the target node.
  it:exec:query       -(found)>       *       The target node was returned as a result of running the query.
  meta:note           -(about)>       *       The meta:note is about the target node.
  meta:rule           -(detects)>     *       The meta:rule is designed to detect instances of the target node.
  meta:rule           -(matches)>     *       The meta:rule has matched on the target node.
  meta:source         -(seen)>        *       The meta:source observed the target node.
  ou:campaign         -(targets)>     *       The campaign targeted the target node.
  ou:campaign         -(uses)>        *       The campaign made use of the target node.
  ou:contribution     -(includes)>    *       The contribution includes the specific node.
  ou:org              -(has)>         *       The organization is or was in possession of the target node.
  ou:org              -(owns)>        *       The organization owns or owned the target node.
  ou:org              -(targets)>     *       The organization targets the target node.
  ou:org              -(uses)>        *       The organization makes use of the target node.
  ps:contact          -(has)>         *       The contact is or was in possession of the target node.
  ps:contact          -(owns)>        *       The contact owns or owned the target node.
  ps:person           -(has)>         *       The person is or was in possession of the target node.
  ps:person           -(owns)>        *       The person owns or owned the target node.
  risk:attack         -(targets)>     *       The attack targeted the target node.
  risk:attack         -(uses)>        *       The attack used the target node to facilitate the attack.
  risk:compromise     -(stole)>       *       The target node was stolen or copied as a result of the compromise.
  risk:extortion      -(leveraged)>   *       The extortion event was based on attacker access to the target node.
  risk:leak           -(leaked)>      *       The leak included the disclosure of the target node.
  risk:threat         -(targets)>     *       The threat cluster targeted the target node.
  risk:threat         -(uses)>        *       The threat cluster uses the target node.
  risk:tool:software  -(uses)>        *       The tool uses the target node.
  sci:evidence        -(has)>         *       The evidence includes observations from the target nodes.
  sci:experiment      -(uses)>        *       The experiment used the target nodes when it was run.
  sci:observation     -(has)>         *       The observations are summarized from the target nodes.

it:screenshot

A screenshot of a host.

The base type for the form can be found at it:screenshot.

Properties:

  :image (file:bytes)
      The image file.

  :desc (str), display hint: text
      A brief description of the screenshot.

  :exe (file:bytes)
      The executable file which caused the activity.

  :proc (it:exec:proc)
      The host process which caused the activity.

  :thread (it:exec:thread)
      The host thread which caused the activity.

  :host (it:host)
      The host on which the activity occurred.

  :time (time)
      The time that the activity started.

  :sandbox:file (file:bytes)
      The initial sample given to a sandbox environment to analyze.

Source Edges:

  source  verb         target          doc
  *       -(meets)>    ou:requirement  The requirement is met by the source node.
  *       -(refs)>     *               The source node contains a reference to the target node.
  *       -(seenat)>   geo:telem       The source node was seen at the place and time of the geo:telem node.

Target Edges:

  source              verb            target  doc
  *                   -(refs)>        *       The source node contains a reference to the target node.
  econ:purchase       -(acquired)>    *       The purchase was used to acquire the target node.
  it:app:snort:rule   -(detects)>     *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule    -(detects)>     *       The YARA rule is intended for use in detecting the target node.
  it:exec:query       -(found)>       *       The target node was returned as a result of running the query.
  meta:note           -(about)>       *       The meta:note is about the target node.
  meta:rule           -(detects)>     *       The meta:rule is designed to detect instances of the target node.
  meta:rule           -(matches)>     *       The meta:rule has matched on the target node.
  meta:source         -(seen)>        *       The meta:source observed the target node.
  ou:campaign         -(targets)>     *       The campaign targeted the target node.
  ou:campaign         -(uses)>        *       The campaign made use of the target node.
  ou:contribution     -(includes)>    *       The contribution includes the specific node.
  ou:org              -(has)>         *       The organization is or was in possession of the target node.
  ou:org              -(owns)>        *       The organization owns or owned the target node.
  ou:org              -(targets)>     *       The organization targets the target node.
  ou:org              -(uses)>        *       The organization makes use of the target node.
  ps:contact          -(has)>         *       The contact is or was in possession of the target node.
  ps:contact          -(owns)>        *       The contact owns or owned the target node.
  ps:person           -(has)>         *       The person is or was in possession of the target node.
  ps:person           -(owns)>        *       The person owns or owned the target node.
  risk:attack         -(targets)>     *       The attack targeted the target node.
  risk:attack         -(uses)>        *       The attack used the target node to facilitate the attack.
  risk:compromise     -(stole)>       *       The target node was stolen or copied as a result of the compromise.
  risk:extortion      -(leveraged)>   *       The extortion event was based on attacker access to the target node.
  risk:leak           -(leaked)>      *       The leak included the disclosure of the target node.
  risk:threat         -(targets)>     *       The threat cluster targeted the target node.
  risk:threat         -(uses)>        *       The threat cluster uses the target node.
  risk:tool:software  -(uses)>        *       The tool uses the target node.
  sci:evidence        -(has)>         *       The evidence includes observations from the target nodes.
  sci:experiment      -(uses)>        *       The experiment used the target nodes when it was run.
  sci:observation     -(has)>         *       The observations are summarized from the target nodes.

it:sec:c2:config

A C2 config extracted from an executable.

The base type for the form can be found at it:sec:c2:config.

Properties:

  :family (it:prod:softname)
      The name of the software family which uses the config.

  :file (file:bytes)
      The file that the C2 config was extracted from.

  :decoys (array; type: inet:url)
      An array of URLs used as decoy connections to obfuscate the C2 servers.

  :servers (array; type: inet:url)
      An array of connection URLs built from host/port/passwd combinations.

  :proxies (array; type: inet:url)
      An array of proxy URLs used to communicate with the C2 server.

  :listens (array; type: inet:url)
      An array of listen URLs that the software should bind to.

  :dns:resolvers
      An array of inet:server values to use when resolving DNS names.

  :mutex (it:dev:mutex)
      The mutex that the software uses to prevent multiple installations.

  :campaigncode (it:dev:str)
      The operator-selected string used to identify the campaign or group of targets.

  :crypto:key (crypto:key)
      Static key material used to encrypt C2 communications.

  :connect:delay (duration)
      The time delay from first execution to connecting to the C2 server.

  :connect:interval (duration)
      The configured duration to sleep between connections to the C2 server.

  :raw (data)
      A JSON blob containing the raw config extracted from the binary.

  :http:headers
      An array of HTTP headers that the sample should transmit to the C2 server.

Source Edges:

  source  verb         target          doc
  *       -(meets)>    ou:requirement  The requirement is met by the source node.
  *       -(refs)>     *               The source node contains a reference to the target node.
  *       -(seenat)>   geo:telem       The source node was seen at the place and time of the geo:telem node.

Target Edges:

  source              verb            target  doc
  *                   -(refs)>        *       The source node contains a reference to the target node.
  econ:purchase       -(acquired)>    *       The purchase was used to acquire the target node.
  it:app:snort:rule   -(detects)>     *       The snort rule is intended for use in detecting the target node.
  it:app:yara:rule    -(detects)>     *       The YARA rule is intended for use in detecting the target node.
  it:exec:query       -(found)>       *       The target node was returned as a result of running the query.
  meta:note           -(about)>       *       The meta:note is about the target node.
  meta:rule           -(detects)>     *       The meta:rule is designed to detect instances of the target node.
  meta:rule           -(matches)>     *       The meta:rule has matched on the target node.
  meta:source         -(seen)>        *       The meta:source observed the target node.
  ou:campaign         -(targets)>     *       The campaign targeted the target node.
  ou:campaign         -(uses)>        *       The campaign made use of the target node.
  ou:contribution     -(includes)>    *       The contribution includes the specific node.
  ou:org              -(has)>         *       The organization is or was in possession of the target node.
  ou:org              -(owns)>        *       The organization owns or owned the target node.
  ou:org              -(targets)>     *       The organization targets the target node.
  ou:org              -(uses)>        *       The organization makes use of the target node.
  ps:contact          -(has)>         *       The contact is or was in possession of the target node.
  ps:contact          -(owns)>        *       The contact owns or owned the target node.
  ps:person           -(has)>         *       The person is or was in possession of the target node.
  ps:person           -(owns)>        *       The person owns or owned the target node.
  risk:attack         -(targets)>     *       The attack targeted the target node.
  risk:attack         -(uses)>        *       The attack used the target node to facilitate the attack.
  risk:compromise     -(stole)>       *       The target node was stolen or copied as a result of the compromise.
  risk:extortion      -(leveraged)>   *       The extortion event was based on attacker access to the target node.
  risk:leak           -(leaked)>      *       The leak included the disclosure of the target node.
  risk:threat         -(targets)>     *       The threat cluster targeted the target node.
  risk:threat         -(uses)>        *       The threat cluster uses the target node.
  risk:tool:software  -(uses)>        *       The tool uses the target node.
  sci:evidence        -(has)>         *       The evidence includes observations from the target nodes.
  sci:experiment      -(uses)>        *       The experiment used the target nodes when it was run.
  sci:observation     -(has)>         *       The observations are summarized from the target nodes.

it:sec:cpe

A NIST CPE 2.3 Formatted String.

The base type for the form can be found at it:sec:cpe.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :v2_2 | it:sec:cpe:v2_2 | The CPE 2.2 string which is equivalent to the primary property. | |
| :part | lower: True, strip: True | The “part” field from the CPE 2.3 string. | Read Only: True |
| :vendor | ou:name | The “vendor” field from the CPE 2.3 string. | Read Only: True |
| :product | lower: True, strip: True | The “product” field from the CPE 2.3 string. | Read Only: True |
| :version | lower: True, strip: True | The “version” field from the CPE 2.3 string. | Read Only: True |
| :update | lower: True, strip: True | The “update” field from the CPE 2.3 string. | Read Only: True |
| :edition | lower: True, strip: True | The “edition” field from the CPE 2.3 string. | Read Only: True |
| :language | lower: True, strip: True | The “language” field from the CPE 2.3 string. | Read Only: True |
| :sw_edition | lower: True, strip: True | The “sw_edition” field from the CPE 2.3 string. | Read Only: True |
| :target_sw | lower: True, strip: True | The “target_sw” field from the CPE 2.3 string. | Read Only: True |
| :target_hw | lower: True, strip: True | The “target_hw” field from the CPE 2.3 string. | Read Only: True |
| :other | lower: True, strip: True | The “other” field from the CPE 2.3 string. | Read Only: True |
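
As an added example (not code from the Synapse project or this documentation), the following Python parses a CPE 2.3 formatted string into the eleven field properties listed above, applying the lower/strip normalisation those properties declare, and adds a simplified vulnerable-configuration match. The function names, the sample strings and the matching rules are this example's own assumptions; the :v2_2 equivalent string is not derived here.

```python
"""Parse a NIST CPE 2.3 formatted string into the it:sec:cpe property fields.

Added example; this is not Synapse code. Field names mirror the it:sec:cpe
properties and the normalisation mirrors their declared type options
(lower: True, strip: True). The :v2_2 binding is not produced here.
"""
from typing import Dict, List

CPE23_PREFIX = "cpe:2.3:"

# The eleven components of a CPE 2.3 formatted string, in wire order.
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)

# "part" is restricted to application, hardware, operating system, ANY or NA.
VALID_PARTS = {"a", "h", "o", "*", "-"}


def _split_components(body: str) -> List[str]:
    """Split on ':' while keeping a backslash-escaped ':' inside a value."""
    comps: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i:i + 2])   # keep the escape pair verbatim
            i += 2
            continue
        if ch == ":":
            comps.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    comps.append("".join(buf))
    return comps


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Return {field: value} for a CPE 2.3 string, or raise ValueError."""
    text = cpe.strip()
    if not text.lower().startswith(CPE23_PREFIX):
        raise ValueError("expected a 'cpe:2.3:' prefix")
    comps = _split_components(text[len(CPE23_PREFIX):])
    if len(comps) != len(CPE23_FIELDS):
        raise ValueError(f"expected {len(CPE23_FIELDS)} components, got {len(comps)}")
    # lower + strip, as the it:sec:cpe field properties are declared
    fields = {name: val.strip().lower() for name, val in zip(CPE23_FIELDS, comps)}
    for name, val in fields.items():
        if not val:
            raise ValueError(f"empty {name!r} component")
    if fields["part"] not in VALID_PARTS:
        raise ValueError(f"invalid part {fields['part']!r}")
    return fields


def is_cpe23(cpe: str) -> bool:
    """True when the string parses as a CPE 2.3 formatted string."""
    try:
        parse_cpe23(cpe)
    except ValueError:
        return False
    return True


def cpe23_matches(pattern: str, asset: str) -> bool:
    """Simplified matching of a vulnerable-configuration pattern against an
    asset CPE: '*' in the pattern matches any value, everything else must be
    equal after normalisation. Wildcards embedded inside a value (e.g. '8.*')
    are not expanded; that is a deliberate simplification of this example."""
    p, a = parse_cpe23(pattern), parse_cpe23(asset)
    return all(p[name] == "*" or p[name] == a[name] for name in CPE23_FIELDS)


if __name__ == "__main__":
    # Constructed sample inputs; the second one carries an escaped ':' in the vendor.
    print(parse_cpe23("cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*"))
    print(parse_cpe23(r"cpe:2.3:a:Example\:Corp:Widget:1.0:*:*:*:*:*:*:*"))
    print(cpe23_matches("cpe:2.3:a:microsoft:internet_explorer:*:*:*:*:*:*:*:*",
                        "cpe:2.3:a:microsoft:internet_explorer:8.0.6001:beta:*:*:*:*:*:*"))
```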

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:sec:cve

A vulnerability as designated by a Common Vulnerabilities and Exposures (CVE) number.

The base type for the form can be found at it:sec:cve.

An example of it:sec:cve:

  • cve-2012-0158

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :desc | str | Deprecated. Please use risk:vuln:cve:desc. | Deprecated: True |
| :url | inet:url | Deprecated. Please use risk:vuln:cve:url. | Deprecated: True |
| :references | type: inet:url, uniq: True, sorted: True | Deprecated. Please use risk:vuln:cve:references. | Deprecated: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:sec:cwe

NIST NVD Common Weaknesses Enumeration Specification.

The base type for the form can be found at it:sec:cwe.

An example of it:sec:cwe:

  • CWE-120

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :name | str | The CWE name field. | Example: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) |
| :desc | str | The CWE description field. | Display: {'hint': 'text'} |
| :url | inet:url | A URL linking this CWE to a full description. | |
| :parents | uniq: True, sorted: True, split: , | An array of ChildOf CWE Relationships. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:sec:metrics

A node used to track metrics of an organization’s infosec program.

The base type for the form can be found at it:sec:metrics.

Properties:

| name | type | doc |
| --- | --- | --- |
| :org | ou:org | The organization whose security program is being measured. |
| :org:name | ou:name | The organization name. Used for entity resolution. |
| :org:fqdn | inet:fqdn | The organization FQDN. Used for entity resolution. |
| :period | ival | The time period used to compute the metrics. |
| :alerts:meantime:triage | duration | The mean time to triage alerts generated within the time period. |
| :alerts:count | int | The total number of alerts generated within the time period. |
| :alerts:falsepos | int | The number of alerts generated within the time period that were determined to be false positives. |
| :assets:hosts | int | The total number of hosts within scope for the information security program. |
| :assets:users | int | The total number of users within scope for the information security program. |
| :assets:vulns:count | int | The number of asset vulnerabilities being tracked at the end of the time period. |
| :assets:vulns:preexisting | int | The number of asset vulnerabilities being tracked at the beginning of the time period. |
| :assets:vulns:discovered | int | The number of asset vulnerabilities discovered during the time period. |
| :assets:vulns:mitigated | int | The number of asset vulnerabilities mitigated during the time period. |
| :assets:vulns:meantime:mitigate | duration | The mean time to mitigate for vulnerable assets mitigated during the time period. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:sec:stix:bundle

A STIX bundle.

The base type for the form can be found at it:sec:stix:bundle.

Properties:

| name | type | doc |
| --- | --- | --- |
| :id | str | The id field from the STIX bundle. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:sec:stix:indicator

A STIX indicator pattern.

The base type for the form can be found at it:sec:stix:indicator.

Properties:

| name | type | doc |
| --- | --- | --- |
| :id | str | The STIX id field from the indicator pattern. |
| :name | str | The name of the STIX indicator pattern. |
| :pattern | str | The STIX indicator pattern text. |
| :created | time | The time that the indicator pattern was first created. |
| :updated | time | The time that the indicator pattern was last modified. |
| :labels | type: str, uniq: True, sorted: True | The label strings embedded in the STIX indicator pattern. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:sec:vuln:scan

An instance of running a vulnerability scan.

The base type for the form can be found at it:sec:vuln:scan.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :time | time | The time that the scan was started. | |
| :desc | str | Description of the scan and scope. | Display: {'hint': 'text'} |
| :ext:id | str | An externally generated ID for the scan. | |
| :ext:url | inet:url | An external URL which documents the scan. | |
| :software | it:prod:softver | The scanning software used. | |
| :software:name | it:prod:softname | The name of the scanner software. | |
| :operator | ps:contact | Contact information for the scan operator. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

it:sec:vuln:scan:result

A vulnerability scan result for an asset.

The base type for the form can be found at it:sec:vuln:scan:result.

Properties:

| name | type | doc |
| --- | --- | --- |
| :scan | it:sec:vuln:scan | The scan that discovered the vulnerability in the asset. |
| :vuln | risk:vuln | The vulnerability detected in the asset. |
| :asset | ndef | The node which is vulnerable. |
| :desc | str | A description of the vulnerability and how it was detected in the asset. |
| :time | time | The time that the scan result was produced. |
| :ext:id | str | An externally generated ID for the scan result. |
| :ext:url | inet:url | An external URL which documents the scan result. |
| :mitigation | risk:mitigation | The mitigation used to address this asset vulnerability. |
| :mitigated | time | The time that the vulnerability in the asset was mitigated. |
| :priority | meta:priority | The priority of mitigating the vulnerability. |
| :severity | meta:severity | The severity of the vulnerability in the asset. Use “none” for no vulnerability discovered. |
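
Added example (not Synapse code) tying the it:sec:vuln:scan:result properties above to the :assets:vulns:* counters of it:sec:metrics described earlier on this page: it computes the pre-existing, discovered, mitigated and end-of-period counts plus the mean time to mitigate for one period from a constructed set of scan results. The ScanResult class, the sample records, the vuln placeholders and the period boundaries are assumptions of the example.

```python
"""Derive the :assets:vulns:* counters of it:sec:metrics for one period from
it:sec:vuln:scan:result style records.

Added example; not Synapse code. ScanResult is a constructed stand-in that
carries only the :asset, :vuln, :time and :mitigated properties of
it:sec:vuln:scan:result; each record is treated as one asset vulnerability.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ScanResult:
    asset: str                            # :asset  (the vulnerable node)
    vuln: str                             # :vuln   (the risk:vuln detected)
    time: datetime                        # :time   (when the result was produced)
    mitigated: Optional[datetime] = None  # :mitigated, None while still open


def vuln_metrics(results: List[ScanResult], start: datetime, end: datetime) -> Dict[str, object]:
    """Compute the it:sec:metrics vulnerability fields for the period [start, end)."""
    if end <= start:
        raise ValueError("period end must be after period start")

    def open_at(r: ScanResult, when: datetime) -> bool:
        # Tracked (discovered) before `when` and not yet mitigated at `when`.
        return r.time < when and (r.mitigated is None or r.mitigated >= when)

    preexisting = sum(open_at(r, start) for r in results)
    discovered = sum(start <= r.time < end for r in results)
    fixed = [r for r in results if r.mitigated is not None and start <= r.mitigated < end]
    count = sum(open_at(r, end) for r in results)

    # Every mitigation inside the period closes a result that was either
    # pre-existing or discovered in the period, so the book-keeping balances.
    assert count == preexisting + discovered - len(fixed)

    meantime: Optional[timedelta] = None
    if fixed:
        total = sum((r.mitigated - r.time for r in fixed), timedelta())
        meantime = total / len(fixed)

    return {
        ":assets:vulns:preexisting": preexisting,
        ":assets:vulns:discovered": discovered,
        ":assets:vulns:mitigated": len(fixed),
        ":assets:vulns:count": count,
        ":assets:vulns:meantime:mitigate": meantime,
    }


# Constructed sample records; the vuln ids are placeholders, not real CVEs.
SAMPLE_RESULTS = [
    ScanResult("host-a", "vuln-0001", datetime(2024, 1, 10), datetime(2024, 2, 5)),   # pre-existing, fixed in period
    ScanResult("host-b", "vuln-0002", datetime(2024, 1, 15), None),                   # pre-existing, still open
    ScanResult("host-c", "vuln-0003", datetime(2024, 2, 10), datetime(2024, 2, 20)),  # found and fixed in period
    ScanResult("host-d", "vuln-0004", datetime(2024, 2, 25), None),                   # found in period, still open
    ScanResult("host-e", "vuln-0005", datetime(2024, 1, 5), datetime(2024, 1, 20)),   # closed before the period
]
PERIOD_START = datetime(2024, 2, 1)
PERIOD_END = datetime(2024, 3, 1)

if __name__ == "__main__":
    for key, value in vuln_metrics(SAMPLE_RESULTS, PERIOD_START, PERIOD_END).items():
        print(f"{key} = {value}")
```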

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

lang:idiom

Deprecated. Please use lang:translation.

The base type for the form can be found at lang:idiom.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :url | inet:url | Authoritative URL for the idiom. | |
| :desc:en | str | English description. | Display: {'hint': 'text'} |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

lang:language

A specific written or spoken language.

The base type for the form can be found at lang:language.

Properties:

| name | type | doc |
| --- | --- | --- |
| :code | lang:code | The language code for this language. |
| :name | lang:name | The primary name of the language. |
| :names | type: lang:name, sorted: True, uniq: True | An array of alternative names for the language. |
| :skill | ps:skill | The skill used to annotate proficiency in the language. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

lang:name

A name used to refer to a language.

The base type for the form can be found at lang:name.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

lang:trans

Deprecated. Please use lang:translation.

The base type for the form can be found at lang:trans.

Properties:

name | type | doc | opts
:text:en | str | English translation. | Display: {'hint': 'text'}
:desc:en | str | English description. | Display: {'hint': 'text'}

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

lang:translation

A translation of text from one language to another.

The base type for the form can be found at lang:translation.

Properties:

name | type | doc | opts
:input | str | The input text. | Example: hola
:input:lang | lang:code | The input language code. |
:output | str | The output text. | Example: hi
:output:lang | lang:code | The output language code. |
:desc | str | A description of the meaning of the output. | Example: A standard greeting
:engine | it:prod:softver | The translation engine version used. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

mat:item

A GUID assigned to a material object.

The base type for the form can be found at mat:item.

Properties:

name | type | doc
:name | lower: True | The name of the material item.
:type | mat:type | The taxonomy type of the item.
:spec | mat:spec | The specification which defines this item.
:place | geo:place | The most recent place the item is known to reside.
:latlong | geo:latlong | The last known lat/long location of the node.
:loc | loc | The geo-political location string for the node.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

mat:itemimage

The base type for compound node fields.

The base type for the form can be found at mat:itemimage.

Properties:

name | type | doc | opts
:item | mat:item | The item contained within the image file. | Read Only: True
:file | file:bytes | The file containing an image of the item. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

mat:spec

A GUID assigned to a material specification.

The base type for the form can be found at mat:spec.

Properties:

name | type | doc
:name | lower: True | The name of the material specification.
:type | mat:type | The taxonomy type for the specification.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

mat:specimage

The base type for compound node fields.

The base type for the form can be found at mat:specimage.

Properties:

name | type | doc | opts
:spec | mat:spec | The spec contained within the image file. | Read Only: True
:file | file:bytes | The file containing an image of the spec. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

media:news

A GUID for a news article or report.

The base type for the form can be found at media:news.

Properties:

name | type | doc | opts
:url | inet:url | The (optional) URL where the news was published. | Example: http://cnn.com/news/mars-lander.html
:url:fqdn | inet:fqdn | The FQDN within the news URL. | Example: cnn.com
:type | media:news:taxonomy | A taxonomy for the type of reporting or news. |
:file | file:bytes | The (optional) file blob containing or published as the news. |
:title | lower: True | Title/Headline for the news. | Example: mars lander reaches mars; Display: {'hint': 'text'}
:summary | str | A brief summary of the news item. | Example: lorum ipsum; Display: {'hint': 'text'}
:publisher | ou:org | The organization which published the news. |
:publisher:name | ou:name | The name of the publishing org used to publish the news. |
:published | time | The date the news item was published. | Example: 20161201180433
:updated | ismax: True | The last time the news item was updated. | Example: 20161201180433
:org | ou:alias | Deprecated. Please use :publisher:name. | Deprecated: True
:author | ps:name | Deprecated. Please use :authors array of ps:contact nodes. | Deprecated: True
:authors | split: ,; uniq: True; sorted: True | An array of authors of the news item. |
:rss:feed | inet:url | The RSS feed that published the news. |
:ext:id | str | An external identifier specified by the publisher. |
:topics | uniq: True; sorted: True | An array of relevant topics discussed in the report. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

media:news:taxonomy

A taxonomy of types or sources of news.

The base type for the form can be found at media:news:taxonomy.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | media:news:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

media:topic

A topic string.

The base type for the form can be found at media:topic.

Properties:

name | type | doc
:desc | str | A brief description of the topic.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

meta:event

An analytically relevant event in a curated timeline.

The base type for the form can be found at meta:event.

Properties:

name | type | doc | opts
:timeline | meta:timeline | The timeline containing the event. |
:title | str | A title for the event. |
:summary | str | A prose summary of the event. | Display: {'hint': 'text'}
:time | time | The time that the event occurred. |
:duration | duration | The duration of the event. |
:type | meta:event:taxonomy | The type of event. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

meta:event:taxonomy

A taxonomy of event types for meta:event nodes.

The base type for the form can be found at meta:event:taxonomy.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | meta:event:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

meta:note

An analyst note about nodes linked with -(about)> edges.

The base type for the form can be found at meta:note.

Properties:

name | type | doc | opts
:type | meta:note:type:taxonomy | The note type. |
:text | str | The analyst-authored note text. | Display: {'hint': 'text', 'syntax': 'markdown'}
:author | ps:contact | The contact information of the author. |
:creator | syn:user | The Synapse user who authored the note. |
:created | time | The time the note was created. |
:updated | time | The time the note was updated. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.
meta:note | -(about)> | * | The meta:note is about the target node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

meta:note:type:taxonomy

An analyst note type taxonomy.

The base type for the form can be found at meta:note:type:taxonomy.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | meta:note:type:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

meta:rule

A generic rule linked to matches with -(matches)> edges.

The base type for the form can be found at meta:rule.

Properties:

name | type | doc | opts
:name | lower: True; onespace: True | A name for the rule. |
:desc | str | A description of the rule. | Display: {'hint': 'text'}
:text | str | The text of the rule logic. | Display: {'hint': 'text'}
:author | ps:contact | The contact information of the rule author. |
:created | time | The time the rule was initially created. |
:updated | time | The time the rule was most recently modified. |
:url | inet:url | A URL which documents the rule. |
:ext:id | str | An external identifier for the rule. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:ruleset | -(has)> | meta:rule | The meta:ruleset includes the meta:rule.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

meta:ruleset

A set of rules linked with -(has)> edges.

The base type for the form can be found at meta:ruleset.

Properties:

name | type | doc | opts
:name | lower: True; onespace: True | A name for the ruleset. |
:desc | str | A description of the ruleset. | Display: {'hint': 'text'}
:author | ps:contact | The contact information of the ruleset author. |
:created | time | The time the ruleset was initially created. |
:updated | time | The time the ruleset was most recently modified. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.
meta:ruleset | -(has)> | meta:rule | The meta:ruleset includes the meta:rule.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

meta:seen

Annotates that the data in a node was obtained from or observed by a given source.

The base type for the form can be found at meta:seen.

Properties:

name | type | doc | opts
:source | meta:source | The source which observed or provided the node. | Read Only: True
:node | ndef | The node which was observed by or received from the source. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

meta:source

A data source unique identifier.

The base type for the form can be found at meta:source.

Properties:

name | type | doc
:name | lower: True | A human-friendly name for the source.
:type | lower: True | An optional type field used to group sources.
:url | inet:url | A URL which documents the meta source.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.
meta:source | -(seen)> | * | The meta:source observed the target node.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

meta:timeline

A curated timeline of analytically relevant events.

The base type for the form can be found at meta:timeline.

Properties:

name | type | doc | opts
:title | str | A title for the timeline. | Example: The history of the Vertex Project
:summary | str | A prose summary of the timeline. | Display: {'hint': 'text'}
:type | meta:timeline:taxonomy | The type of timeline. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

meta:timeline:taxonomy

A taxonomy of timeline types for meta:timeline nodes.

The base type for the form can be found at meta:timeline:taxonomy.

Properties:

name | type | doc | opts
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | meta:timeline:taxonomy | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

ou:attendee

A node representing a person attending a meeting, conference, or event.

The base type for the form can be found at ou:attendee.

Properties:

| name | type | doc |
|------|------|-----|
| :person | ps:contact | The contact information for the person who attended the event. |
| :arrived | time | The time when the person arrived. |
| :departed | time | The time when the person departed. |
| :roles | type: ou:role; split: ,; uniq: True; sorted: True | List of the roles the person had at the event. |
| :meet | ou:meet | The meeting that the person attended. |
| :conference | ou:conference | The conference that the person attended. |
| :conference:event | ou:conference:event | The conference event that the person attended. |
| :contest | ou:contest | The contest that the person attended. |
| :preso | ou:preso | The presentation that the person attended. |

Source Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

ou:award

An award issued by an organization.

The base type for the form can be found at ou:award.

Properties:

| name | type | doc | opts |
|------|------|-----|------|
| :name | lower: True; onespace: True | The name of the award. | Example: Bachelors of Science |
| :type | lower: True; onespace: True | The type of award. | Example: certification |
| :org | ou:org | The organization which issues the award. | |

Source Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

ou:campaign

Represents an org’s activity in pursuit of a goal.

The base type for the form can be found at ou:campaign.

Properties:

| name | type | doc | opts |
|------|------|-----|------|
| :org | ou:org | The org carrying out the campaign. | |
| :org:name | ou:name | The name of the org responsible for the campaign. Used for entity resolution. | |
| :org:fqdn | inet:fqdn | The FQDN of the org responsible for the campaign. Used for entity resolution. | |
| :goal | ou:goal | The assessed primary goal of the campaign. | |
| :actors | split: ,; uniq: True; sorted: True | Actors who participated in the campaign. | |
| :goals | type: ou:goal; split: ,; uniq: True; sorted: True | Additional assessed goals of the campaign. | |
| :success | bool | Records the success/failure status of the campaign if known. | |
| :name | ou:campname | A terse name of the campaign. | Example: operation overlord |
| :names | sorted: True; uniq: True | An array of alternate names for the campaign. | |
| :reporter | ou:org | The organization reporting on the campaign. | |
| :reporter:name | ou:name | The name of the organization reporting on the campaign. | |
| :type | str | Deprecated. Use the :camptype taxonomy. | Deprecated: True |
| :sophistication | meta:sophistication | The assessed sophistication of the campaign. | |
| :timeline | meta:timeline | A timeline of significant events related to the campaign. | |
| :camptype | ou:camptype | The campaign type taxonomy. | Display: {'hint': 'taxonomy'} |
| :desc | str | A description of the campaign. | Display: {'hint': 'text'} |
| :period | ival | The time interval when the organization was running the campaign. | |
| :cost | econ:price | The actual cost to the organization. | |
| :budget | econ:price | The budget allocated by the organization to execute the campaign. | |
| :currency | econ:currency | The currency used to record econ:price properties. | |
| :goal:revenue | econ:price | A goal for revenue resulting from the campaign. | |
| :result:revenue | econ:price | The revenue resulting from the campaign. | |
| :goal:pop | int | A goal for the number of people affected by the campaign. | |
| :result:pop | int | The count of people affected by the campaign. | |
| :team | ou:team | The org team responsible for carrying out the campaign. | |
| :conflict | ou:conflict | The conflict in which this campaign is a primary participant. | |
| :techniques | sorted: True; uniq: True | Deprecated for scalability. Please use -(uses)> ou:technique. | Deprecated: True |
| :tag | syn:tag | The tag used to annotate nodes that are associated with the campaign. | |
| :mitre:attack:campaign | it:mitre:attack:campaign | A mapping to a MITRE ATT&CK campaign if applicable. | |

Source Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | ou:technique | The campaign used the technique. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |

Target Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

ou:campname

A campaign name.

The base type for the form can be found at ou:campname.

Source Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

ou:camptype

A campaign type taxonomy.

The base type for the form can be found at ou:camptype.

Properties:

| name | type | doc | opts |
|------|------|-----|------|
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | ou:camptype | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

ou:conference

A conference with a name and sponsoring org.

The base type for the form can be found at ou:conference.

Properties:

| name | type | doc | opts |
|------|------|-----|------|
| :org | ou:org | The org which created/managed the conference. | |
| :organizer | ps:contact | Contact information for the primary organizer of the conference. | |
| :sponsors | uniq: True; sorted: True | An array of contacts which sponsored the conference. | |
| :name | lower: True | The full name of the conference. | Example: defcon 2017 |
| :desc | lower: True | A description of the conference. | Example: annual cybersecurity conference; Display: {'hint': 'text'} |
| :base | lower: True; strip: True | The base name which is shared by all conference instances. | Example: defcon |
| :start | time | The conference start date / time. | |
| :end | time | The conference end date / time. | |
| :place | geo:place | The geo:place node where the conference was held. | |
| :url | inet:url | The inet:url node for the conference website. | |

Source Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

ou:conference:attendee

Deprecated. Please use ou:attendee.

The base type for the form can be found at ou:conference:attendee.

Properties:

| name | type | doc | opts |
|------|------|-----|------|
| :conference | ou:conference | The conference which was attended. | Read Only: True |
| :person | ps:person | The person who attended the conference. | Read Only: True |
| :arrived | time | The time when a person arrived at the conference. | |
| :departed | time | The time when a person departed from the conference. | |
| :role:staff | bool | The person worked as staff at the conference. | |
| :role:speaker | bool | The person was a speaker or presenter at the conference. | |
| :roles | type: str; uniq: True; sorted: True | List of the roles the person had at the conference. | |

Source Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

ou:conference:event

A conference event with a name and associated conference.

The base type for the form can be found at ou:conference:event.

Properties:

| name | type | doc | opts |
|------|------|-----|------|
| :conference | ou:conference | The conference to which the event is associated. | Read Only: True |
| :organizer | ps:contact | Contact information for the primary organizer of the event. | |
| :sponsors | uniq: True; sorted: True | An array of contacts which sponsored the event. | |
| :place | geo:place | The geo:place where the event occurred. | |
| :name | lower: True | The name of the conference event. | Example: foobar conference dinner |
| :desc | lower: True | A description of the conference event. | Example: foobar conference networking dinner at ridge hotel; Display: {'hint': 'text'} |
| :url | inet:url | The inet:url node for the conference event website. | |
| :contact | ps:contact | Contact info for the event. | |
| :start | time | The event start date / time. | |
| :end | time | The event end date / time. | |

Source Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

ou:conference:event:attendee

Deprecated. Please use ou:attendee.

The base type for the form can be found at ou:conference:event:attendee.

Properties:

| name | type | doc | opts |
|------|------|-----|------|
| :event | ou:conference:event | The conference event which was attended. | Read Only: True |
| :person | ps:person | The person who attended the conference event. | Read Only: True |
| :arrived | time | The time when a person arrived at the conference event. | |
| :departed | time | The time when a person departed from the conference event. | |
| :roles | type: str; uniq: True; sorted: True | List of the roles the person had at the conference event. | |

Source Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|--------|------|--------|-----|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

ou:conflict

Represents a conflict where two or more campaigns have mutually exclusive goals.

The base type for the form can be found at ou:conflict.

Properties:

name

type

doc

:name

onespace: True

The name of the conflict.

:started

time

The time the conflict began.

:ended

time

The time the conflict ended.

:timeline

meta:timeline

A timeline of significant events related to the conflict.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:contest

A competitive event resulting in a ranked set of participants.

The base type for the form can be found at ou:contest.

Properties:

name

type

doc

opts

:name

lower: True
onespace: True

The name of the contest.

Example: defcon ctf 2020

:type

lower: True
onespace: True

The type of contest.

Example: cyber ctf

:family

lower: True
onespace: True

A name for a series of recurring contests.

Example: defcon ctf

:desc

lower: True

A description of the contest.

Example: the capture-the-flag event hosted at defcon 2020
Display: {'hint': 'text'}

:url

inet:url

The contest website URL.

:start

time

The contest start date / time.

:end

time

The contest end date / time.

:loc

loc

The geopolitical affiliation of the contest.

:place

geo:place

The geo:place where the contest was held.

:latlong

geo:latlong

The latlong where the contest was held.

:conference

ou:conference

The conference that the contest is associated with.

:contests

split: ,
uniq: True
sorted: True

An array of sub-contests that contributed to the rankings.

:sponsors

split: ,
uniq: True
sorted: True

Contact information for contest sponsors.

:organizers

split: ,
uniq: True
sorted: True

Contact information for contest organizers.

:participants

split: ,
uniq: True
sorted: True

Contact information for contest participants.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:contest:result

The results from a single contest participant.

The base type for the form can be found at ou:contest:result.

Properties:

name

type

doc

opts

:contest

ou:contest

The contest.

Read Only: True

:participant

ps:contact

The participant.

Read Only: True

:rank

int

The rank order of the participant.

:score

int

The score of the participant.

:url

inet:url

The contest result website URL.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:contract

A contract between multiple entities.

The base type for the form can be found at ou:contract.

Properties:

name

type

doc

opts

:title

str

A terse title for the contract.

:type

ou:conttype

The type of contract.

:sponsor

ps:contact

The contract sponsor.

:parties

uniq: True
sorted: True

The non-sponsor entities bound by the contract.

:document

file:bytes

The best/current contract document.

:signed

time

The date that the contract signing was complete.

:begins

time

The date that the contract goes into effect.

:expires

time

The date that the contract expires.

:completed

time

The date that the contract was completed.

:terminated

time

The date that the contract was terminated.

:award:price

econ:price

The value of the contract at time of award.

:budget:price

econ:price

The amount of money budgeted for the contract.

:currency

econ:currency

The currency of the econ:price values.

:purchase

econ:purchase

Purchase details of the contract.

:requirements

type: ou:goal
uniq: True
sorted: True

The requirements levied upon the parties.

:types

split: ,
uniq: True
sorted: True

A list of types that apply to the contract.

Deprecated: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:contribution

Represents a specific instance of contributing material support to a campaign.

The base type for the form can be found at ou:contribution.

Properties:

name

type

doc

:from

ps:contact

The contact information of the contributor.

:campaign

ou:campaign

The campaign receiving the contribution.

:value

econ:price

The assessed value of the contribution.

:currency

econ:currency

The currency used for the assessed value.

:time

time

The time the contribution occurred.

:material:spec

mat:spec

The specification of material items contributed.

:material:count

int

The number of material items contributed.

:monetary:payment

econ:acct:payment

Payment details for a monetary contribution.

:personnel:count

int

Number of personnel contributed to the campaign.

:personnel:jobtitle

ou:jobtitle

Title or designation for the contributed personnel.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:conttype

A contract type taxonomy.

The base type for the form can be found at ou:conttype.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

ou:conttype

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:employment

An employment type taxonomy.

The base type for the form can be found at ou:employment.

An example of ou:employment:

  • fulltime.salary

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

ou:employment

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:goal

An assessed or stated goal, which may be abstract or org-specific.

The base type for the form can be found at ou:goal.

Properties:

name

type

doc

opts

:name

ou:goalname

A terse name for the goal.

:names

sorted: True
uniq: True

An array of alternate names for the goal. Used to merge/resolve goals.

:type

ou:goal:type:taxonomy

A type taxonomy entry for the goal.

:desc

str

A description of the goal.

Display: {'hint': 'text'}

:prev

ou:goal

Deprecated. Please use ou:goal:type taxonomy.

Deprecated: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:goal:type:taxonomy

A taxonomy of goal types.

The base type for the form can be found at ou:goal:type:taxonomy.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

ou:goal:type:taxonomy

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:goalname

A goal name.

The base type for the form can be found at ou:goalname.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

ou:hasalias

The knowledge that an organization has an alias.

The base type for the form can be found at ou:hasalias.

Properties:

name | type | doc | opts
:org | ou:org | The org guid which has the alias. | Read Only: True
:alias | ou:alias | Alias for the organization. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

ou:hasgoal

Deprecated. Please use ou:org:goals.

The base type for the form can be found at ou:hasgoal.

Properties:

name | type | doc | opts
:org | ou:org | The org which has the goal. | Read Only: True
:goal | ou:goal | The goal which the org has. | Read Only: True
:stated | bool | Set to true/false if the goal is known to be self stated. |
:window | ival | Set if a goal has a limited time window. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

ou:id:number

A unique id number issued by a specific organization.

The base type for the form can be found at ou:id:number.

Properties:

name | type | doc | opts
:type | ou:id:type | The type of org id. | Read Only: True
:value | ou:id:value | The value of org id. | Read Only: True
:status | lower: True; strip: True | A freeform status such as valid, suspended, expired. |
:issued | time | The time at which the org issued the ID number. |
:expires | time | The time at which the ID number expires. |
:issuer | ps:contact | The contact information of the office which issued the ID number. |

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

ou:id:type

A type of id number issued by an org.

The base type for the form can be found at ou:id:type.

Properties:

name | type | doc
:org | ou:org | The org which issues id numbers of this type.
:name | str | The friendly name of the id number type.
:url | inet:url | The official URL of the issuer.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

ou:id:update

A status update to an org:id:number.

The base type for the form can be found at ou:id:update.

Properties:

name | type | doc
:number | ou:id:number | The id number that was updated.
:status | strip: True; lower: True | The updated status of the id number.
:time | time | The date/time that the id number was updated.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

ou:industry

An industry classification type.

The base type for the form can be found at ou:industry.

Properties:

name | type | doc | opts
:name | ou:industryname | The name of the industry. |
:type | ou:industry:type:taxonomy | A taxonomy entry for the industry. |
:names | uniq: True; sorted: True | An array of alternative names for the industry. |
:subs | split: ,; uniq: True; sorted: True | Deprecated. Please use ou:industry:type taxonomy. | Deprecated: True
:sic | type: ou:sic; split: ,; uniq: True; sorted: True | An array of SIC codes that map to the industry. |
:naics | type: ou:naics; split: ,; uniq: True; sorted: True | An array of NAICS codes that map to the industry. |
:isic | type: ou:isic; split: ,; uniq: True; sorted: True | An array of ISIC codes that map to the industry. |
:desc | str | A description of the industry. | Display: {'hint': 'text'}

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | ou:industry | The attack targeted the industry.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | ou:industry | The threat cluster targets the industry.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

ou:industryname

The name of an industry.

The base type for the form can be found at ou:industryname.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

ou:jobtitle

A title for a position within an org.

The base type for the form can be found at ou:jobtitle.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

ou:jobtype

A taxonomy of job types.

The base type for the form can be found at ou:jobtype.

An example of ou:jobtype:

  • it.dev.python

Properties:

name | type | doc | opts
:title | str | A brief title of the definition. |
:summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'}
:desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'}
:sort | int | A display sort order for siblings. |
:base | taxon | The base taxon. | Read Only: True
:depth | int | The depth indexed from 0. | Read Only: True
:parent | ou:jobtype | The taxonomy parent. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

ou:meet

An informal meeting of people which has no title or sponsor. See also: ou:conference.

The base type for the form can be found at ou:meet.

Properties:

name

type

doc

:name

lower: True

A human friendly name for the meeting.

:start

time

The date / time the meet starts.

:end

time

The date / time the meet ends.

:place

geo:place

The geo:place node where the meet was held.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:meet:attendee

Deprecated. Please use ou:attendee.

The base type for the form can be found at ou:meet:attendee.

Properties:

name

type

doc

opts

:meet

ou:meet

The meeting which was attended.

Read Only: True

:person

ps:person

The person who attended the meeting.

Read Only: True

:arrived

time

The time when a person arrived at the meeting.

:departed

time

The time when a person departed from the meeting.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:member

Deprecated. Please use ou:position.

The base type for the form can be found at ou:member.

Properties:

name

type

doc

opts

:org

ou:org

The GUID of the org the person is a member of.

Read Only: True

:person

ps:person

The GUID of the person that is a member of an org.

Read Only: True

:title

lower: True
strip: True

The person's normalized title.

:start

ismin: True

Earliest known association of the person with the org.

:end

ismax: True

Most recent known association of the person with the org.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:name

The name of an organization. This may be a formal name or informal name of the organization.

The base type for the form can be found at ou:name.

An example of ou:name:

  • acme corporation

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:opening

A job/work opening within an org.

The base type for the form can be found at ou:opening.

Properties:

name

type

doc

:org

ou:org

The org which has the opening.

:orgname

ou:name

The name of the organization as listed in the opening.

:orgfqdn

inet:fqdn

The FQDN of the organization as listed in the opening.

:posted

time

The date/time that the job opening was posted.

:removed

time

The date/time that the job opening was removed.

:postings

type: inet:url
uniq: True
sorted: True

URLs where the opening is listed.

:contact

ps:contact

The contact details to inquire about the opening.

:loc

loc

The geopolitical boundary of the opening.

:jobtype

ou:jobtype

The job type taxonomy.

:employment

ou:employment

The type of employment.

:jobtitle

ou:jobtitle

The title of the opening.

:remote

bool

Set to true if the opening will allow a fully remote worker.

:yearlypay

econ:price

The yearly income associated with the opening.

:paycurrency

econ:currency

The currency that the yearly pay was delivered in.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:org

A GUID for a human organization such as a company or military unit.

The base type for the form can be found at ou:org.

Properties:

name

type

doc

opts

:loc

loc

Location for an organization.

:name

ou:name

The localized name of an organization.

:type

lower: True
strip: True

The type of organization.

Deprecated: True

:orgtype

ou:orgtype

The type of organization.

Display: {'hint': 'taxonomy'}

:vitals

ou:vitals

The most recent/accurate ou:vitals for the org.

:desc

str

A description of the org.

Display: {'hint': 'text'}

:logo

file:bytes

An image file representing the logo for the organization.

:names

type: ou:name
uniq: True
sorted: True

A list of alternate names for the organization.

:alias

ou:alias

The default alias for an organization.

:phone

tel:phone

The primary phone number for the organization.

:sic

ou:sic

The Standard Industrial Classification code for the organization.

Deprecated: True

:naics

ou:naics

The North American Industry Classification System code for the organization.

Deprecated: True

:industries

uniq: True
sorted: True

The industries associated with the org.

:us:cage

gov:us:cage

The Commercial and Government Entity (CAGE) code for the organization.

:founded

time

The date on which the org was founded.

:dissolved

time

The date on which the org was dissolved.

:url

inet:url

The primary url for the organization.

:subs

type: ou:org
uniq: True
sorted: True

A set of sub-organizations.

:orgchart

ou:position

The root node for an orgchart made up of ou:position nodes.

:hq

ps:contact

A collection of contact information for the “main office” of an org.

:locations

uniq: True
sorted: True

An array of contacts for facilities operated by the org.

:country

pol:country

The organization’s country of origin.

:country:code

pol:iso2

The two-letter ISO 3166 alpha-2 country code for the organization’s country of origin.

:dns:mx

type: inet:fqdn
uniq: True
sorted: True

An array of MX domains used by email addresses issued by the org.

:techniques

sorted: True
uniq: True

Deprecated for scalability. Please use -(uses)> ou:technique.

Deprecated: True

:goals

type: ou:goal
sorted: True
uniq: True

The assessed goals of the organization.

:tag

syn:tag

A base tag used to encode assessments made by the organization.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

ou:technique

The org uses the technique.

ou:org

-(uses)>

*

The ou:org makes use of the target node.
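
An added Storm example (not part of the Synapse data model docs) showing how the ou:org properties above and the -(uses)> ou:technique edge that replaces the deprecated :techniques array are written and then queried. The org name, alternate names, domains, taxonomy value, technique name and guid seeds are all constructed for illustration; $lib.guid() called with arguments derives a deterministic guid, so the script can be re-run without creating duplicate nodes.

```storm
// Added example: constructed org and technique; the seeds make the guids deterministic.
$org  = $lib.guid("example", "org", "acme")
$tech = $lib.guid("example", "technique", "spearphishing")

// Create both nodes in one edit block so only these two nodes enter the pipeline.
// :names and :dns:mx are array properties, so their values are written as tuples.
[ (ou:technique=$tech :name="spearphishing")
  (ou:org=$org
      :name="acme corporation"
      :names=("acme corp", "acme")
      :orgtype="commercial.technology"
      :url="https://acme.example"
      :dns:mx=("mx1.acme.example", "mx2.acme.example")
      :country:code="us") ]

// Keep only the org, then record the technique with a light edge
// instead of the deprecated :techniques array property.
+ou:org
[ +(uses)> { ou:technique=$tech } ]

// Walk the edge outward: every technique the org is assessed to use.
-(uses)> ou:technique
```

The array and taxonomy properties are what make the org findable later: ou:org:names*[="acme corp"] lifts it by any alternate name, and ou:org:orgtype^=commercial lifts every org under that branch of the taxonomy. The reverse walk, ou:technique:name=spearphishing <(uses)- ou:org, lists every org recorded as using the technique, which is the query the edge form scales for and the array form did not.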

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:org:has

An org owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.

The base type for the form can be found at ou:org:has.

Properties:

name

type

doc

opts

:org

ou:org

The org who owns or controls the object or resource.

Read Only: True

:node

ndef

The object or resource that is owned or controlled by the org.

Read Only: True

:node:form

str

The form of the object or resource that is owned or controlled by the org.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:orgnet4

An organization’s IPv4 netblock.

The base type for the form can be found at ou:orgnet4.

Properties:

name

type

doc

opts

:org

ou:org

The org guid which owns the netblock.

Read Only: True

:net

inet:net4

Netblock owned by the organization.

Read Only: True

:name

lower: True
strip: True

The name that the organization assigns to this netblock.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:orgnet6

An organization’s IPv6 netblock.

The base type for the form can be found at ou:orgnet6.

Properties:

name

type

doc

opts

:org

ou:org

The org guid which owns the netblock.

Read Only: True

:net

inet:net6

Netblock owned by the organization.

Read Only: True

:name

lower: True
strip: True

The name that the organization assigns to this netblock.
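
An added Storm example (not from the Synapse docs) for ou:orgnet4 and ou:orgnet6. Both are comp types whose primary value is the (org, net) pair, so a netblock node is created from a two-element tuple rather than by setting properties; :org and :net are then derived from that value and read only, as the tables above state. The org, CIDR blocks and netblock names are constructed.

```storm
// Added example: constructed org and netblocks; the seed makes the org guid deterministic.
$org = $lib.guid("example", "org", "acme")

// The primary value of ou:orgnet4 / ou:orgnet6 is the (org, net) pair;
// :org and :net are filled in from it and cannot be set on their own.
[ (ou:org=$org :name="acme corporation")
  (ou:orgnet4=($org, "192.0.2.0/24") :name="corp edge v4")
  (ou:orgnet6=($org, "2001:db8::/32") :name="corp edge v6") ]

// From the org, pivot to every IPv4 netblock recorded as owned by it
// (the pivot follows ou:orgnet4:org, which is typed ou:org).
+ou:org -> ou:orgnet4
```

Replace ou:orgnet4 with ou:orgnet6 in the final pivot to list the IPv6 blocks. Because the org is part of the primary value, the same CIDR recorded against two orgs produces two distinct nodes, which is how a transfer or a conflicting registration is represented without overwriting either claim.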

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:orgtype

An org type taxonomy.

The base type for the form can be found at ou:orgtype.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

ou:orgtype

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:position

A position within an org. May be organized into an org chart.

The base type for the form can be found at ou:position.

Properties:

name

type

doc

:org

ou:org

The org which has the position.

:team

ou:team

The team that the position is a member of.

:contact

ps:contact

The contact info for the person who holds the position.

:title

lower: True
onespace: True

The title of the position.

:reports

uniq: True
sorted: True

An array of positions which report to this position.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.
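The :reports array above is how ou:position models an org chart: each position lists the positions that report to it, and :contact ties a position to the person who holds it. The following Storm query is an added example, not part of the Synapse documentation or the Synapse code base; the org, titles, contact and reporting lines are constructed for illustration.

```storm
// Added example in Storm, not from the Synapse docs. The org, titles,
// contact and reporting lines are constructed for illustration.
$org  = $lib.guid()
$ciso = $lib.guid()
$soc  = $lib.guid()
$ir   = $lib.guid()
$who  = $lib.guid()

[ ou:org=$org :name="example corp" ]
[ ps:contact=$who :name="alice example" :email="alice@example.com" :orgname="example corp" ]

// Create the subordinate positions first, then the position they report to.
// :title is normalized (lowercased, runs of whitespace collapsed to one
// space), so the mixed-case, double-spaced titles below are stored in
// normalized form. :reports is a uniq, sorted array of ou:position guids.
[ ou:position=$soc :org=$org :title="SOC Manager" ]
[ ou:position=$ir  :org=$org :title="Incident   Response Lead" ]
[ ou:position=$ciso
    :org=$org
    :title="Chief Information Security Officer"
    :contact=$who
    :reports=($soc, $ir)
]

| spin |

// One level down the org chart: pivot from the :reports array to the
// ou:position nodes it lists.
ou:position:title="chief information security officer" :reports -> ou:position

| spin |

// The reverse direction for a person: every position whose :contact is
// this contact node.
ps:contact:email="alice@example.com" -> ou:position:contact
```

Because :reports is a property on the manager's position rather than on the subordinate, walking up the chart is a reverse pivot (`-> ou:position:reports` from a position node) while walking down is the prop pivot shown above.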

ou:preso

A webinar, conference talk, or other type of presentation.

The base type for the form can be found at ou:preso.

Properties:

name

type

doc

opts

:organizer

ps:contact

Contact information for the primary organizer of the presentation.

:sponsors

uniq: True
sorted: True

A set of contacts which sponsored the presentation.

:presenters

uniq: True
sorted: True

A set of contacts which gave the presentation.

:title

lower: True

The full name of the presentation.

Example: Synapse 101 - 2021/06/22

:desc

lower: True

A description of the presentation.

Display: {'hint': 'text'}

:time

time

The scheduled presentation start time.

:duration

duration

The scheduled duration of the presentation.

:loc

loc

The geopolitical location string for where the presentation was given.

:place

geo:place

The geo:place node where the presentation was held.

:deck:url

inet:url

The URL hosting a copy of the presentation materials.

:deck:file

file:bytes

A file containing the presentation materials.

:attendee:url

inet:url

The URL visited by live attendees of the presentation.

:recording:url

inet:url

The URL hosting a recording of the presentation.

:recording:file

file:bytes

A file containing a recording of the presentation.

:conference

ou:conference

The conference which hosted the presentation.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:requirement

A specific requirement.

The base type for the form can be found at ou:requirement.

Properties:

name

type

doc

opts

:name

lower: True
onespace: True

A name for the requirement.

:text

str

The text of the stated requirement.

Display: {'hint': 'text'}

:optional

bool

Set to true if the requirement is optional.

:priority

meta:priority

The priority of the requirement.

:goal

ou:goal

The goal that the requirement is designed to achieve.

:active

bool

Set to true if the requirement is currently active.

:issued

time

The time that the requirement was first issued.

:period

ival

The time window in which the requirement must be met. Can be ongoing.

:issuer

ps:contact

The contact information of the entity which issued the requirement.

:assignee

ps:contact

The contact information of the entity which is assigned to meet the requirement.

:deps

sorted: True
uniq: True

A list of sub-requirements which must be met to complete the requirement.

:deps:min

min: 0

The minimum number of dependent requirements which must be met. If unset, all dependencies must be met.

Source Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.
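The combination of :deps and :deps:min lets a requirement be satisfied by any one of several alternatives, and the -(meets)> edge (a source edge available on every form) records which node actually satisfies a requirement. The Storm below is an added example, not part of the Synapse documentation or code base. The requirement names and text, the issuer contact and the mitigation are constructed; the meta:priority enum name "high" is assumed.

```storm
// Added example in Storm, not from the Synapse docs. Requirement names,
// text, the issuer and the mitigation are constructed; the meta:priority
// value "high" is an assumed enum name.
$issuer = $lib.guid()
[ ps:contact=$issuer :name="example security office" ]

// Two alternative sub-requirements. The second is a stronger, optional form.
$mfa  = $lib.guid()
$fido = $lib.guid()
[ ou:requirement=$mfa
    :name="mfa on admin accounts"
    :text="All administrative accounts authenticate with a second factor."
    :optional=false
    :issuer=$issuer
]
[ ou:requirement=$fido
    :name="phishing-resistant mfa on admin accounts"
    :text="Administrative accounts authenticate with FIDO2 authenticators."
    :optional=true
    :issuer=$issuer
]

// The parent requirement is satisfied when at least one dependency is met
// (:deps:min=1). :period is an ival; "?" as the upper bound marks it ongoing.
$top = $lib.guid()
[ ou:requirement=$top
    :name="strong administrative authentication"
    :text="Administrative access is protected by multi-factor authentication."
    :priority=high
    :issuer=$issuer
    :issued="2024-01-15"
    :period=("2024-01-15", "?")
    :active=true
    :deps=($mfa, $fido)
    :deps:min=1
]

// Record the control that meets the first sub-requirement. Any form may
// carry a -(meets)> edge to an ou:requirement.
[ risk:mitigation=* :name="enforce mfa on privileged idp roles" ]
[ +(meets)> { ou:requirement=$mfa } ]

| spin |

// From the top-level requirement, through its dependencies, to whatever
// has been recorded as meeting them.
ou:requirement=$top :deps -> ou:requirement <(meets)- *
```

With :deps:min left unset the model's stated default applies and every dependency must be met; setting it explicitly, as above, is what makes the "either control is acceptable" case unambiguous to later analysts.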

ou:suborg

Any parent/child relationship between two orgs. May represent ownership, organizational structure, etc.

The base type for the form can be found at ou:suborg.

Properties:

name

type

doc

opts

:org

ou:org

The org which owns the sub organization.

Read Only: True

:sub

ou:org

The sub org which is owned by the org.

Read Only: True

:perc

min: 0
max: 100

The optional percentage of the sub org which is owned by the org.

:founded

time

The date on which the suborg relationship was founded.

:dissolved

time

The date on which the suborg relationship was dissolved.

:current

bool

Bool indicating if the suborg relationship is still current.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.
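ou:suborg is keyed on the (org, sub) pair, which is why :org and :sub are read-only: they are derived from the primary property. The :perc, :founded, :dissolved and :current properties then describe the relationship over time. The Storm below is an added example, not part of the Synapse documentation or code base; the orgs, percentages and dates are constructed.

```storm
// Added example in Storm, not from the Synapse docs. Org names, ownership
// percentages and dates are constructed for illustration.
$parent = $lib.guid()
$sub    = $lib.guid()
$former = $lib.guid()
[ ou:org=$parent :name="example holdings" ]
[ ou:org=$sub    :name="example cloud services" ]
[ ou:org=$former :name="divested payments unit" ]

// The primary property is the (org, sub) comp; :org and :sub are filled in
// from it and cannot be set directly.
[ ou:suborg=($parent, $sub)
    :perc=100
    :founded="2019-03-01"
    :current=true
]
[ ou:suborg=($parent, $former)
    :perc=60
    :founded="2015-06-01"
    :dissolved="2022-09-30"
    :current=false
]

| spin |

// Current, majority-owned subsidiaries of the parent: pivot to the
// ou:suborg nodes whose :org is the parent, filter, then pivot to the sub.
ou:org=$parent -> ou:suborg:org +:current=true +:perc>=50 :sub -> ou:org

| spin |

// The other direction: who owns, or has owned, a given org.
ou:org=$former -> ou:suborg:sub :org -> ou:org
```

Keeping dissolved relationships with :current=false rather than deleting them preserves the history an analyst needs when an indicator ties back to an org that was a subsidiary at the time of an event but is not one today.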

ou:team

A GUID for a team within an organization.

The base type for the form can be found at ou:team.

Properties:

name

type

doc

:org

ou:org

The org the team belongs to.

:name

ou:name

The name of the team.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:technique

A specific technique used to achieve a goal.

The base type for the form can be found at ou:technique.

Properties:

name

type

doc

opts

:name

lower: True
onespace: True

The normalized name of the technique.

:type

ou:technique:taxonomy

The taxonomy classification of the technique.

:sophistication

meta:sophistication

The assessed sophistication of the technique.

:desc

str

A description of the technique.

Display: {'hint': 'text'}

:tag

syn:tag

The tag used to annotate nodes where the technique was employed.

:mitre:attack:technique

it:mitre:attack:technique

A mapping to a MITRE ATT&CK technique if applicable.

:reporter

ou:org

The organization reporting on the technique.

:reporter:name

ou:name

The name of the organization reporting on the technique.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

it:prod:soft

-(uses)>

ou:technique

The software uses the technique.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

ou:technique

The campaign used the technique.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

ou:technique

The org uses the technique.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

ou:technique

The attacker used the technique in the attack.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:compromise

-(uses)>

ou:technique

The attacker used the technique in the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:extortion

-(uses)>

ou:technique

The attacker used the technique to extort the victim.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:mitigation

-(addresses)>

ou:technique

The mitigation addresses the technique.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

ou:technique

The threat cluster uses the technique.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

ou:technique

The tool uses the technique.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:technique:taxonomy

An analyst defined taxonomy to classify techniques in different disciplines.

The base type for the form can be found at ou:technique:taxonomy.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

ou:technique:taxonomy

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.
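The ou:technique form above ties an analyst-defined technique to an ATT&CK ID, to a syn:tag used to mark where it was observed, and, through the -(uses)> and -(addresses)> edges, to the threat clusters, tools and mitigations around it; the ou:technique:taxonomy form gives the :type value its hierarchy with the derived :base, :depth and :parent properties. The Storm below is an added example covering both forms, not part of the Synapse documentation or code base. The technique name, taxonomy value, tag, threat cluster, mitigation and process command line are constructed; T1003.001 is the real ATT&CK ID for OS Credential Dumping: LSASS Memory; the meta:sophistication enum name "medium" is assumed.

```storm
// Added example in Storm, not from the Synapse docs. Technique name,
// taxonomy value, tag, threat cluster, mitigation and process command are
// constructed; T1003.001 is a real ATT&CK ID; "medium" is an assumed
// meta:sophistication enum name.
$tag  = cno.ttp.cred.lsass
$tech = $lib.guid()

[ ou:technique=$tech
    :name="credential dumping via lsass memory"
    :type=cyber.credential_access.os_credential_dumping
    :sophistication=medium
    :desc="Reading LSASS process memory to recover cached credentials."
    :tag=$tag
    :mitre:attack:technique=T1003.001
    :reporter:name="example threat intel team"
]

// Who uses the technique and what addresses it, using the edges listed
// in the ou:technique target-edge table.
[ risk:threat=* :name="example cluster 7" ]
[ +(uses)> { ou:technique=$tech } ]

[ risk:mitigation=* :name="lsa protection (runasppl)" ]
[ +(addresses)> { ou:technique=$tech } ]

// An observed process annotated with the technique's tag, which is how
// :tag is meant to be used.
[ it:exec:proc=* :cmd="procdump.exe -ma lsass.exe out.dmp" +#$tag ]

| spin |

// From an ATT&CK ID to every node recorded as using the technique.
ou:technique:mitre:attack:technique=T1003.001 <(uses)- *

| spin |

// Up the taxonomy: the :type value resolves to an ou:technique:taxonomy
// node; :parent is derived and read-only, so walking it needs no edges.
ou:technique=$tech :type -> ou:technique:taxonomy :parent -> ou:technique:taxonomy

| spin |

// Every node tagged as exhibiting the technique.
#$tag
```

Pivoting from the technique to the mitigations that address it is the mirror of the first query (`ou:technique=$tech <(addresses)- risk:mitigation`), which is the join a detection engineer wants when an ATT&CK ID shows up in an alert.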

ou:user

A user name within an organization.

The base type for the form can be found at ou:user.

Properties:

name

type

doc

opts

:org

ou:org

The org guid the user name belongs to.

Read Only: True

:user

inet:user

The username associated with the organization.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ou:vitals

Vital statistics about an org for a given time period.

The base type for the form can be found at ou:vitals.

Properties:

name

type

doc

:asof

time

The time that the vitals represent.

:org

ou:org

The resolved org.

:orgname

ou:name

The org name as reported by the source of the vitals.

:orgfqdn

inet:fqdn

The org FQDN as reported by the source of the vitals.

:currency

econ:currency

The currency of the econ:price values.

:costs

econ:price

The costs/expenditures over the period.

:revenue

econ:price

The gross revenue over the period.

:profit

econ:price

The net profit over the period.

:valuation

econ:price

The assessed value of the org.

:shares

int

The number of shares outstanding.

:population

int

The population of the org.

:delta:costs

econ:price

The change in costs over last period.

:delta:revenue

econ:price

The change in revenue over last period.

:delta:profit

econ:price

The change in profit over last period.

:delta:valuation

econ:price

The change in valuation over last period.

:delta:population

int

The change in population over last period.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

pol:candidate

A candidate for office in a specific race.

The base type for the form can be found at pol:candidate.

Properties:

name

type

doc

:contact

ps:contact

The contact information of the candidate.

:race

pol:race

The race the candidate is participating in.

:campaign

ou:campaign

The official campaign to elect the candidate.

:winner

bool

Set to true if the candidate won the race.

:party

ou:org

The declared political party of the candidate.

:incumbent

bool

Set to true if the candidate is an incumbent in this race.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

pol:country

A GUID for a country.

The base type for the form can be found at pol:country.

Properties:

name

type

doc

opts

:flag

file:bytes

A thumbnail image of the flag of the country.

:iso2

pol:iso2

The 2 letter ISO 3166-1 alpha-2 country code.

:iso3

pol:iso3

The 3 letter ISO 3166-1 alpha-3 country code.

:isonum

pol:isonum

The ISO 3166-1 numeric country code.

:pop

int

Deprecated. Please use :vitals::population.

Deprecated: True

:tld

inet:fqdn

The country code top-level domain (ccTLD) of the country, stored as an FQDN.

:name

geo:name

The name of the country.

:names

array

An array of alternate or localized names for the country.

type: geo:name
uniq: True
sorted: True

:government

ou:org

The ou:org node which represents the government of the country.

:place

geo:place

A geo:place node representing the geospatial properties of the country.

:founded

time

The date that the country was founded.

:dissolved

time

The date that the country was dissolved.

:vitals

pol:vitals

The most recent known vitals for the country.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

pol:election

An election involving one or more races for office.

The base type for the form can be found at pol:election.

Properties:

name

type

doc

opts

:name

str

The name of the election.

Example: 2022 united states congressional midterm election

onespace: True
lower: True

:time

time

The date of the election.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

pol:immigration:status

A node which tracks the immigration status of a contact.

The base type for the form can be found at pol:immigration:status.

Properties:

name

type

doc

opts

:contact

ps:contact

The contact information for the immigration status record.

:country

pol:country

The country that the contact has immigrated or is immigrating to.

:type

pol:immigration:status:type:taxonomy

A taxonomy entry for the immigration status type.

Example: citizen.naturalized

:state

str

The state of the immigration status.

enums: requested,active,rejected,revoked,renounced

:began

time

The time when the status was granted to the contact.

:ended

time

The time when the status no longer applied to the contact.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

pol:immigration:status:type:taxonomy

A taxonomy of immigration status types.

The base type for the form can be found at pol:immigration:status:type:taxonomy.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use :title and :desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

pol:immigration:status:type:taxonomy

The taxonomy parent.

Read Only: True
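The pol:immigration:status form above and this taxonomy form are used together: the status record's :type property points at a taxonomy entry, and the cortex derives the read-only :base, :depth and :parent values of that entry from the taxon path. The Storm queries below are an added example, not from the Synapse documentation or code base; the contact, the guid seed tuples, the dates, the taxonomy entry and its wording are assumed for illustration.

```storm
// Added example (not from the Synapse docs or code base). The contact, the
// guid seed tuples and the dates are made up. Each block is a separate query.

// 1. The contact the status record is about.
[ ps:contact=(example, contact, "jane doe") :name="jane doe" ]

// 2. The status record. Setting :type creates the taxonomy node
//    citizen.naturalized (and its parent, citizen) if they do not exist yet;
//    setting :country creates the pol:country node for that guid if needed.
[ pol:immigration:status=(example, immigration, "jane doe", fr)
    :contact=(example, contact, "jane doe")
    :country=(example, country, fr)
    :type=citizen.naturalized
    :state=active
    :began="2019-06-01" ]

// 3. Document the taxonomy entry. :base, :depth and :parent are read only
//    and were filled in from the taxon path when the node was created.
pol:immigration:status:type:taxonomy=citizen.naturalized
[ :title="naturalized citizen"
  :desc="citizenship granted after birth rather than acquired at birth" ]

// 4. Every record whose type is at or below citizen in the taxonomy
//    (prefix match), then the contacts those records are about.
pol:immigration:status:type^=citizen -> ps:contact

// 5. The direct children of citizen in the taxonomy, i.e. which citizen
//    status types have been used so far.
pol:immigration:status:type:taxonomy:parent=citizen

// 6. Records whose status was revoked or renounced, with the country.
pol:immigration:status +:state*in=(revoked, renounced) -> pol:country
```

Run the blocks as separate queries. In a single pipeline the relative property edits of a later block (such as :name=) would also be applied to every node still flowing through from an earlier block, and fail on forms that do not have that property.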

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

pol:office

An elected or appointed office.

The base type for the form can be found at pol:office.

Properties:

name

type

doc

opts

:title

ou:jobtitle

The title of the political office.

Example: united states senator

:position

ou:position

The position this office holds in the org chart for the governing body.

:termlimit

int

The maximum number of times a single person may hold the office.

:govbody

ou:org

The governmental body which contains the office.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

pol:pollingplace

An official place where ballots may be cast for a specific election.

The base type for the form can be found at pol:pollingplace.

Properties:

name

type

doc

:election

pol:election

The election that the polling place is designated for.

:name

geo:name

The name of the polling place at the time of the election. This may differ from the official place name.

:place

geo:place

The place where votes were cast.

:opens

time

The time that the polling place is scheduled to open.

:closes

time

The time that the polling place is scheduled to close.

:opened

time

The time that the polling place opened.

:closed

time

The time that the polling place closed.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

pol:race

An individual race for office.

The base type for the form can be found at pol:race.

Properties:

name

type

doc

:election

pol:election

The election that includes the race.

:office

pol:office

The political office that the candidates in the race are running for.

:voters

int

The number of eligible voters for this race.

:turnout

int

The number of individuals who voted in this race.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

pol:term

A term in office held by a specific individual.

The base type for the form can be found at pol:term.

Properties:

name

type

doc

:office

pol:office

The office held for the term.

:start

time

The start of the term of office.

:end

time

The end of the term of office.

:race

pol:race

The race that determined who held office during the term.

:contact

ps:contact

The contact information of the person who held office during the term.

:party

ou:org

The political party of the person who held office during the term.
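The forms pol:election, pol:office, pol:race, pol:candidate and pol:term are designed to be linked through the properties listed above: a race belongs to an election and is for an office, a candidate runs in a race, and a term records who ended up holding the office and which race decided it. The Storm queries below are an added example of that chain, not from the Synapse documentation or code base; every guid seed tuple, name, date and number is made up for illustration.

```storm
// Added example (not from the Synapse docs or code base). Every guid seed
// tuple, name and number below is made up. Each block is a separate query.

// 1. The election and the organizations involved.
[ pol:election=(example, election, 2022)
    :name="2022 united states congressional midterm election"
    :time="2022-11-08" ]

[ ou:org=(example, org, senate) :name="united states senate" ]

[ ou:org=(example, org, party) :name="example party" ]

// 2. The office being contested and the governing body that contains it.
[ pol:office=(example, office, "senator, ohio")
    :title="united states senator"
    :govbody=(example, org, senate) ]

// 3. One race in that election, with electorate size and turnout.
[ pol:race=(example, race, "ohio senate 2022")
    :election=(example, election, 2022)
    :office=(example, office, "senator, ohio")
    :voters=8000000
    :turnout=4200000 ]

// 4. A candidate in the race, linked to contact details and party.
[ ps:contact=(example, contact, "jane doe") :name="jane doe" ]

[ pol:candidate=(example, candidate, "jane doe", "ohio senate 2022")
    :contact=(example, contact, "jane doe")
    :race=(example, race, "ohio senate 2022")
    :party=(example, org, party)
    :incumbent=false
    :winner=true ]

// 5. The resulting term of office. It references the race that decided it
//    and the same contact, so the office history stays tied to the election.
[ pol:term=(example, term, "jane doe", "senator, ohio", 2023)
    :office=(example, office, "senator, ohio")
    :race=(example, race, "ohio senate 2022")
    :contact=(example, contact, "jane doe")
    :party=(example, org, party)
    :start="2023-01-03" ]

// 6. Walk the chain back: election, its races, the winning candidates,
//    their contacts. "-> pol:race:election" pivots in to the races whose
//    :election property refers to the inbound election node.
pol:election:name="2022 united states congressional midterm election"
-> pol:race:election
-> pol:candidate:race
+:winner=true
-> ps:contact

// 7. Who has held a given office, via the term nodes.
pol:office:title="united states senator"
-> pol:term:office
-> ps:contact
```

The guid seed tuples are what make the blocks independent: the same tuple always normalizes to the same guid, so a later block can reference a node created earlier without a variable. Run the blocks as separate queries; in one pipeline the relative edits of a later block (such as :name=) would also be applied to the nodes still flowing through from earlier blocks.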

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

pol:vitals

A set of vital statistics about a country.

The base type for the form can be found at pol:vitals.

Properties:

name

type

doc

:country

pol:country

The country that the statistics are about.

:asof

time

The time that the vitals were measured.

:area

geo:area

The area of the country.

:population

int

The total number of people living in the country.

:currency

econ:currency

The national currency.

:econ:currency

econ:currency

The currency used to record price properties.

:econ:gdp

econ:price

The gross domestic product of the country.
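pol:country and pol:vitals are paired: each vitals record points back at its country through :country, and the country's :vitals property points at the most recent record, which is why the older pol:country:pop property is deprecated in favor of :vitals::population. The Storm queries below are an added example showing the pair, the deprecated-property migration, and the pivots between the two forms; they are not from the Synapse documentation or code base, and the guid seed tuples, population and GDP figures are made up for illustration.

```storm
// Added example (not from the Synapse docs or code base). Guid seeds and
// the population and GDP figures are made up. Each block is a separate query.

// 1. The country, keyed by its ISO 3166-1 codes: alpha-2 and alpha-3 are
//    letters, the numeric code is an integer, :tld is the ccTLD.
[ pol:country=(example, country, fr)
    :iso2=fr
    :iso3=fra
    :isonum=250
    :name=france
    :tld=fr ]

// 2. A dated vitals record that points back at the country.
[ pol:vitals=(example, vitals, fr, 2023)
    :country=(example, country, fr)
    :asof="2023-01-01"
    :population=68000000
    :currency=eur
    :econ:currency=eur
    :econ:gdp=2800000000000 ]

// 3. Mark it as the most recent known vitals for the country.
pol:country:iso2=fr [ :vitals=(example, vitals, fr, 2023) ]

// 4. Migrate the deprecated :pop on any country that still carries it into
//    a pol:vitals record, point :vitals at that record, and remove :pop.
//    The "+pol:vitals" filter keeps the property edits off the country node,
//    which is also in the subquery pipeline.
pol:country:pop
$country = $node.value()
$pop = :pop
{ [ pol:vitals=($country, "pop migration") ]
  +pol:vitals
  [ :country=$country :population=$pop ] }
[ :vitals=($country, "pop migration") -:pop ]

// 5. From a country to its current vitals (pivot out through :vitals) ...
pol:country:iso2=fr -> pol:vitals

// 6. ... and from large populations back to the countries they describe.
pol:vitals:population>=50000000 -> pol:country
```

Block 4 keeps the migration idempotent: the vitals guid is derived from the country guid and a fixed label, so re-running it after a partial failure updates the same record instead of creating a second one. Run the blocks as separate queries; in one pipeline the relative edits of a later block would also be applied to nodes still flowing through from earlier blocks.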

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

proj:attachment

A file attachment added to a ticket or comment.

The base type for the form can be found at proj:attachment.

Properties:

name | type | doc
:name | file:base | The name of the file that was attached.
:file | file:bytes | The file that was attached.
:creator | syn:user | The synapse user who added the attachment.
:created | time | The time the attachment was added.
:ticket | proj:ticket | The ticket the attachment was added to.
:comment | proj:comment | The comment the attachment was added to.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

proj:comment

A user comment on a ticket.

The base type for the form can be found at proj:comment.

Properties:

name | type | doc
:creator | syn:user | The synapse user who added the comment.
:created | time | The time the comment was added.
:updated | ismax: True | The last time the comment was updated.
:ticket | proj:ticket | The ticket the comment was added to.
:text | str | The text of the comment.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

proj:epic

A collection of tickets related to a topic.

The base type for the form can be found at proj:epic.

Properties:

name | type | doc
:name | onespace: True | The name of the epic.
:project | proj:project | The project containing the epic.
:creator | syn:user | The synapse user who created the epic.
:created | time | The time the epic was created.
:updated | ismax: True | The last time the epic was updated.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

proj:project

A project in a ticketing system.

The base type for the form can be found at proj:project.

Properties:

name | type | doc | opts
:name | lower: True; onespace: True | The project name.
:type | proj:project:type:taxonomy | The project type.
:desc | str | The project description. | Display: {'hint': 'text'}
:creator | syn:user | The synapse user who created the project.
:created | time | The time the project was created.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

proj:project:type:taxonomy

A type taxonomy for projects.

The base type for the form can be found at proj:project:type:taxonomy.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

proj:sprint

A timeboxed period to complete a set amount of work.

The base type for the form can be found at proj:sprint.

Properties:

name | type | doc
:name | lower: True; onespace: True | The name of the sprint.
:status | enums: planned,current,completed | The sprint status.
:project | proj:project | The project containing the sprint.
:creator | syn:user | The synapse user who created the sprint.
:created | time | The date the sprint was created.
:period | ival | The interval for the sprint.
:desc | str | A description of the sprint.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

proj:ticket

A ticket in a ticketing system.

The base type for the form can be found at proj:ticket.

Properties:

name | type | doc
:project | proj:project | The project containing the ticket.
:ext:id | strip: True | A ticket ID from an external system.
:ext:url | inet:url | A URL to the ticket in an external system.
:ext:creator | ps:contact | Ticket creator contact information from an external system.
:ext:assignee | ps:contact | Ticket assignee contact information from an external system.
:epic | proj:epic | The epic that includes the ticket.
:created | time | The time the ticket was created.
:updated | ismax: True | The last time the ticket was updated.
:name | onespace: True | The name of the ticket.
:desc | str | A description of the ticket.
:points | int | Optional SCRUM style story points value.
:status | enums: ((0, 'new'), (10, 'in validation'), (20, 'in backlog'), (30, 'in sprint'), (40, 'in progress'), (50, 'in review'), (60, 'completed'), (70, 'done'), (80, 'blocked')) | The ticket completion status.
:sprint | proj:sprint | The sprint that contains the ticket.
:priority | enums: ((0, 'none'), (10, 'lowest'), (20, 'low'), (30, 'medium'), (40, 'high'), (50, 'highest')) | The priority of the ticket.
:type | lower: True; strip: True | The type of ticket (e.g. story / bug).
:creator | syn:user | The synapse user who created the ticket.
:assignee | syn:user | The synapse user who the ticket is assigned to.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

ps:achievement

An instance of an individual receiving an award.

The base type for the form can be found at ps:achievement.

Properties:

name | type | doc
:awardee | ps:contact | The recipient of the award.
:award | ou:award | The award bestowed on the awardee.
:awarded | time | The date the award was granted to the awardee.
:expires | time | The date the award or certification expires.
:revoked | time | The date the award was revoked by the org.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

ps:contact

A GUID for a contact info record.

The base type for the form can be found at ps:contact.

Properties:

name

type

doc

opts

:org

ou:org

The org which this contact represents.

:type

ps:contact:type:taxonomy

The type of contact which may be used for entity resolution.

:asof

time

A date/time value.

date: The time this contact was created or modified.

:person

ps:person

The ps:person GUID which owns this contact.

:vitals

ps:vitals

The most recent known vitals for the contact.

:name

ps:name

The person name listed for the contact.

:desc

str

A description of this contact.

:title

ou:jobtitle

The job/org title listed for this contact.

:photo

file:bytes

The photo listed for this contact.

:orgname

ou:name

The listed org/company name for this contact.

:orgfqdn

inet:fqdn

The listed org/company FQDN for this contact.

:user

inet:user

The username or handle for this contact.

:web:acct

inet:web:acct

The social media account for this contact.

:web:group

inet:web:group

A web group representing this contact.

:birth:place

geo:place

A fully resolved place of birth for this contact.

:birth:place:loc

loc

The loc of the place of birth of this contact.

:birth:place:name

geo:name

The name of the place of birth of this contact.

:death:place

geo:place

A fully resolved place of death for this contact.

:death:place:loc

loc

The loc of the place of death of this contact.

:death:place:name

geo:name

The name of the place of death of this contact.

:dob

time

The date of birth for this contact.

:dod

time

The date of death for this contact.

:url

inet:url

The home or main site for this contact.

:email

inet:email

The main email address for this contact.

:email:work

inet:email

The work email address for this contact.

:loc

loc

Best known contact geopolitical location.

:address

geo:address

The street address listed for the contact.

Display: {'hint': 'text'}

:place

geo:place

The place associated with this contact.

:place:name

geo:name

The reported name of the place associated with this contact.

:phone

tel:phone

The main phone number for this contact.

:phone:fax

tel:phone

The fax number for this contact.

:phone:work

tel:phone

The work phone number for this contact.

:id:number

ou:id:number

An ID number issued by an org and associated with this contact.

:adid

it:adid

A Advertising ID associated with this contact.

:imid

tel:mob:imid

An IMID associated with the contact.

:imid:imei

tel:mob:imei

An IMEI associated with the contact.

:imid:imsi

tel:mob:imsi

An IMSI associated with the contact.

:names

type: ps:name
uniq: True
sorted: True

An array of associated names/aliases for the person.

:orgnames

type: ou:name
uniq: True
sorted: True

An array of associated names/aliases for the organization.

:emails

uniq: True
sorted: True

An array of secondary/associated email addresses.

:web:accts

uniq: True
sorted: True

An array of secondary/associated web accounts.

:id:numbers

uniq: True
sorted: True

An array of secondary/associated IDs.

:users

type: inet:user
uniq: True
sorted: True

An array of secondary/associated user names.

:crypto:address

crypto:currency:address

A crypto currency address associated with the contact.

:lang

lang:language

The language specified for the contact.

:langs

An array of alternative languages specified for the contact.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ps:contact:type:taxonomy

A taxonomy of contact types.

The base type for the form can be found at ps:contact:type:taxonomy.

Properties:

name

type

doc

opts

:title

str

A brief title of the definition.

:summary

str

Deprecated. Please use title/desc.

Deprecated: True
Display: {'hint': 'text'}

:desc

str

A definition of the taxonomy entry.

Display: {'hint': 'text'}

:sort

int

A display sort order for siblings.

:base

taxon

The base taxon.

Read Only: True

:depth

int

The depth indexed from 0.

Read Only: True

:parent

ps:contact:type:taxonomy

The taxonomy parent.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ps:contactlist

A GUID for a list of associated contacts.

The base type for the form can be found at ps:contactlist.

Properties:

name

type

doc

:contacts

uniq: True
split: ,
sorted: True

The array of contacts contained in the list.

:source:host

it:host

The host from which the contact list was extracted.

:source:file

file:bytes

The file from which the contact list was extracted.

:source:acct

inet:web:acct

The web account from which the contact list was extracted.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ps:education

A period of education for an individual.

The base type for the form can be found at ps:education.

Properties:

name

type

doc

:student

ps:contact

The contact of the person being educated.

:institution

ps:contact

The contact info for the org providing educational services.

:attended:first

time

The first date the student attended a class.

:attended:last

time

The last date the student attended a class.

:classes

type: edu:class
uniq: True
sorted: True

The classes attended by the student.

:achievement

ps:achievement

The achievement awarded to the individual.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ps:name

An arbitrary, lower spaced string with normalized whitespace.

The base type for the form can be found at ps:name.

An example of ps:name:

  • robert grey

Properties:

name

type

doc

:sur

ps:tokn

The surname part of the name.

:middle

ps:tokn

The middle name part of the name.

:given

ps:tokn

The given name part of the name.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ps:person

A GUID for a person.

The base type for the form can be found at ps:person.

Properties:

name

type

doc

opts

:dob

time

The date on which the person was born.

:dod

time

The date on which the person died.

:img

file:bytes

Deprecated: use ps:person:photo.

Deprecated: True

:photo

file:bytes

The primary image of a person.

:nick

inet:user

A username commonly used by the person.

:vitals

ps:vitals

The most recent known vitals for the person.

:name

ps:name

The localized name for the person.

:name:sur

ps:tokn

The surname of the person.

:name:middle

ps:tokn

The middle name of the person.

:name:given

ps:tokn

The given name of the person.

:names

type: ps:name
uniq: True
sorted: True

Variations of the name for the person.

:nicks

type: inet:user
uniq: True
sorted: True

Usernames used by the person.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ps:person:has

A person owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.

The base type for the form can be found at ps:person:has.

Properties:

name

type

doc

opts

:person

ps:person

The person who owns or controls the object or resource.

Read Only: True

:node

ndef

The object or resource that is owned or controlled by the person.

Read Only: True

:node:form

str

The form of the object or resource that is owned or controlled by the person.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ps:persona

A GUID for a suspected person.

The base type for the form can be found at ps:persona.

Properties:

name

type

doc

:person

ps:person

The real person behind the persona.

:dob

time

The Date of Birth (DOB) if known.

:img

file:bytes

The primary image of a suspected person.

:nick

inet:user

A username commonly used by the suspected person.

:name

ps:name

The localized name for the suspected person.

:name:sur

ps:tokn

The surname of the suspected person.

:name:middle

ps:tokn

The middle name of the suspected person.

:name:given

ps:tokn

The given name of the suspected person.

:names

type: ps:name
uniq: True
sorted: True

Variations of the name for a persona.

:nicks

type: inet:user
uniq: True
sorted: True

Usernames used by the persona.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ps:persona:has

A persona owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.

The base type for the form can be found at ps:persona:has.

Properties:

name

type

doc

opts

:persona

ps:persona

The persona who owns or controls the object or resource.

Read Only: True

:node

ndef

The object or resource that is owned or controlled by the persona.

Read Only: True

:node:form

str

The form of the object or resource that is owned or controlled by the persona.

Read Only: True

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ps:proficiency

The assessment that a given contact possesses a specific skill.

The base type for the form can be found at ps:proficiency.

Properties:

name

type

doc

:skill

ps:skill

The skill in which the contact is proficient.

:contact

ps:contact

The contact which is proficient in the skill.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the geo:telem node place and time.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

The source node contains a reference to the target node.

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

ps:skill

A specific skill which a person or organization may have.

The base type for the form can be found at ps:skill.

Properties:

name

type

doc

:name

lower: True
onespace: True

The name of the skill.

:type

ps:skill:type:taxonomy

The type of skill as a taxonomy.

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               The source node contains a reference to the target node.
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

ps:skill:type:taxonomy

A taxonomy of skill types.

The base type for the form can be found at ps:skill:type:taxonomy.

Properties:

:title  (str)
    A brief title of the definition.

:summary  (str)
    Deprecated. Please use title/desc.
    Deprecated: True. Display: {'hint': 'text'}

:desc  (str)
    A definition of the taxonomy entry.
    Display: {'hint': 'text'}

:sort  (int)
    A display sort order for siblings.

:base  (taxon)
    The base taxon.
    Read Only: True

:depth  (int)
    The depth indexed from 0.
    Read Only: True

:parent  (ps:skill:type:taxonomy)
    The taxonomy parent.
    Read Only: True

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               The source node contains a reference to the target node.
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

ps:tokn

A single name element (potentially a given name or a surname).

The base type for the form can be found at ps:tokn.

An example of ps:tokn:

  • robert

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               The source node contains a reference to the target node.
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

ps:vitals

Statistics and demographic data about a person or contact.

The base type for the form can be found at ps:vitals.

Properties:

:asof  (time)
    The time the vitals were gathered or computed.

:contact  (ps:contact)
    The contact that the vitals are about.

:person  (ps:person)
    The person that the vitals are about.

:height  (geo:dist)
    The height of the person or contact.

:weight  (mass)
    The weight of the person or contact.

:econ:currency  (econ:currency)
    The currency in which the price values are recorded.

:econ:net:worth  (econ:price)
    The net worth of the contact.

:econ:annual:income  (econ:price)
    The yearly income of the contact.

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               The source node contains a reference to the target node.
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

ps:workhist

A GUID representing an entry in a contact’s work history.

The base type for the form can be found at ps:workhist.

Properties:

:contact  (ps:contact)
    The contact which has the work history.

:org  (ou:org)
    The org that this work history's orgname refers to.

:orgname  (ou:name)
    The reported name of the org the contact worked for.

:orgfqdn  (inet:fqdn)
    The reported FQDN of the org the contact worked for.

:jobtype  (ou:jobtype)
    The type of job.

:employment  (ou:employment)
    The type of employment.

:jobtitle  (ou:jobtitle)
    The job title.

:started  (time)
    The date that the contact began working.

:ended  (time)
    The date that the contact stopped working.

:duration  (duration)
    The duration of the period of work.

:pay  (econ:price)
    The estimated/average yearly pay for the work.

:currency  (econ:currency)
    The currency that the yearly pay was delivered in.

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               The source node contains a reference to the target node.
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

risk:alert

An instance of an alert which indicates the presence of a risk.

The base type for the form can be found at risk:alert.

Properties:

:type  (risk:alert:taxonomy)
    A type for the alert, as a taxonomy entry.

:name  (str)
    A brief name for the alert.

:desc  (str)
    A free-form description / overview of the alert.
    Display: {'hint': 'text'}

:status  (type options: enums: ((0, 'new'), (10, 'enrichment'), (20, 'todo'), (30, 'analysis'), (40, 'remediation'), (50, 'done')))
    The status of the alert.

:benign  (bool)
    Set to true if the alert has been confirmed benign. Set to false if malicious.

:priority  (meta:priority)
    A priority rank for the alert.

:severity  (meta:severity)
    A severity rank for the alert.

:verdict  (risk:alert:verdict:taxonomy)
    A verdict about why the alert is malicious or benign, as a taxonomy entry.
    Example: benign.false_positive

:assignee  (syn:user)
    The Synapse user who is assigned to investigate the alert.

:ext:assignee  (ps:contact)
    The alert assignee contact information from an external system.

:engine  (it:prod:softver)
    The software that generated the alert.

:detected  (time)
    The time the alerted condition was detected.

:vuln  (risk:vuln)
    The optional vulnerability that the alert indicates.

:attack  (risk:attack)
    A confirmed attack that this alert indicates.

:url  (inet:url)
    A URL which documents the alert.

:ext:id  (str)
    An external identifier for the alert.

:host  (it:host)
    The host which generated the alert.

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               The source node contains a reference to the target node.
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

risk:alert:taxonomy

A taxonomy of alert types.

The base type for the form can be found at risk:alert:taxonomy.

Properties:

:title  (str)
    A brief title of the definition.

:summary  (str)
    Deprecated. Please use title/desc.
    Deprecated: True. Display: {'hint': 'text'}

:desc  (str)
    A definition of the taxonomy entry.
    Display: {'hint': 'text'}

:sort  (int)
    A display sort order for siblings.

:base  (taxon)
    The base taxon.
    Read Only: True

:depth  (int)
    The depth indexed from 0.
    Read Only: True

:parent  (risk:alert:taxonomy)
    The taxonomy parent.
    Read Only: True

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               The source node contains a reference to the target node.
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

risk:alert:verdict:taxonomy

A taxonomy of verdicts for the origin and validity of the alert.

The base type for the form can be found at risk:alert:verdict:taxonomy.

Properties:

:title  (str)
    A brief title of the definition.

:summary  (str)
    Deprecated. Please use title/desc.
    Deprecated: True. Display: {'hint': 'text'}

:desc  (str)
    A definition of the taxonomy entry.
    Display: {'hint': 'text'}

:sort  (int)
    A display sort order for siblings.

:base  (taxon)
    The base taxon.
    Read Only: True

:depth  (int)
    The depth indexed from 0.
    Read Only: True

:parent  (risk:alert:verdict:taxonomy)
    The taxonomy parent.
    Read Only: True

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               The source node contains a reference to the target node.
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

risk:attack

An instance of an actor attacking a target.

The base type for the form can be found at risk:attack.

Properties:

:desc  (str)
    A description of the attack.
    Display: {'hint': 'text'}

:type  (risk:attacktype)
    A type for the attack, as a taxonomy entry.
    Example: cno.phishing

:reporter  (ou:org)
    The organization reporting on the attack.

:reporter:name  (ou:name)
    The name of the organization reporting on the attack.

:time  (time)
    Set if the time of the attack is known.

:detected  (time)
    The first confirmed detection time of the attack.

:success  (bool)
    Set if the attack was known to have succeeded or not.

:targeted  (bool)
    Set if the attack was assessed to be targeted or not.

:goal  (ou:goal)
    The tactical goal of this specific attack.

:campaign  (ou:campaign)
    Set if the attack was part of a larger campaign.

:compromise  (risk:compromise)
    A compromise that this attack contributed to.

:severity  (meta:severity)
    A severity rank for the attack.

:sophistication  (meta:sophistication)
    The assessed sophistication of the attack.

:prev  (risk:attack)
    The previous/parent attack in a list or hierarchy.

:actor:org  (ou:org)
    Deprecated. Please use :attacker to allow entity resolution.
    Deprecated: True

:actor:person  (ps:person)
    Deprecated. Please use :attacker to allow entity resolution.
    Deprecated: True

:attacker  (ps:contact)
    Contact information representing the attacker.

:target  (ps:contact)
    Deprecated. Please use -(targets)> light-weight edges.
    Deprecated: True

:target:org  (ou:org)
    Deprecated. Please use -(targets)> light-weight edges.
    Deprecated: True

:target:host  (it:host)
    Deprecated. Please use -(targets)> light-weight edges.
    Deprecated: True

:target:person  (ps:person)
    Deprecated. Please use -(targets)> light-weight edges.
    Deprecated: True

:target:place  (geo:place)
    Deprecated. Please use -(targets)> light-weight edges.
    Deprecated: True

:via:ipv4  (inet:ipv4)
    Deprecated. Please use -(uses)> light-weight edges.
    Deprecated: True

:via:ipv6  (inet:ipv6)
    Deprecated. Please use -(uses)> light-weight edges.
    Deprecated: True

:via:email  (inet:email)
    Deprecated. Please use -(uses)> light-weight edges.
    Deprecated: True

:via:phone  (tel:phone)
    Deprecated. Please use -(uses)> light-weight edges.
    Deprecated: True

:used:vuln  (risk:vuln)
    Deprecated. Please use -(uses)> light-weight edges.
    Deprecated: True

:used:url  (inet:url)
    Deprecated. Please use -(uses)> light-weight edges.
    Deprecated: True

:used:host  (it:host)
    Deprecated. Please use -(uses)> light-weight edges.
    Deprecated: True

:used:email  (inet:email)
    Deprecated. Please use -(uses)> light-weight edges.
    Deprecated: True

:used:file  (file:bytes)
    Deprecated. Please use -(uses)> light-weight edges.
    Deprecated: True

:used:server  (inet:server)
    Deprecated. Please use -(uses)> light-weight edges.
    Deprecated: True

:used:software  (it:prod:softver)
    Deprecated. Please use -(uses)> light-weight edges.
    Deprecated: True

:techniques  (type options: sorted: True, uniq: True)
    Deprecated for scalability. Please use -(uses)> ou:technique.
    Deprecated: True

:url  (inet:url)
    A URL which documents the attack.

:ext:id  (str)
    An external unique ID for the attack.
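The following worked example is added here and is not part of the Synapse data model documentation or of Synapse's own code. In plain Python it models three things the risk:alert and risk:attack forms above describe: the :status enum of risk:alert, the read-only :base / :depth / :parent properties that a taxonomy type such as risk:attacktype or risk:alert:verdict:taxonomy derives from its dotted value, and the migration of the deprecated :target:*, :via:* and :used:* properties of risk:attack to -(targets)> and -(uses)> light-weight edges. The Node class, the function names, the in-memory edge representation, the derivation of :benign from the verdict and all sample values are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# risk:alert :status enum exactly as documented above: name -> stored int.
ALERT_STATUS = {"new": 0, "enrichment": 10, "todo": 20,
                "analysis": 30, "remediation": 40, "done": 50}

# Deprecated risk:attack properties and the light-weight edge the docs say to
# use instead, as (verb, target form). Taken from the property docs above.
DEPRECATED_TO_EDGE = {
    "target": ("targets", "ps:contact"),
    "target:org": ("targets", "ou:org"),
    "target:host": ("targets", "it:host"),
    "target:person": ("targets", "ps:person"),
    "target:place": ("targets", "geo:place"),
    "via:ipv4": ("uses", "inet:ipv4"),
    "via:ipv6": ("uses", "inet:ipv6"),
    "via:email": ("uses", "inet:email"),
    "via:phone": ("uses", "tel:phone"),
    "used:vuln": ("uses", "risk:vuln"),
    "used:url": ("uses", "inet:url"),
    "used:host": ("uses", "it:host"),
    "used:email": ("uses", "inet:email"),
    "used:file": ("uses", "file:bytes"),
    "used:server": ("uses", "inet:server"),
    "used:software": ("uses", "it:prod:softver"),
}


def taxon_props(valu: str) -> dict:
    """Derive the read-only :base, :depth and :parent of a taxonomy entry
    (risk:attacktype, risk:alert:verdict:taxonomy, ...) from its dotted value.
    :depth is indexed from 0, so a top-level taxon has depth 0 and no parent."""
    parts = valu.lower().split(".")
    return {"base": parts[-1],
            "depth": len(parts) - 1,
            "parent": ".".join(parts[:-1]) or None}


@dataclass
class Node:
    """Minimal stand-in for a graph node (hypothetical, for this example)."""
    form: str
    valu: str
    props: dict = field(default_factory=dict)
    # light-weight edges leaving this node: (verb, target form, target valu)
    edges: set = field(default_factory=set)


def migrate_attack(attack: Node) -> Node:
    """Replace the deprecated :target:*, :via:* and :used:* props of a
    risk:attack with the -(targets)> / -(uses)> edges the docs recommend.
    Props that are not deprecated (:type, :success, ...) are left in place."""
    for prop in list(attack.props):
        if prop in DEPRECATED_TO_EDGE:
            verb, form = DEPRECATED_TO_EDGE[prop]
            attack.edges.add((verb, form, attack.props.pop(prop)))
    return attack


def make_alert(valu: str, name: str, status: str,
               verdict: Optional[str] = None,
               attack: Optional[Node] = None) -> Node:
    """Build a risk:alert, rejecting a :status outside the documented enum.
    If a verdict is given, :benign is derived from its top-level taxon
    ('benign.false_positive' -> True, 'malicious.*' -> False); that derivation
    is this example's convention, not a rule stated by the data model."""
    if status not in ALERT_STATUS:
        raise ValueError(f"risk:alert:status must be one of {sorted(ALERT_STATUS)}")
    props = {"name": name, "status": ALERT_STATUS[status]}
    if verdict is not None:
        props["verdict"] = verdict.lower()
        props["benign"] = verdict.lower().split(".")[0] == "benign"
    if attack is not None:
        props["attack"] = attack.valu  # :attack points at the risk:attack guid
    return Node("risk:alert", valu, props)


if __name__ == "__main__":
    # Constructed sample data: an attack recorded with the deprecated props.
    attack = Node("risk:attack", "attack-guid-1", {
        "type": "cno.phishing", "success": True,
        "target:org": "org-guid-1", "used:vuln": "vuln-guid-1"})
    migrate_attack(attack)
    alert = make_alert("alert-guid-1", "User-reported phish", "analysis",
                       verdict="malicious.true_positive", attack=attack)
    print(taxon_props(attack.props["type"]))  # base phishing, depth 1, parent cno
    print(sorted(attack.edges))
    print(alert.props)
```

Run as a script, the module prints the derived taxonomy properties of the attack's :type, the two edges that replaced :target:org and :used:vuln, and the alert's properties. Edges are stored as plain tuples because light-weight edges carry no properties of their own, which is also why the docs prefer them over a growing list of typed :target:* and :used:* properties.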

Source Edges:

source              verb           target          doc
*                   -(meets)>      ou:requirement  The requirement is met by the source node.
*                   -(refs)>       *               The source node contains a reference to the target node.
*                   -(seenat)>     geo:telem       The source node was seen at the geo:telem node place and time.
risk:attack         -(targets)>    ou:industry     The attack targeted the industry.
risk:attack         -(targets)>    *               The attack targeted the target node.
risk:attack         -(uses)>       ou:technique    The attacker used the technique in the attack.
risk:attack         -(uses)>       risk:vuln       The attack used the vulnerability.
risk:attack         -(uses)>       *               The attack used the target node to facilitate the attack.

Target Edges:

source              verb           target          doc
*                   -(refs)>       *               The source node contains a reference to the target node.
econ:purchase       -(acquired)>   *               The purchase was used to acquire the target node.
it:app:snort:rule   -(detects)>    *               The snort rule is intended for use in detecting the target node.
it:app:yara:rule    -(detects)>    *               The YARA rule is intended for use in detecting the target node.
it:exec:query       -(found)>      *               The target node was returned as a result of running the query.
meta:note           -(about)>      *               The meta:note is about the target node.
meta:rule           -(detects)>    *               The meta:rule is designed to detect instances of the target node.
meta:rule           -(matches)>    *               The meta:rule has matched on the target node.
meta:source         -(seen)>       *               The meta:source observed the target node.
ou:campaign         -(targets)>    *               The campaign targeted the target nodes.
ou:campaign         -(uses)>       *               The campaign made use of the target node.
ou:contribution     -(includes)>   *               The contribution includes the specific node.
ou:org              -(has)>        *               The organization is or was in possession of the target node.
ou:org              -(owns)>       *               The organization owns or owned the target node.
ou:org              -(targets)>    *               The organization targets the target node.
ou:org              -(uses)>       *               The ou:org makes use of the target node.
ps:contact          -(has)>        *               The contact is or was in possession of the target node.
ps:contact          -(owns)>       *               The contact owns or owned the target node.
ps:person           -(has)>        *               The person is or was in possession of the target node.
ps:person           -(owns)>       *               The person owns or owned the target node.
risk:compromise     -(stole)>      *               The target node was stolen or copied as a result of the compromise.
risk:extortion      -(leveraged)>  *               The extortion event was based on attacker access to the target node.
risk:leak           -(leaked)>     *               The leak included the disclosure of the target node.
risk:threat         -(targets)>    *               The threat cluster targeted the target node.
risk:threat         -(uses)>       *               The threat cluster uses the target node.
risk:tool:software  -(uses)>       *               The tool uses the target node.
sci:evidence        -(has)>        *               The evidence includes observations from the target nodes.
sci:experiment      -(uses)>       *               The experiment used the target nodes when it was run.
sci:observation     -(has)>        *               The observations are summarized from the target nodes.

risk:attacktype

A taxonomy of attack types.

The base type for the form can be found at risk:attacktype.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | risk:attacktype | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

risk:availability

A taxonomy of availability status values.

The base type for the form can be found at risk:availability.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | risk:availability | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

risk:compromise

An instance of a compromise and its aggregate impact.

The base type for the form can be found at risk:compromise.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :name | lower: True; onespace: True | A brief name for the compromise event. | |
| :desc | str | A prose description of the compromise event. | Display: {'hint': 'text'} |
| :reporter | ou:org | The organization reporting on the compromise. | |
| :reporter:name | ou:name | The name of the organization reporting on the compromise. | |
| :ext:id | str | An external unique ID for the compromise. | |
| :url | inet:url | A URL which documents the compromise. | |
| :type | risk:compromisetype | A type for the compromise, as a taxonomy entry. | Example: cno.breach |
| :vector | risk:attack | The attack assessed to be the initial compromise vector. | |
| :target | ps:contact | Contact information representing the target. | |
| :attacker | ps:contact | Contact information representing the attacker. | |
| :campaign | ou:campaign | The campaign that this compromise is part of. | |
| :time | time | Earliest known evidence of compromise. | |
| :lasttime | time | Last known evidence of compromise. | |
| :duration | duration | The duration of the compromise. | |
| :detected | time | The first confirmed detection time of the compromise. | |
| :loss:pii | int | The number of records compromised which contain PII. | |
| :loss:econ | econ:price | The total economic cost of the compromise. | |
| :loss:life | int | The total loss of life due to the compromise. | |
| :loss:bytes | int | An estimate of the volume of data compromised. | |
| :ransom:paid | econ:price | The value of the ransom paid by the target. | |
| :ransom:price | econ:price | The value of the ransom demanded by the attacker. | |
| :response:cost | econ:price | The economic cost of the response and mitigation efforts. | |
| :theft:price | econ:price | The total value of the theft of assets. | |
| :econ:currency | econ:currency | The currency type for the econ:price fields. | |
| :severity | meta:severity | A severity rank for the compromise. | |
| :goal | ou:goal | The assessed primary goal of the attacker for the compromise. | |
| :goals | type: ou:goal; sorted: True; uniq: True | An array of assessed attacker goals for the compromise. | |
| :techniques | sorted: True; uniq: True | Deprecated for scalability. Please use -(uses)> ou:technique. | Deprecated: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:compromise | -(uses)> | ou:technique | The attacker used the technique in the compromise. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

risk:compromisetype

A taxonomy of compromise types.

The base type for the form can be found at risk:compromisetype.

An example of risk:compromisetype:

  • cno.breach

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | risk:compromisetype | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

risk:extortion

An event where an attacker attempted to extort a victim.

The base type for the form can be found at risk:extortion.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :name | lower: True; onespace: True | A name for the extortion event. | |
| :desc | str | A description of the extortion event. | Display: {'hint': 'text'} |
| :reporter | ou:org | The organization reporting on the extortion event. | |
| :reporter:name | ou:name | The name of the organization reporting on the extortion event. | |
| :demanded | time | The time that the attacker made their demands. | |
| :deadline | time | The time that the demand must be met. | |
| :goal | ou:goal | The goal of the attacker in extorting the victim. | |
| :type | risk:extortion:type:taxonomy | A type taxonomy for the extortion event. | |
| :attacker | ps:contact | The extortion attacker identity. | |
| :target | ps:contact | The extortion target identity. | |
| :success | bool | Set to true if the victim met the attacker’s demands. | |
| :enacted | bool | Set to true if the attacker carried out the threat. | |
| :public | bool | Set to true if the attacker publicly announced the extortion. | |
| :public:url | inet:url | The URL where the attacker publicly announced the extortion. | |
| :compromise | risk:compromise | The compromise which allowed the attacker to extort the target. | |
| :demanded:payment:price | econ:price | The payment price which was demanded. | |
| :demanded:payment:currency | econ:currency | The currency in which payment was demanded. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:extortion | -(uses)> | ou:technique | The attacker used the technique to extort the victim. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

risk:extortion:type:taxonomy

A taxonomy of extortion event types.

The base type for the form can be found at risk:extortion:type:taxonomy.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | risk:extortion:type:taxonomy | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

risk:hasvuln

Deprecated. Please use risk:vulnerable.

The base type for the form can be found at risk:hasvuln.

Properties:

| name | type | doc |
| --- | --- | --- |
| :vuln | risk:vuln | The vulnerability present in the target. |
| :person | ps:person | The vulnerable person. |
| :org | ou:org | The vulnerable org. |
| :place | geo:place | The vulnerable place. |
| :software | it:prod:softver | The vulnerable software. |
| :hardware | it:prod:hardware | The vulnerable hardware. |
| :spec | mat:spec | The vulnerable material specification. |
| :item | mat:item | The vulnerable material item. |
| :host | it:host | The vulnerable host. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

risk:leak

An event where information was disclosed without permission.

The base type for the form can be found at risk:leak.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :name | lower: True; onespace: True | A simple name for the leak event. | |
| :desc | str | A description of the leak event. | Display: {'hint': 'text'} |
| :reporter | ou:org | The organization reporting on the leak event. | |
| :reporter:name | ou:name | The name of the organization reporting on the leak event. | |
| :disclosed | time | The time the leaked information was disclosed. | |
| :owner | ps:contact | The owner of the leaked information. | |
| :leaker | ps:contact | The identity which leaked the information. | |
| :type | risk:leak:type:taxonomy | A type taxonomy for the leak. | |
| :goal | ou:goal | The goal of the leaker in disclosing the information. | |
| :compromise | risk:compromise | The compromise which allowed the leaker access to the information. | |
| :extortion | risk:extortion | The extortion event which used the threat of the leak as leverage. | |
| :public | bool | Set to true if the leaked information was made publicly available. | |
| :public:url | inet:url | The URL where the leaked information was made publicly available. | |
| :size:bytes | min: 0 | The approximate uncompressed size of the total data leaked. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

risk:leak:type:taxonomy

A taxonomy of leak event types.

The base type for the form can be found at risk:leak:type:taxonomy.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | risk:leak:type:taxonomy | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

risk:mitigation

A mitigation for a specific risk:vuln.

The base type for the form can be found at risk:mitigation.

Properties (name (type): doc [opts]):

:vuln (risk:vuln): The vulnerability that this mitigation addresses.
:name (lower: True, onespace: True): A brief name for this risk mitigation.
:desc (str): A description of the mitigation approach for the vulnerability. [Display: {'hint': 'text'}]
:software (it:prod:softver): A software version which implements a fix for the vulnerability.
:hardware (it:prod:hardware): A hardware version which implements a fix for the vulnerability.
:reporter (ou:org): The organization reporting on the mitigation.
:reporter:name (ou:name): The name of the organization reporting on the mitigation.
:mitre:attack:mitigation (it:mitre:attack:mitigation): A mapping to a MITRE ATT&CK mitigation if applicable.
:tag (syn:tag): The tag used to annotate nodes which have the mitigation in place.

Source Edges (source -(verb)> target: doc):

* -(meets)> ou:requirement: The requirement is met by the source node.
* -(refs)> *: The source node contains a reference to the target node.
* -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.
risk:mitigation -(addresses)> ou:technique: The mitigation addresses the technique.

Target Edges (source -(verb)> target: doc):

* -(refs)> *: None
econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
it:exec:query -(found)> *: The target node was returned as a result of running the query.
meta:note -(about)> *: The meta:note is about the target node.
meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
meta:rule -(matches)> *: The meta:rule has matched on the target node.
meta:source -(seen)> *: The meta:source observed the target node.
ou:campaign -(targets)> *: The campaign targeted the target nodes.
ou:campaign -(uses)> *: The campaign made use of the target node.
ou:contribution -(includes)> *: The contribution includes the specific node.
ou:org -(has)> *: The organization is or was in possession of the target node.
ou:org -(owns)> *: The organization owns or owned the target node.
ou:org -(targets)> *: The organization targets the target node.
ou:org -(uses)> *: The ou:org makes use of the target node.
ps:contact -(has)> *: The contact is or was in possession of the target node.
ps:contact -(owns)> *: The contact owns or owned the target node.
ps:person -(has)> *: The person is or was in possession of the target node.
ps:person -(owns)> *: The person owns or owned the target node.
risk:attack -(targets)> *: The attack targeted the target node.
risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
risk:leak -(leaked)> *: The leak included the disclosure of the target node.
risk:threat -(targets)> *: The threat cluster targeted the target node.
risk:threat -(uses)> *: The threat cluster uses the target node.
risk:tool:software -(uses)> *: The tool uses the target node.
sci:evidence -(has)> *: The evidence includes observations from the target nodes.
sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
sci:observation -(has)> *: The observations are summarized from the target nodes.

risk:technique:masquerade

Represents the assessment that a node is designed to resemble another in order to mislead.

The base type for the form can be found at risk:technique:masquerade.

Properties (name (type): doc):

:node (ndef): The node masquerading as another.
:period (ival): The time period when the masquerading was active.
:target (ndef): The node being masqueraded as.
:technique (ou:technique): The specific technique which describes the type of masquerading.

Source Edges (source -(verb)> target: doc):

* -(meets)> ou:requirement: The requirement is met by the source node.
* -(refs)> *: The source node contains a reference to the target node.
* -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges (source -(verb)> target: doc):

* -(refs)> *: None
econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
it:exec:query -(found)> *: The target node was returned as a result of running the query.
meta:note -(about)> *: The meta:note is about the target node.
meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
meta:rule -(matches)> *: The meta:rule has matched on the target node.
meta:source -(seen)> *: The meta:source observed the target node.
ou:campaign -(targets)> *: The campaign targeted the target nodes.
ou:campaign -(uses)> *: The campaign made use of the target node.
ou:contribution -(includes)> *: The contribution includes the specific node.
ou:org -(has)> *: The organization is or was in possession of the target node.
ou:org -(owns)> *: The organization owns or owned the target node.
ou:org -(targets)> *: The organization targets the target node.
ou:org -(uses)> *: The ou:org makes use of the target node.
ps:contact -(has)> *: The contact is or was in possession of the target node.
ps:contact -(owns)> *: The contact owns or owned the target node.
ps:person -(has)> *: The person is or was in possession of the target node.
ps:person -(owns)> *: The person owns or owned the target node.
risk:attack -(targets)> *: The attack targeted the target node.
risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
risk:leak -(leaked)> *: The leak included the disclosure of the target node.
risk:threat -(targets)> *: The threat cluster targeted the target node.
risk:threat -(uses)> *: The threat cluster uses the target node.
risk:tool:software -(uses)> *: The tool uses the target node.
sci:evidence -(has)> *: The evidence includes observations from the target nodes.
sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
sci:observation -(has)> *: The observations are summarized from the target nodes.

risk:threat

A threat cluster or subgraph of threat activity, as reported by a specific organization.

The base type for the form can be found at risk:threat.

Properties (name (type): doc [opts]):

:name (lower: True, onespace: True): A brief descriptive name for the threat cluster. Example: apt1 (mandiant)
:type (risk:threat:type:taxonomy): A type for the threat, as a taxonomy entry.
:desc (str): A description of the threat cluster.
:tag (syn:tag): The tag used to annotate nodes that are associated with the threat cluster.
:active (ival): An interval for when the threat cluster is assessed to have been active.
:reporter (ou:org): The organization reporting on the threat cluster.
:reporter:name (ou:name): The name of the organization reporting on the threat cluster.
:reporter:discovered (time): The time that the reporting organization first discovered the threat cluster.
:reporter:published (time): The time that the reporting organization first publicly disclosed the threat cluster.
:org (ou:org): The authoritative organization for the threat cluster.
:org:loc (loc): The reporting organization’s assessed location of the threat cluster.
:org:name (ou:name): The reporting organization’s name for the threat cluster. Example: apt1
:org:names (type: ou:name, sorted: True, uniq: True): An array of alternate names for the threat cluster, according to the reporting organization.
:country (pol:country): The reporting organization’s assessed country of origin of the threat cluster.
:country:code (pol:iso2): The 2-digit ISO 3166 country code for the threat cluster’s assessed country of origin.
:goals (type: ou:goal, sorted: True, uniq: True): The reporting organization’s assessed goals of the threat cluster.
:sophistication (meta:sophistication): The reporting organization’s assessed sophistication of the threat cluster.
:techniques (sorted: True, uniq: True): Deprecated for scalability. Please use -(uses)> ou:technique. [Deprecated: True]
:merged:time (time): The time that the reporting organization merged this threat cluster into another.
:merged:isnow (risk:threat): The threat cluster that the reporting organization merged this cluster into.
:mitre:attack:group (it:mitre:attack:group): A mapping to a MITRE ATT&CK group if applicable.

Source Edges (source -(verb)> target: doc):

* -(meets)> ou:requirement: The requirement is met by the source node.
* -(refs)> *: The source node contains a reference to the target node.
* -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.
risk:threat -(targets)> ou:industry: The threat cluster targets the industry.
risk:threat -(targets)> *: The threat cluster targeted the target node.
risk:threat -(uses)> ou:technique: The threat cluster uses the technique.
risk:threat -(uses)> risk:vuln: The threat cluster uses the vulnerability.
risk:threat -(uses)> *: The threat cluster uses the target node.

Target Edges (source -(verb)> target: doc):

* -(refs)> *: None
econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
it:exec:query -(found)> *: The target node was returned as a result of running the query.
meta:note -(about)> *: The meta:note is about the target node.
meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
meta:rule -(matches)> *: The meta:rule has matched on the target node.
meta:source -(seen)> *: The meta:source observed the target node.
ou:campaign -(targets)> *: The campaign targeted the target nodes.
ou:campaign -(uses)> *: The campaign made use of the target node.
ou:contribution -(includes)> *: The contribution includes the specific node.
ou:org -(has)> *: The organization is or was in possession of the target node.
ou:org -(owns)> *: The organization owns or owned the target node.
ou:org -(targets)> *: The organization targets the target node.
ou:org -(uses)> *: The ou:org makes use of the target node.
ps:contact -(has)> *: The contact is or was in possession of the target node.
ps:contact -(owns)> *: The contact owns or owned the target node.
ps:person -(has)> *: The person is or was in possession of the target node.
ps:person -(owns)> *: The person owns or owned the target node.
risk:attack -(targets)> *: The attack targeted the target node.
risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
risk:leak -(leaked)> *: The leak included the disclosure of the target node.
risk:tool:software -(uses)> *: The tool uses the target node.
sci:evidence -(has)> *: The evidence includes observations from the target nodes.
sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
sci:observation -(has)> *: The observations are summarized from the target nodes.

risk:threat:type:taxonomy

A taxonomy of threat types.

The base type for the form can be found at risk:threat:type:taxonomy.

Properties (name (type): doc [opts]):

:title (str): A brief title of the definition.
:summary (str): Deprecated. Please use title/desc. [Deprecated: True; Display: {'hint': 'text'}]
:desc (str): A definition of the taxonomy entry. [Display: {'hint': 'text'}]
:sort (int): A display sort order for siblings.
:base (taxon): The base taxon. [Read Only: True]
:depth (int): The depth indexed from 0. [Read Only: True]
:parent (risk:threat:type:taxonomy): The taxonomy parent. [Read Only: True]

Source Edges (source -(verb)> target: doc):

* -(meets)> ou:requirement: The requirement is met by the source node.
* -(refs)> *: The source node contains a reference to the target node.
* -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges (source -(verb)> target: doc):

* -(refs)> *: None
econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
it:exec:query -(found)> *: The target node was returned as a result of running the query.
meta:note -(about)> *: The meta:note is about the target node.
meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
meta:rule -(matches)> *: The meta:rule has matched on the target node.
meta:source -(seen)> *: The meta:source observed the target node.
ou:campaign -(targets)> *: The campaign targeted the target nodes.
ou:campaign -(uses)> *: The campaign made use of the target node.
ou:contribution -(includes)> *: The contribution includes the specific node.
ou:org -(has)> *: The organization is or was in possession of the target node.
ou:org -(owns)> *: The organization owns or owned the target node.
ou:org -(targets)> *: The organization targets the target node.
ou:org -(uses)> *: The ou:org makes use of the target node.
ps:contact -(has)> *: The contact is or was in possession of the target node.
ps:contact -(owns)> *: The contact owns or owned the target node.
ps:person -(has)> *: The person is or was in possession of the target node.
ps:person -(owns)> *: The person owns or owned the target node.
risk:attack -(targets)> *: The attack targeted the target node.
risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
risk:leak -(leaked)> *: The leak included the disclosure of the target node.
risk:threat -(targets)> *: The threat cluster targeted the target node.
risk:threat -(uses)> *: The threat cluster uses the target node.
risk:tool:software -(uses)> *: The tool uses the target node.
sci:evidence -(has)> *: The evidence includes observations from the target nodes.
sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
sci:observation -(has)> *: The observations are summarized from the target nodes.

risk:tool:software

A software tool used in threat activity, as reported by a specific organization.

The base type for the form can be found at risk:tool:software.

Properties (name (type): doc [opts]):

:tag (syn:tag): The tag used to annotate nodes that are associated with the tool. Example: rep.mandiant.tabcteng
:desc (str): A description of the tool.
:type (risk:tool:software:taxonomy): A type for the tool, as a taxonomy entry.
:used (ival): An interval for when the tool is assessed to have been deployed.
:availability (risk:availability): The reporting organization’s assessed availability of the tool.
:sophistication (meta:sophistication): The reporting organization’s assessed sophistication of the tool.
:reporter (ou:org): The organization reporting on the tool.
:reporter:name (ou:name): The name of the organization reporting on the tool.
:reporter:discovered (time): The time that the reporting organization first discovered the tool.
:reporter:published (time): The time that the reporting organization first publicly disclosed the tool.
:soft (it:prod:soft): The authoritative software family for the tool.
:soft:name (it:prod:softname): The reporting organization’s name for the tool.
:soft:names (uniq: True, sorted: True): An array of alternate names for the tool, according to the reporting organization.
:techniques (uniq: True, sorted: True): Deprecated for scalability. Please use -(uses)> ou:technique. [Deprecated: True]
:mitre:attack:software (it:mitre:attack:software): A mapping to a MITRE ATT&CK software if applicable.

Source Edges (source -(verb)> target: doc):

* -(meets)> ou:requirement: The requirement is met by the source node.
* -(refs)> *: The source node contains a reference to the target node.
* -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.
risk:tool:software -(uses)> ou:technique: The tool uses the technique.
risk:tool:software -(uses)> risk:vuln: The tool uses the vulnerability.
risk:tool:software -(uses)> *: The tool uses the target node.

Target Edges (source -(verb)> target: doc):

* -(refs)> *: None
econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
it:exec:query -(found)> *: The target node was returned as a result of running the query.
meta:note -(about)> *: The meta:note is about the target node.
meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
meta:rule -(matches)> *: The meta:rule has matched on the target node.
meta:source -(seen)> *: The meta:source observed the target node.
ou:campaign -(targets)> *: The campaign targeted the target nodes.
ou:campaign -(uses)> *: The campaign made use of the target node.
ou:contribution -(includes)> *: The contribution includes the specific node.
ou:org -(has)> *: The organization is or was in possession of the target node.
ou:org -(owns)> *: The organization owns or owned the target node.
ou:org -(targets)> *: The organization targets the target node.
ou:org -(uses)> *: The ou:org makes use of the target node.
ps:contact -(has)> *: The contact is or was in possession of the target node.
ps:contact -(owns)> *: The contact owns or owned the target node.
ps:person -(has)> *: The person is or was in possession of the target node.
ps:person -(owns)> *: The person owns or owned the target node.
risk:attack -(targets)> *: The attack targeted the target node.
risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
risk:leak -(leaked)> *: The leak included the disclosure of the target node.
risk:threat -(targets)> *: The threat cluster targeted the target node.
risk:threat -(uses)> *: The threat cluster uses the target node.
sci:evidence -(has)> *: The evidence includes observations from the target nodes.
sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
sci:observation -(has)> *: The observations are summarized from the target nodes.

risk:tool:software:taxonomy

A taxonomy of software / tool types.

The base type for the form can be found at risk:tool:software:taxonomy.

Properties (name (type): doc [opts]):

:title (str): A brief title of the definition.
:summary (str): Deprecated. Please use title/desc. [Deprecated: True; Display: {'hint': 'text'}]
:desc (str): A definition of the taxonomy entry. [Display: {'hint': 'text'}]
:sort (int): A display sort order for siblings.
:base (taxon): The base taxon. [Read Only: True]
:depth (int): The depth indexed from 0. [Read Only: True]
:parent (risk:tool:software:taxonomy): The taxonomy parent. [Read Only: True]

Source Edges (source -(verb)> target: doc):

* -(meets)> ou:requirement: The requirement is met by the source node.
* -(refs)> *: The source node contains a reference to the target node.
* -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges (source -(verb)> target: doc):

* -(refs)> *: None
econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
it:exec:query -(found)> *: The target node was returned as a result of running the query.
meta:note -(about)> *: The meta:note is about the target node.
meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
meta:rule -(matches)> *: The meta:rule has matched on the target node.
meta:source -(seen)> *: The meta:source observed the target node.
ou:campaign -(targets)> *: The campaign targeted the target nodes.
ou:campaign -(uses)> *: The campaign made use of the target node.
ou:contribution -(includes)> *: The contribution includes the specific node.
ou:org -(has)> *: The organization is or was in possession of the target node.
ou:org -(owns)> *: The organization owns or owned the target node.
ou:org -(targets)> *: The organization targets the target node.
ou:org -(uses)> *: The ou:org makes use of the target node.
ps:contact -(has)> *: The contact is or was in possession of the target node.
ps:contact -(owns)> *: The contact owns or owned the target node.
ps:person -(has)> *: The person is or was in possession of the target node.
ps:person -(owns)> *: The person owns or owned the target node.
risk:attack -(targets)> *: The attack targeted the target node.
risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
risk:leak -(leaked)> *: The leak included the disclosure of the target node.
risk:threat -(targets)> *: The threat cluster targeted the target node.
risk:threat -(uses)> *: The threat cluster uses the target node.
risk:tool:software -(uses)> *: The tool uses the target node.
sci:evidence -(has)> *: The evidence includes observations from the target nodes.
sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
sci:observation -(has)> *: The observations are summarized from the target nodes.

risk:vuln

A unique vulnerability.

The base type for the form can be found at risk:vuln.

Properties (name (type): doc [opts]):

:name (risk:vulnname): A user specified name for the vulnerability.
:names (sorted: True, uniq: True): An array of alternate names for the vulnerability.
:type (risk:vuln:type:taxonomy): A taxonomy type entry for the vulnerability.
:desc (str): A description of the vulnerability. [Display: {'hint': 'text'}]
:severity (meta:severity): The severity of the vulnerability.
:priority (meta:priority): The priority of the vulnerability.
:reporter (ou:org): The organization reporting on the vulnerability.
:reporter:name (ou:name): The name of the organization reporting on the vulnerability.
:mitigated (bool): Set to true if a mitigation/fix is available for the vulnerability.
:exploited (bool): Set to true if the vulnerability has been exploited in the wild.
:timeline:discovered (ismin: True): The earliest known discovery time for the vulnerability.
:timeline:published (ismin: True): The earliest known time the vulnerability was published.
:timeline:vendor:notified (ismin: True): The earliest known vendor notification time for the vulnerability.
:timeline:vendor:fixed (ismin: True): The earliest known time the vendor issued a fix for the vulnerability.
:timeline:exploited (ismin: True): The earliest known time when the vulnerability was exploited in the wild.
:id (strip: True): An identifier for the vulnerability.
:cve (it:sec:cve): The CVE ID of the vulnerability.
:cve:desc (str): The description of the vulnerability according to the CVE database. [Display: {'hint': 'text'}]
:cve:url (inet:url): A URL linking this vulnerability to the CVE description.
:cve:references (type: inet:url, uniq: True, sorted: True): An array of documentation URLs provided by the CVE database.
:nist:nvd:source (ou:name): The name of the organization which reported the vulnerability to NIST.
:nist:nvd:published (time): The date the vulnerability was first published in the NVD.
:nist:nvd:modified (ismax: True): The date the vulnerability was last modified in the NVD.
:cisa:kev:name (str): The name of the vulnerability according to the CISA KEV database.
:cisa:kev:desc (str): The description of the vulnerability according to the CISA KEV database.
:cisa:kev:action (str): The action to mitigate the vulnerability according to the CISA KEV database.
:cisa:kev:vendor (ou:name): The vendor name listed in the CISA KEV database.
:cisa:kev:product (it:prod:softname): The product name listed in the CISA KEV database.
:cisa:kev:added (time): The date the vulnerability was added to the CISA KEV database.
:cisa:kev:duedate (time): The date the action is due according to the CISA KEV database.
:cvss:v2 (cvss:v2): The CVSS v2 vector for the vulnerability.
:cvss:v2_0:score (float): The CVSS v2.0 overall score for the vulnerability.
:cvss:v2_0:score:base (float): The CVSS v2.0 base score for the vulnerability.
:cvss:v2_0:score:temporal (float): The CVSS v2.0 temporal score for the vulnerability.
:cvss:v2_0:score:environmental (float): The CVSS v2.0 environmental score for the vulnerability.
:cvss:v3 (cvss:v3): The CVSS v3 vector for the vulnerability.
:cvss:v3_0:score (float): The CVSS v3.0 overall score for the vulnerability.
:cvss:v3_0:score:base (float): The CVSS v3.0 base score for the vulnerability.
:cvss:v3_0:score:temporal (float): The CVSS v3.0 temporal score for the vulnerability.
:cvss:v3_0:score:environmental (float): The CVSS v3.0 environmental score for the vulnerability.
:cvss:v3_1:score (float): The CVSS v3.1 overall score for the vulnerability.
:cvss:v3_1:score:base (float): The CVSS v3.1 base score for the vulnerability.
:cvss:v3_1:score:temporal (float): The CVSS v3.1 temporal score for the vulnerability.
:cvss:v3_1:score:environmental (float): The CVSS v3.1 environmental score for the vulnerability.
:cvss:av (enums: N,A,P,L): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:ac (enums: L,H): Deprecated. Please use :cvss:v3. [Display: {'enums': (('Low', 'L'), ('High', 'H'))}; Deprecated: True]
:cvss:pr (enums: N,L,H): Deprecated. Please use :cvss:v3. [Display: {'enums': ({'title': 'None', 'value': 'N', 'doc': 'FIXME privs stuff'}, {'title': 'Low', 'value': 'L', 'doc': 'FIXME privs stuff'}, {'title': 'High', 'value': 'H', 'doc': 'FIXME privs stuff'})}; Deprecated: True]
:cvss:ui (enums: N,R): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:s (enums: U,C): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:c (enums: N,L,H): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:i (enums: N,L,H): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:a (enums: N,L,H): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:e (enums: X,U,P,F,H): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:rl (enums: X,O,T,W,U): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:rc (enums: X,U,R,C): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:mav (enums: X,N,A,L,P): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:mac (enums: X,L,H): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:mpr (enums: X,N,L,H): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:mui (enums: X,N,R): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:ms (enums: X,U,C): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:mc (enums: X,N,L,H): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:mi (enums: X,N,L,H): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:ma (enums: X,N,L,H): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:cr (enums: X,L,M,H): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:ir (enums: X,L,M,H): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:ar (enums: X,L,M,H): Deprecated. Please use :cvss:v3. [Deprecated: True]
:cvss:score (float): Deprecated. Please use version specific score properties. [Deprecated: True]
:cvss:score:base (float): Deprecated. Please use version specific score properties. [Deprecated: True]
:cvss:score:temporal (float): Deprecated. Please use version specific score properties. [Deprecated: True]
:cvss:score:environmental (float): Deprecated. Please use version specific score properties. [Deprecated: True]
:cwes (uniq: True, sorted: True): An array of MITRE CWE values that apply to the vulnerability.

Source Edges (source -(verb)> target: doc):

* -(meets)> ou:requirement: The requirement is met by the source node.
* -(refs)> *: The source node contains a reference to the target node.
* -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | risk:vuln | The attack used the vulnerability. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | risk:vuln | The threat cluster uses the vulnerability. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | risk:vuln | The tool uses the vulnerability. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

risk:vuln:soft:range

A contiguous range of software versions which contain a vulnerability.

The base type for the form can be found at risk:vuln:soft:range.

Properties:

| name | type | doc |
|---|---|---|
| :vuln | risk:vuln | The vulnerability present in this software version range. |
| :version:min | it:prod:softver | The minimum version which is vulnerable in this range. |
| :version:max | it:prod:softver | The maximum version which is vulnerable in this range. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

risk:vuln:type:taxonomy

A taxonomy of vulnerability types.

The base type for the form can be found at risk:vuln:type:taxonomy.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :title | str | A brief title of the definition. | |
| :summary | str | Deprecated. Please use title/desc. | Deprecated: True; Display: {'hint': 'text'} |
| :desc | str | A definition of the taxonomy entry. | Display: {'hint': 'text'} |
| :sort | int | A display sort order for siblings. | |
| :base | taxon | The base taxon. | Read Only: True |
| :depth | int | The depth indexed from 0. | Read Only: True |
| :parent | risk:vuln:type:taxonomy | The taxonomy parent. | Read Only: True |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

risk:vulnerable

Indicates that a node is susceptible to a vulnerability.

The base type for the form can be found at risk:vulnerable.

Properties:

| name | type | doc |
|---|---|---|
| :vuln | risk:vuln | The vulnerability that the node is susceptible to. |
| :period | ival | The time window where the node was vulnerable. |
| :node | ndef | The node which is vulnerable. |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

risk:vulnname

A vulnerability name such as log4j or rowhammer.

The base type for the form can be found at risk:vulnname.

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

rsa:key

An RSA keypair modulus and public exponent.

The base type for the form can be found at rsa:key.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :mod | hex | The RSA key modulus. | Read Only: True |
| :pub:exp | int | The public exponent of the key. | Read Only: True |
| :bits | int | The length of the modulus in bits. | |
| :priv:exp | hex | The private exponent of the key. | |
| :priv:p | hex | One of the two private primes. | |
| :priv:q | hex | One of the two private primes. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

sci:evidence

An assessment of how an observation supports or refutes a hypothesis.

The base type for the form can be found at sci:evidence.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :hypothesis | sci:experiment | The hypothesis which the evidence supports or refutes. | |
| :observation | sci:observation | The observation which supports or refutes the hypothesis. | |
| :summary | str | A summary of how the observation supports or refutes the hypothesis. | Display: {'hint': 'text'} |
| :refutes | bool | Set to true if the evidence refutes the hypothesis or false if it supports the hypothesis. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

sci:experiment

An instance of running an experiment.

The base type for the form can be found at sci:experiment.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :name | lower: True; onespace: True | The name of the experiment. | |
| :summary | str | A summary of the experiment. | Display: {'hint': 'text'} |
| :time | time | The time when the experiment was initiated. | |
| :type | sci:experiment:type:taxonomy | The type of experiment as a user defined taxonomy. | |
| :window | ival | The time window where the experiment was run. | |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

sci:experiment:type:taxonomy

A taxonomy of experiment types.

The base type for the form can be found at sci:experiment:type:taxonomy.

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

sci:hypothesis

A hypothesis or theory.

The base type for the form can be found at sci:hypothesis.

Properties:

| name | type | doc | opts |
|---|---|---|---|
| :name | lower: True; onespace: True | The name of the hypothesis. | |
| :type | sci:hypothesis:type:taxonomy | The type of hypothesis as a user defined taxonomy. | |
| :summary | str | A summary of the hypothesis. | Display: {'hint': 'text'} |

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

sci:hypothesis:type:taxonomy

A taxonomy of hypothesis types.

The base type for the form can be found at sci:hypothesis:type:taxonomy.

Source Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
|---|---|---|---|
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

sci:observation

An observation which may have resulted from an experiment.

The base type for the form can be found at sci:observation.

Properties:

name | type | doc | opts
:experiment | sci:experiment | The experiment which produced the observation.
:summary | str | A summary of the observation. | Display: {'hint': 'text'}
:time | time | The time that the observation occurred.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.

syn:cmd

A Synapse storm command.

The base type for the form can be found at syn:cmd.

Properties:

name | type | doc | opts
:doc | strip: True | Description of the command. | Display: {'hint': 'text'}
:package | strip: True | Storm package which provided the command.
:svciden | strip: True | Storm service iden which provided the package.
:input | type: syn:form | The list of forms accepted by the command as input. | uniq: True; sorted: True; Read Only: True
:output | type: syn:form | The list of forms produced by the command as output. | uniq: True; sorted: True; Read Only: True
:nodedata | | The list of nodedata that may be added by the command. | uniq: True; sorted: True; Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

syn:cron

A Cortex cron job.

The base type for the form can be found at syn:cron.

Properties:

name | type | doc | opts
:doc | str | A description of the cron job. | Display: {'hint': 'text'}
:name | str | A user-friendly name/alias for the cron job.
:storm | str | The Storm query executed by the cron job. | Read Only: True; Display: {'hint': 'text'}

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

syn:form

A Synapse form used for representing nodes in the graph.

The base type for the form can be found at syn:form.

Properties:

name | type | doc | opts
:doc | strip: True | The docstring for the form. | Read Only: True
:type | syn:type | Synapse type for this form. | Read Only: True
:runt | bool | Whether or not the form is runtime only. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

syn:prop

A Synapse property.

The base type for the form can be found at syn:prop.

Properties:

name | type | doc | opts
:doc | strip: True | Description of the property definition.
:form | syn:form | The form of the property. | Read Only: True
:type | syn:type | The Synapse type for this property. | Read Only: True
:relname | strip: True | Relative property name. | Read Only: True
:univ | bool | Specifies if a prop is universal. | Read Only: True
:base | strip: True | Base name of the property. | Read Only: True
:ro | bool | If the property is read-only after being set. | Read Only: True
:extmodel | bool | If the property is an extended model property or not. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

syn:tag

The base type for a synapse tag.

The base type for the form can be found at syn:tag.

Properties:

name | type | doc | opts
:up | syn:tag | The parent tag for the tag. | Read Only: True
:isnow | syn:tag | Set to an updated tag if the tag has been renamed.
:doc | str | A short definition for the tag. | Display: {'hint': 'text'}
:doc:url | inet:url | A URL link to additional documentation about the tag.
:depth | int | How deep the tag is in the hierarchy. | Read Only: True
:title | str | A display title for the tag.
:base | str | The tag base name, e.g. baz for foo.bar.baz. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

syn:tagprop

A user defined tag property.

The base type for the form can be found at syn:tagprop.

Properties:

name | type | doc | opts
:doc | strip: True | Description of the tagprop definition.
:type | syn:type | The Synapse type for this tagprop. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

syn:trigger

A Cortex trigger.

The base type for the form can be found at syn:trigger.

Properties:

name | type | doc | opts
:vers | int | Trigger version. | Read Only: True
:doc | str | A documentation string describing the trigger. | Display: {'hint': 'text'}
:name | str | A user-friendly name/alias for the trigger.
:cond | strip: True; lower: True | The trigger condition. | Read Only: True
:user | str | User who owns the trigger. | Read Only: True
:storm | str | The Storm query for the trigger. | Read Only: True; Display: {'hint': 'text'}
:enabled | bool | Trigger enabled status. | Read Only: True
:form | lower: True; strip: True | Form the trigger is watching for.
:verb | lower: True; strip: True | Edge verb the trigger is watching for.
:n2form | lower: True; strip: True | N2 form the trigger is watching for.
:prop | lower: True; strip: True | Property the trigger is watching for.
:tag | lower: True; strip: True | Tag the trigger is watching for.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

syn:type

A Synapse type used for normalizing nodes and properties.

The base type for the form can be found at syn:type.

Properties:

name | type | doc | opts
:doc | strip: True | The docstring for the type. | Read Only: True
:ctor | strip: True | The python ctor path for the type object. | Read Only: True
:subof | syn:type | Type which this inherits from. | Read Only: True
:opts | data | Arbitrary type options. | Read Only: True

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

tel:call

A guid for a telephone call record.

The base type for the form can be found at tel:call.

Properties:

name | type | doc | opts
:src | tel:phone | The source phone number for a call.
:dst | tel:phone | The destination phone number for a call.
:time | time | The time the call was initiated.
:duration | int | The duration of the call in seconds.
:connected | bool | Indicator of whether the call was connected.
:text | str | The text transcription of the call. | Display: {'hint': 'text'}
:file | file:bytes | A file containing related media.

Source Edges:

source | verb | target | doc
* | -(meets)> | ou:requirement | The requirement is met by the source node.
* | -(refs)> | * | The source node contains a reference to the target node.
* | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time.

Target Edges:

source | verb | target | doc
* | -(refs)> | * | None
econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node.
it:app:snort:rule | -(detects)> | * | The Snort rule is intended for use in detecting the target node.
it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node.
it:exec:query | -(found)> | * | The target node was returned as a result of running the query.
meta:note | -(about)> | * | The meta:note is about the target node.
meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node.
meta:rule | -(matches)> | * | The meta:rule has matched on the target node.
meta:source | -(seen)> | * | The meta:source observed the target node.
ou:campaign | -(targets)> | * | The campaign targeted the target nodes.
ou:campaign | -(uses)> | * | The campaign made use of the target node.
ou:contribution | -(includes)> | * | The contribution includes the specific node.
ou:org | -(has)> | * | The organization is or was in possession of the target node.
ou:org | -(owns)> | * | The organization owns or owned the target node.
ou:org | -(targets)> | * | The organization targets the target node.
ou:org | -(uses)> | * | The ou:org makes use of the target node.
ps:contact | -(has)> | * | The contact is or was in possession of the target node.
ps:contact | -(owns)> | * | The contact owns or owned the target node.
ps:person | -(has)> | * | The person is or was in possession of the target node.
ps:person | -(owns)> | * | The person owns or owned the target node.
risk:attack | -(targets)> | * | The attack targeted the target node.
risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack.
risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise.
risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node.
risk:leak | -(leaked)> | * | The leak included the disclosure of the target node.
risk:threat | -(targets)> | * | The threat cluster targeted the target node.
risk:threat | -(uses)> | * | The threat cluster uses the target node.
risk:tool:software | -(uses)> | * | The tool uses the target node.
sci:evidence | -(has)> | * | The evidence includes observations from the target nodes.
sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run.
sci:observation | -(has)> | * | The observations are summarized from the target nodes.

tel:mob:carrier

The fusion of an MCC/MNC.

The base type for the form can be found at tel:mob:carrier.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :mcc | tel:mob:mcc | ITU Mobile Country Code. | Read Only: True |
| :mnc | tel:mob:mnc | ITU Mobile Network Code. | Read Only: True |
| :org | ou:org | Organization operating the carrier. | |
| :loc | loc | Location the carrier operates from. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

tel:mob:cell

A mobile cell site which a phone may connect to.

The base type for the form can be found at tel:mob:cell.

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :carrier | tel:mob:carrier | Mobile carrier. | Read Only: True |
| :carrier:mcc | tel:mob:mcc | Mobile Country Code. | Read Only: True |
| :carrier:mnc | tel:mob:mnc | Mobile Network Code. | Read Only: True |
| :lac | int | Location Area Code. LTE networks may call this a TAC (Tracking Area Code); it is unrelated to the IMEI Type Allocation Code modeled by tel:mob:tac. | Read Only: True |
| :cid | int | The Cell ID. | Read Only: True |
| :radio | lower: 1; onespace: 1 | Cell radio type. | |
| :latlong | geo:latlong | Last known location of the cell site. | |
| :loc | loc | Location at which the cell is operated. | |
| :place | geo:place | The place associated with the latlong property. | |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

tel:mob:imei

An International Mobile Equipment Id.

The base type for the form can be found at tel:mob:imei.

An example of tel:mob:imei:

  • 490154203237518

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :tac | tel:mob:tac | The Type Allocation Code within the IMEI. | Read Only: True |
| :serial | int | The serial number within the IMEI. | Read Only: True |
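How the read-only :tac and :serial properties fall out of the number itself, as an added Python example (not part of this page or of Synapse): a 15-digit IMEI is an 8-digit Type Allocation Code, a 6-digit serial and a Luhn check digit, so a mistyped or truncated identifier can be rejected before it becomes a node. The 490154203237518 value is the one this page uses; the formatting strip and the recomputation of a missing check digit for 14-digit input are this example's assumptions about how IMEIs arrive in source data, and the function names are its own.

```python
"""Decompose and validate a 15-digit IMEI: 8-digit TAC, 6-digit serial, Luhn check digit."""
import re

_NON_DIGIT = re.compile(r"[^0-9]")


def _luhn_sum(digits: str, double_rightmost: bool) -> int:
    """Luhn running sum over a digit string.

    double_rightmost=False: the rightmost digit is the check digit, so doubling
    starts one position to its left. True: the string is a body without its
    check digit, so doubling starts at the rightmost digit.
    """
    total = 0
    for idx, ch in enumerate(reversed(digits)):
        n = int(ch)
        if (idx % 2 == 0) == double_rightmost:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total


def luhn_valid(digits: str) -> bool:
    """True if digits (check digit included) satisfy the Luhn check."""
    return _luhn_sum(digits, double_rightmost=False) % 10 == 0


def luhn_check_digit(body: str) -> str:
    """The single digit that makes body + digit Luhn-valid."""
    return str((10 - _luhn_sum(body, double_rightmost=True) % 10) % 10)


def parse_imei(raw: str) -> dict:
    """Strip formatting, validate, and split an IMEI into the form's parts.

    Returns {"imei", "tac", "serial", "check", "luhn_ok", "check_computed"}.
    A 14-digit input (an IMEI recorded without its check digit; an assumption
    about some source data) gets the check digit recomputed and is flagged
    with check_computed=True. Any other length raises ValueError.
    """
    digits = _NON_DIGIT.sub("", raw)
    computed = False
    if len(digits) == 14:
        digits += luhn_check_digit(digits)
        computed = True
    if len(digits) != 15:
        raise ValueError(f"IMEI must be 15 digits after stripping, got {len(digits)}: {raw!r}")
    return {
        "imei": digits,
        "tac": digits[:8],            # Type Allocation Code -> tel:mob:tac
        "serial": int(digits[8:14]),  # serial number within the TAC range
        "check": digits[14],
        "luhn_ok": luhn_valid(digits),
        "check_computed": computed,
    }


if __name__ == "__main__":
    for sample in ("49-015420-323751-8", "490154203237519", "49015420323751"):
        print(sample, "->", parse_imei(sample))
```

A Luhn failure only proves corruption, not authenticity: the check digit is public arithmetic, so a forged IMEI passes it just as easily as a real one. Use it to reject transcription errors, not to trust a device identifier.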

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

tel:mob:imid

Fused knowledge of an IMEI/IMSI used together.

The base type for the form can be found at tel:mob:imid.

An example of tel:mob:imid:

  • (490154203237518, 310150123456789)

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :imei | tel:mob:imei | The IMEI for the phone hardware. | Read Only: True |
| :imsi | tel:mob:imsi | The IMSI for the phone subscriber. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

tel:mob:imsi

An International Mobile Subscriber Id.

The base type for the form can be found at tel:mob:imsi.

An example of tel:mob:imsi:

  • 310150123456789

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :mcc | tel:mob:mcc | The Mobile Country Code. | Read Only: True |
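The form carries only :mcc because the rest of an IMSI does not split without outside knowledge: the MCC is always the first three digits, but the MNC that follows is two or three digits depending on the country's numbering plan, so the MSIN boundary moves with it. An added Python example (not Synapse code) that makes the ambiguity explicit instead of guessing; the THREE_DIGIT_MNC_MCCS table is illustrative and deliberately incomplete, the 262... value is a constructed input, and parse_imsi/carrier_key are this example's own names.

```python
"""Split an IMSI into MCC / MNC / MSIN; only the 3-digit MCC is unambiguous."""
import re
from typing import Optional, Tuple

_NON_DIGIT = re.compile(r"[^0-9]")

# MCCs whose networks use three-digit MNCs (North America under ITU-T E.212).
# Deliberately incomplete and illustrative only: an MCC missing from this set
# is reported as "MNC length unknown", never assumed to be two digits.
THREE_DIGIT_MNC_MCCS = frozenset({"302", "310", "311", "312", "313", "314", "315", "316"})


def parse_imsi(raw: str, mnc_length: Optional[int] = None) -> dict:
    """Return {"imsi", "mcc", "mnc", "msin"}; mnc and msin are None when the split is unknown.

    mnc_length (2 or 3) overrides the table when the caller already knows the
    carrier's numbering plan, for example from a tel:mob:carrier node that is
    already in the graph.
    """
    digits = _NON_DIGIT.sub("", raw)
    # 3-digit MCC + 2..3-digit MNC + at least one MSIN digit; E.212 caps the IMSI at 15 digits.
    if not 6 <= len(digits) <= 15:
        raise ValueError(f"IMSI must be 6..15 digits, got {len(digits)}: {raw!r}")
    mcc = digits[:3]
    if mnc_length is None and mcc in THREE_DIGIT_MNC_MCCS:
        mnc_length = 3
    if mnc_length not in (None, 2, 3):
        raise ValueError("MNC length must be 2 or 3")
    result = {"imsi": digits, "mcc": mcc, "mnc": None, "msin": None}
    if mnc_length is not None:
        result["mnc"] = digits[3:3 + mnc_length]
        result["msin"] = digits[3 + mnc_length:]
    return result


def carrier_key(parsed: dict) -> Optional[Tuple[str, str]]:
    """(mcc, mnc) for a tel:mob:carrier lookup, or None while the MNC length is unknown."""
    if parsed["mnc"] is None:
        return None
    return (parsed["mcc"], parsed["mnc"])


if __name__ == "__main__":
    print(parse_imsi("310150123456789"))                  # page example: MCC 310, 3-digit MNC
    print(parse_imsi("262011234567890"))                  # constructed: MNC length unknown
    print(parse_imsi("262011234567890", mnc_length=2))    # caller supplies the plan
```

Returning None for the carrier key, rather than a wrong two-digit guess, is the point: a mis-split MNC silently attaches the subscriber to the wrong tel:mob:carrier node and every pivot from there inherits the error.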

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

tel:mob:imsiphone

Fused knowledge of a phone number assigned to an IMSI.

The base type for the form can be found at tel:mob:imsiphone.

An example of tel:mob:imsiphone:

  • (310150123456789, "+7(495) 124-59-83")

Properties:

| name | type | doc | opts |
| --- | --- | --- | --- |
| :phone | tel:phone | The phone number assigned to the IMSI. | Read Only: True |
| :imsi | tel:mob:imsi | The IMSI with the assigned phone number. | Read Only: True |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

tel:mob:mcc

ITU Mobile Country Code.

The base type for the form can be found at tel:mob:mcc.

Properties:

| name | type | doc |
| --- | --- | --- |
| :loc | loc | Location assigned to the MCC. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

tel:mob:tac

A mobile Type Allocation Code.

The base type for the form can be found at tel:mob:tac.

An example of tel:mob:tac:

  • 49015420

Properties:

| name | type | doc |
| --- | --- | --- |
| :org | ou:org | The org guid for the manufacturer. |
| :manu | lower: 1 | The TAC manufacturer name. |
| :model | lower: 1 | The TAC model name. |
| :internal | lower: 1 | The TAC internal model name. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

tel:mob:telem

A single mobile telemetry measurement.

The base type for the form can be found at tel:mob:telem.

Properties:

| name | type | doc |
| --- | --- | --- |
| :time | time | A date/time value. |
| :latlong | geo:latlong | A Lat/Long string specifying a point on Earth. |
| :http:request | inet:http:request | The HTTP request that the telemetry was extracted from. |
| :host | it:host | The host that generated the mobile telemetry data. |
| :place | geo:place | The place representing the location of the mobile telemetry sample. |
| :loc | loc | The geo-political location of the mobile telemetry sample. |
| :accuracy | geo:dist | The reported accuracy of the latlong telemetry reading. |
| :cell | tel:mob:cell | A mobile cell site which a phone may connect to. |
| :cell:carrier | tel:mob:carrier | The fusion of an MCC/MNC. |
| :imsi | tel:mob:imsi | An International Mobile Subscriber Id. |
| :imei | tel:mob:imei | An International Mobile Equipment Id. |
| :phone | tel:phone | A phone number. |
| :mac | inet:mac | A 48-bit Media Access Control (MAC) address. |
| :ipv4 | inet:ipv4 | An IPv4 address. |
| :ipv6 | inet:ipv6 | An IPv6 address. |
| :wifi | inet:wifi:ap | An SSID/MAC address combination for a wireless access point. |
| :wifi:ssid | inet:wifi:ssid | A WiFi service set identifier (SSID) name. |
| :wifi:bssid | inet:mac | A 48-bit Media Access Control (MAC) address. |
| :adid | it:adid | An advertising identification string. |
| :aaid | it:os:android:aaid | An android advertising identification string. |
| :idfa | it:os:ios:idfa | An iOS advertising identification string. |
| :name | ps:name | An arbitrary, lower spaced string with normalized whitespace. |
| :email | inet:email | An e-mail address. |
| :acct | inet:web:acct | An account with a given Internet-based site or service. |
| :app | it:prod:softver | A specific version of a software product. |
| :data | data | Arbitrary json compatible data. |
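tel:mob:imid and tel:mob:imsiphone above are fusion forms: each records that two identifiers (an IMEI and an IMSI, or an IMSI and a phone number) were observed together, and a single tel:mob:telem measurement is exactly where such a co-observation comes from. An added Python example (not part of this page or of Synapse) that derives both kinds of pair from telemetry records shaped like a subset of tel:mob:telem, keeps first/last-seen and a count per pair, and then asks the two questions an analyst usually wants answered: which SIMs moved between handsets, and which handsets carried more than one SIM. SAMPLE_TELEM is constructed data: the timestamps, the second IMEI, the phone numbers and all function names are this example's own; the IMSI and the first IMEI reuse the page's example values.

```python
"""Fuse tel:mob:telem-style records into IMEI/IMSI and IMSI/phone pairs and flag SIM moves."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

# Constructed sample telemetry, not real data. Each dict carries a subset of the
# tel:mob:telem properties; fields a real feed omits are simply absent.
SAMPLE_TELEM = [
    {"time": "2024-03-01T08:00:00Z", "imsi": "310150123456789", "imei": "490154203237518", "phone": "15558675309"},
    {"time": "2024-03-01T09:30:00Z", "imsi": "310150123456789", "imei": "490154203237518", "phone": "15558675309"},
    {"time": "2024-03-02T10:00:00Z", "imsi": "310150123456789", "imei": "354000000000010", "phone": "15558675309"},
    {"time": "2024-03-03T11:00:00Z", "imsi": "310150987654321", "imei": "354000000000010", "phone": "15558675310"},
    {"time": "2024-03-03T12:00:00Z", "imsi": "310150987654321", "phone": "15558675310"},  # no IMEI reported
]

Seen = Dict[Tuple[str, str], dict]


def _parse_time(ts: str) -> datetime:
    """ISO-8601 with a trailing Z, normalised to an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def fuse(records: Iterable[dict]) -> Tuple[Seen, Seen]:
    """Build the two fusion keys the model describes.

    imid:      (imei, imsi)  -> {"first", "last", "count"}   (tel:mob:imid)
    imsiphone: (imsi, phone) -> same                         (tel:mob:imsiphone)
    A record lacking either half of a key contributes nothing to that key.
    """
    imid: Seen = {}
    imsiphone: Seen = {}
    for rec in records:
        when = _parse_time(rec["time"])
        for table, key in ((imid, (rec.get("imei"), rec.get("imsi"))),
                           (imsiphone, (rec.get("imsi"), rec.get("phone")))):
            if None in key:
                continue
            seen = table.setdefault(key, {"first": when, "last": when, "count": 0})
            seen["first"] = min(seen["first"], when)
            seen["last"] = max(seen["last"], when)
            seen["count"] += 1
    return imid, imsiphone


def _group(imid: Seen, by: int) -> Dict[str, List[str]]:
    """Group imid keys on one component, listing the other in first-seen order.

    Only groups with more than one member are returned; a single pairing is
    the normal case and not worth surfacing.
    """
    groups = defaultdict(list)
    for key, seen in imid.items():
        groups[key[by]].append((seen["first"], key[1 - by]))
    return {k: [other for _, other in sorted(v)] for k, v in groups.items() if len(v) > 1}


def find_sim_moves(imid: Seen) -> Dict[str, List[str]]:
    """IMSI -> IMEIs it was seen in, oldest first: the SIM moved between handsets."""
    return _group(imid, by=1)


def find_shared_handsets(imid: Seen) -> Dict[str, List[str]]:
    """IMEI -> IMSIs seen in it, oldest first: the handset carried more than one SIM."""
    return _group(imid, by=0)


if __name__ == "__main__":
    imid, imsiphone = fuse(SAMPLE_TELEM)
    print("SIM moves:", find_sim_moves(imid))
    print("shared handsets:", find_shared_handsets(imid))
    print("IMSI/phone pairs:", {k: v["count"] for k, v in imsiphone.items()})
```

The first/last-seen window per pair is what lets a later pivot say not just that a SIM and a handset were paired but when, which is the difference between "this device was used by the subscriber" and "this device was used by the subscriber after the date of interest".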

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

tel:phone

A phone number.

The base type for the form can be found at tel:phone.

An example of tel:phone:

  • +15558675309

Properties:

| name | type | doc |
| --- | --- | --- |
| :loc | loc | The location associated with the number. |

Source Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(meets)> | ou:requirement | The requirement is met by the source node. |
| * | -(refs)> | * | The source node contains a reference to the target node. |
| * | -(seenat)> | geo:telem | The source node was seen at the geo:telem node place and time. |

Target Edges:

| source | verb | target | doc |
| --- | --- | --- | --- |
| * | -(refs)> | * | None |
| econ:purchase | -(acquired)> | * | The purchase was used to acquire the target node. |
| it:app:snort:rule | -(detects)> | * | The snort rule is intended for use in detecting the target node. |
| it:app:yara:rule | -(detects)> | * | The YARA rule is intended for use in detecting the target node. |
| it:exec:query | -(found)> | * | The target node was returned as a result of running the query. |
| meta:note | -(about)> | * | The meta:note is about the target node. |
| meta:rule | -(detects)> | * | The meta:rule is designed to detect instances of the target node. |
| meta:rule | -(matches)> | * | The meta:rule has matched on the target node. |
| meta:source | -(seen)> | * | The meta:source observed the target node. |
| ou:campaign | -(targets)> | * | The campaign targeted the target nodes. |
| ou:campaign | -(uses)> | * | The campaign made use of the target node. |
| ou:contribution | -(includes)> | * | The contribution includes the specific node. |
| ou:org | -(has)> | * | The organization is or was in possession of the target node. |
| ou:org | -(owns)> | * | The organization owns or owned the target node. |
| ou:org | -(targets)> | * | The organization targets the target node. |
| ou:org | -(uses)> | * | The ou:org makes use of the target node. |
| ps:contact | -(has)> | * | The contact is or was in possession of the target node. |
| ps:contact | -(owns)> | * | The contact owns or owned the target node. |
| ps:person | -(has)> | * | The person is or was in possession of the target node. |
| ps:person | -(owns)> | * | The person owns or owned the target node. |
| risk:attack | -(targets)> | * | The attack targeted the target node. |
| risk:attack | -(uses)> | * | The attack used the target node to facilitate the attack. |
| risk:compromise | -(stole)> | * | The target node was stolen or copied as a result of the compromise. |
| risk:extortion | -(leveraged)> | * | The extortion event was based on attacker access to the target node. |
| risk:leak | -(leaked)> | * | The leak included the disclosure of the target node. |
| risk:threat | -(targets)> | * | The threat cluster targeted the target node. |
| risk:threat | -(uses)> | * | The threat cluster uses the target node. |
| risk:tool:software | -(uses)> | * | The tool uses the target node. |
| sci:evidence | -(has)> | * | The evidence includes observations from the target nodes. |
| sci:experiment | -(uses)> | * | The experiment used the target nodes when it was run. |
| sci:observation | -(has)> | * | The observations are summarized from the target nodes. |

tel:txtmesg

A guid for an individual text message.

The base type for the form can be found at tel:txtmesg.

Properties:

name

type

doc

opts

:from

tel:phone

The phone number assigned to the sender.

:to

tel:phone

The phone number assigned to the primary recipient.

:recipients

type: tel:phone
uniq: True
sorted: True

An array of phone numbers for additional recipients of the message.

:svctype

enums: sms,mms,rcs
strip: 1
lower: 1

The message service type (sms, mms, rcs).

:time

time

The time the message was sent.

:text

str

The text of the message.

Display: {'hint': 'text'}

:file

file:bytes

A file containing related media.
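The two forms above hinge on normalization: a phone number written three different ways must resolve to one tel:phone node, or the :from, :to and :recipients pivots silently fragment across look-alike nodes; the strip/lower/enums options on :svctype and the uniq/sorted options on :recipients exist for the same reason. The following is an added Python example, not Synapse's own code, that applies those rules while assembling a tel:txtmesg property set. The digit-only phone normalization (rendered with a leading "+" as in the page's tel:phone example), the epoch-millisecond time encoding and the sample numbers are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Added example, not Synapse's own code. It mirrors the normalization this
# page describes for tel:phone and tel:txtmesg values: phone numbers reduce to
# a digit string (rendered with a leading "+", as in the page's example),
# :svctype is stripped and lower-cased then checked against its enum, and
# :recipients is de-duplicated and sorted. The exact digit-only rule and the
# epoch-millisecond time encoding are assumptions of this example.

SVCTYPES = ("sms", "mms", "rcs")   # enum listed on the :svctype property


def norm_phone(raw: str) -> str:
    """Collapse any written form of a number to its digits.

    '+1 (555) 867-5309', '1-555-867-5309' and '15558675309' all become
    '15558675309', so they resolve to the same tel:phone node instead of
    three look-alike nodes that never pivot to each other.
    """
    if re.search(r"[A-Za-z]", raw):
        raise ValueError(f"letters in phone number: {raw!r}")
    digits = re.sub(r"\D", "", raw)
    if not digits:
        raise ValueError(f"no digits in phone number: {raw!r}")
    return digits


def repr_phone(digits: str) -> str:
    """Display form matching the page's example (+15558675309)."""
    return "+" + digits


def norm_svctype(raw: str) -> str:
    """Apply the strip/lower options, then enforce the enum."""
    val = raw.strip().lower()
    if val not in SVCTYPES:
        raise ValueError(f"svctype {raw!r} not in {SVCTYPES}")
    return val


def norm_time(iso: str) -> int:
    """ISO-8601 timestamp -> epoch milliseconds (assumed time encoding)."""
    dt = datetime.fromisoformat(iso.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def build_txtmesg(frm, to, recipients, svctype, time, text):
    """Return the property dict for one tel:txtmesg node.

    `recipients` are the *additional* recipients (the page's wording); they
    are normalized, de-duplicated and sorted as the uniq/sorted options require.
    """
    return {
        ":from": norm_phone(frm),
        ":to": norm_phone(to),
        ":recipients": tuple(sorted({norm_phone(r) for r in recipients})),
        ":svctype": norm_svctype(svctype),
        ":time": norm_time(time),
        ":text": text,
    }


if __name__ == "__main__":
    # constructed sample input, not real message data
    node = build_txtmesg(
        frm="+1 (555) 867-5309",
        to="1-555-000-0001",
        recipients=["+1 555 000 0002", "1-555-000-0001", "15550000002"],
        svctype=" SMS ",
        time="2024-01-02T03:04:05Z",
        text="see you at the gate",
    )
    print(node)
```

Digit stripping alone does not add a country code, so 5558675309 and 15558675309 remain two distinct values; a caller that knows the originating country should prepend the code before normalizing, otherwise domestic and international renderings of one number still fail to merge.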

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the place and time of the geo:telem node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

transport:air:craft

An individual aircraft.

The base type for the form can be found at transport:air:craft.

Properties:

name

type

doc

:tailnum

transport:air:tailnum

The aircraft tail number.

:type

lower: True
strip: True

The type of aircraft.

:built

time

The date the aircraft was constructed.

:make

lower: True
strip: True

The make of the aircraft.

:model

lower: True
strip: True

The model of the aircraft.

:serial

strip: True

The serial number of the aircraft.

:operator

ps:contact

Contact info representing the person or org that operates the aircraft.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the place and time of the geo:telem node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

transport:air:flight

An individual instance of a flight.

The base type for the form can be found at transport:air:flight.

Properties:

name

type

doc

:num

transport:air:flightnum

The flight number of this flight.

:scheduled:departure

time

The time this flight was originally scheduled to depart.

:scheduled:arrival

time

The time this flight was originally scheduled to arrive.

:departed

time

The time this flight departed.

:arrived

time

The time this flight arrived.

:carrier

ou:org

The org which operates the given flight number.

:craft

transport:air:craft

The aircraft that flew this flight.

:tailnum

transport:air:tailnum

The tail/registration number at the time the aircraft flew this flight.

:to:port

transport:air:port

The destination airport of this flight.

:from:port

transport:air:port

The origin airport of this flight.

:stops

An ordered list of airport codes for stops which occurred during this flight.

:cancelled

bool

Set to true for cancelled flights.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the place and time of the geo:telem node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

transport:air:flightnum

A commercial flight designator including airline and serial.

The base type for the form can be found at transport:air:flightnum.

An example of transport:air:flightnum:

  • ua2437

Properties:

name

type

doc

:carrier

ou:org

The org which operates the given flight number.

:to:port

transport:air:port

The most recently registered destination for the flight number.

:from:port

transport:air:port

The most recently registered origin for the flight number.

:stops

An ordered list of airport codes for the flight segments.
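A flight designator carries two facts, the airline and the serial, and one designator is written many ways ("UA 2437", "UA2437", "ua2437", or with the ICAO code "UAL2437"); unless every source collapses to the same value, the same flight number ends up as several transport:air:flightnum nodes. Note also the split between forms: transport:air:flightnum is the recurring designator, whose ports are only the most recently registered route, while transport:air:flight is one dated instance of it with the actual departure, arrival and aircraft. The parser below is an added Python example, not Synapse's own code; its grammar (a two-character IATA or three-letter ICAO airline code, a 1-4 digit serial with leading zeros dropped, an optional one-letter suffix) and the sample designators are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Added example, not Synapse's own code. The grammar below is an assumption of
# this example: a two-character IATA airline code (letters or digits, at least
# one letter) or a three-letter ICAO code, optional whitespace, a 1-4 digit
# flight serial with any leading zeros dropped, and an optional one-letter
# suffix. Normalized output is lower-cased like the page's example "ua2437".

_DESIGNATOR = re.compile(
    r"^(?P<carrier>[A-Za-z0-9]{2}|[A-Za-z]{3})\s*0*(?P<serial>\d{1,4})(?P<suffix>[A-Za-z]?)$"
)


@dataclass(frozen=True)
class FlightNum:
    carrier: str   # normalized (lower-case) airline code
    serial: int    # flight serial with leading zeros removed
    suffix: str    # optional operational suffix, lower-cased, '' if absent

    @property
    def norm(self) -> str:
        """The transport:air:flightnum primary value, e.g. 'ua2437'."""
        return f"{self.carrier}{self.serial}{self.suffix}"


def parse_flightnum(raw: str) -> FlightNum:
    """Parse 'UA 2437', 'ua2437', 'UAL2437', '9W0123' or 'BA117A'."""
    m = _DESIGNATOR.match(raw.strip())
    if m is None:
        raise ValueError(f"not a flight designator: {raw!r}")
    carrier = m.group("carrier").lower()
    if not re.search(r"[a-z]", carrier):
        # '2437' alone would otherwise parse as carrier '24', serial 37
        raise ValueError(f"airline code missing in: {raw!r}")
    return FlightNum(carrier, int(m.group("serial")), m.group("suffix").lower())


def same_designator(a: str, b: str) -> bool:
    """True when two differently written designators name one flightnum node."""
    return parse_flightnum(a).norm == parse_flightnum(b).norm


if __name__ == "__main__":
    # constructed inputs, not data from the page
    for text in ("UA 2437", "ua2437", "UAL2437", "9W0123", "BA117A"):
        print(f"{text!r:12} -> {parse_flightnum(text).norm}")
```

The IATA and ICAO spellings of one carrier ("ua" versus "ual") still normalize to different values; mapping one onto the other needs a carrier table keyed by the :carrier ou:org, which is exactly what that property is for.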

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the place and time of the geo:telem node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

transport:air:occupant

An occupant of a specific flight.

The base type for the form can be found at transport:air:occupant.

Properties:

name

type

doc

:type

lower: True

The type of occupant such as pilot, crew or passenger.

:flight

transport:air:flight

The flight that the occupant was aboard.

:seat

lower: True

The seat assigned to the occupant.

:contact

ps:contact

The contact information of the occupant.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the place and time of the geo:telem node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

transport:air:port

An IATA-assigned airport code.

The base type for the form can be found at transport:air:port.

Properties:

name

type

doc

:name

lower: True
onespace: True

The name of the airport.

:place

geo:place

The place where the IATA airport code is assigned.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the place and time of the geo:telem node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

transport:air:tailnum

An aircraft registration number or military aircraft serial number.

The base type for the form can be found at transport:air:tailnum.

An example of transport:air:tailnum:

  • ff023

Properties:

name

type

doc

:loc

loc

The geopolitical location that the tail number is allocated to.

:type

lower: True
strip: True

A type which may be specific to the country prefix.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the place and time of the geo:telem node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

transport:air:telem

A telemetry sample from an aircraft in transit.

The base type for the form can be found at transport:air:telem.

Properties:

name

type

doc

:flight

transport:air:flight

The flight being measured.

:latlong

geo:latlong

The lat/lon of the aircraft at the time.

:loc

loc

The location of the aircraft at the time.

:place

geo:place

The place that the lat/lon geocodes to.

:accuracy

geo:dist

The horizontal accuracy of the latlong sample.

:course

transport:direction

The direction, in degrees from true North, that the aircraft is traveling.

:heading

transport:direction

The direction, in degrees from true North, that the nose of the aircraft is pointed.

:speed

velocity

The ground speed of the aircraft at the time.

:airspeed

velocity

The air speed of the aircraft at the time.

:verticalspeed

relative: True

The relative vertical speed of the aircraft at the time.

:altitude

geo:altitude

The altitude of the aircraft at the time.

:altitude:accuracy

geo:dist

The vertical accuracy of the altitude measurement.

:time

time

The time the telemetry sample was taken.
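Because each sample records position, time, ground speed and course as separate properties, consecutive samples for one :flight can be cross-checked: the track derived from two :latlong fixes and their :time values should agree with the reported :speed and :course, and a sample that breaks that relation is either bad data or injected. The following is an added Python example, not Synapse's own code. It fixes units the page leaves to the types (epoch seconds, decimal degrees, metres per second, degrees from true north), assumes a spherical Earth, and uses constructed sample points. It compares against :course rather than :heading on purpose: in a crosswind the nose legitimately points away from the direction of travel, so a heading/track mismatch is not an anomaly.

```python
import math
from dataclasses import dataclass

# Added example, not Synapse's own code. It takes the latlong/time/speed/course
# properties of two consecutive transport:air:telem-style samples, derives the
# ground track between them and checks the reported :speed and :course against
# it. Units are assumptions of this example: epoch seconds, decimal degrees,
# metres per second and degrees from true north. It compares against :course
# (direction of travel), not :heading (where the nose points): in a crosswind
# the two legitimately differ, so a heading/track mismatch is not an anomaly.

EARTH_RADIUS_M = 6371000.0   # mean Earth radius for the spherical model


@dataclass(frozen=True)
class TelemSample:
    time: float     # :time, epoch seconds
    lat: float      # :latlong latitude, decimal degrees
    lon: float      # :latlong longitude, decimal degrees
    speed: float    # :speed, ground speed in m/s
    course: float   # :course, degrees from true north


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2.0 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def initial_bearing_deg(lat1, lon1, lat2, lon2):
    """Bearing from point 1 to point 2, degrees clockwise from true north."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    y = math.sin(dlam) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlam)
    return math.degrees(math.atan2(y, x)) % 360.0


def angle_diff_deg(a, b):
    """Smallest absolute difference between two bearings (handles 359 vs 1)."""
    return abs((a - b + 180.0) % 360.0 - 180.0)


def check_track(prev: TelemSample, cur: TelemSample,
                speed_tol=0.25, course_tol_deg=20.0, min_dist_m=50.0) -> dict:
    """Compare cur's reported speed/course with the track implied from prev.

    speed_tol is a fraction of the reported speed; course is only judged when
    the aircraft moved at least min_dist_m, because the bearing between two
    nearly coincident fixes is noise.
    """
    dt = cur.time - prev.time
    if dt <= 0:
        raise ValueError("samples must be in increasing time order")
    dist = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
    implied_speed = dist / dt
    implied_course = initial_bearing_deg(prev.lat, prev.lon, cur.lat, cur.lon)
    speed_ok = abs(implied_speed - cur.speed) <= speed_tol * max(cur.speed, 1.0)
    course_ok = dist < min_dist_m or angle_diff_deg(implied_course, cur.course) <= course_tol_deg
    return {
        "distance_m": dist,
        "implied_speed": implied_speed,
        "implied_course": implied_course,
        "speed_ok": speed_ok,
        "course_ok": course_ok,
        "plausible": speed_ok and course_ok,
    }


if __name__ == "__main__":
    # constructed samples on the equator, 60 s apart; not real telemetry
    a = TelemSample(0, 0.0, 0.00, 18.5, 90.0)
    b = TelemSample(60, 0.0, 0.01, 18.5, 90.0)     # ~1112 m east: consistent
    c = TelemSample(120, 0.0, 0.50, 18.5, 90.0)    # ~54 km in 60 s: impossible
    print(check_track(a, b))
    print(check_track(b, c))
```

The tolerances are deliberately loose: :accuracy on each fix bounds how much of the implied speed is position noise, so a stricter check should widen speed_tol as (accuracy of both fixes) / dt grows rather than use one fixed fraction.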

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the place and time of the geo:telem node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

transport:land:license

A license to operate a land vehicle issued to a contact.

The base type for the form can be found at transport:land:license.

Properties:

name

type

doc

:id

strip: True

The license ID.

:contact

ps:contact

The contact info of the registrant.

:issued

time

The time the license was issued.

:expires

time

The time the license expires.

:issuer

ou:org

The org which issued the license.

:issuer:name

ou:name

The name of the org which issued the license.

Source Edges:

source

verb

target

doc

*

-(meets)>

ou:requirement

The requirement is met by the source node.

*

-(refs)>

*

The source node contains a reference to the target node.

*

-(seenat)>

geo:telem

The source node was seen at the place and time of the geo:telem node.

Target Edges:

source

verb

target

doc

*

-(refs)>

*

None

econ:purchase

-(acquired)>

*

The purchase was used to acquire the target node.

it:app:snort:rule

-(detects)>

*

The snort rule is intended for use in detecting the target node.

it:app:yara:rule

-(detects)>

*

The YARA rule is intended for use in detecting the target node.

it:exec:query

-(found)>

*

The target node was returned as a result of running the query.

meta:note

-(about)>

*

The meta:note is about the target node.

meta:rule

-(detects)>

*

The meta:rule is designed to detect instances of the target node.

meta:rule

-(matches)>

*

The meta:rule has matched on the target node.

meta:source

-(seen)>

*

The meta:source observed the target node.

ou:campaign

-(targets)>

*

The campaign targeted the target nodes.

ou:campaign

-(uses)>

*

The campaign made use of the target node.

ou:contribution

-(includes)>

*

The contribution includes the specific node.

ou:org

-(has)>

*

The organization is or was in possession of the target node.

ou:org

-(owns)>

*

The organization owns or owned the target node.

ou:org

-(targets)>

*

The organization targets the target node.

ou:org

-(uses)>

*

The ou:org makes use of the target node.

ps:contact

-(has)>

*

The contact is or was in possession of the target node.

ps:contact

-(owns)>

*

The contact owns or owned the target node.

ps:person

-(has)>

*

The person is or was in possession of the target node.

ps:person

-(owns)>

*

The person owns or owned the target node.

risk:attack

-(targets)>

*

The attack targeted the target node.

risk:attack

-(uses)>

*

The attack used the target node to facilitate the attack.

risk:compromise

-(stole)>

*

The target node was stolen or copied as a result of the compromise.

risk:extortion

-(leveraged)>

*

The extortion event was based on attacker access to the target node.

risk:leak

-(leaked)>

*

The leak included the disclosure of the target node.

risk:threat

-(targets)>

*

The threat cluster targeted the target node.

risk:threat

-(uses)>

*

The threat cluster uses the target node.

risk:tool:software

-(uses)>

*

The tool uses the target node.

sci:evidence

-(has)>

*

The evidence includes observations from the target nodes.

sci:experiment

-(uses)>

*

The experiment used the target nodes when it was run.

sci:observation

-(has)>

*

The observations are summarized from the target nodes.

transport:land:registration

Registration issued to a contact for a land vehicle.

The base type for the form can be found at transport:land:registration.

Properties:

name

type

doc

:id

strip: True

The vehicle registration ID or license plate.

:contact

ps:contact

The contact info of the registrant.

:license

transport:land:license

The license used to register the vehicle.

:issued

time

The time the vehicle registration was issued.

:expires

time

The time the vehicle registration expires.

:vehicle

transport:land:vehicle

The vehicle being registered.

:issuer

ou:org

The org which issued the registration.

:issuer:name

ou:name

The name of the org which issued the registration.

Source Edges (source -(verb)> target: doc):

* -(meets)> ou:requirement: The requirement is met by the source node.
* -(refs)> *: The source node contains a reference to the target node.
* -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges (source -(verb)> target: doc):

* -(refs)> *: The source node contains a reference to the target node.
econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
it:exec:query -(found)> *: The target node was returned as a result of running the query.
meta:note -(about)> *: The meta:note is about the target node.
meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
meta:rule -(matches)> *: The meta:rule has matched on the target node.
meta:source -(seen)> *: The meta:source observed the target node.
ou:campaign -(targets)> *: The campaign targeted the target nodes.
ou:campaign -(uses)> *: The campaign made use of the target node.
ou:contribution -(includes)> *: The contribution includes the target node.
ou:org -(has)> *: The organization is or was in possession of the target node.
ou:org -(owns)> *: The organization owns or owned the target node.
ou:org -(targets)> *: The organization targets the target node.
ou:org -(uses)> *: The ou:org makes use of the target node.
ps:contact -(has)> *: The contact is or was in possession of the target node.
ps:contact -(owns)> *: The contact owns or owned the target node.
ps:person -(has)> *: The person is or was in possession of the target node.
ps:person -(owns)> *: The person owns or owned the target node.
risk:attack -(targets)> *: The attack targeted the target node.
risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
risk:leak -(leaked)> *: The leak included the disclosure of the target node.
risk:threat -(targets)> *: The threat cluster targeted the target node.
risk:threat -(uses)> *: The threat cluster uses the target node.
risk:tool:software -(uses)> *: The tool uses the target node.
sci:evidence -(has)> *: The evidence includes observations from the target nodes.
sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
sci:observation -(has)> *: The observations are summarized from the target nodes.

transport:land:vehicle

An individual vehicle.

The base type for the form can be found at transport:land:vehicle.

Properties (name, type, doc):

:serial (str, strip: True): The serial number or VIN of the vehicle.
:built (time): The date the vehicle was constructed.
:make (ou:name): The make of the vehicle.
:model (str, lower: True, onespace: True): The model of the vehicle.
:registration (transport:land:registration): The current vehicle registration information.
:owner (ps:contact): The contact info of the owner of the vehicle.

Source Edges (source -(verb)> target: doc):

* -(meets)> ou:requirement: The requirement is met by the source node.
* -(refs)> *: The source node contains a reference to the target node.
* -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges (source -(verb)> target: doc):

* -(refs)> *: The source node contains a reference to the target node.
econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
it:exec:query -(found)> *: The target node was returned as a result of running the query.
meta:note -(about)> *: The meta:note is about the target node.
meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
meta:rule -(matches)> *: The meta:rule has matched on the target node.
meta:source -(seen)> *: The meta:source observed the target node.
ou:campaign -(targets)> *: The campaign targeted the target nodes.
ou:campaign -(uses)> *: The campaign made use of the target node.
ou:contribution -(includes)> *: The contribution includes the target node.
ou:org -(has)> *: The organization is or was in possession of the target node.
ou:org -(owns)> *: The organization owns or owned the target node.
ou:org -(targets)> *: The organization targets the target node.
ou:org -(uses)> *: The ou:org makes use of the target node.
ps:contact -(has)> *: The contact is or was in possession of the target node.
ps:contact -(owns)> *: The contact owns or owned the target node.
ps:person -(has)> *: The person is or was in possession of the target node.
ps:person -(owns)> *: The person owns or owned the target node.
risk:attack -(targets)> *: The attack targeted the target node.
risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
risk:leak -(leaked)> *: The leak included the disclosure of the target node.
risk:threat -(targets)> *: The threat cluster targeted the target node.
risk:threat -(uses)> *: The threat cluster uses the target node.
risk:tool:software -(uses)> *: The tool uses the target node.
sci:evidence -(has)> *: The evidence includes observations from the target nodes.
sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
sci:observation -(has)> *: The observations are summarized from the target nodes.

transport:sea:telem

A telemetry sample from a vessel in transit.

The base type for the form can be found at transport:sea:telem.

Properties (name, type, doc):

:vessel (transport:sea:vessel): The vessel being measured.
:time (time): The time the telemetry was sampled.
:latlong (geo:latlong): The lat/lon of the vessel at the time.
:loc (loc): The location of the vessel at the time.
:place (geo:place): The place that the lat/lon geocodes to.
:accuracy (geo:dist): The horizontal accuracy of the latlong sample.
:course (transport:direction): The direction, in degrees from true North, that the vessel is traveling.
:heading (transport:direction): The direction, in degrees from true North, that the bow of the vessel is pointed.
:speed (velocity): The speed of the vessel at the time.
:draft (geo:dist): The keel depth at the time.
:airdraft (geo:dist): The maximum height of the ship from the waterline.
:destination (geo:place): The fully resolved destination that the vessel has declared.
:destination:name (geo:name): The name of the destination that the vessel has declared.
:destination:eta (time): The estimated time of arrival that the vessel has declared.

Source Edges (source -(verb)> target: doc):

* -(meets)> ou:requirement: The requirement is met by the source node.
* -(refs)> *: The source node contains a reference to the target node.
* -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges (source -(verb)> target: doc):

* -(refs)> *: The source node contains a reference to the target node.
econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
it:exec:query -(found)> *: The target node was returned as a result of running the query.
meta:note -(about)> *: The meta:note is about the target node.
meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
meta:rule -(matches)> *: The meta:rule has matched on the target node.
meta:source -(seen)> *: The meta:source observed the target node.
ou:campaign -(targets)> *: The campaign targeted the target nodes.
ou:campaign -(uses)> *: The campaign made use of the target node.
ou:contribution -(includes)> *: The contribution includes the target node.
ou:org -(has)> *: The organization is or was in possession of the target node.
ou:org -(owns)> *: The organization owns or owned the target node.
ou:org -(targets)> *: The organization targets the target node.
ou:org -(uses)> *: The ou:org makes use of the target node.
ps:contact -(has)> *: The contact is or was in possession of the target node.
ps:contact -(owns)> *: The contact owns or owned the target node.
ps:person -(has)> *: The person is or was in possession of the target node.
ps:person -(owns)> *: The person owns or owned the target node.
risk:attack -(targets)> *: The attack targeted the target node.
risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
risk:leak -(leaked)> *: The leak included the disclosure of the target node.
risk:threat -(targets)> *: The threat cluster targeted the target node.
risk:threat -(uses)> *: The threat cluster uses the target node.
risk:tool:software -(uses)> *: The tool uses the target node.
sci:evidence -(has)> *: The evidence includes observations from the target nodes.
sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
sci:observation -(has)> *: The observations are summarized from the target nodes.
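
A transport:sea:telem node records one fix. A track is a series of such nodes for the same :vessel, and the declared :course and :speed of each sample have to agree with the movement that :latlong and :time imply, while :heading (where the bow points) may legitimately differ from :course (where the vessel actually moves). The Python below is an added example, not Synapse code and not part of this model reference: it walks a constructed track and reports samples whose declared course or speed disagree with the positions. The sample dicts, the "vessel-1" stand-in for the vessel node, the use of knots for :speed, the tolerances and the function names are all assumptions made for the example; the model's velocity type has its own storage unit.

```python
import math
from datetime import datetime

EARTH_RADIUS_M = 6_371_000.0
KNOT_MPS = 1852.0 / 3600.0  # assumption for this example: :speed values are knots


def parse_time(text):
    """ISO-8601 :time value with trailing Z to an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two :latlong fixes, in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def bearing_deg(lat1, lon1, lat2, lon2):
    """Initial bearing from fix 1 to fix 2, degrees clockwise from true North,
    i.e. the course the vessel actually made good between the two samples."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    x = math.sin(dlon) * math.cos(p2)
    y = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlon)
    return (math.degrees(math.atan2(x, y)) + 360.0) % 360.0


def angle_diff(a, b):
    """Smallest absolute difference between two directions, in degrees."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def check_track(samples, course_tol_deg=15.0, speed_tol_kn=2.0):
    """Compare each sample's declared :course/:speed with the movement implied
    by :latlong/:time since the previous sample. :heading is deliberately not
    checked: the bow may point off the track (current, leeway) without the
    sample being wrong. Returns (time, description) pairs for inconsistencies."""
    samples = sorted(samples, key=lambda s: s["time"])
    issues = []
    for prev, cur in zip(samples, samples[1:]):
        if prev["vessel"] != cur["vessel"]:
            raise ValueError("a track must contain samples of one :vessel only")
        secs = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds()
        if secs <= 0:
            issues.append((cur["time"], "duplicate or non-increasing :time"))
            continue
        (lat0, lon0), (lat1, lon1) = prev["latlong"], cur["latlong"]
        dist = distance_m(lat0, lon0, lat1, lon1)
        implied_speed = dist / secs / KNOT_MPS
        if abs(implied_speed - cur["speed"]) > speed_tol_kn:
            issues.append((cur["time"],
                           f"declared :speed {cur['speed']:.1f} kn, implied {implied_speed:.1f} kn"))
        if dist > 50.0:  # bearing between near-identical fixes is noise
            implied_course = bearing_deg(lat0, lon0, lat1, lon1)
            if angle_diff(implied_course, cur["course"]) > course_tol_deg:
                issues.append((cur["time"],
                               f"declared :course {cur['course']:.0f}, implied {implied_course:.0f}"))
    return issues


# Constructed track, not real AIS data; "vessel-1" stands in for the
# transport:sea:vessel node. Leg 1: 10 nm due north in one hour, matching the
# declared 10 kn on course 000 (heading 004 is fine, heading is not course).
# Leg 2: the fix jumps east while still declaring north at 10 kn. The last
# sample repeats the previous timestamp.
SAMPLES = [
    {"vessel": "vessel-1", "time": "2024-02-10T06:00:00Z", "latlong": (51.0, 1.0),
     "course": 0.0, "heading": 4.0, "speed": 10.0},
    {"vessel": "vessel-1", "time": "2024-02-10T07:00:00Z", "latlong": (51.166554, 1.0),
     "course": 0.0, "heading": 4.0, "speed": 10.0},
    {"vessel": "vessel-1", "time": "2024-02-10T08:00:00Z", "latlong": (51.166554, 1.5),
     "course": 0.0, "heading": 4.0, "speed": 10.0},
    {"vessel": "vessel-1", "time": "2024-02-10T08:00:00Z", "latlong": (51.166554, 1.5),
     "course": 0.0, "heading": 4.0, "speed": 10.0},
]

if __name__ == "__main__":
    for when, what in check_track(SAMPLES):
        print(when, what)
```

Run as a script it prints one line per inconsistency: the second leg produces both a speed and a course finding, and the repeated timestamp produces a duplicate finding. The first leg produces nothing, even though heading and course differ by four degrees, which is the point of the model keeping them as separate properties.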

transport:sea:vessel

An individual sea vessel.

The base type for the form can be found at transport:sea:vessel.

Properties (name, type, doc):

:imo (transport:sea:imo): The International Maritime Organization number for the vessel.
:name (str, lower: True, onespace: True): The name of the vessel.
:length (geo:dist): The official overall vessel length.
:beam (geo:dist): The official overall vessel beam.
:flag (iso:3166:cc): The country the vessel is flagged to.
:mmsi (transport:sea:mmsi): The Maritime Mobile Service Identifier assigned to the vessel.
:built (time): The year the vessel was constructed.
:make (str, lower: True, strip: True): The make of the vessel.
:model (str, lower: True, strip: True): The model of the vessel.
:operator (ps:contact): The contact information of the operator.

Source Edges (source -(verb)> target: doc):

* -(meets)> ou:requirement: The requirement is met by the source node.
* -(refs)> *: The source node contains a reference to the target node.
* -(seenat)> geo:telem: The source node was seen at the geo:telem node place and time.

Target Edges (source -(verb)> target: doc):

* -(refs)> *: The source node contains a reference to the target node.
econ:purchase -(acquired)> *: The purchase was used to acquire the target node.
it:app:snort:rule -(detects)> *: The snort rule is intended for use in detecting the target node.
it:app:yara:rule -(detects)> *: The YARA rule is intended for use in detecting the target node.
it:exec:query -(found)> *: The target node was returned as a result of running the query.
meta:note -(about)> *: The meta:note is about the target node.
meta:rule -(detects)> *: The meta:rule is designed to detect instances of the target node.
meta:rule -(matches)> *: The meta:rule has matched on the target node.
meta:source -(seen)> *: The meta:source observed the target node.
ou:campaign -(targets)> *: The campaign targeted the target nodes.
ou:campaign -(uses)> *: The campaign made use of the target node.
ou:contribution -(includes)> *: The contribution includes the target node.
ou:org -(has)> *: The organization is or was in possession of the target node.
ou:org -(owns)> *: The organization owns or owned the target node.
ou:org -(targets)> *: The organization targets the target node.
ou:org -(uses)> *: The ou:org makes use of the target node.
ps:contact -(has)> *: The contact is or was in possession of the target node.
ps:contact -(owns)> *: The contact owns or owned the target node.
ps:person -(has)> *: The person is or was in possession of the target node.
ps:person -(owns)> *: The person owns or owned the target node.
risk:attack -(targets)> *: The attack targeted the target node.
risk:attack -(uses)> *: The attack used the target node to facilitate the attack.
risk:compromise -(stole)> *: The target node was stolen or copied as a result of the compromise.
risk:extortion -(leveraged)> *: The extortion event was based on attacker access to the target node.
risk:leak -(leaked)> *: The leak included the disclosure of the target node.
risk:threat -(targets)> *: The threat cluster targeted the target node.
risk:threat -(uses)> *: The threat cluster uses the target node.
risk:tool:software -(uses)> *: The tool uses the target node.
sci:evidence -(has)> *: The evidence includes observations from the target nodes.
sci:experiment -(uses)> *: The experiment used the target nodes when it was run.
sci:observation -(has)> *: The observations are summarized from the target nodes.

Universal Properties

Universal props are system level properties which may be present on every node.

These properties are not specific to a particular form and exist outside of a particular namespace.

.created

The time the node was created in the cortex. It has the following property options set:

  • Read Only: True

The universal property type is time. Its type has the following options set:

  • ismin: True

.seen

The time interval for first/last observation of the node.

The universal property type is ival.
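
Added example (Python, not Synapse code and not part of this reference): how the behaviours documented above play out when repeated observations of one transport:sea:vessel are folded into a single node. The string normalization follows the lower, onespace and strip options listed for that form's :name, :make and :model; .created is treated as a time with ismin, read here as "when two values are combined the earlier one wins"; .seen is treated as an ival that widens to cover every first/last observation. The observation records, the ingest timestamps, the node dict layout and the helper names are constructed for the example and are not Synapse APIs; the IMO value is a made-up identifier, not a real vessel.

```python
from datetime import datetime

# str type options as listed for transport:sea:vessel on this page
STR_OPTS = {
    "name":  {"lower": True, "onespace": True},
    "make":  {"lower": True, "strip": True},
    "model": {"lower": True, "strip": True},
}


def norm_str(value, lower=False, strip=False, onespace=False):
    """Normalize a str-typed value the way the documented options imply:
    strip leading/trailing whitespace, lowercase, collapse every run of
    whitespace (including leading/trailing) to a single space."""
    if strip:
        value = value.strip()
    if lower:
        value = value.lower()
    if onespace:
        value = " ".join(value.split())
    return value


def parse_time(text):
    """ISO-8601 with trailing Z to an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def merge_ismin(old, new):
    """time with ismin: True keeps the earliest value; a later write that
    carries a later time is ignored."""
    return new if old is None else min(old, new)


def merge_ival(old, new):
    """ival merge: the stored interval widens so it covers both."""
    if old is None:
        return new
    return (min(old[0], new[0]), max(old[1], new[1]))


def merge_observations(observations):
    """Fold observation records for one vessel into a node-shaped dict.

    Each record (constructed input, not a Synapse structure) carries the
    vessel's imo, whichever of name/make/model that source reported, the
    time the vessel was observed, and the time the record was ingested.
    """
    node = {"imo": None, "props": {}, ".created": None, ".seen": None}
    for obs in observations:
        if node["imo"] is None:
            node["imo"] = obs["imo"]
        elif node["imo"] != obs["imo"]:
            raise ValueError("records describe different vessels")
        for prop, opts in STR_OPTS.items():
            if prop in obs:
                node["props"][prop] = norm_str(obs[prop], **opts)
        seen_at = parse_time(obs["time"])
        node[".created"] = merge_ismin(node[".created"], parse_time(obs["ingested"]))
        node[".seen"] = merge_ival(node[".seen"], (seen_at, seen_at))
    return node


# Constructed records: one vessel reported by three sources, arriving out of
# chronological order, with inconsistent casing and spacing in the text fields.
OBSERVATIONS = [
    {"imo": "1234567", "name": "MV  Example Star", "make": "  Example Yard ",
     "time": "2024-02-11T12:00:00Z", "ingested": "2024-03-02T09:00:00Z"},
    {"imo": "1234567", "name": "mv example star ", "model": "Panamax Bulk ",
     "time": "2024-02-10T06:00:00Z", "ingested": "2024-03-01T00:00:00Z"},
    {"imo": "1234567", "name": "MV EXAMPLE STAR",
     "time": "2024-02-12T18:30:00Z", "ingested": "2024-03-05T15:45:00Z"},
]

if __name__ == "__main__":
    node = merge_observations(OBSERVATIONS)
    print(node["props"])
    print(".created", node[".created"].isoformat())
    print(".seen", node[".seen"][0].isoformat(), node[".seen"][1].isoformat())
```

The three spellings of the name collapse to one value, so the records deduplicate onto a single node instead of three; .created settles on the earliest ingest time even though that record arrived second; and .seen ends up spanning the earliest and latest observation regardless of arrival order.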