Synapse Data Model - Types¶
Base Types¶
Base types are defined via Python classes.
array¶
A typed array which indexes each field.
It is implemented by the following class: synapse.lib.types.Array.
The base type array has the following default options set:
- type:
int
bool¶
The base boolean type.
It is implemented by the following class: synapse.lib.types.Bool.
comp¶
The base type for compound node fields.
It is implemented by the following class: synapse.lib.types.Comp.
data¶
Arbitrary json compatible data.
It is implemented by the following class: synapse.lib.types.Data.
duration¶
A duration value.
It is implemented by the following class: synapse.lib.types.Duration.
The base type duration has the following default options set:
- signed:
False
edge¶
An digraph edge base type.
It is implemented by the following class: synapse.lib.types.Edge.
file:base¶
A file name with no path.
It is implemented by the following class: synapse.models.files.FileBase.
An example of file:base:
woot.exe
file:bytes¶
The file bytes type with SHA256 based primary property.
It is implemented by the following class: synapse.models.files.FileBytes.
file:path¶
A normalized file path.
It is implemented by the following class: synapse.models.files.FilePath.
An example of file:path:
c:/windows/system32/calc.exe
float¶
The base floating point type.
It is implemented by the following class: synapse.lib.types.Float.
The base type float has the following default options set:
- fmt:
%f- min:
None- minisvalid:
True- max:
None- maxisvalid:
True
geo:dist¶
A geographic distance (base unit is mm).
It is implemented by the following class: synapse.models.geospace.Dist.
An example of geo:dist:
10 km
geo:latlong¶
A Lat/Long string specifying a point on Earth.
It is implemented by the following class: synapse.models.geospace.LatLong.
An example of geo:latlong:
-12.45,56.78
guid¶
The base GUID type.
It is implemented by the following class: synapse.lib.types.Guid.
hex¶
The base hex type.
It is implemented by the following class: synapse.lib.types.Hex.
The base type hex has the following default options set:
- size:
0
hugenum¶
A potentially huge/tiny number. [x] <= 170141183460469231731687 with a fractional precision of 15 decimal digits.
It is implemented by the following class: synapse.lib.types.HugeNum.
The base type hugenum has the following default options set:
- norm:
True
inet:addr¶
A network layer URL-like format to represent tcp/udp/icmp clients and servers.
It is implemented by the following class: synapse.models.inet.Addr.
An example of inet:addr:
tcp://1.2.3.4:80
inet:cidr4¶
An IPv4 address block in Classless Inter-Domain Routing (CIDR) notation.
It is implemented by the following class: synapse.models.inet.Cidr4.
An example of inet:cidr4:
1.2.3.0/24
inet:cidr6¶
An IPv6 address block in Classless Inter-Domain Routing (CIDR) notation.
It is implemented by the following class: synapse.models.inet.Cidr6.
An example of inet:cidr6:
2001:db8::/101
inet:dns:name¶
A DNS query name string. Likely an FQDN but not always.
It is implemented by the following class: synapse.models.dns.DnsName.
An example of inet:dns:name:
vertex.link
inet:email¶
An e-mail address.
It is implemented by the following class: synapse.models.inet.Email.
inet:fqdn¶
A Fully Qualified Domain Name (FQDN).
It is implemented by the following class: synapse.models.inet.Fqdn.
An example of inet:fqdn:
vertex.link
inet:ipv4¶
An IPv4 address.
It is implemented by the following class: synapse.models.inet.IPv4.
An example of inet:ipv4:
1.2.3.4
inet:ipv4range¶
An IPv4 address range.
It is implemented by the following class: synapse.models.inet.IPv4Range.
An example of inet:ipv4range:
1.2.3.4-1.2.3.8
inet:ipv6¶
An IPv6 address.
It is implemented by the following class: synapse.models.inet.IPv6.
An example of inet:ipv6:
2607:f8b0:4004:809::200e
inet:ipv6range¶
An IPv6 address range.
It is implemented by the following class: synapse.models.inet.IPv6Range.
An example of inet:ipv6range:
(2607:f8b0:4004:809::200e, 2607:f8b0:4004:809::2011)
inet:rfc2822:addr¶
An RFC 2822 Address field.
It is implemented by the following class: synapse.models.inet.Rfc2822Addr.
An example of inet:rfc2822:addr:
"Visi Kenshoto" <visi@vertex.link>
inet:url¶
A Universal Resource Locator (URL).
It is implemented by the following class: synapse.models.inet.Url.
An example of inet:url:
http://www.woot.com/files/index.html
int¶
The base 64 bit signed integer type.
It is implemented by the following class: synapse.lib.types.Int.
The base type int has the following default options set:
- size:
8- signed:
True- fmt:
%d- min:
None- max:
None- ismin:
False- ismax:
False
it:sec:cpe¶
A NIST CPE 2.3 Formatted String.
It is implemented by the following class: synapse.models.infotech.Cpe23Str.
The base type it:sec:cpe has the following default options set:
- lower:
True
it:semver¶
Semantic Version type.
It is implemented by the following class: synapse.models.infotech.SemVer.
ival¶
A time window/interval.
It is implemented by the following class: synapse.lib.types.Ival.
loc¶
The base geo political location type.
It is implemented by the following class: synapse.lib.types.Loc.
ndef¶
The node definition type for a (form,valu) compound field.
It is implemented by the following class: synapse.lib.types.Ndef.
nodeprop¶
The nodeprop type for a (prop,valu) compound field.
It is implemented by the following class: synapse.lib.types.NodeProp.
range¶
A base range type.
It is implemented by the following class: synapse.lib.types.Range.
The base type range has the following default options set:
- type:
('int', {})
str¶
The base string type.
It is implemented by the following class: synapse.lib.types.Str.
The base type str has the following default options set:
- enums:
None- regex:
None- lower:
False- strip:
False- replace:
()- onespace:
False- globsuffix:
False
syn:tag¶
The base type for a synapse tag.
It is implemented by the following class: synapse.lib.types.Tag.
The base type syn:tag has the following default options set:
- enums:
None- regex:
None- lower:
False- strip:
False- replace:
()- onespace:
False- globsuffix:
False
syn:tag:part¶
A tag component string.
It is implemented by the following class: synapse.lib.types.TagPart.
The base type syn:tag:part has the following default options set:
- enums:
None- regex:
None- lower:
False- strip:
False- replace:
()- onespace:
False- globsuffix:
False
tel:mob:imei¶
An International Mobile Equipment Id.
It is implemented by the following class: synapse.models.telco.Imei.
An example of tel:mob:imei:
490154203237518
tel:mob:imsi¶
An International Mobile Subscriber Id.
It is implemented by the following class: synapse.models.telco.Imsi.
An example of tel:mob:imsi:
310150123456789
tel:phone¶
A phone number.
It is implemented by the following class: synapse.models.telco.Phone.
An example of tel:phone:
+15558675309
time¶
A date/time value.
It is implemented by the following class: synapse.lib.types.Time.
The base type time has the following default options set:
- ismin:
False- ismax:
False
timeedge¶
An digraph edge base type with a unique time.
It is implemented by the following class: synapse.lib.types.TimeEdge.
Types¶
Regular types are derived from BaseTypes.
auth:access¶
An instance of using creds to access a resource.
The auth:access type is derived from the base type: guid.
auth:creds¶
A unique set of credentials used to access a resource.
The auth:creds type is derived from the base type: guid.
crypto:currency:address¶
An individual crypto currency address.
The crypto:currency:address type is derived from the base type: comp.
An example of crypto:currency:address:
(btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2)
The type crypto:currency:address has the following options set:
- fields:
(('coin', 'crypto:currency:coin'), ('iden', 'str'))
crypto:currency:client¶
A fused node representing a crypto currency address used by an Internet client.
The crypto:currency:client type is derived from the base type: comp.
An example of crypto:currency:client:
(1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))
The type crypto:currency:client has the following options set:
- fields:
(('inetaddr', 'inet:client'), ('coinaddr', 'crypto:currency:address'))
crypto:currency:coin¶
An individual crypto currency type.
The crypto:currency:coin type is derived from the base type: str.
An example of crypto:currency:coin:
btc
The type crypto:currency:coin has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
False
crypto:x509:cert¶
A unique X.509 certificate.
The crypto:x509:cert type is derived from the base type: guid.
crypto:x509:crl¶
A unique X.509 Certificate Revocation List.
The crypto:x509:crl type is derived from the base type: guid.
crypto:x509:revoked¶
A revocation relationship between a CRL and an X.509 certificate.
The crypto:x509:revoked type is derived from the base type: comp.
The type crypto:x509:revoked has the following options set:
- fields:
(('crl', 'crypto:x509:crl'), ('cert', 'crypto:x509:cert'))
crypto:x509:san¶
An X.509 Subject Alternative Name (SAN).
The crypto:x509:san type is derived from the base type: comp.
The type crypto:x509:san has the following options set:
- fields:
(('type', 'str'), ('value', 'str'))
crypto:x509:signedfile¶
A digital signature relationship between an X.509 certificate and a file.
The crypto:x509:signedfile type is derived from the base type: comp.
The type crypto:x509:signedfile has the following options set:
- fields:
(('cert', 'crypto:x509:cert'), ('file', 'file:bytes'))
econ:acct:payment¶
A payment moving currency from one monetary instrument to another.
The econ:acct:payment type is derived from the base type: guid.
econ:acquired¶
A relationship between a purchase event and a purchased item.
The econ:acquired type is derived from the base type: comp.
The type econ:acquired has the following options set:
- fields:
(('purchase', 'econ:purchase'), ('item', 'ndef'))
econ:currency¶
The name of a system of money in general use.
The econ:currency type is derived from the base type: str.
An example of econ:currency:
usd
The type econ:currency has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
False
econ:fin:bar¶
A sample of the open, close, high, low prices of a security in a specific time window.
The econ:fin:bar type is derived from the base type: guid.
econ:fin:exchange¶
A financial exchange where securities are traded.
The econ:fin:exchange type is derived from the base type: guid.
econ:fin:security¶
A financial security which is typically traded on an exchange.
The econ:fin:security type is derived from the base type: guid.
econ:fin:tick¶
A sample of the price of a security at a single moment in time.
The econ:fin:tick type is derived from the base type: guid.
econ:pay:card¶
A single payment card.
The econ:pay:card type is derived from the base type: guid.
econ:pay:cvv¶
A Card Verification Value (CVV).
The econ:pay:cvv type is derived from the base type: str.
The type econ:pay:cvv has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^[0-9]{1,6}$- replace:
()- strip:
False
econ:pay:iin¶
An Issuer Id Number (IIN).
The econ:pay:iin type is derived from the base type: int.
The type econ:pay:iin has the following options set:
- fmt:
%d- ismax:
False- ismin:
False- max:
999999- min:
0- signed:
True- size:
8
econ:pay:mii¶
A Major Industry Identifier (MII).
The econ:pay:mii type is derived from the base type: int.
The type econ:pay:mii has the following options set:
- fmt:
%d- ismax:
False- ismin:
False- max:
9- min:
0- signed:
True- size:
8
econ:pay:pan¶
A Primary Account Number (PAN) or card number.
The econ:pay:pan type is derived from the base type: str.
The type econ:pay:pan has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^(?<iin>(?<mii>[0-9]{1})[0-9]{5})[0-9]{1,13}$- replace:
()- strip:
False
econ:pay:pin¶
A Personal Identification Number.
The econ:pay:pin type is derived from the base type: str.
The type econ:pay:pin has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^[0-9]{3,6}$- replace:
()- strip:
False
econ:price¶
The amount of money expected, required, or given in payment for something.
The econ:price type is derived from the base type: hugenum.
An example of econ:price:
2.20
The type econ:price has the following options set:
- norm:
False
econ:purchase¶
A purchase event.
The econ:purchase type is derived from the base type: guid.
edge:has¶
A digraph edge which records that N1 has N2.
The edge:has type is derived from the base type: edge.
edge:refs¶
A digraph edge which records that N1 refers to or contains N2.
The edge:refs type is derived from the base type: edge.
edge:wentto¶
A digraph edge which records that N1 went to N2 at a specific time.
The edge:wentto type is derived from the base type: timeedge.
edu:class¶
An instance of an edu:course taught at a given time.
The edu:class type is derived from the base type: guid.
edu:course¶
A course of study taught by an org.
The edu:course type is derived from the base type: guid.
file:filepath¶
The fused knowledge of the association of a file:bytes node and a file:path.
The file:filepath type is derived from the base type: comp.
The type file:filepath has the following options set:
- fields:
(('file', 'file:bytes'), ('path', 'file:path'))
file:ismime¶
Records one, of potentially multiple, mime types for a given file.
The file:ismime type is derived from the base type: comp.
The type file:ismime has the following options set:
- fields:
(('file', 'file:bytes'), ('mime', 'file:mime'))
file:mime¶
A file mime name string.
The file:mime type is derived from the base type: str.
An example of file:mime:
text/plain
The type file:mime has the following options set:
- globsuffix:
False- lower:
1- onespace:
False- regex:
None- replace:
()- strip:
False
file:mime:gif¶
The GUID of a set of mime metadata for a .gif file.
The file:mime:gif type is derived from the base type: guid.
file:mime:jpg¶
The GUID of a set of mime metadata for a .jpg file.
The file:mime:jpg type is derived from the base type: guid.
file:mime:msdoc¶
The GUID of a set of mime metadata for a Microsoft Word file.
The file:mime:msdoc type is derived from the base type: guid.
file:mime:msppt¶
The GUID of a set of mime metadata for a Microsoft Powerpoint file.
The file:mime:msppt type is derived from the base type: guid.
file:mime:msxls¶
The GUID of a set of mime metadata for a Microsoft Excel file.
The file:mime:msxls type is derived from the base type: guid.
file:mime:pe:export¶
The fused knowledge of a file:bytes node containing a pe named export.
The file:mime:pe:export type is derived from the base type: comp.
The type file:mime:pe:export has the following options set:
- fields:
(('file', 'file:bytes'), ('name', 'str'))
file:mime:pe:resource¶
The fused knowledge of a file:bytes node containing a pe resource.
The file:mime:pe:resource type is derived from the base type: comp.
The type file:mime:pe:resource has the following options set:
- fields:
[ [ "file", "file:bytes" ], [ "type", "pe:resource:type" ], [ "langid", "pe:langid" ], [ "resource", "file:bytes" ] ]
file:mime:pe:section¶
The fused knowledge a file:bytes node containing a pe section.
The file:mime:pe:section type is derived from the base type: comp.
The type file:mime:pe:section has the following options set:
- fields:
(('file', 'file:bytes'), ('name', 'str'), ('sha256', 'hash:sha256'))
file:mime:pe:vsvers:info¶
knowledge of a file:bytes node containing vsvers info.
The file:mime:pe:vsvers:info type is derived from the base type: comp.
The type file:mime:pe:vsvers:info has the following options set:
- fields:
(('file', 'file:bytes'), ('keyval', 'file:mime:pe:vsvers:keyval'))
file:mime:pe:vsvers:keyval¶
A key value pair found in a PE vsversion info structure.
The file:mime:pe:vsvers:keyval type is derived from the base type: comp.
The type file:mime:pe:vsvers:keyval has the following options set:
- fields:
(('name', 'str'), ('value', 'str'))
file:mime:png¶
The GUID of a set of mime metadata for a .png file.
The file:mime:png type is derived from the base type: guid.
file:mime:rtf¶
The GUID of a set of mime metadata for a .rtf file.
The file:mime:rtf type is derived from the base type: guid.
file:mime:tif¶
The GUID of a set of mime metadata for a .tif file.
The file:mime:tif type is derived from the base type: guid.
file:string¶
Deprecated. Please use the edge -(refs)> it:dev:str.
The file:string type is derived from the base type: comp.
The type file:string has the following options set:
- fields:
(('file', 'file:bytes'), ('string', 'str'))
file:subfile¶
A parent file that fully contains the specified child file.
The file:subfile type is derived from the base type: comp.
The type file:subfile has the following options set:
- fields:
(('parent', 'file:bytes'), ('child', 'file:bytes'))
geo:address¶
A street/mailing address string.
The geo:address type is derived from the base type: str.
The type geo:address has the following options set:
- globsuffix:
False- lower:
1- onespace:
1- regex:
None- replace:
()- strip:
True
geo:altitude¶
A negative or positive offset from Mean Sea Level (6,371.0088km from Earths core).
The geo:altitude type is derived from the base type: geo:dist.
An example of geo:altitude:
10 km
The type geo:altitude has the following options set:
- baseoff:
6371008800- fmt:
%d- ismax:
False- ismin:
False- max:
None- min:
None- signed:
True- size:
8
geo:bbox¶
A geospatial bounding box in (xmin, xmax, ymin, ymax) format.
The geo:bbox type is derived from the base type: comp.
The type geo:bbox has the following options set:
- fields:
[ [ "xmin", "geo:longitude" ], [ "xmax", "geo:longitude" ], [ "ymin", "geo:latitude" ], [ "ymax", "geo:latitude" ] ]
- sepr:
,
geo:json¶
GeoJSON structured JSON data.
The geo:json type is derived from the base type: data.
The type geo:json has the following options set:
- schema:
{ "$schema": "http://json-schema.org/draft-07/schema#", "definitions": { "BoundingBox": { "items": { "type": "number" }, "minItems": 4, "type": "array" }, "Feature": { "properties": { "bbox": { "$ref": "#/definitions/BoundingBox" }, "geometry": { "oneOf": [ { "type": "null" }, { "$ref": "#/definitions/Point" }, { "$ref": "#/definitions/LineString" }, { "$ref": "#/definitions/Polygon" }, { "$ref": "#/definitions/MultiPoint" }, { "$ref": "#/definitions/MultiLineString" }, { "$ref": "#/definitions/MultiPolygon" }, { "$ref": "#/definitions/GeometryCollection" } ] }, "properties": { "oneOf": [ { "type": "null" }, { "type": "object" } ] }, "type": { "enum": [ "Feature" ], "type": "string" } }, "required": [ "type", "properties", "geometry" ], "title": "GeoJSON Feature", "type": "object" }, "FeatureCollection": { "properties": { "bbox": { "$ref": "#/definitions/BoundingBox" }, "features": { "items": { "$ref": "#/definitions/Feature" }, "type": "array" }, "type": { "enum": [ "FeatureCollection" ], "type": "string" } }, "required": [ "type", "features" ], "title": "GeoJSON FeatureCollection", "type": "object" }, "GeometryCollection": { "properties": { "bbox": { "$ref": "#/definitions/BoundingBox" }, "geometries": { "items": { "oneOf": [ { "$ref": "#/definitions/Point" }, { "$ref": "#/definitions/LineString" }, { "$ref": "#/definitions/Polygon" }, { "$ref": "#/definitions/MultiPoint" }, { "$ref": "#/definitions/MultiLineString" }, { "$ref": "#/definitions/MultiPolygon" } ] }, "type": "array" }, "type": { "enum": [ "GeometryCollection" ], "type": "string" } }, "required": [ "type", "geometries" ], "title": "GeoJSON GeometryCollection", "type": "object" }, "LineString": { "properties": { "bbox": { "$ref": "#/definitions/BoundingBox" }, "coordinates": { "$ref": "#/definitions/LineStringCoordinates" }, "type": { "enum": [ "LineString" ], "type": "string" } }, "required": [ "type", "coordinates" ], "title": "GeoJSON LineString", "type": "object" }, "LineStringCoordinates": { "items": { "$ref": "#/definitions/PointCoordinates" }, "minItems": 2, "type": "array" }, "LinearRingCoordinates": { "items": { "$ref": "#/definitions/PointCoordinates" }, "minItems": 4, "type": "array" }, "MultiLineString": { "properties": { "bbox": { "$ref": "#/definitions/BoundingBox" }, "coordinates": { "items": { "$ref": "#/definitions/LineStringCoordinates" }, "type": "array" }, "type": { "enum": [ "MultiLineString" ], "type": "string" } }, "required": [ "type", "coordinates" ], "title": "GeoJSON MultiLineString", "type": "object" }, "MultiPoint": { "properties": { "bbox": { "$ref": "#/definitions/BoundingBox" }, "coordinates": { "items": { "$ref": "#/definitions/PointCoordinates" }, "type": "array" }, "type": { "enum": [ "MultiPoint" ], "type": "string" } }, "required": [ "type", "coordinates" ], "title": "GeoJSON MultiPoint", "type": "object" }, "MultiPolygon": { "properties": { "bbox": { "$ref": "#/definitions/BoundingBox" }, "coordinates": { "items": { "$ref": "#/definitions/PolygonCoordinates" }, "type": "array" }, "type": { "enum": [ "MultiPolygon" ], "type": "string" } }, "required": [ "type", "coordinates" ], "title": "GeoJSON MultiPolygon", "type": "object" }, "Point": { "properties": { "bbox": { "$ref": "#/definitions/BoundingBox" }, "coordinates": { "$ref": "#/definitions/PointCoordinates" }, "type": { "enum": [ "Point" ], "type": "string" } }, "required": [ "type", "coordinates" ], "title": "GeoJSON Point", "type": "object" }, "PointCoordinates": { "items": { "type": "number" }, "minItems": 2, "type": "array" }, "Polygon": { "properties": { "bbox": { "$ref": "#/definitions/BoundingBox" }, "coordinates": { "$ref": "#/definitions/PolygonCoordinates" }, "type": { "enum": [ "Polygon" ], "type": "string" } }, "required": [ "type", "coordinates" ], "title": "GeoJSON Polygon", "type": "object" }, "PolygonCoordinates": { "items": { "$ref": "#/definitions/LinearRingCoordinates" }, "type": "array" } }, "oneOf": [ { "$ref": "#/definitions/Point" }, { "$ref": "#/definitions/LineString" }, { "$ref": "#/definitions/Polygon" }, { "$ref": "#/definitions/MultiPoint" }, { "$ref": "#/definitions/MultiLineString" }, { "$ref": "#/definitions/MultiPolygon" }, { "$ref": "#/definitions/GeometryCollection" }, { "$ref": "#/definitions/Feature" }, { "$ref": "#/definitions/FeatureCollection" } ] }
geo:latitude¶
A latitude in floating point notation.
The geo:latitude type is derived from the base type: float.
An example of geo:latitude:
31.337
The type geo:latitude has the following options set:
- fmt:
%f- max:
90.0- maxisvalid:
True- min:
-90.0- minisvalid:
True
geo:longitude¶
A longitude in floating point notation.
The geo:longitude type is derived from the base type: float.
An example of geo:longitude:
31.337
The type geo:longitude has the following options set:
- fmt:
%f- max:
180.0- maxisvalid:
True- min:
-180.0- minisvalid:
False
geo:nloc¶
Records a node latitude/longitude in space-time.
The geo:nloc type is derived from the base type: comp.
The type geo:nloc has the following options set:
- fields:
(('ndef', 'ndef'), ('latlong', 'geo:latlong'), ('time', 'time'))
geo:place¶
A GUID for a geographic place.
The geo:place type is derived from the base type: guid.
gov:cn:icp¶
A Chinese Internet Content Provider ID.
The gov:cn:icp type is derived from the base type: int.
The type gov:cn:icp has the following options set:
- fmt:
%d- ismax:
False- ismin:
False- max:
None- min:
None- signed:
True- size:
8
gov:cn:mucd¶
A Chinese PLA MUCD.
The gov:cn:mucd type is derived from the base type: int.
The type gov:cn:mucd has the following options set:
- fmt:
%d- ismax:
False- ismin:
False- max:
None- min:
None- signed:
True- size:
8
gov:intl:un:m49¶
UN M49 Numeric Country Code.
The gov:intl:un:m49 type is derived from the base type: int.
The type gov:intl:un:m49 has the following options set:
- fmt:
%d- ismax:
False- ismin:
False- max:
999- min:
1- signed:
True- size:
8
gov:us:cage¶
A Commercial and Government Entity (CAGE) code.
The gov:us:cage type is derived from the base type: str.
The type gov:us:cage has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
False
gov:us:ssn¶
A US Social Security Number (SSN).
The gov:us:ssn type is derived from the base type: int.
The type gov:us:ssn has the following options set:
- fmt:
%d- ismax:
False- ismin:
False- max:
None- min:
None- signed:
True- size:
8
gov:us:zip¶
A US Postal Zip Code.
The gov:us:zip type is derived from the base type: int.
The type gov:us:zip has the following options set:
- fmt:
%d- ismax:
False- ismin:
False- max:
None- min:
None- signed:
True- size:
8
graph:cluster¶
A generic node, used in conjunction with Edge types, to cluster arbitrary nodes to a single node in the model.
The graph:cluster type is derived from the base type: guid.
graph:edge¶
A generic digraph edge to show relationships outside the model.
The graph:edge type is derived from the base type: edge.
graph:event¶
A generic event node to represent events outside the model.
The graph:event type is derived from the base type: guid.
graph:node¶
A generic node used to represent objects outside the model.
The graph:node type is derived from the base type: guid.
graph:timeedge¶
A generic digraph time edge to show relationships outside the model.
The graph:timeedge type is derived from the base type: timeedge.
hash:lm¶
A hex encoded Microsoft Windows LM password hash.
The hash:lm type is derived from the base type: hex.
An example of hash:lm:
d41d8cd98f00b204e9800998ecf8427e
The type hash:lm has the following options set:
- size:
32
hash:md5¶
A hex encoded MD5 hash.
The hash:md5 type is derived from the base type: hex.
An example of hash:md5:
d41d8cd98f00b204e9800998ecf8427e
The type hash:md5 has the following options set:
- size:
32
hash:ntlm¶
A hex encoded Microsoft Windows NTLM password hash.
The hash:ntlm type is derived from the base type: hex.
An example of hash:ntlm:
d41d8cd98f00b204e9800998ecf8427e
The type hash:ntlm has the following options set:
- size:
32
hash:sha1¶
A hex encoded SHA1 hash.
The hash:sha1 type is derived from the base type: hex.
An example of hash:sha1:
da39a3ee5e6b4b0d3255bfef95601890afd80709
The type hash:sha1 has the following options set:
- size:
40
hash:sha256¶
A hex encoded SHA256 hash.
The hash:sha256 type is derived from the base type: hex.
An example of hash:sha256:
ad9f4fe922b61e674a09530831759843b1880381de686a43460a76864ca0340c
The type hash:sha256 has the following options set:
- size:
64
hash:sha384¶
A hex encoded SHA384 hash.
The hash:sha384 type is derived from the base type: hex.
An example of hash:sha384:
d425f1394e418ce01ed1579069a8bfaa1da8f32cf823982113ccbef531fa36bda9987f389c5af05b5e28035242efab6c
The type hash:sha384 has the following options set:
- size:
96
hash:sha512¶
A hex encoded SHA512 hash.
The hash:sha512 type is derived from the base type: hex.
An example of hash:sha512:
ca74fe2ff2d03b29339ad7d08ba21d192077fece1715291c7b43c20c9136cd132788239189f3441a87eb23ce2660aa243f334295902c904b5520f6e80ab91f11
The type hash:sha512 has the following options set:
- size:
128
inet:asn¶
An Autonomous System Number (ASN).
The inet:asn type is derived from the base type: int.
The type inet:asn has the following options set:
- fmt:
%d- ismax:
False- ismin:
False- max:
None- min:
None- signed:
True- size:
8
inet:asnet4¶
An Autonomous System Number (ASN) and its associated IPv4 address range.
The inet:asnet4 type is derived from the base type: comp.
An example of inet:asnet4:
(54959, (1.2.3.4, 1.2.3.20))
The type inet:asnet4 has the following options set:
- fields:
(('asn', 'inet:asn'), ('net4', 'inet:net4'))
inet:asnet6¶
An Autonomous System Number (ASN) and its associated IPv6 address range.
The inet:asnet6 type is derived from the base type: comp.
An example of inet:asnet6:
(54959, (ff::00, ff::02))
The type inet:asnet6 has the following options set:
- fields:
(('asn', 'inet:asn'), ('net6', 'inet:net6'))
inet:banner¶
A network protocol banner string presented by a server.
The inet:banner type is derived from the base type: comp.
The type inet:banner has the following options set:
- fields:
(('server', 'inet:server'), ('text', 'it:dev:str'))
inet:client¶
A network client address.
The inet:client type is derived from the base type: inet:addr.
An example of inet:client:
tcp://1.2.3.4:80
The type inet:client has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
inet:dns:a¶
The result of a DNS A record lookup.
The inet:dns:a type is derived from the base type: comp.
An example of inet:dns:a:
(vertex.link,1.2.3.4)
The type inet:dns:a has the following options set:
- fields:
(('fqdn', 'inet:fqdn'), ('ipv4', 'inet:ipv4'))
inet:dns:aaaa¶
The result of a DNS AAAA record lookup.
The inet:dns:aaaa type is derived from the base type: comp.
An example of inet:dns:aaaa:
(vertex.link,2607:f8b0:4004:809::200e)
The type inet:dns:aaaa has the following options set:
- fields:
(('fqdn', 'inet:fqdn'), ('ipv6', 'inet:ipv6'))
inet:dns:answer¶
A single answer from within a DNS reply.
The inet:dns:answer type is derived from the base type: guid.
inet:dns:cname¶
The result of a DNS CNAME record lookup.
The inet:dns:cname type is derived from the base type: comp.
An example of inet:dns:cname:
(foo.vertex.link,vertex.link)
The type inet:dns:cname has the following options set:
- fields:
(('fqdn', 'inet:fqdn'), ('cname', 'inet:fqdn'))
inet:dns:mx¶
The result of a DNS MX record lookup.
The inet:dns:mx type is derived from the base type: comp.
An example of inet:dns:mx:
(vertex.link,mail.vertex.link)
The type inet:dns:mx has the following options set:
- fields:
(('fqdn', 'inet:fqdn'), ('mx', 'inet:fqdn'))
inet:dns:ns¶
The result of a DNS NS record lookup.
The inet:dns:ns type is derived from the base type: comp.
An example of inet:dns:ns:
(vertex.link,ns.dnshost.com)
The type inet:dns:ns has the following options set:
- fields:
(('zone', 'inet:fqdn'), ('ns', 'inet:fqdn'))
inet:dns:query¶
A DNS query unique to a given client.
The inet:dns:query type is derived from the base type: comp.
An example of inet:dns:query:
(1.2.3.4, woot.com, 1)
The type inet:dns:query has the following options set:
- fields:
(('client', 'inet:client'), ('name', 'inet:dns:name'), ('type', 'int'))
inet:dns:request¶
A single instance of a DNS resolver request and optional reply info.
The inet:dns:request type is derived from the base type: guid.
inet:dns:rev¶
The transformed result of a DNS PTR record lookup.
The inet:dns:rev type is derived from the base type: comp.
An example of inet:dns:rev:
(1.2.3.4,vertex.link)
The type inet:dns:rev has the following options set:
- fields:
(('ipv4', 'inet:ipv4'), ('fqdn', 'inet:fqdn'))
inet:dns:rev6¶
The transformed result of a DNS PTR record for an IPv6 address.
The inet:dns:rev6 type is derived from the base type: comp.
An example of inet:dns:rev6:
(2607:f8b0:4004:809::200e,vertex.link)
The type inet:dns:rev6 has the following options set:
- fields:
(('ipv6', 'inet:ipv6'), ('fqdn', 'inet:fqdn'))
inet:dns:soa¶
The result of a DNS SOA record lookup.
The inet:dns:soa type is derived from the base type: guid.
inet:dns:txt¶
The result of a DNS MX record lookup.
The inet:dns:txt type is derived from the base type: comp.
An example of inet:dns:txt:
(hehe.vertex.link,"fancy TXT record")
The type inet:dns:txt has the following options set:
- fields:
(('fqdn', 'inet:fqdn'), ('txt', 'str'))
inet:dns:type¶
A DNS query/answer type integer.
The inet:dns:type type is derived from the base type: int.
The type inet:dns:type has the following options set:
- fmt:
%d- ismax:
False- ismin:
False- max:
None- min:
None- signed:
True- size:
8
inet:dns:wild:a¶
A DNS A wild card record and the IPv4 it resolves to.
The inet:dns:wild:a type is derived from the base type: comp.
The type inet:dns:wild:a has the following options set:
- fields:
(('fqdn', 'inet:fqdn'), ('ipv4', 'inet:ipv4'))
inet:dns:wild:aaaa¶
A DNS AAAA wild card record and the IPv6 it resolves to.
The inet:dns:wild:aaaa type is derived from the base type: comp.
The type inet:dns:wild:aaaa has the following options set:
- fields:
(('fqdn', 'inet:fqdn'), ('ipv6', 'inet:ipv6'))
inet:download¶
An instance of a file downloaded from a server.
The inet:download type is derived from the base type: guid.
inet:email:header¶
A unique email message header.
The inet:email:header type is derived from the base type: comp.
The type inet:email:header has the following options set:
- fields:
(('name', 'inet:email:header:name'), ('value', 'str'))
inet:email:header:name¶
An email header name.
The inet:email:header:name type is derived from the base type: str.
An example of inet:email:header:name:
subject
The type inet:email:header:name has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
False
inet:email:message¶
A unique email message.
The inet:email:message type is derived from the base type: guid.
inet:email:message:attachment¶
A file which was attached to an email message.
The inet:email:message:attachment type is derived from the base type: comp.
The type inet:email:message:attachment has the following options set:
- fields:
(('message', 'inet:email:message'), ('file', 'file:bytes'))
inet:email:message:link¶
A url/link embedded in an email message.
The inet:email:message:link type is derived from the base type: comp.
The type inet:email:message:link has the following options set:
- fields:
(('message', 'inet:email:message'), ('url', 'inet:url'))
inet:flow¶
An individual network connection between a given source and destination.
The inet:flow type is derived from the base type: guid.
inet:group¶
A group name string.
The inet:group type is derived from the base type: str.
The type inet:group has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
inet:http:cookie¶
An HTTP cookie string.
The inet:http:cookie type is derived from the base type: str.
The type inet:http:cookie has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
inet:http:header¶
An HTTP protocol header key/value.
The inet:http:header type is derived from the base type: comp.
The type inet:http:header has the following options set:
- fields:
(('name', 'inet:http:header:name'), ('value', 'str'))
inet:http:header:name¶
The base string type.
The inet:http:header:name type is derived from the base type: str.
The type inet:http:header:name has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
False
inet:http:param¶
An HTTP request path query parameter.
The inet:http:param type is derived from the base type: comp.
The type inet:http:param has the following options set:
- fields:
(('name', 'str'), ('value', 'str'))
inet:http:request¶
A single HTTP request.
The inet:http:request type is derived from the base type: guid.
inet:http:request:header¶
An HTTP request header.
The inet:http:request:header type is derived from the base type: inet:http:header.
The type inet:http:request:header has the following options set:
- fields:
(('name', 'inet:http:header:name'), ('value', 'str'))
inet:http:response:header¶
An HTTP response header.
The inet:http:response:header type is derived from the base type: inet:http:header.
The type inet:http:response:header has the following options set:
- fields:
(('name', 'inet:http:header:name'), ('value', 'str'))
inet:iface¶
A network interface with a set of associated protocol addresses.
The inet:iface type is derived from the base type: guid.
inet:mac¶
A 48-bit Media Access Control (MAC) address.
The inet:mac type is derived from the base type: str.
An example of inet:mac:
aa:bb:cc:dd:ee:ff
The type inet:mac has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$- replace:
()- strip:
False
inet:net4¶
An IPv4 address range.
The inet:net4 type is derived from the base type: inet:ipv4range.
An example of inet:net4:
(1.2.3.4, 1.2.3.20)
The type inet:net4 has the following options set:
- type:
('inet:ipv4', {})
inet:net6¶
An IPv6 address range.
The inet:net6 type is derived from the base type: inet:ipv6range.
An example of inet:net6:
('ff::00', 'ff::30')
The type inet:net6 has the following options set:
- type:
('inet:ipv6', {})
inet:passwd¶
A password string.
The inet:passwd type is derived from the base type: str.
The type inet:passwd has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
inet:port¶
A network port.
The inet:port type is derived from the base type: int.
An example of inet:port:
80
The type inet:port has the following options set:
- fmt:
%d- ismax:
False- ismin:
False- max:
65535- min:
0- signed:
True- size:
8
inet:search:query¶
An instance of a search query issued to a search engine.
The inet:search:query type is derived from the base type: guid.
inet:search:result¶
A single result from a web search.
The inet:search:result type is derived from the base type: guid.
inet:server¶
A network server address.
The inet:server type is derived from the base type: inet:addr.
An example of inet:server:
tcp://1.2.3.4:80
The type inet:server has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
inet:servfile¶
A file hosted on a server for access over a network protocol.
The inet:servfile type is derived from the base type: comp.
The type inet:servfile has the following options set:
- fields:
(('server', 'inet:server'), ('file', 'file:bytes'))
inet:ssl:cert¶
An SSL certificate file served by a server.
The inet:ssl:cert type is derived from the base type: comp.
An example of inet:ssl:cert:
(1.2.3.4:443, guid:d41d8cd98f00b204e9800998ecf8427e)
The type inet:ssl:cert has the following options set:
- fields:
(('server', 'inet:server'), ('file', 'file:bytes'))
inet:url:mirror¶
A URL mirror site.
The inet:url:mirror type is derived from the base type: comp.
The type inet:url:mirror has the following options set:
- fields:
(('of', 'inet:url'), ('at', 'inet:url'))
inet:urlfile¶
A file hosted at a specific Universal Resource Locator (URL).
The inet:urlfile type is derived from the base type: comp.
The type inet:urlfile has the following options set:
- fields:
(('url', 'inet:url'), ('file', 'file:bytes'))
inet:urlredir¶
A URL that redirects to another URL, such as via a URL shortening service or an HTTP 302 response.
The inet:urlredir type is derived from the base type: comp.
An example of inet:urlredir:
(http://foo.com/,http://bar.com/)
The type inet:urlredir has the following options set:
- fields:
(('src', 'inet:url'), ('dst', 'inet:url'))
inet:user¶
A username string.
The inet:user type is derived from the base type: str.
The type inet:user has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
False
inet:web:acct¶
An account with a given Internet-based site or service.
The inet:web:acct type is derived from the base type: comp.
An example of inet:web:acct:
twitter.com/invisig0th
The type inet:web:acct has the following options set:
- fields:
(('site', 'inet:fqdn'), ('user', 'inet:user'))- sepr:
/
inet:web:action¶
An instance of an account performing an action at an Internet-based site or service.
The inet:web:action type is derived from the base type: guid.
inet:web:chprofile¶
A change to a web account. Used to capture historical properties associated with an account, as opposed to current data in the inet:web:acct node.
The inet:web:chprofile type is derived from the base type: guid.
inet:web:file¶
A file posted by a web account.
The inet:web:file type is derived from the base type: comp.
The type inet:web:file has the following options set:
- fields:
(('acct', 'inet:web:acct'), ('file', 'file:bytes'))
inet:web:follows¶
A web account follows or is connected to another web account.
The inet:web:follows type is derived from the base type: comp.
The type inet:web:follows has the following options set:
- fields:
(('follower', 'inet:web:acct'), ('followee', 'inet:web:acct'))
inet:web:group¶
A group hosted within or registered with a given Internet-based site or service.
The inet:web:group type is derived from the base type: comp.
An example of inet:web:group:
somesite.com/mycoolgroup
The type inet:web:group has the following options set:
- fields:
(('site', 'inet:fqdn'), ('id', 'inet:group'))- sepr:
/
inet:web:hashtag¶
A hashtag used in a web post.
The inet:web:hashtag type is derived from the base type: str.
The type inet:web:hashtag has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
^#[\w]+$- replace:
()- strip:
False
inet:web:logon¶
An instance of an account authenticating to an Internet-based site or service.
The inet:web:logon type is derived from the base type: guid.
inet:web:memb¶
A web account that is a member of a web group.
The inet:web:memb type is derived from the base type: comp.
The type inet:web:memb has the following options set:
- fields:
(('acct', 'inet:web:acct'), ('group', 'inet:web:group'))
inet:web:mesg¶
A message sent from one web account to another web account.
The inet:web:mesg type is derived from the base type: comp.
An example of inet:web:mesg:
((twitter.com, invisig0th), (twitter.com, gobbles), 20041012130220)
The type inet:web:mesg has the following options set:
- fields:
(('from', 'inet:web:acct'), ('to', 'inet:web:acct'), ('time', 'time'))
inet:web:post¶
A post made by a web account.
The inet:web:post type is derived from the base type: guid.
inet:whois:contact¶
An individual contact from a domain whois record.
The inet:whois:contact type is derived from the base type: comp.
The type inet:whois:contact has the following options set:
- fields:
(('rec', 'inet:whois:rec'), ('type', ('str', {'lower': True})))
inet:whois:email¶
An email address associated with an FQDN via whois registration text.
The inet:whois:email type is derived from the base type: comp.
The type inet:whois:email has the following options set:
- fields:
(('fqdn', 'inet:fqdn'), ('email', 'inet:email'))
inet:whois:ipcontact¶
An individual contact from an IP block record.
The inet:whois:ipcontact type is derived from the base type: guid.
inet:whois:ipquery¶
Query details used to retrieve an IP record.
The inet:whois:ipquery type is derived from the base type: guid.
inet:whois:iprec¶
An IPv4/IPv6 block registration record.
The inet:whois:iprec type is derived from the base type: guid.
inet:whois:rar¶
A domain registrar.
The inet:whois:rar type is derived from the base type: str.
An example of inet:whois:rar:
godaddy, inc.
The type inet:whois:rar has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
False
inet:whois:rec¶
A domain whois record.
The inet:whois:rec type is derived from the base type: comp.
The type inet:whois:rec has the following options set:
- fields:
(('fqdn', 'inet:fqdn'), ('asof', 'time'))
inet:whois:recns¶
A nameserver associated with a domain whois record.
The inet:whois:recns type is derived from the base type: comp.
The type inet:whois:recns has the following options set:
- fields:
(('ns', 'inet:fqdn'), ('rec', 'inet:whois:rec'))
inet:whois:reg¶
A domain registrant.
The inet:whois:reg type is derived from the base type: str.
An example of inet:whois:reg:
woot hostmaster
The type inet:whois:reg has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
False
inet:whois:regid¶
The registry unique identifier of the registration record.
The inet:whois:regid type is derived from the base type: str.
An example of inet:whois:regid:
NET-10-0-0-0-1
The type inet:whois:regid has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
inet:wifi:ap¶
An SSID/MAC address combination for a wireless access point.
The inet:wifi:ap type is derived from the base type: comp.
The type inet:wifi:ap has the following options set:
- fields:
(('ssid', 'inet:wifi:ssid'), ('bssid', 'inet:mac'))
inet:wifi:ssid¶
A WiFi service set identifier (SSID) name.
The inet:wifi:ssid type is derived from the base type: str.
An example of inet:wifi:ssid:
The Vertex Project
The type inet:wifi:ssid has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
iso:3166:cc¶
An ISO 3166 2 digit country code.
The iso:3166:cc type is derived from the base type: str.
The type iso:3166:cc has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
^[a-z]{2}$- replace:
()- strip:
False
iso:oid¶
An ISO Object Identifier string.
The iso:oid type is derived from the base type: str.
The type iso:oid has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^([0-2])((\.0)|(\.[1-9][0-9]*))*$- replace:
()- strip:
False
it:account¶
A GUID that represents an account on a host or network.
The it:account type is derived from the base type: guid.
it:adid¶
An advertising identification string.
The it:adid type is derived from the base type: str.
The type it:adid has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
True
it:app:snort:hit¶
An instance of a snort rule hit.
The it:app:snort:hit type is derived from the base type: guid.
it:app:snort:rule¶
A snort rule unique identifier.
The it:app:snort:rule type is derived from the base type: guid.
it:app:yara:match¶
A yara rule match to a file.
The it:app:yara:match type is derived from the base type: comp.
The type it:app:yara:match has the following options set:
- fields:
(('rule', 'it:app:yara:rule'), ('file', 'file:bytes'))
it:app:yara:rule¶
A yara rule unique identifier.
The it:app:yara:rule type is derived from the base type: guid.
it:auth:passwdhash¶
An instance of a password hash.
The it:auth:passwdhash type is derived from the base type: guid.
it:av:filehit¶
A file that triggered an alert on a specific antivirus signature.
The it:av:filehit type is derived from the base type: comp.
The type it:av:filehit has the following options set:
- fields:
(('file', 'file:bytes'), ('sig', 'it:av:sig'))
it:av:sig¶
A signature name within the namespace of an antivirus engine name.
The it:av:sig type is derived from the base type: comp.
The type it:av:sig has the following options set:
- fields:
(('soft', 'it:prod:soft'), ('name', ('str', {'lower': True})))
it:cmd¶
A unique command-line string.
The it:cmd type is derived from the base type: str.
An example of it:cmd:
foo.exe --dostuff bar
The type it:cmd has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
True
it:dev:int¶
A developer selected integer constant.
The it:dev:int type is derived from the base type: int.
The type it:dev:int has the following options set:
- fmt:
%d- ismax:
False- ismin:
False- max:
None- min:
None- signed:
True- size:
8
it:dev:mutex¶
A string representing a mutex.
The it:dev:mutex type is derived from the base type: str.
The type it:dev:mutex has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
it:dev:pipe¶
A string representing a named pipe.
The it:dev:pipe type is derived from the base type: str.
The type it:dev:pipe has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
it:dev:regkey¶
A Windows registry key.
The it:dev:regkey type is derived from the base type: str.
An example of it:dev:regkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The type it:dev:regkey has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
it:dev:regval¶
A Windows registry key/value pair.
The it:dev:regval type is derived from the base type: guid.
it:dev:str¶
A developer-selected string.
The it:dev:str type is derived from the base type: str.
The type it:dev:str has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
it:domain¶
A logical boundary of authentication and configuration such as a windows domain.
The it:domain type is derived from the base type: guid.
it:exec:bind¶
An instance of a host binding a listening port.
The it:exec:bind type is derived from the base type: guid.
it:exec:file:add¶
An instance of a host adding a file to a filesystem.
The it:exec:file:add type is derived from the base type: guid.
it:exec:file:del¶
An instance of a host deleting a file from a filesystem.
The it:exec:file:del type is derived from the base type: guid.
it:exec:file:read¶
An instance of a host reading a file from a filesystem.
The it:exec:file:read type is derived from the base type: guid.
it:exec:file:write¶
An instance of a host writing a file to a filesystem.
The it:exec:file:write type is derived from the base type: guid.
it:exec:mutex¶
A mutex created by a process at runtime.
The it:exec:mutex type is derived from the base type: guid.
it:exec:pipe¶
A named pipe created by a process at runtime.
The it:exec:pipe type is derived from the base type: guid.
it:exec:proc¶
A process executing on a host. May be an actual (e.g., endpoint) or virtual (e.g., malware sandbox) host.
The it:exec:proc type is derived from the base type: guid.
it:exec:reg:del¶
An instance of a host deleting a registry key.
The it:exec:reg:del type is derived from the base type: guid.
it:exec:reg:get¶
An instance of a host getting a registry key.
The it:exec:reg:get type is derived from the base type: guid.
it:exec:reg:set¶
An instance of a host creating or setting a registry key.
The it:exec:reg:set type is derived from the base type: guid.
it:exec:url¶
An instance of a host requesting a URL.
The it:exec:url type is derived from the base type: guid.
it:fs:file¶
A file on a host.
The it:fs:file type is derived from the base type: guid.
it:group¶
A GUID that represents a group on a host or network.
The it:group type is derived from the base type: guid.
it:host¶
A GUID that represents a host or system.
The it:host type is derived from the base type: guid.
it:hostname¶
The name of a host or system.
The it:hostname type is derived from the base type: str.
The type it:hostname has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
True
it:hostsoft¶
A version of a software product which is present on a given host.
The it:hostsoft type is derived from the base type: comp.
The type it:hostsoft has the following options set:
- fields:
(('host', 'it:host'), ('softver', 'it:prod:softver'))
it:hosturl¶
A url hosted on or served by a host or system.
The it:hosturl type is derived from the base type: comp.
The type it:hosturl has the following options set:
- fields:
(('host', 'it:host'), ('url', 'inet:url'))
it:log:event¶
A GUID representing an individual log event.
The it:log:event type is derived from the base type: guid.
it:logon¶
A GUID that represents an individual logon/logoff event.
The it:logon type is derived from the base type: guid.
it:mitre:attack:group¶
A Mitre ATT&CK Group ID.
The it:mitre:attack:group type is derived from the base type: str.
An example of it:mitre:attack:group:
G0100
The type it:mitre:attack:group has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^G[0-9]{4}$- replace:
()- strip:
False
it:mitre:attack:mitigation¶
A Mitre ATT&CK Mitigation ID.
The it:mitre:attack:mitigation type is derived from the base type: str.
An example of it:mitre:attack:mitigation:
M1036
The type it:mitre:attack:mitigation has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^M[0-9]{4}$- replace:
()- strip:
False
it:mitre:attack:software¶
A Mitre ATT&CK Software ID.
The it:mitre:attack:software type is derived from the base type: str.
An example of it:mitre:attack:software:
S0154
The type it:mitre:attack:software has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^S[0-9]{4}$- replace:
()- strip:
False
it:mitre:attack:status¶
A Mitre ATT&CK element status.
The it:mitre:attack:status type is derived from the base type: str.
An example of it:mitre:attack:status:
current
The type it:mitre:attack:status has the following options set:
enums:
valu current deprecated withdrawn globsuffix:
Falselower:
Falseonespace:
Falseregex:
Nonereplace:
()strip:
False
it:mitre:attack:tactic¶
A Mitre ATT&CK Tactic ID.
The it:mitre:attack:tactic type is derived from the base type: str.
An example of it:mitre:attack:tactic:
TA0040
The type it:mitre:attack:tactic has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^TA[0-9]{4}$- replace:
()- strip:
False
it:mitre:attack:technique¶
A Mitre ATT&CK Technique ID.
The it:mitre:attack:technique type is derived from the base type: str.
An example of it:mitre:attack:technique:
T1548
The type it:mitre:attack:technique has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^T[0-9]{4}(.[0-9]{3})?$- replace:
()- strip:
False
it:network¶
A GUID that represents a logical network.
The it:network type is derived from the base type: guid.
it:os:android:aaid¶
An android advertising identification string.
The it:os:android:aaid type is derived from the base type: it:adid.
The type it:os:android:aaid has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
True
it:os:android:ibroadcast¶
The given software broadcasts the given Android intent.
The it:os:android:ibroadcast type is derived from the base type: comp.
The type it:os:android:ibroadcast has the following options set:
- fields:
(('app', 'it:prod:soft'), ('intent', 'it:os:android:intent'))
it:os:android:ilisten¶
The given software listens for an android intent.
The it:os:android:ilisten type is derived from the base type: comp.
The type it:os:android:ilisten has the following options set:
- fields:
(('app', 'it:prod:soft'), ('intent', 'it:os:android:intent'))
it:os:android:intent¶
An android intent string.
The it:os:android:intent type is derived from the base type: str.
The type it:os:android:intent has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
it:os:android:perm¶
An android permission string.
The it:os:android:perm type is derived from the base type: str.
The type it:os:android:perm has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
it:os:android:reqperm¶
The given software requests the android permission.
The it:os:android:reqperm type is derived from the base type: comp.
The type it:os:android:reqperm has the following options set:
- fields:
(('app', 'it:prod:soft'), ('perm', 'it:os:android:perm'))
it:os:ios:idfa¶
An iOS advertising identification string.
The it:os:ios:idfa type is derived from the base type: it:adid.
The type it:os:ios:idfa has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
True
it:os:windows:sid¶
A Microsoft Windows Security Identifier.
The it:os:windows:sid type is derived from the base type: str.
An example of it:os:windows:sid:
S-1-5-21-1220945662-1202665555-839525555-5555
The type it:os:windows:sid has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^S-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3}$- replace:
()- strip:
False
it:prod:soft¶
A arbitrary, unversioned software product.
The it:prod:soft type is derived from the base type: guid.
it:prod:softfile¶
A file is distributed by a specific software version.
The it:prod:softfile type is derived from the base type: comp.
The type it:prod:softfile has the following options set:
- fields:
(('soft', 'it:prod:softver'), ('file', 'file:bytes'))
it:prod:softlib¶
A software version contains a library software version.
The it:prod:softlib type is derived from the base type: comp.
The type it:prod:softlib has the following options set:
- fields:
(('soft', 'it:prod:softver'), ('lib', 'it:prod:softver'))
it:prod:softos¶
The software version is known to be compatible with the given os software version.
The it:prod:softos type is derived from the base type: comp.
The type it:prod:softos has the following options set:
- fields:
(('soft', 'it:prod:softver'), ('os', 'it:prod:softver'))
it:prod:softver¶
A specific version of a software product.
The it:prod:softver type is derived from the base type: guid.
it:reveng:filefunc¶
An instance of a function in an executable.
The it:reveng:filefunc type is derived from the base type: comp.
The type it:reveng:filefunc has the following options set:
- fields:
(('file', 'file:bytes'), ('function', 'it:reveng:function'))
it:reveng:funcstr¶
A reference to a string inside a function.
The it:reveng:funcstr type is derived from the base type: comp.
The type it:reveng:funcstr has the following options set:
- fields:
(('function', 'it:reveng:function'), ('string', 'str'))
it:reveng:function¶
A function inside an executable.
The it:reveng:function type is derived from the base type: guid.
it:reveng:impfunc¶
A function from an imported library.
The it:reveng:impfunc type is derived from the base type: str.
The type it:reveng:impfunc has the following options set:
- globsuffix:
False- lower:
1- onespace:
False- regex:
None- replace:
()- strip:
False
it:sec:cve¶
A vulnerability as designated by a Common Vulnerabilities and Exposures (CVE) number.
The it:sec:cve type is derived from the base type: str.
An example of it:sec:cve:
cve-2012-0158
The type it:sec:cve has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
(?i)^CVE-[0-9]{4}-[0-9]{4,}$- replace:
()- strip:
False
it:sec:cwe¶
NIST NVD Common Weaknesses Enumeration Specification.
The it:sec:cwe type is derived from the base type: str.
An example of it:sec:cwe:
CWE-120
The type it:sec:cwe has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^CWE-[0-9]{1,8}$- replace:
()- strip:
False
lang:code¶
An optionally 2 part language code.
The lang:code type is derived from the base type: str.
An example of lang:code:
pt.br
The type lang:code has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
^[a-z]{2}(.[a-z]{2})?$- replace:
()- strip:
False
lang:idiom¶
Deprecated. Please use lang:translation.
The lang:idiom type is derived from the base type: str.
The type lang:idiom has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
lang:trans¶
Deprecated. Please use lang:translation.
The lang:trans type is derived from the base type: str.
The type lang:trans has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
lang:translation¶
A translation of text from one language to another.
The lang:translation type is derived from the base type: guid.
mat:item¶
A GUID assigned to a material object.
The mat:item type is derived from the base type: guid.
mat:itemimage¶
The base type for compound node fields.
The mat:itemimage type is derived from the base type: comp.
The type mat:itemimage has the following options set:
- fields:
(('item', 'mat:item'), ('file', 'file:bytes'))
mat:spec¶
A GUID assigned to a material specification.
The mat:spec type is derived from the base type: guid.
mat:specimage¶
The base type for compound node fields.
The mat:specimage type is derived from the base type: comp.
The type mat:specimage has the following options set:
- fields:
(('spec', 'mat:spec'), ('file', 'file:bytes'))
media:news¶
A GUID for a news article or report.
The media:news type is derived from the base type: guid.
meta:seen¶
Annotates that the data in a node was obtained from or observed by a given source.
The meta:seen type is derived from the base type: comp.
The type meta:seen has the following options set:
- fields:
(('source', 'meta:source'), ('node', 'ndef'))
meta:source¶
A data source unique identifier.
The meta:source type is derived from the base type: guid.
ou:alias¶
An alias for the org GUID.
The ou:alias type is derived from the base type: str.
An example of ou:alias:
vertexproject
The type ou:alias has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
^[0-9a-z_]+$- replace:
()- strip:
False
ou:attendee¶
A node representing a person attending a meeting, conference, or event.
The ou:attendee type is derived from the base type: guid.
ou:award¶
An award issued by an organization.
The ou:award type is derived from the base type: guid.
ou:campaign¶
Represents an orgs activity in pursuit of a goal.
The ou:campaign type is derived from the base type: guid.
ou:conference¶
A conference with a name and sponsoring org.
The ou:conference type is derived from the base type: guid.
ou:conference:attendee¶
Deprecated. Please use ou:attendee.
The ou:conference:attendee type is derived from the base type: comp.
The type ou:conference:attendee has the following options set:
- fields:
(('conference', 'ou:conference'), ('person', 'ps:person'))
ou:conference:event¶
A conference event with a name and associated conference.
The ou:conference:event type is derived from the base type: guid.
ou:conference:event:attendee¶
Deprecated. Please use ou:attendee.
The ou:conference:event:attendee type is derived from the base type: comp.
The type ou:conference:event:attendee has the following options set:
- fields:
(('conference', 'ou:conference:event'), ('person', 'ps:person'))
ou:contest¶
A competitive event resulting in a ranked set of participants.
The ou:contest type is derived from the base type: guid.
ou:contest:result¶
The results from a single contest participant.
The ou:contest:result type is derived from the base type: comp.
The type ou:contest:result has the following options set:
- fields:
(('contest', 'ou:contest'), ('participant', 'ps:contact'))
ou:contract¶
An contract between multiple entities.
The ou:contract type is derived from the base type: guid.
ou:contract:type¶
A pre-defined set of contract types.
The ou:contract:type type is derived from the base type: str.
The type ou:contract:type has the following options set:
- enum:
('nda', 'other', 'grant', 'treaty', 'purchase', 'indemnity', 'partnership')- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
False
ou:goal¶
An assessed or stated goal which may be abstract or org specific.
The ou:goal type is derived from the base type: guid.
ou:hasalias¶
The knowledge that an organization has an alias.
The ou:hasalias type is derived from the base type: comp.
The type ou:hasalias has the following options set:
- fields:
(('org', 'ou:org'), ('alias', 'ou:alias'))
ou:hasgoal¶
An org has an assessed or stated goal.
The ou:hasgoal type is derived from the base type: comp.
The type ou:hasgoal has the following options set:
- fields:
(('org', 'ou:org'), ('goal', 'ou:goal'))
ou:id:number¶
A unique id number issued by a specific organization.
The ou:id:number type is derived from the base type: comp.
The type ou:id:number has the following options set:
- fields:
(('type', 'ou:id:type'), ('value', 'ou:id:value'))
ou:id:type¶
A type of id number issued by an org.
The ou:id:type type is derived from the base type: guid.
ou:id:update¶
A status update to an org:id:number.
The ou:id:update type is derived from the base type: guid.
ou:id:value¶
The value of an org:id:number.
The ou:id:value type is derived from the base type: str.
The type ou:id:value has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
True
ou:industry¶
An industry classification type.
The ou:industry type is derived from the base type: guid.
ou:isic¶
An International Standard Industrial Classification of All Economic Activities (ISIC) code.
The ou:isic type is derived from the base type: str.
An example of ou:isic:
C1393
The type ou:isic has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^[A-Z]([0-9]{2}[0-9]{0,2})?$- replace:
()- strip:
False
ou:meet¶
An informal meeting of people which has no title or sponsor. See also: ou:conference.
The ou:meet type is derived from the base type: guid.
ou:meet:attendee¶
Deprecated. Please use ou:attendee.
The ou:meet:attendee type is derived from the base type: comp.
The type ou:meet:attendee has the following options set:
- fields:
(('meet', 'ou:meet'), ('person', 'ps:person'))
ou:member¶
Deprecated. Please use ou:position.
The ou:member type is derived from the base type: comp.
The type ou:member has the following options set:
- fields:
(('org', 'ou:org'), ('person', 'ps:person'))
ou:naics¶
The five or six digit North American Industry Classification System code.
The ou:naics type is derived from the base type: str.
An example of ou:naics:
541715
The type ou:naics has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^[1-9][0-9]{4}[0-9]?$- replace:
()- strip:
False
ou:name¶
The name of an organization. This may be a formal name or informal name of the organization.
The ou:name type is derived from the base type: str.
An example of ou:name:
acme corporation
The type ou:name has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
True
ou:org¶
A GUID for a human organization such as a company or military unit.
The ou:org type is derived from the base type: guid.
ou:org:has¶
An org owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.
The ou:org:has type is derived from the base type: comp.
The type ou:org:has has the following options set:
- fields:
(('org', 'ou:org'), ('node', 'ndef'))
ou:orgnet4¶
An organization’s IPv4 netblock.
The ou:orgnet4 type is derived from the base type: comp.
The type ou:orgnet4 has the following options set:
- fields:
(('org', 'ou:org'), ('net', 'inet:net4'))
ou:orgnet6¶
An organization’s IPv6 netblock.
The ou:orgnet6 type is derived from the base type: comp.
The type ou:orgnet6 has the following options set:
- fields:
(('org', 'ou:org'), ('net', 'inet:net6'))
ou:position¶
A position within an org. May be organized into an org chart.
The ou:position type is derived from the base type: guid.
ou:preso¶
A webinar, conference talk, or other type of presentation.
The ou:preso type is derived from the base type: guid.
ou:role¶
A named role when participating in an event.
The ou:role type is derived from the base type: str.
An example of ou:role:
staff
The type ou:role has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
^\w+$- replace:
()- strip:
False
ou:sic¶
The four digit Standard Industrial Classification Code.
The ou:sic type is derived from the base type: str.
An example of ou:sic:
0111
The type ou:sic has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^[0-9]{4}$- replace:
()- strip:
False
ou:suborg¶
Any parent/child relationship between two orgs. May represent ownership, organizational structure, etc.
The ou:suborg type is derived from the base type: comp.
The type ou:suborg has the following options set:
- fields:
(('org', 'ou:org'), ('sub', 'ou:org'))
ou:user¶
A user name within an organization.
The ou:user type is derived from the base type: comp.
The type ou:user has the following options set:
- fields:
(('org', 'ou:org'), ('user', 'inet:user'))
pe:langid¶
The PE language id.
The pe:langid type is derived from the base type: int.
The type pe:langid has the following options set:
enums:
int valu 0 neutral 4 zh-Hans 26 hr 127 invariant 1024 default 1025 ar-SA 1026 bg-BG 1027 ca-ES 1029 cs-CZ 1030 da-DK 1031 de-DE 1032 el-GR 1033 en-US 1034 es-ES-traditional 1035 fi-FI 1036 fr-FR 1037 he-IL 1038 hu-HU 1039 is-IS 1040 it-IT 1041 ja-JP 1042 ko-KR 1043 nl-NL 1044 nb-NO 1045 pl-PL 1046 pt-BR 1047 rm-CH 1048 ro-RO 1049 ru-RU 1050 hr-HR 1051 sk-SK 1052 sq-AL 1053 sv-SE 1054 th-TH 1055 tr-TR 1056 ur-PK 1057 id-ID 1058 uk-UA 1059 be-BY 1060 sl-SI 1061 et-EE 1062 lv-LV 1063 lt-LT 1064 tg-TJ 1065 fa-IR 1066 vi-VN 1067 hy-AM 1068 az-AZ-Latin 1069 Basque-Basque 1070 hsb-DE 1071 mk-MK 1074 tn-ZA 1076 xh-ZA 1077 zu-ZA 1078 af-ZA 1079 ka-GE 1080 fo-FO 1081 hi-IN 1082 mt-MT 1083 se-NO 1086 ms-MY 1087 kk-KZ 1088 ky-KG 1089 sw-KE 1090 tk-TM 1091 uz-UZ-Latin 1092 tt-RU 1093 bn-Bangledesh 1094 pa-IN 1095 gu-IN 1096 or-IN 1097 ta-IN 1098 te-IN 1099 kn-IN 1100 ml-IN 1101 as-IN 1102 mr-IN 1103 sa-IN 1104 mn-MN-Cyrllic 1105 bo-CN 1106 cy-GB 1107 kh-KH 1108 lo-LA 1110 gl-ES 1111 kok-IN 1114 syr-SY 1115 si-LK 1116 chr-Cher 1117 iu-CA 1118 am-ET 1121 ne-NP 1122 fy-NL 1123 ps-AF 1124 fil-PH 1125 dv-MV 1128 ha-NG 1130 yo-NG 1131 quz-BO 1132 nso-ZA 1133 ba-RU 1134 lb-LU 1135 kl-GL 1136 ig-NG 1139 ti-ET 1141 haw-US 1144 ii-CN 1146 arn-CL 1148 moh-CA 1150 br-FR 1152 ug-CN 1153 mi-NZ 1154 oc-FR 1155 co-FR 1156 gsw-FR 1157 sah-RU 1158 qut-GT 1159 rw-RW 1160 wo-SN 1164 prs-AF 1170 ku-IQ 2048 sys default 2049 ar-IQ 2051 ca-ES-Valencia 2055 de-CH 2057 en-GB 2058 es-MX 2060 fr-BE 2064 it-CH 2067 nl-BE 2068 no-NO 2070 pt-PT 2074 sr-CS-Latin 2077 sv-FI 2080 ur-IN 2092 az-AZ-Cyrillic 2094 dsb-DE 2098 tn-BW 2107 se-SE 2108 ga-IE 2110 ms-BN 2115 uz-UZ-Cyrillic 2117 bn-IN 2118 pa-PK 2121 ta-LK 2128 mn-MN-Prc 2137 sd-PK 2141 iu-CA-Latin 2143 tzm-DZ 2151 ff-SN 2155 quz-EC 2163 ti-ER 3072 custom default 3073 ar-EG 3076 zh-HK 3079 de-AT 3081 en-AU 3082 es-ES-modern 3084 fr-CA 3098 sr-CS-Cyrillic 3131 se-FI 3179 quz-PE 4096 custom unspecified 4097 ar-LY 4100 zh-SG 4103 de-LU 4105 en-CA 4106 es-GT 4108 fr-CH 4122 hr-BA 4155 smj-NO 5120 ui_custom_default 5121 ar-DZ 5124 zh-MO 5127 de-LI 5129 en-NZ 5130 es-CR 5132 fr-LU 5146 bs-BA-Latin 5179 smj-SE 6145 ar-MA 6153 en-IE 6154 es-PA 6156 fr-MC 6170 sr-code-Latin 6203 sma-NO 7169 ar-TN 7177 en-ZA 7178 es-DO 7194 sr-BA 7227 sma-SE 8193 ar-OM 8201 en-JM 8202 es-VE 8218 bs-BA-Cyrillic 8251 sms-FI 9217 ar-YE 9225 en-029 9226 es-CO 9275 smn-FIl 10241 ar-SY 10249 en-BZ 10250 es-PE 11265 ar-JO 11273 en-TT 11274 es-AR 12289 ar-LB 12297 en-ZW 12298 es-EC 13313 ar-KW 13321 en-PH 13322 es-CL 14337 ar-AE 14346 es-UY 15361 ar-BH 15370 es-PY 16385 ar-QA 16393 en-IN 16394 es-BO 17417 en-MY 17418 es-SV 18441 en-SG 18442 es-HN 19466 es-NI 20490 es-PR 21514 es-US 30746 bs-neutral 31748 zh-Hant 31770 sr-Neutral fmt:
%dismax:
Falseismin:
Falsemax:
Nonemin:
Nonesigned:
Truesize:
8
pe:resource:type¶
The typecode for the resource.
The pe:resource:type type is derived from the base type: int.
The type pe:resource:type has the following options set:
enums:
int valu 1 RT_CURSOR 2 RT_BITMAP 3 RT_ICON 4 RT_MENU 5 RT_DIALOG 6 RT_STRING 7 RT_FONTDIR 8 RT_FONT 9 RT_ACCELERATOR 10 RT_RCDATA 11 RT_MESSAGETABLE 12 RT_GROUP_CURSOR 14 RT_GROUP_ICON 16 RT_VERSION 17 RT_DLGINCLUDE 19 RT_PLUGPLAY 20 RT_VXD 21 RT_ANICURSOR 22 RT_ANIICON 23 RT_HTML 24 RT_MANIFEST fmt:
%dismax:
Falseismin:
Falsemax:
Nonemin:
Nonesigned:
Truesize:
8
pol:country¶
A GUID for a country.
The pol:country type is derived from the base type: guid.
pol:iso2¶
The 2 digit ISO country code.
The pol:iso2 type is derived from the base type: str.
An example of pol:iso2:
us
The type pol:iso2 has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
^[a-z0-9]{2}$- replace:
()- strip:
False
pol:iso3¶
The 3 digit ISO country code.
The pol:iso3 type is derived from the base type: str.
An example of pol:iso3:
usa
The type pol:iso3 has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
^[a-z0-9]{3}$- replace:
()- strip:
False
pol:isonum¶
The ISO integer country code.
The pol:isonum type is derived from the base type: int.
An example of pol:isonum:
840
The type pol:isonum has the following options set:
- fmt:
%d- ismax:
False- ismin:
False- max:
None- min:
None- signed:
True- size:
8
proj:comment¶
The base GUID type.
The proj:comment type is derived from the base type: guid.
proj:epic¶
The base GUID type.
The proj:epic type is derived from the base type: guid.
proj:project¶
The base GUID type.
The proj:project type is derived from the base type: guid.
proj:sprint¶
The base GUID type.
The proj:sprint type is derived from the base type: guid.
proj:ticket¶
The base GUID type.
The proj:ticket type is derived from the base type: guid.
ps:achievement¶
An instance of an individual receiving an award.
The ps:achievement type is derived from the base type: guid.
ps:contact¶
A GUID for a contact info record.
The ps:contact type is derived from the base type: guid.
ps:contactlist¶
A GUID for a list of associated contacts.
The ps:contactlist type is derived from the base type: guid.
ps:education¶
A period of education for an individual.
The ps:education type is derived from the base type: guid.
ps:name¶
An arbitrary, lower spaced string with normalized whitespace.
The ps:name type is derived from the base type: str.
An example of ps:name:
robert grey
The type ps:name has the following options set:
- globsuffix:
False- lower:
True- onespace:
True- regex:
None- replace:
()- strip:
False
ps:person¶
A GUID for a person.
The ps:person type is derived from the base type: guid.
ps:person:has¶
A person owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.
The ps:person:has type is derived from the base type: comp.
The type ps:person:has has the following options set:
- fields:
(('person', 'ps:person'), ('node', 'ndef'))
ps:persona¶
A GUID for a suspected person.
The ps:persona type is derived from the base type: guid.
ps:persona:has¶
A persona owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.
The ps:persona:has type is derived from the base type: comp.
The type ps:persona:has has the following options set:
- fields:
(('persona', 'ps:persona'), ('node', 'ndef'))
ps:tokn¶
A single name element (potentially given or sur).
The ps:tokn type is derived from the base type: str.
An example of ps:tokn:
robert
The type ps:tokn has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
True
risk:attack¶
An instance of an actor attacking a target.
The risk:attack type is derived from the base type: guid.
risk:hasvuln¶
An instance of a vulnerability present in a target.
The risk:hasvuln type is derived from the base type: guid.
risk:vuln¶
A unique vulnerability.
The risk:vuln type is derived from the base type: guid.
rsa:key¶
An RSA keypair modulus and public exponent.
The rsa:key type is derived from the base type: comp.
The type rsa:key has the following options set:
- fields:
(('mod', 'hex'), ('pub:exp', 'int'))
syn:cmd¶
A Synapse storm command.
The syn:cmd type is derived from the base type: str.
The type syn:cmd has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
True
syn:cron¶
A Cortex cron job.
The syn:cron type is derived from the base type: guid.
syn:form¶
A Synapse form used for representing nodes in the graph.
The syn:form type is derived from the base type: str.
The type syn:form has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
True
syn:nodedata¶
A nodedata key and the form it may be present on.
The syn:nodedata type is derived from the base type: comp.
The type syn:nodedata has the following options set:
- fields:
(('key', 'str'), ('form', 'syn:form'))
syn:prop¶
A Synapse property.
The syn:prop type is derived from the base type: str.
The type syn:prop has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
True
syn:role¶
A Synapse role GUID.
The syn:role type is derived from the base type: guid.
The type syn:role has the following options set:
- strip:
True
syn:splice¶
A splice from a layer.
The syn:splice type is derived from the base type: guid.
The type syn:splice has the following options set:
- strip:
True
syn:tagprop¶
A user defined tag property.
The syn:tagprop type is derived from the base type: str.
The type syn:tagprop has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
True
syn:trigger¶
A Cortex trigger.
The syn:trigger type is derived from the base type: guid.
syn:type¶
A Synapse type used for normalizing nodes and properties.
The syn:type type is derived from the base type: str.
The type syn:type has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
None- replace:
()- strip:
True
syn:user¶
A Synapse user GUID.
The syn:user type is derived from the base type: guid.
The type syn:user has the following options set:
- strip:
True
tel:call¶
A guid for a telephone call record.
The tel:call type is derived from the base type: guid.
tel:mob:carrier¶
The fusion of a MCC/MNC.
The tel:mob:carrier type is derived from the base type: comp.
The type tel:mob:carrier has the following options set:
- fields:
(('mcc', 'tel:mob:mcc'), ('mnc', 'tel:mob:mnc'))
tel:mob:cell¶
A mobile cell site which a phone may connect to.
The tel:mob:cell type is derived from the base type: comp.
The type tel:mob:cell has the following options set:
- fields:
(('carrier', 'tel:mob:carrier'), ('lac', ('int', {})), ('cid', ('int', {})))
tel:mob:imid¶
Fused knowledge of an IMEI/IMSI used together.
The tel:mob:imid type is derived from the base type: comp.
An example of tel:mob:imid:
(490154203237518, 310150123456789)
The type tel:mob:imid has the following options set:
- fields:
(('imei', 'tel:mob:imei'), ('imsi', 'tel:mob:imsi'))
tel:mob:imsiphone¶
Fused knowledge of an IMSI assigned phone number.
The tel:mob:imsiphone type is derived from the base type: comp.
An example of tel:mob:imsiphone:
(310150123456789, "+7(495) 124-59-83")
The type tel:mob:imsiphone has the following options set:
- fields:
(('imsi', 'tel:mob:imsi'), ('phone', 'tel:phone'))
tel:mob:mcc¶
ITU Mobile Country Code.
The tel:mob:mcc type is derived from the base type: str.
The type tel:mob:mcc has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^[0-9]{3}$- replace:
()- strip:
1
tel:mob:mnc¶
ITU Mobile Network Code.
The tel:mob:mnc type is derived from the base type: str.
The type tel:mob:mnc has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
^[0-9]{2,3}$- replace:
()- strip:
1
tel:mob:tac¶
A mobile Type Allocation Code.
The tel:mob:tac type is derived from the base type: int.
An example of tel:mob:tac:
49015420
The type tel:mob:tac has the following options set:
- fmt:
%d- ismax:
False- ismin:
False- max:
None- min:
None- signed:
True- size:
8
tel:mob:telem¶
A single mobile telemetry measurement.
The tel:mob:telem type is derived from the base type: guid.
tel:txtmesg¶
A guid for an individual text message.
The tel:txtmesg type is derived from the base type: guid.
transport:air:craft¶
An individual aircraft.
The transport:air:craft type is derived from the base type: guid.
transport:air:flight¶
An individual instance of a flight.
The transport:air:flight type is derived from the base type: guid.
transport:air:flightnum¶
A commercial flight designator including airline and serial.
The transport:air:flightnum type is derived from the base type: str.
An example of transport:air:flightnum:
ua2437
The type transport:air:flightnum has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
^[a-z]{2}[0-9]{1,4}$- replace:
((' ', ''),)- strip:
True
transport:air:occupant¶
An occupant of a specific flight.
The transport:air:occupant type is derived from the base type: guid.
transport:air:port¶
An IATA assigned airport code.
The transport:air:port type is derived from the base type: str.
The type transport:air:port has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
None- replace:
()- strip:
False
transport:air:tailnum¶
An aircraft registration number or military aircraft serial number.
The transport:air:tailnum type is derived from the base type: str.
An example of transport:air:tailnum:
ff023
The type transport:air:tailnum has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
^[a-z0-9-]{2,}$- replace:
()- strip:
True
transport:air:telem¶
A telemtry sample from an aircraft in transit.
The transport:air:telem type is derived from the base type: guid.
transport:sea:imo¶
An International Maritime Organization registration number.
The transport:sea:imo type is derived from the base type: str.
The type transport:sea:imo has the following options set:
- globsuffix:
False- lower:
True- onespace:
False- regex:
^imo[0-9]{7}$- replace:
((' ', ''),)- strip:
True
transport:sea:mmsi¶
A Maritime Mobile Service Identifier.
The transport:sea:mmsi type is derived from the base type: str.
The type transport:sea:mmsi has the following options set:
- globsuffix:
False- lower:
False- onespace:
False- regex:
[0-9]{9}- replace:
()- strip:
False
transport:sea:telem¶
A telemetry sample from a vessel in transit.
The transport:sea:telem type is derived from the base type: guid.
transport:sea:vessel¶
An individual sea vessel.
The transport:sea:vessel type is derived from the base type: guid.