Synapse Data Model - Types

Base Types

Base types are defined via Python classes.

array

A typed array which indexes each field. It is implemented by the following class: synapse.lib.types.Array.

The base type array has the following default options set:

• type: int

bool

The base boolean type. It is implemented by the following class: synapse.lib.types.Bool.

comp

The base type for compound node fields. It is implemented by the following class: synapse.lib.types.Comp.

cvss:v2

A CVSS v2 vector string. It is implemented by the following class: synapse.models.risk.CvssV2.

An example of cvss:v2:

• (AV:L/AC:L/Au:M/C:P/I:C/A:N)

cvss:v3

A CVSS v3.x vector string. It is implemented by the following class: synapse.models.risk.CvssV3.

An example of cvss:v3:

• AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

data

Arbitrary json compatible data. It is implemented by the following class: synapse.lib.types.Data.

duration

A duration value. It is implemented by the following class: synapse.lib.types.Duration.

The base type duration has the following default options set:

• signed: False

edge

An digraph edge base type. It is implemented by the following class: synapse.lib.types.Edge.

file:base

A file name with no path. It is implemented by the following class: synapse.models.files.FileBase.

An example of file:base:

• woot.exe

file:bytes

The file bytes type with SHA256 based primary property. It is implemented by the following class: synapse.models.files.FileBytes.

file:path

A normalized file path. It is implemented by the following class: synapse.models.files.FilePath.

An example of file:path:

• c:/windows/system32/calc.exe

float

The base floating point type. It is implemented by the following class: synapse.lib.types.Float.

The base type float has the following default options set:

• fmt: %f

• min: None

• minisvalid: True

• max: None

• maxisvalid: True

geo:area

A geographic area (base unit is square mm). It is implemented by the following class: synapse.models.geospace.Area.

An example of geo:area:

• 10 sq.km

geo:dist

A geographic distance (base unit is mm). It is implemented by the following class: synapse.models.geospace.Dist.

An example of geo:dist:

• 10 km

geo:latlong

A Lat/Long string specifying a point on Earth. It is implemented by the following class: synapse.models.geospace.LatLong.

An example of geo:latlong:

• -12.45,56.78

guid

The base GUID type. It is implemented by the following class: synapse.lib.types.Guid.

hex

The base hex type. It is implemented by the following class: synapse.lib.types.Hex.

The base type hex has the following default options set:

• size: 0

• zeropad: 0

hugenum

A potentially huge/tiny number. [x] <= 730750818665451459101842 with a fractional precision of 24 decimal digits. It is implemented by the following class: synapse.lib.types.HugeNum.

The base type hugenum has the following default options set:

• units: None

• modulo: None

inet:addr

A network layer URL-like format to represent tcp/udp/icmp clients and servers. It is implemented by the following class: synapse.models.inet.Addr.

An example of inet:addr:

• tcp://1.2.3.4:80

inet:cidr4

An IPv4 address block in Classless Inter-Domain Routing (CIDR) notation. It is implemented by the following class: synapse.models.inet.Cidr4.

An example of inet:cidr4:

• 1.2.3.0/24

inet:cidr6

An IPv6 address block in Classless Inter-Domain Routing (CIDR) notation. It is implemented by the following class: synapse.models.inet.Cidr6.

An example of inet:cidr6:

• 2001:db8::/101

inet:dns:name

A DNS query name string. Likely an FQDN but not always. It is implemented by the following class: synapse.models.dns.DnsName.

An example of inet:dns:name:

• vertex.link

inet:email

An e-mail address. It is implemented by the following class: synapse.models.inet.Email.

inet:fqdn

A Fully Qualified Domain Name (FQDN). It is implemented by the following class: synapse.models.inet.Fqdn.

An example of inet:fqdn:

• vertex.link

inet:http:cookie

An individual HTTP cookie string. It is implemented by the following class: synapse.models.inet.HttpCookie.

An example of inet:http:cookie:

• PHPSESSID=el4ukv0kqbvoirg7nkp4dncpk3

inet:ipv4

An IPv4 address. It is implemented by the following class: synapse.models.inet.IPv4.

An example of inet:ipv4:

• 1.2.3.4

inet:ipv4range

An IPv4 address range. It is implemented by the following class: synapse.models.inet.IPv4Range.

An example of inet:ipv4range:

• 1.2.3.4-1.2.3.8

inet:ipv6

An IPv6 address. It is implemented by the following class: synapse.models.inet.IPv6.

An example of inet:ipv6:

• 2607:f8b0:4004:809::200e

inet:ipv6range

An IPv6 address range. It is implemented by the following class: synapse.models.inet.IPv6Range.

An example of inet:ipv6range:

• (2607:f8b0:4004:809::200e, 2607:f8b0:4004:809::2011)

inet:rfc2822:addr

An RFC 2822 Address field. It is implemented by the following class: synapse.models.inet.Rfc2822Addr.

An example of inet:rfc2822:addr:

• "Visi Kenshoto" <visi@vertex.link>

inet:url

A Universal Resource Locator (URL). It is implemented by the following class: synapse.models.inet.Url.

An example of inet:url:

• http://www.woot.com/files/index.html

int

The base 64 bit signed integer type. It is implemented by the following class: synapse.lib.types.Int.

The base type int has the following default options set:

• size: 8

• signed: True

• enums:strict: True

• fmt: %d

• min: None

• max: None

• ismin: False

• ismax: False

it:sec:cpe

A NIST CPE 2.3 Formatted String. It is implemented by the following class: synapse.models.infotech.Cpe23Str.

The base type it:sec:cpe has the following default options set:

• lower: True

it:sec:cpe:v2_2

A NIST CPE 2.2 Formatted String. It is implemented by the following class: synapse.models.infotech.Cpe22Str.

The base type it:sec:cpe:v2_2 has the following default options set:

• lower: True

it:semver

Semantic Version type. It is implemented by the following class: synapse.models.infotech.SemVer.

ival

A time window/interval. It is implemented by the following class: synapse.lib.types.Ival.

loc

The base geo political location type. It is implemented by the following class: synapse.lib.types.Loc.

ndef

The node definition type for a (form,valu) compound field. It is implemented by the following class: synapse.lib.types.Ndef.

nodeprop

The nodeprop type for a (prop,valu) compound field. It is implemented by the following class: synapse.lib.types.NodeProp.

range

A base range type. It is implemented by the following class: synapse.lib.types.Range.

The base type range has the following default options set:

• type: ('int', {})

str

The base string type. It is implemented by the following class: synapse.lib.types.Str.

The base type str has the following default options set:

• enums: None

• regex: None

• lower: False

• strip: False

• replace: ()

• onespace: False

• globsuffix: False

syn:role

A Synapse role. It is implemented by the following class: synapse.models.syn.SynRole.

syn:tag

The base type for a synapse tag. It is implemented by the following class: synapse.lib.types.Tag.

The base type syn:tag has the following default options set:

• enums: None

• regex: None

• lower: False

• strip: False

• replace: ()

• onespace: False

• globsuffix: False

syn:tag:part

A tag component string. It is implemented by the following class: synapse.lib.types.TagPart.

The base type syn:tag:part has the following default options set:

• enums: None

• regex: None

• lower: False

• strip: False

• replace: ()

• onespace: False

• globsuffix: False

syn:user

A Synapse user. It is implemented by the following class: synapse.models.syn.SynUser.

taxon

A component of a hierarchical taxonomy. It is implemented by the following class: synapse.lib.types.Taxon.

The base type taxon has the following default options set:

• enums: None

• regex: None

• lower: False

• strip: False

• replace: ()

• onespace: False

• globsuffix: False

taxonomy

A hierarchical taxonomy. It is implemented by the following class: synapse.lib.types.Taxonomy.

The base type taxonomy has the following default options set:

• enums: None

• regex: None

• lower: False

• strip: False

• replace: ()

• onespace: False

• globsuffix: False

tel:mob:imei

An International Mobile Equipment Id. It is implemented by the following class: synapse.models.telco.Imei.

An example of tel:mob:imei:

• 490154203237518

tel:mob:imsi

An International Mobile Subscriber Id. It is implemented by the following class: synapse.models.telco.Imsi.

An example of tel:mob:imsi:

• 310150123456789

tel:phone

A phone number. It is implemented by the following class: synapse.models.telco.Phone.

An example of tel:phone:

• +15558675309

time

A date/time value. It is implemented by the following class: synapse.lib.types.Time.

The base type time has the following default options set:

• ismin: False

• ismax: False

timeedge

An digraph edge base type with a unique time. It is implemented by the following class: synapse.lib.types.TimeEdge.

velocity

A velocity with base units in mm/sec. It is implemented by the following class: synapse.lib.types.Velocity.

The base type velocity has the following default options set:

• relative: False

Types

Regular types are derived from BaseTypes.

auth:access

An instance of using creds to access a resource. The auth:access type is derived from the base type: guid.

auth:creds

A unique set of credentials used to access a resource. The auth:creds type is derived from the base type: guid.

belief:subscriber

A contact which subscribes to a belief system. The belief:subscriber type is derived from the base type: guid.

belief:system

A belief system such as an ideology, philosophy, or religion. The belief:system type is derived from the base type: guid.

belief:system:type:taxonomy

A hierarchical taxonomy of belief system types. The belief:system:type:taxonomy type is derived from the base type: taxonomy.

The type belief:system:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

belief:tenet

A concrete tenet potentially shared by multiple belief systems. The belief:tenet type is derived from the base type: guid.

biz:bundle

A bundle allows construction of products which bundle instances of other products. The biz:bundle type is derived from the base type: guid.

biz:deal

A sales or procurement effort in pursuit of a purchase. The biz:deal type is derived from the base type: guid.

biz:dealstatus

A deal/rfp status taxonomy. The biz:dealstatus type is derived from the base type: taxonomy.

The type biz:dealstatus has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

biz:dealtype

A deal type taxonomy. The biz:dealtype type is derived from the base type: taxonomy.

The type biz:dealtype has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

biz:listing

A product or service being listed for sale at a given price by a specific seller. The biz:listing type is derived from the base type: guid.

biz:prodtype

A product type taxonomy. The biz:prodtype type is derived from the base type: taxonomy.

The type biz:prodtype has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

biz:product

A product which is available for purchase. The biz:product type is derived from the base type: guid.

biz:rfp

An RFP (Request for Proposal) soliciting proposals. The biz:rfp type is derived from the base type: guid.

biz:service

A service which is performed by a specific organization. The biz:service type is derived from the base type: guid.

biz:service:type:taxonomy

A taxonomy of service offering types. The biz:service:type:taxonomy type is derived from the base type: taxonomy.

The type biz:service:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

biz:stake

A stake or partial ownership in a company. The biz:stake type is derived from the base type: guid.

crypto:algorithm

A cryptographic algorithm name. The crypto:algorithm type is derived from the base type: str.

An example of crypto:algorithm:

• aes256

The type crypto:algorithm has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

crypto:currency:address

An individual crypto currency address. The crypto:currency:address type is derived from the base type: comp.

An example of crypto:currency:address:

• btc/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2

The type crypto:currency:address has the following options set:

• fields: (('coin', 'crypto:currency:coin'), ('iden', 'str'))

• sepr: /

crypto:currency:block

An individual crypto currency block record on the blockchain. The crypto:currency:block type is derived from the base type: comp.

The type crypto:currency:block has the following options set:

• fields: (('coin', 'crypto:currency:coin'), ('offset', 'int'))

• sepr: /

crypto:currency:client

A fused node representing a crypto currency address used by an Internet client. The crypto:currency:client type is derived from the base type: comp.

An example of crypto:currency:client:

• (1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))

The type crypto:currency:client has the following options set:

• fields: (('inetaddr', 'inet:client'), ('coinaddr', 'crypto:currency:address'))

crypto:currency:coin

An individual crypto currency type. The crypto:currency:coin type is derived from the base type: str.

An example of crypto:currency:coin:

• btc

The type crypto:currency:coin has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: False

crypto:currency:transaction

An individual crypto currency transaction recorded on the blockchain. The crypto:currency:transaction type is derived from the base type: guid.

crypto:key

A cryptographic key and algorithm. The crypto:key type is derived from the base type: guid.

crypto:payment:input

A payment made into a transaction. The crypto:payment:input type is derived from the base type: guid.

crypto:payment:output

A payment received from a transaction. The crypto:payment:output type is derived from the base type: guid.

crypto:smart:contract

A smart contract. The crypto:smart:contract type is derived from the base type: guid.

crypto:smart:effect:burntoken

A smart contract effect which destroys a non-fungible token. The crypto:smart:effect:burntoken type is derived from the base type: guid.

crypto:smart:effect:edittokensupply

A smart contract effect which increases or decreases the supply of a fungible token. The crypto:smart:effect:edittokensupply type is derived from the base type: guid.

crypto:smart:effect:minttoken

A smart contract effect which creates a new non-fungible token. The crypto:smart:effect:minttoken type is derived from the base type: guid.

crypto:smart:effect:proxytoken

A smart contract effect which grants a non-owner address the ability to manipulate a specific non-fungible token. The crypto:smart:effect:proxytoken type is derived from the base type: guid.

crypto:smart:effect:proxytokenall

A smart contract effect which grants a non-owner address the ability to manipulate all non-fungible tokens of the owner. The crypto:smart:effect:proxytokenall type is derived from the base type: guid.

crypto:smart:effect:proxytokens

A smart contract effect which grants a non-owner address the ability to manipulate fungible tokens. The crypto:smart:effect:proxytokens type is derived from the base type: guid.

crypto:smart:effect:transfertoken

A smart contract effect which transfers ownership of a non-fungible token. The crypto:smart:effect:transfertoken type is derived from the base type: guid.

crypto:smart:effect:transfertokens

A smart contract effect which transfers fungible tokens. The crypto:smart:effect:transfertokens type is derived from the base type: guid.

crypto:smart:token

A token managed by a smart contract. The crypto:smart:token type is derived from the base type: comp.

The type crypto:smart:token has the following options set:

• fields: (('contract', 'crypto:smart:contract'), ('tokenid', 'hugenum'))

crypto:x509:cert

A unique X.509 certificate. The crypto:x509:cert type is derived from the base type: guid.

crypto:x509:crl

A unique X.509 Certificate Revocation List. The crypto:x509:crl type is derived from the base type: guid.

crypto:x509:revoked

A revocation relationship between a CRL and an X.509 certificate. The crypto:x509:revoked type is derived from the base type: comp.

The type crypto:x509:revoked has the following options set:

• fields: (('crl', 'crypto:x509:crl'), ('cert', 'crypto:x509:cert'))

crypto:x509:san

An X.509 Subject Alternative Name (SAN). The crypto:x509:san type is derived from the base type: comp.

The type crypto:x509:san has the following options set:

• fields: (('type', 'str'), ('value', 'str'))

crypto:x509:signedfile

A digital signature relationship between an X.509 certificate and a file. The crypto:x509:signedfile type is derived from the base type: comp.

The type crypto:x509:signedfile has the following options set:

• fields: (('cert', 'crypto:x509:cert'), ('file', 'file:bytes'))

doc:policy

Guiding principles used to reach a set of goals. The doc:policy type is derived from the base type: guid.

doc:policy:type:taxonomy

A taxonomy of policy types. The doc:policy:type:taxonomy type is derived from the base type: taxonomy.

The type doc:policy:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

doc:standard

A group of requirements which define how to implement a policy or goal. The doc:standard type is derived from the base type: guid.

doc:standard:type:taxonomy

A taxonomy of standard types. The doc:standard:type:taxonomy type is derived from the base type: taxonomy.

The type doc:standard:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

econ:acct:balance

A snapshot of the balance of an account at a point in time. The econ:acct:balance type is derived from the base type: guid.

econ:acct:invoice

An invoice issued requesting payment. The econ:acct:invoice type is derived from the base type: guid.

econ:acct:payment

A payment or crypto currency transaction. The econ:acct:payment type is derived from the base type: guid.

econ:acct:receipt

A receipt issued as proof of payment. The econ:acct:receipt type is derived from the base type: guid.

econ:acquired

Deprecated. Please use econ:purchase -(acquired)> *. The econ:acquired type is derived from the base type: comp.

The type econ:acquired has the following options set:

• fields: (('purchase', 'econ:purchase'), ('item', 'ndef'))

econ:bank:aba:rtn

An American Bank Association (ABA) routing transit number (RTN). The econ:bank:aba:rtn type is derived from the base type: str.

The type econ:bank:aba:rtn has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: [0-9]{9}

• replace: ()

• strip: False

econ:bank:account

A bank account. The econ:bank:account type is derived from the base type: guid.

econ:bank:account:type:taxonomy

A bank account type taxonomy. The econ:bank:account:type:taxonomy type is derived from the base type: taxonomy.

The type econ:bank:account:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

econ:bank:balance

A balance contained by a bank account at a point in time. The econ:bank:balance type is derived from the base type: guid.

econ:bank:iban

An International Bank Account Number. The econ:bank:iban type is derived from the base type: str.

The type econ:bank:iban has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: [A-Z]{2}[0-9]{2}[a-zA-Z0-9]{1,30}

• replace: ()

• strip: False

econ:bank:statement

A statement of bank account payment activity over a period of time. The econ:bank:statement type is derived from the base type: guid.

econ:bank:swift:bic

A Society for Worldwide Interbank Financial Telecommunication (SWIFT) Business Identifier Code (BIC). The econ:bank:swift:bic type is derived from the base type: str.

The type econ:bank:swift:bic has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: [A-Z]{6}[A-Z0-9]{5}

• replace: ()

• strip: False

econ:currency

The name of a system of money in general use. The econ:currency type is derived from the base type: str.

An example of econ:currency:

• usd

The type econ:currency has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: False

econ:fin:bar

A sample of the open, close, high, low prices of a security in a specific time window. The econ:fin:bar type is derived from the base type: guid.

econ:fin:exchange

A financial exchange where securities are traded. The econ:fin:exchange type is derived from the base type: guid.

econ:fin:security

A financial security which is typically traded on an exchange. The econ:fin:security type is derived from the base type: guid.

econ:fin:tick

A sample of the price of a security at a single moment in time. The econ:fin:tick type is derived from the base type: guid.

econ:pay:card

A single payment card. The econ:pay:card type is derived from the base type: guid.

econ:pay:cvv

A Card Verification Value (CVV). The econ:pay:cvv type is derived from the base type: str.

The type econ:pay:cvv has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^[0-9]{1,6}$

• replace: ()

• strip: False

econ:pay:iin

An Issuer Id Number (IIN). The econ:pay:iin type is derived from the base type: int.

The type econ:pay:iin has the following options set:

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: 999999

• min: 0

• signed: True

• size: 8

econ:pay:mii

A Major Industry Identifier (MII). The econ:pay:mii type is derived from the base type: int.

The type econ:pay:mii has the following options set:

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: 9

• min: 0

• signed: True

• size: 8

econ:pay:pan

A Primary Account Number (PAN) or card number. The econ:pay:pan type is derived from the base type: str.

The type econ:pay:pan has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^(?<iin>(?<mii>[0-9]{1})[0-9]{5})[0-9]{1,13}$

• replace: ()

• strip: False

econ:pay:pin

A Personal Identification Number (PIN). The econ:pay:pin type is derived from the base type: str.

The type econ:pay:pin has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^[0-9]{3,6}$

• replace: ()

• strip: False

econ:price

The amount of money expected, required, or given in payment for something. The econ:price type is derived from the base type: hugenum.

An example of econ:price:

• 2.20

The type econ:price has the following options set:

• modulo: None

• norm: False

• units: None

econ:purchase

A purchase event. The econ:purchase type is derived from the base type: guid.

econ:receipt:item

A line item included as part of a purchase. The econ:receipt:item type is derived from the base type: guid.

edge:has

A digraph edge which records that N1 has N2. The edge:has type is derived from the base type: edge.

edge:refs

A digraph edge which records that N1 refers to or contains N2. The edge:refs type is derived from the base type: edge.

edge:wentto

A digraph edge which records that N1 went to N2 at a specific time. The edge:wentto type is derived from the base type: timeedge.

edu:class

An instance of an edu:course taught at a given time. The edu:class type is derived from the base type: guid.

edu:course

A course of study taught by an org. The edu:course type is derived from the base type: guid.

entity:name

A name used to refer to an entity. The entity:name type is derived from the base type: str.

The type entity:name has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

file:archive:entry

An archive entry representing a file and metadata within a parent archive file. The file:archive:entry type is derived from the base type: guid.

file:attachment

A file attachment. The file:attachment type is derived from the base type: guid.

file:filepath

The fused knowledge of the association of a file:bytes node and a file:path. The file:filepath type is derived from the base type: comp.

The type file:filepath has the following options set:

• fields: (('file', 'file:bytes'), ('path', 'file:path'))

file:ismime

Records one, of potentially multiple, mime types for a given file. The file:ismime type is derived from the base type: comp.

The type file:ismime has the following options set:

• fields: (('file', 'file:bytes'), ('mime', 'file:mime'))

file:mime

A file mime name string. The file:mime type is derived from the base type: str.

An example of file:mime:

• text/plain

The type file:mime has the following options set:

• globsuffix: False

• lower: 1

• onespace: False

• regex: None

• replace: ()

• strip: False

file:mime:gif

The GUID of a set of mime metadata for a .gif file. The file:mime:gif type is derived from the base type: guid.

file:mime:jpg

The GUID of a set of mime metadata for a .jpg file. The file:mime:jpg type is derived from the base type: guid.

file:mime:lnk

The GUID of the metadata pulled from a Windows shortcut or LNK file. The file:mime:lnk type is derived from the base type: guid.

file:mime:macho:loadcmd

A generic load command pulled from the Mach-O headers. The file:mime:macho:loadcmd type is derived from the base type: guid.

file:mime:macho:section

A section inside a Mach-O binary denoting a named region of bytes inside a segment. The file:mime:macho:section type is derived from the base type: guid.

file:mime:macho:segment

A named region of bytes inside a Mach-O binary. The file:mime:macho:segment type is derived from the base type: guid.

file:mime:macho:uuid

A specific load command denoting a UUID used to uniquely identify the Mach-O binary. The file:mime:macho:uuid type is derived from the base type: guid.

file:mime:macho:version

A specific load command used to denote the version of the source used to build the Mach-O binary. The file:mime:macho:version type is derived from the base type: guid.

file:mime:msdoc

The GUID of a set of mime metadata for a Microsoft Word file. The file:mime:msdoc type is derived from the base type: guid.

file:mime:msppt

The GUID of a set of mime metadata for a Microsoft Powerpoint file. The file:mime:msppt type is derived from the base type: guid.

file:mime:msxls

The GUID of a set of mime metadata for a Microsoft Excel file. The file:mime:msxls type is derived from the base type: guid.

file:mime:pe:export

The fused knowledge of a file:bytes node containing a pe named export. The file:mime:pe:export type is derived from the base type: comp.

The type file:mime:pe:export has the following options set:

• fields: (('file', 'file:bytes'), ('name', 'str'))

file:mime:pe:resource

The fused knowledge of a file:bytes node containing a pe resource. The file:mime:pe:resource type is derived from the base type: comp.

The type file:mime:pe:resource has the following options set:

• fields:

[
 [
  "file",
  "file:bytes"
 ],
 [
  "type",
  "pe:resource:type"
 ],
 [
  "langid",
  "pe:langid"
 ],
 [
  "resource",
  "file:bytes"
 ]
]

file:mime:pe:section

The fused knowledge a file:bytes node containing a pe section. The file:mime:pe:section type is derived from the base type: comp.

The type file:mime:pe:section has the following options set:

• fields: (('file', 'file:bytes'), ('name', 'str'), ('sha256', 'hash:sha256'))

file:mime:pe:vsvers:info

knowledge of a file:bytes node containing vsvers info. The file:mime:pe:vsvers:info type is derived from the base type: comp.

The type file:mime:pe:vsvers:info has the following options set:

• fields: (('file', 'file:bytes'), ('keyval', 'file:mime:pe:vsvers:keyval'))

file:mime:pe:vsvers:keyval

A key value pair found in a PE vsversion info structure. The file:mime:pe:vsvers:keyval type is derived from the base type: comp.

The type file:mime:pe:vsvers:keyval has the following options set:

• fields: (('name', 'str'), ('value', 'str'))

file:mime:png

The GUID of a set of mime metadata for a .png file. The file:mime:png type is derived from the base type: guid.

file:mime:rtf

The GUID of a set of mime metadata for a .rtf file. The file:mime:rtf type is derived from the base type: guid.

file:mime:tif

The GUID of a set of mime metadata for a .tif file. The file:mime:tif type is derived from the base type: guid.

file:string

Deprecated. Please use the edge -(refs)> it:dev:str. The file:string type is derived from the base type: comp.

The type file:string has the following options set:

• fields: (('file', 'file:bytes'), ('string', 'str'))

file:subfile

A parent file that fully contains the specified child file. The file:subfile type is derived from the base type: comp.

The type file:subfile has the following options set:

• fields: (('parent', 'file:bytes'), ('child', 'file:bytes'))

geo:address

A street/mailing address string. The geo:address type is derived from the base type: str.

The type geo:address has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

geo:altitude

A negative or positive offset from Mean Sea Level (6,371.0088km from Earths core). The geo:altitude type is derived from the base type: geo:dist.

An example of geo:altitude:

• 10 km

The type geo:altitude has the following options set:

• baseoff: 6371008800

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

geo:bbox

A geospatial bounding box in (xmin, xmax, ymin, ymax) format. The geo:bbox type is derived from the base type: comp.

The type geo:bbox has the following options set:

• fields:

[
 [
  "xmin",
  "geo:longitude"
 ],
 [
  "xmax",
  "geo:longitude"
 ],
 [
  "ymin",
  "geo:latitude"
 ],
 [
  "ymax",
  "geo:latitude"
 ]
]

• sepr: ,

geo:json

GeoJSON structured JSON data. The geo:json type is derived from the base type: data.

The type geo:json has the following options set:

• schema:

{
 "$schema": "http://json-schema.org/draft-07/schema#",
 "definitions": {
  "BoundingBox": {
   "items": {
    "type": "number"
   },
   "minItems": 4,
   "type": "array"
  },
  "Feature": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "geometry": {
     "oneOf": [
      {
       "type": "null"
      },
      {
       "$ref": "#/definitions/Point"
      },
      {
       "$ref": "#/definitions/LineString"
      },
      {
       "$ref": "#/definitions/Polygon"
      },
      {
       "$ref": "#/definitions/MultiPoint"
      },
      {
       "$ref": "#/definitions/MultiLineString"
      },
      {
       "$ref": "#/definitions/MultiPolygon"
      },
      {
       "$ref": "#/definitions/GeometryCollection"
      }
     ]
    },
    "properties": {
     "oneOf": [
      {
       "type": "null"
      },
      {
       "type": "object"
      }
     ]
    },
    "type": {
     "enum": [
      "Feature"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "properties",
    "geometry"
   ],
   "title": "GeoJSON Feature",
   "type": "object"
  },
  "FeatureCollection": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "features": {
     "items": {
      "$ref": "#/definitions/Feature"
     },
     "type": "array"
    },
    "type": {
     "enum": [
      "FeatureCollection"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "features"
   ],
   "title": "GeoJSON FeatureCollection",
   "type": "object"
  },
  "GeometryCollection": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "geometries": {
     "items": {
      "oneOf": [
       {
        "$ref": "#/definitions/Point"
       },
       {
        "$ref": "#/definitions/LineString"
       },
       {
        "$ref": "#/definitions/Polygon"
       },
       {
        "$ref": "#/definitions/MultiPoint"
       },
       {
        "$ref": "#/definitions/MultiLineString"
       },
       {
        "$ref": "#/definitions/MultiPolygon"
       }
      ]
     },
     "type": "array"
    },
    "type": {
     "enum": [
      "GeometryCollection"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "geometries"
   ],
   "title": "GeoJSON GeometryCollection",
   "type": "object"
  },
  "LineString": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "coordinates": {
     "$ref": "#/definitions/LineStringCoordinates"
    },
    "type": {
     "enum": [
      "LineString"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "coordinates"
   ],
   "title": "GeoJSON LineString",
   "type": "object"
  },
  "LineStringCoordinates": {
   "items": {
    "$ref": "#/definitions/PointCoordinates"
   },
   "minItems": 2,
   "type": "array"
  },
  "LinearRingCoordinates": {
   "items": {
    "$ref": "#/definitions/PointCoordinates"
   },
   "minItems": 4,
   "type": "array"
  },
  "MultiLineString": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "coordinates": {
     "items": {
      "$ref": "#/definitions/LineStringCoordinates"
     },
     "type": "array"
    },
    "type": {
     "enum": [
      "MultiLineString"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "coordinates"
   ],
   "title": "GeoJSON MultiLineString",
   "type": "object"
  },
  "MultiPoint": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "coordinates": {
     "items": {
      "$ref": "#/definitions/PointCoordinates"
     },
     "type": "array"
    },
    "type": {
     "enum": [
      "MultiPoint"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "coordinates"
   ],
   "title": "GeoJSON MultiPoint",
   "type": "object"
  },
  "MultiPolygon": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "coordinates": {
     "items": {
      "$ref": "#/definitions/PolygonCoordinates"
     },
     "type": "array"
    },
    "type": {
     "enum": [
      "MultiPolygon"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "coordinates"
   ],
   "title": "GeoJSON MultiPolygon",
   "type": "object"
  },
  "Point": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "coordinates": {
     "$ref": "#/definitions/PointCoordinates"
    },
    "type": {
     "enum": [
      "Point"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "coordinates"
   ],
   "title": "GeoJSON Point",
   "type": "object"
  },
  "PointCoordinates": {
   "items": {
    "type": "number"
   },
   "minItems": 2,
   "type": "array"
  },
  "Polygon": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "coordinates": {
     "$ref": "#/definitions/PolygonCoordinates"
    },
    "type": {
     "enum": [
      "Polygon"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "coordinates"
   ],
   "title": "GeoJSON Polygon",
   "type": "object"
  },
  "PolygonCoordinates": {
   "items": {
    "$ref": "#/definitions/LinearRingCoordinates"
   },
   "type": "array"
  }
 },
 "oneOf": [
  {
   "$ref": "#/definitions/Point"
  },
  {
   "$ref": "#/definitions/LineString"
  },
  {
   "$ref": "#/definitions/Polygon"
  },
  {
   "$ref": "#/definitions/MultiPoint"
  },
  {
   "$ref": "#/definitions/MultiLineString"
  },
  {
   "$ref": "#/definitions/MultiPolygon"
  },
  {
   "$ref": "#/definitions/GeometryCollection"
  },
  {
   "$ref": "#/definitions/Feature"
  },
  {
   "$ref": "#/definitions/FeatureCollection"
  }
 ]
}

geo:latitude

A latitude in floating point notation. The geo:latitude type is derived from the base type: float.

An example of geo:latitude:

• 31.337

The type geo:latitude has the following options set:

• fmt: %f

• max: 90.0

• maxisvalid: True

• min: -90.0

• minisvalid: True

geo:longitude

A longitude in floating point notation. The geo:longitude type is derived from the base type: float.

An example of geo:longitude:

• 31.337

The type geo:longitude has the following options set:

• fmt: %f

• max: 180.0

• maxisvalid: True

• min: -180.0

• minisvalid: False

geo:name

An unstructured place name or address. The geo:name type is derived from the base type: str.

The type geo:name has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

geo:nloc

Records a node latitude/longitude in space-time. The geo:nloc type is derived from the base type: comp.

The type geo:nloc has the following options set:

• fields: (('ndef', 'ndef'), ('latlong', 'geo:latlong'), ('time', 'time'))

geo:place

A GUID for a geographic place. The geo:place type is derived from the base type: guid.

geo:place:taxonomy

A taxonomy of place types. The geo:place:taxonomy type is derived from the base type: taxonomy.

The type geo:place:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

geo:telem

A geospatial position of a node at a given time. The node should be linked via -(seenat)> edges. The geo:telem type is derived from the base type: guid.

gov:cn:icp

A Chinese Internet Content Provider ID. The gov:cn:icp type is derived from the base type: int.

The type gov:cn:icp has the following options set:

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

gov:cn:mucd

A Chinese PLA MUCD. The gov:cn:mucd type is derived from the base type: int.

The type gov:cn:mucd has the following options set:

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

gov:intl:un:m49

UN M49 Numeric Country Code. The gov:intl:un:m49 type is derived from the base type: int.

The type gov:intl:un:m49 has the following options set:

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: 999

• min: 1

• signed: True

• size: 8

gov:us:cage

A Commercial and Government Entity (CAGE) code. The gov:us:cage type is derived from the base type: str.

The type gov:us:cage has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: False

gov:us:ssn

A US Social Security Number (SSN). The gov:us:ssn type is derived from the base type: int.

The type gov:us:ssn has the following options set:

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

gov:us:zip

A US Postal Zip Code. The gov:us:zip type is derived from the base type: int.

The type gov:us:zip has the following options set:

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

graph:cluster

A generic node, used in conjunction with Edge types, to cluster arbitrary nodes to a single node in the model. The graph:cluster type is derived from the base type: guid.

graph:edge

A generic digraph edge to show relationships outside the model. The graph:edge type is derived from the base type: edge.

graph:event

A generic event node to represent events outside the model. The graph:event type is derived from the base type: guid.

graph:node

A generic node used to represent objects outside the model. The graph:node type is derived from the base type: guid.

graph:timeedge

A generic digraph time edge to show relationships outside the model. The graph:timeedge type is derived from the base type: timeedge.

hash:lm

A hex encoded Microsoft Windows LM password hash. The hash:lm type is derived from the base type: hex.

An example of hash:lm:

• d41d8cd98f00b204e9800998ecf8427e

The type hash:lm has the following options set:

• size: 32

• zeropad: 0

hash:md5

A hex encoded MD5 hash. The hash:md5 type is derived from the base type: hex.

An example of hash:md5:

• d41d8cd98f00b204e9800998ecf8427e

The type hash:md5 has the following options set:

• size: 32

• zeropad: 0

hash:ntlm

A hex encoded Microsoft Windows NTLM password hash. The hash:ntlm type is derived from the base type: hex.

An example of hash:ntlm:

• d41d8cd98f00b204e9800998ecf8427e

The type hash:ntlm has the following options set:

• size: 32

• zeropad: 0

hash:sha1

A hex encoded SHA1 hash. The hash:sha1 type is derived from the base type: hex.

An example of hash:sha1:

• da39a3ee5e6b4b0d3255bfef95601890afd80709

The type hash:sha1 has the following options set:

• size: 40

• zeropad: 0

hash:sha256

A hex encoded SHA256 hash. The hash:sha256 type is derived from the base type: hex.

An example of hash:sha256:

• ad9f4fe922b61e674a09530831759843b1880381de686a43460a76864ca0340c

The type hash:sha256 has the following options set:

• size: 64

• zeropad: 0

hash:sha384

A hex encoded SHA384 hash. The hash:sha384 type is derived from the base type: hex.

An example of hash:sha384:

• d425f1394e418ce01ed1579069a8bfaa1da8f32cf823982113ccbef531fa36bda9987f389c5af05b5e28035242efab6c

The type hash:sha384 has the following options set:

• size: 96

• zeropad: 0

hash:sha512

A hex encoded SHA512 hash. The hash:sha512 type is derived from the base type: hex.

An example of hash:sha512:

• ca74fe2ff2d03b29339ad7d08ba21d192077fece1715291c7b43c20c9136cd132788239189f3441a87eb23ce2660aa243f334295902c904b5520f6e80ab91f11

The type hash:sha512 has the following options set:

• size: 128

• zeropad: 0

inet:asn

An Autonomous System Number (ASN). The inet:asn type is derived from the base type: int.

The type inet:asn has the following options set:

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

inet:asnet4

An Autonomous System Number (ASN) and its associated IPv4 address range. The inet:asnet4 type is derived from the base type: comp.

An example of inet:asnet4:

• (54959, (1.2.3.4, 1.2.3.20))

The type inet:asnet4 has the following options set:

• fields: (('asn', 'inet:asn'), ('net4', 'inet:net4'))

inet:asnet6

An Autonomous System Number (ASN) and its associated IPv6 address range. The inet:asnet6 type is derived from the base type: comp.

An example of inet:asnet6:

• (54959, (ff::00, ff::02))

The type inet:asnet6 has the following options set:

• fields: (('asn', 'inet:asn'), ('net6', 'inet:net6'))

inet:banner

A network protocol banner string presented by a server. The inet:banner type is derived from the base type: comp.

The type inet:banner has the following options set:

• fields: (('server', 'inet:server'), ('text', 'it:dev:str'))

inet:client

A network client address. The inet:client type is derived from the base type: inet:addr.

An example of inet:client:

• tcp://1.2.3.4:80

The type inet:client has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:dns:a

The result of a DNS A record lookup. The inet:dns:a type is derived from the base type: comp.

An example of inet:dns:a:

• (vertex.link,1.2.3.4)

The type inet:dns:a has the following options set:

• fields: (('fqdn', 'inet:fqdn'), ('ipv4', 'inet:ipv4'))

inet:dns:aaaa

The result of a DNS AAAA record lookup. The inet:dns:aaaa type is derived from the base type: comp.

An example of inet:dns:aaaa:

• (vertex.link,2607:f8b0:4004:809::200e)

The type inet:dns:aaaa has the following options set:

• fields: (('fqdn', 'inet:fqdn'), ('ipv6', 'inet:ipv6'))

inet:dns:answer

A single answer from within a DNS reply. The inet:dns:answer type is derived from the base type: guid.

inet:dns:cname

The result of a DNS CNAME record lookup. The inet:dns:cname type is derived from the base type: comp.

An example of inet:dns:cname:

• (foo.vertex.link,vertex.link)

The type inet:dns:cname has the following options set:

• fields: (('fqdn', 'inet:fqdn'), ('cname', 'inet:fqdn'))

inet:dns:dynreg

A dynamic DNS registration. The inet:dns:dynreg type is derived from the base type: guid.

inet:dns:mx

The result of a DNS MX record lookup. The inet:dns:mx type is derived from the base type: comp.

An example of inet:dns:mx:

• (vertex.link,mail.vertex.link)

The type inet:dns:mx has the following options set:

• fields: (('fqdn', 'inet:fqdn'), ('mx', 'inet:fqdn'))

inet:dns:ns

The result of a DNS NS record lookup. The inet:dns:ns type is derived from the base type: comp.

An example of inet:dns:ns:

• (vertex.link,ns.dnshost.com)

The type inet:dns:ns has the following options set:

• fields: (('zone', 'inet:fqdn'), ('ns', 'inet:fqdn'))

inet:dns:query

A DNS query unique to a given client. The inet:dns:query type is derived from the base type: comp.

An example of inet:dns:query:

• (1.2.3.4, woot.com, 1)

The type inet:dns:query has the following options set:

• fields: (('client', 'inet:client'), ('name', 'inet:dns:name'), ('type', 'int'))

inet:dns:request

A single instance of a DNS resolver request and optional reply info. The inet:dns:request type is derived from the base type: guid.

inet:dns:rev

The transformed result of a DNS PTR record lookup. The inet:dns:rev type is derived from the base type: comp.

An example of inet:dns:rev:

• (1.2.3.4,vertex.link)

The type inet:dns:rev has the following options set:

• fields: (('ipv4', 'inet:ipv4'), ('fqdn', 'inet:fqdn'))

inet:dns:rev6

The transformed result of a DNS PTR record for an IPv6 address. The inet:dns:rev6 type is derived from the base type: comp.

An example of inet:dns:rev6:

• (2607:f8b0:4004:809::200e,vertex.link)

The type inet:dns:rev6 has the following options set:

• fields: (('ipv6', 'inet:ipv6'), ('fqdn', 'inet:fqdn'))

inet:dns:soa

The result of a DNS SOA record lookup. The inet:dns:soa type is derived from the base type: guid.

inet:dns:txt

The result of a DNS MX record lookup. The inet:dns:txt type is derived from the base type: comp.

An example of inet:dns:txt:

• (hehe.vertex.link,"fancy TXT record")

The type inet:dns:txt has the following options set:

• fields: (('fqdn', 'inet:fqdn'), ('txt', 'str'))

inet:dns:type

A DNS query/answer type integer. The inet:dns:type type is derived from the base type: int.

The type inet:dns:type has the following options set:

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

inet:dns:wild:a

A DNS A wild card record and the IPv4 it resolves to. The inet:dns:wild:a type is derived from the base type: comp.

The type inet:dns:wild:a has the following options set:

• fields: (('fqdn', 'inet:fqdn'), ('ipv4', 'inet:ipv4'))

inet:dns:wild:aaaa

A DNS AAAA wild card record and the IPv6 it resolves to. The inet:dns:wild:aaaa type is derived from the base type: comp.

The type inet:dns:wild:aaaa has the following options set:

• fields: (('fqdn', 'inet:fqdn'), ('ipv6', 'inet:ipv6'))

inet:download

An instance of a file downloaded from a server. The inet:download type is derived from the base type: guid.

inet:egress

A host using a specific network egress client address. The inet:egress type is derived from the base type: guid.

inet:email:header

A unique email message header. The inet:email:header type is derived from the base type: comp.

The type inet:email:header has the following options set:

• fields: (('name', 'inet:email:header:name'), ('value', 'str'))

inet:email:header:name

An email header name. The inet:email:header:name type is derived from the base type: str.

An example of inet:email:header:name:

• subject

The type inet:email:header:name has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:email:message

An individual email message delivered to an inbox. The inet:email:message type is derived from the base type: guid.

inet:email:message:attachment

A file which was attached to an email message. The inet:email:message:attachment type is derived from the base type: comp.

The type inet:email:message:attachment has the following options set:

• fields: (('message', 'inet:email:message'), ('file', 'file:bytes'))

inet:email:message:link

A url/link embedded in an email message. The inet:email:message:link type is derived from the base type: comp.

The type inet:email:message:link has the following options set:

• fields: (('message', 'inet:email:message'), ('url', 'inet:url'))

inet:flow

An individual network connection between a given source and destination. The inet:flow type is derived from the base type: guid.

inet:group

A group name string. The inet:group type is derived from the base type: str.

The type inet:group has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:http:header

An HTTP protocol header key/value. The inet:http:header type is derived from the base type: comp.

The type inet:http:header has the following options set:

• fields: (('name', 'inet:http:header:name'), ('value', 'str'))

inet:http:header:name

The base string type. The inet:http:header:name type is derived from the base type: str.

The type inet:http:header:name has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:http:param

An HTTP request path query parameter. The inet:http:param type is derived from the base type: comp.

The type inet:http:param has the following options set:

• fields: (('name', 'str'), ('value', 'str'))

inet:http:request

A single HTTP request. The inet:http:request type is derived from the base type: guid.

inet:http:request:header

An HTTP request header. The inet:http:request:header type is derived from the base type: inet:http:header.

The type inet:http:request:header has the following options set:

• fields: (('name', 'inet:http:header:name'), ('value', 'str'))

inet:http:response:header

An HTTP response header. The inet:http:response:header type is derived from the base type: inet:http:header.

The type inet:http:response:header has the following options set:

• fields: (('name', 'inet:http:header:name'), ('value', 'str'))

inet:http:session

An HTTP session. The inet:http:session type is derived from the base type: guid.

inet:iface

A network interface with a set of associated protocol addresses. The inet:iface type is derived from the base type: guid.

inet:mac

A 48-bit Media Access Control (MAC) address. The inet:mac type is derived from the base type: str.

An example of inet:mac:

• aa:bb:cc:dd:ee:ff

The type inet:mac has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: ^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$

• replace: ()

• strip: False

inet:net4

An IPv4 address range. The inet:net4 type is derived from the base type: inet:ipv4range.

An example of inet:net4:

• (1.2.3.4, 1.2.3.20)

The type inet:net4 has the following options set:

• type: ('inet:ipv4', {})

inet:net6

An IPv6 address range. The inet:net6 type is derived from the base type: inet:ipv6range.

An example of inet:net6:

• ('ff::00', 'ff::30')

The type inet:net6 has the following options set:

• type: ('inet:ipv6', {})

inet:passwd

A password string. The inet:passwd type is derived from the base type: str.

The type inet:passwd has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:port

A network port. The inet:port type is derived from the base type: int.

An example of inet:port:

• 80

The type inet:port has the following options set:

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: 65535

• min: 0

• signed: True

• size: 8

inet:proto

A network protocol name. The inet:proto type is derived from the base type: str.

The type inet:proto has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: ^[a-z0-9+-]+$

• replace: ()

• strip: False

inet:search:query

An instance of a search query issued to a search engine. The inet:search:query type is derived from the base type: guid.

inet:search:result

A single result from a web search. The inet:search:result type is derived from the base type: guid.

inet:server

A network server address. The inet:server type is derived from the base type: inet:addr.

An example of inet:server:

• tcp://1.2.3.4:80

The type inet:server has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:servfile

A file hosted on a server for access over a network protocol. The inet:servfile type is derived from the base type: comp.

The type inet:servfile has the following options set:

• fields: (('server', 'inet:server'), ('file', 'file:bytes'))

inet:service:access

Represents a user access request to a service resource. The inet:service:access type is derived from the base type: guid.

inet:service:account

An account within a service platform. Accounts may be instance specific. The inet:service:account type is derived from the base type: guid.

inet:service:bucket

A file/blob storage object within a service architecture. The inet:service:bucket type is derived from the base type: guid.

inet:service:bucket:item

An individual file stored within a bucket. The inet:service:bucket:item type is derived from the base type: guid.

inet:service:channel

A channel used to distribute messages. The inet:service:channel type is derived from the base type: guid.

inet:service:channel:member

Represents a service account being a member of a channel. The inet:service:channel:member type is derived from the base type: guid.

inet:service:emote

An emote or reaction by an account. The inet:service:emote type is derived from the base type: guid.

inet:service:group

A group or role which contains member accounts. The inet:service:group type is derived from the base type: guid.

inet:service:group:member

Represents a service account being a member of a group. The inet:service:group:member type is derived from the base type: guid.

inet:service:instance

An instance of the platform such as Slack or Discord instances. The inet:service:instance type is derived from the base type: guid.

inet:service:login

A login event for a service account. The inet:service:login type is derived from the base type: guid.

inet:service:login:method:taxonomy

A taxonomy of inet service login methods. The inet:service:login:method:taxonomy type is derived from the base type: taxonomy.

The type inet:service:login:method:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:service:message

A message or post created by an account. The inet:service:message type is derived from the base type: guid.

inet:service:message:attachment

A file attachment included within a message. The inet:service:message:attachment type is derived from the base type: guid.

inet:service:message:link

A URL link included within a message. The inet:service:message:link type is derived from the base type: guid.

inet:service:message:type:taxonomy

A message type taxonomy. The inet:service:message:type:taxonomy type is derived from the base type: taxonomy.

The type inet:service:message:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:service:object

An ndef type including all forms which implement the inet:service:object interface. The inet:service:object type is derived from the base type: ndef.

The type inet:service:object has the following options set:

• interfaces: ('inet:service:object',)

inet:service:object:status

An object status enumeration. The inet:service:object:status type is derived from the base type: int.

The type inet:service:object:status has the following options set:

• enums:

  int	valu
  10	draft
  30	available
  40	offline
  50	removed

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

inet:service:permission

A permission which may be granted to a service account or role. The inet:service:permission type is derived from the base type: guid.

inet:service:permission:type:taxonomy

A permission type taxonomy. The inet:service:permission:type:taxonomy type is derived from the base type: taxonomy.

The type inet:service:permission:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:service:platform

A network platform which provides services. The inet:service:platform type is derived from the base type: guid.

inet:service:relationship

A relationship between two service objects. The inet:service:relationship type is derived from the base type: guid.

inet:service:relationship:type:taxonomy

A service object relationship type taxonomy. The inet:service:relationship:type:taxonomy type is derived from the base type: taxonomy.

The type inet:service:relationship:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:service:resource

A generic resource provided by the service architecture. The inet:service:resource type is derived from the base type: guid.

inet:service:resource:type:taxonomy

A taxonomy of inet service resource types. The inet:service:resource:type:taxonomy type is derived from the base type: taxonomy.

The type inet:service:resource:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:service:rule

A rule which grants or denies a permission to a service account or role. The inet:service:rule type is derived from the base type: guid.

inet:service:session

An authenticated session. The inet:service:session type is derived from the base type: guid.

inet:service:thread

A message thread. The inet:service:thread type is derived from the base type: guid.

inet:ssl:cert

Deprecated. Please use inet:tls:servercert or inet:tls:clientcert. The inet:ssl:cert type is derived from the base type: comp.

The type inet:ssl:cert has the following options set:

• fields: (('server', 'inet:server'), ('file', 'file:bytes'))

inet:ssl:jarmhash

A TLS JARM fingerprint hash. The inet:ssl:jarmhash type is derived from the base type: str.

The type inet:ssl:jarmhash has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: ^(?<ciphers>[0-9a-f]{30})(?<extensions>[0-9a-f]{32})$

• replace: ()

• strip: True

inet:ssl:jarmsample

A JARM hash sample taken from a server. The inet:ssl:jarmsample type is derived from the base type: comp.

The type inet:ssl:jarmsample has the following options set:

• fields: (('server', 'inet:server'), ('jarmhash', 'inet:ssl:jarmhash'))

inet:tls:clientcert

An x509 certificate sent by a client for TLS. The inet:tls:clientcert type is derived from the base type: comp.

An example of inet:tls:clientcert:

• (1.2.3.4:443, 3fdf364e081c14997b291852d1f23868)

The type inet:tls:clientcert has the following options set:

• fields: (('client', 'inet:client'), ('cert', 'crypto:x509:cert'))

inet:tls:handshake

An instance of a TLS handshake between a server and client. The inet:tls:handshake type is derived from the base type: guid.

inet:tls:ja3:sample

A JA3 sample taken from a client. The inet:tls:ja3:sample type is derived from the base type: comp.

The type inet:tls:ja3:sample has the following options set:

• fields: (('client', 'inet:client'), ('ja3', 'hash:md5'))

inet:tls:ja3s:sample

A JA3 sample taken from a server. The inet:tls:ja3s:sample type is derived from the base type: comp.

The type inet:tls:ja3s:sample has the following options set:

• fields: (('server', 'inet:server'), ('ja3s', 'hash:md5'))

inet:tls:servercert

An x509 certificate sent by a server for TLS. The inet:tls:servercert type is derived from the base type: comp.

An example of inet:tls:servercert:

• (1.2.3.4:443, c7437790af01ae1bb2f8f3b684c70bf8)

The type inet:tls:servercert has the following options set:

• fields: (('server', 'inet:server'), ('cert', 'crypto:x509:cert'))

inet:tunnel

A specific sequence of hosts forwarding connections such as a VPN or proxy. The inet:tunnel type is derived from the base type: guid.

inet:tunnel:type:taxonomy

A taxonomy of network tunnel types. The inet:tunnel:type:taxonomy type is derived from the base type: taxonomy.

The type inet:tunnel:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:url:mirror

A URL mirror site. The inet:url:mirror type is derived from the base type: comp.

The type inet:url:mirror has the following options set:

• fields: (('of', 'inet:url'), ('at', 'inet:url'))

inet:urlfile

A file hosted at a specific Universal Resource Locator (URL). The inet:urlfile type is derived from the base type: comp.

The type inet:urlfile has the following options set:

• fields: (('url', 'inet:url'), ('file', 'file:bytes'))

inet:urlredir

A URL that redirects to another URL, such as via a URL shortening service or an HTTP 302 response. The inet:urlredir type is derived from the base type: comp.

An example of inet:urlredir:

• (http://foo.com/,http://bar.com/)

The type inet:urlredir has the following options set:

• fields: (('src', 'inet:url'), ('dst', 'inet:url'))

inet:user

A username string. The inet:user type is derived from the base type: str.

The type inet:user has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:web:acct

An account with a given Internet-based site or service. The inet:web:acct type is derived from the base type: comp.

An example of inet:web:acct:

• twitter.com/invisig0th

The type inet:web:acct has the following options set:

• fields: (('site', 'inet:fqdn'), ('user', 'inet:user'))

• sepr: /

inet:web:action

An instance of an account performing an action at an Internet-based site or service. The inet:web:action type is derived from the base type: guid.

inet:web:attachment

An instance of a file being sent to a web service by an account. The inet:web:attachment type is derived from the base type: guid.

inet:web:channel

A channel within a web service or instance such as slack or discord. The inet:web:channel type is derived from the base type: guid.

inet:web:chprofile

A change to a web account. Used to capture historical properties associated with an account, as opposed to current data in the inet:web:acct node. The inet:web:chprofile type is derived from the base type: guid.

inet:web:file

A file posted by a web account. The inet:web:file type is derived from the base type: comp.

The type inet:web:file has the following options set:

• fields: (('acct', 'inet:web:acct'), ('file', 'file:bytes'))

inet:web:follows

A web account follows or is connected to another web account. The inet:web:follows type is derived from the base type: comp.

The type inet:web:follows has the following options set:

• fields: (('follower', 'inet:web:acct'), ('followee', 'inet:web:acct'))

inet:web:group

A group hosted within or registered with a given Internet-based site or service. The inet:web:group type is derived from the base type: comp.

An example of inet:web:group:

• somesite.com/mycoolgroup

The type inet:web:group has the following options set:

• fields: (('site', 'inet:fqdn'), ('id', 'inet:group'))

• sepr: /

inet:web:hashtag

A hashtag used in a web post. The inet:web:hashtag type is derived from the base type: str.

The type inet:web:hashtag has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: ^#\w[\w·]*(?<!·)$

• replace: ()

• strip: False

inet:web:instance

An instance of a web service such as slack or discord. The inet:web:instance type is derived from the base type: guid.

inet:web:logon

An instance of an account authenticating to an Internet-based site or service. The inet:web:logon type is derived from the base type: guid.

inet:web:memb

Deprecated. Please use inet:web:member. The inet:web:memb type is derived from the base type: comp.

The type inet:web:memb has the following options set:

• fields: (('acct', 'inet:web:acct'), ('group', 'inet:web:group'))

inet:web:member

Represents a web account membership in a channel or group. The inet:web:member type is derived from the base type: guid.

inet:web:mesg

A message sent from one web account to another web account or channel. The inet:web:mesg type is derived from the base type: comp.

An example of inet:web:mesg:

• ((twitter.com, invisig0th), (twitter.com, gobbles), 20041012130220)

The type inet:web:mesg has the following options set:

• fields: (('from', 'inet:web:acct'), ('to', 'inet:web:acct'), ('time', 'time'))

inet:web:post

A post made by a web account. The inet:web:post type is derived from the base type: guid.

inet:web:post:link

A link contained within post text. The inet:web:post:link type is derived from the base type: guid.

inet:whois:contact

An individual contact from a domain whois record. The inet:whois:contact type is derived from the base type: comp.

The type inet:whois:contact has the following options set:

• fields: (('rec', 'inet:whois:rec'), ('type', ('str', {'lower': True})))

inet:whois:email

An email address associated with an FQDN via whois registration text. The inet:whois:email type is derived from the base type: comp.

The type inet:whois:email has the following options set:

• fields: (('fqdn', 'inet:fqdn'), ('email', 'inet:email'))

inet:whois:ipcontact

An individual contact from an IP block record. The inet:whois:ipcontact type is derived from the base type: guid.

inet:whois:ipquery

Query details used to retrieve an IP record. The inet:whois:ipquery type is derived from the base type: guid.

inet:whois:iprec

An IPv4/IPv6 block registration record. The inet:whois:iprec type is derived from the base type: guid.

inet:whois:rar

A domain registrar. The inet:whois:rar type is derived from the base type: str.

An example of inet:whois:rar:

• godaddy, inc.

The type inet:whois:rar has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:whois:rec

A domain whois record. The inet:whois:rec type is derived from the base type: comp.

The type inet:whois:rec has the following options set:

• fields: (('fqdn', 'inet:fqdn'), ('asof', 'time'))

inet:whois:recns

A nameserver associated with a domain whois record. The inet:whois:recns type is derived from the base type: comp.

The type inet:whois:recns has the following options set:

• fields: (('ns', 'inet:fqdn'), ('rec', 'inet:whois:rec'))

inet:whois:reg

A domain registrant. The inet:whois:reg type is derived from the base type: str.

An example of inet:whois:reg:

• woot hostmaster

The type inet:whois:reg has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:whois:regid

The registry unique identifier of the registration record. The inet:whois:regid type is derived from the base type: str.

An example of inet:whois:regid:

• NET-10-0-0-0-1

The type inet:whois:regid has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

inet:wifi:ap

An SSID/MAC address combination for a wireless access point. The inet:wifi:ap type is derived from the base type: comp.

The type inet:wifi:ap has the following options set:

• fields: (('ssid', 'inet:wifi:ssid'), ('bssid', 'inet:mac'))

inet:wifi:ssid

A WiFi service set identifier (SSID) name. The inet:wifi:ssid type is derived from the base type: str.

An example of inet:wifi:ssid:

• The Vertex Project

The type inet:wifi:ssid has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

iso:3166:cc

An ISO 3166 2 digit country code. The iso:3166:cc type is derived from the base type: str.

The type iso:3166:cc has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: ^[a-z]{2}$

• replace: ()

• strip: False

iso:oid

An ISO Object Identifier string. The iso:oid type is derived from the base type: str.

The type iso:oid has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^([0-2])((\.0)|(\.[1-9][0-9]*))*$

• replace: ()

• strip: False

it:account

A GUID that represents an account on a host or network. The it:account type is derived from the base type: guid.

it:adid

An advertising identification string. The it:adid type is derived from the base type: str.

The type it:adid has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: True

it:app:snort:hit

An instance of a snort rule hit. The it:app:snort:hit type is derived from the base type: guid.

it:app:snort:rule

A snort rule. The it:app:snort:rule type is derived from the base type: guid.

it:app:yara:match

A YARA rule match to a file. The it:app:yara:match type is derived from the base type: comp.

The type it:app:yara:match has the following options set:

• fields: (('rule', 'it:app:yara:rule'), ('file', 'file:bytes'))

it:app:yara:netmatch

An instance of a YARA rule network hunting match. The it:app:yara:netmatch type is derived from the base type: guid.

it:app:yara:procmatch

An instance of a YARA rule match to a process. The it:app:yara:procmatch type is derived from the base type: guid.

it:app:yara:rule

A YARA rule unique identifier. The it:app:yara:rule type is derived from the base type: guid.

it:auth:passwdhash

An instance of a password hash. The it:auth:passwdhash type is derived from the base type: guid.

it:av:filehit

Deprecated. Please use it:av:scan:result. The it:av:filehit type is derived from the base type: comp.

The type it:av:filehit has the following options set:

• fields: (('file', 'file:bytes'), ('sig', 'it:av:sig'))

it:av:prochit

Deprecated. Please use it:av:scan:result. The it:av:prochit type is derived from the base type: guid.

it:av:scan:result

The result of running an antivirus scanner. The it:av:scan:result type is derived from the base type: guid.

it:av:sig

Deprecated. Please use it:av:scan:result. The it:av:sig type is derived from the base type: comp.

The type it:av:sig has the following options set:

• fields: (('soft', 'it:prod:soft'), ('name', 'it:av:signame'))

it:av:signame

An antivirus signature name. The it:av:signame type is derived from the base type: str.

The type it:av:signame has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: False

it:cmd

A unique command-line string. The it:cmd type is derived from the base type: str.

An example of it:cmd:

• foo.exe --dostuff bar

The type it:cmd has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: True

it:cmd:history

A single command executed within a session. The it:cmd:history type is derived from the base type: guid.

it:cmd:session

A command line session with multiple commands run over time. The it:cmd:session type is derived from the base type: guid.

it:dev:int

A developer selected integer constant. The it:dev:int type is derived from the base type: int.

The type it:dev:int has the following options set:

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

it:dev:mutex

A string representing a mutex. The it:dev:mutex type is derived from the base type: str.

The type it:dev:mutex has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:dev:pipe

A string representing a named pipe. The it:dev:pipe type is derived from the base type: str.

The type it:dev:pipe has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:dev:regkey

A Windows registry key. The it:dev:regkey type is derived from the base type: str.

An example of it:dev:regkey:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The type it:dev:regkey has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:dev:regval

A Windows registry key/value pair. The it:dev:regval type is derived from the base type: guid.

it:dev:repo

A version control system instance. The it:dev:repo type is derived from the base type: guid.

it:dev:repo:branch

A branch in a version control system instance. The it:dev:repo:branch type is derived from the base type: guid.

it:dev:repo:commit

A commit to a repository. The it:dev:repo:commit type is derived from the base type: guid.

it:dev:repo:diff

A diff of a file being applied in a single commit. The it:dev:repo:diff type is derived from the base type: guid.

it:dev:repo:diff:comment

A comment on a diff in a repository. The it:dev:repo:diff:comment type is derived from the base type: guid.

it:dev:repo:issue

An issue raised in a repository. The it:dev:repo:issue type is derived from the base type: guid.

it:dev:repo:issue:comment

A comment on an issue in a repository. The it:dev:repo:issue:comment type is derived from the base type: guid.

it:dev:repo:issue:label

A label applied to a repository issue. The it:dev:repo:issue:label type is derived from the base type: guid.

it:dev:repo:label

A developer selected label. The it:dev:repo:label type is derived from the base type: guid.

it:dev:repo:remote

A remote repo that is tracked for changes/branches/etc. The it:dev:repo:remote type is derived from the base type: guid.

it:dev:repo:type:taxonomy

A version control system type taxonomy. The it:dev:repo:type:taxonomy type is derived from the base type: taxonomy.

The type it:dev:repo:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:dev:str

A developer selected string. The it:dev:str type is derived from the base type: str.

The type it:dev:str has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:domain

A logical boundary of authentication and configuration such as a windows domain. The it:domain type is derived from the base type: guid.

it:exec:bind

An instance of a host binding a listening port. The it:exec:bind type is derived from the base type: guid.

it:exec:file:add

An instance of a host adding a file to a filesystem. The it:exec:file:add type is derived from the base type: guid.

it:exec:file:del

An instance of a host deleting a file from a filesystem. The it:exec:file:del type is derived from the base type: guid.

it:exec:file:read

An instance of a host reading a file from a filesystem. The it:exec:file:read type is derived from the base type: guid.

it:exec:file:write

An instance of a host writing a file to a filesystem. The it:exec:file:write type is derived from the base type: guid.

it:exec:loadlib

A library load event in a process. The it:exec:loadlib type is derived from the base type: guid.

it:exec:mmap

A memory mapped segment located in a process. The it:exec:mmap type is derived from the base type: guid.

it:exec:mutex

A mutex created by a process at runtime. The it:exec:mutex type is derived from the base type: guid.

it:exec:pipe

A named pipe created by a process at runtime. The it:exec:pipe type is derived from the base type: guid.

it:exec:proc

A process executing on a host. May be an actual (e.g., endpoint) or virtual (e.g., malware sandbox) host. The it:exec:proc type is derived from the base type: guid.

it:exec:query

An instance of an executed query. The it:exec:query type is derived from the base type: guid.

it:exec:reg:del

An instance of a host deleting a registry key. The it:exec:reg:del type is derived from the base type: guid.

it:exec:reg:get

An instance of a host getting a registry key. The it:exec:reg:get type is derived from the base type: guid.

it:exec:reg:set

An instance of a host creating or setting a registry key. The it:exec:reg:set type is derived from the base type: guid.

it:exec:thread

A thread executing in a process. The it:exec:thread type is derived from the base type: guid.

it:exec:url

An instance of a host requesting a URL. The it:exec:url type is derived from the base type: guid.

it:fs:file

A file on a host. The it:fs:file type is derived from the base type: guid.

it:group

A GUID that represents a group on a host or network. The it:group type is derived from the base type: guid.

it:host

A GUID that represents a host or system. The it:host type is derived from the base type: guid.

it:host:tenancy

A time window where a host was a tenant run by another host. The it:host:tenancy type is derived from the base type: guid.

it:hostname

The name of a host or system. The it:hostname type is derived from the base type: str.

The type it:hostname has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: True

it:hostsoft

A version of a software product which is present on a given host. The it:hostsoft type is derived from the base type: comp.

The type it:hostsoft has the following options set:

• fields: (('host', 'it:host'), ('softver', 'it:prod:softver'))

it:hosturl

A url hosted on or served by a host or system. The it:hosturl type is derived from the base type: comp.

The type it:hosturl has the following options set:

• fields: (('host', 'it:host'), ('url', 'inet:url'))

it:log:event

A GUID representing an individual log event. The it:log:event type is derived from the base type: guid.

it:log:event:type:taxonomy

A taxonomy of log event types. The it:log:event:type:taxonomy type is derived from the base type: taxonomy.

The type it:log:event:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:logon

A GUID that represents an individual logon/logoff event. The it:logon type is derived from the base type: guid.

it:mitre:attack:campaign

A MITRE ATT&CK Campaign ID. The it:mitre:attack:campaign type is derived from the base type: str.

An example of it:mitre:attack:campaign:

• C0028

The type it:mitre:attack:campaign has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^C[0-9]{4}$

• replace: ()

• strip: False

it:mitre:attack:data:component

A MITRE ATT&CK data component. The it:mitre:attack:data:component type is derived from the base type: guid.

it:mitre:attack:datasource

A MITRE ATT&CK Datasource ID. The it:mitre:attack:datasource type is derived from the base type: str.

An example of it:mitre:attack:datasource:

• DS0026

The type it:mitre:attack:datasource has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^DS[0-9]{4}$

• replace: ()

• strip: False

it:mitre:attack:flow

A MITRE ATT&CK Flow diagram. The it:mitre:attack:flow type is derived from the base type: guid.

it:mitre:attack:group

A MITRE ATT&CK Group ID. The it:mitre:attack:group type is derived from the base type: str.

An example of it:mitre:attack:group:

• G0100

The type it:mitre:attack:group has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^G[0-9]{4}$

• replace: ()

• strip: False

it:mitre:attack:matrix

An enumeration of ATT&CK matrix values. The it:mitre:attack:matrix type is derived from the base type: str.

An example of it:mitre:attack:matrix:

• enterprise

The type it:mitre:attack:matrix has the following options set:

• enums:

  valu
  enterprise
  mobile
  ics

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:mitre:attack:mitigation

A MITRE ATT&CK Mitigation ID. The it:mitre:attack:mitigation type is derived from the base type: str.

An example of it:mitre:attack:mitigation:

• M1036

The type it:mitre:attack:mitigation has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^M[0-9]{4}$

• replace: ()

• strip: False

it:mitre:attack:software

A MITRE ATT&CK Software ID. The it:mitre:attack:software type is derived from the base type: str.

An example of it:mitre:attack:software:

• S0154

The type it:mitre:attack:software has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^S[0-9]{4}$

• replace: ()

• strip: False

it:mitre:attack:status

A MITRE ATT&CK element status. The it:mitre:attack:status type is derived from the base type: str.

An example of it:mitre:attack:status:

• current

The type it:mitre:attack:status has the following options set:

• enums:

  valu
  current
  deprecated
  withdrawn

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:mitre:attack:tactic

A MITRE ATT&CK Tactic ID. The it:mitre:attack:tactic type is derived from the base type: str.

An example of it:mitre:attack:tactic:

• TA0040

The type it:mitre:attack:tactic has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^TA[0-9]{4}$

• replace: ()

• strip: False

it:mitre:attack:technique

A MITRE ATT&CK Technique ID. The it:mitre:attack:technique type is derived from the base type: str.

An example of it:mitre:attack:technique:

• T1548

The type it:mitre:attack:technique has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^T[0-9]{4}(.[0-9]{3})?$

• replace: ()

• strip: False

it:network

A GUID that represents a logical network. The it:network type is derived from the base type: guid.

it:network:type:taxonomy

A taxonomy of network types. The it:network:type:taxonomy type is derived from the base type: taxonomy.

The type it:network:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:os:android:aaid

An android advertising identification string. The it:os:android:aaid type is derived from the base type: it:adid.

The type it:os:android:aaid has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: True

it:os:android:ibroadcast

The given software broadcasts the given Android intent. The it:os:android:ibroadcast type is derived from the base type: comp.

The type it:os:android:ibroadcast has the following options set:

• fields: (('app', 'it:prod:soft'), ('intent', 'it:os:android:intent'))

it:os:android:ilisten

The given software listens for an android intent. The it:os:android:ilisten type is derived from the base type: comp.

The type it:os:android:ilisten has the following options set:

• fields: (('app', 'it:prod:soft'), ('intent', 'it:os:android:intent'))

it:os:android:intent

An android intent string. The it:os:android:intent type is derived from the base type: str.

The type it:os:android:intent has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:os:android:perm

An android permission string. The it:os:android:perm type is derived from the base type: str.

The type it:os:android:perm has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:os:android:reqperm

The given software requests the android permission. The it:os:android:reqperm type is derived from the base type: comp.

The type it:os:android:reqperm has the following options set:

• fields: (('app', 'it:prod:soft'), ('perm', 'it:os:android:perm'))

it:os:ios:idfa

An iOS advertising identification string. The it:os:ios:idfa type is derived from the base type: it:adid.

The type it:os:ios:idfa has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: True

it:os:windows:sid

A Microsoft Windows Security Identifier. The it:os:windows:sid type is derived from the base type: str.

An example of it:os:windows:sid:

• S-1-5-21-1220945662-1202665555-839525555-5555

The type it:os:windows:sid has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^S-1-(?:\d{1,10}|0x[0-9a-fA-F]{12})(?:-(?:\d+|0x[0-9a-fA-F]{2,}))*$

• replace: ()

• strip: False

it:prod:component

A specific instance of an it:prod:hardware most often as part of an it:host. The it:prod:component type is derived from the base type: guid.

it:prod:hardware

A specification for a piece of IT hardware. The it:prod:hardware type is derived from the base type: guid.

it:prod:hardwaretype

An IT hardware type taxonomy. The it:prod:hardwaretype type is derived from the base type: taxonomy.

The type it:prod:hardwaretype has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:prod:soft

A software product. The it:prod:soft type is derived from the base type: guid.

it:prod:soft:taxonomy

A software type taxonomy. The it:prod:soft:taxonomy type is derived from the base type: taxonomy.

The type it:prod:soft:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:prod:softfile

A file is distributed by a specific software version. The it:prod:softfile type is derived from the base type: comp.

The type it:prod:softfile has the following options set:

• fields: (('soft', 'it:prod:softver'), ('file', 'file:bytes'))

it:prod:softid

An identifier issued to a given host by a specific software application. The it:prod:softid type is derived from the base type: guid.

it:prod:softlib

A software version contains a library software version. The it:prod:softlib type is derived from the base type: comp.

The type it:prod:softlib has the following options set:

• fields: (('soft', 'it:prod:softver'), ('lib', 'it:prod:softver'))

it:prod:softname

A software product name. The it:prod:softname type is derived from the base type: str.

The type it:prod:softname has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

it:prod:softos

The software version is known to be compatible with the given os software version. The it:prod:softos type is derived from the base type: comp.

The type it:prod:softos has the following options set:

• fields: (('soft', 'it:prod:softver'), ('os', 'it:prod:softver'))

it:prod:softreg

A registry entry is created by a specific software version. The it:prod:softreg type is derived from the base type: comp.

The type it:prod:softreg has the following options set:

• fields: (('softver', 'it:prod:softver'), ('regval', 'it:dev:regval'))

it:prod:softver

A specific version of a software product. The it:prod:softver type is derived from the base type: guid.

it:query

A unique query string. The it:query type is derived from the base type: str.

The type it:query has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: True

it:reveng:filefunc

An instance of a function in an executable. The it:reveng:filefunc type is derived from the base type: comp.

The type it:reveng:filefunc has the following options set:

• fields: (('file', 'file:bytes'), ('function', 'it:reveng:function'))

it:reveng:funcstr

A reference to a string inside a function. The it:reveng:funcstr type is derived from the base type: comp.

The type it:reveng:funcstr has the following options set:

• fields: (('function', 'it:reveng:function'), ('string', 'str'))

it:reveng:function

A function inside an executable. The it:reveng:function type is derived from the base type: guid.

it:reveng:impfunc

A function from an imported library. The it:reveng:impfunc type is derived from the base type: str.

The type it:reveng:impfunc has the following options set:

• globsuffix: False

• lower: 1

• onespace: False

• regex: None

• replace: ()

• strip: False

it:screenshot

A screenshot of a host. The it:screenshot type is derived from the base type: guid.

it:sec:c2:config

An extracted C2 config from an executable. The it:sec:c2:config type is derived from the base type: guid.

it:sec:cve

A vulnerability as designated by a Common Vulnerabilities and Exposures (CVE) number. The it:sec:cve type is derived from the base type: str.

An example of it:sec:cve:

• cve-2012-0158

The type it:sec:cve has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: (?i)^CVE-[0-9]{4}-[0-9]{4,}$

• replace: (('‑', '-'), ('‒', '-'), ('–', '-'), ('—', '-'))

• strip: False

it:sec:cwe

NIST NVD Common Weaknesses Enumeration Specification. The it:sec:cwe type is derived from the base type: str.

An example of it:sec:cwe:

• CWE-120

The type it:sec:cwe has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^CWE-[0-9]{1,8}$

• replace: ()

• strip: False

it:sec:metrics

A node used to track metrics of an organization’s infosec program. The it:sec:metrics type is derived from the base type: guid.

it:sec:stix:bundle

A STIX bundle. The it:sec:stix:bundle type is derived from the base type: guid.

it:sec:stix:indicator

A STIX indicator pattern. The it:sec:stix:indicator type is derived from the base type: guid.

it:sec:tlp

The US CISA Traffic-Light-Protocol used to designate information sharing boundaries. The it:sec:tlp type is derived from the base type: int.

An example of it:sec:tlp:

• green

The type it:sec:tlp has the following options set:

• enums:

  int	valu
  10	clear
  20	green
  30	amber
  40	amber-strict
  50	red

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

it:sec:vuln:scan

An instance of running a vulnerability scan. The it:sec:vuln:scan type is derived from the base type: guid.

it:sec:vuln:scan:result

A vulnerability scan result for an asset. The it:sec:vuln:scan:result type is derived from the base type: guid.

it:software:image

The base image used to create a container or OS. The it:software:image type is derived from the base type: guid.

it:software:image:type:taxonomy

A taxonomy of software image types. The it:software:image:type:taxonomy type is derived from the base type: taxonomy.

The type it:software:image:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

it:storage:mount

A storage volume that has been attached to an image. The it:storage:mount type is derived from the base type: guid.

it:storage:volume

A physical or logical storage volume that can be attached to a physical/virtual machine or container. The it:storage:volume type is derived from the base type: guid.

it:storage:volume:type:taxonomy

A taxonomy of storage volume types. The it:storage:volume:type:taxonomy type is derived from the base type: taxonomy.

An example of it:storage:volume:type:taxonomy:

• network.smb

The type it:storage:volume:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

lang:code

An optionally 2 part language code. The lang:code type is derived from the base type: str.

An example of lang:code:

• pt.br

The type lang:code has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: ^[a-z]{2}(.[a-z]{2})?$

• replace: ()

• strip: False

lang:idiom

Deprecated. Please use lang:translation. The lang:idiom type is derived from the base type: str.

The type lang:idiom has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

lang:language

A specific written or spoken language. The lang:language type is derived from the base type: guid.

lang:name

A name used to refer to a language. The lang:name type is derived from the base type: str.

The type lang:name has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

lang:phrase

A small group of words which stand together as a concept. The lang:phrase type is derived from the base type: str.

The type lang:phrase has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

lang:trans

Deprecated. Please use lang:translation. The lang:trans type is derived from the base type: str.

The type lang:trans has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

lang:translation

A translation of text from one language to another. The lang:translation type is derived from the base type: guid.

mass

A mass which converts to grams as a base unit. The mass type is derived from the base type: hugenum.

The type mass has the following options set:

• modulo: None

• units: {'µg': '0.000001', 'microgram': '0.000001', 'micrograms': '0.000001', 'mg': '0.001', 'milligram': '0.001', 'milligrams': '0.001', 'g': '1', 'grams': '1', 'kg': '1000', 'kilogram': '1000', 'kilograms': '1000', 'lb': '453.592', 'lbs': '453.592', 'pound': '453.592', 'pounds': '453.592', 'stone': '6350.29'}

mat:item

A GUID assigned to a material object. The mat:item type is derived from the base type: guid.

mat:itemimage

The base type for compound node fields. The mat:itemimage type is derived from the base type: comp.

The type mat:itemimage has the following options set:

• fields: (('item', 'mat:item'), ('file', 'file:bytes'))

mat:spec

A GUID assigned to a material specification. The mat:spec type is derived from the base type: guid.

mat:specimage

The base type for compound node fields. The mat:specimage type is derived from the base type: comp.

The type mat:specimage has the following options set:

• fields: (('spec', 'mat:spec'), ('file', 'file:bytes'))

mat:type

A taxonomy of material item/specification types. The mat:type type is derived from the base type: taxonomy.

The type mat:type has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

math:algorithm

A mathematical algorithm. The math:algorithm type is derived from the base type: guid.

math:algorithm:type:taxonomy

A hierarchical taxonomy of algorithm types. The math:algorithm:type:taxonomy type is derived from the base type: taxonomy.

The type math:algorithm:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

media:news

A GUID for a news article or report. The media:news type is derived from the base type: guid.

media:news:taxonomy

A taxonomy of types or sources of news. The media:news:taxonomy type is derived from the base type: taxonomy.

The type media:news:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

media:topic

A topic string. The media:topic type is derived from the base type: str.

The type media:topic has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

meta:aggregate

A node which represents an aggregate count of a specific type. The meta:aggregate type is derived from the base type: guid.

meta:aggregate:type:taxonomy

A type of item being counted in aggregate. The meta:aggregate:type:taxonomy type is derived from the base type: taxonomy.

The type meta:aggregate:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

meta:event

An analytically relevant event in a curated timeline. The meta:event type is derived from the base type: guid.

meta:event:taxonomy

A taxonomy of event types for meta:event nodes. The meta:event:taxonomy type is derived from the base type: taxonomy.

The type meta:event:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

meta:note

An analyst note about nodes linked with -(about)> edges. The meta:note type is derived from the base type: guid.

meta:note:type:taxonomy

An analyst note type taxonomy. The meta:note:type:taxonomy type is derived from the base type: taxonomy.

The type meta:note:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

meta:priority

A generic priority enumeration. The meta:priority type is derived from the base type: int.

The type meta:priority has the following options set:

• enums:

  int	valu
  0	none
  10	lowest
  20	low
  30	medium
  40	high
  50	highest

• enums:strict: False

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

meta:rule

A generic rule linked to matches with -(matches)> edges. The meta:rule type is derived from the base type: guid.

meta:rule:type:taxonomy

A taxonomy for meta:rule types. The meta:rule:type:taxonomy type is derived from the base type: taxonomy.

The type meta:rule:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

meta:ruleset

A set of rules linked with -(has)> edges. The meta:ruleset type is derived from the base type: guid.

meta:seen

Annotates that the data in a node was obtained from or observed by a given source. The meta:seen type is derived from the base type: comp.

The type meta:seen has the following options set:

• fields: (('source', 'meta:source'), ('node', 'ndef'))

meta:severity

A generic severity enumeration. The meta:severity type is derived from the base type: int.

The type meta:severity has the following options set:

• enums:

  int	valu
  0	none
  10	lowest
  20	low
  30	medium
  40	high
  50	highest

• enums:strict: False

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

meta:sophistication

A sophistication score with named values: very low, low, medium, high, and very high. The meta:sophistication type is derived from the base type: int.

The type meta:sophistication has the following options set:

• enums:

  int	valu
  10	very low
  20	low
  30	medium
  40	high
  50	very high

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

meta:source

A data source unique identifier. The meta:source type is derived from the base type: guid.

meta:timeline

A curated timeline of analytically relevant events. The meta:timeline type is derived from the base type: guid.

meta:timeline:taxonomy

A taxonomy of timeline types for meta:timeline nodes. The meta:timeline:taxonomy type is derived from the base type: taxonomy.

The type meta:timeline:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:alias

An alias for the org GUID. The ou:alias type is derived from the base type: str.

An example of ou:alias:

• vertexproject

The type ou:alias has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: ^[0-9a-z_]+$

• replace: ()

• strip: False

ou:asset

A node for tracking assets which belong to an organization. The ou:asset type is derived from the base type: guid.

ou:asset:status:taxonomy

An asset status taxonomy. The ou:asset:status:taxonomy type is derived from the base type: taxonomy.

The type ou:asset:status:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:asset:type:taxonomy

An asset type taxonomy. The ou:asset:type:taxonomy type is derived from the base type: taxonomy.

The type ou:asset:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:attendee

A node representing a person attending a meeting, conference, or event. The ou:attendee type is derived from the base type: guid.

ou:award

An award issued by an organization. The ou:award type is derived from the base type: guid.

ou:campaign

Represents an org’s activity in pursuit of a goal. The ou:campaign type is derived from the base type: guid.

ou:campname

A campaign name. The ou:campname type is derived from the base type: str.

The type ou:campname has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

ou:camptype

An campaign type taxonomy. The ou:camptype type is derived from the base type: taxonomy.

The type ou:camptype has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:candidate

A candidate being considered for a role within an organization. The ou:candidate type is derived from the base type: guid.

ou:candidate:method:taxonomy

A taxonomy of methods by which a candidate came under consideration. The ou:candidate:method:taxonomy type is derived from the base type: taxonomy.

The type ou:candidate:method:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:conference

A conference with a name and sponsoring org. The ou:conference type is derived from the base type: guid.

ou:conference:attendee

Deprecated. Please use ou:attendee. The ou:conference:attendee type is derived from the base type: comp.

The type ou:conference:attendee has the following options set:

• fields: (('conference', 'ou:conference'), ('person', 'ps:person'))

ou:conference:event

A conference event with a name and associated conference. The ou:conference:event type is derived from the base type: guid.

ou:conference:event:attendee

Deprecated. Please use ou:attendee. The ou:conference:event:attendee type is derived from the base type: comp.

The type ou:conference:event:attendee has the following options set:

• fields: (('conference', 'ou:conference:event'), ('person', 'ps:person'))

ou:conflict

Represents a conflict where two or more campaigns have mutually exclusive goals. The ou:conflict type is derived from the base type: guid.

ou:contest

A competitive event resulting in a ranked set of participants. The ou:contest type is derived from the base type: guid.

ou:contest:result

The results from a single contest participant. The ou:contest:result type is derived from the base type: comp.

The type ou:contest:result has the following options set:

• fields: (('contest', 'ou:contest'), ('participant', 'ps:contact'))

ou:contract

An contract between multiple entities. The ou:contract type is derived from the base type: guid.

ou:contract:type

A pre-defined set of contract types. The ou:contract:type type is derived from the base type: str.

The type ou:contract:type has the following options set:

• enum: ('nda', 'other', 'grant', 'treaty', 'purchase', 'indemnity', 'partnership')

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:contribution

Represents a specific instance of contributing material support to a campaign. The ou:contribution type is derived from the base type: guid.

ou:conttype

A contract type taxonomy. The ou:conttype type is derived from the base type: taxonomy.

The type ou:conttype has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:employment

An employment type taxonomy. The ou:employment type is derived from the base type: taxonomy.

An example of ou:employment:

• fulltime.salary

The type ou:employment has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:enacted

An organization enacting a document. The ou:enacted type is derived from the base type: guid.

ou:enacted:status:taxonomy

A taxonomy of enacted statuses. The ou:enacted:status:taxonomy type is derived from the base type: taxonomy.

The type ou:enacted:status:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:goal

An assessed or stated goal which may be abstract or org specific. The ou:goal type is derived from the base type: guid.

ou:goal:type:taxonomy

A taxonomy of goal types. The ou:goal:type:taxonomy type is derived from the base type: taxonomy.

The type ou:goal:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:goalname

A goal name. The ou:goalname type is derived from the base type: str.

The type ou:goalname has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

ou:hasalias

The knowledge that an organization has an alias. The ou:hasalias type is derived from the base type: comp.

The type ou:hasalias has the following options set:

• fields: (('org', 'ou:org'), ('alias', 'ou:alias'))

ou:hasgoal

Deprecated. Please use ou:org:goals. The ou:hasgoal type is derived from the base type: comp.

The type ou:hasgoal has the following options set:

• fields: (('org', 'ou:org'), ('goal', 'ou:goal'))

ou:id:number

A unique id number issued by a specific organization. The ou:id:number type is derived from the base type: comp.

The type ou:id:number has the following options set:

• fields: (('type', 'ou:id:type'), ('value', 'ou:id:value'))

ou:id:type

A type of id number issued by an org. The ou:id:type type is derived from the base type: guid.

ou:id:update

A status update to an org:id:number. The ou:id:update type is derived from the base type: guid.

ou:id:value

The value of an org:id:number. The ou:id:value type is derived from the base type: str.

The type ou:id:value has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: True

ou:industry

An industry classification type. The ou:industry type is derived from the base type: guid.

ou:industry:type:taxonomy

An industry type taxonomy. The ou:industry:type:taxonomy type is derived from the base type: taxonomy.

The type ou:industry:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:industryname

The name of an industry. The ou:industryname type is derived from the base type: str.

The type ou:industryname has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

ou:isic

An International Standard Industrial Classification of All Economic Activities (ISIC) code. The ou:isic type is derived from the base type: str.

An example of ou:isic:

• C1393

The type ou:isic has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^[A-Z]([0-9]{2}[0-9]{0,2})?$

• replace: ()

• strip: False

ou:jobtitle

A title for a position within an org. The ou:jobtitle type is derived from the base type: str.

The type ou:jobtitle has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

ou:jobtype

A taxonomy of job types. The ou:jobtype type is derived from the base type: taxonomy.

An example of ou:jobtype:

• it.dev.python

The type ou:jobtype has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:meet

An informal meeting of people which has no title or sponsor. See also: ou:conference. The ou:meet type is derived from the base type: guid.

ou:meet:attendee

Deprecated. Please use ou:attendee. The ou:meet:attendee type is derived from the base type: comp.

The type ou:meet:attendee has the following options set:

• fields: (('meet', 'ou:meet'), ('person', 'ps:person'))

ou:member

Deprecated. Please use ou:position. The ou:member type is derived from the base type: comp.

The type ou:member has the following options set:

• fields: (('org', 'ou:org'), ('person', 'ps:person'))

ou:naics

North American Industry Classification System codes and prefixes. The ou:naics type is derived from the base type: str.

An example of ou:naics:

• 541715

The type ou:naics has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^[1-9][0-9]{1,5}?$

• replace: ()

• strip: True

ou:name

The name of an organization. This may be a formal name or informal name of the organization. The ou:name type is derived from the base type: str.

An example of ou:name:

• acme corporation

The type ou:name has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: True

ou:opening

A job/work opening within an org. The ou:opening type is derived from the base type: guid.

ou:org

A GUID for a human organization such as a company or military unit. The ou:org type is derived from the base type: guid.

ou:org:has

An org owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time. The ou:org:has type is derived from the base type: comp.

The type ou:org:has has the following options set:

• fields: (('org', 'ou:org'), ('node', 'ndef'))

ou:orgnet4

An organization’s IPv4 netblock. The ou:orgnet4 type is derived from the base type: comp.

The type ou:orgnet4 has the following options set:

• fields: (('org', 'ou:org'), ('net', 'inet:net4'))

ou:orgnet6

An organization’s IPv6 netblock. The ou:orgnet6 type is derived from the base type: comp.

The type ou:orgnet6 has the following options set:

• fields: (('org', 'ou:org'), ('net', 'inet:net6'))

ou:orgtype

An org type taxonomy. The ou:orgtype type is derived from the base type: taxonomy.

The type ou:orgtype has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:position

A position within an org. May be organized into an org chart. The ou:position type is derived from the base type: guid.

ou:preso

A webinar, conference talk, or other type of presentation. The ou:preso type is derived from the base type: guid.

ou:requirement

A specific requirement. The ou:requirement type is derived from the base type: guid.

ou:requirement:type:taxonomy

A taxonomy of requirement types. The ou:requirement:type:taxonomy type is derived from the base type: taxonomy.

The type ou:requirement:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:role

A named role when participating in an event. The ou:role type is derived from the base type: str.

An example of ou:role:

• staff

The type ou:role has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: ^\w+$

• replace: ()

• strip: False

ou:sic

The four digit Standard Industrial Classification Code. The ou:sic type is derived from the base type: str.

An example of ou:sic:

• 0111

The type ou:sic has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^[0-9]{4}$

• replace: ()

• strip: False

ou:suborg

Any parent/child relationship between two orgs. May represent ownership, organizational structure, etc. The ou:suborg type is derived from the base type: comp.

The type ou:suborg has the following options set:

• fields: (('org', 'ou:org'), ('sub', 'ou:org'))

ou:team

A GUID for a team within an organization. The ou:team type is derived from the base type: guid.

ou:technique

A specific technique used to achieve a goal. The ou:technique type is derived from the base type: guid.

ou:technique:taxonomy

An analyst defined taxonomy to classify techniques in different disciplines. The ou:technique:taxonomy type is derived from the base type: taxonomy.

The type ou:technique:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ou:user

A user name within an organization. The ou:user type is derived from the base type: comp.

The type ou:user has the following options set:

• fields: (('org', 'ou:org'), ('user', 'inet:user'))

ou:vitals

Vital statistics about an org for a given time period. The ou:vitals type is derived from the base type: guid.

pe:langid

The PE language id. The pe:langid type is derived from the base type: int.

The type pe:langid has the following options set:

• enums:

  int	valu
  0	neutral
  1	ar
  2	bg
  3	ca
  4	zh-Hans
  5	cs
  6	da
  7	de
  8	el
  9	en
  10	es
  11	fi
  12	fr
  13	he
  14	hu
  15	is
  16	it
  17	ja
  18	ko
  19	nl
  20	no
  21	pl
  22	pt
  23	rm
  24	ro
  25	ru
  26	hr
  27	sk
  28	sq
  29	sv
  30	th
  31	tr
  32	ur
  33	id
  34	uk
  35	be
  36	sl
  37	et
  38	lv
  39	lt
  40	tg
  41	fa
  42	vi
  43	hy
  44	az
  45	eu
  46	hsb
  47	mk
  48	st
  49	ts
  50	tn
  51	ve
  52	xh
  53	zu
  54	af
  55	ka
  56	fo
  57	hi
  58	mt
  59	se
  60	ga
  61	yi
  62	ms
  63	kk
  64	ky
  65	sw
  66	tk
  67	uz
  68	tt
  69	bn
  70	pa
  71	gu
  72	or
  73	ta
  74	te
  75	kn
  76	ml
  77	as
  78	mr
  79	sa
  80	mn
  81	bo
  82	cy
  83	km
  84	lo
  85	my
  86	gl
  87	kok
  88	mni
  89	sd
  90	syr
  91	si
  92	chr
  93	iu
  94	am
  95	tzm
  96	ks
  97	ne
  98	fy
  99	ps
  100	fil
  101	dv
  102	bin
  103	ff
  104	ha
  105	ibb
  106	yo
  107	quz
  108	nso
  109	ba
  110	lb
  111	kl
  112	ig
  113	kr
  114	om
  115	ti
  116	gn
  117	haw
  118	la
  119	so
  120	ii
  121	pap
  122	arn
  123	undefined and unreserved 0x007B
  124	moh
  125	undefined and unreserved 0x007D
  126	br
  127	invariant
  128	ug
  129	mi
  130	oc
  131	co
  132	gsw
  133	sah
  134	quc
  135	rw
  136	wo
  137	undefined and unreserved 0x0089
  138	undefined and unreserved 0x008A
  139	undefined and unreserved 0x008B
  140	prs
  141	undefined and unreserved 0x008D
  142	undefined and unreserved 0x008E
  143	undefined and unreserved 0x008F
  144	undefined and unreserved 0x0090
  145	gd
  146	ku
  147	quc, reserved
  1024	default
  1025	ar-SA
  1026	bg-BG
  1027	ca-ES
  1028	zh-TW
  1029	cs-CZ
  1030	da-DK
  1031	de-DE
  1032	el-GR
  1033	en-US
  1034	es-ES_tradnl
  1035	fi-FI
  1036	fr-FR
  1037	he-IL
  1038	hu-HU
  1039	is-IS
  1040	it-IT
  1041	ja-JP
  1042	ko-KR
  1043	nl-NL
  1044	nb-NO
  1045	pl-PL
  1046	pt-BR
  1047	rm-CH
  1048	ro-RO
  1049	ru-RU
  1050	hr-HR
  1051	sk-SK
  1052	sq-AL
  1053	sv-SE
  1054	th-TH
  1055	tr-TR
  1056	ur-PK
  1057	id-ID
  1058	uk-UA
  1059	be-BY
  1060	sl-SI
  1061	et-EE
  1062	lv-LV
  1063	lt-LT
  1064	tg-Cyrl-TJ
  1065	fa-IR
  1066	vi-VN
  1067	hy-AM
  1068	az-Latn-AZ
  1069	eu-ES
  1070	hsb-DE
  1071	mk-MK
  1072	st-ZA
  1073	ts-ZA
  1074	tn-ZA
  1075	ve-ZA
  1076	xh-ZA
  1077	zu-ZA
  1078	af-ZA
  1079	ka-GE
  1080	fo-FO
  1081	hi-IN
  1082	mt-MT
  1083	se-NO
  1085	yi-001
  1086	ms-MY
  1087	kk-KZ
  1088	ky-KG
  1089	sw-KE
  1090	tk-TM
  1091	uz-Latn-UZ
  1092	tt-RU
  1093	bn-IN
  1094	pa-IN
  1095	gu-IN
  1096	or-IN
  1097	ta-IN
  1098	te-IN
  1099	kn-IN
  1100	ml-IN
  1101	as-IN
  1102	mr-IN
  1103	sa-IN
  1104	mn-MN
  1105	bo-CN
  1106	cy-GB
  1107	km-KH
  1108	lo-LA
  1109	my-MM
  1110	gl-ES
  1111	kok-IN
  1112	mni-IN
  1113	sd-Deva-IN
  1114	syr-SY
  1115	si-LK
  1116	chr-Cher-US
  1117	iu-Cans-CA
  1118	am-ET
  1119	tzm-Arab-MA
  1120	ks-Arab
  1121	ne-NP
  1122	fy-NL
  1123	ps-AF
  1124	fil-PH
  1125	dv-MV
  1126	bin-NG
  1127	ff-NG
  1128	ha-Latn-NG
  1129	ibb-NG
  1130	yo-NG
  1131	quz-BO
  1132	nso-ZA
  1133	ba-RU
  1134	lb-LU
  1135	kl-GL
  1136	ig-NG
  1137	kr-Latn-NG
  1138	om-ET
  1139	ti-ET
  1140	gn-PY
  1141	haw-US
  1142	la-VA
  1143	so-SO
  1144	ii-CN
  1145	pap-029
  1146	arn-CL
  1148	moh-CA
  1150	br-FR
  1152	ug-CN
  1153	mi-NZ
  1154	oc-FR
  1155	co-FR
  1156	gsw-FR
  1157	sah-RU
  1158	quc-Latn-GT
  1159	rw-RW
  1160	wo-SN
  1164	prs-AF
  1165	plt-MG
  1166	zh-yue-HK
  1167	tdd-Tale-CN
  1168	khb-Talu-CN
  1169	gd-GB
  1170	ku-Arab-IQ
  1171	quc-CO, reserved
  1281	qps-ploc
  1534	qps-ploca
  2048	sys default
  2049	ar-IQ
  2051	ca-ES-Valencia
  2052	zh-CN
  2055	de-CH
  2057	en-GB
  2058	es-MX
  2060	fr-BE
  2064	it-CH
  2065	ja-Ploc-JP
  2067	nl-BE
  2068	nn-NO
  2070	pt-PT
  2072	ro-MD
  2073	ru-MD
  2074	sr-Latn-CS
  2077	sv-FI
  2080	ur-IN
  2087	undefined and unreserved 0x0827
  2092	az-Cyrl-AZ
  2094	dsb-DE
  2098	tn-BW
  2107	se-SE
  2108	ga-IE
  2110	ms-BN
  2111	kk-Latn-KZ
  2115	uz-Cyrl-UZ
  2117	bn-BD
  2118	pa-Arab-PK
  2121	ta-LK
  2128	mn-Mong-CN
  2129	bo-BT
  2137	sd-Arab-PK
  2141	iu-Latn-CA
  2143	tzm-Latn-DZ
  2144	ks-Deva-IN
  2145	ne-IN
  2151	ff-Latn-SN
  2155	quz-EC
  2163	ti-ER
  2559	qps-plocm
  3072	custom default
  3073	ar-EG
  3076	zh-HK
  3079	de-AT
  3081	en-AU
  3082	es-ES
  3084	fr-CA
  3098	sr-Cyrl-CS
  3131	se-FI
  3152	mn-Mong-MN
  3153	dz-BT
  3167	tzm-MA
  3179	quz-PE
  4096	custom unspecified
  4097	ar-LY
  4100	zh-SG
  4103	de-LU
  4105	en-CA
  4106	es-GT
  4108	fr-CH
  4122	hr-BA
  4155	smj-NO
  4191	tzm-Tfng-MA
  5120	ui_custom_default
  5121	ar-DZ
  5124	zh-MO
  5127	de-LI
  5129	en-NZ
  5130	es-CR
  5132	fr-LU
  5146	bs-Latn-BA
  5179	smj-SE
  6145	ar-MA
  6153	en-IE
  6154	es-PA
  6156	fr-MC
  6170	sr-Latn-BA
  6203	sma-NO
  7169	ar-TN
  7177	en-ZA
  7178	es-DO
  7180	fr-029
  7194	sr-Cyrl-BA
  7227	sma-SE
  8192	custom transient 0x2000
  8193	ar-OM
  8200	undefined and unreserved 0x2008
  8201	en-JM
  8202	es-VE
  8204	fr-RE
  8218	bs-Cyrl-BA
  8251	sms-FI
  9216	custom transient 0x2400
  9217	ar-YE
  9225	en-029
  9226	es-CO
  9228	fr-CD
  9242	sr-Latn-RS
  9275	smn-FI
  10240	custom transient 0x2800
  10241	ar-SY
  10249	en-BZ
  10250	es-PE
  10252	fr-SN
  10266	sr-Cyrl-RS
  11264	custom transient 0x2C00
  11265	ar-JO
  11273	en-TT
  11274	es-AR
  11276	fr-CM
  11290	sr-Latn-ME
  12288	custom transient 0x3000
  12289	ar-LB
  12297	en-ZW
  12298	es-EC
  12300	fr-CI
  12314	sr-Cyrl-ME
  13312	custom transient 0x3400
  13313	ar-KW
  13321	en-PH
  13322	es-CL
  13324	fr-ML
  14336	custom transient 0x3800
  14337	ar-AE
  14345	en-ID
  14346	es-UY
  14348	fr-MA
  15360	custom transient 0x3C00
  15361	ar-BH
  15369	en-HK
  15370	es-PY
  15372	fr-HT
  16384	custom transient 0x4000
  16385	ar-QA
  16393	en-IN
  16394	es-BO
  17408	custom transient 0x4400
  17409	ar-Ploc-SA
  17417	en-MY
  17418	es-SV
  18432	custom transient 0x4800
  18433	ar-145
  18441	en-SG
  18442	es-HN
  19456	custom transient 0x4C00
  19465	en-AE
  19466	es-NI
  20489	en-BH
  20490	es-PR
  21513	en-EG
  21514	es-US
  22537	en-JO
  22538	es-419
  23561	en-KW
  23562	es-CU
  24585	en-TR
  25609	en-YE
  25626	bs-Cyrl
  26650	bs-Latn
  27674	sr-Cyrl
  28698	sr-Latn
  28731	smn
  29740	az-Cyrl
  29755	sms
  30724	zh
  30740	nn
  30746	bs
  30764	az-Latn
  30779	sma
  30783	kk-Cyrl
  30787	uz-Cyrl
  30800	mn-Cyrl
  30813	iu-Cans
  30815	tzm-Tfng
  31748	zh-Hant
  31764	nb
  31770	sr
  31784	tg-Cyrl
  31790	dsb
  31803	smj
  31807	kk-Latn
  31811	uz-Latn
  31814	pa-Arab
  31824	mn-Mong
  31833	sd-Arab
  31836	chr-Cher
  31837	iu-Latn
  31839	tzm-Latn
  31847	ff-Latn
  31848	ha-Latn
  31890	ku-Arab
  58380	fr-015
  61166	reserved 0xEEEE
  62190	reserved 0xF2EE

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

pe:resource:type

The typecode for the resource. The pe:resource:type type is derived from the base type: int.

The type pe:resource:type has the following options set:

• enums:

  int	valu
  1	RT_CURSOR
  2	RT_BITMAP
  3	RT_ICON
  4	RT_MENU
  5	RT_DIALOG
  6	RT_STRING
  7	RT_FONTDIR
  8	RT_FONT
  9	RT_ACCELERATOR
  10	RT_RCDATA
  11	RT_MESSAGETABLE
  12	RT_GROUP_CURSOR
  14	RT_GROUP_ICON
  16	RT_VERSION
  17	RT_DLGINCLUDE
  19	RT_PLUGPLAY
  20	RT_VXD
  21	RT_ANICURSOR
  22	RT_ANIICON
  23	RT_HTML
  24	RT_MANIFEST

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

plan:phase

A phase within a planning system which may be used to group steps within a procedure. The plan:phase type is derived from the base type: guid.

plan:procedure

A procedure consisting of steps. The plan:procedure type is derived from the base type: guid.

plan:procedure:link

A link between steps in a procedure. The plan:procedure:link type is derived from the base type: guid.

plan:procedure:step

A step within a procedure. The plan:procedure:step type is derived from the base type: guid.

plan:procedure:type:taxonomy

A taxonomy of procedure types. The plan:procedure:type:taxonomy type is derived from the base type: taxonomy.

The type plan:procedure:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

plan:procedure:variable

A variable used by a procedure. The plan:procedure:variable type is derived from the base type: guid.

plan:system

A planning or behavioral analysis system that defines phases and procedures. The plan:system type is derived from the base type: guid.

pol:candidate

A candidate for office in a specific race. The pol:candidate type is derived from the base type: guid.

pol:country

A GUID for a country. The pol:country type is derived from the base type: guid.

pol:election

An election involving one or more races for office. The pol:election type is derived from the base type: guid.

pol:immigration:status

A node which tracks the immigration status of a contact. The pol:immigration:status type is derived from the base type: guid.

pol:immigration:status:type:taxonomy

A taxonomy of immigration types. The pol:immigration:status:type:taxonomy type is derived from the base type: taxonomy.

The type pol:immigration:status:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

pol:iso2

The 2 digit ISO 3166 country code. The pol:iso2 type is derived from the base type: str.

An example of pol:iso2:

• us

The type pol:iso2 has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: ^[a-z0-9]{2}$

• replace: ()

• strip: False

pol:iso3

The 3 digit ISO 3166 country code. The pol:iso3 type is derived from the base type: str.

An example of pol:iso3:

• usa

The type pol:iso3 has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: ^[a-z0-9]{3}$

• replace: ()

• strip: False

pol:isonum

The ISO integer country code. The pol:isonum type is derived from the base type: int.

An example of pol:isonum:

• 840

The type pol:isonum has the following options set:

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

pol:office

An elected or appointed office. The pol:office type is derived from the base type: guid.

pol:pollingplace

An official place where ballots may be cast for a specific election. The pol:pollingplace type is derived from the base type: guid.

pol:race

An individual race for office. The pol:race type is derived from the base type: guid.

pol:term

A term in office held by a specific individual. The pol:term type is derived from the base type: guid.

pol:vitals

A set of vital statistics about a country. The pol:vitals type is derived from the base type: guid.

proj:attachment

A file attachment added to a ticket or comment. The proj:attachment type is derived from the base type: guid.

proj:comment

A user comment on a ticket. The proj:comment type is derived from the base type: guid.

proj:epic

A collection of tickets related to a topic. The proj:epic type is derived from the base type: guid.

proj:project

A project in a ticketing system. The proj:project type is derived from the base type: guid.

proj:project:type:taxonomy

A type taxonomy for projects. The proj:project:type:taxonomy type is derived from the base type: taxonomy.

The type proj:project:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

proj:sprint

A timeboxed period to complete a set amount of work. The proj:sprint type is derived from the base type: guid.

proj:ticket

A ticket in a ticketing system. The proj:ticket type is derived from the base type: guid.

ps:achievement

An instance of an individual receiving an award. The ps:achievement type is derived from the base type: guid.

ps:contact

A GUID for a contact info record. The ps:contact type is derived from the base type: guid.

ps:contact:type:taxonomy

A taxonomy of contact types. The ps:contact:type:taxonomy type is derived from the base type: taxonomy.

The type ps:contact:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ps:contactlist

A GUID for a list of associated contacts. The ps:contactlist type is derived from the base type: guid.

ps:education

A period of education for an individual. The ps:education type is derived from the base type: guid.

ps:name

An arbitrary, lower spaced string with normalized whitespace. The ps:name type is derived from the base type: str.

An example of ps:name:

• robert grey

The type ps:name has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

ps:person

A GUID for a person. The ps:person type is derived from the base type: guid.

ps:person:has

A person owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time. The ps:person:has type is derived from the base type: comp.

The type ps:person:has has the following options set:

• fields: (('person', 'ps:person'), ('node', 'ndef'))

ps:persona

A GUID for a suspected person. The ps:persona type is derived from the base type: guid.

ps:persona:has

A persona owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time. The ps:persona:has type is derived from the base type: comp.

The type ps:persona:has has the following options set:

• fields: (('persona', 'ps:persona'), ('node', 'ndef'))

ps:proficiency

The assessment that a given contact possesses a specific skill. The ps:proficiency type is derived from the base type: guid.

ps:skill

A specific skill which a person or organization may have. The ps:skill type is derived from the base type: guid.

ps:skill:type:taxonomy

A taxonomy of skill types. The ps:skill:type:taxonomy type is derived from the base type: taxonomy.

The type ps:skill:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

ps:tokn

A single name element (potentially given or sur). The ps:tokn type is derived from the base type: str.

An example of ps:tokn:

• robert

The type ps:tokn has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: True

ps:vitals

Statistics and demographic data about a person or contact. The ps:vitals type is derived from the base type: guid.

ps:workhist

A GUID representing entry in a contact’s work history. The ps:workhist type is derived from the base type: guid.

risk:alert

An instance of an alert which indicates the presence of a risk. The risk:alert type is derived from the base type: guid.

risk:alert:taxonomy

A taxonomy of alert types. The risk:alert:taxonomy type is derived from the base type: taxonomy.

The type risk:alert:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

risk:alert:verdict:taxonomy

A taxonomy of verdicts for the origin and validity of the alert. The risk:alert:verdict:taxonomy type is derived from the base type: taxonomy.

The type risk:alert:verdict:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

risk:attack

An instance of an actor attacking a target. The risk:attack type is derived from the base type: guid.

risk:attacktype

A taxonomy of attack types. The risk:attacktype type is derived from the base type: taxonomy.

The type risk:attacktype has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

risk:availability

A taxonomy of availability status values. The risk:availability type is derived from the base type: taxonomy.

The type risk:availability has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

risk:compromise

An instance of a compromise and its aggregate impact. The risk:compromise type is derived from the base type: guid.

risk:compromisetype

A taxonomy of compromise types. The risk:compromisetype type is derived from the base type: taxonomy.

An example of risk:compromisetype:

• cno.breach

The type risk:compromisetype has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

risk:extortion

An event where an attacker attempted to extort a victim. The risk:extortion type is derived from the base type: guid.

risk:extortion:type:taxonomy

A taxonomy of extortion event types. The risk:extortion:type:taxonomy type is derived from the base type: taxonomy.

The type risk:extortion:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

risk:hasvuln

Deprecated. Please use risk:vulnerable. The risk:hasvuln type is derived from the base type: guid.

risk:leak

An event where information was disclosed without permission. The risk:leak type is derived from the base type: guid.

risk:leak:type:taxonomy

A taxonomy of leak event types. The risk:leak:type:taxonomy type is derived from the base type: taxonomy.

The type risk:leak:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

risk:mitigation

A mitigation for a specific risk:vuln. The risk:mitigation type is derived from the base type: guid.

risk:mitigation:type:taxonomy

A taxonomy of mitigation types. The risk:mitigation:type:taxonomy type is derived from the base type: taxonomy.

The type risk:mitigation:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

risk:outage

An outage event which affected resource availability. The risk:outage type is derived from the base type: guid.

risk:outage:cause:taxonomy

An outage cause taxonomy. The risk:outage:cause:taxonomy type is derived from the base type: taxonomy.

The type risk:outage:cause:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

risk:outage:type:taxonomy

An outage type taxonomy. The risk:outage:type:taxonomy type is derived from the base type: taxonomy.

The type risk:outage:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

risk:technique:masquerade

Represents the assessment that a node is designed to resemble another in order to mislead. The risk:technique:masquerade type is derived from the base type: guid.

risk:threat

A threat cluster or subgraph of threat activity, as reported by a specific organization. The risk:threat type is derived from the base type: guid.

risk:threat:type:taxonomy

A taxonomy of threat types. The risk:threat:type:taxonomy type is derived from the base type: taxonomy.

The type risk:threat:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

risk:tool:software

A software tool used in threat activity, as reported by a specific organization. The risk:tool:software type is derived from the base type: guid.

risk:tool:software:taxonomy

A taxonomy of software / tool types. The risk:tool:software:taxonomy type is derived from the base type: taxonomy.

The type risk:tool:software:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

risk:vuln

A unique vulnerability. The risk:vuln type is derived from the base type: guid.

risk:vuln:soft:range

A contiguous range of software versions which contain a vulnerability. The risk:vuln:soft:range type is derived from the base type: guid.

risk:vuln:type:taxonomy

A taxonomy of vulnerability types. The risk:vuln:type:taxonomy type is derived from the base type: taxonomy.

The type risk:vuln:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

risk:vulnerable

Indicates that a node is susceptible to a vulnerability. The risk:vulnerable type is derived from the base type: guid.

risk:vulnname

A vulnerability name such as log4j or rowhammer. The risk:vulnname type is derived from the base type: str.

The type risk:vulnname has the following options set:

• globsuffix: False

• lower: True

• onespace: True

• regex: None

• replace: ()

• strip: False

rsa:key

An RSA keypair modulus and public exponent. The rsa:key type is derived from the base type: comp.

The type rsa:key has the following options set:

• fields: (('mod', 'hex'), ('pub:exp', 'int'))

sci:evidence

An assessment of how an observation supports or refutes a hypothesis. The sci:evidence type is derived from the base type: guid.

sci:experiment

An instance of running an experiment. The sci:experiment type is derived from the base type: guid.

sci:experiment:type:taxonomy

A taxonomy of experiment types. The sci:experiment:type:taxonomy type is derived from the base type: taxonomy.

The type sci:experiment:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

sci:hypothesis

A hypothesis or theory. The sci:hypothesis type is derived from the base type: guid.

sci:hypothesis:type:taxonomy

A taxonomy of hypothesis types. The sci:hypothesis:type:taxonomy type is derived from the base type: taxonomy.

The type sci:hypothesis:type:taxonomy has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: False

sci:observation

An observation which may have resulted from an experiment. The sci:observation type is derived from the base type: guid.

syn:cmd

A Synapse storm command. The syn:cmd type is derived from the base type: str.

The type syn:cmd has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: True

syn:cron

A Cortex cron job. The syn:cron type is derived from the base type: guid.

syn:form

A Synapse form used for representing nodes in the graph. The syn:form type is derived from the base type: str.

The type syn:form has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: True

syn:nodedata

A nodedata key and the form it may be present on. The syn:nodedata type is derived from the base type: comp.

The type syn:nodedata has the following options set:

• fields: (('key', 'str'), ('form', 'syn:form'))

syn:prop

A Synapse property. The syn:prop type is derived from the base type: str.

The type syn:prop has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: True

syn:tagprop

A user defined tag property. The syn:tagprop type is derived from the base type: str.

The type syn:tagprop has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: True

syn:trigger

A Cortex trigger. The syn:trigger type is derived from the base type: guid.

syn:type

A Synapse type used for normalizing nodes and properties. The syn:type type is derived from the base type: str.

The type syn:type has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: None

• replace: ()

• strip: True

tel:call

A guid for a telephone call record. The tel:call type is derived from the base type: guid.

tel:mob:carrier

The fusion of a MCC/MNC. The tel:mob:carrier type is derived from the base type: comp.

The type tel:mob:carrier has the following options set:

• fields: (('mcc', 'tel:mob:mcc'), ('mnc', 'tel:mob:mnc'))

tel:mob:cell

A mobile cell site which a phone may connect to. The tel:mob:cell type is derived from the base type: comp.

The type tel:mob:cell has the following options set:

• fields: (('carrier', 'tel:mob:carrier'), ('lac', ('int', {})), ('cid', ('int', {})))

tel:mob:imid

Fused knowledge of an IMEI/IMSI used together. The tel:mob:imid type is derived from the base type: comp.

An example of tel:mob:imid:

• (490154203237518, 310150123456789)

The type tel:mob:imid has the following options set:

• fields: (('imei', 'tel:mob:imei'), ('imsi', 'tel:mob:imsi'))

tel:mob:imsiphone

Fused knowledge of an IMSI assigned phone number. The tel:mob:imsiphone type is derived from the base type: comp.

An example of tel:mob:imsiphone:

• (310150123456789, "+7(495) 124-59-83")

The type tel:mob:imsiphone has the following options set:

• fields: (('imsi', 'tel:mob:imsi'), ('phone', 'tel:phone'))

tel:mob:mcc

ITU Mobile Country Code. The tel:mob:mcc type is derived from the base type: str.

The type tel:mob:mcc has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^[0-9]{3}$

• replace: ()

• strip: 1

tel:mob:mnc

ITU Mobile Network Code. The tel:mob:mnc type is derived from the base type: str.

The type tel:mob:mnc has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: ^[0-9]{2,3}$

• replace: ()

• strip: 1

tel:mob:tac

A mobile Type Allocation Code. The tel:mob:tac type is derived from the base type: int.

An example of tel:mob:tac:

• 49015420

The type tel:mob:tac has the following options set:

• enums:strict: True

• fmt: %d

• ismax: False

• ismin: False

• max: None

• min: None

• signed: True

• size: 8

tel:mob:telem

A single mobile telemetry measurement. The tel:mob:telem type is derived from the base type: guid.

tel:txtmesg

A guid for an individual text message. The tel:txtmesg type is derived from the base type: guid.

transport:air:craft

An individual aircraft. The transport:air:craft type is derived from the base type: guid.

transport:air:flight

An individual instance of a flight. The transport:air:flight type is derived from the base type: guid.

transport:air:flightnum

A commercial flight designator including airline and serial. The transport:air:flightnum type is derived from the base type: str.

An example of transport:air:flightnum:

• ua2437

The type transport:air:flightnum has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: ^[a-z0-9]{3,6}$

• replace: ((' ', ''),)

• strip: True

transport:air:occupant

An occupant of a specific flight. The transport:air:occupant type is derived from the base type: guid.

transport:air:port

An IATA assigned airport code. The transport:air:port type is derived from the base type: str.

The type transport:air:port has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: None

• replace: ()

• strip: False

transport:air:tailnum

An aircraft registration number or military aircraft serial number. The transport:air:tailnum type is derived from the base type: str.

An example of transport:air:tailnum:

• ff023

The type transport:air:tailnum has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: ^[a-z0-9-]{2,}$

• replace: ()

• strip: True

transport:air:telem

A telemetry sample from an aircraft in transit. The transport:air:telem type is derived from the base type: guid.

transport:direction

A direction measured in degrees with 0.0 being true North. The transport:direction type is derived from the base type: hugenum.

The type transport:direction has the following options set:

• modulo: 360

• units: None

transport:land:license

A license to operate a land vehicle issued to a contact. The transport:land:license type is derived from the base type: guid.

transport:land:registration

Registration issued to a contact for a land vehicle. The transport:land:registration type is derived from the base type: guid.

transport:land:vehicle

An individual vehicle. The transport:land:vehicle type is derived from the base type: guid.

transport:sea:imo

An International Maritime Organization registration number. The transport:sea:imo type is derived from the base type: str.

The type transport:sea:imo has the following options set:

• globsuffix: False

• lower: True

• onespace: False

• regex: ^imo[0-9]{7}$

• replace: ((' ', ''),)

• strip: True

transport:sea:mmsi

A Maritime Mobile Service Identifier. The transport:sea:mmsi type is derived from the base type: str.

The type transport:sea:mmsi has the following options set:

• globsuffix: False

• lower: False

• onespace: False

• regex: [0-9]{9}

• replace: ()

• strip: False

transport:sea:telem

A telemetry sample from a vessel in transit. The transport:sea:telem type is derived from the base type: guid.

transport:sea:vessel

An individual sea vessel. The transport:sea:vessel type is derived from the base type: guid.