Synapse Data Model - Types

Base Types

Base types are defined via Python classes.

array

A typed array which indexes each field. It is implemented by the following class: synapse.lib.types.Array.

The base type array has the following default options set:

  • type: int

bool

The base boolean type. It is implemented by the following class: synapse.lib.types.Bool.

comp

The base type for compound node fields. It is implemented by the following class: synapse.lib.types.Comp.

cvss:v2

A CVSS v2 vector string. It is implemented by the following class: synapse.models.risk.CvssV2.

An example of cvss:v2:

  • (AV:L/AC:L/Au:M/C:P/I:C/A:N)

cvss:v3

A CVSS v3.x vector string. It is implemented by the following class: synapse.models.risk.CvssV3.

An example of cvss:v3:

  • AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
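The two example vectors above can be checked mechanically. The following is an added example (not the synapse.models.risk.CvssV2 / CvssV3 code) that splits a v2 or v3.x base vector into its metrics and validates each value against the base-metric alphabets from the CVSS specifications; it accepts the parenthesised v2 form shown above and the v3 form with or without its "CVSS:3.x/" prefix. Rejecting temporal and environmental metrics is a choice of this example, not of the model.

```python
import re

# Base-metric alphabets, constructed from the CVSS v2 and v3.x specifications.
CVSS_V2_BASE = {
    'AV': ('L', 'A', 'N'),
    'AC': ('H', 'M', 'L'),
    'Au': ('M', 'S', 'N'),
    'C': ('N', 'P', 'C'),
    'I': ('N', 'P', 'C'),
    'A': ('N', 'P', 'C'),
}
CVSS_V3_BASE = {
    'AV': ('N', 'A', 'L', 'P'),
    'AC': ('L', 'H'),
    'PR': ('N', 'L', 'H'),
    'UI': ('N', 'R'),
    'S': ('U', 'C'),
    'C': ('H', 'L', 'N'),
    'I': ('H', 'L', 'N'),
    'A': ('H', 'L', 'N'),
}


class BadVector(ValueError):
    """The text is not a well-formed CVSS base vector."""


def parse_cvss(text):
    """Return (version, metrics) for a CVSS v2 or v3.x base vector string.

    version is '2' for v2 vectors, '3.0' or '3.1' when the v3 prefix is
    present, and '3' for a v3 vector given without its prefix.
    """
    text = text.strip()
    if text.startswith('(') and text.endswith(')'):   # v2 spec notation
        text = text[1:-1]
    parts = text.split('/')
    version = None
    m = re.fullmatch(r'CVSS:(3\.[01])', parts[0])
    if m:
        version = m.group(1)
        parts = parts[1:]
    metrics = {}
    for part in parts:
        if part.count(':') != 1:
            raise BadVector(f'malformed metric {part!r}')
        key, val = part.split(':')
        if key in metrics:
            raise BadVector(f'duplicate metric {key}')
        metrics[key] = val
    if version is None:
        # The Authentication (Au) metric exists only in v2.
        version = '2' if 'Au' in metrics else '3'
    table = CVSS_V2_BASE if version == '2' else CVSS_V3_BASE
    missing = set(table) - set(metrics)
    extra = set(metrics) - set(table)
    if missing or extra:
        raise BadVector(f'missing={sorted(missing)} unexpected={sorted(extra)}')
    for key, val in metrics.items():
        if val not in table[key]:
            raise BadVector(f'{key}:{val} is not a valid value')
    return version, metrics


def is_valid_cvss(text):
    """True if parse_cvss accepts the vector."""
    try:
        parse_cvss(text)
        return True
    except BadVector:
        return False
```

Because the vector is parsed into a dict, a caller can also check individual metrics, for example that a v3 vector has S:C before treating a finding as scope-changing.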

data

Arbitrary json compatible data. It is implemented by the following class: synapse.lib.types.Data.

duration

A duration value. It is implemented by the following class: synapse.lib.types.Duration.

The base type duration has the following default options set:

  • signed: False

edge

A digraph edge base type. It is implemented by the following class: synapse.lib.types.Edge.

file:base

A file name with no path. It is implemented by the following class: synapse.models.files.FileBase.

An example of file:base:

  • woot.exe

file:bytes

The file bytes type with SHA256 based primary property. It is implemented by the following class: synapse.models.files.FileBytes.

file:path

A normalized file path. It is implemented by the following class: synapse.models.files.FilePath.

An example of file:path:

  • c:/windows/system32/calc.exe

float

The base floating point type. It is implemented by the following class: synapse.lib.types.Float.

The base type float has the following default options set:

  • fmt: %f

  • min: None

  • minisvalid: True

  • max: None

  • maxisvalid: True

geo:area

A geographic area (base unit is square mm). It is implemented by the following class: synapse.models.geospace.Area.

An example of geo:area:

  • 10 sq.km

geo:dist

A geographic distance (base unit is mm). It is implemented by the following class: synapse.models.geospace.Dist.

An example of geo:dist:

  • 10 km

geo:latlong

A Lat/Long string specifying a point on Earth. It is implemented by the following class: synapse.models.geospace.LatLong.

An example of geo:latlong:

  • -12.45,56.78

guid

The base GUID type. It is implemented by the following class: synapse.lib.types.Guid.

hex

The base hex type. It is implemented by the following class: synapse.lib.types.Hex.

The base type hex has the following default options set:

  • size: 0

  • zeropad: 0

hugenum

A potentially huge/tiny number. [x] <= 730750818665451459101842 with a fractional precision of 24 decimal digits. It is implemented by the following class: synapse.lib.types.HugeNum.

The base type hugenum has the following default options set:

  • units: None

  • modulo: None

inet:addr

A network layer URL-like format to represent tcp/udp/icmp clients and servers. It is implemented by the following class: synapse.models.inet.Addr.

An example of inet:addr:

  • tcp://1.2.3.4:80

inet:cidr4

An IPv4 address block in Classless Inter-Domain Routing (CIDR) notation. It is implemented by the following class: synapse.models.inet.Cidr4.

An example of inet:cidr4:

  • 1.2.3.0/24

inet:cidr6

An IPv6 address block in Classless Inter-Domain Routing (CIDR) notation. It is implemented by the following class: synapse.models.inet.Cidr6.

An example of inet:cidr6:

  • 2001:db8::/101

inet:dns:name

A DNS query name string. Likely an FQDN but not always. It is implemented by the following class: synapse.models.dns.DnsName.

An example of inet:dns:name:

  • vertex.link

inet:email

An e-mail address. It is implemented by the following class: synapse.models.inet.Email.

inet:fqdn

A Fully Qualified Domain Name (FQDN). It is implemented by the following class: synapse.models.inet.Fqdn.

An example of inet:fqdn:

  • vertex.link

inet:ipv4

An IPv4 address. It is implemented by the following class: synapse.models.inet.IPv4.

An example of inet:ipv4:

  • 1.2.3.4

inet:ipv4range

An IPv4 address range. It is implemented by the following class: synapse.models.inet.IPv4Range.

An example of inet:ipv4range:

  • 1.2.3.4-1.2.3.8

inet:ipv6

An IPv6 address. It is implemented by the following class: synapse.models.inet.IPv6.

An example of inet:ipv6:

  • 2607:f8b0:4004:809::200e

inet:ipv6range

An IPv6 address range. It is implemented by the following class: synapse.models.inet.IPv6Range.

An example of inet:ipv6range:

  • (2607:f8b0:4004:809::200e, 2607:f8b0:4004:809::2011)
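The four block and range types above (inet:cidr4, inet:cidr6, inet:ipv4range, inet:ipv6range) all describe a contiguous span of addresses. The following added example, written with the standard library rather than the synapse.models.inet code, reduces the notations shown above to an inclusive (first, last) pair so they can be compared and searched uniformly. Masking host bits off a CIDR (so 1.2.3.4/24 becomes 1.2.3.0/24) and refusing a reversed range are choices of this example.

```python
import ipaddress


def range_bounds(text):
    """Return (first, last) address objects for a CIDR block, an 'a-b' range,
    or the '(a, b)' tuple form used by the inet:ipv6range example."""
    text = text.strip()
    if text.startswith('(') and text.endswith(')'):
        text = text[1:-1]
    if '/' in text:
        # strict=False masks host bits instead of raising on e.g. 1.2.3.4/24
        net = ipaddress.ip_network(text, strict=False)
        return net[0], net[-1]
    sep = ',' if ',' in text else '-'
    pieces = [p.strip() for p in text.split(sep, 1)]
    if len(pieces) != 2:
        raise ValueError(f'not a range: {text!r}')
    lo, hi = (ipaddress.ip_address(p) for p in pieces)
    if lo.version != hi.version:
        raise ValueError('range mixes IPv4 and IPv6 addresses')
    if lo > hi:
        raise ValueError('range start is after range end')
    return lo, hi


def contains(rng, addr):
    """True if addr falls inside the block or range rng (same family only)."""
    lo, hi = range_bounds(rng)
    a = ipaddress.ip_address(addr)
    return a.version == lo.version and lo <= a <= hi


def size(rng):
    """Number of addresses covered by rng."""
    lo, hi = range_bounds(rng)
    return int(hi) - int(lo) + 1
```

Normalising to integers before comparing is what makes an IPv6 block such as 2001:db8::/101 (2^27 addresses) cheap to test against: containment becomes two integer comparisons rather than a string prefix match.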

inet:rfc2822:addr

An RFC 2822 Address field. It is implemented by the following class: synapse.models.inet.Rfc2822Addr.

An example of inet:rfc2822:addr:

  • "Visi Kenshoto" <visi@vertex.link>

inet:url

A Universal Resource Locator (URL). It is implemented by the following class: synapse.models.inet.Url.

An example of inet:url:

  • http://www.woot.com/files/index.html

int

The base 64 bit signed integer type. It is implemented by the following class: synapse.lib.types.Int.

The base type int has the following default options set:

  • size: 8

  • signed: True

  • enums:strict: True

  • fmt: %d

  • min: None

  • max: None

  • ismin: False

  • ismax: False

it:sec:cpe

A NIST CPE 2.3 Formatted String. It is implemented by the following class: synapse.models.infotech.Cpe23Str.

The base type it:sec:cpe has the following default options set:

  • lower: True

it:sec:cpe:v2_2

A NIST CPE 2.2 Formatted String. It is implemented by the following class: synapse.models.infotech.Cpe22Str.

The base type it:sec:cpe:v2_2 has the following default options set:

  • lower: True

it:semver

Semantic Version type. It is implemented by the following class: synapse.models.infotech.SemVer.

ival

A time window/interval. It is implemented by the following class: synapse.lib.types.Ival.

loc

The base geo political location type. It is implemented by the following class: synapse.lib.types.Loc.

ndef

The node definition type for a (form,valu) compound field. It is implemented by the following class: synapse.lib.types.Ndef.

nodeprop

The nodeprop type for a (prop,valu) compound field. It is implemented by the following class: synapse.lib.types.NodeProp.

range

A base range type. It is implemented by the following class: synapse.lib.types.Range.

The base type range has the following default options set:

  • type: ('int', {})

str

The base string type. It is implemented by the following class: synapse.lib.types.Str.

The base type str has the following default options set:

  • enums: None

  • regex: None

  • lower: False

  • strip: False

  • replace: ()

  • onespace: False

  • globsuffix: False
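The str options above (and the identical option sets on syn:tag, syn:tag:part, taxon and taxonomy below) control how a value is normalised before it is stored or compared. The following is an added, illustrative reimplementation of those semantics; it is not synapse.lib.types.Str, the order in which the options are applied is an assumption made here, and the enums value is taken to be a comma-separated string as an assumption. It uses re.match, which anchors only at the start of the value; the usage note below shows why that matters for the patterns listed on this page.

```python
import re

DEFAULTS = {
    'enums': None,        # comma-separated list of permitted values
    'regex': None,        # pattern the normalised value must match
    'lower': False,       # lowercase the value
    'strip': False,       # strip leading and trailing whitespace
    'replace': (),        # sequence of (old, new) substitutions
    'onespace': False,    # collapse runs of whitespace to a single space
    'globsuffix': False,  # a trailing '*' turns a lift into a prefix lift
}


class BadTypeValu(ValueError):
    """The value does not satisfy the type's constraints."""


def norm_str(valu, **opts):
    """Normalise valu under the given str options and return the result."""
    opts = {**DEFAULTS, **opts}
    norm = str(valu)
    if opts['lower']:
        norm = norm.lower()
    for look, repl in opts['replace']:
        norm = norm.replace(look, repl)
    if opts['strip']:
        norm = norm.strip()
    if opts['onespace']:
        norm = ' '.join(norm.split())   # also strips the ends
    enums = opts['enums']
    if enums is not None and norm not in enums.split(','):
        raise BadTypeValu(f'{norm!r} is not one of {enums!r}')
    rgx = opts['regex']
    # re.match anchors at the start only; a pattern without a trailing $
    # still accepts extra characters after the matched portion.
    if rgx is not None and re.match(rgx, norm) is None:
        raise BadTypeValu(f'{norm!r} does not match {rgx!r}')
    return norm


def is_valid(valu, **opts):
    """True if norm_str accepts valu under opts."""
    try:
        norm_str(valu, **opts)
        return True
    except BadTypeValu:
        return False


def lift_cmpr(valu, globsuffix=False):
    """Interpretation of a lift value: ('prefix', text) when globsuffix is set
    and the value ends in '*', otherwise ('eq', text). Assumed semantics."""
    if globsuffix and valu.endswith('*'):
        return ('prefix', valu[:-1])
    return ('eq', valu)
```

Run against the option sets listed further down the page, crypto:algorithm (lower and onespace) turns "  AES  256 " into "aes 256", while econ:pay:cvv's pattern ^[0-9]{1,6}$ is anchored at both ends and econ:bank:iban's [A-Z]{2}[0-9]{2}[a-zA-Z0-9]{1,30} is not; under a start-anchored match the latter accepts trailing text, so a consumer that needs the whole value constrained should check that itself rather than rely on the pattern alone. The page does not state how the real type anchors its regex.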

syn:tag

The base type for a synapse tag. It is implemented by the following class: synapse.lib.types.Tag.

The base type syn:tag has the following default options set:

  • enums: None

  • regex: None

  • lower: False

  • strip: False

  • replace: ()

  • onespace: False

  • globsuffix: False

syn:tag:part

A tag component string. It is implemented by the following class: synapse.lib.types.TagPart.

The base type syn:tag:part has the following default options set:

  • enums: None

  • regex: None

  • lower: False

  • strip: False

  • replace: ()

  • onespace: False

  • globsuffix: False

taxon

A component of a hierarchical taxonomy. It is implemented by the following class: synapse.lib.types.Taxon.

The base type taxon has the following default options set:

  • enums: None

  • regex: None

  • lower: False

  • strip: False

  • replace: ()

  • onespace: False

  • globsuffix: False

taxonomy

A hierarchical taxonomy. It is implemented by the following class: synapse.lib.types.Taxonomy.

The base type taxonomy has the following default options set:

  • enums: None

  • regex: None

  • lower: False

  • strip: False

  • replace: ()

  • onespace: False

  • globsuffix: False

tel:mob:imei

An International Mobile Equipment Id. It is implemented by the following class: synapse.models.telco.Imei.

An example of tel:mob:imei:

  • 490154203237518

tel:mob:imsi

An International Mobile Subscriber Id. It is implemented by the following class: synapse.models.telco.Imsi.

An example of tel:mob:imsi:

  • 310150123456789

tel:phone

A phone number. It is implemented by the following class: synapse.models.telco.Phone.

An example of tel:phone:

  • +15558675309

time

A date/time value. It is implemented by the following class: synapse.lib.types.Time.

The base type time has the following default options set:

  • ismin: False

  • ismax: False

timeedge

A digraph edge base type with a unique time. It is implemented by the following class: synapse.lib.types.TimeEdge.

velocity

A velocity with base units in mm/sec. It is implemented by the following class: synapse.lib.types.Velocity.

The base type velocity has the following default options set:

  • relative: False

Types

Regular types are derived from BaseTypes.

auth:access

An instance of using creds to access a resource. The auth:access type is derived from the base type: guid.

auth:creds

A unique set of credentials used to access a resource. The auth:creds type is derived from the base type: guid.

belief:subscriber

A contact which subscribes to a belief system. The belief:subscriber type is derived from the base type: guid.

belief:system

A belief system such as an ideology, philosophy, or religion. The belief:system type is derived from the base type: guid.

belief:system:type:taxonomy

A hierarchical taxonomy of belief system types. The belief:system:type:taxonomy type is derived from the base type: taxonomy.

The type belief:system:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

belief:tenet

A concrete tenet potentially shared by multiple belief systems. The belief:tenet type is derived from the base type: guid.

biz:bundle

A bundle allows construction of products which bundle instances of other products. The biz:bundle type is derived from the base type: guid.

biz:deal

A sales or procurement effort in pursuit of a purchase. The biz:deal type is derived from the base type: guid.

biz:dealstatus

A deal/rfp status taxonomy. The biz:dealstatus type is derived from the base type: taxonomy.

The type biz:dealstatus has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

biz:dealtype

A deal type taxonomy. The biz:dealtype type is derived from the base type: taxonomy.

The type biz:dealtype has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

biz:listing

A product or service being listed for sale at a given price by a specific seller. The biz:listing type is derived from the base type: guid.

biz:prodtype

A product type taxonomy. The biz:prodtype type is derived from the base type: taxonomy.

The type biz:prodtype has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

biz:product

A product which is available for purchase. The biz:product type is derived from the base type: guid.

biz:rfp

An RFP (Request for Proposal) soliciting proposals. The biz:rfp type is derived from the base type: guid.

biz:service

A service which is performed by a specific organization. The biz:service type is derived from the base type: guid.

biz:service:type:taxonomy

A taxonomy of service offering types. The biz:service:type:taxonomy type is derived from the base type: taxonomy.

The type biz:service:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

biz:stake

A stake or partial ownership in a company. The biz:stake type is derived from the base type: guid.

crypto:algorithm

A cryptographic algorithm name. The crypto:algorithm type is derived from the base type: str.

An example of crypto:algorithm:

  • aes256

The type crypto:algorithm has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: True

  • regex: None

  • replace: ()

  • strip: False

crypto:currency:address

An individual crypto currency address. The crypto:currency:address type is derived from the base type: comp.

An example of crypto:currency:address:

  • btc/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2

The type crypto:currency:address has the following options set:

  • fields: (('coin', 'crypto:currency:coin'), ('iden', 'str'))

  • sepr: /

crypto:currency:block

An individual crypto currency block record on the blockchain. The crypto:currency:block type is derived from the base type: comp.

The type crypto:currency:block has the following options set:

  • fields: (('coin', 'crypto:currency:coin'), ('offset', 'int'))

  • sepr: /

crypto:currency:client

A fused node representing a crypto currency address used by an Internet client. The crypto:currency:client type is derived from the base type: comp.

An example of crypto:currency:client:

  • (1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))

The type crypto:currency:client has the following options set:

  • fields: (('inetaddr', 'inet:client'), ('coinaddr', 'crypto:currency:address'))

crypto:currency:coin

An individual crypto currency type. The crypto:currency:coin type is derived from the base type: str.

An example of crypto:currency:coin:

  • btc

The type crypto:currency:coin has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

crypto:currency:transaction

An individual crypto currency transaction recorded on the blockchain. The crypto:currency:transaction type is derived from the base type: guid.

crypto:key

A cryptographic key and algorithm. The crypto:key type is derived from the base type: guid.

crypto:payment:input

A payment made into a transaction. The crypto:payment:input type is derived from the base type: guid.

crypto:payment:output

A payment received from a transaction. The crypto:payment:output type is derived from the base type: guid.

crypto:smart:contract

A smart contract. The crypto:smart:contract type is derived from the base type: guid.

crypto:smart:effect:burntoken

A smart contract effect which destroys a non-fungible token. The crypto:smart:effect:burntoken type is derived from the base type: guid.

crypto:smart:effect:edittokensupply

A smart contract effect which increases or decreases the supply of a fungible token. The crypto:smart:effect:edittokensupply type is derived from the base type: guid.

crypto:smart:effect:minttoken

A smart contract effect which creates a new non-fungible token. The crypto:smart:effect:minttoken type is derived from the base type: guid.

crypto:smart:effect:proxytoken

A smart contract effect which grants a non-owner address the ability to manipulate a specific non-fungible token. The crypto:smart:effect:proxytoken type is derived from the base type: guid.

crypto:smart:effect:proxytokenall

A smart contract effect which grants a non-owner address the ability to manipulate all non-fungible tokens of the owner. The crypto:smart:effect:proxytokenall type is derived from the base type: guid.

crypto:smart:effect:proxytokens

A smart contract effect which grants a non-owner address the ability to manipulate fungible tokens. The crypto:smart:effect:proxytokens type is derived from the base type: guid.

crypto:smart:effect:transfertoken

A smart contract effect which transfers ownership of a non-fungible token. The crypto:smart:effect:transfertoken type is derived from the base type: guid.

crypto:smart:effect:transfertokens

A smart contract effect which transfers fungible tokens. The crypto:smart:effect:transfertokens type is derived from the base type: guid.

crypto:smart:token

A token managed by a smart contract. The crypto:smart:token type is derived from the base type: comp.

The type crypto:smart:token has the following options set:

  • fields: (('contract', 'crypto:smart:contract'), ('tokenid', 'hugenum'))

crypto:x509:cert

A unique X.509 certificate. The crypto:x509:cert type is derived from the base type: guid.

crypto:x509:crl

A unique X.509 Certificate Revocation List. The crypto:x509:crl type is derived from the base type: guid.

crypto:x509:revoked

A revocation relationship between a CRL and an X.509 certificate. The crypto:x509:revoked type is derived from the base type: comp.

The type crypto:x509:revoked has the following options set:

  • fields: (('crl', 'crypto:x509:crl'), ('cert', 'crypto:x509:cert'))

crypto:x509:san

An X.509 Subject Alternative Name (SAN). The crypto:x509:san type is derived from the base type: comp.

The type crypto:x509:san has the following options set:

  • fields: (('type', 'str'), ('value', 'str'))

crypto:x509:signedfile

A digital signature relationship between an X.509 certificate and a file. The crypto:x509:signedfile type is derived from the base type: comp.

The type crypto:x509:signedfile has the following options set:

  • fields: (('cert', 'crypto:x509:cert'), ('file', 'file:bytes'))

econ:acct:balance

A snapshot of the balance of an account at a point in time. The econ:acct:balance type is derived from the base type: guid.

econ:acct:invoice

An invoice issued requesting payment. The econ:acct:invoice type is derived from the base type: guid.

econ:acct:payment

A payment or crypto currency transaction. The econ:acct:payment type is derived from the base type: guid.

econ:acct:receipt

A receipt issued as proof of payment. The econ:acct:receipt type is derived from the base type: guid.

econ:acquired

Deprecated. Please use econ:purchase -(acquired)> *. The econ:acquired type is derived from the base type: comp.

The type econ:acquired has the following options set:

  • fields: (('purchase', 'econ:purchase'), ('item', 'ndef'))

econ:bank:aba:rtn

An American Bank Association (ABA) routing transit number (RTN). The econ:bank:aba:rtn type is derived from the base type: str.

The type econ:bank:aba:rtn has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: [0-9]{9}

  • replace: ()

  • strip: False

econ:bank:account

A bank account. The econ:bank:account type is derived from the base type: guid.

econ:bank:account:type:taxonomy

A bank account type taxonomy. The econ:bank:account:type:taxonomy type is derived from the base type: taxonomy.

The type econ:bank:account:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

econ:bank:balance

A balance contained by a bank account at a point in time. The econ:bank:balance type is derived from the base type: guid.

econ:bank:iban

An International Bank Account Number. The econ:bank:iban type is derived from the base type: str.

The type econ:bank:iban has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: [A-Z]{2}[0-9]{2}[a-zA-Z0-9]{1,30}

  • replace: ()

  • strip: False

econ:bank:statement

A statement of bank account payment activity over a period of time. The econ:bank:statement type is derived from the base type: guid.

econ:bank:swift:bic

A Society for Worldwide Interbank Financial Telecommunication (SWIFT) Business Identifier Code (BIC). The econ:bank:swift:bic type is derived from the base type: str.

The type econ:bank:swift:bic has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: [A-Z]{6}[A-Z0-9]{5}

  • replace: ()

  • strip: False

econ:currency

The name of a system of money in general use. The econ:currency type is derived from the base type: str.

An example of econ:currency:

  • usd

The type econ:currency has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

econ:fin:bar

A sample of the open, close, high, low prices of a security in a specific time window. The econ:fin:bar type is derived from the base type: guid.

econ:fin:exchange

A financial exchange where securities are traded. The econ:fin:exchange type is derived from the base type: guid.

econ:fin:security

A financial security which is typically traded on an exchange. The econ:fin:security type is derived from the base type: guid.

econ:fin:tick

A sample of the price of a security at a single moment in time. The econ:fin:tick type is derived from the base type: guid.

econ:pay:card

A single payment card. The econ:pay:card type is derived from the base type: guid.

econ:pay:cvv

A Card Verification Value (CVV). The econ:pay:cvv type is derived from the base type: str.

The type econ:pay:cvv has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^[0-9]{1,6}$

  • replace: ()

  • strip: False

econ:pay:iin

An Issuer Id Number (IIN). The econ:pay:iin type is derived from the base type: int.

The type econ:pay:iin has the following options set:

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: 999999

  • min: 0

  • signed: True

  • size: 8

econ:pay:mii

A Major Industry Identifier (MII). The econ:pay:mii type is derived from the base type: int.

The type econ:pay:mii has the following options set:

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: 9

  • min: 0

  • signed: True

  • size: 8

econ:pay:pan

A Primary Account Number (PAN) or card number. The econ:pay:pan type is derived from the base type: str.

The type econ:pay:pan has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^(?<iin>(?<mii>[0-9]{1})[0-9]{5})[0-9]{1,13}$

  • replace: ()

  • strip: False
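The econ:pay:pan pattern above uses named groups to expose the Issuer Id Number and the Major Industry Identifier, which are the values the econ:pay:iin (0 to 999999) and econ:pay:mii (0 to 9) int types above hold. The following added example (not the synapse.models.econ code) extracts both from a PAN with the standard-library re module. The pattern is rewritten with (?P<name>...) because the (?<name>...) group syntax shown on the page is accepted by PCRE-style engines and the third-party regex module but not by Python's re. Removing spaces and dashes first is a choice of this example, not documented behaviour of econ:pay:pan, and the card number in the test is a constructed sample.

```python
import re

# econ:pay:pan regex from this page, in Python re group syntax.
PAN_RE = re.compile(r'^(?P<iin>(?P<mii>[0-9]{1})[0-9]{5})[0-9]{1,13}$')

# Bounds listed for the econ:pay:iin and econ:pay:mii int types.
IIN_MIN, IIN_MAX = 0, 999999
MII_MIN, MII_MAX = 0, 9


def parse_pan(pan):
    """Return (iin, mii) as ints for a PAN string, or raise ValueError."""
    digits = re.sub(r'[\s-]', '', pan)   # tolerate '4111 1111 ...' input
    m = PAN_RE.match(digits)
    if m is None:
        raise ValueError(f'not a PAN: {pan!r}')
    iin = int(m.group('iin'))
    mii = int(m.group('mii'))
    # Cannot fail for a regex match, but mirrors the int type bounds so a
    # change to the pattern cannot silently widen what gets stored.
    if not (IIN_MIN <= iin <= IIN_MAX and MII_MIN <= mii <= MII_MAX):
        raise ValueError(f'iin/mii out of range: {iin}/{mii}')
    return iin, mii


def is_pan(pan):
    """True if parse_pan accepts the value."""
    try:
        parse_pan(pan)
        return True
    except ValueError:
        return False
```

The pattern allows 7 to 19 digits in total, so a 20-digit string is rejected while a 7-digit one is accepted; the IIN keeps its leading zero as a string but the int form drops it, which is what the 0 lower bound on econ:pay:iin reflects.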

econ:pay:pin

A Personal Identification Number (PIN). The econ:pay:pin type is derived from the base type: str.

The type econ:pay:pin has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^[0-9]{3,6}$

  • replace: ()

  • strip: False

econ:price

The amount of money expected, required, or given in payment for something. The econ:price type is derived from the base type: hugenum.

An example of econ:price:

  • 2.20

The type econ:price has the following options set:

  • modulo: None

  • norm: False

  • units: None

econ:purchase

A purchase event. The econ:purchase type is derived from the base type: guid.

econ:receipt:item

A line item included as part of a purchase. The econ:receipt:item type is derived from the base type: guid.

edge:has

A digraph edge which records that N1 has N2. The edge:has type is derived from the base type: edge.

edge:refs

A digraph edge which records that N1 refers to or contains N2. The edge:refs type is derived from the base type: edge.

edge:wentto

A digraph edge which records that N1 went to N2 at a specific time. The edge:wentto type is derived from the base type: timeedge.

edu:class

An instance of an edu:course taught at a given time. The edu:class type is derived from the base type: guid.

edu:course

A course of study taught by an org. The edu:course type is derived from the base type: guid.

file:archive:entry

An archive entry representing a file and metadata within a parent archive file. The file:archive:entry type is derived from the base type: guid.

file:filepath

The fused knowledge of the association of a file:bytes node and a file:path. The file:filepath type is derived from the base type: comp.

The type file:filepath has the following options set:

  • fields: (('file', 'file:bytes'), ('path', 'file:path'))

file:ismime

Records one, of potentially multiple, mime types for a given file. The file:ismime type is derived from the base type: comp.

The type file:ismime has the following options set:

  • fields: (('file', 'file:bytes'), ('mime', 'file:mime'))

file:mime

A file mime name string. The file:mime type is derived from the base type: str.

An example of file:mime:

  • text/plain

The type file:mime has the following options set:

  • globsuffix: False

  • lower: 1

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

file:mime:gif

The GUID of a set of mime metadata for a .gif file. The file:mime:gif type is derived from the base type: guid.

file:mime:jpg

The GUID of a set of mime metadata for a .jpg file. The file:mime:jpg type is derived from the base type: guid.

file:mime:macho:loadcmd

A generic load command pulled from the Mach-O headers. The file:mime:macho:loadcmd type is derived from the base type: guid.

file:mime:macho:section

A section inside a Mach-O binary denoting a named region of bytes inside a segment. The file:mime:macho:section type is derived from the base type: guid.

file:mime:macho:segment

A named region of bytes inside a Mach-O binary. The file:mime:macho:segment type is derived from the base type: guid.

file:mime:macho:uuid

A specific load command denoting a UUID used to uniquely identify the Mach-O binary. The file:mime:macho:uuid type is derived from the base type: guid.

file:mime:macho:version

A specific load command used to denote the version of the source used to build the Mach-O binary. The file:mime:macho:version type is derived from the base type: guid.

file:mime:msdoc

The GUID of a set of mime metadata for a Microsoft Word file. The file:mime:msdoc type is derived from the base type: guid.

file:mime:msppt

The GUID of a set of mime metadata for a Microsoft Powerpoint file. The file:mime:msppt type is derived from the base type: guid.

file:mime:msxls

The GUID of a set of mime metadata for a Microsoft Excel file. The file:mime:msxls type is derived from the base type: guid.

file:mime:pe:export

The fused knowledge of a file:bytes node containing a pe named export. The file:mime:pe:export type is derived from the base type: comp.

The type file:mime:pe:export has the following options set:

  • fields: (('file', 'file:bytes'), ('name', 'str'))

file:mime:pe:resource

The fused knowledge of a file:bytes node containing a pe resource. The file:mime:pe:resource type is derived from the base type: comp.

The type file:mime:pe:resource has the following options set:

  • fields: (('file', 'file:bytes'), ('type', 'pe:resource:type'), ('langid', 'pe:langid'), ('resource', 'file:bytes'))

file:mime:pe:section

The fused knowledge of a file:bytes node containing a pe section. The file:mime:pe:section type is derived from the base type: comp.

The type file:mime:pe:section has the following options set:

  • fields: (('file', 'file:bytes'), ('name', 'str'), ('sha256', 'hash:sha256'))

file:mime:pe:vsvers:info

Knowledge of a file:bytes node containing vsvers info. The file:mime:pe:vsvers:info type is derived from the base type: comp.

The type file:mime:pe:vsvers:info has the following options set:

  • fields: (('file', 'file:bytes'), ('keyval', 'file:mime:pe:vsvers:keyval'))

file:mime:pe:vsvers:keyval

A key value pair found in a PE vsversion info structure. The file:mime:pe:vsvers:keyval type is derived from the base type: comp.

The type file:mime:pe:vsvers:keyval has the following options set:

  • fields: (('name', 'str'), ('value', 'str'))

file:mime:png

The GUID of a set of mime metadata for a .png file. The file:mime:png type is derived from the base type: guid.

file:mime:rtf

The GUID of a set of mime metadata for a .rtf file. The file:mime:rtf type is derived from the base type: guid.

file:mime:tif

The GUID of a set of mime metadata for a .tif file. The file:mime:tif type is derived from the base type: guid.

file:string

Deprecated. Please use the edge -(refs)> it:dev:str. The file:string type is derived from the base type: comp.

The type file:string has the following options set:

  • fields: (('file', 'file:bytes'), ('string', 'str'))

file:subfile

A parent file that fully contains the specified child file. The file:subfile type is derived from the base type: comp.

The type file:subfile has the following options set:

  • fields: (('parent', 'file:bytes'), ('child', 'file:bytes'))

geo:address

A street/mailing address string. The geo:address type is derived from the base type: str.

The type geo:address has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: True

  • regex: None

  • replace: ()

  • strip: False

geo:altitude

A negative or positive offset from Mean Sea Level (6,371.0088km from Earth's core). The geo:altitude type is derived from the base type: geo:dist.

An example of geo:altitude:

  • 10 km

The type geo:altitude has the following options set:

  • baseoff: 6371008800

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

geo:bbox

A geospatial bounding box in (xmin, xmax, ymin, ymax) format. The geo:bbox type is derived from the base type: comp.

The type geo:bbox has the following options set:

  • fields: (('xmin', 'geo:longitude'), ('xmax', 'geo:longitude'), ('ymin', 'geo:latitude'), ('ymax', 'geo:latitude'))

  • sepr: ,

geo:json

GeoJSON structured JSON data. The geo:json type is derived from the base type: data.

The type geo:json has the following options set:

  • schema:

{
 "$schema": "http://json-schema.org/draft-07/schema#",
 "definitions": {
  "BoundingBox": {
   "items": {
    "type": "number"
   },
   "minItems": 4,
   "type": "array"
  },
  "Feature": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "geometry": {
     "oneOf": [
      {
       "type": "null"
      },
      {
       "$ref": "#/definitions/Point"
      },
      {
       "$ref": "#/definitions/LineString"
      },
      {
       "$ref": "#/definitions/Polygon"
      },
      {
       "$ref": "#/definitions/MultiPoint"
      },
      {
       "$ref": "#/definitions/MultiLineString"
      },
      {
       "$ref": "#/definitions/MultiPolygon"
      },
      {
       "$ref": "#/definitions/GeometryCollection"
      }
     ]
    },
    "properties": {
     "oneOf": [
      {
       "type": "null"
      },
      {
       "type": "object"
      }
     ]
    },
    "type": {
     "enum": [
      "Feature"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "properties",
    "geometry"
   ],
   "title": "GeoJSON Feature",
   "type": "object"
  },
  "FeatureCollection": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "features": {
     "items": {
      "$ref": "#/definitions/Feature"
     },
     "type": "array"
    },
    "type": {
     "enum": [
      "FeatureCollection"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "features"
   ],
   "title": "GeoJSON FeatureCollection",
   "type": "object"
  },
  "GeometryCollection": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "geometries": {
     "items": {
      "oneOf": [
       {
        "$ref": "#/definitions/Point"
       },
       {
        "$ref": "#/definitions/LineString"
       },
       {
        "$ref": "#/definitions/Polygon"
       },
       {
        "$ref": "#/definitions/MultiPoint"
       },
       {
        "$ref": "#/definitions/MultiLineString"
       },
       {
        "$ref": "#/definitions/MultiPolygon"
       }
      ]
     },
     "type": "array"
    },
    "type": {
     "enum": [
      "GeometryCollection"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "geometries"
   ],
   "title": "GeoJSON GeometryCollection",
   "type": "object"
  },
  "LineString": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "coordinates": {
     "$ref": "#/definitions/LineStringCoordinates"
    },
    "type": {
     "enum": [
      "LineString"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "coordinates"
   ],
   "title": "GeoJSON LineString",
   "type": "object"
  },
  "LineStringCoordinates": {
   "items": {
    "$ref": "#/definitions/PointCoordinates"
   },
   "minItems": 2,
   "type": "array"
  },
  "LinearRingCoordinates": {
   "items": {
    "$ref": "#/definitions/PointCoordinates"
   },
   "minItems": 4,
   "type": "array"
  },
  "MultiLineString": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "coordinates": {
     "items": {
      "$ref": "#/definitions/LineStringCoordinates"
     },
     "type": "array"
    },
    "type": {
     "enum": [
      "MultiLineString"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "coordinates"
   ],
   "title": "GeoJSON MultiLineString",
   "type": "object"
  },
  "MultiPoint": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "coordinates": {
     "items": {
      "$ref": "#/definitions/PointCoordinates"
     },
     "type": "array"
    },
    "type": {
     "enum": [
      "MultiPoint"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "coordinates"
   ],
   "title": "GeoJSON MultiPoint",
   "type": "object"
  },
  "MultiPolygon": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "coordinates": {
     "items": {
      "$ref": "#/definitions/PolygonCoordinates"
     },
     "type": "array"
    },
    "type": {
     "enum": [
      "MultiPolygon"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "coordinates"
   ],
   "title": "GeoJSON MultiPolygon",
   "type": "object"
  },
  "Point": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "coordinates": {
     "$ref": "#/definitions/PointCoordinates"
    },
    "type": {
     "enum": [
      "Point"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "coordinates"
   ],
   "title": "GeoJSON Point",
   "type": "object"
  },
  "PointCoordinates": {
   "items": {
    "type": "number"
   },
   "minItems": 2,
   "type": "array"
  },
  "Polygon": {
   "properties": {
    "bbox": {
     "$ref": "#/definitions/BoundingBox"
    },
    "coordinates": {
     "$ref": "#/definitions/PolygonCoordinates"
    },
    "type": {
     "enum": [
      "Polygon"
     ],
     "type": "string"
    }
   },
   "required": [
    "type",
    "coordinates"
   ],
   "title": "GeoJSON Polygon",
   "type": "object"
  },
  "PolygonCoordinates": {
   "items": {
    "$ref": "#/definitions/LinearRingCoordinates"
   },
   "type": "array"
  }
 },
 "oneOf": [
  {
   "$ref": "#/definitions/Point"
  },
  {
   "$ref": "#/definitions/LineString"
  },
  {
   "$ref": "#/definitions/Polygon"
  },
  {
   "$ref": "#/definitions/MultiPoint"
  },
  {
   "$ref": "#/definitions/MultiLineString"
  },
  {
   "$ref": "#/definitions/MultiPolygon"
  },
  {
   "$ref": "#/definitions/GeometryCollection"
  },
  {
   "$ref": "#/definitions/Feature"
  },
  {
   "$ref": "#/definitions/FeatureCollection"
  }
 ]
}

geo:latitude

A latitude in floating point notation. The geo:latitude type is derived from the base type: float.

An example of geo:latitude:

  • 31.337

The type geo:latitude has the following options set:

  • fmt: %f

  • max: 90.0

  • maxisvalid: True

  • min: -90.0

  • minisvalid: True

geo:longitude

A longitude in floating point notation. The geo:longitude type is derived from the base type: float.

An example of geo:longitude:

  • 31.337

The type geo:longitude has the following options set:

  • fmt: %f

  • max: 180.0

  • maxisvalid: True

  • min: -180.0

  • minisvalid: False

geo:name

An unstructured place name or address. The geo:name type is derived from the base type: str.

The type geo:name has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: True

  • regex: None

  • replace: ()

  • strip: False

geo:nloc

Records a node latitude/longitude in space-time. The geo:nloc type is derived from the base type: comp.

The type geo:nloc has the following options set:

  • fields: (('ndef', 'ndef'), ('latlong', 'geo:latlong'), ('time', 'time'))

geo:place

A GUID for a geographic place. The geo:place type is derived from the base type: guid.

geo:place:taxonomy

A taxonomy of place types. The geo:place:taxonomy type is derived from the base type: taxonomy.

The type geo:place:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

geo:telem

A geospatial position of a node at a given time. The node should be linked via -(seenat)> edges. The geo:telem type is derived from the base type: guid.

gov:cn:icp

A Chinese Internet Content Provider ID. The gov:cn:icp type is derived from the base type: int.

The type gov:cn:icp has the following options set:

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

gov:cn:mucd

A Chinese PLA MUCD. The gov:cn:mucd type is derived from the base type: int.

The type gov:cn:mucd has the following options set:

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

gov:intl:un:m49

UN M49 Numeric Country Code. The gov:intl:un:m49 type is derived from the base type: int.

The type gov:intl:un:m49 has the following options set:

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: 999

  • min: 1

  • signed: True

  • size: 8

gov:us:cage

A Commercial and Government Entity (CAGE) code. The gov:us:cage type is derived from the base type: str.

The type gov:us:cage has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

gov:us:ssn

A US Social Security Number (SSN). The gov:us:ssn type is derived from the base type: int.

The type gov:us:ssn has the following options set:

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

gov:us:zip

A US Postal Zip Code. The gov:us:zip type is derived from the base type: int.

The type gov:us:zip has the following options set:

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

graph:cluster

A generic node, used in conjunction with Edge types, to cluster arbitrary nodes to a single node in the model. The graph:cluster type is derived from the base type: guid.

graph:edge

A generic digraph edge to show relationships outside the model. The graph:edge type is derived from the base type: edge.

graph:event

A generic event node to represent events outside the model. The graph:event type is derived from the base type: guid.

graph:node

A generic node used to represent objects outside the model. The graph:node type is derived from the base type: guid.

graph:timeedge

A generic digraph time edge to show relationships outside the model. The graph:timeedge type is derived from the base type: timeedge.

hash:lm

A hex encoded Microsoft Windows LM password hash. The hash:lm type is derived from the base type: hex.

An example of hash:lm:

  • d41d8cd98f00b204e9800998ecf8427e

The type hash:lm has the following options set:

  • size: 32

  • zeropad: 0

hash:md5

A hex encoded MD5 hash. The hash:md5 type is derived from the base type: hex.

An example of hash:md5:

  • d41d8cd98f00b204e9800998ecf8427e

The type hash:md5 has the following options set:

  • size: 32

  • zeropad: 0

hash:ntlm

A hex encoded Microsoft Windows NTLM password hash. The hash:ntlm type is derived from the base type: hex.

An example of hash:ntlm:

  • d41d8cd98f00b204e9800998ecf8427e

The type hash:ntlm has the following options set:

  • size: 32

  • zeropad: 0

hash:sha1

A hex encoded SHA1 hash. The hash:sha1 type is derived from the base type: hex.

An example of hash:sha1:

  • da39a3ee5e6b4b0d3255bfef95601890afd80709

The type hash:sha1 has the following options set:

  • size: 40

  • zeropad: 0

hash:sha256

A hex encoded SHA256 hash. The hash:sha256 type is derived from the base type: hex.

An example of hash:sha256:

  • ad9f4fe922b61e674a09530831759843b1880381de686a43460a76864ca0340c

The type hash:sha256 has the following options set:

  • size: 64

  • zeropad: 0

hash:sha384

A hex encoded SHA384 hash. The hash:sha384 type is derived from the base type: hex.

An example of hash:sha384:

  • d425f1394e418ce01ed1579069a8bfaa1da8f32cf823982113ccbef531fa36bda9987f389c5af05b5e28035242efab6c

The type hash:sha384 has the following options set:

  • size: 96

  • zeropad: 0

hash:sha512

A hex encoded SHA512 hash. The hash:sha512 type is derived from the base type: hex.

An example of hash:sha512:

  • ca74fe2ff2d03b29339ad7d08ba21d192077fece1715291c7b43c20c9136cd132788239189f3441a87eb23ce2660aa243f334295902c904b5520f6e80ab91f11

The type hash:sha512 has the following options set:

  • size: 128

  • zeropad: 0

inet:asn

An Autonomous System Number (ASN). The inet:asn type is derived from the base type: int.

The type inet:asn has the following options set:

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

inet:asnet4

An Autonomous System Number (ASN) and its associated IPv4 address range. The inet:asnet4 type is derived from the base type: comp.

An example of inet:asnet4:

  • (54959, (1.2.3.4, 1.2.3.20))

The type inet:asnet4 has the following options set:

  • fields: (('asn', 'inet:asn'), ('net4', 'inet:net4'))

inet:asnet6

An Autonomous System Number (ASN) and its associated IPv6 address range. The inet:asnet6 type is derived from the base type: comp.

An example of inet:asnet6:

  • (54959, (ff::00, ff::02))

The type inet:asnet6 has the following options set:

  • fields: (('asn', 'inet:asn'), ('net6', 'inet:net6'))

inet:banner

A network protocol banner string presented by a server. The inet:banner type is derived from the base type: comp.

The type inet:banner has the following options set:

  • fields: (('server', 'inet:server'), ('text', 'it:dev:str'))

inet:client

A network client address. The inet:client type is derived from the base type: inet:addr.

An example of inet:client:

  • tcp://1.2.3.4:80

The type inet:client has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

inet:dns:a

The result of a DNS A record lookup. The inet:dns:a type is derived from the base type: comp.

An example of inet:dns:a:

  • (vertex.link,1.2.3.4)

The type inet:dns:a has the following options set:

  • fields: (('fqdn', 'inet:fqdn'), ('ipv4', 'inet:ipv4'))

inet:dns:aaaa

The result of a DNS AAAA record lookup. The inet:dns:aaaa type is derived from the base type: comp.

An example of inet:dns:aaaa:

  • (vertex.link,2607:f8b0:4004:809::200e)

The type inet:dns:aaaa has the following options set:

  • fields: (('fqdn', 'inet:fqdn'), ('ipv6', 'inet:ipv6'))

inet:dns:answer

A single answer from within a DNS reply. The inet:dns:answer type is derived from the base type: guid.

inet:dns:cname

The result of a DNS CNAME record lookup. The inet:dns:cname type is derived from the base type: comp.

An example of inet:dns:cname:

  • (foo.vertex.link,vertex.link)

The type inet:dns:cname has the following options set:

  • fields: (('fqdn', 'inet:fqdn'), ('cname', 'inet:fqdn'))

inet:dns:dynreg

A dynamic DNS registration. The inet:dns:dynreg type is derived from the base type: guid.

inet:dns:mx

The result of a DNS MX record lookup. The inet:dns:mx type is derived from the base type: comp.

An example of inet:dns:mx:

  • (vertex.link,mail.vertex.link)

The type inet:dns:mx has the following options set:

  • fields: (('fqdn', 'inet:fqdn'), ('mx', 'inet:fqdn'))

inet:dns:ns

The result of a DNS NS record lookup. The inet:dns:ns type is derived from the base type: comp.

An example of inet:dns:ns:

  • (vertex.link,ns.dnshost.com)

The type inet:dns:ns has the following options set:

  • fields: (('zone', 'inet:fqdn'), ('ns', 'inet:fqdn'))

inet:dns:query

A DNS query unique to a given client. The inet:dns:query type is derived from the base type: comp.

An example of inet:dns:query:

  • (1.2.3.4, woot.com, 1)

The type inet:dns:query has the following options set:

  • fields: (('client', 'inet:client'), ('name', 'inet:dns:name'), ('type', 'int'))

inet:dns:request

A single instance of a DNS resolver request and optional reply info. The inet:dns:request type is derived from the base type: guid.

inet:dns:rev

The transformed result of a DNS PTR record lookup. The inet:dns:rev type is derived from the base type: comp.

An example of inet:dns:rev:

  • (1.2.3.4,vertex.link)

The type inet:dns:rev has the following options set:

  • fields: (('ipv4', 'inet:ipv4'), ('fqdn', 'inet:fqdn'))

inet:dns:rev6

The transformed result of a DNS PTR record for an IPv6 address. The inet:dns:rev6 type is derived from the base type: comp.

An example of inet:dns:rev6:

  • (2607:f8b0:4004:809::200e,vertex.link)

The type inet:dns:rev6 has the following options set:

  • fields: (('ipv6', 'inet:ipv6'), ('fqdn', 'inet:fqdn'))

inet:dns:soa

The result of a DNS SOA record lookup. The inet:dns:soa type is derived from the base type: guid.

inet:dns:txt

The result of a DNS TXT record lookup. The inet:dns:txt type is derived from the base type: comp.

An example of inet:dns:txt:

  • (hehe.vertex.link,"fancy TXT record")

The type inet:dns:txt has the following options set:

  • fields: (('fqdn', 'inet:fqdn'), ('txt', 'str'))

inet:dns:type

A DNS query/answer type integer. The inet:dns:type type is derived from the base type: int.

The type inet:dns:type has the following options set:

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

inet:dns:wild:a

A DNS A wild card record and the IPv4 it resolves to. The inet:dns:wild:a type is derived from the base type: comp.

The type inet:dns:wild:a has the following options set:

  • fields: (('fqdn', 'inet:fqdn'), ('ipv4', 'inet:ipv4'))

inet:dns:wild:aaaa

A DNS AAAA wild card record and the IPv6 it resolves to. The inet:dns:wild:aaaa type is derived from the base type: comp.

The type inet:dns:wild:aaaa has the following options set:

  • fields: (('fqdn', 'inet:fqdn'), ('ipv6', 'inet:ipv6'))

inet:download

An instance of a file downloaded from a server. The inet:download type is derived from the base type: guid.

inet:egress

A host using a specific network egress client address. The inet:egress type is derived from the base type: guid.

inet:email:header

A unique email message header. The inet:email:header type is derived from the base type: comp.

The type inet:email:header has the following options set:

  • fields: (('name', 'inet:email:header:name'), ('value', 'str'))

inet:email:header:name

An email header name. The inet:email:header:name type is derived from the base type: str.

An example of inet:email:header:name:

  • subject

The type inet:email:header:name has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

inet:email:message

An individual email message delivered to an inbox. The inet:email:message type is derived from the base type: guid.

inet:email:message:attachment

A file which was attached to an email message. The inet:email:message:attachment type is derived from the base type: comp.

The type inet:email:message:attachment has the following options set:

  • fields: (('message', 'inet:email:message'), ('file', 'file:bytes'))

inet:flow

An individual network connection between a given source and destination. The inet:flow type is derived from the base type: guid.

inet:group

A group name string. The inet:group type is derived from the base type: str.

The type inet:group has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

inet:http:header

An HTTP protocol header key/value. The inet:http:header type is derived from the base type: comp.

The type inet:http:header has the following options set:

  • fields: (('name', 'inet:http:header:name'), ('value', 'str'))

inet:http:header:name

An HTTP header name string. The inet:http:header:name type is derived from the base type: str.

The type inet:http:header:name has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

inet:http:param

An HTTP request path query parameter. The inet:http:param type is derived from the base type: comp.

The type inet:http:param has the following options set:

  • fields: (('name', 'str'), ('value', 'str'))

inet:http:request

A single HTTP request. The inet:http:request type is derived from the base type: guid.

inet:http:request:header

An HTTP request header. The inet:http:request:header type is derived from the base type: inet:http:header.

The type inet:http:request:header has the following options set:

  • fields: (('name', 'inet:http:header:name'), ('value', 'str'))

inet:http:response:header

An HTTP response header. The inet:http:response:header type is derived from the base type: inet:http:header.

The type inet:http:response:header has the following options set:

  • fields: (('name', 'inet:http:header:name'), ('value', 'str'))

inet:http:session

An HTTP session. The inet:http:session type is derived from the base type: guid.

inet:iface

A network interface with a set of associated protocol addresses. The inet:iface type is derived from the base type: guid.

inet:mac

A 48-bit Media Access Control (MAC) address. The inet:mac type is derived from the base type: str.

An example of inet:mac:

  • aa:bb:cc:dd:ee:ff

The type inet:mac has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: ^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$

  • replace: ()

  • strip: False

inet:net4

An IPv4 address range. The inet:net4 type is derived from the base type: inet:ipv4range.

An example of inet:net4:

  • (1.2.3.4, 1.2.3.20)

The type inet:net4 has the following options set:

  • type: ('inet:ipv4', {})

inet:net6

An IPv6 address range. The inet:net6 type is derived from the base type: inet:ipv6range.

An example of inet:net6:

  • ('ff::00', 'ff::30')

The type inet:net6 has the following options set:

  • type: ('inet:ipv6', {})

inet:passwd

A password string. The inet:passwd type is derived from the base type: str.

The type inet:passwd has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

inet:port

A network port. The inet:port type is derived from the base type: int.

An example of inet:port:

  • 80

The type inet:port has the following options set:

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: 65535

  • min: 0

  • signed: True

  • size: 8

inet:proto

A network protocol name. The inet:proto type is derived from the base type: str.

The type inet:proto has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: ^[a-z0-9+-]+$

  • replace: ()

  • strip: False

inet:search:query

An instance of a search query issued to a search engine. The inet:search:query type is derived from the base type: guid.

inet:search:result

A single result from a web search. The inet:search:result type is derived from the base type: guid.

inet:server

A network server address. The inet:server type is derived from the base type: inet:addr.

An example of inet:server:

  • tcp://1.2.3.4:80

The type inet:server has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

inet:servfile

A file hosted on a server for access over a network protocol. The inet:servfile type is derived from the base type: comp.

The type inet:servfile has the following options set:

  • fields: (('server', 'inet:server'), ('file', 'file:bytes'))

inet:ssl:cert

Deprecated. Please use inet:tls:servercert or inet:tls:clientcert. The inet:ssl:cert type is derived from the base type: comp.

The type inet:ssl:cert has the following options set:

  • fields: (('server', 'inet:server'), ('file', 'file:bytes'))

inet:ssl:jarmhash

A TLS JARM fingerprint hash. The inet:ssl:jarmhash type is derived from the base type: str.

The type inet:ssl:jarmhash has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: ^(?<ciphers>[0-9a-f]{30})(?<extensions>[0-9a-f]{32})$

  • replace: ()

  • strip: True

inet:ssl:jarmsample

A JARM hash sample taken from a server. The inet:ssl:jarmsample type is derived from the base type: comp.

The type inet:ssl:jarmsample has the following options set:

  • fields: (('server', 'inet:server'), ('jarmhash', 'inet:ssl:jarmhash'))

inet:tls:clientcert

An x509 certificate sent by a client for TLS. The inet:tls:clientcert type is derived from the base type: comp.

An example of inet:tls:clientcert:

  • (1.2.3.4:443, 3fdf364e081c14997b291852d1f23868)

The type inet:tls:clientcert has the following options set:

  • fields: (('client', 'inet:client'), ('cert', 'crypto:x509:cert'))

inet:tls:handshake

An instance of a TLS handshake between a server and client. The inet:tls:handshake type is derived from the base type: guid.

inet:tls:ja3:sample

A JA3 sample taken from a client. The inet:tls:ja3:sample type is derived from the base type: comp.

The type inet:tls:ja3:sample has the following options set:

  • fields: (('client', 'inet:client'), ('ja3', 'hash:md5'))

inet:tls:ja3s:sample

A JA3 sample taken from a server. The inet:tls:ja3s:sample type is derived from the base type: comp.

The type inet:tls:ja3s:sample has the following options set:

  • fields: (('server', 'inet:server'), ('ja3s', 'hash:md5'))

inet:tls:servercert

An x509 certificate sent by a server for TLS. The inet:tls:servercert type is derived from the base type: comp.

An example of inet:tls:servercert:

  • (1.2.3.4:443, c7437790af01ae1bb2f8f3b684c70bf8)

The type inet:tls:servercert has the following options set:

  • fields: (('server', 'inet:server'), ('cert', 'crypto:x509:cert'))

inet:tunnel

A specific sequence of hosts forwarding connections such as a VPN or proxy. The inet:tunnel type is derived from the base type: guid.

inet:tunnel:type:taxonomy

A taxonomy of network tunnel types. The inet:tunnel:type:taxonomy type is derived from the base type: taxonomy.

The type inet:tunnel:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

inet:url:mirror

A URL mirror site. The inet:url:mirror type is derived from the base type: comp.

The type inet:url:mirror has the following options set:

  • fields: (('of', 'inet:url'), ('at', 'inet:url'))

inet:urlfile

A file hosted at a specific Uniform Resource Locator (URL). The inet:urlfile type is derived from the base type: comp.

The type inet:urlfile has the following options set:

  • fields: (('url', 'inet:url'), ('file', 'file:bytes'))

inet:urlredir

A URL that redirects to another URL, such as via a URL shortening service or an HTTP 302 response. The inet:urlredir type is derived from the base type: comp.

An example of inet:urlredir:

  • (http://foo.com/,http://bar.com/)

The type inet:urlredir has the following options set:

  • fields: (('src', 'inet:url'), ('dst', 'inet:url'))

inet:user

A username string. The inet:user type is derived from the base type: str.

The type inet:user has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

inet:web:acct

An account with a given Internet-based site or service. The inet:web:acct type is derived from the base type: comp.

An example of inet:web:acct:

  • twitter.com/invisig0th

The type inet:web:acct has the following options set:

  • fields: (('site', 'inet:fqdn'), ('user', 'inet:user'))

  • sepr: /

inet:web:action

An instance of an account performing an action at an Internet-based site or service. The inet:web:action type is derived from the base type: guid.

inet:web:attachment

An instance of a file being sent to a web service by an account. The inet:web:attachment type is derived from the base type: guid.

inet:web:channel

A channel within a web service or instance such as slack or discord. The inet:web:channel type is derived from the base type: guid.

inet:web:chprofile

A change to a web account. Used to capture historical properties associated with an account, as opposed to current data in the inet:web:acct node. The inet:web:chprofile type is derived from the base type: guid.

inet:web:file

A file posted by a web account. The inet:web:file type is derived from the base type: comp.

The type inet:web:file has the following options set:

  • fields: (('acct', 'inet:web:acct'), ('file', 'file:bytes'))

inet:web:follows

A web account follows or is connected to another web account. The inet:web:follows type is derived from the base type: comp.

The type inet:web:follows has the following options set:

  • fields: (('follower', 'inet:web:acct'), ('followee', 'inet:web:acct'))

inet:web:group

A group hosted within or registered with a given Internet-based site or service. The inet:web:group type is derived from the base type: comp.

An example of inet:web:group:

  • somesite.com/mycoolgroup

The type inet:web:group has the following options set:

  • fields: (('site', 'inet:fqdn'), ('id', 'inet:group'))

  • sepr: /

inet:web:hashtag

A hashtag used in a web post. The inet:web:hashtag type is derived from the base type: str.

The type inet:web:hashtag has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: ^#[\w]+$

  • replace: ()

  • strip: False

inet:web:instance

An instance of a web service such as slack or discord. The inet:web:instance type is derived from the base type: guid.

inet:web:logon

An instance of an account authenticating to an Internet-based site or service. The inet:web:logon type is derived from the base type: guid.

inet:web:memb

Deprecated. Please use inet:web:member. The inet:web:memb type is derived from the base type: comp.

The type inet:web:memb has the following options set:

  • fields: (('acct', 'inet:web:acct'), ('group', 'inet:web:group'))

inet:web:member

Represents a web account membership in a channel or group. The inet:web:member type is derived from the base type: guid.

inet:web:mesg

A message sent from one web account to another web account or channel. The inet:web:mesg type is derived from the base type: comp.

An example of inet:web:mesg:

  • ((twitter.com, invisig0th), (twitter.com, gobbles), 20041012130220)

The type inet:web:mesg has the following options set:

  • fields: (('from', 'inet:web:acct'), ('to', 'inet:web:acct'), ('time', 'time'))

inet:web:post

A post made by a web account. The inet:web:post type is derived from the base type: guid.

inet:web:post:link

A link contained within post text. The inet:web:post:link type is derived from the base type: guid.

inet:whois:contact

An individual contact from a domain whois record. The inet:whois:contact type is derived from the base type: comp.

The type inet:whois:contact has the following options set:

  • fields: (('rec', 'inet:whois:rec'), ('type', ('str', {'lower': True})))

inet:whois:email

An email address associated with an FQDN via whois registration text. The inet:whois:email type is derived from the base type: comp.

The type inet:whois:email has the following options set:

  • fields: (('fqdn', 'inet:fqdn'), ('email', 'inet:email'))

inet:whois:ipcontact

An individual contact from an IP block record. The inet:whois:ipcontact type is derived from the base type: guid.

inet:whois:ipquery

Query details used to retrieve an IP record. The inet:whois:ipquery type is derived from the base type: guid.

inet:whois:iprec

An IPv4/IPv6 block registration record. The inet:whois:iprec type is derived from the base type: guid.

inet:whois:rar

A domain registrar. The inet:whois:rar type is derived from the base type: str.

An example of inet:whois:rar:

  • godaddy, inc.

The type inet:whois:rar has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

inet:whois:rec

A domain whois record. The inet:whois:rec type is derived from the base type: comp.

The type inet:whois:rec has the following options set:

  • fields: (('fqdn', 'inet:fqdn'), ('asof', 'time'))

inet:whois:recns

A nameserver associated with a domain whois record. The inet:whois:recns type is derived from the base type: comp.

The type inet:whois:recns has the following options set:

  • fields: (('ns', 'inet:fqdn'), ('rec', 'inet:whois:rec'))

inet:whois:reg

A domain registrant. The inet:whois:reg type is derived from the base type: str.

An example of inet:whois:reg:

  • woot hostmaster

The type inet:whois:reg has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

inet:whois:regid

The registry unique identifier of the registration record. The inet:whois:regid type is derived from the base type: str.

An example of inet:whois:regid:

  • NET-10-0-0-0-1

The type inet:whois:regid has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

inet:wifi:ap

An SSID/MAC address combination for a wireless access point. The inet:wifi:ap type is derived from the base type: comp.

The type inet:wifi:ap has the following options set:

  • fields: (('ssid', 'inet:wifi:ssid'), ('bssid', 'inet:mac'))

inet:wifi:ssid

A WiFi service set identifier (SSID) name. The inet:wifi:ssid type is derived from the base type: str.

An example of inet:wifi:ssid:

  • The Vertex Project

The type inet:wifi:ssid has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

iso:3166:cc

An ISO 3166 two-digit country code. The iso:3166:cc type is derived from the base type: str.

The type iso:3166:cc has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: ^[a-z]{2}$

  • replace: ()

  • strip: False

iso:oid

An ISO Object Identifier string. The iso:oid type is derived from the base type: str.

The type iso:oid has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^([0-2])((\.0)|(\.[1-9][0-9]*))*$

  • replace: ()

  • strip: False

it:account

A GUID that represents an account on a host or network. The it:account type is derived from the base type: guid.

it:adid

An advertising identification string. The it:adid type is derived from the base type: str.

The type it:adid has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

it:app:snort:hit

An instance of a snort rule hit. The it:app:snort:hit type is derived from the base type: guid.

it:app:snort:rule

A snort rule. The it:app:snort:rule type is derived from the base type: guid.

it:app:yara:match

A YARA rule match to a file. The it:app:yara:match type is derived from the base type: comp.

The type it:app:yara:match has the following options set:

  • fields: (('rule', 'it:app:yara:rule'), ('file', 'file:bytes'))

it:app:yara:procmatch

An instance of a YARA rule match to a process. The it:app:yara:procmatch type is derived from the base type: guid.

it:app:yara:rule

A YARA rule unique identifier. The it:app:yara:rule type is derived from the base type: guid.

it:auth:passwdhash

An instance of a password hash. The it:auth:passwdhash type is derived from the base type: guid.

it:av:filehit

Deprecated. Please use it:av:scan:result. The it:av:filehit type is derived from the base type: comp.

The type it:av:filehit has the following options set:

  • fields: (('file', 'file:bytes'), ('sig', 'it:av:sig'))

it:av:prochit

Deprecated. Please use it:av:scan:result. The it:av:prochit type is derived from the base type: guid.

it:av:scan:result

The result of running an antivirus scanner. The it:av:scan:result type is derived from the base type: guid.

it:av:sig

Deprecated. Please use it:av:scan:result. The it:av:sig type is derived from the base type: comp.

The type it:av:sig has the following options set:

  • fields: (('soft', 'it:prod:soft'), ('name', 'it:av:signame'))

it:av:signame

An antivirus signature name. The it:av:signame type is derived from the base type: str.

The type it:av:signame has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:cmd

A unique command-line string. The it:cmd type is derived from the base type: str.

An example of it:cmd:

  • foo.exe --dostuff bar

The type it:cmd has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

it:dev:int

A developer-selected integer constant. The it:dev:int type is derived from the base type: int.

The type it:dev:int has the following options set:

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

it:dev:mutex

A string representing a mutex. The it:dev:mutex type is derived from the base type: str.

The type it:dev:mutex has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:dev:pipe

A string representing a named pipe. The it:dev:pipe type is derived from the base type: str.

The type it:dev:pipe has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:dev:regkey

A Windows registry key. The it:dev:regkey type is derived from the base type: str.

An example of it:dev:regkey:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The type it:dev:regkey has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:dev:regval

A Windows registry key/value pair. The it:dev:regval type is derived from the base type: guid.

it:dev:repo

A version control system instance. The it:dev:repo type is derived from the base type: guid.

it:dev:repo:branch

A branch in a version control system instance. The it:dev:repo:branch type is derived from the base type: guid.

it:dev:repo:commit

A commit to a repository. The it:dev:repo:commit type is derived from the base type: guid.

it:dev:repo:diff

A diff of a file being applied in a single commit. The it:dev:repo:diff type is derived from the base type: guid.

it:dev:repo:diff:comment

A comment on a diff in a repository. The it:dev:repo:diff:comment type is derived from the base type: guid.

it:dev:repo:issue

An issue raised in a repository. The it:dev:repo:issue type is derived from the base type: guid.

it:dev:repo:issue:comment

A comment on an issue in a repository. The it:dev:repo:issue:comment type is derived from the base type: guid.

it:dev:repo:issue:label

A label applied to a repository issue. The it:dev:repo:issue:label type is derived from the base type: guid.

it:dev:repo:label

A developer-selected label. The it:dev:repo:label type is derived from the base type: guid.

it:dev:repo:remote

A remote repo that is tracked for changes/branches/etc. The it:dev:repo:remote type is derived from the base type: guid.

it:dev:repo:type:taxonomy

A version control system type taxonomy. The it:dev:repo:type:taxonomy type is derived from the base type: taxonomy.

The type it:dev:repo:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:dev:str

A developer-selected string. The it:dev:str type is derived from the base type: str.

The type it:dev:str has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:domain

A logical boundary of authentication and configuration, such as a Windows domain. The it:domain type is derived from the base type: guid.

it:exec:bind

An instance of a host binding a listening port. The it:exec:bind type is derived from the base type: guid.

it:exec:file:add

An instance of a host adding a file to a filesystem. The it:exec:file:add type is derived from the base type: guid.

it:exec:file:del

An instance of a host deleting a file from a filesystem. The it:exec:file:del type is derived from the base type: guid.

it:exec:file:read

An instance of a host reading a file from a filesystem. The it:exec:file:read type is derived from the base type: guid.

it:exec:file:write

An instance of a host writing a file to a filesystem. The it:exec:file:write type is derived from the base type: guid.

it:exec:loadlib

A library load event in a process. The it:exec:loadlib type is derived from the base type: guid.

it:exec:mmap

A memory mapped segment located in a process. The it:exec:mmap type is derived from the base type: guid.

it:exec:mutex

A mutex created by a process at runtime. The it:exec:mutex type is derived from the base type: guid.

it:exec:pipe

A named pipe created by a process at runtime. The it:exec:pipe type is derived from the base type: guid.

it:exec:proc

A process executing on a host. May be an actual (e.g., endpoint) or virtual (e.g., malware sandbox) host. The it:exec:proc type is derived from the base type: guid.

it:exec:query

An instance of an executed query. The it:exec:query type is derived from the base type: guid.

it:exec:reg:del

An instance of a host deleting a registry key. The it:exec:reg:del type is derived from the base type: guid.

it:exec:reg:get

An instance of a host reading a registry key. The it:exec:reg:get type is derived from the base type: guid.

it:exec:reg:set

An instance of a host creating or setting a registry key. The it:exec:reg:set type is derived from the base type: guid.

it:exec:thread

A thread executing in a process. The it:exec:thread type is derived from the base type: guid.

it:exec:url

An instance of a host requesting a URL. The it:exec:url type is derived from the base type: guid.

it:fs:file

A file on a host. The it:fs:file type is derived from the base type: guid.

it:group

A GUID that represents a group on a host or network. The it:group type is derived from the base type: guid.

it:host

A GUID that represents a host or system. The it:host type is derived from the base type: guid.

it:hostname

The name of a host or system. The it:hostname type is derived from the base type: str.

The type it:hostname has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

it:hostsoft

A version of a software product which is present on a given host. The it:hostsoft type is derived from the base type: comp.

The type it:hostsoft has the following options set:

  • fields: (('host', 'it:host'), ('softver', 'it:prod:softver'))

it:hosturl

A URL hosted on or served by a host or system. The it:hosturl type is derived from the base type: comp.

The type it:hosturl has the following options set:

  • fields: (('host', 'it:host'), ('url', 'inet:url'))

it:log:event

A GUID representing an individual log event. The it:log:event type is derived from the base type: guid.

it:log:event:type:taxonomy

A taxonomy of log event types. The it:log:event:type:taxonomy type is derived from the base type: taxonomy.

The type it:log:event:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:logon

A GUID that represents an individual logon/logoff event. The it:logon type is derived from the base type: guid.

it:mitre:attack:campaign

A MITRE ATT&CK Campaign ID. The it:mitre:attack:campaign type is derived from the base type: str.

An example of it:mitre:attack:campaign:

  • C0028

The type it:mitre:attack:campaign has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^C[0-9]{4}$

  • replace: ()

  • strip: False

it:mitre:attack:flow

A MITRE ATT&CK Flow diagram. The it:mitre:attack:flow type is derived from the base type: guid.

it:mitre:attack:group

A MITRE ATT&CK Group ID. The it:mitre:attack:group type is derived from the base type: str.

An example of it:mitre:attack:group:

  • G0100

The type it:mitre:attack:group has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^G[0-9]{4}$

  • replace: ()

  • strip: False

it:mitre:attack:matrix

An enumeration of ATT&CK matrix values. The it:mitre:attack:matrix type is derived from the base type: str.

An example of it:mitre:attack:matrix:

  • enterprise

The type it:mitre:attack:matrix has the following options set:

  • enums: enterprise, mobile, ics

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:mitre:attack:mitigation

A MITRE ATT&CK Mitigation ID. The it:mitre:attack:mitigation type is derived from the base type: str.

An example of it:mitre:attack:mitigation:

  • M1036

The type it:mitre:attack:mitigation has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^M[0-9]{4}$

  • replace: ()

  • strip: False

it:mitre:attack:software

A MITRE ATT&CK Software ID. The it:mitre:attack:software type is derived from the base type: str.

An example of it:mitre:attack:software:

  • S0154

The type it:mitre:attack:software has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^S[0-9]{4}$

  • replace: ()

  • strip: False

it:mitre:attack:status

A MITRE ATT&CK element status. The it:mitre:attack:status type is derived from the base type: str.

An example of it:mitre:attack:status:

  • current

The type it:mitre:attack:status has the following options set:

  • enums: current, deprecated, withdrawn

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:mitre:attack:tactic

A MITRE ATT&CK Tactic ID. The it:mitre:attack:tactic type is derived from the base type: str.

An example of it:mitre:attack:tactic:

  • TA0040

The type it:mitre:attack:tactic has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^TA[0-9]{4}$

  • replace: ()

  • strip: False

it:mitre:attack:technique

A MITRE ATT&CK Technique ID, optionally with a sub-technique suffix (e.g. T1548.002). Note that the dot in the regex below is unescaped, so any single character is accepted between the technique and sub-technique numbers. The it:mitre:attack:technique type is derived from the base type: str.

An example of it:mitre:attack:technique:

  • T1548

The type it:mitre:attack:technique has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^T[0-9]{4}(.[0-9]{3})?$

  • replace: ()

  • strip: False

it:network

A GUID that represents a logical network. The it:network type is derived from the base type: guid.

it:os:android:aaid

An Android advertising identification string. The it:os:android:aaid type is derived from the base type: it:adid.

The type it:os:android:aaid has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

it:os:android:ibroadcast

The given software broadcasts the given Android intent. The it:os:android:ibroadcast type is derived from the base type: comp.

The type it:os:android:ibroadcast has the following options set:

  • fields: (('app', 'it:prod:soft'), ('intent', 'it:os:android:intent'))

it:os:android:ilisten

The given software listens for an Android intent. The it:os:android:ilisten type is derived from the base type: comp.

The type it:os:android:ilisten has the following options set:

  • fields: (('app', 'it:prod:soft'), ('intent', 'it:os:android:intent'))

it:os:android:intent

An Android intent string. The it:os:android:intent type is derived from the base type: str.

The type it:os:android:intent has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:os:android:perm

An Android permission string. The it:os:android:perm type is derived from the base type: str.

The type it:os:android:perm has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:os:android:reqperm

The given software requests the given Android permission. The it:os:android:reqperm type is derived from the base type: comp.

The type it:os:android:reqperm has the following options set:

  • fields: (('app', 'it:prod:soft'), ('perm', 'it:os:android:perm'))

it:os:ios:idfa

An iOS advertising identification string. The it:os:ios:idfa type is derived from the base type: it:adid.

The type it:os:ios:idfa has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

it:os:windows:sid

A Microsoft Windows Security Identifier. The it:os:windows:sid type is derived from the base type: str.

An example of it:os:windows:sid:

  • S-1-5-21-1220945662-1202665555-839525555-5555

The type it:os:windows:sid has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^S-1-(?:\d{1,10}|0x[0-9a-fA-F]{12})(?:-(?:\d+|0x[0-9a-fA-F]{2,}))*$

  • replace: ()

  • strip: False

it:prod:component

A specific instance of an it:prod:hardware, most often as part of an it:host. The it:prod:component type is derived from the base type: guid.

it:prod:hardware

A specification for a piece of IT hardware. The it:prod:hardware type is derived from the base type: guid.

it:prod:hardwaretype

An IT hardware type taxonomy. The it:prod:hardwaretype type is derived from the base type: taxonomy.

The type it:prod:hardwaretype has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:prod:soft

A software product. The it:prod:soft type is derived from the base type: guid.

it:prod:soft:taxonomy

A software type taxonomy. The it:prod:soft:taxonomy type is derived from the base type: taxonomy.

The type it:prod:soft:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:prod:softfile

A file is distributed by a specific software version. The it:prod:softfile type is derived from the base type: comp.

The type it:prod:softfile has the following options set:

  • fields: (('soft', 'it:prod:softver'), ('file', 'file:bytes'))

it:prod:softid

An identifier issued to a given host by a specific software application. The it:prod:softid type is derived from the base type: guid.

it:prod:softlib

A software version contains a library software version. The it:prod:softlib type is derived from the base type: comp.

The type it:prod:softlib has the following options set:

  • fields: (('soft', 'it:prod:softver'), ('lib', 'it:prod:softver'))

it:prod:softname

A software product name. The it:prod:softname type is derived from the base type: str.

The type it:prod:softname has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: True

  • regex: None

  • replace: ()

  • strip: False

it:prod:softos

The software version is known to be compatible with the given OS software version. The it:prod:softos type is derived from the base type: comp.

The type it:prod:softos has the following options set:

  • fields: (('soft', 'it:prod:softver'), ('os', 'it:prod:softver'))

it:prod:softreg

A registry entry is created by a specific software version. The it:prod:softreg type is derived from the base type: comp.

The type it:prod:softreg has the following options set:

  • fields: (('softver', 'it:prod:softver'), ('regval', 'it:dev:regval'))

it:prod:softver

A specific version of a software product. The it:prod:softver type is derived from the base type: guid.

it:query

A unique query string. The it:query type is derived from the base type: str.

The type it:query has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

it:reveng:filefunc

An instance of a function in an executable. The it:reveng:filefunc type is derived from the base type: comp.

The type it:reveng:filefunc has the following options set:

  • fields: (('file', 'file:bytes'), ('function', 'it:reveng:function'))

it:reveng:funcstr

A reference to a string inside a function. The it:reveng:funcstr type is derived from the base type: comp.

The type it:reveng:funcstr has the following options set:

  • fields: (('function', 'it:reveng:function'), ('string', 'str'))

it:reveng:function

A function inside an executable. The it:reveng:function type is derived from the base type: guid.

it:reveng:impfunc

A function from an imported library. The it:reveng:impfunc type is derived from the base type: str.

The type it:reveng:impfunc has the following options set:

  • globsuffix: False

  • lower: 1

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

it:screenshot

A screenshot of a host. The it:screenshot type is derived from the base type: guid.

it:sec:c2:config

An extracted C2 config from an executable. The it:sec:c2:config type is derived from the base type: guid.

it:sec:cve

A vulnerability as designated by a Common Vulnerabilities and Exposures (CVE) number. The it:sec:cve type is derived from the base type: str.

An example of it:sec:cve:

  • cve-2012-0158

The type it:sec:cve has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: (?i)^CVE-[0-9]{4}-[0-9]{4,}$

  • replace: (('‑', '-'), ('‒', '-'), ('–', '-'), ('—', '-'))

  • strip: False
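
The str-derived types on this page (for example it:sec:cve, it:os:windows:sid, it:mitre:attack:technique, iso:3166:cc and it:prod:softname) differ only in their option sets: lower, strip, onespace, replace and regex. The following is an added example, not code from Synapse or from this page, that re-implements those options in plain Python so the effect of each on an input value can be seen. The option values are copied from the entries above; the order in which they are applied and the exact onespace semantics are assumptions made for illustration.

```python
import re
from typing import Iterable, Optional, Tuple

# Added example: a minimal re-implementation of the str-type options listed
# on this page (lower, strip, onespace, replace, regex). It is not
# synapse.lib.types.Str; the order in which the options are applied below is
# an assumption made for illustration.

class BadTypeValu(ValueError):
    """Raised when a value cannot be normalized to the type."""


def norm_str(valu: str, *, lower: bool = False, strip: bool = False,
             onespace: bool = False,
             replace: Iterable[Tuple[str, str]] = (),
             regex: Optional[str] = None) -> str:
    norm = str(valu)
    if lower:
        norm = norm.lower()
    if strip:
        norm = norm.strip()
    if onespace:
        # Collapse every run of whitespace into a single space.
        norm = re.sub(r"\s+", " ", norm)
    for oldv, newv in replace:
        norm = norm.replace(oldv, newv)
    if regex is not None and re.match(regex, norm) is None:
        raise BadTypeValu(f"{valu!r} does not match {regex}")
    return norm


# Option sets copied from the type entries on this page. The replace pairs for
# it:sec:cve map U+2011 (non-breaking hyphen), U+2012 (figure dash),
# U+2013 (en dash) and U+2014 (em dash) to an ASCII hyphen-minus.
TYPES = {
    "it:sec:cve": dict(
        lower=True,
        regex=r"(?i)^CVE-[0-9]{4}-[0-9]{4,}$",
        replace=(("\u2011", "-"), ("\u2012", "-"), ("\u2013", "-"), ("\u2014", "-")),
    ),
    "iso:3166:cc": dict(lower=True, regex=r"^[a-z]{2}$"),
    "it:prod:softname": dict(lower=True, onespace=True),
    "it:os:windows:sid": dict(
        regex=r"^S-1-(?:\d{1,10}|0x[0-9a-fA-F]{12})(?:-(?:\d+|0x[0-9a-fA-F]{2,}))*$"
    ),
    # Note the unescaped dot: it matches any single character, not only '.'.
    "it:mitre:attack:technique": dict(regex=r"^T[0-9]{4}(.[0-9]{3})?$"),
}


def norm(typename: str, valu: str) -> str:
    """Normalize valu according to the named type's options."""
    return norm_str(valu, **TYPES[typename])


def rejects(typename: str, valu: str) -> bool:
    """True if the type refuses the value."""
    try:
        norm(typename, valu)
    except BadTypeValu:
        return True
    return False


if __name__ == "__main__":
    # A CVE pasted from a PDF with en dashes normalizes to the canonical form.
    print(norm("it:sec:cve", "CVE\u20132012\u20130158"))   # cve-2012-0158
    # Accepted because the dot in the technique regex is unescaped.
    print(norm("it:mitre:attack:technique", "T1548x002"))  # T1548x002
```

Because lower is applied before the regex, it:sec:cve still needs the (?i) flag only if the regex were evaluated on raw input; here it is harmless. The SID regex accepts both decimal and the 0x-prefixed hexadecimal forms for the identifier authority and sub-authorities, and the technique example shows why an unescaped dot in a validation regex deserves a second look.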

it:sec:cwe

A Common Weakness Enumeration (CWE) identifier, as used by the NIST NVD to classify the weakness behind a vulnerability. The it:sec:cwe type is derived from the base type: str.

An example of it:sec:cwe:

  • CWE-120

The type it:sec:cwe has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^CWE-[0-9]{1,8}$

  • replace: ()

  • strip: False

it:sec:metrics

A node used to track metrics of an organization’s infosec program. The it:sec:metrics type is derived from the base type: guid.

it:sec:stix:bundle

A STIX bundle. The it:sec:stix:bundle type is derived from the base type: guid.

it:sec:stix:indicator

A STIX indicator pattern. The it:sec:stix:indicator type is derived from the base type: guid.

it:sec:tlp

A Traffic Light Protocol (TLP) marking, as published by US CISA, used to designate information sharing boundaries. The named values follow TLP 2.0 (clear, green, amber, amber-strict, red). The it:sec:tlp type is derived from the base type: int.

An example of it:sec:tlp:

  • green

The type it:sec:tlp has the following options set:

  • enums:

      int  valu
      10   clear
      20   green
      30   amber
      40   amber-strict
      50   red

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

it:sec:vuln:scan

An instance of running a vulnerability scan. The it:sec:vuln:scan type is derived from the base type: guid.

it:sec:vuln:scan:result

A vulnerability scan result for an asset. The it:sec:vuln:scan:result type is derived from the base type: guid.

lang:code

A two-letter language code, optionally followed by a second two-letter part separated by a dot (e.g. pt.br for Brazilian Portuguese). The dot in the regex below is unescaped, so any single character is accepted as the separator. The lang:code type is derived from the base type: str.

An example of lang:code:

  • pt.br

The type lang:code has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: ^[a-z]{2}(.[a-z]{2})?$

  • replace: ()

  • strip: False

lang:idiom

Deprecated. Please use lang:translation. The lang:idiom type is derived from the base type: str.

The type lang:idiom has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

lang:language

A specific written or spoken language. The lang:language type is derived from the base type: guid.

lang:name

A name used to refer to a language. The lang:name type is derived from the base type: str.

The type lang:name has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: True

  • regex: None

  • replace: ()

  • strip: False

lang:trans

Deprecated. Please use lang:translation. The lang:trans type is derived from the base type: str.

The type lang:trans has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

lang:translation

A translation of text from one language to another. The lang:translation type is derived from the base type: guid.

mass

A mass which converts to grams as a base unit. The mass type is derived from the base type: hugenum.

The type mass has the following options set:

  • modulo: None

  • units: {'µg': '0.000001', 'microgram': '0.000001', 'micrograms': '0.000001', 'mg': '0.001', 'milligram': '0.001', 'milligrams': '0.001', 'g': '1', 'grams': '1', 'kg': '1000', 'kilogram': '1000', 'kilograms': '1000', 'lb': '453.592', 'lbs': '453.592', 'pound': '453.592', 'pounds': '453.592', 'stone': '6350.29'}
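
The units table above gives, for each accepted unit name, the multiplier that converts it to grams. The following added example, not Synapse's own hugenum implementation, applies that table with Decimal arithmetic so that factors such as 453.592 do not pick up binary floating-point error on the way into the base unit. The accepted input syntax ("<number> [unit]", with a bare number taken as grams) is an assumption.

```python
import re
from decimal import Decimal

# Added example: converting a mass string to the gram base unit using the
# units table from this type's entry. Illustrative code, not
# synapse.lib.types.HugeNum; the accepted input syntax ("<number> <unit>",
# unit optional, bare numbers taken as grams) is an assumption.

class BadTypeValu(ValueError):
    """Raised for malformed input or an unknown unit."""


# Copied from the mass type's units option; factors are multipliers to grams.
MASS_UNITS = {
    "µg": "0.000001", "microgram": "0.000001", "micrograms": "0.000001",
    "mg": "0.001", "milligram": "0.001", "milligrams": "0.001",
    "g": "1", "grams": "1",
    "kg": "1000", "kilogram": "1000", "kilograms": "1000",
    "lb": "453.592", "lbs": "453.592", "pound": "453.592", "pounds": "453.592",
    "stone": "6350.29",
}

# A non-negative decimal number, optional whitespace, then an optional unit
# made of letters only (so the micro sign in "µg" is accepted).
_MASS_RE = re.compile(r"(\d+(?:\.\d+)?)\s*([^\W\d_]*)")


def norm_mass(valu) -> Decimal:
    """Return the mass in grams as a Decimal (exact, no float rounding)."""
    if isinstance(valu, (int, Decimal)):
        return Decimal(valu)
    if isinstance(valu, float):
        return Decimal(str(valu))
    match = _MASS_RE.fullmatch(str(valu).strip().lower())
    if match is None:
        raise BadTypeValu(f"{valu!r} is not '<number> [unit]'")
    number, unit = match.groups()
    if unit == "":
        return Decimal(number)           # no unit given: already grams
    factor = MASS_UNITS.get(unit)
    if factor is None:
        raise BadTypeValu(f"unknown mass unit {unit!r}")
    return Decimal(number) * Decimal(factor)


def mass_repr(valu) -> str:
    """Canonical grams string: no trailing zeros, no exponent notation."""
    return format(norm_mass(valu).normalize(), "f")


def rejects(valu) -> bool:
    """True if the value cannot be normalized to a mass."""
    try:
        norm_mass(valu)
    except BadTypeValu:
        return True
    return False


if __name__ == "__main__":
    for text in ("2.5 kg", "10 lbs", "500mg", "1 stone"):
        print(f"{text!r:>12} -> {mass_repr(text)} g")
```

Keeping the factors as strings until they are wrapped in Decimal is deliberate: Decimal("453.592") is exact, whereas Decimal(453.592) would carry the float's binary representation error into every stored value.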

mat:item

A GUID assigned to a material object. The mat:item type is derived from the base type: guid.

mat:itemimage

A compound type linking a mat:item to a file:bytes image of it. The mat:itemimage type is derived from the base type: comp.

The type mat:itemimage has the following options set:

  • fields: (('item', 'mat:item'), ('file', 'file:bytes'))

mat:spec

A GUID assigned to a material specification. The mat:spec type is derived from the base type: guid.

mat:specimage

A compound type linking a mat:spec to a file:bytes image of it. The mat:specimage type is derived from the base type: comp.

The type mat:specimage has the following options set:

  • fields: (('spec', 'mat:spec'), ('file', 'file:bytes'))

mat:type

A taxonomy of material item/specification types. The mat:type type is derived from the base type: taxonomy.

The type mat:type has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

media:news

A GUID for a news article or report. The media:news type is derived from the base type: guid.

media:news:taxonomy

A taxonomy of types or sources of news. The media:news:taxonomy type is derived from the base type: taxonomy.

The type media:news:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

media:topic

A topic string. The media:topic type is derived from the base type: str.

The type media:topic has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: True

  • regex: None

  • replace: ()

  • strip: False

meta:event

An analytically relevant event in a curated timeline. The meta:event type is derived from the base type: guid.

meta:event:taxonomy

A taxonomy of event types for meta:event nodes. The meta:event:taxonomy type is derived from the base type: taxonomy.

The type meta:event:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

meta:note

An analyst note about nodes linked with -(about)> edges. The meta:note type is derived from the base type: guid.

meta:note:type:taxonomy

An analyst note type taxonomy. The meta:note:type:taxonomy type is derived from the base type: taxonomy.

The type meta:note:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

meta:priority

A generic priority enumeration. The meta:priority type is derived from the base type: int.

The type meta:priority has the following options set:

  • enums:

      int  valu
      0    none
      10   lowest
      20   low
      30   medium
      40   high
      50   highest

  • enums:strict: False

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8
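
it:sec:tlp and meta:priority are both int-derived enumerations with the same fmt, signed and size options, but they differ in enums:strict. The following added example (not Synapse code) shows what that difference means in practice: with strict True only the enumerated integers, or their names, are accepted; with strict False any integer in range is accepted whether or not it has a name. The case-insensitive name matching, and the reading of size as a byte width combined with signed to bound the range, are assumptions.

```python
from typing import Mapping, Union

# Added example: normalization of the int-based enumerations on this page
# (it:sec:tlp, meta:priority, meta:severity, meta:sophistication). This is
# illustrative code, not synapse.lib.types.Int. Assumptions: enum names are
# matched case-insensitively after stripping whitespace, and size is the
# width in bytes used together with signed to bound the accepted range.

class BadTypeValu(ValueError):
    """Raised when a value is outside the enumeration or integer range."""


# enums tables copied from the it:sec:tlp and meta:priority entries.
TLP = {"clear": 10, "green": 20, "amber": 30, "amber-strict": 40, "red": 50}
PRIORITY = {"none": 0, "lowest": 10, "low": 20, "medium": 30, "high": 40, "highest": 50}


def norm_int_enum(valu: Union[int, str], enums: Mapping[str, int], *,
                  strict: bool, signed: bool = True, size: int = 8) -> int:
    if isinstance(valu, str):
        name = valu.strip().lower()
        if name in enums:
            return enums[name]
        try:
            valu = int(name, 0)          # also accepts "0x14" style input
        except ValueError:
            raise BadTypeValu(f"{valu!r} is not a known enum name or integer") from None
    if isinstance(valu, bool) or not isinstance(valu, int):
        raise BadTypeValu(f"{valu!r} is not an integer")

    # Bound the value by the signed/size options (size assumed to be bytes).
    bits = size * 8
    if signed:
        minval, maxval = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    else:
        minval, maxval = 0, (1 << bits) - 1
    if not minval <= valu <= maxval:
        raise BadTypeValu(f"{valu} is outside the {bits}-bit range")

    # enums:strict True: only the enumerated integers are valid.
    # enums:strict False: any in-range integer is accepted, named or not.
    if strict and valu not in enums.values():
        raise BadTypeValu(f"{valu} is not one of {sorted(enums.values())}")
    return valu


def norm_tlp(valu: Union[int, str]) -> int:
    return norm_int_enum(valu, TLP, strict=True)


def norm_priority(valu: Union[int, str]) -> int:
    return norm_int_enum(valu, PRIORITY, strict=False)


def enum_repr(valu: int, enums: Mapping[str, int]) -> str:
    """Display form: the enum name when one exists, else the integer itself."""
    for name, ival in enums.items():
        if ival == valu:
            return name
    return str(valu)


def rejects(fn, valu) -> bool:
    """True if the normalizer fn refuses valu."""
    try:
        fn(valu)
    except BadTypeValu:
        return True
    return False


if __name__ == "__main__":
    print(norm_tlp("amber-strict"))              # 40
    print(rejects(norm_tlp, 35))                 # True: strict enumeration
    print(norm_priority(35), enum_repr(35, PRIORITY))  # 35 35: unnamed but accepted
```

The practical consequence for a sharing policy built on it:sec:tlp is that a value such as 35 can never be stored, so a comparison like "tlp >= amber" has no undefined middle ground; meta:priority and meta:severity, being non-strict, can hold intermediate scores that the named values merely anchor.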

meta:rule

A generic rule linked to matches with -(matches)> edges. The meta:rule type is derived from the base type: guid.

meta:ruleset

A set of rules linked with -(has)> edges. The meta:ruleset type is derived from the base type: guid.

meta:seen

Annotates that the data in a node was obtained from or observed by a given source. The meta:seen type is derived from the base type: comp.

The type meta:seen has the following options set:

  • fields: (('source', 'meta:source'), ('node', 'ndef'))

meta:severity

A generic severity enumeration. The meta:severity type is derived from the base type: int.

The type meta:severity has the following options set:

  • enums:

      int  valu
      0    none
      10   lowest
      20   low
      30   medium
      40   high
      50   highest

  • enums:strict: False

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

meta:sophistication

A sophistication score with named values: very low, low, medium, high, and very high. The meta:sophistication type is derived from the base type: int.

The type meta:sophistication has the following options set:

  • enums:

      int  valu
      10   very low
      20   low
      30   medium
      40   high
      50   very high

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

meta:source

A data source unique identifier. The meta:source type is derived from the base type: guid.

meta:timeline

A curated timeline of analytically relevant events. The meta:timeline type is derived from the base type: guid.

meta:timeline:taxonomy

A taxonomy of timeline types for meta:timeline nodes. The meta:timeline:taxonomy type is derived from the base type: taxonomy.

The type meta:timeline:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

ou:alias

An alias for the org GUID. The ou:alias type is derived from the base type: str.

An example of ou:alias:

  • vertexproject

The type ou:alias has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: ^[0-9a-z_]+$

  • replace: ()

  • strip: False

ou:attendee

A node representing a person attending a meeting, conference, or event. The ou:attendee type is derived from the base type: guid.

ou:award

An award issued by an organization. The ou:award type is derived from the base type: guid.

ou:campaign

Represents an org’s activity in pursuit of a goal. The ou:campaign type is derived from the base type: guid.

ou:campname

A campaign name. The ou:campname type is derived from the base type: str.

The type ou:campname has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: True

  • regex: None

  • replace: ()

  • strip: False

ou:camptype

A campaign type taxonomy. The ou:camptype type is derived from the base type: taxonomy.

The type ou:camptype has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

ou:conference

A conference with a name and sponsoring org. The ou:conference type is derived from the base type: guid.

ou:conference:attendee

Deprecated. Please use ou:attendee. The ou:conference:attendee type is derived from the base type: comp.

The type ou:conference:attendee has the following options set:

  • fields: (('conference', 'ou:conference'), ('person', 'ps:person'))

ou:conference:event

A conference event with a name and associated conference. The ou:conference:event type is derived from the base type: guid.

ou:conference:event:attendee

Deprecated. Please use ou:attendee. The ou:conference:event:attendee type is derived from the base type: comp.

The type ou:conference:event:attendee has the following options set:

  • fields: (('conference', 'ou:conference:event'), ('person', 'ps:person'))

ou:conflict

Represents a conflict where two or more campaigns have mutually exclusive goals. The ou:conflict type is derived from the base type: guid.

ou:contest

A competitive event resulting in a ranked set of participants. The ou:contest type is derived from the base type: guid.

ou:contest:result

The results from a single contest participant. The ou:contest:result type is derived from the base type: comp.

The type ou:contest:result has the following options set:

  • fields: (('contest', 'ou:contest'), ('participant', 'ps:contact'))

ou:contract

A contract between multiple entities. The ou:contract type is derived from the base type: guid.

ou:contract:type

A pre-defined set of contract types. The ou:contract:type type is derived from the base type: str.

The type ou:contract:type has the following options set:

  • enum: ('nda', 'other', 'grant', 'treaty', 'purchase', 'indemnity', 'partnership')

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

ou:contribution

Represents a specific instance of contributing material support to a campaign. The ou:contribution type is derived from the base type: guid.

ou:conttype

A contract type taxonomy. The ou:conttype type is derived from the base type: taxonomy.

The type ou:conttype has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

ou:employment

An employment type taxonomy. The ou:employment type is derived from the base type: taxonomy.

An example of ou:employment:

  • fulltime.salary

The type ou:employment has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

ou:goal

An assessed or stated goal which may be abstract or org specific. The ou:goal type is derived from the base type: guid.

ou:goal:type:taxonomy

A taxonomy of goal types. The ou:goal:type:taxonomy type is derived from the base type: taxonomy.

The type ou:goal:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

ou:goalname

A goal name. The ou:goalname type is derived from the base type: str.

The type ou:goalname has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: True

  • regex: None

  • replace: ()

  • strip: False

ou:hasalias

The knowledge that an organization has an alias. The ou:hasalias type is derived from the base type: comp.

The type ou:hasalias has the following options set:

  • fields: (('org', 'ou:org'), ('alias', 'ou:alias'))

ou:hasgoal

Deprecated. Please use ou:org:goals. The ou:hasgoal type is derived from the base type: comp.

The type ou:hasgoal has the following options set:

  • fields: (('org', 'ou:org'), ('goal', 'ou:goal'))

ou:id:number

A unique id number issued by a specific organization. The ou:id:number type is derived from the base type: comp.

The type ou:id:number has the following options set:

  • fields: (('type', 'ou:id:type'), ('value', 'ou:id:value'))

ou:id:type

A type of id number issued by an org. The ou:id:type type is derived from the base type: guid.

ou:id:update

A status update to an org:id:number. The ou:id:update type is derived from the base type: guid.

ou:id:value

The value of an org:id:number. The ou:id:value type is derived from the base type: str.

The type ou:id:value has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

ou:industry

An industry classification type. The ou:industry type is derived from the base type: guid.

ou:industry:type:taxonomy

An industry type taxonomy. The ou:industry:type:taxonomy type is derived from the base type: taxonomy.

The type ou:industry:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

ou:industryname

The name of an industry. The ou:industryname type is derived from the base type: str.

The type ou:industryname has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: True

  • regex: None

  • replace: ()

  • strip: False

ou:isic

An International Standard Industrial Classification of All Economic Activities (ISIC) code. The ou:isic type is derived from the base type: str.

An example of ou:isic:

  • C1393

The type ou:isic has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^[A-Z]([0-9]{2}[0-9]{0,2})?$

  • replace: ()

  • strip: False

ou:jobtitle

A title for a position within an org. The ou:jobtitle type is derived from the base type: str.

The type ou:jobtitle has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: True

  • regex: None

  • replace: ()

  • strip: False

ou:jobtype

A taxonomy of job types. The ou:jobtype type is derived from the base type: taxonomy.

An example of ou:jobtype:

  • it.dev.python

The type ou:jobtype has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

ou:meet

An informal meeting of people which has no title or sponsor. See also: ou:conference. The ou:meet type is derived from the base type: guid.

ou:meet:attendee

Deprecated. Please use ou:attendee. The ou:meet:attendee type is derived from the base type: comp.

The type ou:meet:attendee has the following options set:

  • fields: (('meet', 'ou:meet'), ('person', 'ps:person'))

ou:member

Deprecated. Please use ou:position. The ou:member type is derived from the base type: comp.

The type ou:member has the following options set:

  • fields: (('org', 'ou:org'), ('person', 'ps:person'))

ou:naics

North American Industry Classification System codes and prefixes. The ou:naics type is derived from the base type: str.

An example of ou:naics:

  • 541715

The type ou:naics has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^[1-9][0-9]{1,5}?$

  • replace: ()

  • strip: True

ou:name

The name of an organization. This may be a formal name or informal name of the organization. The ou:name type is derived from the base type: str.

An example of ou:name:

  • acme corporation

The type ou:name has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

ou:opening

A job/work opening within an org. The ou:opening type is derived from the base type: guid.

ou:org

A GUID for a human organization such as a company or military unit. The ou:org type is derived from the base type: guid.

ou:org:has

An org owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time. The ou:org:has type is derived from the base type: comp.

The type ou:org:has has the following options set:

  • fields: (('org', 'ou:org'), ('node', 'ndef'))

ou:orgnet4

An organization’s IPv4 netblock. The ou:orgnet4 type is derived from the base type: comp.

The type ou:orgnet4 has the following options set:

  • fields: (('org', 'ou:org'), ('net', 'inet:net4'))

ou:orgnet6

An organization’s IPv6 netblock. The ou:orgnet6 type is derived from the base type: comp.

The type ou:orgnet6 has the following options set:

  • fields: (('org', 'ou:org'), ('net', 'inet:net6'))

ou:orgtype

An org type taxonomy. The ou:orgtype type is derived from the base type: taxonomy.

The type ou:orgtype has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

ou:position

A position within an org. May be organized into an org chart. The ou:position type is derived from the base type: guid.

ou:preso

A webinar, conference talk, or other type of presentation. The ou:preso type is derived from the base type: guid.

ou:requirement

A specific requirement. The ou:requirement type is derived from the base type: guid.

ou:role

A named role when participating in an event. The ou:role type is derived from the base type: str.

An example of ou:role:

  • staff

The type ou:role has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: ^\w+$

  • replace: ()

  • strip: False

ou:sic

The four digit Standard Industrial Classification Code. The ou:sic type is derived from the base type: str.

An example of ou:sic:

  • 0111

The type ou:sic has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^[0-9]{4}$

  • replace: ()

  • strip: False

ou:suborg

Any parent/child relationship between two orgs. May represent ownership, organizational structure, etc. The ou:suborg type is derived from the base type: comp.

The type ou:suborg has the following options set:

  • fields: (('org', 'ou:org'), ('sub', 'ou:org'))

ou:team

A GUID for a team within an organization. The ou:team type is derived from the base type: guid.

ou:technique

A specific technique used to achieve a goal. The ou:technique type is derived from the base type: guid.

ou:technique:taxonomy

An analyst defined taxonomy to classify techniques in different disciplines. The ou:technique:taxonomy type is derived from the base type: taxonomy.

The type ou:technique:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

ou:user

A user name within an organization. The ou:user type is derived from the base type: comp.

The type ou:user has the following options set:

  • fields: (('org', 'ou:org'), ('user', 'inet:user'))

ou:vitals

Vital statistics about an org for a given time period. The ou:vitals type is derived from the base type: guid.

pe:langid

The PE language id. The pe:langid type is derived from the base type: int.

The type pe:langid has the following options set:

  • enums:

    int     valu
    0       neutral
    4       zh-Hans
    26      hr
    127     invariant
    1024    default
    1025    ar-SA
    1026    bg-BG
    1027    ca-ES
    1029    cs-CZ
    1030    da-DK
    1031    de-DE
    1032    el-GR
    1033    en-US
    1034    es-ES-traditional
    1035    fi-FI
    1036    fr-FR
    1037    he-IL
    1038    hu-HU
    1039    is-IS
    1040    it-IT
    1041    ja-JP
    1042    ko-KR
    1043    nl-NL
    1044    nb-NO
    1045    pl-PL
    1046    pt-BR
    1047    rm-CH
    1048    ro-RO
    1049    ru-RU
    1050    hr-HR
    1051    sk-SK
    1052    sq-AL
    1053    sv-SE
    1054    th-TH
    1055    tr-TR
    1056    ur-PK
    1057    id-ID
    1058    uk-UA
    1059    be-BY
    1060    sl-SI
    1061    et-EE
    1062    lv-LV
    1063    lt-LT
    1064    tg-TJ
    1065    fa-IR
    1066    vi-VN
    1067    hy-AM
    1068    az-AZ-Latin
    1069    Basque-Basque
    1070    hsb-DE
    1071    mk-MK
    1074    tn-ZA
    1076    xh-ZA
    1077    zu-ZA
    1078    af-ZA
    1079    ka-GE
    1080    fo-FO
    1081    hi-IN
    1082    mt-MT
    1083    se-NO
    1086    ms-MY
    1087    kk-KZ
    1088    ky-KG
    1089    sw-KE
    1090    tk-TM
    1091    uz-UZ-Latin
    1092    tt-RU
    1093    bn-Bangledesh
    1094    pa-IN
    1095    gu-IN
    1096    or-IN
    1097    ta-IN
    1098    te-IN
    1099    kn-IN
    1100    ml-IN
    1101    as-IN
    1102    mr-IN
    1103    sa-IN
    1104    mn-MN-Cyrllic
    1105    bo-CN
    1106    cy-GB
    1107    kh-KH
    1108    lo-LA
    1110    gl-ES
    1111    kok-IN
    1114    syr-SY
    1115    si-LK
    1116    chr-Cher
    1117    iu-CA
    1118    am-ET
    1121    ne-NP
    1122    fy-NL
    1123    ps-AF
    1124    fil-PH
    1125    dv-MV
    1128    ha-NG
    1130    yo-NG
    1131    quz-BO
    1132    nso-ZA
    1133    ba-RU
    1134    lb-LU
    1135    kl-GL
    1136    ig-NG
    1139    ti-ET
    1141    haw-US
    1144    ii-CN
    1146    arn-CL
    1148    moh-CA
    1150    br-FR
    1152    ug-CN
    1153    mi-NZ
    1154    oc-FR
    1155    co-FR
    1156    gsw-FR
    1157    sah-RU
    1158    qut-GT
    1159    rw-RW
    1160    wo-SN
    1164    prs-AF
    1170    ku-IQ
    2048    sys default
    2049    ar-IQ
    2051    ca-ES-Valencia
    2055    de-CH
    2057    en-GB
    2058    es-MX
    2060    fr-BE
    2064    it-CH
    2067    nl-BE
    2068    no-NO
    2070    pt-PT
    2074    sr-CS-Latin
    2077    sv-FI
    2080    ur-IN
    2092    az-AZ-Cyrillic
    2094    dsb-DE
    2098    tn-BW
    2107    se-SE
    2108    ga-IE
    2110    ms-BN
    2115    uz-UZ-Cyrillic
    2117    bn-IN
    2118    pa-PK
    2121    ta-LK
    2128    mn-MN-Prc
    2137    sd-PK
    2141    iu-CA-Latin
    2143    tzm-DZ
    2151    ff-SN
    2155    quz-EC
    2163    ti-ER
    3072    custom default
    3073    ar-EG
    3076    zh-HK
    3079    de-AT
    3081    en-AU
    3082    es-ES-modern
    3084    fr-CA
    3098    sr-CS-Cyrillic
    3131    se-FI
    3179    quz-PE
    4096    custom unspecified
    4097    ar-LY
    4100    zh-SG
    4103    de-LU
    4105    en-CA
    4106    es-GT
    4108    fr-CH
    4122    hr-BA
    4155    smj-NO
    5120    ui_custom_default
    5121    ar-DZ
    5124    zh-MO
    5127    de-LI
    5129    en-NZ
    5130    es-CR
    5132    fr-LU
    5146    bs-BA-Latin
    5179    smj-SE
    6145    ar-MA
    6153    en-IE
    6154    es-PA
    6156    fr-MC
    6170    sr-code-Latin
    6203    sma-NO
    7169    ar-TN
    7177    en-ZA
    7178    es-DO
    7194    sr-BA
    7227    sma-SE
    8193    ar-OM
    8201    en-JM
    8202    es-VE
    8218    bs-BA-Cyrillic
    8251    sms-FI
    9217    ar-YE
    9225    en-029
    9226    es-CO
    9275    smn-FIl
    10241   ar-SY
    10249   en-BZ
    10250   es-PE
    11265   ar-JO
    11273   en-TT
    11274   es-AR
    12289   ar-LB
    12297   en-ZW
    12298   es-EC
    13313   ar-KW
    13321   en-PH
    13322   es-CL
    14337   ar-AE
    14346   es-UY
    15361   ar-BH
    15370   es-PY
    16385   ar-QA
    16393   en-IN
    16394   es-BO
    17417   en-MY
    17418   es-SV
    18441   en-SG
    18442   es-HN
    19466   es-NI
    20490   es-PR
    21514   es-US
    30746   bs-neutral
    31748   zh-Hant
    31770   sr-Neutral

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

pe:resource:type

The typecode for the resource. The pe:resource:type type is derived from the base type: int.

The type pe:resource:type has the following options set:

  • enums:

    int     valu
    1       RT_CURSOR
    2       RT_BITMAP
    3       RT_ICON
    4       RT_MENU
    5       RT_DIALOG
    6       RT_STRING
    7       RT_FONTDIR
    8       RT_FONT
    9       RT_ACCELERATOR
    10      RT_RCDATA
    11      RT_MESSAGETABLE
    12      RT_GROUP_CURSOR
    14      RT_GROUP_ICON
    16      RT_VERSION
    17      RT_DLGINCLUDE
    19      RT_PLUGPLAY
    20      RT_VXD
    21      RT_ANICURSOR
    22      RT_ANIICON
    23      RT_HTML
    24      RT_MANIFEST

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

pol:candidate

A candidate for office in a specific race. The pol:candidate type is derived from the base type: guid.

pol:country

A GUID for a country. The pol:country type is derived from the base type: guid.

pol:election

An election involving one or more races for office. The pol:election type is derived from the base type: guid.

pol:immigration:status

A node which tracks the immigration status of a contact. The pol:immigration:status type is derived from the base type: guid.

pol:immigration:status:type:taxonomy

A taxonomy of immigration types. The pol:immigration:status:type:taxonomy type is derived from the base type: taxonomy.

The type pol:immigration:status:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

pol:iso2

The 2 digit ISO 3166 country code. The pol:iso2 type is derived from the base type: str.

An example of pol:iso2:

  • us

The type pol:iso2 has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: ^[a-z0-9]{2}$

  • replace: ()

  • strip: False

pol:iso3

The 3 digit ISO 3166 country code. The pol:iso3 type is derived from the base type: str.

An example of pol:iso3:

  • usa

The type pol:iso3 has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: ^[a-z0-9]{3}$

  • replace: ()

  • strip: False

pol:isonum

The ISO integer country code. The pol:isonum type is derived from the base type: int.

An example of pol:isonum:

  • 840

The type pol:isonum has the following options set:

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

pol:office

An elected or appointed office. The pol:office type is derived from the base type: guid.

pol:pollingplace

An official place where ballots may be cast for a specific election. The pol:pollingplace type is derived from the base type: guid.

pol:race

An individual race for office. The pol:race type is derived from the base type: guid.

pol:term

A term in office held by a specific individual. The pol:term type is derived from the base type: guid.

pol:vitals

A set of vital statistics about a country. The pol:vitals type is derived from the base type: guid.

proj:attachment

A file attachment added to a ticket or comment. The proj:attachment type is derived from the base type: guid.

proj:comment

A user comment on a ticket. The proj:comment type is derived from the base type: guid.

proj:epic

A collection of tickets related to a topic. The proj:epic type is derived from the base type: guid.

proj:project

A project in a ticketing system. The proj:project type is derived from the base type: guid.

proj:project:type:taxonomy

A type taxonomy for projects. The proj:project:type:taxonomy type is derived from the base type: taxonomy.

The type proj:project:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

proj:sprint

A timeboxed period to complete a set amount of work. The proj:sprint type is derived from the base type: guid.

proj:ticket

A ticket in a ticketing system. The proj:ticket type is derived from the base type: guid.

ps:achievement

An instance of an individual receiving an award. The ps:achievement type is derived from the base type: guid.

ps:contact

A GUID for a contact info record. The ps:contact type is derived from the base type: guid.

ps:contact:type:taxonomy

A taxonomy of contact types. The ps:contact:type:taxonomy type is derived from the base type: taxonomy.

The type ps:contact:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

ps:contactlist

A GUID for a list of associated contacts. The ps:contactlist type is derived from the base type: guid.

ps:education

A period of education for an individual. The ps:education type is derived from the base type: guid.

ps:name

An arbitrary, lower spaced string with normalized whitespace. The ps:name type is derived from the base type: str.

An example of ps:name:

  • robert grey

The type ps:name has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: True

  • regex: None

  • replace: ()

  • strip: False

ps:person

A GUID for a person. The ps:person type is derived from the base type: guid.

ps:person:has

A person owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time. The ps:person:has type is derived from the base type: comp.

The type ps:person:has has the following options set:

  • fields: (('person', 'ps:person'), ('node', 'ndef'))

ps:persona

A GUID for a suspected person. The ps:persona type is derived from the base type: guid.

ps:persona:has

A persona owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time. The ps:persona:has type is derived from the base type: comp.

The type ps:persona:has has the following options set:

  • fields: (('persona', 'ps:persona'), ('node', 'ndef'))

ps:proficiency

The assessment that a given contact possesses a specific skill. The ps:proficiency type is derived from the base type: guid.

ps:skill

A specific skill which a person or organization may have. The ps:skill type is derived from the base type: guid.

ps:skill:type:taxonomy

A taxonomy of skill types. The ps:skill:type:taxonomy type is derived from the base type: taxonomy.

The type ps:skill:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

ps:tokn

A single name element (potentially given or sur). The ps:tokn type is derived from the base type: str.

An example of ps:tokn:

  • robert

The type ps:tokn has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

ps:vitals

Statistics and demographic data about a person or contact. The ps:vitals type is derived from the base type: guid.

ps:workhist

A GUID representing an entry in a contact’s work history. The ps:workhist type is derived from the base type: guid.

risk:alert

An instance of an alert which indicates the presence of a risk. The risk:alert type is derived from the base type: guid.

risk:alert:taxonomy

A taxonomy of alert types. The risk:alert:taxonomy type is derived from the base type: taxonomy.

The type risk:alert:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

risk:alert:verdict:taxonomy

A taxonomy of verdicts for the origin and validity of the alert. The risk:alert:verdict:taxonomy type is derived from the base type: taxonomy.

The type risk:alert:verdict:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

risk:attack

An instance of an actor attacking a target. The risk:attack type is derived from the base type: guid.

risk:attacktype

A taxonomy of attack types. The risk:attacktype type is derived from the base type: taxonomy.

The type risk:attacktype has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

risk:availability

A taxonomy of availability status values. The risk:availability type is derived from the base type: taxonomy.

The type risk:availability has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

risk:compromise

An instance of a compromise and its aggregate impact. The risk:compromise type is derived from the base type: guid.

risk:compromisetype

A taxonomy of compromise types. The risk:compromisetype type is derived from the base type: taxonomy.

An example of risk:compromisetype:

  • cno.breach

The type risk:compromisetype has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

risk:extortion

An event where an attacker attempted to extort a victim. The risk:extortion type is derived from the base type: guid.

risk:extortion:type:taxonomy

A taxonomy of extortion event types. The risk:extortion:type:taxonomy type is derived from the base type: taxonomy.

The type risk:extortion:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

risk:hasvuln

Deprecated. Please use risk:vulnerable. The risk:hasvuln type is derived from the base type: guid.

risk:leak

An event where information was disclosed without permission. The risk:leak type is derived from the base type: guid.

risk:leak:type:taxonomy

A taxonomy of leak event types. The risk:leak:type:taxonomy type is derived from the base type: taxonomy.

The type risk:leak:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

risk:mitigation

A mitigation for a specific risk:vuln. The risk:mitigation type is derived from the base type: guid.

risk:technique:masquerade

Represents the assessment that a node is designed to resemble another in order to mislead. The risk:technique:masquerade type is derived from the base type: guid.

risk:threat

A threat cluster or subgraph of threat activity, as reported by a specific organization. The risk:threat type is derived from the base type: guid.

risk:threat:type:taxonomy

A taxonomy of threat types. The risk:threat:type:taxonomy type is derived from the base type: taxonomy.

The type risk:threat:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

risk:tool:software

A software tool used in threat activity, as reported by a specific organization. The risk:tool:software type is derived from the base type: guid.

risk:tool:software:taxonomy

A taxonomy of software / tool types. The risk:tool:software:taxonomy type is derived from the base type: taxonomy.

The type risk:tool:software:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

risk:vuln

A unique vulnerability. The risk:vuln type is derived from the base type: guid.

risk:vuln:soft:range

A contiguous range of software versions which contain a vulnerability. The risk:vuln:soft:range type is derived from the base type: guid.

risk:vuln:type:taxonomy

A taxonomy of vulnerability types. The risk:vuln:type:taxonomy type is derived from the base type: taxonomy.

The type risk:vuln:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

risk:vulnerable

Indicates that a node is susceptible to a vulnerability. The risk:vulnerable type is derived from the base type: guid.

risk:vulnname

A vulnerability name such as log4j or rowhammer. The risk:vulnname type is derived from the base type: str.

The type risk:vulnname has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: True

  • regex: None

  • replace: ()

  • strip: False

rsa:key

An RSA keypair modulus and public exponent. The rsa:key type is derived from the base type: comp.

The type rsa:key has the following options set:

  • fields: (('mod', 'hex'), ('pub:exp', 'int'))

sci:evidence

An assessment of how an observation supports or refutes a hypothesis. The sci:evidence type is derived from the base type: guid.

sci:experiment

An instance of running an experiment. The sci:experiment type is derived from the base type: guid.

sci:experiment:type:taxonomy

A taxonomy of experiment types. The sci:experiment:type:taxonomy type is derived from the base type: taxonomy.

The type sci:experiment:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

sci:hypothesis

A hypothesis or theory. The sci:hypothesis type is derived from the base type: guid.

sci:hypothesis:type:taxonomy

A taxonomy of hypothesis types. The sci:hypothesis:type:taxonomy type is derived from the base type: taxonomy.

The type sci:hypothesis:type:taxonomy has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

sci:observation

An observation which may have resulted from an experiment. The sci:observation type is derived from the base type: guid.

syn:cmd

A Synapse storm command. The syn:cmd type is derived from the base type: str.

The type syn:cmd has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

syn:cron

A Cortex cron job. The syn:cron type is derived from the base type: guid.

syn:form

A Synapse form used for representing nodes in the graph. The syn:form type is derived from the base type: str.

The type syn:form has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

syn:nodedata

A nodedata key and the form it may be present on. The syn:nodedata type is derived from the base type: comp.

The type syn:nodedata has the following options set:

  • fields: (('key', 'str'), ('form', 'syn:form'))

syn:prop

A Synapse property. The syn:prop type is derived from the base type: str.

The type syn:prop has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

syn:role

A Synapse role GUID. The syn:role type is derived from the base type: guid.

The type syn:role has the following options set:

  • strip: True

syn:tagprop

A user defined tag property. The syn:tagprop type is derived from the base type: str.

The type syn:tagprop has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

syn:trigger

A Cortex trigger. The syn:trigger type is derived from the base type: guid.

syn:type

A Synapse type used for normalizing nodes and properties. The syn:type type is derived from the base type: str.

The type syn:type has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: None

  • replace: ()

  • strip: True

syn:user

A Synapse user GUID. The syn:user type is derived from the base type: guid.

The type syn:user has the following options set:

  • strip: True

tel:call

A guid for a telephone call record. The tel:call type is derived from the base type: guid.

tel:mob:carrier

The fusion of an MCC/MNC. The tel:mob:carrier type is derived from the base type: comp.

The type tel:mob:carrier has the following options set:

  • fields: (('mcc', 'tel:mob:mcc'), ('mnc', 'tel:mob:mnc'))

tel:mob:cell

A mobile cell site which a phone may connect to. The tel:mob:cell type is derived from the base type: comp.

The type tel:mob:cell has the following options set:

  • fields: (('carrier', 'tel:mob:carrier'), ('lac', ('int', {})), ('cid', ('int', {})))

tel:mob:imid

Fused knowledge of an IMEI/IMSI used together. The tel:mob:imid type is derived from the base type: comp.

An example of tel:mob:imid:

  • (490154203237518, 310150123456789)

The type tel:mob:imid has the following options set:

  • fields: (('imei', 'tel:mob:imei'), ('imsi', 'tel:mob:imsi'))

tel:mob:imsiphone

Fused knowledge of an IMSI assigned phone number. The tel:mob:imsiphone type is derived from the base type: comp.

An example of tel:mob:imsiphone:

  • (310150123456789, "+7(495) 124-59-83")

The type tel:mob:imsiphone has the following options set:

  • fields: (('imsi', 'tel:mob:imsi'), ('phone', 'tel:phone'))

tel:mob:mcc

ITU Mobile Country Code. The tel:mob:mcc type is derived from the base type: str.

The type tel:mob:mcc has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^[0-9]{3}$

  • replace: ()

  • strip: 1

tel:mob:mnc

ITU Mobile Network Code. The tel:mob:mnc type is derived from the base type: str.

The type tel:mob:mnc has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: ^[0-9]{2,3}$

  • replace: ()

  • strip: 1

tel:mob:tac

A mobile Type Allocation Code. The tel:mob:tac type is derived from the base type: int.

An example of tel:mob:tac:

  • 49015420

The type tel:mob:tac has the following options set:

  • enums:strict: True

  • fmt: %d

  • ismax: False

  • ismin: False

  • max: None

  • min: None

  • signed: True

  • size: 8

tel:mob:telem

A single mobile telemetry measurement. The tel:mob:telem type is derived from the base type: guid.

tel:txtmesg

A guid for an individual text message. The tel:txtmesg type is derived from the base type: guid.

transport:air:craft

An individual aircraft. The transport:air:craft type is derived from the base type: guid.

transport:air:flight

An individual instance of a flight. The transport:air:flight type is derived from the base type: guid.

transport:air:flightnum

A commercial flight designator including airline and serial. The transport:air:flightnum type is derived from the base type: str.

An example of transport:air:flightnum:

  • ua2437

The type transport:air:flightnum has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: ^[a-z]{2}[0-9]{1,4}$

  • replace: ((' ', ''),)

  • strip: True

transport:air:occupant

An occupant of a specific flight. The transport:air:occupant type is derived from the base type: guid.

transport:air:port

An IATA assigned airport code. The transport:air:port type is derived from the base type: str.

The type transport:air:port has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: None

  • replace: ()

  • strip: False

transport:air:tailnum

An aircraft registration number or military aircraft serial number. The transport:air:tailnum type is derived from the base type: str.

An example of transport:air:tailnum:

  • ff023

The type transport:air:tailnum has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: ^[a-z0-9-]{2,}$

  • replace: ()

  • strip: True

transport:air:telem

A telemetry sample from an aircraft in transit. The transport:air:telem type is derived from the base type: guid.

transport:direction

A direction measured in degrees with 0.0 being true North. The transport:direction type is derived from the base type: hugenum.

The type transport:direction has the following options set:

  • modulo: 360

  • units: None

transport:land:license

A license to operate a land vehicle issued to a contact. The transport:land:license type is derived from the base type: guid.

transport:land:registration

Registration issued to a contact for a land vehicle. The transport:land:registration type is derived from the base type: guid.

transport:land:vehicle

An individual vehicle. The transport:land:vehicle type is derived from the base type: guid.

transport:sea:imo

An International Maritime Organization registration number. The transport:sea:imo type is derived from the base type: str.

The type transport:sea:imo has the following options set:

  • globsuffix: False

  • lower: True

  • onespace: False

  • regex: ^imo[0-9]{7}$

  • replace: ((' ', ''),)

  • strip: True

transport:sea:mmsi

A Maritime Mobile Service Identifier. The transport:sea:mmsi type is derived from the base type: str.

The type transport:sea:mmsi has the following options set:

  • globsuffix: False

  • lower: False

  • onespace: False

  • regex: [0-9]{9}

  • replace: ()

  • strip: False

transport:sea:telem

A telemetry sample from a vessel in transit. The transport:sea:telem type is derived from the base type: guid.

transport:sea:vessel

An individual sea vessel. The transport:sea:vessel type is derived from the base type: guid.