Synapse Data Model - Forms
Forms
Forms are derived from types, or base types. Forms represent node types in the graph.
auth:access
An instance of using creds to access a resource.
The base type for the form can be found at auth:access.
- Properties:
name
type
doc
:creds
The credentials used to attempt access.
:time
The time of the access attempt.
:success
Set to true if the access was successful.
:person
The person who attempted access.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
auth:creds
A unique set of credentials used to access a resource.
The base type for the form can be found at auth:creds.
- Properties:
name
type
doc
The email address used to identify the user.
:user
The user name used to identify the user.
:phone
The phone number used to identify the user.
:passwd
The password used to authenticate.
:passwdhash
The password hash used to authenticate.
:account
The account that the creds allow access to.
:website
The base URL of the website that the credentials allow access to.
:host
The host that the credentials allow access to.
:wifi:ssid
The WiFi SSID that the credentials allow access to.
:web:acct
The web account that the credentials allow access to.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
belief:subscriber
A contact which subscribes to a belief system.
The base type for the form can be found at belief:subscriber.
- Properties:
name
type
doc
:contact
The contact which subscribes to the belief system.
:system
The belief system to which the contact subscribes.
:began
The time that the contact began to be a subscriber to the belief system.
:ended
The time when the contact ceased to be a subscriber to the belief system.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
belief:subscriber
-(follows)>
belief:tenet
The subscriber is assessed to generally adhere to the specific tenet.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
belief:system
A belief system such as an ideology, philosophy, or religion.
The base type for the form can be found at belief:system.
- Properties:
name
type
doc
opts
:name
The name of the belief system.
:desc
A description of the belief system.
Display:
{'hint': 'text'}
:type
A taxonometric type for the belief system.
:began
The time that the belief system was first observed.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
belief:system
-(has)>
belief:tenet
The belief system includes the tenet.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
belief:system:type:taxonomy
A hierarchical taxonomy of belief system types.
The base type for the form can be found at belief:system:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
belief:tenet
A concrete tenet potentially shared by multiple belief systems.
The base type for the form can be found at belief:tenet.
- Properties:
name
type
doc
opts
:name
The name of the tenet.
:desc
A description of the tenet.
Display:
{'hint': 'text'}
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
belief:subscriber
-(follows)>
belief:tenet
The subscriber is assessed to generally adhere to the specific tenet.
belief:system
-(has)>
belief:tenet
The belief system includes the tenet.
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
biz:bundle
A bundle allows construction of products which bundle instances of other products.
The base type for the form can be found at biz:bundle.
- Properties:
name
type
doc
opts
:count
The number of instances of the product or service included in the bundle.
:price
The price of the bundle.
:product
The product included in the bundle.
:service
The service included in the bundle.
:deal
Deprecated. Please use econ:receipt:item for instances of bundles being sold.
Deprecated:
True
:purchase
Deprecated. Please use econ:receipt:item for instances of bundles being sold.
Deprecated:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
biz:deal
A sales or procurement effort in pursuit of a purchase.
The base type for the form can be found at biz:deal.
- Properties:
name
type
doc
opts
:title
A title for the deal.
:type
The type of deal.
Display:
{'hint': 'taxonomy'}
:status
The status of the deal.
Display:
{'hint': 'taxonomy'}
:updated
The last time the deal had a significant update.
:contacted
The last time the contacts communicated about the deal.
:rfp
The RFP that the deal is in response to.
:buyer
The primary contact information for the buyer.
:buyer:org
The buyer org.
:buyer:orgname
The reported ou:name of the buyer org.
:buyer:orgfqdn
The reported inet:fqdn of the buyer org.
:seller
The primary contact information for the seller.
:seller:org
The seller org.
:seller:orgname
The reported ou:name of the seller org.
:seller:orgfqdn
The reported inet:fqdn of the seller org.
:currency
The currency of econ:price values associated with the deal.
:buyer:budget
The buyers budget for the eventual purchase.
:buyer:deadline
When the buyer intends to make a decision.
:offer:price
The total price of the offered products.
:offer:expires
When the offer expires.
:purchase
Records a purchase resulting from the deal.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
biz:dealstatus
A deal/rfp status taxonomy.
The base type for the form can be found at biz:dealstatus.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
biz:dealtype
A deal type taxonomy.
The base type for the form can be found at biz:dealtype.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
biz:listing
A product or service being listed for sale at a given price by a specific seller.
The base type for the form can be found at biz:listing.
- Properties:
name
type
doc
:seller
The contact information for the seller.
:product
The product being offered.
:service
The service being offered.
:current
Set to true if the offer is still current.
:time
The first known offering of this product/service by the organization for the asking price.
:expires
Set if the offer has a known expiration date.
:price
The asking price of the product or service.
:currency
The currency of the asking price.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
biz:prodtype
A product type taxonomy.
The base type for the form can be found at biz:prodtype.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
biz:product
A product which is available for purchase.
The base type for the form can be found at biz:product.
- Properties:
name
type
doc
opts
:name
The name of the product.
:type
The type of product.
Display:
{'hint': 'taxonomy'}
:summary
A brief summary of the product.
Display:
{'hint': 'text'}
:maker
A contact for the maker of the product.
:madeby:org
Deprecated. Please use biz:product:maker.
Deprecated:
True
:madeby:orgname
Deprecated. Please use biz:product:maker.
Deprecated:
True
:madeby:orgfqdn
Deprecated. Please use biz:product:maker.
Deprecated:
True
:price:retail
The MSRP price of the product.
:price:bottom
The minimum offered or observed price of the product.
:price:currency
The currency of the retail and bottom price properties.
:bundles
An array of bundles included with the product.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
biz:rfp
An RFP (Request for Proposal) soliciting proposals.
The base type for the form can be found at biz:rfp.
- Properties:
name
type
doc
opts
:ext:id
An externally specified identifier for the RFP.
:title
The title of the RFP.
:summary
A brief summary of the RFP.
Display:
{'hint': 'text'}
:status
The status of the RFP.
Display:
{'hint': 'enum'}
:url
The official URL for the RFP.
:file
The RFP document.
:posted
The date/time that the RFP was posted.
:quesdue
The date/time that questions are due.
:propdue
The date/time that proposals are due.
:contact
The contact information given for the org requesting offers.
:purchases
Any known purchases that resulted from the RFP.
:requirements
A typed array which indexes each field.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
biz:service
A service which is performed by a specific organization.
The base type for the form can be found at biz:service.
- Properties:
name
type
doc
opts
:provider
The contact info of the entity which performs the service.
:name
The name of the service being performed.
:summary
A brief summary of the service.
Display:
{'hint': 'text'}
:type
A taxonomy of service types.
:launched
The time when the operator first made the service available.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
biz:stake
A stake or partial ownership in a company.
The base type for the form can be found at biz:stake.
- Properties:
name
type
doc
:vitals
The ou:vitals snapshot this stake is part of.
:org
The resolved org.
:orgname
The org name as reported by the source of the vitals.
:orgfqdn
The org FQDN as reported by the source of the vitals.
:name
An arbitrary name for this stake. Can be non-contact like “pool”.
:asof
The time the stake is being measured. Likely as part of an ou:vitals.
:shares
The number of shares represented by the stake.
:invested
The amount of money invested in the cap table iteration.
:value
The monetary value of the stake.
:percent
The percentage ownership represented by this stake.
:owner
Contact information of the owner of the stake.
:purchase
The purchase event for the stake.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:algorithm
A cryptographic algorithm name.
The base type for the form can be found at crypto:algorithm.
An example of crypto:algorithm
:
aes256
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:currency:address
An individual crypto currency address.
The base type for the form can be found at crypto:currency:address.
An example of crypto:currency:address
:
btc/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
- Properties:
name
type
doc
opts
:coin
The crypto coin to which the address belongs.
Read Only:
True
:seed
The cryptographic key and or password used to generate the address.
:iden
The coin specific address identifier.
Read Only:
True
:desc
A free-form description of the address.
:contact
Contact information associated with the address.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:currency:block
An individual crypto currency block record on the blockchain.
The base type for the form can be found at crypto:currency:block.
- Properties:
name
type
doc
opts
:coin
The coin/blockchain this block resides on.
Read Only:
True
:offset
The index of this block.
Read Only:
True
:hash
The unique hash for the block.
:minedby
The address which mined the block.
:time
Time timestamp embedded in the block by the miner.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:currency:client
A fused node representing a crypto currency address used by an Internet client.
The base type for the form can be found at crypto:currency:client.
An example of crypto:currency:client
:
(1.2.3.4, (btc, 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2))
- Properties:
name
type
doc
opts
:inetaddr
The Internet client address observed using the crypto currency address.
Read Only:
True
:coinaddr
The crypto currency address observed in use by the Internet client.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:currency:coin
An individual crypto currency type.
The base type for the form can be found at crypto:currency:coin.
An example of crypto:currency:coin
:
btc
- Properties:
name
type
doc
:name
The full name of the crypto coin.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:currency:transaction
An individual crypto currency transaction recorded on the blockchain.
The base type for the form can be found at crypto:currency:transaction.
- Properties:
name
type
doc
opts
:hash
The unique transaction hash for the transaction.
:desc
An analyst specified description of the transaction.
:block
The block which records the transaction.
:block:coin
The coin/blockchain of the block which records this transaction.
:block:offset
The offset of the block which records this transaction.
:success
Set to true if the transaction was successfully executed and recorded.
:status:code
A coin specific status code which may represent an error reason.
:status:message
A coin specific status message which may contain an error reason.
:to
The destination address of the transaction.
:from
The source address of the transaction.
:inputs
Deprecated. Please use crypto:payment:input:transaction.
Deprecated:
True
:outputs
Deprecated. Please use crypto:payment:output:transaction.
Deprecated:
True
:fee
The total fee paid to execute the transaction.
:value
The total value of the transaction.
:time
The time this transaction was initiated.
:eth:gasused
The amount of gas used to execute this transaction.
:eth:gaslimit
The ETH gas limit specified for this transaction.
:eth:gasprice
The gas price (in ETH) specified for this transaction.
:contract:input
Input value to a smart contract call.
:contract:output
Output value of a smart contract call.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:key
A cryptographic key and algorithm.
The base type for the form can be found at crypto:key.
- Properties:
name
type
doc
opts
:algorithm
The cryptographic algorithm which uses the key material.
Example:
aes256
:mode
The algorithm specific mode in use.
:iv
The hex encoded initialization vector.
:public
The hex encoded public key material if the algorithm has a public/private key pair.
:public:md5
The MD5 hash of the public key in raw binary form.
:public:sha1
The SHA1 hash of the public key in raw binary form.
:public:sha256
The SHA256 hash of the public key in raw binary form.
:private
The hex encoded private key material. All symmetric keys are private.
:private:md5
The MD5 hash of the private key in raw binary form.
:private:sha1
The SHA1 hash of the private key in raw binary form.
:private:sha256
The SHA256 hash of the private key in raw binary form.
:seed:passwd
The seed password used to generate the key material.
:seed:algorithm
The algorithm used to generate the key from the seed password.
Example:
pbkdf2
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:payment:input
A payment made into a transaction.
The base type for the form can be found at crypto:payment:input.
- Properties:
name
type
doc
:transaction
The transaction the payment was input to.
:address
The address which paid into the transaction.
:value
The value of the currency paid into the transaction.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:payment:output
A payment received from a transaction.
The base type for the form can be found at crypto:payment:output.
- Properties:
name
type
doc
:transaction
The transaction the payment was output from.
:address
The address which received payment from the transaction.
:value
The value of the currency received from the transaction.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:smart:contract
A smart contract.
The base type for the form can be found at crypto:smart:contract.
- Properties:
name
type
doc
:transaction
The transaction which created the contract.
:address
The address of the contract.
:bytecode
The bytecode which implements the contract.
:token:name
The ERC-20 token name.
:token:symbol
The ERC-20 token symbol.
:token:totalsupply
The ERC-20 totalSupply value.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:smart:effect:burntoken
A smart contract effect which destroys a non-fungible token.
The base type for the form can be found at crypto:smart:effect:burntoken.
- Properties:
name
type
doc
:token
The non-fungible token that was destroyed.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:smart:effect:edittokensupply
A smart contract effect which increases or decreases the supply of a fungible token.
The base type for the form can be found at crypto:smart:effect:edittokensupply.
- Properties:
name
type
doc
:contract
The contract which defines the tokens.
:amount
The number of tokens added or removed if negative.
:totalsupply
The total supply of tokens after this modification.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:smart:effect:minttoken
A smart contract effect which creates a new non-fungible token.
The base type for the form can be found at crypto:smart:effect:minttoken.
- Properties:
name
type
doc
:token
The non-fungible token that was created.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:smart:effect:proxytoken
A smart contract effect which grants a non-owner address the ability to manipulate a specific non-fungible token.
The base type for the form can be found at crypto:smart:effect:proxytoken.
- Properties:
name
type
doc
:owner
The address granting proxy authority to manipulate non-fungible tokens.
:proxy
The address granted proxy authority to manipulate non-fungible tokens.
:token
The specific token being granted access to.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:smart:effect:proxytokenall
A smart contract effect which grants a non-owner address the ability to manipulate all non-fungible tokens of the owner.
The base type for the form can be found at crypto:smart:effect:proxytokenall.
- Properties:
name
type
doc
:contract
The contract which defines the tokens.
:owner
The address granting/denying proxy authority to manipulate all non-fungible tokens of the owner.
:proxy
The address granted/denied proxy authority to manipulate all non-fungible tokens of the owner.
:approval
The approval status.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:smart:effect:proxytokens
A smart contract effect which grants a non-owner address the ability to manipulate fungible tokens.
The base type for the form can be found at crypto:smart:effect:proxytokens.
- Properties:
name
type
doc
:contract
The contract which defines the tokens.
:owner
The address granting proxy authority to manipulate fungible tokens.
:proxy
The address granted proxy authority to manipulate fungible tokens.
:amount
The hex encoded amount of tokens the proxy is allowed to manipulate.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:smart:effect:transfertoken
A smart contract effect which transfers ownership of a non-fungible token.
The base type for the form can be found at crypto:smart:effect:transfertoken.
- Properties:
name
type
doc
:token
The non-fungible token that was transferred.
:from
The address the NFT was transferred from.
:to
The address the NFT was transferred to.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:smart:effect:transfertokens
A smart contract effect which transfers fungible tokens.
The base type for the form can be found at crypto:smart:effect:transfertokens.
- Properties:
name
type
doc
:contract
The contract which defines the tokens.
:from
The address the tokens were transferred from.
:to
The address the tokens were transferred to.
:amount
The number of tokens transferred.
:index
The order of the effect within the effects of one transaction.
:transaction
The transaction where the smart contract was called.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:smart:token
A token managed by a smart contract.
The base type for the form can be found at crypto:smart:token.
- Properties:
name
type
doc
opts
:contract
The smart contract which defines and manages the token.
Read Only:
True
:tokenid
The token ID.
Read Only:
True
:owner
The address which currently owns the token.
:nft:url
The URL which hosts the NFT metadata.
:nft:meta
The raw NFT metadata.
:nft:meta:name
The name field from the NFT metadata.
:nft:meta:description
The description field from the NFT metadata.
Display:
{'hint': 'text'}
:nft:meta:image
The image URL from the NFT metadata.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:x509:cert
A unique X.509 certificate.
The base type for the form can be found at crypto:x509:cert.
- Properties:
name
type
doc
:file
The file that the certificate metadata was parsed from.
:subject
The subject identifier, commonly in X.500/LDAP format, to which the certificate was issued.
:issuer
The Distinguished Name (DN) of the Certificate Authority (CA) which issued the certificate.
:issuer:cert
The certificate used by the issuer to sign this certificate.
:serial
zeropad:40
The certificate serial number as a big endian hex value.
:version
enums:((0, 'v1'), (2, 'v3'))
The version integer in the certificate. (ex. 2 == v3 ).
:validity:notbefore
The timestamp for the beginning of the certificate validity period.
:validity:notafter
The timestamp for the end of the certificate validity period.
:md5
The MD5 fingerprint for the certificate.
:sha1
The SHA1 fingerprint for the certificate.
:sha256
The SHA256 fingerprint for the certificate.
:rsa:key
The optional RSA public key associated with the certificate.
:algo
The X.509 signature algorithm OID.
:signature
The hexadecimal representation of the digital signature.
:ext:sans
The Subject Alternate Names (SANs) listed in the certificate.
:ext:crls
A list of Subject Alternate Names (SANs) for Distribution Points.
:identities:fqdns
The fused list of FQDNs identified by the cert CN and SANs.
:identities:emails
The fused list of e-mail addresses identified by the cert CN and SANs.
:identities:ipv4s
The fused list of IPv4 addresses identified by the cert CN and SANs.
:identities:ipv6s
The fused list of IPv6 addresses identified by the cert CN and SANs.
:identities:urls
The fused list of URLs identified by the cert CN and SANs.
:crl:urls
The extracted URL values from the CRLs extension.
:selfsigned
Whether this is a self-signed certificate.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:x509:crl
A unique X.509 Certificate Revocation List.
The base type for the form can be found at crypto:x509:crl.
- Properties:
name
type
doc
:file
The file containing the CRL.
:url
The URL where the CRL was published.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:x509:revoked
A revocation relationship between a CRL and an X.509 certificate.
The base type for the form can be found at crypto:x509:revoked.
- Properties:
name
type
doc
opts
:crl
The CRL which revoked the certificate.
Read Only:
True
:cert
The certificate revoked by the CRL.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
crypto:x509:signedfile
A digital signature relationship between an X.509 certificate and a file.
The base type for the form can be found at crypto:x509:signedfile.
- Properties:
name
type
doc
opts
:cert
The certificate for the key which signed the file.
Read Only:
True
:file
The file which was signed by the certificates key.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
econ:acct:balance
A snapshot of the balance of an account at a point in time.
The base type for the form can be found at econ:acct:balance.
- Properties:
name
type
doc
:time
The time the balance was recorded.
:pay:card
The payment card holding the balance.
:crypto:address
The crypto currency address holding the balance.
:amount
The account balance at the time.
:currency
The currency of the balance amount.
:delta
The change since last regular sample.
:total:received
The total amount of currency received by the account.
:total:sent
The total amount of currency sent from the account.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
econ:acct:payment
A payment or crypto currency transaction.
The base type for the form can be found at econ:acct:payment.
- Properties:
name
type
doc
:txnid
strip:True
A payment processor specific transaction id.
:fee
The transaction fee paid by the recipient to the payment processor.
:from:pay:card
The payment card making the payment.
:from:contract
A contract used as an aggregate payment source.
:from:coinaddr
The crypto currency address making the payment.
:from:contact
Contact information for the entity making the payment.
:to:coinaddr
The crypto currency address receiving the payment.
:to:contact
Contact information for the person/org being paid.
:to:contract
A contract used as an aggregate payment destination.
:time
The time the payment was processed.
:purchase
The purchase which the payment was paying for.
:amount
The amount of money transferred in the payment.
:currency
The currency of the payment.
:memo
A small note specified by the payer common in financial transactions.
:crypto:transaction
A crypto currency transaction that initiated the payment.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
econ:acquired
Deprecated. Please use econ:purchase -(acquired)> *.
The base type for the form can be found at econ:acquired.
- Properties:
name
type
doc
opts
:purchase
The purchase event which acquired an item.
Read Only:
True
:item
A reference to the item that was acquired.
Read Only:
True
:item:form
The form of item purchased.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
econ:fin:bar
A sample of the open, close, high, low prices of a security in a specific time window.
The base type for the form can be found at econ:fin:bar.
- Properties:
name
type
doc
:security
The security measured by the bar.
:ival
The interval of measurement.
:price:open
The opening price of the security.
:price:close
The closing price of the security.
:price:low
The low price of the security.
:price:high
The high price of the security.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
econ:fin:exchange
A financial exchange where securities are traded.
The base type for the form can be found at econ:fin:exchange.
- Properties:
name
type
doc
opts
:name
A simple name for the exchange.
Example:
nasdaq
:org
The organization that operates the exchange.
:currency
The currency used for all transactions in the exchange.
Example:
usd
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
econ:fin:security
A financial security which is typically traded on an exchange.
The base type for the form can be found at econ:fin:security.
- Properties:
name
type
doc
:exchange
The exchange on which the security is traded.
:ticker
The identifier for this security within the exchange.
:type
A user defined type such as stock, bond, option, future, or forex.
:price
The last known/available price of the security.
:time
The time of the last know price sample.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
econ:fin:tick
A sample of the price of a security at a single moment in time.
The base type for the form can be found at econ:fin:tick.
- Properties:
name
type
doc
:security
The security measured by the tick.
:time
The time the price was sampled.
:price
The price of the security at the time.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
econ:pay:card
A single payment card.
The base type for the form can be found at econ:pay:card.
- Properties:
name
type
doc
:pan
The payment card number.
:pan:mii
The payment card MII.
:pan:iin
The payment card IIN.
:name
The name as it appears on the card.
:expr
The expiration date for the card.
:cvv
The Card Verification Value on the card.
:pin
The Personal Identification Number on the card.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
econ:pay:iin
An Issuer Id Number (IIN).
The base type for the form can be found at econ:pay:iin.
- Properties:
name
type
doc
:org
The issuer organization.
:name
lower:True
The registered name of the issuer.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
econ:purchase
A purchase event.
The base type for the form can be found at econ:purchase.
- Properties:
name
type
doc
:by:contact
The contact information used to make the purchase.
:from:contact
The contact information used to sell the item.
:time
The time of the purchase.
:place
The place where the purchase took place.
:paid
Set to True if the purchase has been paid in full.
:paid:time
The point in time where the purchase was paid in full.
:settled
The point in time where the purchase was settled.
:campaign
The campaign that the purchase was in support of.
:price
The econ:price of the purchase.
:currency
The econ:price of the purchase.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
econ:receipt:item
A line item included as part of a purchase.
The base type for the form can be found at econ:receipt:item.
- Properties:
name
type
doc
:purchase
The purchase that contains this line item.
:count
min:1
The number of items included in this line item.
:price
The total cost of this receipt line item.
:product
The product being being purchased in this line item.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
edge:has
A digraph edge which records that N1 has N2.
The base type for the form can be found at edge:has.
- Properties:
name
type
doc
opts
:n1
The node definition type for a (form,valu) compound field.
Read Only:
True
:n1:form
The base string type.
Read Only:
True
:n2
The node definition type for a (form,valu) compound field.
Read Only:
True
:n2:form
The base string type.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
edge:refs
A digraph edge which records that N1 refers to or contains N2.
The base type for the form can be found at edge:refs.
- Properties:
name
type
doc
opts
:n1
The node definition type for a (form,valu) compound field.
Read Only:
True
:n1:form
The base string type.
Read Only:
True
:n2
The node definition type for a (form,valu) compound field.
Read Only:
True
:n2:form
The base string type.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
edge:wentto
A digraph edge which records that N1 went to N2 at a specific time.
The base type for the form can be found at edge:wentto.
- Properties:
name
type
doc
opts
:n1
The node definition type for a (form,valu) compound field.
Read Only:
True
:n1:form
The base string type.
Read Only:
True
:n2
The node definition type for a (form,valu) compound field.
Read Only:
True
:n2:form
The base string type.
Read Only:
True
:time
A date/time value.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
edu:class
An instance of an edu:course taught at a given time.
The base type for the form can be found at edu:class.
- Properties:
name
type
doc
:course
The course being taught in the class.
:instructor
The primary instructor for the class.
:assistants
An array of assistant/co-instructor contacts.
:date:first
The date of the first day of class.
:date:last
The date of the last day of class.
:isvirtual
Set if the class is known to be virtual.
:virtual:url
The URL a student would use to attend the virtual class.
:virtual:provider
Contact info for the virtual infrastructure provider.
:place
The place that the class is held.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
edu:course
A course of study taught by an org.
The base type for the form can be found at edu:course.
- Properties:
name
type
doc
opts
:name
The name of the course.
Example:
organic chemistry for beginners
:desc
A brief course description.
:code
The course catalog number or designator.
Example:
chem101
:institution
The org or department which teaches the course.
:prereqs
The pre-requisite courses for taking this course.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:archive:entry
An archive entry representing a file and metadata within a parent archive file.
The base type for the form can be found at file:archive:entry.
- Properties:
name
type
doc
:parent
The parent archive file.
:file
The file contained within the archive.
:path
The file path of the archived file.
:user
The name of the user who owns the archived file.
:added
The time that the file was added to the archive.
:created
The created time of the archived file.
:modified
The modified time of the archived file.
:comment
The comment field for the file entry within the archive.
:posix:uid
The POSIX UID of the user who owns the archived file.
:posix:gid
The POSIX GID of the group who owns the archived file.
:posix:perms
The POSIX permissions mask of the archived file.
:archived:size
The encoded or compressed size of the archived file within the parent.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:base
A file name with no path.
The base type for the form can be found at file:base.
An example of file:base
:
woot.exe
- Properties:
name
type
doc
opts
:ext
The file extension (if any).
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:bytes
The file bytes type with SHA256 based primary property.
The base type for the form can be found at file:bytes.
- Properties:
name
type
doc
:size
The file size in bytes.
:md5
The md5 hash of the file.
:sha1
The sha1 hash of the file.
:sha256
The sha256 hash of the file.
:sha512
The sha512 hash of the file.
:name
The best known base name for the file.
:mime
The “best” mime type name for the file.
:mime:x509:cn
The Common Name (CN) attribute of the x509 Subject.
:mime:pe:size
The size of the executable file according to the PE file header.
:mime:pe:imphash
The PE import hash of the file as calculated by pefile; https://github.com/erocarrera/pefile .
:mime:pe:compiled
The compile time of the file according to the PE header.
:mime:pe:pdbpath
The PDB string according to the PE.
:mime:pe:exports:time
The export time of the file according to the PE.
:mime:pe:exports:libname
The export library name according to the PE.
:mime:pe:richhdr
The sha256 hash of the rich header bytes.
:exe:compiler
The software used to compile the file.
:exe:packer
The packer software used to encode the file.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:filepath
The fused knowledge of the association of a file:bytes node and a file:path.
The base type for the form can be found at file:filepath.
- Properties:
name
type
doc
opts
:file
The file seen at a path.
Read Only:
True
:path
The path a file was seen at.
Read Only:
True
:path:dir
The parent directory.
Read Only:
True
:path:base
The name of the file.
Read Only:
True
:path:base:ext
The extension of the file name.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:ismime
Records one, of potentially multiple, mime types for a given file.
The base type for the form can be found at file:ismime.
- Properties:
name
type
doc
opts
:file
The file node that is an instance of the named mime type.
Read Only:
True
:mime
The mime type of the file.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime
A file mime name string.
The base type for the form can be found at file:mime.
An example of file:mime
:
text/plain
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:gif
The GUID of a set of mime metadata for a .gif file.
The base type for the form can be found at file:mime:gif.
- Properties:
name
type
doc
:desc
MIME specific description field extracted from metadata.
:comment
MIME specific comment field extracted from metadata.
:created
MIME specific creation timestamp extracted from metadata.
:imageid
MIME specific unique identifier extracted from metadata.
:author
MIME specific contact information extracted from metadata.
:latlong
MIME specific lat/long information extracted from metadata.
:altitude
MIME specific altitude information extracted from metadata.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:jpg
The GUID of a set of mime metadata for a .jpg file.
The base type for the form can be found at file:mime:jpg.
- Properties:
name
type
doc
:desc
MIME specific description field extracted from metadata.
:comment
MIME specific comment field extracted from metadata.
:created
MIME specific creation timestamp extracted from metadata.
:imageid
MIME specific unique identifier extracted from metadata.
:author
MIME specific contact information extracted from metadata.
:latlong
MIME specific lat/long information extracted from metadata.
:altitude
MIME specific altitude information extracted from metadata.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:macho:loadcmd
A generic load command pulled from the Mach-O headers.
The base type for the form can be found at file:mime:macho:loadcmd.
- Properties:
name
type
doc
:file
The Mach-O file containing the load command.
:type
enums:((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))
The type of the load command.
:size
The size of the load command structure in bytes.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:macho:section
A section inside a Mach-O binary denoting a named region of bytes inside a segment.
The base type for the form can be found at file:mime:macho:section.
- Properties:
name
type
doc
:segment
The Mach-O segment that contains this section.
:name
Name of the section.
:size
Size of the section in bytes.
:type
enums:((0, 'regular'), (1, 'zero fill on demand'), (2, 'only literal C strings'), (3, 'only 4 byte literals'), (4, 'only 8 byte literals'), (5, 'only pointers to literals'), (6, 'only non-lazy symbol pointers'), (7, 'only lazy symbol pointers'), (8, 'only symbol stubs'), (9, 'only function pointers for init'), (10, 'only function pointers for fini'), (11, 'contains symbols to be coalesced'), (12, 'zero fill on deman (greater than 4gb)'), (13, 'only pairs of function pointers for interposing'), (14, 'only 16 byte literals'), (15, 'dtrace object format'), (16, 'only lazy symbols pointers to lazy dynamic libraries'))
The type of the section.
:sha256
The sha256 hash of the bytes of the Mach-O section.
:offset
The file offset to the beginning of the section.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:macho:segment
A named region of bytes inside a Mach-O binary.
The base type for the form can be found at file:mime:macho:segment.
- Properties:
name
type
doc
:name
The name of the Mach-O segment.
:memsize
The size of the segment in bytes, when resident in memory, according to the load command structure.
:disksize
The size of the segment in bytes, when on disk, according to the load command structure.
:sha256
The sha256 hash of the bytes of the segment.
:offset
The file offset to the beginning of the segment.
:file
The Mach-O file containing the load command.
:type
enums:((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))
The type of the load command.
:size
The size of the load command structure in bytes.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:macho:uuid
A specific load command denoting a UUID used to uniquely identify the Mach-O binary.
The base type for the form can be found at file:mime:macho:uuid.
- Properties:
name
type
doc
:uuid
The UUID of the Mach-O application (as defined in an LC_UUID load command).
:file
The Mach-O file containing the load command.
:type
enums:((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))
The type of the load command.
:size
The size of the load command structure in bytes.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:macho:version
A specific load command used to denote the version of the source used to build the Mach-O binary.
The base type for the form can be found at file:mime:macho:version.
- Properties:
name
type
doc
:version
The version of the Mach-O file encoded in an LC_VERSION load command.
:file
The Mach-O file containing the load command.
:type
enums:((1, 'segment'), (2, 'symbol table'), (3, 'gdb symbol table'), (4, 'thread'), (5, 'unix thread'), (6, 'fixed VM shared library'), (7, 'fixed VM shared library identification'), (8, 'object identification'), (9, 'fixed VM file inclusion'), (10, 'prepage'), (11, 'dynamic link-edit symbol table'), (12, 'load dynamically linked shared library'), (13, 'dynamically linked shared library identifier'), (14, 'load dynamic linker'), (15, 'dynamic linker identification'), (16, 'prebound dynamically linked shared library'), (17, 'image routines'), (18, 'sub framework'), (19, 'sub umbrella'), (20, 'sub client'), (21, 'sub library'), (22, 'two level namespace lookup hints'), (23, 'prebind checksum'), (24, 'weak import dynamically linked shared library'), (25, '64bit segment'), (26, '64bit image routines'), (27, 'uuid'), (28, 'runpath additions'), (29, 'code signature'), (30, 'split segment info'), (31, 'load and re-export dynamic library'), (32, 'delay load of dynamic library'), (33, 'encrypted segment information'), (34, 'compressed dynamic library information'), (35, 'load upward dylib'), (36, 'minimum osx version'), (37, 'minimum ios version'), (38, 'compressed table of function start addresses'), (39, 'environment variable string for dynamic library'), (40, 'unix thread replacement'), (41, 'table of non-instructions in __text'), (42, 'source version used to build binary'), (43, 'Code signing DRs copied from linked dynamic libraries'))
The type of the load command.
:size
The size of the load command structure in bytes.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:msdoc
The GUID of a set of mime metadata for a Microsoft Word file.
The base type for the form can be found at file:mime:msdoc.
- Properties:
name
type
doc
:title
The title extracted from Microsoft Office metadata.
:author
The author extracted from Microsoft Office metadata.
:subject
The subject extracted from Microsoft Office metadata.
:application
The creating_application extracted from Microsoft Office metadata.
:created
The create_time extracted from Microsoft Office metadata.
:lastsaved
The last_saved_time extracted from Microsoft Office metadata.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:msppt
The GUID of a set of mime metadata for a Microsoft Powerpoint file.
The base type for the form can be found at file:mime:msppt.
- Properties:
name
type
doc
:title
The title extracted from Microsoft Office metadata.
:author
The author extracted from Microsoft Office metadata.
:subject
The subject extracted from Microsoft Office metadata.
:application
The creating_application extracted from Microsoft Office metadata.
:created
The create_time extracted from Microsoft Office metadata.
:lastsaved
The last_saved_time extracted from Microsoft Office metadata.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:msxls
The GUID of a set of mime metadata for a Microsoft Excel file.
The base type for the form can be found at file:mime:msxls.
- Properties:
name
type
doc
:title
The title extracted from Microsoft Office metadata.
:author
The author extracted from Microsoft Office metadata.
:subject
The subject extracted from Microsoft Office metadata.
:application
The creating_application extracted from Microsoft Office metadata.
:created
The create_time extracted from Microsoft Office metadata.
:lastsaved
The last_saved_time extracted from Microsoft Office metadata.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:pe:export
The fused knowledge of a file:bytes node containing a pe named export.
The base type for the form can be found at file:mime:pe:export.
- Properties:
name
type
doc
opts
:file
The file containing the export.
Read Only:
True
:name
The name of the export in the file.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:pe:resource
The fused knowledge of a file:bytes node containing a pe resource.
The base type for the form can be found at file:mime:pe:resource.
- Properties:
name
type
doc
opts
:file
The file containing the resource.
Read Only:
True
:type
The typecode for the resource.
Read Only:
True
:langid
The language code for the resource.
Read Only:
True
:resource
The sha256 hash of the resource bytes.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:pe:section
The fused knowledge a file:bytes node containing a pe section.
The base type for the form can be found at file:mime:pe:section.
- Properties:
name
type
doc
opts
:file
The file containing the section.
Read Only:
True
:name
The textual name of the section.
Read Only:
True
:sha256
The sha256 hash of the section. Relocations must be zeroed before hashing.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:pe:vsvers:info
knowledge of a file:bytes node containing vsvers info.
The base type for the form can be found at file:mime:pe:vsvers:info.
- Properties:
name
type
doc
opts
:file
The file containing the vsversion keyval pair.
Read Only:
True
:keyval
The vsversion info keyval in this file:bytes node.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:pe:vsvers:keyval
A key value pair found in a PE vsversion info structure.
The base type for the form can be found at file:mime:pe:vsvers:keyval.
- Properties:
name
type
doc
opts
:name
The key for the vsversion keyval pair.
Read Only:
True
:value
The value for the vsversion keyval pair.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:png
The GUID of a set of mime metadata for a .png file.
The base type for the form can be found at file:mime:png.
- Properties:
name
type
doc
:desc
MIME specific description field extracted from metadata.
:comment
MIME specific comment field extracted from metadata.
:created
MIME specific creation timestamp extracted from metadata.
:imageid
MIME specific unique identifier extracted from metadata.
:author
MIME specific contact information extracted from metadata.
:latlong
MIME specific lat/long information extracted from metadata.
:altitude
MIME specific altitude information extracted from metadata.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:rtf
The GUID of a set of mime metadata for a .rtf file.
The base type for the form can be found at file:mime:rtf.
- Properties:
name
type
doc
:guid
The parsed GUID embedded in the .rtf file.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:mime:tif
The GUID of a set of mime metadata for a .tif file.
The base type for the form can be found at file:mime:tif.
- Properties:
name
type
doc
:desc
MIME specific description field extracted from metadata.
:comment
MIME specific comment field extracted from metadata.
:created
MIME specific creation timestamp extracted from metadata.
:imageid
MIME specific unique identifier extracted from metadata.
:author
MIME specific contact information extracted from metadata.
:latlong
MIME specific lat/long information extracted from metadata.
:altitude
MIME specific altitude information extracted from metadata.
:file
The file that the mime info was parsed from.
:file:offs
The optional offset where the mime info was parsed from.
:file:data
A mime specific arbitrary data structure for non-indexed data.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:path
A normalized file path.
The base type for the form can be found at file:path.
An example of file:path
:
c:/windows/system32/calc.exe
- Properties:
name
type
doc
opts
:dir
The parent directory.
Read Only:
True
:base
The file base name.
Read Only:
True
:base:ext
The file extension.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:string
Deprecated. Please use the edge -(refs)> it:dev:str.
The base type for the form can be found at file:string.
- Properties:
name
type
doc
opts
:file
The file containing the string.
Read Only:
True
:string
The string contained in this file:bytes node.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
file:subfile
A parent file that fully contains the specified child file.
The base type for the form can be found at file:subfile.
- Properties:
name
type
doc
opts
:parent
The parent file containing the child file.
Read Only:
True
:child
The child file contained in the parent file.
Read Only:
True
:name
Deprecated, please use the :path property.
Deprecated:
True
:path
The path that the parent uses to refer to the child file.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
geo:name
An unstructured place name or address.
The base type for the form can be found at geo:name.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
geo:nloc
Records a node latitude/longitude in space-time.
The base type for the form can be found at geo:nloc.
- Properties:
name
type
doc
opts
:ndef
The node with location in geospace and time.
Read Only:
True
:ndef:form
The form of node referenced by the ndef.
Read Only:
True
:latlong
The latitude/longitude the node was observed.
Read Only:
True
:time
The time the node was observed at location.
Read Only:
True
:place
The place corresponding to the latlong property.
:loc
The geo-political location string for the node.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
geo:place
A GUID for a geographic place.
The base type for the form can be found at geo:place.
- Properties:
name
type
doc
opts
:name
The name of the place.
:type
The type of place.
:names
An array of alternative place names.
:parent
Deprecated. Please use a -(contains)> edge.
Deprecated:
True
:desc
A long form description of the place.
:loc
The geo-political location string for the node.
:address
The street/mailing address for the place.
:geojson
A GeoJSON representation of the place.
:latlong
The lat/long position for the place.
:bbox
A bounding box which encompasses the place.
:radius
An approximate radius to use for bounding box calculation.
:photo
The image file to use as the primary image of the place.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
geo:place
-(contains)>
geo:place
The source place completely contains the target place.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
geo:place
-(contains)>
geo:place
None
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
geo:place:taxonomy
A taxonomy of place types.
The base type for the form can be found at geo:place:taxonomy.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
geo:telem
A geospatial position of a node at a given time. The node should be linked via -(seenat)> edges.
The base type for the form can be found at geo:telem.
- Properties:
name
type
doc
:time
The time that the node was at the position.
:desc
A description of the telemetry sample.
:latlong
The latitude/longitude reading at the time.
:accuracy
The reported accuracy of the latlong telemetry reading.
:place
The place which includes the latlong value.
:place:name
The purported place name. Used for entity resolution.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
gov:cn:icp
A Chinese Internet Content Provider ID.
The base type for the form can be found at gov:cn:icp.
- Properties:
name
type
doc
:org
The org with the Internet Content Provider ID.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
gov:cn:mucd
A Chinese PLA MUCD.
The base type for the form can be found at gov:cn:mucd.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
gov:us:cage
A Commercial and Government Entity (CAGE) code.
The base type for the form can be found at gov:us:cage.
- Properties:
name
type
doc
:name0
The name of the organization.
:name1
lower:True
Name Part 1.
:street
lower:True
The base string type.
:city
lower:True
The base string type.
:state
lower:True
The base string type.
:zip
A US Postal Zip Code.
:cc
The 2 digit ISO 3166 country code.
:country
lower:True
The base string type.
:phone0
A phone number.
:phone1
A phone number.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
gov:us:ssn
A US Social Security Number (SSN).
The base type for the form can be found at gov:us:ssn.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
gov:us:zip
A US Postal Zip Code.
The base type for the form can be found at gov:us:zip.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
graph:cluster
A generic node, used in conjunction with Edge types, to cluster arbitrary nodes to a single node in the model.
The base type for the form can be found at graph:cluster.
- Properties:
name
type
doc
:name
lower:True
A human friendly name for the cluster.
:desc
lower:True
A human friendly long form description for the cluster.
:type
lower:True
An optional type field used to group clusters.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
graph:edge
A generic digraph edge to show relationships outside the model.
The base type for the form can be found at graph:edge.
- Properties:
name
type
doc
opts
:n1
The node definition type for a (form,valu) compound field.
Read Only:
True
:n1:form
The base string type.
Read Only:
True
:n2
The node definition type for a (form,valu) compound field.
Read Only:
True
:n2:form
The base string type.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
graph:event
A generic event node to represent events outside the model.
The base type for the form can be found at graph:event.
- Properties:
name
type
doc
:time
The time of the event.
:type
A arbitrary type string for the event.
:name
A name for the event.
:data
Arbitrary non-indexed msgpack data attached to the event.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
graph:node
A generic node used to represent objects outside the model.
The base type for the form can be found at graph:node.
- Properties:
name
type
doc
:type
The type name for the non-model node.
:name
A human readable name for this record.
:data
Arbitrary non-indexed msgpack data attached to the node.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
graph:timeedge
A generic digraph time edge to show relationships outside the model.
The base type for the form can be found at graph:timeedge.
- Properties:
name
type
doc
opts
:time
A date/time value.
Read Only:
True
:n1
The node definition type for a (form,valu) compound field.
Read Only:
True
:n1:form
The base string type.
Read Only:
True
:n2
The node definition type for a (form,valu) compound field.
Read Only:
True
:n2:form
The base string type.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
hash:md5
A hex encoded MD5 hash.
The base type for the form can be found at hash:md5.
An example of hash:md5
:
d41d8cd98f00b204e9800998ecf8427e
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
hash:sha1
A hex encoded SHA1 hash.
The base type for the form can be found at hash:sha1.
An example of hash:sha1
:
da39a3ee5e6b4b0d3255bfef95601890afd80709
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
hash:sha256
A hex encoded SHA256 hash.
The base type for the form can be found at hash:sha256.
An example of hash:sha256
:
ad9f4fe922b61e674a09530831759843b1880381de686a43460a76864ca0340c
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
hash:sha384
A hex encoded SHA384 hash.
The base type for the form can be found at hash:sha384.
An example of hash:sha384
:
d425f1394e418ce01ed1579069a8bfaa1da8f32cf823982113ccbef531fa36bda9987f389c5af05b5e28035242efab6c
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
hash:sha512
A hex encoded SHA512 hash.
The base type for the form can be found at hash:sha512.
An example of hash:sha512
:
ca74fe2ff2d03b29339ad7d08ba21d192077fece1715291c7b43c20c9136cd132788239189f3441a87eb23ce2660aa243f334295902c904b5520f6e80ab91f11
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:asn
An Autonomous System Number (ASN).
The base type for the form can be found at inet:asn.
- Properties:
name
type
doc
:name
lower:True
The name of the organization currently responsible for the ASN.
:owner
The guid of the organization currently responsible for the ASN.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:asnet4
An Autonomous System Number (ASN) and its associated IPv4 address range.
The base type for the form can be found at inet:asnet4.
An example of inet:asnet4
:
(54959, (1.2.3.4, 1.2.3.20))
- Properties:
name
type
doc
opts
:asn
The Autonomous System Number (ASN) of the netblock.
Read Only:
True
:net4
The IPv4 address range assigned to the ASN.
Read Only:
True
:net4:min
The first IPv4 in the range assigned to the ASN.
Read Only:
True
:net4:max
The last IPv4 in the range assigned to the ASN.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:asnet6
An Autonomous System Number (ASN) and its associated IPv6 address range.
The base type for the form can be found at inet:asnet6.
An example of inet:asnet6
:
(54959, (ff::00, ff::02))
- Properties:
name
type
doc
opts
:asn
The Autonomous System Number (ASN) of the netblock.
Read Only:
True
:net6
The IPv6 address range assigned to the ASN.
Read Only:
True
:net6:min
The first IPv6 in the range assigned to the ASN.
Read Only:
True
:net6:max
The last IPv6 in the range assigned to the ASN.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:cidr4
An IPv4 address block in Classless Inter-Domain Routing (CIDR) notation.
The base type for the form can be found at inet:cidr4.
An example of inet:cidr4
:
1.2.3.0/24
- Properties:
name
type
doc
opts
:broadcast
The broadcast IP address from the CIDR notation.
Read Only:
True
:mask
The mask from the CIDR notation.
Read Only:
True
:network
The network IP address from the CIDR notation.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:cidr6
An IPv6 address block in Classless Inter-Domain Routing (CIDR) notation.
The base type for the form can be found at inet:cidr6.
An example of inet:cidr6
:
2001:db8::/101
- Properties:
name
type
doc
opts
:broadcast
The broadcast IP address from the CIDR notation.
Read Only:
True
:mask
The mask from the CIDR notation.
Read Only:
True
:network
The network IP address from the CIDR notation.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:client
A network client address.
The base type for the form can be found at inet:client.
An example of inet:client
:
tcp://1.2.3.4:80
- Properties:
name
type
doc
opts
:proto
lower:True
The network protocol of the client.
Read Only:
True
:ipv4
The IPv4 of the client.
Read Only:
True
:ipv6
The IPv6 of the client.
Read Only:
True
:host
The it:host node for the client.
Read Only:
True
:port
The client tcp/udp port.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:a
The result of a DNS A record lookup.
The base type for the form can be found at inet:dns:a.
An example of inet:dns:a
:
(vertex.link,1.2.3.4)
- Properties:
name
type
doc
opts
:fqdn
The domain queried for its DNS A record.
Read Only:
True
:ipv4
The IPv4 address returned in the A record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:aaaa
The result of a DNS AAAA record lookup.
The base type for the form can be found at inet:dns:aaaa.
An example of inet:dns:aaaa
:
(vertex.link,2607:f8b0:4004:809::200e)
- Properties:
name
type
doc
opts
:fqdn
The domain queried for its DNS AAAA record.
Read Only:
True
:ipv6
The IPv6 address returned in the AAAA record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:answer
A single answer from within a DNS reply.
The base type for the form can be found at inet:dns:answer.
- Properties:
name
type
doc
:ttl
The base 64 bit signed integer type.
:request
A single instance of a DNS resolver request and optional reply info.
:a
The DNS A record returned by the lookup.
:ns
The DNS NS record returned by the lookup.
:rev
The DNS PTR record returned by the lookup.
:aaaa
The DNS AAAA record returned by the lookup.
:rev6
The DNS PTR record returned by the lookup of an IPv6 address.
:cname
The DNS CNAME record returned by the lookup.
:mx
The DNS MX record returned by the lookup.
:mx:priority
The DNS MX record priority.
:soa
The domain queried for its SOA record.
:txt
The DNS TXT record returned by the lookup.
:time
The time that the DNS response was transmitted.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:cname
The result of a DNS CNAME record lookup.
The base type for the form can be found at inet:dns:cname.
An example of inet:dns:cname
:
(foo.vertex.link,vertex.link)
- Properties:
name
type
doc
opts
:fqdn
The domain queried for its CNAME record.
Read Only:
True
:cname
The domain returned in the CNAME record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:dynreg
A dynamic DNS registration.
The base type for the form can be found at inet:dns:dynreg.
- Properties:
name
type
doc
:fqdn
The FQDN registered within a dynamic DNS provider.
:provider
The organization which provides the dynamic DNS FQDN.
:provider:name
The name of the organization which provides the dynamic DNS FQDN.
:provider:fqdn
The FQDN of the organization which provides the dynamic DNS FQDN.
:contact
The contact information of the registrant.
:created
The time that the dynamic DNS registration was first created.
:client
The network client address used to register the dynamic FQDN.
:client:ipv4
The client IPv4 address used to register the dynamic FQDN.
:client:ipv6
The client IPv6 address used to register the dynamic FQDN.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:mx
The result of a DNS MX record lookup.
The base type for the form can be found at inet:dns:mx.
An example of inet:dns:mx
:
(vertex.link,mail.vertex.link)
- Properties:
name
type
doc
opts
:fqdn
The domain queried for its MX record.
Read Only:
True
:mx
The domain returned in the MX record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:ns
The result of a DNS NS record lookup.
The base type for the form can be found at inet:dns:ns.
An example of inet:dns:ns
:
(vertex.link,ns.dnshost.com)
- Properties:
name
type
doc
opts
:zone
The domain queried for its DNS NS record.
Read Only:
True
:ns
The domain returned in the NS record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:query
A DNS query unique to a given client.
The base type for the form can be found at inet:dns:query.
An example of inet:dns:query
:
(1.2.3.4, woot.com, 1)
- Properties:
name
type
doc
opts
:client
A network client address.
Read Only:
True
:name
A DNS query name string. Likely an FQDN but not always.
Read Only:
True
:name:ipv4
An IPv4 address.
:name:ipv6
An IPv6 address.
:name:fqdn
A Fully Qualified Domain Name (FQDN).
:type
The base 64 bit signed integer type.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:request
A single instance of a DNS resolver request and optional reply info.
The base type for the form can be found at inet:dns:request.
- Properties:
name
type
doc
:time
A date/time value.
:query
A DNS query unique to a given client.
:query:name
A DNS query name string. Likely an FQDN but not always.
:query:name:ipv4
An IPv4 address.
:query:name:ipv6
An IPv6 address.
:query:name:fqdn
A Fully Qualified Domain Name (FQDN).
:query:type
The base 64 bit signed integer type.
:server
A network server address.
:reply:code
The DNS server response code.
:exe
The file containing the code that attempted the DNS lookup.
:proc
The process that attempted the DNS lookup.
:host
The host that attempted the DNS lookup.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:rev
The transformed result of a DNS PTR record lookup.
The base type for the form can be found at inet:dns:rev.
An example of inet:dns:rev
:
(1.2.3.4,vertex.link)
- Properties:
name
type
doc
opts
:ipv4
The IPv4 address queried for its DNS PTR record.
Read Only:
True
:fqdn
The domain returned in the PTR record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:rev6
The transformed result of a DNS PTR record for an IPv6 address.
The base type for the form can be found at inet:dns:rev6.
An example of inet:dns:rev6
:
(2607:f8b0:4004:809::200e,vertex.link)
- Properties:
name
type
doc
opts
:ipv6
The IPv6 address queried for its DNS PTR record.
Read Only:
True
:fqdn
The domain returned in the PTR record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:soa
The result of a DNS SOA record lookup.
The base type for the form can be found at inet:dns:soa.
- Properties:
name
type
doc
:fqdn
The domain queried for its SOA record.
:ns
The domain (MNAME) returned in the SOA record.
The email address (RNAME) returned in the SOA record.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:txt
The result of a DNS MX record lookup.
The base type for the form can be found at inet:dns:txt.
An example of inet:dns:txt
:
(hehe.vertex.link,"fancy TXT record")
- Properties:
name
type
doc
opts
:fqdn
The domain queried for its TXT record.
Read Only:
True
:txt
The string returned in the TXT record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:wild:a
A DNS A wild card record and the IPv4 it resolves to.
The base type for the form can be found at inet:dns:wild:a.
- Properties:
name
type
doc
opts
:fqdn
The domain containing a wild card record.
Read Only:
True
:ipv4
The IPv4 address returned by wild card resolutions.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:dns:wild:aaaa
A DNS AAAA wild card record and the IPv6 it resolves to.
The base type for the form can be found at inet:dns:wild:aaaa.
- Properties:
name
type
doc
opts
:fqdn
The domain containing a wild card record.
Read Only:
True
:ipv6
The IPv6 address returned by wild card resolutions.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:download
An instance of a file downloaded from a server.
The base type for the form can be found at inet:download.
- Properties:
name
type
doc
:time
The time the file was downloaded.
:fqdn
The FQDN used to resolve the server.
:file
The file that was downloaded.
:server
The inet:addr of the server.
:server:host
The it:host node for the server.
:server:ipv4
The IPv4 of the server.
:server:ipv6
The IPv6 of the server.
:server:port
The server tcp/udp port.
:server:proto
lower:True
The server network layer protocol.
:client
The inet:addr of the client.
:client:host
The it:host node for the client.
:client:ipv4
The IPv4 of the client.
:client:ipv6
The IPv6 of the client.
:client:port
The client tcp/udp port.
:client:proto
lower:True
The client network layer protocol.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:egress
A host using a specific network egress client address.
The base type for the form can be found at inet:egress.
- Properties:
name
type
doc
:host
The host that used the network egress.
:client
The client address the host used as a network egress.
:client:ipv4
The client IPv4 address the host used as a network egress.
:client:ipv6
The client IPv6 address the host used as a network egress.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:email
An e-mail address.
The base type for the form can be found at inet:email.
- Properties:
name
type
doc
opts
:user
The username of the email address.
Read Only:
True
:fqdn
The domain of the email address.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:email:header
A unique email message header.
The base type for the form can be found at inet:email:header.
- Properties:
name
type
doc
opts
:name
The name of the email header.
Read Only:
True
:value
The value of the email header.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:email:message
An individual email message delivered to an inbox.
The base type for the form can be found at inet:email:message.
- Properties:
name
type
doc
opts
:to
The email address of the recipient.
:from
The email address of the sender.
:replyto
The email address parsed from the “reply-to” header.
:cc
Email addresses parsed from the “cc” header.
:subject
The email message subject parsed from the “subject” header.
:body
The body of the email message.
Display:
{'hint': 'text'}
:date
The time the email message was delivered.
:bytes
The file bytes which contain the email message.
:headers
type: inet:email:headerAn array of email headers from the message.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:email:message:attachment
A file which was attached to an email message.
The base type for the form can be found at inet:email:message:attachment.
- Properties:
name
type
doc
opts
:message
The message containing the attached file.
Read Only:
True
:file
The attached file.
Read Only:
True
:name
The name of the attached file.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:email:message:link
A url/link embedded in an email message.
The base type for the form can be found at inet:email:message:link.
- Properties:
name
type
doc
opts
:message
The message containing the embedded link.
Read Only:
True
:url
The url contained within the email message.
Read Only:
True
:text
The displayed hyperlink text if it was not the raw URL.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:flow
An individual network connection between a given source and destination.
The base type for the form can be found at inet:flow.
- Properties:
name
type
doc
opts
:time
The time the network connection was initiated.
:duration
The duration of the flow in seconds.
:from
The ingest source file/iden. Used for reparsing.
:dst
The destination address / port for a connection.
:dst:ipv4
The destination IPv4 address.
:dst:ipv6
The destination IPv6 address.
:dst:port
The destination port.
:dst:proto
lower:True
The destination protocol.
:dst:host
The guid of the destination host.
:dst:proc
The guid of the destination process.
:dst:exe
The file (executable) that received the connection.
:dst:txcount
The number of packets sent by the destination host.
:dst:txbytes
The number of bytes sent by the destination host.
:dst:handshake
A text representation of the initial handshake sent by the server.
Display:
{'hint': 'text'}
:src
The source address / port for a connection.
:src:ipv4
The source IPv4 address.
:src:ipv6
The source IPv6 address.
:src:port
The source port.
:src:proto
lower:True
The source protocol.
:src:host
The guid of the source host.
:src:proc
The guid of the source process.
:src:exe
The file (executable) that created the connection.
:src:txcount
The number of packets sent by the source host.
:src:txbytes
The number of bytes sent by the source host.
:tot:txcount
The number of packets sent in both directions.
:tot:txbytes
The number of bytes sent in both directions.
:src:handshake
A text representation of the initial handshake sent by the client.
Display:
{'hint': 'text'}
:dst:cpes
An array of NIST CPEs identified on the destination host.
:dst:softnames
An array of software names identified on the destination host.
:src:cpes
An array of NIST CPEs identified on the source host.
:src:softnames
An array of software names identified on the source host.
:ip:proto
The IP protocol number of the flow.
:ip:tcp:flags
An aggregation of observed TCP flags commonly provided by flow APIs.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
:src:ssl:cert
The x509 certificate sent by the client as part of an SSL/TLS negotiation.
:dst:ssl:cert
The x509 certificate sent by the server as part of an SSL/TLS negotiation.
:src:rdp:hostname
The hostname sent by the client as part of an RDP session setup.
:src:rdp:keyboard:layout
The keyboard layout sent by the client as part of an RDP session setup.
:src:ssh:key
The key sent by the client as part of an SSH session setup.
:dst:ssh:key
The key sent by the server as part of an SSH session setup.
:raw
A raw record used to create the flow which may contain additional protocol details.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:fqdn
A Fully Qualified Domain Name (FQDN).
The base type for the form can be found at inet:fqdn.
An example of inet:fqdn
:
vertex.link
- Properties:
name
type
doc
opts
:domain
The parent domain for the FQDN.
Read Only:
True
:host
lower:True
The host part of the FQDN.
Read Only:
True
:issuffix
True if the FQDN is considered a suffix.
:iszone
True if the FQDN is considered a zone.
:zone
The zone level parent for this FQDN.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:group
A group name string.
The base type for the form can be found at inet:group.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:http:param
An HTTP request path query parameter.
The base type for the form can be found at inet:http:param.
- Properties:
name
type
doc
opts
:name
lower:True
The name of the HTTP query parameter.
Read Only:
True
:value
The value of the HTTP query parameter.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:http:request
A single HTTP request.
The base type for the form can be found at inet:http:request.
- Properties:
name
type
doc
:method
The HTTP request method string.
:path
The requested HTTP path (without query parameters).
:url
The reconstructed URL for the request if known.
:query
The HTTP query string which optionally follows the path.
:headers
An array of HTTP headers from the request.
:body
The body of the HTTP request.
:referer
The referer URL parsed from the “Referer:” header in the request.
:cookies
An array of HTTP cookie values parsed from the “Cookies:” header in the request.
:response:time
A date/time value.
:response:code
The base 64 bit signed integer type.
:response:reason
The base string type.
:response:headers
An array of HTTP headers from the response.
:response:body
The file bytes type with SHA256 based primary property.
:session
The HTTP session this request was part of.
:flow
The raw inet:flow containing the request.
:client
The inet:addr of the client.
:client:ipv4
The server IPv4 address that the request was sent from.
:client:ipv6
The server IPv6 address that the request was sent from.
:client:host
The host that the request was sent from.
:server
The inet:addr of the server.
:server:ipv4
The server IPv4 address that the request was sent to.
:server:ipv6
The server IPv6 address that the request was sent to.
:server:port
The server port that the request was sent to.
:server:host
The host that the request was sent to.
:exe
The executable file which caused the activity.
:proc
The host process which caused the activity.
:thread
The host thread which caused the activity.
:host
The host on which the activity occurred.
:time
The time that the activity started.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:http:request:header
An HTTP request header.
The base type for the form can be found at inet:http:request:header.
- Properties:
name
type
doc
opts
:name
The name of the HTTP request header.
Read Only:
True
:value
The value of the HTTP request header.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:http:response:header
An HTTP response header.
The base type for the form can be found at inet:http:response:header.
- Properties:
name
type
doc
opts
:name
The name of the HTTP response header.
Read Only:
True
:value
The value of the HTTP response header.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:http:session
An HTTP session.
The base type for the form can be found at inet:http:session.
- Properties:
name
type
doc
:contact
The ps:contact which owns the session.
:cookies
An array of cookies used to identify this specific session.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:iface
A network interface with a set of associated protocol addresses.
The base type for the form can be found at inet:iface.
- Properties:
name
type
doc
:host
The guid of the host the interface is associated with.
:network
The guid of the it:network the interface connected to.
:type
lower:True
The free-form interface type.
:mac
The ethernet (MAC) address of the interface.
:ipv4
The IPv4 address of the interface.
:ipv6
The IPv6 address of the interface.
:phone
The telephone number of the interface.
:wifi:ssid
The wifi SSID of the interface.
:wifi:bssid
The wifi BSSID of the interface.
:adid
An advertising ID associated with the interface.
:mob:imei
The IMEI of the interface.
:mob:imsi
The IMSI of the interface.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:ipv4
An IPv4 address.
The base type for the form can be found at inet:ipv4.
An example of inet:ipv4
:
1.2.3.4
- Properties:
name
type
doc
:asn
The ASN to which the IPv4 address is currently assigned.
:latlong
The best known latitude/longitude for the node.
:loc
The geo-political location string for the IPv4.
:place
The geo:place associated with the latlong property.
:type
The type of IP address (e.g., private, multicast, etc.).
:dns:rev
The most current DNS reverse lookup for the IPv4.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
inet:whois:iprec
-(ipwhois)>
inet:ipv4
The source IP whois record describes the target IPv4 address.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:ipv6
An IPv6 address.
The base type for the form can be found at inet:ipv6.
An example of inet:ipv6
:
2607:f8b0:4004:809::200e
- Properties:
name
type
doc
:asn
The ASN to which the IPv6 address is currently assigned.
:ipv4
The mapped ipv4.
:latlong
The last known latitude/longitude for the node.
:place
The geo:place associated with the latlong property.
:dns:rev
The most current DNS reverse lookup for the IPv6.
:loc
The geo-political location string for the IPv6.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
inet:whois:iprec
-(ipwhois)>
inet:ipv6
The source IP whois record describes the target IPv6 address.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:mac
A 48-bit Media Access Control (MAC) address.
The base type for the form can be found at inet:mac.
An example of inet:mac
:
aa:bb:cc:dd:ee:ff
- Properties:
name
type
doc
:vendor
The vendor associated with the 24-bit prefix of a MAC address.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:passwd
A password string.
The base type for the form can be found at inet:passwd.
- Properties:
name
type
doc
opts
:md5
The MD5 hash of the password.
Read Only:
True
:sha1
The SHA1 hash of the password.
Read Only:
True
:sha256
The SHA256 hash of the password.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:proto
A network protocol name.
The base type for the form can be found at inet:proto.
- Properties:
name
type
doc
:port
The default port this protocol typically uses if applicable.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:rfc2822:addr
An RFC 2822 Address field.
The base type for the form can be found at inet:rfc2822:addr.
An example of inet:rfc2822:addr
:
"Visi Kenshoto" <visi@vertex.link>
- Properties:
name
type
doc
opts
:name
The name field parsed from an RFC 2822 address string.
Read Only:
True
The email field parsed from an RFC 2822 address string.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:search:query
An instance of a search query issued to a search engine.
The base type for the form can be found at inet:search:query.
- Properties:
name
type
doc
opts
:text
The search query text.
Display:
{'hint': 'text'}
:time
The time the web search was issued.
:acct
The account that the query was issued as.
:host
The host that issued the query.
:engine
lower:True
A simple name for the search engine used.
Example:
:request
The HTTP request used to issue the query.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:search:result
A single result from a web search.
The base type for the form can be found at inet:search:result.
- Properties:
name
type
doc
:query
The search query that produced the result.
:title
lower:True
The title of the matching web page.
:rank
The rank/order of the query result.
:url
The URL hosting the matching content.
:text
lower:True
Extracted/matched text from the matched content.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:server
A network server address.
The base type for the form can be found at inet:server.
An example of inet:server
:
tcp://1.2.3.4:80
- Properties:
name
type
doc
opts
:proto
lower:True
The network protocol of the server.
Read Only:
True
:ipv4
The IPv4 of the server.
Read Only:
True
:ipv6
The IPv6 of the server.
Read Only:
True
:host
The it:host node for the server.
Read Only:
True
:port
The server tcp/udp port.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:servfile
A file hosted on a server for access over a network protocol.
The base type for the form can be found at inet:servfile.
- Properties:
name
type
doc
opts
:file
The file hosted by the server.
Read Only:
True
:server
The inet:addr of the server.
Read Only:
True
:server:proto
lower:True
The network protocol of the server.
Read Only:
True
:server:ipv4
The IPv4 of the server.
Read Only:
True
:server:ipv6
The IPv6 of the server.
Read Only:
True
:server:host
The it:host node for the server.
Read Only:
True
:server:port
The server tcp/udp port.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:ssl:cert
An SSL certificate file served by a server.
The base type for the form can be found at inet:ssl:cert.
An example of inet:ssl:cert
:
(1.2.3.4:443, guid:d41d8cd98f00b204e9800998ecf8427e)
- Properties:
name
type
doc
opts
:file
The file bytes for the SSL certificate.
Read Only:
True
:server
The server that presented the SSL certificate.
Read Only:
True
:server:ipv4
The SSL server IPv4 address.
Read Only:
True
:server:ipv6
The SSL server IPv6 address.
Read Only:
True
:server:port
The SSL server listening port.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:ssl:jarmhash
A TLS JARM fingerprint hash.
The base type for the form can be found at inet:ssl:jarmhash.
- Properties:
name
type
doc
opts
:ciphers
The encoded cipher and TLS version of the server.
Read Only:
True
:extensions
The truncated SHA256 of the TLS server extensions.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:ssl:jarmsample
A JARM hash sample taken from a server.
The base type for the form can be found at inet:ssl:jarmsample.
- Properties:
name
type
doc
opts
:jarmhash
The JARM hash computed from the server responses.
Read Only:
True
:server
The server that was sampled to compute the JARM hash.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:tunnel
A specific sequence of hosts forwarding connections such as a VPN or proxy.
The base type for the form can be found at inet:tunnel.
- Properties:
name
type
doc
:anon
Indicates that this tunnel provides anonymization.
:type
The type of tunnel such as vpn or proxy.
:ingress
The server where client traffic enters the tunnel.
:egress
The server where client traffic leaves the tunnel.
:operator
The contact information for the tunnel operator.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:tunnel:type:taxonomy
A taxonomy of network tunnel types.
The base type for the form can be found at inet:tunnel:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:url
A Universal Resource Locator (URL).
The base type for the form can be found at inet:url.
An example of inet:url
:
http://www.woot.com/files/index.html
- Properties:
name
type
doc
opts
:fqdn
The fqdn used in the URL (e.g., http://www.woot.com/page.html).
Read Only:
True
:ipv4
The IPv4 address used in the URL (e.g., http://1.2.3.4/page.html).
Read Only:
True
:ipv6
The IPv6 address used in the URL.
Read Only:
True
:passwd
The optional password used to access the URL.
Read Only:
True
:base
The base scheme, user/pass, fqdn, port and path w/o parameters.
Read Only:
True
:path
The path in the URL w/o parameters.
Read Only:
True
:params
The URL parameter string.
Read Only:
True
:port
The port of the URL. URLs prefixed with http will be set to port 80 and URLs prefixed with https will be set to port 443 unless otherwise specified.
Read Only:
True
:proto
lower:True
The protocol in the URL.
Read Only:
True
:user
The optional username used to access the URL.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:url:mirror
A URL mirror site.
The base type for the form can be found at inet:url:mirror.
- Properties:
name
type
doc
opts
:of
The URL being mirrored.
Read Only:
True
:at
The URL of the mirror.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:urlfile
A file hosted at a specific Universal Resource Locator (URL).
The base type for the form can be found at inet:urlfile.
- Properties:
name
type
doc
opts
:url
The URL where the file was hosted.
Read Only:
True
:file
The file that was hosted at the URL.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:urlredir
A URL that redirects to another URL, such as via a URL shortening service or an HTTP 302 response.
The base type for the form can be found at inet:urlredir.
An example of inet:urlredir
:
(http://foo.com/,http://bar.com/)
- Properties:
name
type
doc
opts
:src
The original/source URL before redirect.
Read Only:
True
:src:fqdn
The FQDN within the src URL (if present).
Read Only:
True
:dst
The redirected/destination URL.
Read Only:
True
:dst:fqdn
The FQDN within the dst URL (if present).
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:user
A username string.
The base type for the form can be found at inet:user.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:acct
An account with a given Internet-based site or service.
The base type for the form can be found at inet:web:acct.
An example of inet:web:acct
:
twitter.com/invisig0th
- Properties:
name
type
doc
opts
:avatar
The file representing the avatar (e.g., profile picture) for the account.
:banner
The file representing the banner for the account.
:dob
A self-declared date of birth for the account (if the account belongs to a person).
The email address associated with the account.
:linked:accts
Linked accounts specified in the account profile.
:latlong
The last known latitude/longitude for the node.
:place
The geo:place associated with the latlong property.
:loc
A self-declared location for the account.
:name
The localized name associated with the account (may be different from the account identifier, e.g., a display name).
:name:en
The English version of the name associated with the (may be different from the account identifier, e.g., a display name).
:aliases
An array of alternate names for the user.
:occupation
lower:True
A self-declared occupation for the account.
:passwd
The current password for the account.
:phone
The phone number associated with the account.
:realname
The localized version of the real name of the account owner / registrant.
:realname:en
The English version of the real name of the account owner / registrant.
:signup
The date and time the account was registered.
:signup:client
The client address used to sign up for the account.
:signup:client:ipv4
The IPv4 address used to sign up for the account.
:signup:client:ipv6
The IPv6 address used to sign up for the account.
:site
The site or service associated with the account.
Read Only:
True
:tagline
The text of the account status or tag line.
:url
The service provider URL where the account is hosted.
:user
The unique identifier for the account (may be different from the common name or display name).
Read Only:
True
:webpage
A related URL specified by the account (e.g., a personal or company web page, blog, etc.).
:recovery:email
An email address registered as a recovery email address for the account.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:action
An instance of an account performing an action at an Internet-based site or service.
The base type for the form can be found at inet:web:action.
- Properties:
name
type
doc
:act
The action performed by the account.
:acct
The web account associated with the action.
:acct:site
The site or service associated with the account.
:acct:user
The unique identifier for the account.
:time
The date and time the account performed the action.
:client
The source client address of the action.
:client:ipv4
The source IPv4 address of the action.
:client:ipv6
The source IPv6 address of the action.
:loc
The location of the user executing the web action.
:latlong
The latlong of the user when executing the web action.
:place
The geo:place of the user when executing the web action.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:attachment
An instance of a file being sent to a web service by an account.
The base type for the form can be found at inet:web:attachment.
- Properties:
name
type
doc
opts
:acct
The account that uploaded the file.
:post
The optional web post that the file was attached to.
:mesg
The optional web message that the file was attached to.
:proto
The protocol used to transmit the file to the web service.
Example:
https
:interactive
Set to true if the upload was interactive. False if automated.
:file
The file that was sent.
:name
The name of the file at the time it was sent.
:time
The time the file was sent.
:client
The client address which initiated the upload.
:client:ipv4
The IPv4 address of the client that initiated the upload.
:client:ipv6
The IPv6 address of the client that initiated the upload.
:place
The place the file was sent from.
:place:loc
The geopolitical location that the file was sent from.
:place:name
The reported name of the place that the file was sent from.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:channel
A channel within a web service or instance such as slack or discord.
The base type for the form can be found at inet:web:channel.
- Properties:
name
type
doc
opts
:url
The primary URL used to identify the channel.
Example:
https://app.slack.com/client/T2XK1223Y/C2XHHNDS7
:id
strip:True
The operator specified ID of this channel.
Example:
C2XHHNDS7
:instance
The instance which contains the channel.
:name
strip:True
The visible name of the channel.
Example:
general
:topic
strip:True
The visible topic of the channel.
Example:
Synapse Discussion - Feel free to invite others!
:created
The time the channel was created.
:creator
The account which created the channel.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:chprofile
A change to a web account. Used to capture historical properties associated with an account, as opposed to current data in the inet:web:acct node.
The base type for the form can be found at inet:web:chprofile.
- Properties:
name
type
doc
:acct
The web account associated with the change.
:acct:site
The site or service associated with the account.
:acct:user
The unique identifier for the account.
:client
The source address used to make the account change.
:client:ipv4
The source IPv4 address used to make the account change.
:client:ipv6
The source IPv6 address used to make the account change.
:time
The date and time when the account change occurred.
:pv
The prop=valu of the account property that was changed. Valu should be the old / original value, while the new value should be updated on the inet:web:acct form.
:pv:prop
The property that was changed.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:file
A file posted by a web account.
The base type for the form can be found at inet:web:file.
- Properties:
name
type
doc
opts
:acct
The account that owns or is associated with the file.
Read Only:
True
:acct:site
The site or service associated with the account.
Read Only:
True
:acct:user
The unique identifier for the account.
Read Only:
True
:file
The file owned by or associated with the account.
Read Only:
True
:name
The name of the file owned by or associated with the account.
:posted
Deprecated. Instance data belongs on inet:web:attachment.
Deprecated:
True
:client
Deprecated. Instance data belongs on inet:web:attachment.
Deprecated:
True
:client:ipv4
Deprecated. Instance data belongs on inet:web:attachment.
Deprecated:
True
:client:ipv6
Deprecated. Instance data belongs on inet:web:attachment.
Deprecated:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:follows
A web account follows or is connected to another web account.
The base type for the form can be found at inet:web:follows.
- Properties:
name
type
doc
opts
:follower
The account following an account.
Read Only:
True
:followee
The account followed by an account.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:group
A group hosted within or registered with a given Internet-based site or service.
The base type for the form can be found at inet:web:group.
An example of inet:web:group
:
somesite.com/mycoolgroup
- Properties:
name
type
doc
opts
:site
The site or service associated with the group.
Read Only:
True
:id
The site-specific unique identifier for the group (may be different from the common name or display name).
Read Only:
True
:name
The localized name associated with the group (may be different from the account identifier, e.g., a display name).
:aliases
An array of alternate names for the group.
:name:en
The English version of the name associated with the group (may be different from the localized name).
:url
The service provider URL where the group is hosted.
:avatar
The file representing the avatar (e.g., profile picture) for the group.
:desc
The text of the description of the group.
:webpage
A related URL specified by the group (e.g., primary web site, etc.).
:loc
lower:True
A self-declared location for the group.
:latlong
The last known latitude/longitude for the node.
:place
The geo:place associated with the latlong property.
:signup
The date and time the group was created on the site.
:signup:client
The client address used to create the group.
:signup:client:ipv4
The IPv4 address used to create the group.
:signup:client:ipv6
The IPv6 address used to create the group.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:hashtag
A hashtag used in a web post.
The base type for the form can be found at inet:web:hashtag.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:instance
An instance of a web service such as slack or discord.
The base type for the form can be found at inet:web:instance.
- Properties:
name
type
doc
opts
:url
The primary URL used to identify the instance.
Example:
https://app.slack.com/client/T2XK1223Y
:id
strip:True
The operator specified ID of this instance.
Example:
T2XK1223Y
:name
strip:True
The visible name of the instance.
Example:
vertex synapse
:created
The time the instance was created.
:creator
The account which created the instance.
:owner
The organization which created the instance.
:owner:fqdn
The FQDN of the organization which created the instance. Used for entity resolution.
Example:
vertex.link
:owner:name
The name of the organization which created the instance. Used for entity resolution.
Example:
the vertex project, llc.
:operator
The organization which operates the instance.
:operator:name
The name of the organization which operates the instance. Used for entity resolution.
Example:
slack
:operator:fqdn
The FQDN of the organization which operates the instance. Used for entity resolution.
Example:
slack.com
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:logon
An instance of an account authenticating to an Internet-based site or service.
The base type for the form can be found at inet:web:logon.
- Properties:
name
type
doc
:acct
The web account associated with the logon event.
:acct:site
The site or service associated with the account.
:acct:user
The unique identifier for the account.
:time
The date and time the account logged into the service.
:client
The source address of the logon.
:client:ipv4
The source IPv4 address of the logon.
:client:ipv6
The source IPv6 address of the logon.
:logout
The date and time the account logged out of the service.
:loc
The location of the user executing the logon.
:latlong
The latlong of the user executing the logon.
:place
The geo:place of the user executing the logon.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:memb
Deprecated. Please use inet:web:member.
The base type for the form can be found at inet:web:memb.
- Properties:
name
type
doc
opts
:acct
The account that is a member of the group.
Read Only:
True
:group
The group that the account is a member of.
Read Only:
True
:title
lower:True
The title or status of the member (e.g., admin, new member, etc.).
:joined
The date / time the account joined the group.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:member
Represents a web account membership in a channel or group.
The base type for the form can be found at inet:web:member.
- Properties:
name
type
doc
:acct
The account that is a member of the group or channel.
:group
The group that the account is a member of.
:channel
The channel that the account is a member of.
:added
The date / time the account was added to the group or channel.
:removed
The date / time the account was removed from the group or channel.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:mesg
A message sent from one web account to another web account or channel.
The base type for the form can be found at inet:web:mesg.
An example of inet:web:mesg
:
((twitter.com, invisig0th), (twitter.com, gobbles), 20041012130220)
- Properties:
name
type
doc
opts
:from
The web account that sent the message.
Read Only:
True
:to
The web account that received the message.
Read Only:
True
:client
The source address of the message.
:client:ipv4
The source IPv4 address of the message.
:client:ipv6
The source IPv6 address of the message.
:time
The date and time at which the message was sent.
Read Only:
True
:url
The URL where the message is posted / visible.
:text
The text of the message.
Display:
{'hint': 'text'}
:deleted
The message was deleted.
:file
The file attached to or sent with the message.
:place
The place that the message was reportedly sent from.
:place:name
The name of the place that the message was reportedly sent from. Used for entity resolution.
:instance
The instance where the message was sent.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:post
A post made by a web account.
The base type for the form can be found at inet:web:post.
- Properties:
name
type
doc
opts
:acct
The web account that made the post.
:acct:site
The site or service associated with the account.
:client
The source address of the post.
:client:ipv4
The source IPv4 address of the post.
:client:ipv6
The source IPv6 address of the post.
:acct:user
The unique identifier for the account.
:text
The text of the post.
Display:
{'hint': 'text'}
:time
The date and time that the post was made.
:deleted
The message was deleted by the poster.
:url
The URL where the post is published / visible.
:file
The file that was attached to the post.
:replyto
The post that this post is in reply to.
:repost
The original post that this is a repost of.
:hashtags
Hashtags mentioned within the post.
:mentions:users
Accounts mentioned within the post.
:mentions:groups
Groups mentioned within the post.
:loc
The location that the post was reportedly sent from.
:place
The place that the post was reportedly sent from.
:place:name
The name of the place that the post was reportedly sent from. Used for entity resolution.
:latlong
The place that the post was reportedly sent from.
:channel
The channel where the post was made.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:web:post:link
A link contained within post text.
The base type for the form can be found at inet:web:post:link.
- Properties:
name
type
doc
:post
The post containing the embedded link.
:url
The url that the link forwards to.
:text
The displayed hyperlink text if it was not the raw URL.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:whois:contact
An individual contact from a domain whois record.
The base type for the form can be found at inet:whois:contact.
- Properties:
name
type
doc
opts
:rec
The whois record containing the contact data.
Read Only:
True
:rec:fqdn
The domain associated with the whois record.
Read Only:
True
:rec:asof
The date of the whois record.
Read Only:
True
:type
lower:True
The contact type (e.g., registrar, registrant, admin, billing, tech, etc.).
Read Only:
True
:id
lower:True
The ID associated with the contact.
:name
lower:True
The name of the contact.
The email address of the contact.
:orgname
The name of the contact organization.
:address
lower:True
The content of the street address field(s) of the contact.
:city
lower:True
The content of the city field of the contact.
:state
lower:True
The content of the state field of the contact.
:country
lower:True
The two-letter country code of the contact.
:phone
The content of the phone field of the contact.
:fax
The content of the fax field of the contact.
:url
The URL specified for the contact.
:whois:fqdn
The whois server FQDN for the given contact (most likely a registrar).
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:whois:email
An email address associated with an FQDN via whois registration text.
The base type for the form can be found at inet:whois:email.
- Properties:
name
type
doc
opts
:fqdn
The domain with a whois record containing the email address.
Read Only:
True
The email address associated with the domain whois record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:whois:ipcontact
An individual contact from an IP block record.
The base type for the form can be found at inet:whois:ipcontact.
- Properties:
name
type
doc
:contact
Contact information associated with a registration.
:asof
The date of the record.
:created
The “created” time from the record.
:updated
The “last updated” time from the record.
:role
lower:True
The primary role for the contact.
:roles
Additional roles assigned to the contact.
:asn
The associated Autonomous System Number (ASN).
:id
The registry unique identifier (e.g. NET-74-0-0-0-1).
:links
URLs provided with the record.
:status
lower:True
The state of the registered contact (e.g. validated, obscured).
:contacts
Additional contacts referenced by this contact.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:whois:ipquery
Query details used to retrieve an IP record.
The base type for the form can be found at inet:whois:ipquery.
- Properties:
name
type
doc
:time
The time the request was made.
:url
The query URL when using the HTTP RDAP Protocol.
:fqdn
The FQDN of the host server when using the legacy WHOIS Protocol.
:ipv4
The IPv4 address queried.
:ipv6
The IPv6 address queried.
:success
Whether the host returned a valid response for the query.
:rec
The resulting record from the query.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:whois:iprec
An IPv4/IPv6 block registration record.
The base type for the form can be found at inet:whois:iprec.
- Properties:
name
type
doc
opts
:net4
The IPv4 address range assigned.
:net4:min
The first IPv4 in the range assigned.
:net4:max
The last IPv4 in the range assigned.
:net6
The IPv6 address range assigned.
:net6:min
The first IPv6 in the range assigned.
:net6:max
The last IPv6 in the range assigned.
:asof
The date of the record.
:created
The “created” time from the record.
:updated
The “last updated” time from the record.
:text
lower:True
The full text of the record.
Display:
{'hint': 'text'}
:desc
lower:True
Notes concerning the record.
Display:
{'hint': 'text'}
:asn
The associated Autonomous System Number (ASN).
:id
The registry unique identifier (e.g. NET-74-0-0-0-1).
:name
The name assigned to the network by the registrant.
:parentid
The registry unique identifier of the parent whois record (e.g. NET-74-0-0-0-0).
:registrant
Deprecated. Add the registrant inet:whois:ipcontact to the :contacts array.
Deprecated:
True
:contacts
Additional contacts from the record.
:country
The two-letter ISO 3166 country code.
:status
lower:True
The state of the registered network.
:type
lower:True
The classification of the registered network (e.g. direct allocation).
:links
URLs provided with the record.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
inet:whois:iprec
-(ipwhois)>
inet:ipv4
The source IP whois record describes the target IPv4 address.
inet:whois:iprec
-(ipwhois)>
inet:ipv6
The source IP whois record describes the target IPv6 address.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:whois:rar
A domain registrar.
The base type for the form can be found at inet:whois:rar.
An example of inet:whois:rar
:
godaddy, inc.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:whois:rec
A domain whois record.
The base type for the form can be found at inet:whois:rec.
- Properties:
name
type
doc
opts
:fqdn
The domain associated with the whois record.
Read Only:
True
:asof
The date of the whois record.
Read Only:
True
:text
lower:True
The full text of the whois record.
Display:
{'hint': 'text'}
:created
The “created” time from the whois record.
:updated
The “last updated” time from the whois record.
:expires
The “expires” time from the whois record.
:registrar
The registrar name from the whois record.
:registrant
The registrant name from the whois record.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:whois:recns
A nameserver associated with a domain whois record.
The base type for the form can be found at inet:whois:recns.
- Properties:
name
type
doc
opts
:ns
A nameserver for a domain as listed in the domain whois record.
Read Only:
True
:rec
The whois record containing the nameserver data.
Read Only:
True
:rec:fqdn
The domain associated with the whois record.
Read Only:
True
:rec:asof
The date of the whois record.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:whois:reg
A domain registrant.
The base type for the form can be found at inet:whois:reg.
An example of inet:whois:reg
:
woot hostmaster
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:whois:regid
The registry unique identifier of the registration record.
The base type for the form can be found at inet:whois:regid.
An example of inet:whois:regid
:
NET-10-0-0-0-1
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:wifi:ap
An SSID/MAC address combination for a wireless access point.
The base type for the form can be found at inet:wifi:ap.
- Properties:
name
type
doc
opts
:ssid
The SSID for the wireless access point.
Read Only:
True
:bssid
The MAC address for the wireless access point.
Read Only:
True
:latlong
The best known latitude/longitude for the wireless access point.
:accuracy
The reported accuracy of the latlong telemetry reading.
:channel
The WIFI channel that the AP was last observed operating on.
:encryption
The type of encryption used by the WIFI AP such as “wpa2”.
:place
The geo:place associated with the latlong property.
:loc
The geo-political location string for the wireless access point.
:org
The organization that owns/operates the access point.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
inet:wifi:ssid
A WiFi service set identifier (SSID) name.
The base type for the form can be found at inet:wifi:ssid.
An example of inet:wifi:ssid
:
The Vertex Project
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
iso:oid
An ISO Object Identifier string.
The base type for the form can be found at iso:oid.
- Properties:
name
type
doc
:descr
A description of the value or meaning of the OID.
:identifier
The string identifier for the deepest tree element.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:account
A GUID that represents an account on a host or network.
The base type for the form can be found at it:account.
- Properties:
name
type
doc
opts
:user
The username associated with the account.
:contact
Additional contact information associated with this account.
:host
The host where the account is registered.
:domain
The authentication domain where the account is registered.
:posix:uid
The user ID of the account.
Example:
1001
:posix:gid
The primary group ID of the account.
Example:
1001
:posix:gecos
The GECOS field for the POSIX account.
:posix:home
The path to the POSIX account’s home directory.
Example:
/home/visi
:posix:shell
The path to the POSIX account’s default shell.
Example:
/bin/bash
:windows:sid
The Microsoft Windows Security Identifier of the account.
:groups
An array of groups that the account is a member of.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:adid
An advertising identification string.
The base type for the form can be found at it:adid.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:app:snort:hit
An instance of a snort rule hit.
The base type for the form can be found at it:app:snort:hit.
- Properties:
name
type
doc
:rule
The snort rule that matched the file.
:flow
The inet:flow that matched the snort rule.
:src
The source address of flow that caused the hit.
:src:ipv4
The source IPv4 address of the flow that caused the hit.
:src:ipv6
The source IPv6 address of the flow that caused the hit.
:src:port
The source port of the flow that caused the hit.
:dst
The destination address of the trigger.
:dst:ipv4
The destination IPv4 address of the flow that caused the hit.
:dst:ipv6
The destination IPv4 address of the flow that caused the hit.
:dst:port
The destination port of the flow that caused the hit.
:time
The time of the network flow that caused the hit.
:sensor
The sensor host node that produced the hit.
:version
The version of the rule at the time of match.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:app:snort:rule
A snort rule.
The base type for the form can be found at it:app:snort:rule.
- Properties:
name
type
doc
opts
:id
The snort rule id.
:text
The snort rule text.
Display:
{'hint': 'text'}
:name
The name of the snort rule.
:desc
A brief description of the snort rule.
Display:
{'hint': 'text'}
:engine
The snort engine ID which can parse and evaluate the rule text.
:version
The current version of the rule.
:author
Contact info for the author of the rule.
:created
The time the rule was initially created.
:updated
The time the rule was most recently modified.
:enabled
The rule enabled status to be used for snort evaluation engines.
:family
The name of the software family the rule is designed to detect.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:app:yara:match
A YARA rule match to a file.
The base type for the form can be found at it:app:yara:match.
- Properties:
name
type
doc
opts
:rule
The YARA rule that matched the file.
Read Only:
True
:file
The file that matched the YARA rule.
Read Only:
True
:version
The most recent version of the rule evaluated as a match.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:app:yara:procmatch
An instance of a YARA rule match to a process.
The base type for the form can be found at it:app:yara:procmatch.
- Properties:
name
type
doc
:rule
The YARA rule that matched the file.
:proc
The process that matched the YARA rule.
:time
The time that the YARA engine matched the process to the rule.
:version
The most recent version of the rule evaluated as a match.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:app:yara:rule
A YARA rule unique identifier.
The base type for the form can be found at it:app:yara:rule.
- Properties:
name
type
doc
opts
:text
The YARA rule text.
Display:
{'hint': 'text'}
:ext:id
The YARA rule ID from an external system.
:url
A URL which documents the YARA rule.
:name
The name of the YARA rule.
:author
Contact info for the author of the YARA rule.
:version
The current version of the rule.
:created
The time the YARA rule was initially created.
:updated
The time the YARA rule was most recently modified.
:enabled
The rule enabled status to be used for YARA evaluation engines.
:family
The name of the software family the rule is designed to detect.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:auth:passwdhash
An instance of a password hash.
The base type for the form can be found at it:auth:passwdhash.
- Properties:
name
type
doc
:salt
The (optional) hex encoded salt value used to calculate the password hash.
:hash:md5
The MD5 password hash value.
:hash:sha1
The SHA1 password hash value.
:hash:sha256
The SHA256 password hash value.
:hash:sha512
The SHA512 password hash value.
:hash:lm
The LM password hash value.
:hash:ntlm
The NTLM password hash value.
:passwd
The (optional) clear text password for this password hash.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:av:filehit
A file that triggered an alert on a specific antivirus signature.
The base type for the form can be found at it:av:filehit.
- Properties:
name
type
doc
opts
:file
The file that triggered the signature hit.
Read Only:
True
:sig
The signature that the file triggered on.
Read Only:
True
:sig:name
The signature name.
Read Only:
True
:sig:soft
The anti-virus product which contains the signature.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:av:prochit
An instance of a process triggering an alert on a specific antivirus signature.
The base type for the form can be found at it:av:prochit.
- Properties:
name
type
doc
:proc
The file that triggered the signature hit.
:sig
The signature that the file triggered on.
:time
The time that the AV engine detected the signature.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:av:sig
A signature name within the namespace of an antivirus engine name.
The base type for the form can be found at it:av:sig.
- Properties:
name
type
doc
opts
:soft
The anti-virus product which contains the signature.
Read Only:
True
:name
The signature name.
Read Only:
True
:desc
A free-form description of the signature.
Display:
{'hint': 'text'}
:url
A reference URL for information about the signature.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:av:signame
An antivirus signature name.
The base type for the form can be found at it:av:signame.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:cmd
A unique command-line string.
The base type for the form can be found at it:cmd.
An example of it:cmd
:
foo.exe --dostuff bar
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:int
A developer selected integer constant.
The base type for the form can be found at it:dev:int.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:mutex
A string representing a mutex.
The base type for the form can be found at it:dev:mutex.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:pipe
A string representing a named pipe.
The base type for the form can be found at it:dev:pipe.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:regkey
A Windows registry key.
The base type for the form can be found at it:dev:regkey.
An example of it:dev:regkey
:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:regval
A Windows registry key/value pair.
The base type for the form can be found at it:dev:regval.
- Properties:
name
type
doc
:key
The Windows registry key.
:str
The value of the registry key, if the value is a string.
:int
The value of the registry key, if the value is an integer.
:bytes
The file representing the value of the registry key, if the value is binary data.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:repo
A version control system instance.
The base type for the form can be found at it:dev:repo.
- Properties:
name
type
doc
opts
:name
The name of the repository.
:desc
A free-form description of the repository.
Display:
{'hint': 'text'}
:created
When the repository was created.
:url
A URL where the repository is hosted.
:type
The type of the version control system used.
Example:
svn
:submodules
type: it:dev:repo:commitAn array of other repos that this repo has as submodules, pinned at specific commits.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:repo:branch
A branch in a version control system instance.
The base type for the form can be found at it:dev:repo:branch.
- Properties:
name
type
doc
:parent
The branch this branch was branched from.
:start
The commit in the parent branch this branch was created at.
:name
strip:True
The name of the branch.
:url
The URL where the branch is hosted.
:created
The time this branch was created.
:merged
The time this branch was merged back into its parent.
:deleted
The time this branch was deleted.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:repo:commit
A commit to a repository.
The base type for the form can be found at it:dev:repo:commit.
- Properties:
name
type
doc
opts
:repo
The repository the commit lives in.
:parents
type: it:dev:repo:commitThe commit or commits this commit is immediately based on.
:branch
The name of the branch the commit was made to.
:mesg
The commit message describing the changes in the commit.
Display:
{'hint': 'text'}
:id
The version control system specific commit identifier.
:created
The time the commit was made.
:url
The URL where the commit is hosted.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:repo:diff
A diff of a file being applied in a single commit.
The base type for the form can be found at it:dev:repo:diff.
- Properties:
name
type
doc
:commit
The commit that produced this diff.
:file
The file after the commit has been applied.
:path
The path to the file in the repo that the diff is being applied to.
:url
The URL where the diff is hosted.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:repo:diff:comment
A comment on a diff in a repository.
The base type for the form can be found at it:dev:repo:diff:comment.
- Properties:
name
type
doc
opts
:diff
The diff the comment is being added to.
:text
The body of the comment.
Display:
{'hint': 'text'}
:replyto
The comment that this comment is replying to.
:line
The line in the file that is being commented on.
:offset
The offset in the line in the file that is being commented on.
:url
The URL where the comment is hosted.
:created
The time the comment was created.
:updated
The time the comment was updated.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:repo:issue
An issue raised in a repository.
The base type for the form can be found at it:dev:repo:issue.
- Properties:
name
type
doc
opts
:repo
The repo where the issue was logged.
:title
The title of the issue.
:desc
The text describing the issue.
Display:
{'hint': 'text'}
:created
The time the issue was created.
:updated
The time the issue was updated.
:url
The URL where the issue is hosted.
:id
strip:True
The ID of the issue in the repository system.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:repo:issue:comment
A comment on an issue in a repository.
The base type for the form can be found at it:dev:repo:issue:comment.
- Properties:
name
type
doc
opts
:issue
The issue thread that the comment was made in.
:text
The body of the comment.
Display:
{'hint': 'text'}
:replyto
The comment that this comment is replying to.
:url
The URL where the comment is hosted.
:created
The time the comment was created.
:updated
The time the comment was updated.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:repo:remote
A remote repo that is tracked for changes/branches/etc.
The base type for the form can be found at it:dev:repo:remote.
- Properties:
name
type
doc
opts
:name
The name the repo is using for the remote repo.
Example:
origin
:url
The URL the repo is using to access the remote repo.
:repo
The repo that is tracking the remote repo.
:remote
The instance of the remote repo.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:repo:type:taxonomy
A version control system type taxonomy.
The base type for the form can be found at it:dev:repo:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:dev:str
A developer-selected string.
The base type for the form can be found at it:dev:str.
- Properties:
name
type
doc
:norm
lower:True
Lower case normalized version of the it:dev:str.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:domain
A logical boundary of authentication and configuration such as a windows domain.
The base type for the form can be found at it:domain.
- Properties:
name
type
doc
:name
The name of the domain.
:desc
A brief description of the domain.
:org
The org that operates the given domain.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:bind
An instance of a host binding a listening port.
The base type for the form can be found at it:exec:bind.
- Properties:
name
type
doc
:proc
The main process executing code that bound the listening port.
:host
The host running the process that bound the listening port. Typically the same host referenced in :proc, if present.
:exe
The specific file containing code that bound the listening port. May or may not be the same :exe specified in :proc, if present.
:time
The time the port was bound.
:server
The inet:addr of the server when binding the port.
:server:ipv4
The IPv4 address specified to bind().
:server:ipv6
The IPv6 address specified to bind().
:server:port
The bound (listening) TCP port.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:file:add
An instance of a host adding a file to a filesystem.
The base type for the form can be found at it:exec:file:add.
- Properties:
name
type
doc
opts
:proc
The main process executing code that created the new file.
:host
The host running the process that created the new file. Typically the same host referenced in :proc, if present.
:exe
The specific file containing code that created the new file. May or may not be the same :exe specified in :proc, if present.
:time
The time the file was created.
:path
The path where the file was created.
:path:dir
The parent directory of the file path (parsed from :path).
Read Only:
True
:path:ext
The file extension of the file name (parsed from :path).
Read Only:
True
:path:base
The final component of the file path (parsed from :path).
Read Only:
True
:file
The file that was created.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:file:del
An instance of a host deleting a file from a filesystem.
The base type for the form can be found at it:exec:file:del.
- Properties:
name
type
doc
opts
:proc
The main process executing code that deleted the file.
:host
The host running the process that deleted the file. Typically the same host referenced in :proc, if present.
:exe
The specific file containing code that deleted the file. May or may not be the same :exe specified in :proc, if present.
:time
The time the file was deleted.
:path
The path where the file was deleted.
:path:dir
The parent directory of the file path (parsed from :path).
Read Only:
True
:path:ext
The file extension of the file name (parsed from :path).
Read Only:
True
:path:base
The final component of the file path (parsed from :path).
Read Only:
True
:file
The file that was deleted.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:file:read
An instance of a host reading a file from a filesystem.
The base type for the form can be found at it:exec:file:read.
- Properties:
name
type
doc
opts
:proc
The main process executing code that read the file.
:host
The host running the process that read the file. Typically the same host referenced in :proc, if present.
:exe
The specific file containing code that read the file. May or may not be the same :exe specified in :proc, if present.
:time
The time the file was read.
:path
The path where the file was read.
:path:dir
The parent directory of the file path (parsed from :path).
Read Only:
True
:path:ext
The file extension of the file name (parsed from :path).
Read Only:
True
:path:base
The final component of the file path (parsed from :path).
Read Only:
True
:file
The file that was read.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:file:write
An instance of a host writing a file to a filesystem.
The base type for the form can be found at it:exec:file:write.
- Properties:
name
type
doc
opts
:proc
The main process executing code that wrote to / modified the existing file.
:host
The host running the process that wrote to the file. Typically the same host referenced in :proc, if present.
:exe
The specific file containing code that wrote to the file. May or may not be the same :exe specified in :proc, if present.
:time
The time the file was written to/modified.
:path
The path where the file was written to/modified.
:path:dir
The parent directory of the file path (parsed from :path).
Read Only:
True
:path:ext
The file extension of the file name (parsed from :path).
Read Only:
True
:path:base
The final component of the file path (parsed from :path).
Read Only:
True
:file
The file that was modified.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:loadlib
A library load event in a process.
The base type for the form can be found at it:exec:loadlib.
- Properties:
name
type
doc
:proc
The process where the library was loaded.
:va
The base memory address where the library was loaded in the process.
:loaded
The time the library was loaded.
:unloaded
The time the library was unloaded.
:path
The path that the library was loaded from.
:file
The library file that was loaded.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:mmap
A memory mapped segment located in a process.
The base type for the form can be found at it:exec:mmap.
- Properties:
name
type
doc
:proc
The process where the memory was mapped.
:va
The base memory address where the map was created in the process.
:size
The size of the memory map in bytes.
:perms:read
True if the mmap is mapped with read permissions.
:perms:write
True if the mmap is mapped with write permissions.
:perms:execute
True if the mmap is mapped with execute permissions.
:created
The time the memory map was created.
:deleted
The time the memory map was deleted.
:path
The file path if the mmap is a mapped view of a file.
:hash:sha256
A SHA256 hash of the memory map. Bytes may optionally be present in the axon.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:mutex
A mutex created by a process at runtime.
The base type for the form can be found at it:exec:mutex.
- Properties:
name
type
doc
:proc
The main process executing code that created the mutex.
:host
The host running the process that created the mutex. Typically the same host referenced in :proc, if present.
:exe
The specific file containing code that created the mutex. May or may not be the same :exe specified in :proc, if present.
:time
The time the mutex was created.
:name
The mutex string.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:pipe
A named pipe created by a process at runtime.
The base type for the form can be found at it:exec:pipe.
- Properties:
name
type
doc
:proc
The main process executing code that created the named pipe.
:host
The host running the process that created the named pipe. Typically the same host referenced in :proc, if present.
:exe
The specific file containing code that created the named pipe. May or may not be the same :exe specified in :proc, if present.
:time
The time the named pipe was created.
:name
The named pipe string.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:proc
A process executing on a host. May be an actual (e.g., endpoint) or virtual (e.g., malware sandbox) host.
The base type for the form can be found at it:exec:proc.
- Properties:
name
type
doc
opts
:host
The host that executed the process. May be an actual or a virtual / notional host.
:exe
The file considered the “main” executable for the process. For example, rundll32.exe may be considered the “main” executable for DLLs loaded by that program.
:cmd
The command string used to launch the process, including any command line parameters.
Display:
{'hint': 'text'}
:pid
The process ID.
:time
The start time for the process.
:name
The display name specified by the process.
:exited
The time the process exited.
:exitcode
The exit code for the process.
:user
The user name of the process owner.
Deprecated:
True
:account
The account of the process owner.
:path
The path to the executable of the process.
:path:base
The file basename of the executable of the process.
:src:exe
Deprecated. Create :src:proc and set :path.
Deprecated:
True
:src:proc
The process which created the process.
:killedby
The process which killed this process.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:query
An instance of an executed query.
The base type for the form can be found at it:exec:query.
- Properties:
name
type
doc
:text
The query string that was executed.
:opts
An opaque JSON object containing query parameters and options.
:api:url
The URL of the API endpoint the query was sent to.
:language
The name of the language that the query is expressed in.
:exe
The executable file which caused the activity.
:proc
The host process which caused the activity.
:thread
The host thread which caused the activity.
:host
The host on which the activity occurred.
:time
The time that the activity started.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:reg:del
An instance of a host deleting a registry key.
The base type for the form can be found at it:exec:reg:del.
- Properties:
name
type
doc
:proc
The main process executing code that deleted data from the registry.
:host
The host running the process that deleted data from the registry. Typically the same host referenced in :proc, if present.
:exe
The specific file containing code that deleted data from the registry. May or may not be the same :exe referenced in :proc, if present.
:time
The time the data from the registry was deleted.
:reg
The registry key or value that was deleted.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:reg:get
An instance of a host getting a registry key.
The base type for the form can be found at it:exec:reg:get.
- Properties:
name
type
doc
:proc
The main process executing code that read the registry.
:host
The host running the process that read the registry. Typically the same host referenced in :proc, if present.
:exe
The specific file containing code that read the registry. May or may not be the same :exe referenced in :proc, if present.
:time
The time the registry was read.
:reg
The registry key or value that was read.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:reg:set
An instance of a host creating or setting a registry key.
The base type for the form can be found at it:exec:reg:set.
- Properties:
name
type
doc
:proc
The main process executing code that wrote to the registry.
:host
The host running the process that wrote to the registry. Typically the same host referenced in :proc, if present.
:exe
The specific file containing code that wrote to the registry. May or may not be the same :exe referenced in :proc, if present.
:time
The time the registry was written to.
:reg
The registry key or value that was written to.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:thread
A thread executing in a process.
The base type for the form can be found at it:exec:thread.
- Properties:
name
type
doc
:proc
The process which contains the thread.
:created
The time the thread was created.
:exited
The time the thread exited.
:exitcode
The exit code or return value for the thread.
:src:proc
An external process which created the thread.
:src:thread
The thread which created this thread.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:exec:url
An instance of a host requesting a URL.
The base type for the form can be found at it:exec:url.
- Properties:
name
type
doc
:proc
The main process executing code that requested the URL.
:browser
The software version of the browser.
:host
The host running the process that requested the URL. Typically the same host referenced in :proc, if present.
:exe
The specific file containing code that requested the URL. May or may not be the same :exe specified in :proc, if present.
:time
The time the URL was requested.
:url
The URL that was requested.
:page:pdf
The rendered DOM saved as a PDF file.
:page:html
The rendered DOM saved as an HTML file.
:page:image
The rendered DOM saved as an image.
:http:request
The HTTP request made to retrieve the initial URL contents.
:client
The address of the client during the URL retrieval.
:client:ipv4
The IPv4 of the client during the URL retrieval.
:client:ipv6
The IPv6 of the client during the URL retrieval.
:client:port
The client port during the URL retrieval.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:fs:file
A file on a host.
The base type for the form can be found at it:fs:file.
- Properties:
name
type
doc
opts
:host
The host containing the file.
:path
The path for the file.
:path:dir
The parent directory of the file path (parsed from :path).
Read Only:
True
:path:ext
The file extension of the file name (parsed from :path).
Read Only:
True
:path:base
The final component of the file path (parsed from :path).
Read Only:
True
:file
The file on the host.
:ctime
The file creation time.
:mtime
The file modification time.
:atime
The file access time.
:user
The owner of the file.
:group
The group owner of the file.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:group
A GUID that represents a group on a host or network.
The base type for the form can be found at it:group.
- Properties:
name
type
doc
opts
:name
The name of the group.
:desc
A brief description of the group.
:host
The host where the group is registered.
:domain
The authentication domain where the group is registered.
:groups
Groups that are a member of this group.
:posix:gid
The primary group ID of the account.
Example:
1001
:windows:sid
The Microsoft Windows Security Identifier of the group.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:host
A GUID that represents a host or system.
The base type for the form can be found at it:host.
- Properties:
name
type
doc
opts
:name
The name of the host or system.
:desc
A free-form description of the host.
:domain
The authentication domain that the host is a member of.
:ipv4
The last known ipv4 address for the host.
:latlong
The last known location for the host.
:place
The place where the host resides.
:loc
The geo-political location string for the node.
:os
The operating system of the host.
:os:name
A software product name for the host operating system. Used for entity resolution.
:hardware
The hardware specification for this host.
:manu
Please use :hardware:make.
Deprecated:
True
:model
Please use :hardware:model.
Deprecated:
True
:serial
The serial number of the host.
:operator
The operator of the host.
:org
The org that operates the given host.
:ext:id
An external identifier for the host.
:keyboard:layout
The primary keyboard layout configured on the host.
:keyboard:language
The primary keyboard input language configured on the host.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:hostname
The name of a host or system.
The base type for the form can be found at it:hostname.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:hostsoft
A version of a software product which is present on a given host.
The base type for the form can be found at it:hostsoft.
- Properties:
name
type
doc
opts
:host
Host with the software.
Read Only:
True
:softver
Software on the host.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:hosturl
A url hosted on or served by a host or system.
The base type for the form can be found at it:hosturl.
- Properties:
name
type
doc
opts
:host
Host serving a url.
Read Only:
True
:url
URL available on the host.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:log:event
A GUID representing an individual log event.
The base type for the form can be found at it:log:event.
- Properties:
name
type
doc
opts
:mesg
The log message text.
:type
A taxonometric type for the log event.
Example:
windows.eventlog.securitylog
:severity
enums:((10, 'debug'), (20, 'info'), (30, 'notice'), (40, 'warning'), (50, 'err'), (60, 'crit'), (70, 'alert'), (80, 'emerg'))
A log level integer that increases with severity.
:data
A raw JSON record of the log event.
:ext:id
An external id that uniquely identifies this log entry.
:product
The software which produced the log entry.
:exe
The executable file which caused the activity.
:proc
The host process which caused the activity.
:thread
The host thread which caused the activity.
:host
The host on which the activity occurred.
:time
The time that the activity started.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:log:event:type:taxonomy
A taxonomy of log event types.
The base type for the form can be found at it:log:event:type:taxonomy.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:logon
A GUID that represents an individual logon/logoff event.
The base type for the form can be found at it:logon.
- Properties:
name
type
doc
:time
The time the logon occurred.
:success
Set to false to indicate an unsuccessful logon attempt.
:logoff:time
The time the logon session ended.
:host
The host that the account logged in to.
:account
The account that logged in.
:creds
The credentials that were used for the logon.
:duration
The duration of the logon session.
:client:host
The host where the logon originated.
:client:ipv4
The IPv4 where the logon originated.
:client:ipv6
The IPv6 where the logon originated.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:mitre:attack:group
A Mitre ATT&CK Group ID.
The base type for the form can be found at it:mitre:attack:group.
An example of it:mitre:attack:group
:
G0100
- Properties:
name
type
doc
opts
:org
Used to map an ATT&CK group to a synapse ou:org.
:name
The primary name for the ATT&CK group.
:names
An array of alternate names for the ATT&CK group.
:desc
A description of the ATT&CK group.
Display:
{'hint': 'text'}
:isnow
If deprecated, this field may contain the current value for the group.
:url
The URL that documents the ATT&CK group.
:tag
The synapse tag used to annotate nodes included in this ATT&CK group ID.
Example:
cno.mitre.g0100
:references
An array of URLs that document the ATT&CK group.
:techniques
An array of ATT&CK technique IDs used by the group.
:software
An array of ATT&CK software IDs used by the group.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:mitre:attack:mitigation
A Mitre ATT&CK Mitigation ID.
The base type for the form can be found at it:mitre:attack:mitigation.
An example of it:mitre:attack:mitigation
:
M1036
- Properties:
name
type
doc
opts
:name
strip:True
The primary name for the ATT&CK mitigation.
:matrix
The ATT&CK matrix which defines the mitigation.
:desc
strip:True
A description of the ATT&CK mitigation.
Display:
{'hint': 'text'}
:url
The URL that documents the ATT&CK mitigation.
:tag
The synapse tag used to annotate nodes included in this ATT&CK mitigation.
Example:
cno.mitre.m0100
:references
An array of URLs that document the ATT&CK mitigation.
:addresses
An array of ATT&CK technique IDs addressed by the mitigation.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:mitre:attack:software
A Mitre ATT&CK Software ID.
The base type for the form can be found at it:mitre:attack:software.
An example of it:mitre:attack:software
:
S0154
- Properties:
name
type
doc
opts
:software
Used to map an ATT&CK software to a synapse it:prod:soft.
:name
The primary name for the ATT&CK software.
:names
Associated names for the ATT&CK software.
:desc
strip:True
A description of the ATT&CK software.
Display:
{'hint': 'text'}
:isnow
If deprecated, this field may contain the current value for the software.
:url
The URL that documents the ATT&CK software.
:tag
The synapse tag used to annotate nodes included in this ATT&CK software.
Example:
cno.mitre.s0100
:references
An array of URLs that document the ATT&CK software.
:techniques
An array of techniques used by the software.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:mitre:attack:tactic
A Mitre ATT&CK Tactic ID.
The base type for the form can be found at it:mitre:attack:tactic.
An example of it:mitre:attack:tactic
:
TA0040
- Properties:
name
type
doc
opts
:name
strip:True
The primary name for the ATT&CK tactic.
:matrix
The ATT&CK matrix which defines the tactic.
:desc
A description of the ATT&CK tactic.
Display:
{'hint': 'text'}
:url
The URL that documents the ATT&CK tactic.
:tag
The synapse tag used to annotate nodes included in this ATT&CK tactic.
Example:
cno.mitre.ta0100
:references
An array of URLs that document the ATT&CK tactic.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:mitre:attack:technique
A Mitre ATT&CK Technique ID.
The base type for the form can be found at it:mitre:attack:technique.
An example of it:mitre:attack:technique
:
T1548
- Properties:
name
type
doc
opts
:name
strip:True
The primary name for the ATT&CK technique.
:matrix
The ATT&CK matrix which defines the technique.
:status
The status of this ATT&CK technique.
:isnow
If deprecated, this field may contain the current value for the technique.
:desc
strip:True
A description of the ATT&CK technique.
Display:
{'hint': 'text'}
:url
The URL that documents the ATT&CK technique.
:tag
The synapse tag used to annotate nodes included in this ATT&CK technique.
Example:
cno.mitre.t0100
:references
An array of URLs that document the ATT&CK technique.
:parent
The parent ATT&CK technique on this sub-technique.
:tactics
An array of ATT&CK tactics that include this technique.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:network
A GUID that represents a logical network.
The base type for the form can be found at it:network.
- Properties:
name
type
doc
:name
The name of the network.
:desc
A brief description of the network.
:org
The org that owns/operates the network.
:net4
The optional contiguous IPv4 address range of this network.
:net6
The optional contiguous IPv6 address range of this network.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:os:android:aaid
An android advertising identification string.
The base type for the form can be found at it:os:android:aaid.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:os:android:ibroadcast
The given software broadcasts the given Android intent.
The base type for the form can be found at it:os:android:ibroadcast.
- Properties:
name
type
doc
opts
:app
The app software which broadcasts the android intent.
Read Only:
True
:intent
The android intent which is broadcast by the app.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:os:android:ilisten
The given software listens for an android intent.
The base type for the form can be found at it:os:android:ilisten.
- Properties:
name
type
doc
opts
:app
The app software which listens for the android intent.
Read Only:
True
:intent
The android intent which is listened for by the app.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:os:android:intent
An android intent string.
The base type for the form can be found at it:os:android:intent.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:os:android:perm
An android permission string.
The base type for the form can be found at it:os:android:perm.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:os:android:reqperm
The given software requests the android permission.
The base type for the form can be found at it:os:android:reqperm.
- Properties:
name
type
doc
opts
:app
The android app which requests the permission.
Read Only:
True
:perm
The android permission requested by the app.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:os:ios:idfa
An iOS advertising identification string.
The base type for the form can be found at it:os:ios:idfa.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:prod:component
A specific instance of an it:prod:hardware most often as part of an it:host.
The base type for the form can be found at it:prod:component.
- Properties:
name
type
doc
:hardware
The hardware specification of this component.
:serial
The serial number of this component.
:host
The it:host which has this component installed.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:prod:hardware
A specification for a piece of IT hardware.
The base type for the form can be found at it:prod:hardware.
- Properties:
name
type
doc
opts
:name
The display name for this hardware specification.
:type
The type of hardware.
:desc
A brief description of the hardware.
Display:
{'hint': 'text'}
:cpe
The NIST CPE 2.3 string specifying this hardware.
:make
The name of the organization which manufactures this hardware.
:model
The model name or number for this hardware specification.
:version
Version string associated with this hardware specification.
:released
The initial release date for this hardware.
:parts
An array of it:prod:hardware parts included in this hardware specification.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:prod:hardwaretype
An IT hardware type taxonomy.
The base type for the form can be found at it:prod:hardwaretype.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:prod:soft
A software product.
The base type for the form can be found at it:prod:soft.
- Properties:
name
type
doc
opts
:name
Name of the software.
:type
The software type.
:names
Observed/variant names for this software.
:desc
A description of the software.
Display:
{'hint': 'text'}
:desc:short
lower:True
A short description of the software.
:cpe
The NIST CPE 2.3 string specifying this software.
:author
The contact information of the org or person who authored the software.
:author:org
Deprecated. Please use :author to link to a ps:contact.
Deprecated:
True
:author:acct
Deprecated. Please use :author to link to a ps:contact.
Deprecated:
True
:author:email
Deprecated. Please use :author to link to a ps:contact.
Deprecated:
True
:author:person
Deprecated. Please use :author to link to a ps:contact.
Deprecated:
True
:url
URL relevant for the software.
:isos
Set to True if the software is an operating system.
:islib
Set to True if the software is a library.
:techniques
Deprecated for scalability. Please use -(uses)> ou:technique.
Deprecated:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
it:prod:soft
-(uses)>
ou:technique
The software uses the technique.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:prod:soft:taxonomy
A software type taxonomy.
The base type for the form can be found at it:prod:soft:taxonomy.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:prod:softfile
A file is distributed by a specific software version.
The base type for the form can be found at it:prod:softfile.
- Properties:
name
type
doc
opts
:soft
The software which distributes the file.
Read Only:
True
:file
The file distributed by the software.
Read Only:
True
:path
The default installation path of the file.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:prod:softid
An identifier issued to a given host by a specific software application.
The base type for the form can be found at it:prod:softid.
- Properties:
name
type
doc
:id
The ID issued by the software to the host.
:host
The host which was issued the ID by the software.
:soft
The software which issued the ID to the host.
:soft:name
The name of the software which issued the ID to the host.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:prod:softlib
A software version contains a library software version.
The base type for the form can be found at it:prod:softlib.
- Properties:
name
type
doc
opts
:soft
The software version that contains the library.
Read Only:
True
:lib
The library software version.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:prod:softname
A software product name.
The base type for the form can be found at it:prod:softname.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:prod:softos
The software version is known to be compatible with the given os software version.
The base type for the form can be found at it:prod:softos.
- Properties:
name
type
doc
opts
:soft
The software which can run on the operating system.
Read Only:
True
:os
The operating system which the software can run on.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:prod:softreg
A registry entry is created by a specific software version.
The base type for the form can be found at it:prod:softreg.
- Properties:
name
type
doc
opts
:softver
The software which creates the registry entry.
Read Only:
True
:regval
The registry entry created by the software.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:prod:softver
A specific version of a software product.
The base type for the form can be found at it:prod:softver.
- Properties:
name
type
doc
opts
:software
Software associated with this version instance.
:software:name
Deprecated. Please use it:prod:softver:name.
Deprecated:
True
:name
Name of the software version.
:names
Observed/variant names for this software version.
:desc
A description of the software.
Display:
{'hint': 'text'}
:cpe
The NIST CPE 2.3 string specifying this software version.
:cves
A list of CVEs that apply to this software version.
:vers
Version string associated with this version instance.
:vers:norm
lower:True
Normalized version of the version string.
:arch
Software architecture.
:released
Timestamp for when this version of the software was released.
:semver
System normalized semantic version number.
:semver:major
Version major number.
:semver:minor
Version minor number.
:semver:patch
Version patch number.
:semver:pre
Semver prerelease string.
:semver:build
Semver build string.
:url
URL where a specific version of the software is available from.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:query
A unique query string.
The base type for the form can be found at it:query.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:reveng:filefunc
An instance of a function in an executable.
The base type for the form can be found at it:reveng:filefunc.
- Properties:
name
type
doc
opts
:function
The guid matching the function.
Read Only:
True
:file
The file that contains the function.
Read Only:
True
:va
The virtual address of the first codeblock of the function.
:rank
The function rank score used to evaluate if it exhibits interesting behavior.
:complexity
The complexity of the function.
:funccalls
Other function calls within the scope of the function.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:reveng:funcstr
A reference to a string inside a function.
The base type for the form can be found at it:reveng:funcstr.
- Properties:
name
type
doc
opts
:function
The guid matching the function.
Read Only:
True
:string
The string that the function references.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:reveng:function
A function inside an executable.
The base type for the form can be found at it:reveng:function.
- Properties:
name
type
doc
:name
The name of the function.
:description
Notes concerning the function.
:impcalls
Calls to imported library functions within the scope of the function.
:strings
An array of strings referenced within the function.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:reveng:impfunc
A function from an imported library.
The base type for the form can be found at it:reveng:impfunc.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:screenshot
A screenshot of a host.
The base type for the form can be found at it:screenshot.
- Properties:
name
type
doc
opts
:image
The image file.
:desc
A brief description of the screenshot.
Display:
{'hint': 'text'}
:exe
The executable file which caused the activity.
:proc
The host process which caused the activity.
:thread
The host thread which caused the activity.
:host
The host on which the activity occurred.
:time
The time that the activity started.
:sandbox:file
The initial sample given to a sandbox environment to analyze.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:sec:c2:config
An extracted C2 config from an executable.
The base type for the form can be found at it:sec:c2:config.
- Properties:
name
type
doc
:family
The name of the software family which uses the config.
:file
The file that the C2 config was extracted from.
:decoys
An array of URLs used as decoy connections to obfuscate the C2 servers.
:servers
An array of connection URLs built from host/port/passwd combinations.
:proxies
An array of proxy URLs used to communicate with the C2 server.
:listens
An array of listen URLs that the software should bind.
:dns:resolvers
type: inet:serverAn array of inet:servers to use when resolving DNS names.
:mutex
The mutex that the software uses to prevent multiple-installations.
:campaigncode
The operator selected string used to identify the campaign or group of targets.
:crypto:key
Static key material used to encrypt C2 communications.
:connect:delay
The time delay from first execution to connecting to the C2 server.
:connect:interval
The configured duration to sleep between connections to the C2 server.
:raw
A JSON blob containing the raw config extracted from the binary.
:http:headers
type: inet:http:headerAn array of HTTP headers that the sample should transmit to the C2 server.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:sec:cpe
A NIST CPE 2.3 Formatted String.
The base type for the form can be found at it:sec:cpe.
- Properties:
name
type
doc
opts
:v2_2
The CPE 2.2 string which is equivalent to the primary property.
:part
The “part” field from the CPE 2.3 string.
Read Only:
True
:vendor
The “vendor” field from the CPE 2.3 string.
Read Only:
True
:product
The “product” field from the CPE 2.3 string.
Read Only:
True
:version
The “version” field from the CPE 2.3 string.
Read Only:
True
:update
The “update” field from the CPE 2.3 string.
Read Only:
True
:edition
The “edition” field from the CPE 2.3 string.
Read Only:
True
:language
The “language” field from the CPE 2.3 string.
Read Only:
True
:sw_edition
The “sw_edition” field from the CPE 2.3 string.
Read Only:
True
:target_sw
The “target_sw” field from the CPE 2.3 string.
Read Only:
True
:target_hw
The “target_hw” field from the CPE 2.3 string.
Read Only:
True
:other
The “other” field from the CPE 2.3 string.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:sec:cve
A vulnerability as designated by a Common Vulnerabilities and Exposures (CVE) number.
The base type for the form can be found at it:sec:cve.
An example of it:sec:cve
:
cve-2012-0158
- Properties:
name
type
doc
opts
:desc
Deprecated. Please use risk:vuln:cve:desc.
Deprecated:
True
:url
Deprecated. Please use risk:vuln:cve:url.
Deprecated:
True
:references
Deprecated. Please use risk:vuln:cve:references.
Deprecated:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:sec:cwe
NIST NVD Common Weaknesses Enumeration Specification.
The base type for the form can be found at it:sec:cwe.
An example of it:sec:cwe
:
CWE-120
- Properties:
name
type
doc
opts
:name
The CWE description field.
Example:
Buffer Copy without Checking Size of Input (Classic Buffer Overflow)
:desc
The CWE description field.
Display:
{'hint': 'text'}
:url
A URL linking this CWE to a full description.
:parents
An array of ChildOf CWE Relationships.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:sec:metrics
A node used to track metrics of an organization’s infosec program.
The base type for the form can be found at it:sec:metrics.
- Properties:
name
type
doc
:org
The organization whose security program is being measured.
:org:name
The organization name. Used for entity resolution.
:org:fqdn
The organization FQDN. Used for entity resolution.
:period
The time period used to compute the metrics.
:alerts:meantime:triage
The mean time to triage alerts generated within the time period.
:alerts:count
The total number of alerts generated within the time period.
:alerts:falsepos
The number of alerts generated within the time period that were determined to be false positives.
:assets:hosts
The total number of hosts within scope for the information security program.
:assets:users
The total number of users within scope for the information security program.
:assets:vulns:count
The number of asset vulnerabilities being tracked at the end of the time period.
:assets:vulns:preexisting
The number of asset vulnerabilities being tracked at the beginning of the time period.
:assets:vulns:discovered
The number of asset vulnerabilities discovered during the time period.
:assets:vulns:mitigated
The number of asset vulnerabilities mitigated during the time period.
:assets:vulns:meantime:mitigate
The mean time to mitigate for vulnerable assets mitigated during the time period.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:sec:stix:bundle
A STIX bundle.
The base type for the form can be found at it:sec:stix:bundle.
- Properties:
name
type
doc
:id
The id field from the STIX bundle.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:sec:stix:indicator
A STIX indicator pattern.
The base type for the form can be found at it:sec:stix:indicator.
- Properties:
name
type
doc
:id
The STIX id field from the indicator pattern.
:name
The name of the STIX indicator pattern.
:pattern
The STIX indicator pattern text.
:created
The time that the indicator pattern was first created.
:updated
The time that the indicator pattern was last modified.
:labels
The label strings embedded in the STIX indicator pattern.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:sec:vuln:scan
An instance of running a vulnerability scan.
The base type for the form can be found at it:sec:vuln:scan.
- Properties:
name
type
doc
opts
:time
The time that the scan was started.
:desc
Description of the scan and scope.
Display:
{'hint': 'text'}
:ext:id
An externally generated ID for the scan.
:ext:url
An external URL which documents the scan.
:software
The scanning software used.
:software:name
The name of the scanner software.
:operator
Contact information for the scan operator.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
it:sec:vuln:scan:result
A vulnerability scan result for an asset.
The base type for the form can be found at it:sec:vuln:scan:result.
- Properties:
name
type
doc
:scan
The scan that discovered the vulnerability in the asset.
:vuln
The vulnerability detected in the asset.
:asset
The node which is vulnerable.
:desc
A description of the vulnerability and how it was detected in the asset.
:time
The time that the scan result was produced.
:ext:id
An externally generated ID for the scan result.
:ext:url
An external URL which documents the scan result.
:mitigation
The mitigation used to address this asset vulnerability.
:mitigated
The time that the vulnerability in the asset was mitigated.
:priority
The priority of mitigating the vulnerability.
:severity
The severity of the vulnerability in the asset. Use “none” for no vulnerability discovered.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
lang:idiom
Deprecated. Please use lang:translation.
The base type for the form can be found at lang:idiom.
- Properties:
name
type
doc
opts
:url
Authoritative URL for the idiom.
:desc:en
English description.
Display:
{'hint': 'text'}
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
lang:language
A specific written or spoken language.
The base type for the form can be found at lang:language.
- Properties:
name
type
doc
:code
The language code for this language.
:name
The primary name of the language.
:names
An array of alternative names for the language.
:skill
The skill used to annotate proficiency in the language.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
lang:name
A name used to refer to a language.
The base type for the form can be found at lang:name.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
lang:trans
Deprecated. Please use lang:translation.
The base type for the form can be found at lang:trans.
- Properties:
name
type
doc
opts
:text:en
English translation.
Display:
{'hint': 'text'}
:desc:en
English description.
Display:
{'hint': 'text'}
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
lang:translation
A translation of text from one language to another.
The base type for the form can be found at lang:translation.
- Properties:
name
type
doc
opts
:input
The input text.
Example:
hola
:input:lang
The input language code.
:output
The output text.
Example:
hi
:output:lang
The output language code.
:desc
A description of the meaning of the output.
Example:
A standard greeting
:engine
The translation engine version used.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
mat:item
A GUID assigned to a material object.
The base type for the form can be found at mat:item.
- Properties:
name
type
doc
:name
lower:True
The name of the material item.
:type
The taxonomy type of the item.
:spec
The specification which defines this item.
:place
The most recent place the item is known to reside.
:latlong
The last known lat/long location of the node.
:loc
The geo-political location string for the node.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
mat:itemimage
The base type for compound node fields.
The base type for the form can be found at mat:itemimage.
- Properties:
name
type
doc
opts
:item
The item contained within the image file.
Read Only:
True
:file
The file containing an image of the item.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
mat:spec
A GUID assigned to a material specification.
The base type for the form can be found at mat:spec.
- Properties:
name
type
doc
:name
lower:True
The name of the material specification.
:type
The taxonomy type for the specification.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
mat:specimage
The base type for compound node fields.
The base type for the form can be found at mat:specimage.
- Properties:
name
type
doc
opts
:spec
The spec contained within the image file.
Read Only:
True
:file
The file containing an image of the spec.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
media:news
A GUID for a news article or report.
The base type for the form can be found at media:news.
- Properties:
name
type
doc
opts
:url
The (optional) URL where the news was published.
Example:
http://cnn.com/news/mars-lander.html
:url:fqdn
The FQDN within the news URL.
Example:
cnn.com
:type
A taxonomy for the type of reporting or news.
:file
The (optional) file blob containing or published as the news.
:title
lower:True
Title/Headline for the news.
Example:mars lander reaches mars
Display:{'hint': 'text'}
:summary
A brief summary of the news item.
Example:lorum ipsum
Display:{'hint': 'text'}
:publisher
The organization which published the news.
:publisher:name
The name of the publishing org used to publish the news.
:published
The date the news item was published.
Example:
20161201180433
:updated
ismax:True
The last time the news item was updated.
Example:
20161201180433
:org
Deprecated. Please use :publisher:name.
Deprecated:
True
:author
Deprecated. Please use :authors array of ps:contact nodes.
Deprecated:
True
:authors
An array of authors of the news item.
:rss:feed
The RSS feed that published the news.
:ext:id
An external identifier specified by the publisher.
:topics
An array of relevant topics discussed in the report.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
media:news:taxonomy
A taxonomy of types or sources of news.
The base type for the form can be found at media:news:taxonomy.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
media:topic
A topic string.
The base type for the form can be found at media:topic.
- Properties:
name
type
doc
:desc
A brief description of the topic.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
meta:event
An analytically relevant event in a curated timeline.
The base type for the form can be found at meta:event.
- Properties:
name
type
doc
opts
:timeline
The timeline containing the event.
:title
A title for the event.
:summary
A prose summary of the event.
Display:
{'hint': 'text'}
:time
The time that the event occurred.
:duration
The duration of the event.
:type
Type of event.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
meta:event:taxonomy
A taxonomy of event types for meta:event nodes.
The base type for the form can be found at meta:event:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
meta:note
An analyst note about nodes linked with -(about)> edges.
The base type for the form can be found at meta:note.
- Properties:
name
type
doc
opts
:type
The note type.
:text
The analyst authored note text.
Display:
{'hint': 'text'}
:author
The contact information of the author.
:creator
The synapse user who authored the note.
:created
The time the note was created.
:updated
The time the note was updated.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
meta:note
-(about)>
*
The meta:note is about the target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
meta:note:type:taxonomy
An analyst note type taxonomy.
The base type for the form can be found at meta:note:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
meta:rule
A generic rule linked to matches with -(matches)> edges.
The base type for the form can be found at meta:rule.
- Properties:
name
type
doc
opts
:name
A name for the rule.
:desc
A description of the rule.
Display:
{'hint': 'text'}
:text
The text of the rule logic.
Display:
{'hint': 'text'}
:author
The contact information of the rule author.
:created
The time the rule was initially created.
:updated
The time the rule was most recently modified.
:url
A URL which documents the rule.
:ext:id
An external identifier for the rule.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:ruleset
-(has)>
meta:rule
The meta:ruleset includes the meta:rule.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
meta:ruleset
A set of rules linked with -(has)> edges.
The base type for the form can be found at meta:ruleset.
- Properties:
name
type
doc
opts
:name
A name for the ruleset.
:desc
A description of the ruleset.
Display:
{'hint': 'text'}
:author
The contact information of the ruleset author.
:created
The time the ruleset was initially created.
:updated
The time the ruleset was most recently modified.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
meta:ruleset
-(has)>
meta:rule
The meta:ruleset includes the meta:rule.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
meta:seen
Annotates that the data in a node was obtained from or observed by a given source.
The base type for the form can be found at meta:seen.
- Properties:
name
type
doc
opts
:source
The source which observed or provided the node.
Read Only:
True
:node
The node which was observed by or received from the source.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
meta:source
A data source unique identifier.
The base type for the form can be found at meta:source.
- Properties:
name
type
doc
:name
lower:True
A human friendly name for the source.
:type
lower:True
An optional type field used to group sources.
:url
A URL which documents the meta source.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
meta:source
-(seen)>
*
The meta:source observed the target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
meta:timeline
A curated timeline of analytically relevant events.
The base type for the form can be found at meta:timeline.
- Properties:
name
type
doc
opts
:title
A title for the timeline.
Example:
The history of the Vertex Project
:summary
A prose summary of the timeline.
Display:
{'hint': 'text'}
:type
The type of timeline.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
meta:timeline:taxonomy
A taxonomy of timeline types for meta:timeline nodes.
The base type for the form can be found at meta:timeline:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:attendee
A node representing a person attending a meeting, conference, or event.
The base type for the form can be found at ou:attendee.
- Properties:
name
type
doc
:person
The contact information for the person who attended the event.
:arrived
The time when the person arrived.
:departed
The time when the person departed.
:roles
List of the roles the person had at the event.
:meet
The meeting that the person attended.
:conference
The conference that the person attended.
:conference:event
The conference event that the person attended.
:contest
The contest that the person attended.
:preso
The presentation that the person attended.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:award
An award issued by an organization.
The base type for the form can be found at ou:award.
- Properties:
name
type
doc
opts
:name
The name of the award.
Example:
Bachelors of Science
:type
The type of award.
Example:
certification
:org
The organization which issues the award.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:campaign
Represents an org’s activity in pursuit of a goal.
The base type for the form can be found at ou:campaign.
- Properties:
name
type
doc
opts
:org
The org carrying out the campaign.
:org:name
The name of the org responsible for the campaign. Used for entity resolution.
:org:fqdn
The FQDN of the org responsible for the campaign. Used for entity resolution.
:goal
The assessed primary goal of the campaign.
:actors
Actors who participated in the campaign.
:goals
Additional assessed goals of the campaign.
:success
Records the success/failure status of the campaign if known.
:name
A terse name of the campaign.
Example:
operation overlord
:names
An array of alternate names for the campaign.
:reporter
The organization reporting on the campaign.
:reporter:name
The name of the organization reporting on the campaign.
:type
Deprecated. Use the :camptype taxonomy.
Deprecated:
True
:sophistication
The assessed sophistication of the campaign.
:timeline
A timeline of significant events related to the campaign.
:camptype
The campaign type taxonomy.
Display:
{'hint': 'taxonomy'}
:desc
A description of the campaign.
Display:
{'hint': 'text'}
:period
The time interval when the organization was running the campaign.
:cost
The actual cost to the organization.
:budget
The budget allocated by the organization to execute the campaign.
:currency
The currency used to record econ:price properties.
:goal:revenue
A goal for revenue resulting from the campaign.
:result:revenue
The revenue resulting from the campaign.
:goal:pop
A goal for the number of people affected by the campaign.
:result:pop
The count of people affected by the campaign.
:team
The org team responsible for carrying out the campaign.
:conflict
The conflict in which this campaign is a primary participant.
:techniques
Deprecated for scalability. Please use -(uses)> ou:technique.
Deprecated:
True
:tag
The tag used to annotate nodes that are associated with the campaign.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
ou:technique
The campaign used the technique.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:campname
A campaign name.
The base type for the form can be found at ou:campname.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:camptype
An campaign type taxonomy.
The base type for the form can be found at ou:camptype.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:conference
A conference with a name and sponsoring org.
The base type for the form can be found at ou:conference.
- Properties:
name
type
doc
opts
:org
The org which created/managed the conference.
:organizer
Contact information for the primary organizer of the conference.
:sponsors
An array of contacts which sponsored the conference.
:name
lower:True
The full name of the conference.
Example:
decfon 2017
:desc
lower:True
A description of the conference.
Example:annual cybersecurity conference
Display:{'hint': 'text'}
:base
The base name which is shared by all conference instances.
Example:
defcon
:start
The conference start date / time.
:end
The conference end date / time.
:place
The geo:place node where the conference was held.
:url
The inet:url node for the conference website.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:conference:attendee
Deprecated. Please use ou:attendee.
The base type for the form can be found at ou:conference:attendee.
- Properties:
name
type
doc
opts
:conference
The conference which was attended.
Read Only:
True
:person
The person who attended the conference.
Read Only:
True
:arrived
The time when a person arrived to the conference.
:departed
The time when a person departed from the conference.
:role:staff
The person worked as staff at the conference.
:role:speaker
The person was a speaker or presenter at the conference.
:roles
List of the roles the person had at the conference.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:conference:event
A conference event with a name and associated conference.
The base type for the form can be found at ou:conference:event.
- Properties:
name
type
doc
opts
:conference
The conference to which the event is associated.
Read Only:
True
:organizer
Contact information for the primary organizer of the event.
:sponsors
An array of contacts which sponsored the event.
:place
The geo:place where the event occurred.
:name
lower:True
The name of the conference event.
Example:
foobar conference dinner
:desc
lower:True
A description of the conference event.
Example:foobar conference networking dinner at ridge hotel
Display:{'hint': 'text'}
:url
The inet:url node for the conference event website.
:contact
Contact info for the event.
:start
The event start date / time.
:end
The event end date / time.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:conference:event:attendee
Deprecated. Please use ou:attendee.
The base type for the form can be found at ou:conference:event:attendee.
- Properties:
name
type
doc
opts
:event
The conference event which was attended.
Read Only:
True
:person
The person who attended the conference event.
Read Only:
True
:arrived
The time when a person arrived to the conference event.
:departed
The time when a person departed from the conference event.
:roles
List of the roles the person had at the conference event.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:conflict
Represents a conflict where two or more campaigns have mutually exclusive goals.
The base type for the form can be found at ou:conflict.
- Properties:
name
type
doc
:name
onespace:True
The name of the conflict.
:started
The time the conflict began.
:ended
The time the conflict ended.
:timeline
A timeline of significant events related to the conflict.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:contest
A competitive event resulting in a ranked set of participants.
The base type for the form can be found at ou:contest.
- Properties:
name
type
doc
opts
:name
The name of the contest.
Example:
defcon ctf 2020
:type
The type of contest.
Example:
cyber ctf
:family
A name for a series of recurring contests.
Example:
defcon ctf
:desc
lower:True
A description of the contest.
Example:the capture-the-flag event hosted at defcon 2020
Display:{'hint': 'text'}
:url
The contest website URL.
:start
The contest start date / time.
:end
The contest end date / time.
:loc
The geopolitical affiliation of the contest.
:place
The geo:place where the contest was held.
:latlong
The latlong where the contest was held.
:conference
The conference that the contest is associated with.
:contests
An array of sub-contests that contributed to the rankings.
:sponsors
Contact information for contest sponsors.
:organizers
Contact information for contest organizers.
:participants
Contact information for contest participants.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:contest:result
The results from a single contest participant.
The base type for the form can be found at ou:contest:result.
- Properties:
name
type
doc
opts
:contest
The contest.
Read Only:
True
:participant
The participant.
Read Only:
True
:rank
The rank order of the participant.
:score
The score of the participant.
:url
The contest result website URL.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:contract
An contract between multiple entities.
The base type for the form can be found at ou:contract.
- Properties:
name
type
doc
opts
:title
A terse title for the contract.
:type
The type of contract.
:sponsor
The contract sponsor.
:parties
The non-sponsor entities bound by the contract.
:document
The best/current contract document.
:signed
The date that the contract signing was complete.
:begins
The date that the contract goes into effect.
:expires
The date that the contract expires.
:completed
The date that the contract was completed.
:terminated
The date that the contract was terminated.
:award:price
The value of the contract at time of award.
:budget:price
The amount of money budgeted for the contract.
:currency
The currency of the econ:price values.
:purchase
Purchase details of the contract.
:requirements
The requirements levied upon the parties.
:types
A list of types that apply to the contract.
Deprecated:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:contribution
Represents a specific instance of contributing material support to a campaign.
The base type for the form can be found at ou:contribution.
- Properties:
name
type
doc
:from
The contact information of the contributor.
:campaign
The campaign receiving the contribution.
:value
The assessed value of the contribution.
:currency
The currency used for the assessed value.
:time
The time the contribution occurred.
:material:spec
The specification of material items contributed.
:material:count
The number of material items contributed.
:monetary:payment
Payment details for a monetary contribution.
:personnel:count
Number of personnel contributed to the campaign.
:personnel:jobtitle
Title or designation for the contributed personnel.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:conttype
A contract type taxonomy.
The base type for the form can be found at ou:conttype.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:employment
An employment type taxonomy.
The base type for the form can be found at ou:employment.
An example of ou:employment
:
fulltime.salary
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:goal
An assessed or stated goal which may be abstract or org specific.
The base type for the form can be found at ou:goal.
- Properties:
name
type
doc
opts
:name
A terse name for the goal.
:names
An array of alternate names for the goal. Used to merge/resolve goals.
:type
A type taxonomy entry for the goal.
:desc
A description of the goal.
Display:
{'hint': 'text'}
:prev
Deprecated. Please use ou:goal:type taxonomy.
Deprecated:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:goal:type:taxonomy
A taxonomy of goal types.
The base type for the form can be found at ou:goal:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:goalname
A goal name.
The base type for the form can be found at ou:goalname.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:hasalias
The knowledge that an organization has an alias.
The base type for the form can be found at ou:hasalias.
- Properties:
name
type
doc
opts
:org
The org guid which has the alias.
Read Only:
True
:alias
Alias for the organization.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:hasgoal
Deprecated. Please use ou:org:goals.
The base type for the form can be found at ou:hasgoal.
- Properties:
name
type
doc
opts
:org
The org which has the goal.
Read Only:
True
:goal
The goal which the org has.
Read Only:
True
:stated
Set to true/false if the goal is known to be self stated.
:window
Set if a goal has a limited time window.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:id:number
A unique id number issued by a specific organization.
The base type for the form can be found at ou:id:number.
- Properties:
name
type
doc
opts
:type
The type of org id.
Read Only:
True
:value
The value of org id.
Read Only:
True
:status
A freeform status such as valid, suspended, expired.
:issued
The time at which the org issued the ID number.
:expires
The time at which the ID number expires.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:id:type
A type of id number issued by an org.
The base type for the form can be found at ou:id:type.
- Properties:
name
type
doc
:org
The org which issues id numbers of this type.
:name
The friendly name of the id number type.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:id:update
A status update to an org:id:number.
The base type for the form can be found at ou:id:update.
- Properties:
name
type
doc
:number
The id number that was updated.
:status
The updated status of the id number.
:time
The date/time that the id number was updated.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:industry
An industry classification type.
The base type for the form can be found at ou:industry.
- Properties:
name
type
doc
opts
:name
The name of the industry.
:type
An taxonomy entry for the industry.
:names
An array of alternative names for the industry.
:subs
Deprecated. Please use ou:industry:type taxonomy.
:sic
An array of SIC codes that map to the industry.
:naics
An array of NAICS codes that map to the industry.
:isic
An array of ISIC codes that map to the industry.
:desc
A description of the industry.
Display:
{'hint': 'text'}
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
ou:industry
The attack targeted the industry.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
ou:industry
The threat cluster targets the industry.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:industryname
The name of an industry.
The base type for the form can be found at ou:industryname.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:jobtitle
A title for a position within an org.
The base type for the form can be found at ou:jobtitle.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:jobtype
A taxonomy of job types.
The base type for the form can be found at ou:jobtype.
An example of ou:jobtype
:
it.dev.python
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:meet
An informal meeting of people which has no title or sponsor. See also: ou:conference.
The base type for the form can be found at ou:meet.
- Properties:
name
type
doc
:name
lower:True
A human friendly name for the meeting.
:start
The date / time the meet starts.
:end
The date / time the meet ends.
:place
The geo:place node where the meet was held.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:meet:attendee
Deprecated. Please use ou:attendee.
The base type for the form can be found at ou:meet:attendee.
- Properties:
name
type
doc
opts
:meet
The meeting which was attended.
Read Only:
True
:person
The person who attended the meeting.
Read Only:
True
:arrived
The time when a person arrived to the meeting.
:departed
The time when a person departed from the meeting.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:member
Deprecated. Please use ou:position.
The base type for the form can be found at ou:member.
- Properties:
name
type
doc
opts
:org
The GUID of the org the person is a member of.
Read Only:
True
:person
The GUID of the person that is a member of an org.
Read Only:
True
:title
The persons normalized title.
:start
ismin:True
Earliest known association of the person with the org.
:end
ismax:True
Most recent known association of the person with the org.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:name
The name of an organization. This may be a formal name or informal name of the organization.
The base type for the form can be found at ou:name.
An example of ou:name
:
acme corporation
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:opening
A job/work opening within an org.
The base type for the form can be found at ou:opening.
- Properties:
name
type
doc
:org
The org which has the opening.
:orgname
The name of the organization as listed in the opening.
:orgfqdn
The FQDN of the organization as listed in the opening.
:posted
The date/time that the job opening was posted.
:removed
The date/time that the job opening was removed.
:postings
URLs where the opening is listed.
:contact
The contact details to inquire about the opening.
:loc
The geopolitical boundary of the opening.
:jobtype
The job type taxonomy.
:employment
The type of employment.
:jobtitle
The title of the opening.
:remote
Set to true if the opening will allow a fully remote worker.
:yearlypay
The yearly income associated with the opening.
:paycurrency
The currency that the yearly pay was delivered in.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:org
A GUID for a human organization such as a company or military unit.
The base type for the form can be found at ou:org.
- Properties:
name
type
doc
opts
:loc
Location for an organization.
:name
The localized name of an organization.
:type
The type of organization.
Deprecated:
True
:orgtype
The type of organization.
Display:
{'hint': 'taxonomy'}
:vitals
The most recent/accurate ou:vitals for the org.
:desc
A description of the org.
Display:
{'hint': 'text'}
:logo
An image file representing the logo for the organization.
:names
A list of alternate names for the organization.
:alias
The default alias for an organization.
:phone
The primary phone number for the organization.
:sic
The Standard Industrial Classification code for the organization.
Deprecated:
True
:naics
The North American Industry Classification System code for the organization.
Deprecated:
True
:industries
The industries associated with the org.
:us:cage
The Commercial and Government Entity (CAGE) code for the organization.
:founded
The date on which the org was founded.
:dissolved
The date on which the org was dissolved.
:url
The primary url for the organization.
:subs
An set of sub-organizations.
:orgchart
The root node for an orgchart made up ou:position nodes.
:hq
A collection of contact information for the “main office” of an org.
:locations
An array of contacts for facilities operated by the org.
:country
The organization’s country of origin.
:country:code
The 2 digit ISO 3166 country code for the organization’s country of origin.
:dns:mx
An array of MX domains used by email addresses issued by the org.
:techniques
Deprecated for scalability. Please use -(uses)> ou:technique.
Deprecated:
True
:goals
The assessed goals of the organization.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
ou:technique
The org uses the technique.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:org:has
An org owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.
The base type for the form can be found at ou:org:has.
- Properties:
name
type
doc
opts
:org
The org who owns or controls the object or resource.
Read Only:
True
:node
The object or resource that is owned or controlled by the org.
Read Only:
True
:node:form
The form of the object or resource that is owned or controlled by the org.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:orgnet4
An organization’s IPv4 netblock.
The base type for the form can be found at ou:orgnet4.
- Properties:
name
type
doc
opts
:org
The org guid which owns the netblock.
Read Only:
True
:net
Netblock owned by the organization.
Read Only:
True
:name
The name that the organization assigns to this netblock.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:orgnet6
An organization’s IPv6 netblock.
The base type for the form can be found at ou:orgnet6.
- Properties:
name
type
doc
opts
:org
The org guid which owns the netblock.
Read Only:
True
:net
Netblock owned by the organization.
Read Only:
True
:name
The name that the organization assigns to this netblock.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:orgtype
An org type taxonomy.
The base type for the form can be found at ou:orgtype.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:position
A position within an org. May be organized into an org chart.
The base type for the form can be found at ou:position.
- Properties:
name
type
doc
:org
The org which has the position.
:team
The team that the position is a member of.
:contact
The contact info for the person who holds the position.
:title
The title of the position.
:reports
An array of positions which report to this position.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:preso
A webinar, conference talk, or other type of presentation.
The base type for the form can be found at ou:preso.
- Properties:
name
type
doc
opts
:organizer
Contact information for the primary organizer of the presentation.
:sponsors
A set of contacts which sponsored the presentation.
:presenters
A set of contacts which gave the presentation.
:title
lower:True
The full name of the presentation.
Example:
Synapse 101 - 2021/06/22
:desc
lower:True
A description of the presentation.
Display:
{'hint': 'text'}
:time
The scheduled presentation start time.
:duration
The scheduled duration of the presentation.
:loc
The geopolitical location string for where the presentation was given.
:place
The geo:place node where the presentation was held.
:deck:url
The URL hosting a copy of the presentation materials.
:deck:file
A file containing the presentation materials.
:attendee:url
The URL visited by live attendees of the presentation.
:recording:url
The URL hosting a recording of the presentation.
:recording:file
A file containing a recording of the presentation.
:conference
The conference which hosted the presentation.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:suborg
Any parent/child relationship between two orgs. May represent ownership, organizational structure, etc.
The base type for the form can be found at ou:suborg.
- Properties:
name
type
doc
opts
:org
The org which owns the sub organization.
Read Only:
True
:sub
The sub org which owned by the org.
Read Only:
True
:perc
The optional percentage of sub which is owned by org.
:founded
The date on which the suborg relationship was founded.
:dissolved
The date on which the suborg relationship was dissolved.
:current
Bool indicating if the suborg relationship still current.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:team
A GUID for a team within an organization.
The base type for the form can be found at ou:team.
- Properties:
name
type
doc
:org
A GUID for a human organization such as a company or military unit.
:name
The name of an organization. This may be a formal name or informal name of the organization.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:technique
A specific technique used to achieve a goal.
The base type for the form can be found at ou:technique.
- Properties:
name
type
doc
opts
:name
The normalized name of the technique.
:type
The taxonomy classification of the technique.
:sophistication
The assessed sophistication of the technique.
:desc
A description of the technique.
Display:
{'hint': 'text'}
:tag
The tag used to annotate nodes where the technique was employed.
:mitre:attack:technique
A mapping to a Mitre ATT&CK technique if applicable.
:reporter
The organization reporting on the technique.
:reporter:name
The name of the organization reporting on the technique.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
it:prod:soft
-(uses)>
ou:technique
The software uses the technique.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
ou:technique
The campaign used the technique.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
ou:technique
The org uses the technique.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
ou:technique
The attackers used the technique in the attack.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:compromise
-(uses)>
ou:technique
The attackers used the technique in the compromise.
risk:mitigation
-(addresses)>
ou:technique
The mitigation addresses the technique.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
ou:technique
The threat cluster uses the technique.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
ou:technique
The tool uses the technique.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:technique:taxonomy
An analyst defined taxonomy to classify techniques in different disciplines.
The base type for the form can be found at ou:technique:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:user
A user name within an organization.
The base type for the form can be found at ou:user.
- Properties:
name
type
doc
opts
:org
The org guid which owns the netblock.
Read Only:
True
:user
The username associated with the organization.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ou:vitals
Vital statistics about an org for a given time period.
The base type for the form can be found at ou:vitals.
- Properties:
name
type
doc
:asof
The time that the vitals represent.
:org
The resolved org.
:orgname
The org name as reported by the source of the vitals.
:orgfqdn
The org FQDN as reported by the source of the vitals.
:currency
The currency of the econ:price values.
:costs
The costs/expenditures over the period.
:revenue
The gross revenue over the period.
:profit
The net profit over the period.
:valuation
The assessed value of the org.
:shares
The number of shares outstanding.
:population
The population of the org.
:delta:costs
The change in costs over last period.
:delta:revenue
The change in revenue over last period.
:delta:profit
The change in profit over last period.
:delta:valuation
The change in valuation over last period.
:delta:population
The change in population over last period.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
pol:candidate
A candidate for office in a specific race.
The base type for the form can be found at pol:candidate.
- Properties:
name
type
doc
:contact
The contact information of the candidate.
:race
The race the candidate is participating in.
:campaign
The official campaign to elect the candidate.
:winner
Records the outcome of the race.
:party
The declared political party of the candidate.
:incumbent
Set to true if the candidate is an incumbent in this race.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
pol:country
A GUID for a country.
The base type for the form can be found at pol:country.
- Properties:
name
type
doc
opts
:flag
A thumbnail image of the flag of the country.
:iso2
The 2 digit ISO 3166 country code.
:iso3
The 3 digit ISO 3166 country code.
:isonum
The ISO integer country code.
:pop
Deprecated. Please use :vitals::population.
Deprecated:
True
:tld
A Fully Qualified Domain Name (FQDN).
:name
The name of the country.
:names
An array of alternate or localized names for the country.
:government
The ou:org node which represents the government of the country.
:place
A geo:place node representing the geospatial properties of the country.
:founded
The date that the country was founded.
:dissolved
The date that the country was dissolved.
:vitals
The most recent known vitals for the country.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
pol:election
An election involving one or more races for office.
The base type for the form can be found at pol:election.
- Properties:
name
type
doc
opts
:name
The name of the election.
Example:
2022 united states congressional midterm election
:time
The date of the election.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
pol:immigration:status
A node which tracks the immigration status of a contact.
The base type for the form can be found at pol:immigration:status.
- Properties:
name
type
doc
opts
:contact
The contact information for the immigration status record.
:country
The country that the contact is/has immigrated to.
:type
A taxonomy entry for the immigration status type.
Example:
citizen.naturalized
:state
enums:requested,active,rejected,revoked,renounced
The state of the immigration status.
:began
The time when the status was granted to the contact.
:ended
The time when the status no longer applied to the contact.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
pol:immigration:status:type:taxonomy
A taxonomy of immigration types.
The base type for the form can be found at pol:immigration:status:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
pol:office
An elected or appointed office.
The base type for the form can be found at pol:office.
- Properties:
name
type
doc
opts
:title
The title of the political office.
Example:
united states senator
:position
The position this office holds in the org chart for the governing body.
:termlimit
The maximum number of times a single person may hold the office.
:govbody
The governmental body which contains the office.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
pol:pollingplace
An official place where ballots may be cast for a specific election.
The base type for the form can be found at pol:pollingplace.
- Properties:
name
type
doc
:election
The election that the polling place is designated for.
:name
The name of the polling place at the time of the election. This may differ from the official place name.
:place
The place where votes were cast.
:opens
The time that the polling place is scheduled to open.
:closes
The time that the polling place is scheduled to close.
:opened
The time that the polling place opened.
:closed
The time that the polling place closed.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
pol:race
An individual race for office.
The base type for the form can be found at pol:race.
- Properties:
name
type
doc
:election
The election that includes the race.
:office
The political office that the candidates in the race are running for.
:voters
The number of eligible voters for this race.
:turnout
The number of individuals who voted in this race.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
pol:term
A term in office held by a specific individual.
The base type for the form can be found at pol:term.
- Properties:
name
type
doc
:office
The office held for the term.
:start
The start of the term of office.
:end
The end of the term of office.
:race
The race that determined who held office during the term.
:contact
The contact information of the person who held office during the term.
:party
The political party of the person who held office during the term.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
pol:vitals
A set of vital statistics about a country.
The base type for the form can be found at pol:vitals.
- Properties:
name
type
doc
:country
The country that the statistics are about.
:asof
The time that the vitals were measured.
:area
The area of the country.
:population
The total number of people living in the country.
:currency
The national currency.
:econ:currency
The currency used to record price properties.
:econ:gdp
The gross domestic product of the country.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
proj:attachment
A file attachment added to a ticket or comment.
The base type for the form can be found at proj:attachment.
- Properties:
name
type
doc
:name
The name of the file that was attached.
:file
The file that was attached.
:creator
The synapse user who added the attachment.
:created
The time the attachment was added.
:ticket
The ticket the attachment was added to.
:comment
The comment the attachment was added to.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
proj:comment
A user comment on a ticket.
The base type for the form can be found at proj:comment.
- Properties:
name
type
doc
:creator
The synapse user who added the comment.
:created
The time the comment was added.
:updated
ismax:True
The last time the comment was updated.
:ticket
The ticket the comment was added to.
:text
The text of the comment.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
proj:epic
A collection of tickets related to a topic.
The base type for the form can be found at proj:epic.
- Properties:
name
type
doc
:name
onespace:True
The name of the epic.
:project
The project containing the epic.
:creator
The synapse user who created the epic.
:created
The time the epic was created.
:updated
ismax:True
The last time the epic was updated.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
proj:project
A project in a ticketing system.
The base type for the form can be found at proj:project.
- Properties:
name
type
doc
opts
:name
The project name.
:desc
The project description.
Display:
{'hint': 'text'}
:creator
The synapse user who created the project.
:created
The time the project was created.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
proj:sprint
A timeboxed period to complete a set amount of work.
The base type for the form can be found at proj:sprint.
- Properties:
name
type
doc
:name
The name of the sprint.
:status
enums:planned,current,completed
The sprint status.
:project
The project containing the sprint.
:creator
The synapse user who created the sprint.
:created
The date the sprint was created.
:period
The interval for the sprint.
:desc
A description of the sprint.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
proj:ticket
A ticket in a ticketing system.
The base type for the form can be found at proj:ticket.
- Properties:
name
type
doc
:project
The project containing the ticket.
:ext:id
strip:True
A ticket ID from an external system.
:ext:url
A URL to the ticket in an external system.
:ext:creator
Ticket creator contact information from an external system.
:epic
The epic that includes the ticket.
:created
The time the ticket was created.
:updated
ismax:True
The last time the ticket was updated.
:name
onespace:True
The name of the ticket.
:desc
A description of the ticket.
:points
Optional SCRUM style story points value.
:status
enums:((0, 'new'), (10, 'in validation'), (20, 'in backlog'), (30, 'in sprint'), (40, 'in progress'), (50, 'in review'), (60, 'completed'), (70, 'done'), (80, 'blocked'))
The ticket completion status.
:sprint
The sprint that contains the ticket.
:priority
enums:((0, 'none'), (10, 'lowest'), (20, 'low'), (30, 'medium'), (40, 'high'), (50, 'highest'))
The priority of the ticket.
:type
The type of ticket. (eg story / bug).
:creator
The synapse user who created the ticket.
:assignee
The synapse user who the ticket is assigned to.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:achievement
An instance of an individual receiving an award.
The base type for the form can be found at ps:achievement.
- Properties:
name
type
doc
:awardee
The recipient of the award.
:award
The award bestowed on the awardee.
:awarded
The date the award was granted to the awardee.
:expires
The date the award or certification expires.
:revoked
The date the award was revoked by the org.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:contact
A GUID for a contact info record.
The base type for the form can be found at ps:contact.
- Properties:
name
type
doc
opts
:org
The org which this contact represents.
:type
The type of contact which may be used for entity resolution.
:asof
A date/time value.
date:
The time this contact was created or modified.
:person
The ps:person GUID which owns this contact.
:vitals
The most recent known vitals for the contact.
:name
The person name listed for the contact.
:desc
A description of this contact.
:title
The job/org title listed for this contact.
:photo
The photo listed for this contact.
:orgname
The listed org/company name for this contact.
:orgfqdn
The listed org/company FQDN for this contact.
:user
The username or handle for this contact.
:web:acct
The social media account for this contact.
:web:group
A web group representing this contact.
:birth:place
A fully resolved place of birth for this contact.
:birth:place:loc
The loc of the place of birth of this contact.
:birth:place:name
The name of the place of birth of this contact.
:death:place
A fully resolved place of death for this contact.
:death:place:loc
The loc of the place of death of this contact.
:death:place:name
The name of the place of death of this contact.
:dob
The date of birth for this contact.
:dod
The date of death for this contact.
:url
The home or main site for this contact.
The main email address for this contact.
:email:work
The work email address for this contact.
:loc
Best known contact geopolitical location.
:address
The street address listed for the contact.
Display:
{'hint': 'text'}
:place
The place associated with this contact.
:place:name
The reported name of the place associated with this contact.
:phone
The main phone number for this contact.
:phone:fax
The fax number for this contact.
:phone:work
The work phone number for this contact.
:id:number
An ID number issued by an org and associated with this contact.
:adid
A Advertising ID associated with this contact.
:imid
An IMID associated with the contact.
:imid:imei
An IMEI associated with the contact.
:imid:imsi
An IMSI associated with the contact.
:names
An array of associated names/aliases for the person.
:orgnames
An array of associated names/aliases for the organization.
:emails
An array of secondary/associated email addresses.
:web:accts
An array of secondary/associated web accounts.
:id:numbers
An array of secondary/associated IDs.
:users
An array of secondary/associated user names.
:crypto:address
A crypto currency address associated with the contact.
:lang
The language specified for the contact.
:langs
type: lang:languageAn array of alternative languages specified for the contact.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:contact:type:taxonomy
A taxonomy of contact types.
The base type for the form can be found at ps:contact:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:contactlist
A GUID for a list of associated contacts.
The base type for the form can be found at ps:contactlist.
- Properties:
name
type
doc
:contacts
The array of contacts contained in the list.
:source:host
The host from which the contact list was extracted.
:source:file
The file from which the contact list was extracted.
:source:acct
The web account from which the contact list was extracted.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:education
A period of education for an individual.
The base type for the form can be found at ps:education.
- Properties:
name
type
doc
:student
The contact of the person being educated.
:institution
The contact info for the org providing educational services.
:attended:first
The first date the student attended a class.
:attended:last
The last date the student attended a class.
:classes
The classes attended by the student.
:achievement
The achievement awarded to the individual.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:name
An arbitrary, lower spaced string with normalized whitespace.
The base type for the form can be found at ps:name.
An example of ps:name
:
robert grey
- Properties:
name
type
doc
:sur
The surname part of the name.
:middle
The middle name part of the name.
:given
The given name part of the name.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:person
A GUID for a person.
The base type for the form can be found at ps:person.
- Properties:
name
type
doc
opts
:dob
The date on which the person was born.
:dod
The date on which the person died.
:img
Deprecated: use ps:person:photo.
Deprecated:
True
:photo
The primary image of a person.
:nick
A username commonly used by the person.
:vitals
The most recent known vitals for the person.
:name
The localized name for the person.
:name:sur
The surname of the person.
:name:middle
The middle name of the person.
:name:given
The given name of the person.
:names
Variations of the name for the person.
:nicks
Usernames used by the person.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:person:has
A person owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.
The base type for the form can be found at ps:person:has.
- Properties:
name
type
doc
opts
:person
The person who owns or controls the object or resource.
Read Only:
True
:node
The object or resource that is owned or controlled by the person.
Read Only:
True
:node:form
The form of the object or resource that is owned or controlled by the person.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:persona
A GUID for a suspected person.
The base type for the form can be found at ps:persona.
- Properties:
name
type
doc
:person
The real person behind the persona.
:dob
The Date of Birth (DOB) if known.
:img
The primary image of a suspected person.
:nick
A username commonly used by the suspected person.
:name
The localized name for the suspected person.
:name:sur
The surname of the suspected person.
:name:middle
The middle name of the suspected person.
:name:given
The given name of the suspected person.
:names
Variations of the name for a persona.
:nicks
Usernames used by the persona.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:persona:has
A persona owns, controls, or has exclusive use of an object or resource, potentially during a specific period of time.
The base type for the form can be found at ps:persona:has.
- Properties:
name
type
doc
opts
:persona
The persona who owns or controls the object or resource.
Read Only:
True
:node
The object or resource that is owned or controlled by the persona.
Read Only:
True
:node:form
The form of the object or resource that is owned or controlled by the persona.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:proficiency
The assessment that a given contact possesses a specific skill.
The base type for the form can be found at ps:proficiency.
- Properties:
name
type
doc
:skill
The skill in which the contact is proficient.
:contact
The contact which is proficient in the skill.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:skill
A specific skill which a person or organization may have.
The base type for the form can be found at ps:skill.
- Properties:
name
type
doc
:name
The name of the skill.
:type
The type of skill as a taxonomy.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:skill:type:taxonomy
A taxonomy of skill types.
The base type for the form can be found at ps:skill:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:tokn
A single name element (potentially given or sur).
The base type for the form can be found at ps:tokn.
An example of ps:tokn
:
robert
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:vitals
Statistics and demographic data about a person or contact.
The base type for the form can be found at ps:vitals.
- Properties:
name
type
doc
:asof
The time the vitals were gathered or computed.
:contact
The contact that the vitals are about.
:person
The person that the vitals are about.
:height
The height of the person or contact.
:weight
The weight of the person or contact.
:econ:currency
The currency that the price values are recorded using.
:econ:net:worth
The net worth of the contact.
:econ:annual:income
The yearly income of the contact.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
ps:workhist
A GUID representing entry in a contact’s work history.
The base type for the form can be found at ps:workhist.
- Properties:
name
type
doc
:contact
The contact which has the work history.
:org
The org that this work history orgname refers to.
:orgname
The reported name of the org the contact worked for.
:orgfqdn
The reported fqdn of the org the contact worked for.
:jobtype
The type of job.
:employment
The type of employment.
:jobtitle
The job title.
:started
The date that the contact began working.
:ended
The date that the contact stopped working.
:duration
The duration of the period of work.
:pay
The estimated/average yearly pay for the work.
:currency
The currency that the yearly pay was delivered in.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:alert
An instance of an alert which indicates the presence of a risk.
The base type for the form can be found at risk:alert.
- Properties:
name
type
doc
opts
:type
A type for the alert, as a taxonomy entry.
:name
A brief name for the alert.
:desc
A free-form description / overview of the alert.
Display:
{'hint': 'text'}
:benign
Set to true if the alert has been confirmed benign. Set to false if malicious.
:priority
A numeric value used to rank alerts by priority.
:verdict
A verdict about why the alert is malicious or benign, as a taxonomy entry.
Example:
benign.false_positive
:engine
The software that generated the alert.
:detected
The time the alerted condition was detected.
:vuln
The optional vulnerability that the alert indicates.
:attack
A confirmed attack that this alert indicates.
:url
A URL which documents the alert.
:ext:id
An external identifier for the alert.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:alert:taxonomy
A taxonomy of alert types.
The base type for the form can be found at risk:alert:taxonomy.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:alert:verdict:taxonomy
A taxonomy of verdicts for the origin and validity of the alert.
The base type for the form can be found at risk:alert:verdict:taxonomy.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:attack
An instance of an actor attacking a target.
The base type for the form can be found at risk:attack.
- Properties:
name
type
doc
opts
:desc
A description of the attack.
Display:
{'hint': 'text'}
:type
A type for the attack, as a taxonomy entry.
Example:
cno.phishing
:reporter
The organization reporting on the attack.
:reporter:name
The name of the organization reporting on the attack.
:time
Set if the time of the attack is known.
:detected
The first confirmed detection time of the attack.
:success
Set if the attack was known to have succeeded or not.
:targeted
Set if the attack was assessed to be targeted or not.
:goal
The tactical goal of this specific attack.
:campaign
Set if the attack was part of a larger campaign.
:compromise
A compromise that this attack contributed to.
:severity
An integer based relative severity score for the attack.
:sophistication
The assessed sophistication of the attack.
:prev
The previous/parent attack in a list or hierarchy.
:actor:org
Deprecated. Please use :attacker to allow entity resolution.
Deprecated:
True
:actor:person
Deprecated. Please use :attacker to allow entity resolution.
Deprecated:
True
:attacker
Contact information representing the attacker.
:target
Deprecated. Please use -(targets)> light weight edges.
Deprecated:
True
:target:org
Deprecated. Please use -(targets)> light weight edges.
Deprecated:
True
:target:host
Deprecated. Please use -(targets)> light weight edges.
Deprecated:
True
:target:person
Deprecated. Please use -(targets)> light weight edges.
Deprecated:
True
:target:place
Deprecated. Please use -(targets)> light weight edges.
Deprecated:
True
:via:ipv4
Deprecated. Please use -(uses)> light weight edges.
Deprecated:
True
:via:ipv6
Deprecated. Please use -(uses)> light weight edges.
Deprecated:
True
:via:email
Deprecated. Please use -(uses)> light weight edges.
Deprecated:
True
:via:phone
Deprecated. Please use -(uses)> light weight edges.
Deprecated:
True
:used:vuln
Deprecated. Please use -(uses)> light weight edges.
Deprecated:
True
:used:url
Deprecated. Please use -(uses)> light weight edges.
Deprecated:
True
:used:host
Deprecated. Please use -(uses)> light weight edges.
Deprecated:
True
:used:email
Deprecated. Please use -(uses)> light weight edges.
Deprecated:
True
:used:file
Deprecated. Please use -(uses)> light weight edges.
Deprecated:
True
:used:server
Deprecated. Please use -(uses)> light weight edges.
Deprecated:
True
:used:software
Deprecated. Please use -(uses)> light weight edges.
Deprecated:
True
:techniques
Deprecated for scalability. Please use -(uses)> ou:technique.
Deprecated:
True
:url
A URL which documents the attack.
:ext:id
An external unique ID for the attack.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
risk:attack
-(targets)>
ou:industry
The attack targeted the industry.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
ou:technique
The attackers used the technique in the attack.
risk:attack
-(uses)>
risk:vuln
The attack used the vulnerability.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:attacktype
A taxonomy of attack types.
The base type for the form can be found at risk:attacktype.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:availability
A taxonomy of availability status values.
The base type for the form can be found at risk:availability.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:compromise
An instance of a compromise and its aggregate impact.
The base type for the form can be found at risk:compromise.
- Properties:
name
type
doc
opts
:name
A brief name for the compromise event.
:desc
A prose description of the compromise event.
Display:
{'hint': 'text'}
:reporter
The organization reporting on the compromise.
:reporter:name
The name of the organization reporting on the compromise.
:type
A type for the compromise, as a taxonomy entry.
Example:
cno.breach
:vector
The attack assessed to be the initial compromise vector.
:target
Contact information representing the target.
:attacker
Contact information representing the attacker.
:campaign
The campaign that this compromise is part of.
:time
Earliest known evidence of compromise.
:lasttime
Last known evidence of compromise.
:duration
The duration of the compromise.
:detected
The first confirmed detection time of the compromise.
:loss:pii
The number of records compromised which contain PII.
:loss:econ
The total economic cost of the compromise.
:loss:life
The total loss of life due to the compromise.
:loss:bytes
An estimate of the volume of data compromised.
:ransom:paid
The value of the ransom paid by the target.
:ransom:price
The value of the ransom demanded by the attacker.
:response:cost
The economic cost of the response and mitigation efforts.
:theft:price
The total value of the theft of assets.
:econ:currency
The currency type for the econ:price fields.
:severity
An integer based relative severity score for the compromise.
:goal
The assessed primary goal of the attacker for the compromise.
:goals
An array of assessed attacker goals for the compromise.
:techniques
Deprecated for scalability. Please use -(uses)> ou:technique.
Deprecated:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:compromise
-(uses)>
ou:technique
The attackers used the technique in the compromise.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:compromisetype
A taxonomy of compromise types.
The base type for the form can be found at risk:compromisetype.
An example of risk:compromisetype
:
cno.breach
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:hasvuln
An instance of a vulnerability present in a target.
The base type for the form can be found at risk:hasvuln.
- Properties:
name
type
doc
:vuln
The vulnerability present in the target.
:person
The vulnerable person.
:org
The vulnerable org.
:place
The vulnerable place.
:software
The vulnerable software.
:hardware
The vulnerable hardware.
:spec
The vulnerable material specification.
:item
The vulnerable material item.
:host
The vulnerable host.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:mitigation
A mitigation for a specific risk:vuln.
The base type for the form can be found at risk:mitigation.
- Properties:
name
type
doc
opts
:vuln
The vulnerability that this mitigation addresses.
:name
A brief name for this risk mitigation.
:desc
A description of the mitigation approach for the vulnerability.
Display:
{'hint': 'text'}
:software
A software version which implements a fix for the vulnerability.
:hardware
A hardware version which implements a fix for the vulnerability.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
risk:mitigation
-(addresses)>
ou:technique
The mitigation addresses the technique.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:threat
A threat cluster or subgraph of threat activity, as reported by a specific organization.
The base type for the form can be found at risk:threat.
- Properties:
name
type
doc
opts
:name
A brief descriptive name for the threat cluster.
Example:
apt1 (mandiant)
:type
A type for the threat, as a taxonomy entry.
:desc
A description of the threat cluster.
:tag
The tag used to annotate nodes that are associated with the threat cluster.
:active
An interval for when the threat cluster is assessed to have been active.
:reporter
The organization reporting on the threat cluster.
:reporter:name
The name of the organization reporting on the threat cluster.
:reporter:discovered
The time that the reporting organization first discovered the threat cluster.
:reporter:published
The time that the reporting organization first publicly disclosed the threat cluster.
:org
The authoritative organization for the threat cluster.
:org:loc
The reporting organization’s assessed location of the threat cluster.
:org:name
The reporting organization’s name for the threat cluster.
Example:
apt1
:org:names
An array of alternate names for the threat cluster, according to the reporting organization.
:country
The reporting organization’s assessed country of origin of the threat cluster.
:country:code
The 2 digit ISO 3166 country code for the threat cluster’s assessed country of origin.
:goals
The reporting organization’s assessed goals of the threat cluster.
:sophistication
The reporting organization’s assessed sophistication of the threat cluster.
:techniques
Deprecated for scalability. Please use -(uses)> ou:technique.
Deprecated:
True
:merged:time
The time that the reporting organization merged this threat cluster into another.
:merged:isnow
The threat cluster that the reporting organization merged this cluster into.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
risk:threat
-(targets)>
ou:industry
The threat cluster targets the industry.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
ou:technique
The threat cluster uses the technique.
risk:threat
-(uses)>
risk:vuln
The threat cluster uses the vulnerability.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:threat:type:taxonomy
A taxonomy of threat types.
The base type for the form can be found at risk:threat:type:taxonomy.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:tool:software
A software tool used in threat activity, as reported by a specific organization.
The base type for the form can be found at risk:tool:software.
- Properties:
name
type
doc
opts
:tag
The tag used to annotate nodes that are associated with the tool.
Example:
rep.mandiant.tabcteng
:desc
A description of the tool.
:type
A type for the tool, as a taxonomy entry.
:used
An interval for when the tool is assessed to have been deployed.
:availability
The reporting organization’s assessed availability of the tool.
:sophistication
The reporting organization’s assessed sophistication of the tool.
:reporter
The organization reporting on the tool.
:reporter:name
The name of the organization reporting on the tool.
:reporter:discovered
The time that the reporting organization first discovered the tool.
:reporter:published
The time that the reporting organization first publicly disclosed the tool.
:soft
The authoritative software family for the tool.
:soft:name
The reporting organization’s name for the tool.
:soft:names
An array of alternate names for the tool, according to the reporting organization.
:techniques
Deprecated for scalability. Please use -(uses)> ou:technique.
Deprecated:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
risk:tool:software
-(uses)>
ou:technique
The tool uses the technique.
risk:tool:software
-(uses)>
risk:vuln
The tool uses the vulnerability.
risk:tool:software
-(uses)>
*
The tool uses the target node.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software:taxonomy
A taxonomy of software / tool types.
The base type for the form can be found at risk:tool:software:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:vuln
A unique vulnerability.
The base type for the form can be found at risk:vuln.
- Properties:
name
type
doc
opts
:name
A user specified name for the vulnerability.
:names
An array of alternate names for the vulnerability.
:type
A taxonomy type entry for the vulnerability.
:desc
A description of the vulnerability.
Display:
{'hint': 'text'}
:reporter
The organization reporting on the vulnerability.
:reporter:name
The name of the organization reporting on the vulnerability.
:mitigated
Set to true if a mitigation/fix is available for the vulnerability.
:exploited
Set to true if the vulnerability has been exploited in the wild.
:timeline:discovered
ismin:True
The earliest known discovery time for the vulnerability.
:timeline:published
ismin:True
The earliest known time the vulnerability was published.
:timeline:vendor:notified
ismin:True
The earliest known vendor notification time for the vulnerability.
:timeline:vendor:fixed
ismin:True
The earliest known time the vendor issued a fix for the vulnerability.
:timeline:exploited
ismin:True
The earliest known time when the vulnerability was exploited in the wild.
:cve
The CVE ID of the vulnerability.
:cve:desc
The description of the vulnerability according to the CVE database.
Display:
{'hint': 'text'}
:cve:url
A URL linking this vulnerability to the CVE description.
:cve:references
An array of documentation URLs provided by the CVE database.
:nist:nvd:source
The name of the organization which reported the vulnerability to NIST.
:nist:nvd:published
The date the vulnerability was first published in the NVD.
:nist:nvd:modified
ismax:True
The date the vulnerability was last modified in the NVD.
:cisa:kev:name
The name of the vulnerability according to the CISA KEV database.
:cisa:kev:desc
The description of the vulnerability according to the CISA KEV database.
:cisa:kev:action
The action to mitigate the vulnerability according to the CISA KEV database.
:cisa:kev:vendor
The vendor name listed in the CISA KEV database.
:cisa:kev:product
The product name listed in the CISA KEV database.
:cisa:kev:added
The date the vulnerability was added to the CISA KEV database.
:cisa:kev:duedate
The date the action is due according to the CISA KEV database.
:cvss:v2
The CVSS v2 vector for the vulnerability.
:cvss:v2_0:score
The CVSS v2.0 overall score for the vulnerability.
:cvss:v2_0:score:base
The CVSS v2.0 base score for the vulnerability.
:cvss:v2_0:score:temporal
The CVSS v2.0 temporal score for the vulnerability.
:cvss:v2_0:score:environmental
The CVSS v2.0 environmental score for the vulnerability.
:cvss:v3
The CVSS v3 vector for the vulnerability.
:cvss:v3_0:score
The CVSS v3.0 overall score for the vulnerability.
:cvss:v3_0:score:base
The CVSS v3.0 base score for the vulnerability.
:cvss:v3_0:score:temporal
The CVSS v3.0 temporal score for the vulnerability.
:cvss:v3_0:score:environmental
The CVSS v3.0 environmental score for the vulnerability.
:cvss:v3_1:score
The CVSS v3.1 overall score for the vulnerability.
:cvss:v3_1:score:base
The CVSS v3.1 base score for the vulnerability.
:cvss:v3_1:score:temporal
The CVSS v3.1 temporal score for the vulnerability.
:cvss:v3_1:score:environmental
The CVSS v3.1 environmental score for the vulnerability.
:cvss:av
enums:N,A,P,L
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:ac
enums:L,H
Deprecated. Please use :cvss:v3.
Display:{'enums': (('Low', 'L'), ('High', 'H'))}
Deprecated:True
:cvss:pr
enums:N,L,H
Deprecated. Please use :cvss:v3.
Display:{'enums': ({'title': 'None', 'value': 'N', 'doc': 'FIXME privs stuff'}, {'title': 'Low', 'value': 'L', 'doc': 'FIXME privs stuff'}, {'title': 'High', 'value': 'H', 'doc': 'FIXME privs stuff'})}
Deprecated:True
:cvss:ui
enums:N,R
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:s
enums:U,C
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:c
enums:N,L,H
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:i
enums:N,L,H
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:a
enums:N,L,H
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:e
enums:X,U,P,F,H
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:rl
enums:X,O,T,W,U
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:rc
enums:X,U,R,C
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:mav
enums:X,N,A,L,P
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:mac
enums:X,L,H
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:mpr
enums:X,N,L,H
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:mui
enums:X,N,R
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:ms
enums:X,U,C
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:mc
enums:X,N,L,H
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:mi
enums:X,N,L,H
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:ma
enums:X,N,L,H
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:cr
enums:X,L,M,H
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:ir
enums:X,L,M,H
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:ar
enums:X,L,M,H
Deprecated. Please use :cvss:v3.
Deprecated:
True
:cvss:score
Deprecated. Please use version specific score properties.
Deprecated:
True
:cvss:score:base
Deprecated. Please use version specific score properties.
Deprecated:
True
:cvss:score:temporal
Deprecated. Please use version specific score properties.
Deprecated:
True
:cvss:score:environmental
Deprecated. Please use version specific score properties.
Deprecated:
True
:cwes
An array of MITRE CWE values that apply to the vulnerability.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
risk:vuln
The attack used the vulnerability.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
risk:vuln
The threat cluster uses the vulnerability.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
risk:vuln
The tool uses the vulnerability.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:vuln:soft:range
A contiguous range of software versions which contain a vulnerability.
The base type for the form can be found at risk:vuln:soft:range.
- Properties:
name
type
doc
:vuln
The vulnerability present in this software version range.
:version:min
The minimum version which is vulnerable in this range.
:version:max
The maximum version which is vulnerable in this range.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:vuln:type:taxonomy
A taxonomy of vulnerability types.
The base type for the form can be found at risk:vuln:type:taxonomy.
- Properties:
name
type
doc
opts
:title
A brief title of the definition.
:summary
Deprecated. Please use title/desc.
Deprecated:True
Display:{'hint': 'text'}
:desc
A definition of the taxonomy entry.
Display:
{'hint': 'text'}
:sort
A display sort order for siblings.
:base
The base taxon.
Read Only:
True
:depth
The depth indexed from 0.
Read Only:
True
:parent
The taxonomy parent.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
risk:vulnname
A vulnerability name such as log4j or rowhammer.
The base type for the form can be found at risk:vulnname.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
rsa:key
An RSA keypair modulus and public exponent.
The base type for the form can be found at rsa:key.
- Properties:
name
type
doc
opts
:mod
The RSA key modulus.
Read Only:
True
:pub:exp
The public exponent of the key.
Read Only:
True
:bits
The length of the modulus in bits.
:priv:exp
The private exponent of the key.
:priv:p
One of the two private primes.
:priv:q
One of the two private primes.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
syn:cmd
A Synapse storm command.
The base type for the form can be found at syn:cmd.
- Properties:
name
type
doc
opts
:doc
strip:True
Description of the command.
Display:
{'hint': 'text'}
:package
strip:True
Storm package which provided the command.
:svciden
strip:True
Storm service iden which provided the package.
:input
The list of forms accepted by the command as input.
uniq:True
sorted:True
Read Only:True
:output
The list of forms produced by the command as output.
uniq:True
sorted:True
Read Only:True
:nodedata
type: syn:nodedataThe list of nodedata that may be added by the command.
uniq:True
sorted:True
Read Only:True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
syn:cron
A Cortex cron job.
The base type for the form can be found at syn:cron.
- Properties:
name
type
doc
opts
:doc
A description of the cron job.
Display:
{'hint': 'text'}
:name
A user friendly name/alias for the cron job.
:storm
The storm query executed by the cron job.
Read Only:True
Display:{'hint': 'text'}
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
syn:form
A Synapse form used for representing nodes in the graph.
The base type for the form can be found at syn:form.
- Properties:
name
type
doc
opts
:doc
strip:True
The docstring for the form.
Read Only:
True
:type
Synapse type for this form.
Read Only:
True
:runt
Whether or not the form is runtime only.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
syn:prop
A Synapse property.
The base type for the form can be found at syn:prop.
- Properties:
name
type
doc
opts
:doc
strip:True
Description of the property definition.
:form
The form of the property.
Read Only:
True
:type
The synapse type for this property.
Read Only:
True
:relname
strip:True
Relative property name.
Read Only:
True
:univ
Specifies if a prop is universal.
Read Only:
True
:base
strip:True
Base name of the property.
Read Only:
True
:ro
If the property is read-only after being set.
Read Only:
True
:extmodel
If the property is an extended model property or not.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
syn:splice
A splice from a layer.
The base type for the form can be found at syn:splice.
- Properties:
name
type
doc
opts
:type
strip:True
Type of splice.
Read Only:
True
:iden
The iden of the node involved in the splice.
Read Only:
True
:form
strip:True
The form involved in the splice.
Read Only:
True
:prop
strip:True
Property modified in the splice.
Read Only:
True
:tag
strip:True
Tag modified in the splice.
Read Only:
True
:valu
The value being set in the splice.
Read Only:
True
:oldv
The value before the splice.
Read Only:
True
:user
The user who caused the splice.
Read Only:
True
:prov
The provenance stack of the splice.
Read Only:
True
:time
The time the splice occurred.
Read Only:
True
:splice
The splice.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
syn:tag
The base type for a synapse tag.
The base type for the form can be found at syn:tag.
- Properties:
name
type
doc
opts
:up
The parent tag for the tag.
Read Only:
True
:isnow
Set to an updated tag if the tag has been renamed.
:doc
A short definition for the tag.
Display:
{'hint': 'text'}
:doc:url
A URL link to additional documentation about the tag.
:depth
How deep the tag is in the hierarchy.
Read Only:
True
:title
A display title for the tag.
:base
The tag base name. Eg baz for foo.bar.baz .
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
syn:tagprop
A user defined tag property.
The base type for the form can be found at syn:tagprop.
- Properties:
name
type
doc
opts
:doc
strip:True
Description of the tagprop definition.
:type
The synapse type for this tagprop.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
syn:trigger
A Cortex trigger.
The base type for the form can be found at syn:trigger.
- Properties:
name
type
doc
opts
:vers
Trigger version.
Read Only:
True
:doc
A documentation string describing the trigger.
Display:
{'hint': 'text'}
:name
A user friendly name/alias for the trigger.
:cond
The trigger condition.
Read Only:
True
:user
User who owns the trigger.
Read Only:
True
:storm
The Storm query for the trigger.
Read Only:True
Display:{'hint': 'text'}
:enabled
Trigger enabled status.
Read Only:
True
:form
Form the trigger is watching for.
:prop
Property the trigger is watching for.
:tag
Tag the trigger is watching for.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
syn:type
A Synapse type used for normalizing nodes and properties.
The base type for the form can be found at syn:type.
- Properties:
name
type
doc
opts
:doc
strip:True
The docstring for the type.
Read Only:
True
:ctor
strip:True
The python ctor path for the type object.
Read Only:
True
:subof
Type which this inherits from.
Read Only:
True
:opts
Arbitrary type options.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
tel:call
A guid for a telephone call record.
The base type for the form can be found at tel:call.
- Properties:
name
type
doc
opts
:src
The source phone number for a call.
:dst
The destination phone number for a call.
:time
The time the call was initiated.
:duration
The duration of the call in seconds.
:connected
Indicator of whether the call was connected.
:text
The text transcription of the call.
Display:
{'hint': 'text'}
:file
A file containing related media.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
tel:mob:carrier
The fusion of a MCC/MNC.
The base type for the form can be found at tel:mob:carrier.
- Properties:
name
type
doc
opts
:mcc
ITU Mobile Country Code.
Read Only:
True
:mnc
ITU Mobile Network Code.
Read Only:
True
:org
Organization operating the carrier.
:loc
Location the carrier operates from.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
tel:mob:cell
A mobile cell site which a phone may connect to.
The base type for the form can be found at tel:mob:cell.
- Properties:
name
type
doc
opts
:carrier
Mobile carrier.
Read Only:
True
:carrier:mcc
Mobile Country Code.
Read Only:
True
:carrier:mnc
Mobile Network Code.
Read Only:
True
:lac
Location Area Code. LTE networks may call this a TAC.
Read Only:
True
:cid
The Cell ID.
Read Only:
True
:radio
Cell radio type.
:latlong
Last known location of the cell site.
:loc
Location at which the cell is operated.
:place
The place associated with the latlong property.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
tel:mob:imei
An International Mobile Equipment Id.
The base type for the form can be found at tel:mob:imei.
An example of tel:mob:imei
:
490154203237518
- Properties:
name
type
doc
opts
:tac
The Type Allocate Code within the IMEI.
Read Only:
True
:serial
The serial number within the IMEI.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
tel:mob:imid
Fused knowledge of an IMEI/IMSI used together.
The base type for the form can be found at tel:mob:imid.
An example of tel:mob:imid
:
(490154203237518, 310150123456789)
- Properties:
name
type
doc
opts
:imei
The IMEI for the phone hardware.
Read Only:
True
:imsi
The IMSI for the phone subscriber.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
tel:mob:imsi
An International Mobile Subscriber Id.
The base type for the form can be found at tel:mob:imsi.
An example of tel:mob:imsi
:
310150123456789
- Properties:
name
type
doc
opts
:mcc
The Mobile Country Code.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
tel:mob:imsiphone
Fused knowledge of an IMSI assigned phone number.
The base type for the form can be found at tel:mob:imsiphone.
An example of tel:mob:imsiphone
:
(310150123456789, "+7(495) 124-59-83")
- Properties:
name
type
doc
opts
:phone
The phone number assigned to the IMSI.
Read Only:
True
:imsi
The IMSI with the assigned phone number.
Read Only:
True
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
tel:mob:mcc
ITU Mobile Country Code.
The base type for the form can be found at tel:mob:mcc.
- Properties:
name
type
doc
:loc
Location assigned to the MCC.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
tel:mob:tac
A mobile Type Allocation Code.
The base type for the form can be found at tel:mob:tac.
An example of tel:mob:tac
:
49015420
- Properties:
name
type
doc
:org
The org guid for the manufacturer.
:manu
lower:1
The TAC manufacturer name.
:model
lower:1
The TAC model name.
:internal
lower:1
The TAC internal model name.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
tel:mob:telem
A single mobile telemetry measurement.
The base type for the form can be found at tel:mob:telem.
- Properties:
name
type
doc
:time
A date/time value.
:latlong
A Lat/Long string specifying a point on Earth.
:http:request
The HTTP request that the telemetry was extracted from.
:host
The host that generated the mobile telemetry data.
:place
The place representing the location of the mobile telemetry sample.
:loc
The geo-political location of the mobile telemetry sample.
:accuracy
The reported accuracy of the latlong telemetry reading.
:cell
A mobile cell site which a phone may connect to.
:cell:carrier
The fusion of a MCC/MNC.
:imsi
An International Mobile Subscriber Id.
:imei
An International Mobile Equipment Id.
:phone
A phone number.
:mac
A 48-bit Media Access Control (MAC) address.
:ipv4
An IPv4 address.
:ipv6
An IPv6 address.
:wifi
An SSID/MAC address combination for a wireless access point.
:wifi:ssid
A WiFi service set identifier (SSID) name.
:wifi:bssid
A 48-bit Media Access Control (MAC) address.
:adid
An advertising identification string.
:aaid
An android advertising identification string.
:idfa
An iOS advertising identification string.
:name
An arbitrary, lower spaced string with normalized whitespace.
An e-mail address.
:acct
An account with a given Internet-based site or service.
:app
A specific version of a software product.
:data
Arbitrary json compatible data.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
tel:phone
A phone number.
The base type for the form can be found at tel:phone.
An example of tel:phone
:
+15558675309
- Properties:
name
type
doc
:loc
The location associated with the number.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
tel:txtmesg
A guid for an individual text message.
The base type for the form can be found at tel:txtmesg.
- Properties:
name
type
doc
opts
:from
The phone number assigned to the sender.
:to
The phone number assigned to the primary recipient.
:recipients
An array of phone numbers for additional recipients of the message.
:svctype
The message service type (sms, mms, rcs).
:time
The time the message was sent.
:text
The text of the message.
Display:
{'hint': 'text'}
:file
A file containing related media.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
transport:air:craft
An individual aircraft.
The base type for the form can be found at transport:air:craft.
- Properties:
name
type
doc
:tailnum
The aircraft tail number.
:type
The type of aircraft.
:built
The date the aircraft was constructed.
:make
The make of the aircraft.
:model
The model of the aircraft.
:serial
strip:True
The serial number of the aircraft.
:operator
Contact info representing the person or org that operates the aircraft.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
transport:air:flight
An individual instance of a flight.
The base type for the form can be found at transport:air:flight.
- Properties:
name
type
doc
:num
The flight number of this flight.
:scheduled:departure
The time this flight was originally scheduled to depart.
:scheduled:arrival
The time this flight was originally scheduled to arrive.
:departed
The time this flight departed.
:arrived
The time this flight arrived.
:carrier
The org which operates the given flight number.
:craft
The aircraft that flew this flight.
:tailnum
The tail/registration number at the time the aircraft flew this flight.
:to:port
The destination airport of this flight.
:from:port
The origin airport of this flight.
:stops
type: transport:air:portAn ordered list of airport codes for stops which occurred during this flight.
:cancelled
Set to true for cancelled flights.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
transport:air:flightnum
A commercial flight designator including airline and serial.
The base type for the form can be found at transport:air:flightnum.
An example of transport:air:flightnum
:
ua2437
- Properties:
name
type
doc
:carrier
The org which operates the given flight number.
:to:port
The most recently registered destination for the flight number.
:from:port
The most recently registered origin for the flight number.
:stops
type: transport:air:portAn ordered list of aiport codes for the flight segments.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
transport:air:occupant
An occupant of a specific flight.
The base type for the form can be found at transport:air:occupant.
- Properties:
name
type
doc
:type
lower:True
The type of occupant such as pilot, crew or passenger.
:flight
The flight that the occupant was aboard.
:seat
lower:True
The seat assigned to the occupant.
:contact
The contact information of the occupant.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
transport:air:port
An IATA assigned airport code.
The base type for the form can be found at transport:air:port.
- Properties:
name
type
doc
:name
The name of the airport.
:place
The place where the IATA airport code is assigned.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
transport:air:tailnum
An aircraft registration number or military aircraft serial number.
The base type for the form can be found at transport:air:tailnum.
An example of transport:air:tailnum
:
ff023
- Properties:
name
type
doc
:loc
The geopolitical location that the tailnumber is allocated to.
:type
A type which may be specific to the country prefix.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
transport:air:telem
A telemetry sample from an aircraft in transit.
The base type for the form can be found at transport:air:telem.
- Properties:
name
type
doc
:flight
The flight being measured.
:latlong
The lat/lon of the aircraft at the time.
:loc
The location of the aircraft at the time.
:place
The place that the lat/lon geocodes to.
:accuracy
The horizontal accuracy of the latlong sample.
:course
The direction, in degrees from true North, that the aircraft is traveling.
:heading
The direction, in degrees from true North, that the nose of the aircraft is pointed.
:speed
The ground speed of the aircraft at the time.
:airspeed
The air speed of the aircraft at the time.
:verticalspeed
relative:True
The relative vertical speed of the aircraft at the time.
:altitude
The altitude of the aircraft at the time.
:altitude:accuracy
The vertical accuracy of the altitude measurement.
:time
The time the telemetry sample was taken.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
transport:land:license
A license to operate a land vehicle issued to a contact.
The base type for the form can be found at transport:land:license.
- Properties:
name
type
doc
:id
strip:True
The license ID.
:contact
The contact info of the registrant.
:issued
The time the license was issued.
:expires
The time the license expires.
:issuer
The org which issued the license.
:issuer:name
The name of the org which issued the license.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
transport:land:registration
Registration issued to a contact for a land vehicle.
The base type for the form can be found at transport:land:registration.
- Properties:
name
type
doc
:id
strip:True
The vehicle registration ID or license plate.
:contact
The contact info of the registrant.
:license
The license used to register the vehicle.
:issued
The time the vehicle registration was issued.
:expires
The time the vehicle registration expires.
:vehicle
The vehicle being registered.
:issuer
The org which issued the registration.
:issuer:name
The name of the org which issued the registration.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
transport:land:vehicle
An individual vehicle.
The base type for the form can be found at transport:land:vehicle.
- Properties:
name
type
doc
:serial
strip:True
The serial number or VIN of the vehicle.
:built
The date the vehicle was constructed.
:make
The make of the vehicle.
:model
The model of the vehicle.
:registration
The current vehicle registration information.
:owner
The contact info of the owner of the vehicle.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
transport:sea:telem
A telemetry sample from a vessel in transit.
The base type for the form can be found at transport:sea:telem.
- Properties:
name
type
doc
:vessel
The vessel being measured.
:time
The time the telemetry was sampled.
:latlong
The lat/lon of the vessel at the time.
:loc
The location of the vessel at the time.
:place
The place that the lat/lon geocodes to.
:accuracy
The horizontal accuracy of the latlong sample.
:course
The direction, in degrees from true North, that the vessel is traveling.
:heading
The direction, in degrees from true North, that the bow of the vessel is pointed.
:speed
The speed of the vessel at the time.
:draft
The keel depth at the time.
:airdraft
The maximum height of the ship from the waterline.
:destination
The fully resolved destination that the vessel has declared.
:destination:name
The name of the destination that the vessel has declared.
:destination:eta
The estimated time of arrival that the vessel has declared.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
transport:sea:vessel
An individual sea vessel.
The base type for the form can be found at transport:sea:vessel.
- Properties:
name
type
doc
:imo
The International Maritime Organization number for the vessel.
:name
The name of the vessel.
:length
The official overall vessel length.
:beam
The official overall vessel beam.
:flag
The country the vessel is flagged to.
:mmsi
The Maritime Mobile Service Identifier assigned to the vessel.
:built
The year the vessel was constructed.
:make
The make of the vessel.
:model
The model of the vessel.
:operator
The contact information of the operator.
- Source Edges:
source
verb
target
doc
*
-(refs)>
*
The source node contains a reference to the target node.
*
-(seenat)>
geo:telem
The source node was seen at the geo:telem node place and time.
- Target Edges:
source
verb
target
doc
*
-(refs)>
*
None
econ:purchase
-(acquired)>
*
The purchase was used to acquire the target node.
it:app:snort:rule
-(detects)>
*
The snort rule is intended for use in detecting the target node.
it:app:yara:rule
-(detects)>
*
The YARA rule is intended for use in detecting the target node.
it:exec:query
-(found)>
*
The target node was returned as a result of running the query.
meta:note
-(about)>
*
The meta:note is about the target node.
meta:rule
-(detects)>
*
The meta:rule is designed to detect instances of the target node.
meta:rule
-(matches)>
*
The meta:rule has matched on target node.
meta:source
-(seen)>
*
The meta:source observed the target node.
ou:campaign
-(targets)>
*
The campaign targeted the target nodes.
ou:campaign
-(uses)>
*
The campaign made use of the target node.
ou:contribution
-(includes)>
*
The contribution includes the specific node.
ou:org
-(targets)>
*
The organization targets the target node.
ou:org
-(uses)>
*
The ou:org makes use of the target node.
risk:attack
-(targets)>
*
The attack targeted the target node.
risk:attack
-(uses)>
*
The attack used the target node to facilitate the attack.
risk:compromise
-(stole)>
*
The target node was stolen or copied as a result of the compromise.
risk:threat
-(targets)>
*
The threat cluster targeted the target node.
risk:threat
-(uses)>
*
The threat cluster uses the target node.
risk:tool:software
-(uses)>
*
The tool uses the target node.
Universal Properties
Universal props are system level properties which may be present on every node.
These properties are not specific to a particular form and exist outside of a particular namespace.
.created
The time the node was created in the cortex. It has the following property options set:
Read Only:
True
The universal property type is time. Its type has the following options set:
ismin:
True
.seen
The time interval for first/last observation of the node.
The universal property type is ival.