From c0521c4b3bfb06047ae15d887083fda95eb74982 Mon Sep 17 00:00:00 2001 From: sullivandaly Date: Tue, 13 Jun 2023 15:21:46 +0100 Subject: [PATCH 01/75] add CTI --- cyber-threat-intelligence/.DS_Store | Bin 0 -> 6148 bytes cyber-threat-intelligence/dataset.tql | 493 +++++ cyber-threat-intelligence/examples/query1.tql | 7 + cyber-threat-intelligence/examples/query2.tql | 7 + cyber-threat-intelligence/examples/query3.tql | 18 + cyber-threat-intelligence/examples/query4.tql | 6 + cyber-threat-intelligence/schema.tql | 1658 +++++++++++++++++ 7 files changed, 2189 insertions(+) create mode 100644 cyber-threat-intelligence/.DS_Store create mode 100644 cyber-threat-intelligence/dataset.tql create mode 100644 cyber-threat-intelligence/examples/query1.tql create mode 100644 cyber-threat-intelligence/examples/query2.tql create mode 100644 cyber-threat-intelligence/examples/query3.tql create mode 100644 cyber-threat-intelligence/examples/query4.tql create mode 100644 cyber-threat-intelligence/schema.tql 
diff --git a/cyber-threat-intelligence/.DS_Store b/cyber-threat-intelligence/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..2b31a72497758a771de27637343c7b368329c2b7 GIT binary patch literal 6148 zcmeHK!Ab-%3{7-}0WW*>;Gy^j^9SQH`U7+EsO!oK&TI!o@z|g9;9vRDMA%^q${s|P z1lpITN!ocZZ9_!7cwN;*b0VtH1X+}Vh`Bg*WX>l*&N)Wv>49GQb=?&b{YR7Ry~3W~ z>5c~4+W&nV#;pzS_zbaamwjAH{KfUt=gs-YWhvJXSHJQbAM5U?HQ&1DO&>RFtOLGX zoB?OR8E^)ifxQ^8JES_@E82sc0cYTl8IbcKpb0jHNiiQC=yC}FoWYz0y3`U96AT-} zq=*>^Yba1d*-8x7aM*+SHHJx1!-=i infrastructure_types +# identity _> sector + +derivation sub relation, + relates derived_from, + relates deriving; + +duplicate_of sub relation, + relates duplicated_object; + + +sighting sub stix_core_relationship, + owns first_seen, + owns last_seen, + owns count, + owns summary, + + relates sighting_of, + relates observed_data; + + + +### 6 SCOs ### + +artifact sub stix_cyber_observable_object, + owns mime_type, + owns payload_bin, + owns url_link, + owns encryption_algorithm, + owns decryption_key, + + # RRel + plays body_raw_ref:target, + plays raw_email_ref:target, + plays content_ref:target, + plays message_body_data_ref:target; + +autonomous_system sub stix_cyber_observable_object, + owns number, + owns name, + owns rir, + + # RRel + plays belongs_to_refs:belonging; + +directory sub stix_cyber_observable_object, + owns path, + owns path_enc, + owns ctime, + owns mtime, + owns atime, + + # Rel + plays contains_ref:contained, + + # RRel + plays parent_directory_ref:target; + +domain_name sub stix_cyber_observable_object, + owns stix_value, + + # Rel + plays resolves_to_refs:resolved, + + # RRel + plays resolves_to_refs:resolving, + plays communicates_with:communicated; + + +email_addr sub stix_cyber_observable_object, + owns stix_value, + owns display_name, + + # Rel + plays belongs_to_ref:source, + + # RRel + plays from_ref:target, + plays sender_ref:target, + plays to_refs:to, + plays cc_refs:to, + plays bcc_refs:to; + +email_message sub 
stix_cyber_observable_object, + owns is_multipart, + owns date, + owns content_type, + owns message_id, + owns subject, + owns body, + + # Rel + plays from_ref:source, + plays sender_ref:source, + plays to_refs:from, + plays cc_refs:from, + plays bcc_refs:from, + plays received_lines:owner, # LinkedList + plays body_multipart:to, + plays raw_email_ref:source; + + +email_mime_part sub stix_sub_object, + owns body, + owns content_type, + owns content_disposition, + + # Rel + plays body_raw_ref:source, + + # RRel + plays body_multipart:from; + +file sub stix_cyber_observable_object, + owns size, + owns name, + owns name_enc, + owns magic_number_hex, + owns mime_type, + owns ctime, + owns mtime, + owns atime, + + # Rel + plays hashes:hashes_owner, + plays parent_directory_ref:source, + plays contains_ref:contained, + plays content_ref:source, + + # RRel + plays downloads:downloaded, + plays body_raw_ref:target, + plays image_ref:target, + plays service_dll_refs:to; + +archive_ext sub file, + owns comment; + +ntfs_ext sub file, + owns sid, + + # Rel + plays alternate_data_streams:from; + +alternate_data_stream sub file, + + # RRel + plays alternate_data_streams:to; + +pdf_ext sub stix_cyber_observable_object, + owns version, + owns is_optimized, + owns pdfid0, + owns pdfid1, + + # Rel + plays document_info_dict:document_owner; + +raster_image_ext sub file, + owns image_height, + owns image_width, + owns bits_per_pixel, + + # Rel + plays exif_tags:exif_owner; + +windows_pebinary_ext sub file, + owns pe_type, + owns imphash, + owns machine_hex, + owns number_of_sections, + owns time_date_stamp, + owns pointer_to_symbol_table_hex, + owns number_of_symbols, + owns size_of_optional_header, + owns characterstics_hex, + + # Rel + plays optional_header:from, + plays sections:from; + +windows_pe_optional_header_type sub entity, + owns magic_hex, + owns major_linker_version, + owns minor_linker_version, + owns size_of_code, + owns size_of_initialized_data, + owns 
size_ofuninitialized_data, + owns address_of_entry_point, + owns base_of_code, + owns base_of_data, + owns image_base, + owns section_alignment, + owns file_alignment, + owns major_os_version, + owns minor_os_version, + owns major_image_version, + owns minor_image_version, + owns major_subsystem_version, + owns minor_subsystem_version, + owns win32_version_value_hex, + owns size_of_image, + owns size_of_headers, + owns checksum_hex, + owns subsystem_hex, + owns dll_characteristics_hex, + owns size_of_stack_reserve, + owns size_of_stack_commit, + owns size_of_heap_reserve, + owns size_of_heap_commit, + owns loader_flags_hex, + owns number_of_rva_and_sizes, + + # Rel + plays hashes:hashes_owner, + + # RRel + plays optional_header:target; + +windows_pe_section sub entity, + owns name, + owns size, + owns entropy, + + # Rel + plays hashes:hashes_owner, + + # RRel + plays sections:to; + +ipv4_address sub stix_cyber_observable_object, + owns stix_value, + + # Rel + plays resolves_to_refs:resolved, + plays belongs_to_refs:belonged, + + # RRel + plays resolves_to_refs:resolving, + plays communicates_with:communicated; + + + +ipv6_address sub stix_cyber_observable_object, + owns stix_value, + + # Rel + plays resolves_to_refs:resolved, + plays belongs_to_refs:belonged, + + # RRel + plays resolves_to_refs:resolving, + plays communicates_with:communicated; + + +mac_addr sub stix_cyber_observable_object, + owns stix_value, + + # RRel + plays resolves_to_refs:resolving; + + +mutex sub stix_cyber_observable_object, + owns name; + + +network_traffic sub stix_cyber_observable_object, + owns start, + owns end, + owns is_active, + owns src_port, + owns dst_port, + + # Rel + plays src_ref:source, + plays dst_ref:source, + plays src_payload_ref:source, + plays dst_payload_ref:source, + plays encapsulated_by_ref:source, + plays protocols:from, + plays ipfix:ipfix_owner, + plays encapsulates_refs:encapsulated, + + # RRel + plays encapsulates_refs:encapsulating, + plays 
encapsulated_by_ref:target, + plays opened_connection_refs:opening; + +# TODO: Should be a hierarchy or a relation? +http_request_ext sub network_traffic, + owns request_method, + owns request_value, + owns request_version, + owns message_body_length, + + # Rel + plays request_header:header_owner, + plays message_body_data_ref:from; + +icmp_ext sub network_traffic, + owns icmp_type_hex, + owns icmp_code_hex; + +socket_ext sub network_traffic, + owns address_family, + owns is_blocking, + owns is_listening, + owns socket_type, + owns socket_descriptor, + owns socket_handle, + + # Rel + plays options:options_owner; + +tcp_ext sub network_traffic, + owns src_flags_hex, + owns dst_flags_hex; + +process sub stix_cyber_observable_object, + owns is_hidden, + owns pid, + owns created_time, + owns cwd, + owns command_line, + + # Rel + plays environment_variables:variables_owner, + plays opened_connection_refs:opened, + plays creator_user_ref:source, + plays image_ref:source, + plays parent_ref:source, + plays child_refs:parent, + + # RRel + plays parent_ref:target, + plays child_refs:child; + +windows_process_ext sub process, + owns aslr_enabled, + owns dep_enabled, + owns priority, + owns owner_sid, + owns window_title, + owns integrity_level, + + # Rel + plays startup_info:info_owner; + +windows_service_ext sub process, + owns service_name, + owns display_name, + owns group_name, + owns start_type, + owns service_type, + owns service_status, + owns descriptions, + + # Rel + plays service_dll_refs:from; + +software sub stix_cyber_observable_object, + owns name, + owns spe, + owns swid, + owns vendor, + owns version, + owns languages; + +url sub stix_cyber_observable_object, + owns stix_value, + + # RRel + plays communicates_with:communicated; + + +user_account sub stix_cyber_observable_object, + owns user_id, + owns credential, + owns account_login, + owns account_type, + owns display_name, + owns is_service_account, + owns is_privileged, + owns can_escalate_privs, + owns 
is_disabled, + owns account_created, + owns account_expires, + owns credential_last_changed, + owns account_first_login, + owns account_last_login, + + # RRel + plays belongs_to_ref:target, + plays creator_user_ref:target; + +unix_account_ext sub user_account, + owns gid, + owns home_dir, + owns shell, + owns groups; + + +windows_registry_key sub stix_cyber_observable_object, + owns attribute_key, + owns modified_time, + owns number_subkeys, + + # Rel + plays values:from, + plays creator_user_ref:source; + +windows_registry_value_type sub stix_cyber_observable_object, + owns name, + owns data, + owns data_type, + + # RRel + plays values:to; + +x509_certificate sub stix_cyber_observable_object, + owns is_self_signed, + owns version, + owns serial_number, + owns signature_algorithm, + owns issuer, + owns validity_not_before, + owns validity_not_after, + owns subject, + owns subject_public_key_algorithm, + owns subject_public_key_modulus, + owns subject_public_key_exponent, + + # Rel + plays hashes:hashes_owner; + +x509_v3_extensions sub x509_certificate, + owns basic_constraints, + owns name_constraints, + owns policy_constraints, + owns key_usage, + owns extended_key_usage, + owns subject_key_identifier, + owns authority_key_identifier, + owns subject_alternative_name, + owns issuer_alternative_name, + owns subject_directory_attributes, + owns crl_distribution_points, + owns inhibit_any_policy, + owns private_key_usage_period_not_before, + owns private_key_usage_period_not_after, + owns certificate_policies, + owns policy_mappings; + +# TODO +# Embended relations to deal with ownership of SDOs +# CREATE SUBTYPES OF stix_attribute + +marking_definition sub stix_object, + owns created, + owns modified, + owns name, + owns spec_version, + + plays created_by:created, + plays data_marking:marking, + plays external_references:referencing; + +statement_marking sub marking_definition, + owns statement; + +tlp_marking sub marking_definition, + owns color; # TODO REGEX 
red/amber/green/clear + + +# This is not a List but a Set +# We keep the list name for consistancy with STIX2.1 +list sub relation, + relates list_item, + relates owner; + +linked_list sub list, + plays first_element:list, + plays last_element:list, + plays list_element:list; + +first_element sub relation, + relates first, + relates list; + +last_element sub relation, + relates last, + relates list; + +list_element sub relation, + relates element, + relates list; + +node sub relation, + relates next, + relates listed, + + # Rel + plays node:next, + + # RRel + plays list_element:element, + plays last_element:last, + plays first_element:first; + +dict sub relation, + relates dict_item, + relates owner, + owns key_abstract, + abstract; + + +hashes sub dict, + relates hash_value as dict_item, + relates hashes_owner as owner, + owns hash_algorithm as key_abstract; # TODO REGEX SUB KEY + +document_info_dict sub dict, + relates document_info as dict_item, + relates document_owner as owner, + owns key as key_abstract; + +exif_tags sub dict, + relates exif_tag as dict_item, + relates exif_owner as owner, + owns key as key_abstract; + +ipfix sub dict, + relates ipfix_field as dict_item, + relates ipfix_owner as owner, + owns key as key_abstract; + +request_header sub dict, + relates header as dict_item, + relates header_owner as owner, + owns key as key_abstract; + +options sub dict, + relates option as dict_item, + relates options_owner as owner, + owns key as key_abstract; + +environment_variables sub dict, + relates variable as dict_item, + relates variables_owner as owner, + owns key as key_abstract; + +startup_info sub dict, + relates info as dict_item, + relates info_owner as owner, + owns key as key_abstract; + +### !!! DISCUSSION !!! ### + +additional_header_fields sub relation, # Dict of List + relates dict_item, + relates owner, + + plays header_fields:owner, + + owns key; + +header_fields sub list, + plays additional_header_fields:dict_item; + +### !!! 
FIN DISCUSSION !!! ### + +external_references sub list, + relates referencing as list_item, + relates referenced as owner; + +### TODO USED +kill_chain_phases sub list, + relates using as list_item, + relates used as owner; + +data_marking sub list, + relates marking as list_item, + relates marked as owner, + + plays granular_marking:marking; + +### TODO MARKED +object_marking sub list, + relates marking as list_item, + relates marked as owner; + +granular_marking sub list, + relates marking as list_item, + relates marked as owner; + +created_by sub list, + relates creator as list_item, + relates created as owner; + +resolves_to_refs sub list, + relates resolving as list_item, + relates resolved as owner; + +belongs_to_refs sub list, + relates belonging as list_item, + relates belonged as owner; + +contains_ref sub list, + relates containing as list_item, + relates contained as owner; + +to_refs sub list, + relates to as list_item, + relates from as owner; + +cc_refs sub list, + relates to as list_item, + relates from as owner; + +bcc_refs sub list, + relates to as list_item, + relates from as owner; + +body_multipart sub list, + relates to as list_item, + relates from as owner; + +alternate_data_streams sub list, + relates to as list_item, + relates from as owner; + +sections sub list, + relates to as list_item, + relates from as owner; + +protocols sub list, + relates to as list_item, + relates from as owner; + +encapsulates_refs sub list, + relates encapsulating as list_item, + relates encapsulated as owner; + +opened_connection_refs sub list, + relates opening as list_item, + relates opened as owner; + +child_refs sub list, + relates child as list_item, + relates parent as owner; + +service_dll_refs sub list, + relates to as list_item, + relates from as owner; + + +values sub list, + relates to as list_item, + relates from as owner; + +received_lines sub linked_list; + +stix_attribute_string sub attribute, + value string, + + plays granular_marking:marking, + 
abstract; + + +stix_type sub stix_attribute_string; +stix_id sub stix_attribute_string; +stix_role sub stix_attribute_string; +spec_version sub stix_attribute_string; +labels sub stix_attribute_string; +langs sub stix_attribute_string; +defanged sub stix_attribute_string; +source_name sub stix_attribute_string; +url_link sub stix_attribute_string; +external_id sub stix_attribute_string; +name sub stix_attribute_string; +name_enc sub stix_attribute_string; +magic_number_hex sub stix_attribute_string; +mime_type sub stix_attribute_string; +aliases sub stix_attribute_string; +objective sub stix_attribute_string; +action sub stix_attribute_string; +context sub stix_attribute_string; +identity_class sub stix_attribute_string; +sector sub stix_attribute_string; ### REL ??? +infrastructure_types sub stix_attribute_string; ### REL ??? +contact_information sub stix_attribute_string; +indicator_type sub stix_attribute_string; +pattern sub stix_attribute_string; +pattern_type sub stix_attribute_string; +pattern_version sub stix_attribute_string; +goals sub stix_attribute_string; +resource_level sub stix_attribute_string; +primary_motivation sub stix_attribute_string; +secondary_motivations sub stix_attribute_string; +malware_types sub stix_attribute_string; +architecture_execution_envs sub stix_attribute_string; +implementation_languages sub stix_attribute_string; +capabilities sub stix_attribute_string; +region sub stix_attribute_string; +country sub stix_attribute_string; +administrative_area sub stix_attribute_string; +city sub stix_attribute_string; +street_address sub stix_attribute_string; +postal_code sub stix_attribute_string; +version sub stix_attribute_string; +configuration_version sub stix_attribute_string; +module sub stix_attribute_string; +analysis_engine_version sub stix_attribute_string; +analysis_definition_version sub stix_attribute_string; +result_name sub stix_attribute_string; +result sub stix_attribute_string; +note_abstract sub stix_attribute_string; 
+content sub stix_attribute_string; +authors sub stix_attribute_string; +explanation sub stix_attribute_string; +opinion_enum sub stix_attribute_string; +report_type sub stix_attribute_string; +sophistication sub stix_attribute_string; +personal_characteristics sub stix_attribute_string; +roles sub stix_attribute_string; +threat_actor_types sub stix_attribute_string; +tool_types sub stix_attribute_string; +tool_version sub stix_attribute_string; +vulnerability_types sub stix_attribute_string; +kill_chain_name sub stix_attribute_string; +kill_chain_phase_name sub stix_attribute_string; +summary sub stix_attribute_string; +payload_bin sub stix_attribute_string; +decryption_key sub stix_attribute_string; +path sub stix_attribute_string; +path_enc sub stix_attribute_string; +rir sub stix_attribute_string; +display_name sub stix_attribute_string; +content_type sub stix_attribute_string; +message_id sub stix_attribute_string; +subject sub stix_attribute_string; +body sub stix_attribute_string; +content_disposition sub stix_attribute_string; +comment sub stix_attribute_string; +sid sub stix_attribute_string; +owner_sid sub stix_attribute_string; +pdfid0 sub stix_attribute_string; +pdfid1 sub stix_attribute_string; +pe_type sub stix_attribute_string; +imphash sub stix_attribute_string; +machine_hex sub stix_attribute_string; +pointer_to_symbol_table_hex sub stix_attribute_string; +characterstics_hex sub stix_attribute_string; +win32_version_value_hex sub stix_attribute_string; +checksum_hex sub stix_attribute_string; +subsystem_hex sub stix_attribute_string; +dll_characteristics_hex sub stix_attribute_string; +loader_flags_hex sub stix_attribute_string; +magic_hex sub stix_attribute_string; +request_method sub stix_attribute_string; +request_value sub stix_attribute_string; +request_version sub stix_attribute_string; +icmp_type_hex sub stix_attribute_string; +icmp_code_hex sub stix_attribute_string; +service_name sub stix_attribute_string; +subject_public_key_algorithm sub 
stix_attribute_string; +subject_public_key_modulus sub stix_attribute_string; +certificate_policies sub stix_attribute_string; +crl_distribution_points sub stix_attribute_string; +subject_directory_attributes sub stix_attribute_string; +key_usage sub stix_attribute_string; +subject_alternative_name sub stix_attribute_string; +subject_key_identifier sub stix_attribute_string; +extended_key_usage sub stix_attribute_string; +name_constraints sub stix_attribute_string; +policy_mappings sub stix_attribute_string; +policy_constraints sub stix_attribute_string; +basic_constraints sub stix_attribute_string; +inhibit_any_policy sub stix_attribute_string; +authority_key_identifier sub stix_attribute_string; +issuer_alternative_name sub stix_attribute_string; +data sub stix_attribute_string; +user_id sub stix_attribute_string; +priority sub stix_attribute_string; +stix_value sub stix_attribute_string; +cwd sub stix_attribute_string; +command_line sub stix_attribute_string; +account_login sub stix_attribute_string; +group_name sub stix_attribute_string; +dst_flags_hex sub stix_attribute_string; +src_flags_hex sub stix_attribute_string; +product sub stix_attribute_string; +spe sub stix_attribute_string; +exif_tag_string sub stix_attribute_string; +window_title sub stix_attribute_string; +statement sub stix_attribute_string; +home_dir sub stix_attribute_string; +account_type sub stix_attribute_string; +credential sub stix_attribute_string; +attribute_key sub stix_attribute_string; +shell sub stix_attribute_string; +swid sub stix_attribute_string; +vendor sub stix_attribute_string; +description sub stix_attribute_string; +descriptions sub stix_attribute_string; +languages sub stix_attribute_string; +groups sub stix_attribute_string; + +received sub stix_attribute_string, + plays node:listed; +document_info sub stix_attribute_string, + plays document_info_dict:document_info; +protocol sub stix_attribute_string, + plays protocols:to; +ipfix_string sub stix_attribute_string, + plays 
ipfix:ipfix_field; +header sub stix_attribute_string, + plays request_header:header; +environment_variable sub stix_attribute_string, + plays environment_variables:variable; +startup sub stix_attribute_string, + plays startup_info:info; + + + +issuer sub stix_attribute_string; +serial_number sub stix_attribute_string; +signature_algorithm sub stix_attribute_string; +subject_public_key_exponent sub stix_attribute_string; + +hash_value sub stix_attribute_string, + plays hashes:hash_value; +key_abstract sub stix_attribute_string, + abstract; +key sub key_abstract; +hash_algorithm sub key_abstract, + regex "^(MD5|SHA-1|SHA-256|SHA-512|SHA3-256|SHA3-512|SSDEEP|TLSH)$"; +encryption_algorithm sub stix_attribute_string, + regex "^(AES_256_GCM|ChaCha20_Poly1305|mime_type_indicated)$"; +address_family sub stix_attribute_string, + regex "^(AF_UNSPEC|AF_INET|AF_IPX|AF_APPLETALK|AF_NETBIOS|AF_INET6|AF_IRDA|AF_BTH)$"; +socket_type sub stix_attribute_string, + regex "^(SOCK_STREAM|SOCK_DGRAM|SOCK_RAW|SOCK_RDM|SOCK_SEQPACKET)$"; +opinion_enum sub stix_attribute_string, + regex "^(strongly_disagree|disagree|neutral|agree|strongly_agree)$"; +integrity_level sub stix_attribute_string, + regex "^(low|medium|high|system)$"; +data_type sub stix_attribute_string, + regex "^(REG_NONE|REG_SZ|REG_EXPAND_SZ|REG_BINARY|REG_DWORD|REG_DWORD_BIG_ENDIAN|REG_LINK|REG_MULTI_SZ|REG_RESOURCE_LIST|REG_FULL_RESOURCE_DESCRIPTION|REG_RESOURCE_REQUIREMENTS_LIST|REG_QWORD|REG_INVALID_TYPE)$"; +start_type sub stix_attribute_string, + regex "^(SERVICE_AUTO_START|SERVICE_BOOT_START|SERVICE_DEMAND_START|SERVICE_DISABLED|SERVICE_SYSTEM_ALERT)$"; +service_type sub stix_attribute_string, + regex "^(SERVICE_KERNEL_DRIVER|SERVICE_FILE_SYSTEM_DRIVER|SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS)$"; +service_status sub stix_attribute_string, + regex "^(SERVICE_CONTINUE_PENDING|SERVICE_PAUSE_PENDING|SERVICE_PAUSED|SERVICE_RUNNING|SERVICE_START_PENDING|SERVICE_STOP_PENDING|SERVICE_STOPPED)$"; +color sub 
stix_attribute_string, + regex "^(white|green|amber|red|clear)$"; +stix_attribute_double sub attribute, + value double, + + plays granular_marking:marked, + abstract; + +number sub stix_attribute_double; +latitude sub stix_attribute_double; +longitude sub stix_attribute_double; +precision sub stix_attribute_double; +number_observed sub stix_attribute_double; +count sub stix_attribute_double; +entropy sub stix_attribute_double; +size_ofuninitialized_data sub stix_attribute_double; + +stix_attribute_integer sub attribute, + value long, + + plays granular_marking:marked, + abstract; + +size sub stix_attribute_integer; +gid sub stix_attribute_integer; +image_height sub stix_attribute_integer; +image_width sub stix_attribute_integer; +bits_per_pixel sub stix_attribute_integer; +confidence sub stix_attribute_integer; +number_of_sections sub stix_attribute_integer; +number_of_symbols sub stix_attribute_integer; +size_of_optional_header sub stix_attribute_integer; +major_linker_version sub stix_attribute_integer; +minor_linker_version sub stix_attribute_integer; +size_of_code sub stix_attribute_integer; +size_of_initialized_data sub stix_attribute_integer; +size_of_uninitialized_data sub stix_attribute_integer; +address_of_entry_point sub stix_attribute_integer; +base_of_code sub stix_attribute_integer; +base_of_data sub stix_attribute_integer; +image_base sub stix_attribute_integer; +section_alignment sub stix_attribute_integer; +file_alignment sub stix_attribute_integer; +major_os_version sub stix_attribute_integer; +minor_os_version sub stix_attribute_integer; +major_image_version sub stix_attribute_integer; +minor_image_version sub stix_attribute_integer; +major_subsystem_version sub stix_attribute_integer; +minor_subsystem_version sub stix_attribute_integer; +size_of_image sub stix_attribute_integer; +size_of_headers sub stix_attribute_integer; +size_of_stack_reserve sub stix_attribute_integer; +size_of_stack_commit sub stix_attribute_integer; +size_of_heap_reserve 
sub stix_attribute_integer; +size_of_heap_commit sub stix_attribute_integer; +number_of_rva_and_sizes sub stix_attribute_integer; +message_body_length sub stix_attribute_integer; +number_subkeys sub stix_attribute_integer; +exif_tag_int sub stix_attribute_integer; +src_port sub stix_attribute_integer; +dst_port sub stix_attribute_integer; +src_byte_count sub stix_attribute_integer; +dst_byte_count sub stix_attribute_integer; +src_packets sub stix_attribute_integer; +dst_packets sub stix_attribute_integer; +socket_descriptor sub stix_attribute_integer; +socket_handle sub stix_attribute_integer; +pid sub stix_attribute_integer; +option sub stix_attribute_integer, + plays options:option; +ipfix_integer sub stix_attribute_integer, + plays ipfix:ipfix_field; + +stix_attribute_boolean sub attribute, + value boolean, + + plays granular_marking:marked, + abstract; + +is_family sub stix_attribute_boolean; +is_optimized sub stix_attribute_boolean; +is_self_signed sub stix_attribute_boolean; +dep_enabled sub stix_attribute_boolean; +is_active sub stix_attribute_boolean; +is_hidden sub stix_attribute_boolean; +is_blocking sub stix_attribute_boolean; +is_listening sub stix_attribute_boolean; +can_escalate_privs sub stix_attribute_boolean; +is_service_account sub stix_attribute_boolean; +is_privileged sub stix_attribute_boolean; +can_escalate_privs sub stix_attribute_boolean; +is_disabled sub stix_attribute_boolean; +is_multipart sub stix_attribute_boolean; +aslr_enabled sub stix_attribute_boolean; +revoked sub stix_attribute_boolean; + + +stix_attribute_timestamp sub attribute, + value datetime, + + plays granular_marking:marked, + abstract; + + +date sub stix_attribute_timestamp; +ctime sub stix_attribute_timestamp; +atime sub stix_attribute_timestamp; +mtime sub stix_attribute_timestamp; +created sub stix_attribute_timestamp; +modified sub stix_attribute_timestamp; +submitted sub stix_attribute_timestamp; +valid_from sub stix_attribute_timestamp; +valid_until sub 
stix_attribute_timestamp; +first_observed sub stix_attribute_timestamp; +last_observed sub stix_attribute_timestamp; +analysis_started sub stix_attribute_timestamp; +analysis_ended sub stix_attribute_timestamp; +published sub stix_attribute_timestamp; +first_seen sub stix_attribute_timestamp; +last_seen sub stix_attribute_timestamp; +time_date_stamp sub stix_attribute_timestamp; +end sub stix_attribute_timestamp; +start sub stix_attribute_timestamp; +created_time sub stix_attribute_timestamp; +modified_time sub stix_attribute_timestamp; +account_created sub stix_attribute_timestamp; +account_expires sub stix_attribute_timestamp; +credential_last_changed sub stix_attribute_timestamp; +account_first_login sub stix_attribute_timestamp; +account_last_login sub stix_attribute_timestamp; +validity_not_before sub stix_attribute_timestamp; +validity_not_after sub stix_attribute_timestamp; +private_key_usage_period_not_after sub stix_attribute_timestamp; +private_key_usage_period_not_before sub stix_attribute_timestamp; + + +custom_attribute sub attribute, value string, + plays granular_marking:marked, + owns attribute_type; + +attribute_type sub attribute, value string; + + +rule transitive_use: +when { + $x isa stix_domain_object, has name $name1; + $y isa stix_domain_object, has name $name2; + $z isa stix_domain_object, has name $name3; + $use1 (used_by: $x, used: $y) isa uses; + $use2 (used_by: $y, used: $z) isa uses; +} then { + (used_by: $x, used: $z) isa uses; +}; + +rule attributed_to_when_using: +when { + (attributing: $x, attributed: $y) isa attributed_to; + (used_by: $y, used: $z) isa uses; +} then { + (used_by: $x, used: $z) isa uses; +}; + +rule attributed_to_when_targeting: +when { + (attributing: $x, attributed: $y) isa attributed_to; + (targeting: $y, targeted: $z) isa targets; +} then { + (targeting: $x, targeted: $z) isa targets; +}; + + + +rule linked_list_item: +when { + { (list: $x, first: $z) isa first_element;} + or { + (list: $x, element: $y) isa 
list_element; + $y (next: $z) isa node; + }; + $x isa linked_list; + $z isa node; + $y isa node; +} then { + (list: $x, element: $z) isa list_element; +}; + + +rule last_element_linked_list: +when { + (list: $x, element: $y) isa list_element; + not { + $z isa node; + $y (next: $z); + }; + $x isa linked_list; + $y isa node; + $z isa node; +} then { + (list: $x, last: $y) isa last_element; +}; + + + + + From ef7d41e4fc64c6d434321f75e666ffc3771d6add Mon Sep 17 00:00:00 2001 From: sullivandaly Date: Wed, 14 Jun 2023 09:35:23 +0100 Subject: [PATCH 02/75] add queries + readme --- README.md | 2 +- cyber-threat-intelligence/README.md | 39 +++++++++++++++++++ cyber-threat-intelligence/dataset.tql | 6 +++ cyber-threat-intelligence/examples/query5.tql | 3 ++ 4 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 cyber-threat-intelligence/README.md create mode 100644 cyber-threat-intelligence/examples/query5.tql diff --git a/README.md b/README.md index 8c65ca9..c9d79e4 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ to automate permission inheritance and policy enforcement at the schema level us ### Cyber threat intelligence -COMING SOON! +A guided tutorial to learn how to use TypeDB in a Cyber Threat Intelligence (CTI) context in order to identify threats using powerful queries and inferenced ruling. ## Advanced diff --git a/cyber-threat-intelligence/README.md b/cyber-threat-intelligence/README.md new file mode 100644 index 0000000..72e88ec --- /dev/null +++ b/cyber-threat-intelligence/README.md 
@@ -0,0 +1,39 @@
+# Cyber Threat Intelligence
+
+## Introduction
+
+In this demo, you'll learn how to use TypeDB as the database for a Cyber Threat Intelligence context. We'll cover
+some basic operations like listing the identities and subtyped of it with the help of type-inferenced queries.
+We will then move on to some more advanced examples that take advantage of rules.
+We'll see how we can automate threats discovery at the schema level with the creation of a new rule.
+
+## Required knowledge
+
+This demo assumes knowledge of:
+
+- General identity and access management concepts.
+- TypeDB's transaction system.
+- All basic TypeQL syntax elements.
+- TypeDB Studio's interface.
+
+For more information, please see our [documentation](https://docs.vaticle.com/docs/general/introduction).
+
+## Getting started
+
+Start your TypeDB server and open TypeDB Studio. Make sure you are on a `schema-write` transaction and run the following
+TypeQL file:
+
+```schema.tql```
+
+Then switch to a `data-write` transaction and run the following:
+
+```dataset.tql```
+
+Remember to click on the green tick after running each of these scripts to commit the changes to the database.
+
+## Running the examples
+
+To get started, try running the examples. They are intended to be run once each and in order, so be aware that running
+them more than once or out of order might generate data errors. If anything goes wrong, you can run the
+`dataset.tql` script again to reset everything. All the examples use `data` sessions, but you'll have to switch
+between `read` and `write` transactions depending on the queries in the example, and remember to commit after writes.
diff --git a/cyber-threat-intelligence/dataset.tql b/cyber-threat-intelligence/dataset.tql
index 71df261..725a4d1 100644
--- a/cyber-threat-intelligence/dataset.tql
+++ b/cyber-threat-intelligence/dataset.tql
@@ -4,6 +4,12 @@ # https://oasiss-open.github.io/cti-documentation/stix/examples.html +# Clean old data: + +match $t isa thing; delete $t isa thing; +match $t isa threat_actor; insert $t has full-name "Bravo"; + + # Example from: https://oasis-open.github.io/cti-documentation/examples/identifying-a-threat-actor-profile # Identifying a Threat Actor Profile insert diff --git a/cyber-threat-intelligence/examples/query5.tql b/cyber-threat-intelligence/examples/query5.tql new file mode 100644 index 0000000..9c7aaf5 --- /dev/null +++ b/cyber-threat-intelligence/examples/query5.tql @@ -0,0 +1,3 @@ +match + +$t($x, $y) isa uses; \ No newline at end of file From 4375300fcf94edff2fc0694ee7b712306b838b30 Mon Sep 17 00:00:00 2001 From: sullivandaly Date: Wed, 14 Jun 2023 10:03:49 +0100 Subject: [PATCH 03/75] change README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c9d79e4..19fbd86 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ For users with some experience. Learn more complex features while assuming knowl Learn how to use TypeDB as the database for an identity and access management (IAM) system. Uses a flexible data model to automate permission inheritance and policy enforcement at the schema level using rule-inference. -### Cyber threat intelligence +### [Cyber threat intelligence](https://github.com/vaticle/typedb-examples/tree/master/cyber-threat-intelligence) A guided tutorial to learn how to use TypeDB in a Cyber Threat Intelligence (CTI) context in order to identify threats using powerful queries and inferenced ruling. From 04228aafe20df7e76b5d5254d69a4f8c763ff388 Mon Sep 17 00:00:00 2001 From: sullivandaly Date: Wed, 14 Jun 2023 10:58:34 +0100 Subject: [PATCH 04/75] Deal with DS_Store --- .gitignore | 1 + cyber-threat-intelligence/.DS_Store | Bin 6148 -> 0 bytes 2 files changed, 1 insertion(+) create mode 100644 .gitignore delete mode 100644 cyber-threat-intelligence/.DS_Store 
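Review bot: The new `match $t isa thing; delete $t isa thing;` at the top of dataset.tql wipes every instance in whatever database it is run against, and nothing in the file says so; since the README tells readers to re-run this file to "reset everything", someone pointing Studio at a shared database loses all of its data. I would put a warning directly above it, e.g. `# WARNING: deletes ALL data in the current database before reloading the examples.` The following `match $t isa threat_actor; insert $t has full-name "Bravo";` looks like leftover debugging: right after the wipe there is no threat_actor left to match, and no `full-name` attribute is defined in the visible schema (which uses `name`, `stix_id`, ...), so the statement is either a no-op or a schema error. I would drop that line.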
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..79b5594 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +**/.DS_Store diff --git a/cyber-threat-intelligence/.DS_Store b/cyber-threat-intelligence/.DS_Store deleted file mode 100644 index 2b31a72497758a771de27637343c7b368329c2b7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHK!Ab-%3{7-}0WW*>;Gy^j^9SQH`U7+EsO!oK&TI!o@z|g9;9vRDMA%^q${s|P z1lpITN!ocZZ9_!7cwN;*b0VtH1X+}Vh`Bg*WX>l*&N)Wv>49GQb=?&b{YR7Ry~3W~ z>5c~4+W&nV#;pzS_zbaamwjAH{KfUt=gs-YWhvJXSHJQbAM5U?HQ&1DO&>RFtOLGX zoB?OR8E^)ifxQ^8JES_@E82sc0cYTl8IbcKpb0jHNiiQC=yC}FoWYz0y3`U96AT-} zq=*>^Yba1d*-8x7aM*+SHHJx1!-=i Date: Fri, 16 Jun 2023 16:45:29 +0100 Subject: [PATCH 05/75] add queries --- cyber-threat-intelligence/dataset.tql | 55 +++++++++++-------- cyber-threat-intelligence/examples/query4.tql | 22 +++++++- 2 files changed, 51 insertions(+), 26 deletions(-) diff --git a/cyber-threat-intelligence/dataset.tql b/cyber-threat-intelligence/dataset.tql index 725a4d1..58feb97 100644 --- a/cyber-threat-intelligence/dataset.tql +++ b/cyber-threat-intelligence/dataset.tql @@ -205,7 +205,7 @@ $data2 isa observed_data, insert $bravo_ta isa threat_actor, has spec_version "2.1", - has stix_id "threat_actor__9a8a0d25_7636_429b_a99e_b2a73cd0f11f", + has stix_id "threat_actor_bravo", has created 2015-05-07T14:22:14.760, has modified 2015-05-07T14:22:14.760, has name "Adversary Bravo", 
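Review bot: Replacing the STIX identifier with the free-form string `threat_actor_bravo` (and `bravo_id_unknown` in the next hunk) drops the `type--UUID` form that the rest of dataset.tql keeps, e.g. `threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500`, so the tutorial objects would not round-trip with a real STIX 2.1 feed or with tooling that parses the `--` separator. If a readable id is wanted for the exercises, I would either keep it STIX-shaped or add a comment above the insert such as `# NOTE: tutorial objects use simplified, non-STIX ids for readability.`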
@@ -235,26 +235,26 @@ $phishing isa attack_pattern, $bravo_id isa id_unknown, has spec_version "2.1", - has stix_id "identity__1621d4d4_b67d_41e3_9670_f01faf20d111", + has stix_id "bravo_id_unknown", has created 2015-05-10T16:27:17.760, has modified 2015-05-10T16:27:17.760, has name "Adversary Bravo", has description "Adversary Bravo is a threat actor that utilizes phishing attacks."; -(used_by: $bravo_ta, used: $poison_ivy) isa uses, - has spec_version "2.1", - has stix_id "relationship__d44019b6_b8f7_4cb3_837e_7fd3c5724b87", - has created 2020-02-29T18:18:08.661, - has modified 2020-02-29T18:18:08.661; -(used_by: $bravo_ta, used: $phishing) isa uses, - has spec_version "2.1", - has stix_id "relationship__3cd2d6f9_0ded_486b_8dca_606283a8997f", - has created 2020-02-29T18:18:08.661, - has modified 2020-02-29T18:18:08.661; -(attributing: $bravo_ta, attributed: $bravo_id) isa attributed_to, - has spec_version "2.1", - has stix_id "relationship__56e5f1c8_08f3_4e24_9e8e_f87d844672ec", - has created 2020-02-29T18:18:08.661, - has modified 2020-02-29T18:18:08.661; +# (using: $bravo_ta, used: $poison_ivy) isa uses, +# has spec_version "2.1", +# has stix_id "relationship__d44019b6_b8f7_4cb3_837e_7fd3c5724b87", +# has created 2020-02-29T18:18:08.661, +# has modified 2020-02-29T18:18:08.661; +# (using: $bravo_ta, used: $phishing) isa uses, +# has spec_version "2.1", +# has stix_id "relationship__3cd2d6f9_0ded_486b_8dca_606283a8997f", +# has created 2020-02-29T18:18:08.661, +# has modified 2020-02-29T18:18:08.661; +# (attributing: $bravo_ta, attributed: $bravo_id) isa attributed_to, +# has spec_version "2.1", +# has stix_id "relationship__56e5f1c8_08f3_4e24_9e8e_f87d844672ec", +# has created 2020-02-29T18:18:08.661, +# has modified 2020-02-29T18:18:08.661; # Example from: https://oasis-open.github.io/cti-documentation/examples/malware-indicator-for-file-hash # Malware Indicator for File Hash 
@@ -287,6 +287,14 @@ $ma isa malware, has name "Poison Ivy", # Example from: https://oasis-open.github.io/cti-documentation/examples/defining-campaign-ta-is # Defining Campaigns vs. Threat Actors vs. Intrusion Sets insert + +$bravo_at isa attack_pattern, + has spec_version "2.1", + has stix_id "attack_pattern_bravo", + has created 2015-05-10T16:27:16.760, + has modified 2015-05-10T16:27:16.760, + has name "Attack Pattern Bravo"; + $bpp_ta isa threat_actor, has spec_version "2.1", has stix_id "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500", @@ -425,13 +433,13 @@ $ato6 has spec_version "2.1", has created 2020-02-29T17:41:44.939, has modified 2020-02-29T17:41:44.939; -$ato7 (used_by: $is1, used: $at1) isa uses; +$ato7 (using: $is1, used: $at1) isa uses; $ato7 has spec_version "2.1", has stix_id "relationship--06964095-5750-41fe-a9af-6c6a9d995489", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; -$ato8 (used_by: $is1, used: $at2) isa uses; +$ato8 (using: $is1, used: $at2) isa uses; $ato8 has spec_version "2.1", has stix_id "relationship--4fe5dab1-fd6d-41aa-b8b1-d3118a708284", has created 2020-02-29T17:41:44.940, @@ -449,13 +457,13 @@ $ato10 has spec_version "2.1", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; -$ato11 (used_by: $ca1, used: $at1) isa uses; +$ato11 (using: $ca1, used: $at1) isa uses; $ato11 has spec_version "2.1", has stix_id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0a", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; -$ato12 (used_by: $ca2, used: $at2) isa uses; +$ato12 (using: $ca2, used: $at2) isa uses; $ato12 has spec_version "2.1", has stix_id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0b", has created 2020-02-29T17:41:44.940, 
@@ -485,15 +493,16 @@ $ato16 has spec_version "2.1", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; -$ato17 (used_by: $bpp_ta, used: $at1) isa uses; +$ato17 (using: $bpp_ta, used: $at1) isa uses; $ato17 has spec_version "2.1", has stix_id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b10", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; -$ato18 (used_by: $bpp_ta, used: $at2) isa uses; +$ato18 (using: $bpp_ta, used: $at2) isa uses; $ato18 has spec_version "2.1", has stix_id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b11", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; + diff --git a/cyber-threat-intelligence/examples/query4.tql b/cyber-threat-intelligence/examples/query4.tql index 12732d0..c995dc1 100644 --- a/cyber-threat-intelligence/examples/query4.tql +++ b/cyber-threat-intelligence/examples/query4.tql @@ -1,6 +1,22 @@ +# Example 03: + +# Now let's insert a new targets relation between a specific malware and a specific id_unknown: + match -$t isa id_unknown, has name "Adversary Bravo"; -$bravo_ta isa threat_actor, has stix_id "bravo_threat"; +$bravo_id isa id_unknown, has name "Adversary Bravo"; +$bravo_ma isa malware, has stix_id "bravo_malware"; insert -(targeting: $bravo_ta, targeted: $t) isa targets; +(targeting: $bravo_ma, targeted: $bravo_id) isa targets, + has stix_id "bravo_targets"; + +#-------------------------------------------------- +# Exercise 04: + +# Write a new query to find the attack_pattern with stix_id "attack_pattern_bravo" +# as well as the malware with stix_id "bravo_malware" +# and then, create a uses relationship to descibe the fact that the attack_pattern is using the malware +# Keyword hints: match, insert +# Type hints: attack_pattern, malware, uses + +#-------------------------------------------------- From 3b9ceb6dc457f211abfa3d83c639ca1570f985bd Mon Sep 17 00:00:00 2001 
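Review bot: The new header in query4.tql reads `# Example 03:` while this is the fourth example and its own exercise block is labelled `Exercise 04`; it should read `# Example 04:`. The `targets` relation is inserted with only a `stix_id`, whereas every relationship in dataset.tql also carries `spec_version`, `created` and `modified`; either add those or state in the comment that they are omitted for brevity. Nothing visible makes `stix_id` unique, so re-running the example presumably creates a second `bravo_targets` relation rather than failing, which is worth a one-line caveat given the README's warning about re-runs. Also `descibe` → `describe` in the exercise text.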
From: sullivandaly Date: Fri, 16 Jun 2023 16:47:05 +0100 Subject: [PATCH 06/75] add queries --- cyber-threat-intelligence/examples/query1.tql | 8 ++ cyber-threat-intelligence/examples/query2.tql | 8 ++ cyber-threat-intelligence/examples/query3.tql | 28 ++++-- cyber-threat-intelligence/examples/query5.tql | 18 +++- cyber-threat-intelligence/examples/query6.tql | 39 +++++++++ cyber-threat-intelligence/examples/query7.tql | 12 +++ cyber-threat-intelligence/examples/query8.tql | 6 ++ cyber-threat-intelligence/schema.tql | 87 +++++++++---------- 8 files changed, 154 insertions(+), 52 deletions(-) create mode 100644 cyber-threat-intelligence/examples/query6.tql create mode 100644 cyber-threat-intelligence/examples/query7.tql create mode 100644 cyber-threat-intelligence/examples/query8.tql diff --git a/cyber-threat-intelligence/examples/query1.tql b/cyber-threat-intelligence/examples/query1.tql index f0741a1..376e9e2 100644 --- a/cyber-threat-intelligence/examples/query1.tql +++ b/cyber-threat-intelligence/examples/query1.tql @@ -5,3 +5,11 @@ match $t isa id_unknown, has $all; + +#-------------------------------------------------- +# Exercise 01: + +# Edit this query to show only the name and description of our id_unknown. +# Type hints: name, description + +#-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/query2.tql b/cyber-threat-intelligence/examples/query2.tql index 3316275..3159ec8 100644 --- a/cyber-threat-intelligence/examples/query2.tql +++ b/cyber-threat-intelligence/examples/query2.tql @@ -5,3 +5,11 @@ match $t isa identity, has $all; + +#-------------------------------------------------- +# Exercise 02: + +# Edit this query to list only id_unknown and identity. +# Keyword hints: negation, not + +#-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/query3.tql b/cyber-threat-intelligence/examples/query3.tql index 2b747fb..418a149 100644 
--- a/cyber-threat-intelligence/examples/query3.tql +++ b/cyber-threat-intelligence/examples/query3.tql @@ -1,5 +1,7 @@ -match -$t isa id_unknown, has name "Adversary Bravo"; +# Example 03: + +# Now let's insert a new threat actor, a new malware and add them an attributed_to relation: + insert $bravo_ta isa threat_actor, has spec_version "2.1", @@ -9,10 +11,24 @@ $bravo_ta isa threat_actor, has name "Bravo Attacker", has threat_actor_types "spy", has threat_actor_types "criminal"; -(attributing: $bravo_ta, attributed: $bravo_id) isa attributed_to, + +$bravo_ma isa malware, has spec_version "2.1", - has stix_id "bravo_rel", - has created 2023-02-29T18:18:08.661, - has modified 2023-02-29T18:18:08.661;; + has stix_id "bravo_malware", + has created 2022-05-07T14:22:14.760, + has modified 2022-05-07T14:22:14.760, + has description "Bravo Malware"; + +(attributing: $bravo_ta, attributed: $bravo_ma) isa attributed_to, + has spec_version "2.1", + has stix_id "bravo_threat_attributed_to_bravo_id"; + +#-------------------------------------------------- +# Exercise 03: +# Write a new query to give bravo_threat a third threat_actor_types: "insider". Try re-running Example 03 to +# see the results of this addition queries. +# Keyword hints: match, insert +# Type hints: threat_actor, threat_actor_types +#-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/query5.tql b/cyber-threat-intelligence/examples/query5.tql index 9c7aaf5..3667eb9 100644 --- a/cyber-threat-intelligence/examples/query5.tql +++ b/cyber-threat-intelligence/examples/query5.tql 
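Review bot: The example attributes a threat_actor to a malware (`(attributing: $bravo_ta, attributed: $bravo_ma) isa attributed_to`), but in STIX 2.1 `attributed-to` runs from a campaign/intrusion-set/threat-actor to a threat-actor or identity, never to malware; the schema had to be widened in this same patch (malware now plays `attributed_to:attributed`) to make the insert pass, and the relation's `stix_id`, `bravo_threat_attributed_to_bravo_id`, still names an identity as the target. If the intent is "this malware belongs to Bravo", the STIX-shaped edge is `(using: $bravo_ta, used: $bravo_ma) isa uses`, which Example 06 inserts anyway; otherwise I would at least rename the id and add `# NOTE: threat_actor -> malware attribution is a tutorial extension, not a STIX 2.1 relationship.` Also "this addition queries" → "this additional query" in the exercise text.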
@@ -1,3 +1,19 @@ +# Example 05: + +# Now let's research the attack we described earlier using the id_unknown and threat_actor stix_id + match -$t($x, $y) isa uses; \ No newline at end of file +$t($x, $y) isa targets; +$c($a, $b) isa attributed_to; +$b has stix_id "bravo_threat"; +$x has stix_id "bravo_id_unknown"; + + +#-------------------------------------------------- +# Exercise 05: + +# Try to run again the same query activating inference +# Keyword hints: infer + +#-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/query6.tql b/cyber-threat-intelligence/examples/query6.tql new file mode 100644 index 0000000..c2dcb3b --- /dev/null +++ b/cyber-threat-intelligence/examples/query6.tql @@ -0,0 +1,39 @@ +# Example 06: + +# Now let's research the attack we described earlier using the id_unknown and threat_actor stix_id + +match +$bravo_ap isa attack_pattern, has stix_id "attack_pattern_bravo"; +$bravo_ma isa malware, has stix_id "bravo_malware"; +$bravo_ta isa threat_actor, has stix_id "bravo_threat"; + +insert +$u1 (used: $bravo_ap, using:$bravo_ma) isa uses, + has stix_id "bravo_uses_1"; +$u2 (used: $bravo_ma, using:$bravo_ta) isa uses, + has stix_id "bravo_uses_2"; + + +#rule attributed_to_when_using: +#when { +# (attributing: $z, attributed: $x) isa attributed_to; +# (targeting: $x, targeted: $y) isa targets; +#} then { +# (using: $z, used: $y) isa uses; +#}; + +#-------------------------------------------------- +# Exercise 06: + + +# Create a rule in order to create by inference a transitivity + +# match + +# $t($x, $y) isa targets; +# $c($a, $b) isa attributed_to; +# $h($m, $n) isa uses; +# $b has stix_id "bravo_threat"; +# $x has stix_id "bravo_id_unknown"; + +#-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/query7.tql b/cyber-threat-intelligence/examples/query7.tql new file mode 100644 index 0000000..b965eea --- /dev/null 
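Review bot: The header comment of the new query6.tql is copied from example 05 ("research the attack we described earlier using the id_unknown and threat_actor stix_id") but the query inserts two `uses` relations; it should say so, e.g. `# Now let's chain uses relations: bravo_threat uses bravo_malware, which uses attack_pattern_bravo.` Exercise 06 asks the reader to "create a rule ... transitivity of the uses relation", yet this same patch already defines `transitive_use` in schema.tql, so as written the exercise either redefines an existing rule or adds nothing — the text should say whether the reader is meant to write their own rule under a different name or to inspect the existing one. The two inserted relations also carry only a `stix_id`, unlike the relationships in dataset.tql.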
+++ b/cyber-threat-intelligence/examples/query7.tql @@ -0,0 +1,12 @@ +# Example 07: + +# Now let's research the attack we described earlier using the id_unknown and threat_actor stix_id + +match + +$e has external_id $eid; +$a isa attack_pattern, has name $an; +$i isa intrusion_set, has name $in; +$rel (referencing: $a, referenced: $e) isa external_references; +$u (used: $a, using: $i) isa uses; + diff --git a/cyber-threat-intelligence/examples/query8.tql b/cyber-threat-intelligence/examples/query8.tql new file mode 100644 index 0000000..3e9ffb0 --- /dev/null +++ b/cyber-threat-intelligence/examples/query8.tql @@ -0,0 +1,6 @@ +match +$e isa external_reference; +$e has $eid; +$a isa attack_pattern; +$rel (referencing: $a, referenced: $e) isa external_references; + diff --git a/cyber-threat-intelligence/schema.tql b/cyber-threat-intelligence/schema.tql index 0c55c2d..0d12ad5 100644 --- a/cyber-threat-intelligence/schema.tql +++ b/cyber-threat-intelligence/schema.tql @@ -94,7 +94,7 @@ attack_pattern sub stix_domain_object, # Rel plays delivers:delivering, plays targets:targeting, - plays uses:used_by, + plays uses:using, # RRel plays indicates:indicated, @@ -112,7 +112,7 @@ campaign sub stix_domain_object, # Rel plays targets:targeting, plays attributed_to:attributing, - plays uses:used_by, + plays uses:using, plays compromises:compromising, plays originates_from:originating, @@ -148,8 +148,10 @@ identity sub stix_domain_object, # Rel plays located_at:locating, + plays uses:using, # RRel + plays uses:used, plays targets:targeted, plays attributed_to:attributed, plays impersonates:impersonated; @@ -193,7 +195,7 @@ infrastructure sub stix_domain_object, # Rel plays delivers:delivering, - plays uses:used_by, + plays uses:using, plays located_at:locating, plays communicates_with:communicating, plays consist_of:consisting, 
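Review bot: Giving `identity` both `uses:using` and `uses:used` makes the schema accept edges STIX 2.1 does not define — as far as I recall the spec, an identity is never the source of `uses`, and its only `uses` targets are attack-pattern, infrastructure, malware and tool. This looks like it was added so the Exercise 04 solution (`id_unknown` using a malware) can be inserted; if so I would mark it, e.g. `plays uses:using,   # tutorial extension: not a STIX 2.1 relationship`, so nobody treats this file as a faithful STIX mapping. The `attack_pattern`, `campaign` and `infrastructure` hunks here are pure `used_by` → `using` renames and look fine.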
@@ -227,7 +229,7 @@ intrusion_set sub stix_domain_object, # Rel plays targets:targeting, - plays uses:used_by, + plays uses:using, plays attributed_to:attributing, plays compromises:compromising, plays originates_from:originating, @@ -253,7 +255,7 @@ malware sub stix_domain_object, # Rel plays targets:targeting, - plays uses:used_by, + plays uses:using, plays originates_from:originating, plays controls:controlling, plays hosts:hosting, @@ -267,6 +269,7 @@ malware sub stix_domain_object, plays communicates_with:communicating, # RRel + plays attributed_to:attributed, plays controls:controlled, plays remediates:remediated, plays mitigates:mitigated, @@ -361,7 +364,7 @@ threat_actor sub stix_domain_object, # Rel plays targets:targeting, - plays uses:used_by, + plays uses:using, plays attributed_to:attributing, plays compromises:compromising, plays located_at:locating, @@ -386,7 +389,7 @@ tool sub stix_domain_object, # Rel plays delivers:delivering, plays targets:targeting, - plays uses:used_by, + plays uses:using, plays have:having, plays drops:dropping, @@ -409,7 +412,7 @@ custom_object sub stix_domain_object, # Rel plays delivers:delivering, plays targets:targeting, - plays uses:used_by, + plays uses:using, # RRel plays uses:used, @@ -463,7 +466,7 @@ attributed_to sub stix_core_relationship, relates attributed as target; uses sub stix_core_relationship, - relates used_by as source, + relates using as source, relates used as target; indicates sub stix_core_relationship, @@ -1419,8 +1422,6 @@ environment_variable sub stix_attribute_string, startup sub stix_attribute_string, plays startup_info:info; - - issuer sub stix_attribute_string; serial_number sub stix_attribute_string; signature_algorithm sub stix_attribute_string; 
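Review bot: Adding `plays attributed_to:attributed` to `malware` (the `@@ -267,6 +269,7 @@` hunk) lets a threat_actor be "attributed to" a malware, which is not a valid `attributed-to` target in STIX 2.1 and reads backwards (the source of `attributed-to` is the thing being attributed). It appears to exist only so that Example 03's insert passes; I would either drop the role and express that link as `(using: $bravo_ta, used: $bravo_ma) isa uses`, or comment it as a tutorial-only extension. The remaining hunks on this line are consistent `used_by` → `using` renames, including the `uses` relation's own `relates using as source` definition.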
@@ -1547,14 +1548,12 @@ is_multipart sub stix_attribute_boolean; aslr_enabled sub stix_attribute_boolean; revoked sub stix_attribute_boolean; - stix_attribute_timestamp sub attribute, value datetime, plays granular_marking:marked, abstract; - date sub stix_attribute_timestamp; ctime sub stix_attribute_timestamp; atime sub stix_attribute_timestamp; @@ -1586,43 +1585,12 @@ validity_not_after sub stix_attribute_timestamp; private_key_usage_period_not_after sub stix_attribute_timestamp; private_key_usage_period_not_before sub stix_attribute_timestamp; - custom_attribute sub attribute, value string, plays granular_marking:marked, owns attribute_type; attribute_type sub attribute, value string; - -rule transitive_use: -when { - $x isa stix_domain_object, has name $name1; - $y isa stix_domain_object, has name $name2; - $z isa stix_domain_object, has name $name3; - $use1 (used_by: $x, used: $y) isa uses; - $use2 (used_by: $y, used: $z) isa uses; -} then { - (used_by: $x, used: $z) isa uses; -}; - -rule attributed_to_when_using: -when { - (attributing: $x, attributed: $y) isa attributed_to; - (used_by: $y, used: $z) isa uses; -} then { - (used_by: $x, used: $z) isa uses; -}; - -rule attributed_to_when_targeting: -when { - (attributing: $x, attributed: $y) isa attributed_to; - (targeting: $y, targeted: $z) isa targets; -} then { - (targeting: $x, targeted: $z) isa targets; -}; - - - rule linked_list_item: when { { (list: $x, first: $z) isa first_element;} @@ -1637,7 +1605,6 @@ when { (list: $x, element: $z) isa list_element; }; - rule last_element_linked_list: when { (list: $x, element: $y) isa list_element; 
@@ -1652,6 +1619,36 @@ when { (list: $x, last: $y) isa last_element; }; +rule transitive_use: +when { + $x isa stix_domain_object, has name $name1; + $y isa stix_domain_object, has name $name2; + $z isa stix_domain_object, has name $name3; + $use1 (using: $x, used: $y) isa uses; + $use2 (using: $y, used: $z) isa uses; +} then { + (using: $x, used: $z) isa uses; +}; + +rule attributed_to_when_using: +when { + (attributing: $z, attributed: $x) isa attributed_to; + (using: $x, used: $y) isa uses; +} then { + (using: $z, used: $y) isa uses; +}; + +rule attributed_to_when_targeting: +when { + (attributing: $z, attributed: $x) isa attributed_to; + (targeting: $x, targeted: $y) isa targets; +} then { + (targeting: $z, targeted: $y) isa targets; +}; + + + + From d47ed94a7698703f8cdc0664de8bd21ea453fbd8 Mon Sep 17 00:00:00 2001 From: sullivandaly Date: Fri, 16 Jun 2023 16:49:07 +0100 Subject: [PATCH 07/75] add comments --- cyber-threat-intelligence/dataset.tql | 1 - cyber-threat-intelligence/examples/query3.tql | 2 +- cyber-threat-intelligence/examples/query4.tql | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/cyber-threat-intelligence/dataset.tql b/cyber-threat-intelligence/dataset.tql index 58feb97..d7f46f1 100644 --- a/cyber-threat-intelligence/dataset.tql +++ b/cyber-threat-intelligence/dataset.tql @@ -505,4 +505,3 @@ $ato18 has spec_version "2.1", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; - diff --git a/cyber-threat-intelligence/examples/query3.tql b/cyber-threat-intelligence/examples/query3.tql index 418a149..cea4201 100644 --- a/cyber-threat-intelligence/examples/query3.tql +++ b/cyber-threat-intelligence/examples/query3.tql @@ -31,4 +31,4 @@ $bravo_ma isa malware, # Keyword hints: match, insert # Type hints: threat_actor, threat_actor_types -#-------------------------------------------------- +#-------------------------------------------------- \ No newline at end of file 
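Review bot: `transitive_use` binds `$name1`, `$name2` and `$name3` but never uses them, and the `has name` conditions silently exclude every object without a `name` from transitive inference — the malware inserted in example 03 has only a `description`, so the uses chain built in example 06 would not be closed through it. I would reduce the body to `$use1 (using: $x, used: $y) isa uses; $use2 (using: $y, used: $z) isa uses;` (keeping the three `isa stix_domain_object` lines if the type restriction is wanted). Separately, `attributed_to_when_using` propagates `uses` from the `attributed` (target) player to the `attributing` (source) one; under the STIX 2.1 reading, where a campaign is attributed to a threat actor, that infers "campaign uses X" from "threat actor uses X", which is the less defensible direction, so a comment stating which reading this schema intends would help.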
diff --git a/cyber-threat-intelligence/examples/query4.tql b/cyber-threat-intelligence/examples/query4.tql index c995dc1..22026b8 100644 --- a/cyber-threat-intelligence/examples/query4.tql +++ b/cyber-threat-intelligence/examples/query4.tql @@ -19,4 +19,4 @@ insert # Keyword hints: match, insert # Type hints: attack_pattern, malware, uses -#-------------------------------------------------- +#-------------------------------------------------- \ No newline at end of file From 41bf41fd94e7006bf8a82433dbfec373934d1f8b Mon Sep 17 00:00:00 2001 
From: sullivandaly Date: Fri, 23 Jun 2023 15:38:44 +0100 Subject: [PATCH 08/75] pre_review --- .../{query1.tql => 01-list-id_unknown.tql} | 3 + .../{query2.tql => 02-list-identity.tql} | 5 +- .../{query3.tql => 03-create-malware.tql} | 10 +-- .../{query4.tql => 04-assign-target.tql} | 2 +- .../{query5.tql => 05-infered-uses.tql} | 0 .../{query6.tql => 06-uses-chain.tql} | 18 +----- .../examples/07-external-reference.tql | 25 ++++++++ .../examples/08-check-intrusion-set.tql | 20 ++++++ .../examples/exercise-solutions.tql | 64 +++++++++++++++++++ cyber-threat-intelligence/examples/query7.tql | 12 ---- cyber-threat-intelligence/examples/query8.tql | 6 -- 11 files changed, 124 insertions(+), 41 deletions(-) rename cyber-threat-intelligence/examples/{query1.tql => 01-list-id_unknown.tql} (63%) rename cyber-threat-intelligence/examples/{query2.tql => 02-list-identity.tql} (56%) rename cyber-threat-intelligence/examples/{query3.tql => 03-create-malware.tql} (78%) rename cyber-threat-intelligence/examples/{query4.tql => 04-assign-target.tql} (93%) rename cyber-threat-intelligence/examples/{query5.tql => 05-infered-uses.tql} (100%) rename cyber-threat-intelligence/examples/{query6.tql => 06-uses-chain.tql} (58%) create mode 100644 cyber-threat-intelligence/examples/07-external-reference.tql create mode 100644 cyber-threat-intelligence/examples/08-check-intrusion-set.tql create mode 100644 cyber-threat-intelligence/examples/exercise-solutions.tql delete mode 100644 cyber-threat-intelligence/examples/query7.tql delete mode 100644 cyber-threat-intelligence/examples/query8.tql diff --git a/cyber-threat-intelligence/examples/query1.tql b/cyber-threat-intelligence/examples/01-list-id_unknown.tql similarity index 63% rename from cyber-threat-intelligence/examples/query1.tql rename to cyber-threat-intelligence/examples/01-list-id_unknown.tql index 376e9e2..c626c1c 100644 --- a/cyber-threat-intelligence/examples/query1.tql 
+++ b/cyber-threat-intelligence/examples/01-list-id_unknown.tql @@ -1,6 +1,9 @@ # Example 01: # We are querying for a list of id_unkown in the database: +# $t and $all are variables, which can be used in the query. +# The query is a match statement, which is a pattern matching statement. +# The query will return all the id_unknown in the database. match diff --git a/cyber-threat-intelligence/examples/query2.tql b/cyber-threat-intelligence/examples/02-list-identity.tql similarity index 56% rename from cyber-threat-intelligence/examples/query2.tql rename to cyber-threat-intelligence/examples/02-list-identity.tql index 3159ec8..ee9df26 100644 --- a/cyber-threat-intelligence/examples/query2.tql +++ b/cyber-threat-intelligence/examples/02-list-identity.tql @@ -1,6 +1,9 @@ # Example 02: -# We are querying for a list of identity in the database: +# We are querying for a list of identity in the database. +# We are using the match keyword to match the identity type. +# As we can see identity exists in the database but also referenced other subtypes. + match diff --git a/cyber-threat-intelligence/examples/query3.tql b/cyber-threat-intelligence/examples/03-create-malware.tql similarity index 78% rename from cyber-threat-intelligence/examples/query3.tql rename to cyber-threat-intelligence/examples/03-create-malware.tql index cea4201..ad52742 100644 --- a/cyber-threat-intelligence/examples/query3.tql +++ b/cyber-threat-intelligence/examples/03-create-malware.tql @@ -1,6 +1,8 @@ # Example 03: -# Now let's insert a new threat actor, a new malware and add them an attributed_to relation: +# Now let's insert a new threat actor, a new malware and add them an attributed_to relation. +# We will also add a new malware, bravo_malware as well as a new threat_actor, bravo_threat. +# We will then use them both to create a new attributed_to relation. insert $bravo_ta isa threat_actor, 
@@ -20,9 +22,9 @@ $bravo_ma isa malware, has description "Bravo Malware"; (attributing: $bravo_ta, attributed: $bravo_ma) isa attributed_to, - has spec_version "2.1", + has spec_version "2.01", has stix_id "bravo_threat_attributed_to_bravo_id"; - + #-------------------------------------------------- # Exercise 03: @@ -31,4 +33,4 @@ $bravo_ma isa malware, # Keyword hints: match, insert # Type hints: threat_actor, threat_actor_types -#-------------------------------------------------- \ No newline at end of file +#-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/query4.tql b/cyber-threat-intelligence/examples/04-assign-target.tql similarity index 93% rename from cyber-threat-intelligence/examples/query4.tql rename to cyber-threat-intelligence/examples/04-assign-target.tql index 22026b8..c995dc1 100644 --- a/cyber-threat-intelligence/examples/query4.tql +++ b/cyber-threat-intelligence/examples/04-assign-target.tql @@ -19,4 +19,4 @@ insert # Keyword hints: match, insert # Type hints: attack_pattern, malware, uses -#-------------------------------------------------- \ No newline at end of file +#-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/query5.tql b/cyber-threat-intelligence/examples/05-infered-uses.tql similarity index 100% rename from cyber-threat-intelligence/examples/query5.tql rename to cyber-threat-intelligence/examples/05-infered-uses.tql diff --git a/cyber-threat-intelligence/examples/query6.tql b/cyber-threat-intelligence/examples/06-uses-chain.tql similarity index 58% rename from cyber-threat-intelligence/examples/query6.tql rename to cyber-threat-intelligence/examples/06-uses-chain.tql index c2dcb3b..45010ee 100644 --- a/cyber-threat-intelligence/examples/query6.tql +++ b/cyber-threat-intelligence/examples/06-uses-chain.tql 
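Review bot: The attributed_to relation's `spec_version` is changed from `"2.1"` to `"2.01"`, which is not a STIX version and differs from every other object in the dataset and examples; this looks like an accidental keystroke during the rename and should be reverted to `has spec_version "2.1",`. Nothing in the visible schema validates the value, so the typo would be stored silently and only surface when someone filters or exports on `spec_version`.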
@@ -14,26 +14,10 @@ $u2 (used: $bravo_ma, using:$bravo_ta) isa uses, has stix_id "bravo_uses_2"; -#rule attributed_to_when_using: -#when { -# (attributing: $z, attributed: $x) isa attributed_to; -# (targeting: $x, targeted: $y) isa targets; -#} then { -# (using: $z, used: $y) isa uses; -#}; - #-------------------------------------------------- # Exercise 06: +# Create a rule in order to create by inference a transitivity of the uses relation. -# Create a rule in order to create by inference a transitivity - -# match - -# $t($x, $y) isa targets; -# $c($a, $b) isa attributed_to; -# $h($m, $n) isa uses; -# $b has stix_id "bravo_threat"; -# $x has stix_id "bravo_id_unknown"; #-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/07-external-reference.tql b/cyber-threat-intelligence/examples/07-external-reference.tql new file mode 100644 index 0000000..2773e85 --- /dev/null +++ b/cyber-threat-intelligence/examples/07-external-reference.tql @@ -0,0 +1,25 @@ +# Example 07: + +# From the previous example, we can see that some attack patterns are used by intrusion sets. +# We can also see that some attack patterns have external references. +# We can use the same approach to find attack patterns that are used by intrusion sets and have external references. + +match + +$e isa external_reference; +$e has $eid; +$a isa attack_pattern; +$rel (referencing: $a, referenced: $e) isa external_references; + + +#-------------------------------------------------- +# Exercise 07: + +# Find all attack patterns that are used by intrusion sets and have external references. +# Return the name of the attack pattern, the name of the intrusion set, and the external reference ID. +# Order by the name of the attack pattern. +# Keyword hints: match, sort +# Type hints: attack_pattern, intrusion_set, external_reference + +#-------------------------------------------------- + 
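Review bot: The comment in the new 07-external-reference.tql says the query finds "attack patterns that are used by intrusion sets and have external references", but the match has no `intrusion_set` or `uses` pattern; it returns every attack_pattern/external_reference pair, and `$e has $eid` with no attribute type pulls in every attribute of each reference (e.g. `url_link`, `external_id`), not an ID. I would either describe what it does (`# List every external reference attached to an attack pattern, with all its attributes.`) or constrain it, e.g. `$e has external_id $eid;`. Exercise 07 asks for the intrusion set name, which the solution file in this series does not return either.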
diff --git a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql new file mode 100644 index 0000000..c359669 --- /dev/null +++ b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql @@ -0,0 +1,20 @@ +# Example 08: + +# This example shows how to use the match command to find all the +# relationships between an attack pattern and an intrusion set that +# are referenced by a specific external reference. + +match + +$a isa attack_pattern, has name $an; +$i isa intrusion_set, has name $in; +$rel (referencing: $a, referenced: $e) isa external_references; +$u (used: $a, using: $i) isa uses; + +#------------------------------------------------------------ +# Exercise 08: + +# Create a intrusion_set as well as an external_reference and external_references +# relationship that references to be able to display our previously created bravo_*. + +#------------------------------------------------------------ diff --git a/cyber-threat-intelligence/examples/exercise-solutions.tql b/cyber-threat-intelligence/examples/exercise-solutions.tql new file mode 100644 index 0000000..ba55b76 --- /dev/null +++ b/cyber-threat-intelligence/examples/exercise-solutions.tql 
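Review bot: The header of 08-check-intrusion-set.tql promises relationships "referenced by a specific external reference", but `$e` is never typed or constrained — there is no `$e isa external_reference` and no `external_id`/`url_link` filter — so the query lists every attack_pattern/intrusion_set `uses` pair that has any external reference at all. Either add the filter the comment implies (e.g. `$e isa external_reference, has external_id $eid;`) or reword the comment to "that also carry an external reference". The Exercise 08 text is hard to parse; I would reword it to "Insert an intrusion_set and an external_reference, link them with an external_references relation, and extend this query so the bravo_* objects appear."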
@@ -0,0 +1,64 @@ +# Solutions + +# The solutions to each of the exercises can be found here. To run the query in a solution: make sure the correct +# session and transaction type are selected, highlight the intended query, right click and select "Run Selection". + +#-------------------------------------------------- +# Exercise 01 solution: + + +match +$t isa id_unknown, has name, has description; + +#-------------------------------------------------- +# Exercise 02 solution: + +match +$t isa identity, has $all; +not{$t isa organization;}; + +#-------------------------------------------------- +# Exercise 03 solution: + +match +$t isa threat_actor, has stix_id $n; +$n = "bravo_threat"; + +insert +$t has threat_actor_types "insider"; + +#-------------------------------------------------- +# Exercise 04 solution: + +match +$bravo_id isa id_unknown, has name "Adversary Bravo"; +$bravo_ma isa malware, has stix_id "bravo_malware"; + +insert +(used: $bravo_ma, using: $bravo_id) isa uses, + has stix_id "bravo_use"; + + +#-------------------------------------------------- +# Exercise 06 solution: + +rule transitive_use: +when { + $x isa stix_domain_object, has name $name1; + $y isa stix_domain_object, has name $name2; + $z isa stix_domain_object, has name $name3; + $use1 (used_by: $x, used: $y) isa uses; + $use2 (used_by: $y, used: $z) isa uses; +} then { + (used_by: $x, used: $z) isa uses; +}; + +#-------------------------------------------------- +# Exercise 07 solution: + +match + +$e isa external_reference, has url_link $c; +$e has $eid; +$a isa attack_pattern, has name $d; +$rel (referencing: $a, referenced: $e) isa external_references; sort $d; \ No newline at end of file diff --git a/cyber-threat-intelligence/examples/query7.tql b/cyber-threat-intelligence/examples/query7.tql deleted file mode 100644 index b965eea..0000000 --- a/cyber-threat-intelligence/examples/query7.tql +++ /dev/null 
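Review bot: The Exercise 06 solution still uses the `used_by` role (`$use1 (used_by: $x, used: $y) isa uses;` ...), which this same series renamed to `using` in schema.tql, so the rule would be rejected against the schema the tutorial installs; the three lines should read `$use1 (using: $x, used: $y) isa uses;`, `$use2 (using: $y, used: $z) isa uses;` and `(using: $x, used: $z) isa uses;`. It also defines `transitive_use`, a rule name the schema already has, and what a second `define` under the same name does depends on TypeDB's redefinition semantics, so that should be called out in the comment. The Exercise 04 solution does not answer Exercise 04: the exercise asks for the attack_pattern `attack_pattern_bravo` using `bravo_malware`, but the solution makes the `id_unknown` the `using` player, which is also not a STIX-shaped edge. Exercises 05 and 08 have no solution entry.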
@@ -1,12 +0,0 @@ -# Example 07: - -# Now let's research the attack we described earlier using the id_unknown and threat_actor stix_id - -match - -$e has external_id $eid; -$a isa attack_pattern, has name $an; -$i isa intrusion_set, has name $in; -$rel (referencing: $a, referenced: $e) isa external_references; -$u (used: $a, using: $i) isa uses; - diff --git a/cyber-threat-intelligence/examples/query8.tql b/cyber-threat-intelligence/examples/query8.tql deleted file mode 100644 index 3e9ffb0..0000000 --- a/cyber-threat-intelligence/examples/query8.tql +++ /dev/null @@ -1,6 +0,0 @@ -match -$e isa external_reference; -$e has $eid; -$a isa attack_pattern; -$rel (referencing: $a, referenced: $e) isa external_references; - From 6a5ece53813f543cff14b1af72b4d079570c10b9 Mon Sep 17 00:00:00 2001 From: sullivandaly Date: Mon, 26 Jun 2023 13:14:38 +0100 Subject: [PATCH 09/75] Changing name + last changes --- .../{schema.tql => define-schema.tql} | 46 ++++--------------- .../examples/06-uses-chain.tql | 6 ++- .../examples/exercise-solutions.tql | 22 ++++----- .../{dataset.tql => insert-data.tql} | 0 4 files changed, 23 insertions(+), 51 deletions(-) rename cyber-threat-intelligence/{schema.tql => define-schema.tql} (97%) rename cyber-threat-intelligence/{dataset.tql => insert-data.tql} (100%) diff --git a/cyber-threat-intelligence/schema.tql b/cyber-threat-intelligence/define-schema.tql similarity index 97% rename from cyber-threat-intelligence/schema.tql rename to cyber-threat-intelligence/define-schema.tql index 0d12ad5..8b1cae0 100644 --- a/cyber-threat-intelligence/schema.tql +++ b/cyber-threat-intelligence/define-schema.tql @@ -2,12 +2,6 @@ define # Based on https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_disnqa06jm5 -### TODO -# - check the !!! marking -# - DISCUSSION marking -# - What to do with the stix_type field? -# - TO CONTINUE - ### 1 Base Entities ### stix_entity sub entity, 
@@ -21,7 +15,7 @@ stix_object sub stix_entity, plays granular_marking:marking; stix_core_object sub stix_object, - owns spec_version, # for SDOs + owns spec_version, plays object_marking:marked, plays created_by:created, @@ -52,7 +46,6 @@ stix_cyber_observable_object sub stix_core_object, owns defanged, # Rel - # !!! TAKE CARE !!! plays external_references:referencing, plays contains_ref:containing, @@ -77,7 +70,6 @@ external_reference sub stix_sub_object, plays hashes:hashes_owner, plays external_references:referenced; -### TODO USED kill_chain_phase sub stix_sub_object, owns kill_chain_name, owns kill_chain_phase_name, @@ -89,7 +81,7 @@ kill_chain_phase sub stix_sub_object, attack_pattern sub stix_domain_object, owns name, owns description, - owns aliases, # LIST + owns aliases, # Rel plays delivers:delivering, @@ -505,8 +497,6 @@ based_on sub stix_core_relationship, relates basing as source, relates based as target; - -### !!! TODO SCOs !!! ### communicates_with sub stix_core_relationship, relates communicating as source, relates communicated as target; @@ -539,12 +529,10 @@ exfiltrates_to sub stix_core_relationship, relates exfiltrating_to as source, relates exfiltrated_to as target; -### !!! TODO SCOs !!! ### downloads sub stix_core_relationship, relates downloading as source, relates downloaded as target; -### !!! TODO SCOs !!! ### drops sub stix_core_relationship, relates dropping as source, relates dropped as target; @@ -598,10 +586,6 @@ parent_ref sub ref; message_body_data_ref sub ref, relates from as source; -# Possible relationships between SDOs -# infrastructure _> infrastructure_types -# identity _> sector - derivation sub relation, relates derived_from, relates deriving; @@ -696,7 +680,7 @@ email_message sub stix_cyber_observable_object, plays to_refs:from, plays cc_refs:from, plays bcc_refs:from, - plays received_lines:owner, # LinkedList + plays received_lines:owner, plays body_multipart:to, plays raw_email_ref:source; 
@@ -887,7 +871,6 @@ network_traffic sub stix_cyber_observable_object, plays encapsulated_by_ref:target, plays opened_connection_refs:opening; -# TODO: Should be a hierarchy or a relation? http_request_ext sub network_traffic, owns request_method, owns request_value, @@ -1052,10 +1035,6 @@ x509_v3_extensions sub x509_certificate, owns certificate_policies, owns policy_mappings; -# TODO -# Embended relations to deal with ownership of SDOs -# CREATE SUBTYPES OF stix_attribute - marking_definition sub stix_object, owns created, owns modified, @@ -1070,11 +1049,8 @@ statement_marking sub marking_definition, owns statement; tlp_marking sub marking_definition, - owns color; # TODO REGEX red/amber/green/clear - + owns color; -# This is not a List but a Set -# We keep the list name for consistancy with STIX2.1 list sub relation, relates list_item, relates owner; @@ -1118,7 +1094,7 @@ dict sub relation, hashes sub dict, relates hash_value as dict_item, relates hashes_owner as owner, - owns hash_algorithm as key_abstract; # TODO REGEX SUB KEY + owns hash_algorithm as key_abstract; document_info_dict sub dict, relates document_info as dict_item, @@ -1155,9 +1131,7 @@ startup_info sub dict, relates info_owner as owner, owns key as key_abstract; -### !!! DISCUSSION !!! ### - -additional_header_fields sub relation, # Dict of List +additional_header_fields sub relation, relates dict_item, relates owner, @@ -1168,13 +1142,10 @@ additional_header_fields sub relation, # Dict of List header_fields sub list, plays additional_header_fields:dict_item; -### !!! FIN DISCUSSION !!! ### - external_references sub list, relates referencing as list_item, relates referenced as owner; -### TODO USED kill_chain_phases sub list, relates using as list_item, relates used as owner; @@ -1185,7 +1156,6 @@ data_marking sub list, plays granular_marking:marking; -### TODO MARKED object_marking sub list, relates marking as list_item, relates marked as owner; 
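Review bot: In the `@@ -1070,11 +1049,8 @@` hunk the TODO on tlp_marking's `color` is dropped without the regex it asked for, so any string is still accepted as a TLP label. TLP markings decide how intelligence may be shared, and a value such as "Amber" or "red " silently escapes any filter or rule that compares the exact label; the constraint belongs on the attribute type where `color` is defined (outside this hunk), along the lines of `color sub stix_attribute_string, regex "^(red|amber|green|clear)$";`, using whichever label set the dataset follows (STIX 2.1's predefined TLP marking definitions use "white" where TLP 2.0 uses "clear"). The `hash_algorithm` TODO removed in the `@@ -1118,7 +1094,7 @@` hunk is dropped the same way and deserves the same treatment or a comment explaining why it is left open.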
@@ -1287,8 +1257,8 @@ objective sub stix_attribute_string; action sub stix_attribute_string; context sub stix_attribute_string; identity_class sub stix_attribute_string; -sector sub stix_attribute_string; ### REL ??? -infrastructure_types sub stix_attribute_string; ### REL ??? +sector sub stix_attribute_string; +infrastructure_types sub stix_attribute_string; contact_information sub stix_attribute_string; indicator_type sub stix_attribute_string; pattern sub stix_attribute_string; diff --git a/cyber-threat-intelligence/examples/06-uses-chain.tql b/cyber-threat-intelligence/examples/06-uses-chain.tql index 45010ee..d4a9526 100644 --- a/cyber-threat-intelligence/examples/06-uses-chain.tql +++ b/cyber-threat-intelligence/examples/06-uses-chain.tql @@ -17,7 +17,9 @@ $u2 (used: $bravo_ma, using:$bravo_ta) isa uses, #-------------------------------------------------- # Exercise 06: -# Create a rule in order to create by inference a transitivity of the uses relation. - +# With inference on we can now query for the attack pattern and malware that are used by the threat actor +# Create a query that finds the attack pattern and malware that are used by the threat actor +# Keyword hints: match, or +# Type hints: attack_pattern, malware, threat_actor, uses #-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/exercise-solutions.tql b/cyber-threat-intelligence/examples/exercise-solutions.tql index ba55b76..d2487d4 100644 --- a/cyber-threat-intelligence/examples/exercise-solutions.tql +++ b/cyber-threat-intelligence/examples/exercise-solutions.tql 
@@ -42,16 +42,16 @@ insert #-------------------------------------------------- # Exercise 06 solution: -rule transitive_use: -when { - $x isa stix_domain_object, has name $name1; - $y isa stix_domain_object, has name $name2; - $z isa stix_domain_object, has name $name3; - $use1 (used_by: $x, used: $y) isa uses; - $use2 (used_by: $y, used: $z) isa uses; -} then { - (used_by: $x, used: $z) isa uses; -}; +match +{$bravo_1 isa attack_pattern, has stix_id "attack_pattern_bravo";} or +{$bravo_1 isa malware, has stix_id "bravo_malware";} or +{$bravo_1 isa threat_actor, has stix_id "bravo_threat";}; + +{$bravo_2 isa attack_pattern, has stix_id "attack_pattern_bravo";} or +{$bravo_2 isa malware, has stix_id "bravo_malware";} or +{$bravo_2 isa threat_actor, has stix_id "bravo_threat";}; + +$new ($bravo_1, $bravo_2) isa uses; #-------------------------------------------------- # Exercise 07 solution: @@ -61,4 +61,4 @@ match $e isa external_reference, has url_link $c; $e has $eid; $a isa attack_pattern, has name $d; -$rel (referencing: $a, referenced: $e) isa external_references; sort $d; \ No newline at end of file +$rel (referencing: $a, referenced: $e) isa external_references; sort $d; diff --git a/cyber-threat-intelligence/dataset.tql b/cyber-threat-intelligence/insert-data.tql similarity index 100% rename from cyber-threat-intelligence/dataset.tql rename to cyber-threat-intelligence/insert-data.tql From 66415b1980d58ccf78324bf3e0d1a1d395f5ee12 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Mon, 26 Jun 2023 14:51:57 +0100 Subject: [PATCH 10/75] test --- cyber-threat-intelligence/define-schema.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/define-schema.tql b/cyber-threat-intelligence/define-schema.tql index 8b1cae0..5cf7bb5 100644 --- a/cyber-threat-intelligence/define-schema.tql +++ b/cyber-threat-intelligence/define-schema.tql 
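Review bot: The replacement Exercise 06 solution leaves the roles of `uses` unnamed and lets `$bravo_1` and `$bravo_2` range over the same three objects, so it returns every `uses` relation among them — each one twice, once per role order — rather than "the attack pattern and malware that are used by the threat actor" that 06-uses-chain.tql asks for. Binding the threat actor to the `using` role and the other two types to `used`, the role names the rest of the examples use (`(used: $bravo_ma, using:$bravo_ta) isa uses`), pins the direction and removes the duplicates. The query also only yields the attack pattern when the transitive rule is present in the schema and inference is switched on, which a comment on the solution should say.
```typeql
match
$bravo_ta isa threat_actor, has stix_id "bravo_threat";
{$bravo_1 isa attack_pattern, has stix_id "attack_pattern_bravo";} or
{$bravo_1 isa malware, has stix_id "bravo_malware";};
$new (using: $bravo_ta, used: $bravo_1) isa uses;
```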
@@ -5,7 +5,7 @@ define ### 1 Base Entities ### stix_entity sub entity, - abstract; + abstract; stix_object sub stix_entity, owns stix_type, From 68ea73f3c49235fadb6ca1912596e9a239ecf64b Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 16:51:57 +0100 Subject: [PATCH 11/75] Update cyber-threat-intelligence/examples/07-external-reference.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/07-external-reference.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/07-external-reference.tql b/cyber-threat-intelligence/examples/07-external-reference.tql index 2773e85..f85e3e8 100644 --- a/cyber-threat-intelligence/examples/07-external-reference.tql +++ b/cyber-threat-intelligence/examples/07-external-reference.tql @@ -1,6 +1,6 @@ # Example 07: -# From the previous example, we can see that some attack patterns are used by intrusion sets. +# From the Example 06, we can see that some attack patterns are used by intrusion sets. # We can also see that some attack patterns have external references. # We can use the same approach to find attack patterns that are used by intrusion sets and have external references. From fca6d2ae76b3cce72250d90d8392cacbf144b26a Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 16:52:08 +0100 Subject: [PATCH 12/75] Update cyber-threat-intelligence/examples/06-uses-chain.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/06-uses-chain.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/06-uses-chain.tql b/cyber-threat-intelligence/examples/06-uses-chain.tql index d4a9526..0daba7e 100644 --- a/cyber-threat-intelligence/examples/06-uses-chain.tql +++ b/cyber-threat-intelligence/examples/06-uses-chain.tql 
@@ -20,6 +20,6 @@ $u2 (used: $bravo_ma, using:$bravo_ta) isa uses, # With inference on we can now query for the attack pattern and malware that are used by the threat actor # Create a query that finds the attack pattern and malware that are used by the threat actor # Keyword hints: match, or -# Type hints: attack_pattern, malware, threat_actor, uses +# Type hints: attack_pattern, malware, threat_actor, uses, stix_id #-------------------------------------------------- From 41bd7ee5a116a627d14815428fc74c7ce45affbf Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 16:52:26 +0100 Subject: [PATCH 13/75] Update cyber-threat-intelligence/examples/06-uses-chain.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/06-uses-chain.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/06-uses-chain.tql b/cyber-threat-intelligence/examples/06-uses-chain.tql index 0daba7e..c8a9962 100644 --- a/cyber-threat-intelligence/examples/06-uses-chain.tql +++ b/cyber-threat-intelligence/examples/06-uses-chain.tql @@ -17,7 +17,7 @@ $u2 (used: $bravo_ma, using:$bravo_ta) isa uses, #-------------------------------------------------- # Exercise 06: -# With inference on we can now query for the attack pattern and malware that are used by the threat actor +# With inference switched on, we can now query for the attack pattern and malware that are used by the threat actor # Create a query that finds the attack pattern and malware that are used by the threat actor # Keyword hints: match, or # Type hints: attack_pattern, malware, threat_actor, uses, stix_id From a711ae836337baf53fdedc702f85636947b497bb Mon Sep 17 00:00:00 2001 
From: Sullivan Daly Date: Tue, 27 Jun 2023 16:53:12 +0100 Subject: [PATCH 14/75] Update README.md Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 19fbd86..2e16f4b 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ to automate permission inheritance and policy enforcement at the schema level us ### [Cyber threat intelligence](https://github.com/vaticle/typedb-examples/tree/master/cyber-threat-intelligence) -A guided tutorial to learn how to use TypeDB in a Cyber Threat Intelligence (CTI) context in order to identify threats using powerful queries and inferenced ruling. +Learn how to use TypeDB in a cyber threat intelligence (CTI) context in order to identify threats using powerful queries and rule-inference. ## Advanced From ee8fd1fb46a0fa57081509ba69b1888270aee9d7 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 16:53:19 +0100 Subject: [PATCH 15/75] Update cyber-threat-intelligence/README.md Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/README.md b/cyber-threat-intelligence/README.md index 72e88ec..8bf7dc0 100644 --- a/cyber-threat-intelligence/README.md +++ b/cyber-threat-intelligence/README.md @@ -1,4 +1,4 @@ -# Cyber Threat Intelligence +# Cyber threat intelligence ## Introduction From 8f401158e06dbb9dde9710c0b8704042e521a367 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 16:53:26 +0100 Subject: [PATCH 16/75] Update cyber-threat-intelligence/README.md Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cyber-threat-intelligence/README.md b/cyber-threat-intelligence/README.md index 8bf7dc0..45fabb4 100644 --- a/cyber-threat-intelligence/README.md +++ b/cyber-threat-intelligence/README.md @@ -2,7 +2,7 @@ ## Introduction -In this demo, you'll learn how to use TypeDB as the database for a Cyber Threat Intelligence context. We'll cover +In this demo, you'll learn how to use TypeDB as the database in a cyber threat intelligence context. We'll cover some basic operations like listing the identities and subtyped of it with the help of type-inferenced queries. We will then move on to some more advanced examples that take advantage of rules. We'll see how we can automate threats discovery at the schema level with the creation of a new rule. From 473def04accab8c68e25d7f070eb9c8c5859052b Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 16:53:33 +0100 Subject: [PATCH 17/75] Update cyber-threat-intelligence/README.md Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/README.md b/cyber-threat-intelligence/README.md index 45fabb4..933e2dd 100644 --- a/cyber-threat-intelligence/README.md +++ b/cyber-threat-intelligence/README.md @@ -3,7 +3,7 @@ ## Introduction In this demo, you'll learn how to use TypeDB as the database in a cyber threat intelligence context. We'll cover -some basic operations like listing the identities and subtyped of it with the help of type-inferenced queries. +some basic operations like listing identities and their subtypes with the help of type-inference. We will then move on to some more advanced examples that take advantage of rules. We'll see how we can automate threats discovery at the schema level with the creation of a new rule. From 91854dc2cfcb0c565de664666e1f3e5281142ca4 Mon Sep 17 00:00:00 2001 
From: Sullivan Daly Date: Tue, 27 Jun 2023 16:53:40 +0100 Subject: [PATCH 18/75] Update cyber-threat-intelligence/README.md Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/README.md b/cyber-threat-intelligence/README.md index 933e2dd..09153f2 100644 --- a/cyber-threat-intelligence/README.md +++ b/cyber-threat-intelligence/README.md @@ -5,7 +5,7 @@ In this demo, you'll learn how to use TypeDB as the database in a cyber threat intelligence context. We'll cover some basic operations like listing identities and their subtypes with the help of type-inference. We will then move on to some more advanced examples that take advantage of rules. -We'll see how we can automate threats discovery at the schema level with the creation of a new rule. +We'll see how we can automate threat discovery at the schema level with the creation of a new rule. ## Required knowledge From 73bc0beb75f0ef002e09002581cd964f6f0dcd72 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 16:57:29 +0100 Subject: [PATCH 19/75] Update cyber-threat-intelligence/README.md Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/README.md b/cyber-threat-intelligence/README.md index 09153f2..61feeba 100644 --- a/cyber-threat-intelligence/README.md +++ b/cyber-threat-intelligence/README.md @@ -23,7 +23,7 @@ For more information, please see our [documentation](https://docs.vaticle.com/do Start your TypeDB server and open TypeDB Studio. Make sure you are on a `schema-write` transaction and run the following TypeQL file: -```schema.tql``` +```define-schema.tql``` Then switch to a `data-write` transaction and run the following: 
From f45873a06f5361eaab31a4ee3fd0c4f9b5a364ea Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 16:57:51 +0100 Subject: [PATCH 20/75] Update cyber-threat-intelligence/README.md Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/README.md b/cyber-threat-intelligence/README.md index 61feeba..f94710f 100644 --- a/cyber-threat-intelligence/README.md +++ b/cyber-threat-intelligence/README.md @@ -27,7 +27,7 @@ TypeQL file: Then switch to a `data-write` transaction and run the following: -```dataset.tql``` +```insert-data.tql``` Remember to click on the green tick after running each of these scripts to commit the changes to the database. From a17fbee0482e311cf5d977ccdf8741847bf527d8 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 16:58:08 +0100 Subject: [PATCH 21/75] Update cyber-threat-intelligence/README.md Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/README.md b/cyber-threat-intelligence/README.md index f94710f..23010e6 100644 --- a/cyber-threat-intelligence/README.md +++ b/cyber-threat-intelligence/README.md 
@@ -35,5 +35,5 @@ Remember to click on the green tick after running each of these scripts to commi To get started, try running the examples. They are intended to be run once each and in order, so be aware that running them more than once or out of order might generate data errors. If anything goes wrong, you can run the -`dataset.tql` script again to reset everything. All the examples use `data` sessions, but you'll have to switch +`insert-data.tql` script again to reset everything. All the examples use `data` sessions, but you'll have to switch between `read` and `write` transactions depending on the queries in the example, and remember to commit after writes. From c5f5ceb10946a252a4bac2d33d19ebe4c2b2dd4d Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 16:58:26 +0100 Subject: [PATCH 22/75] Update cyber-threat-intelligence/examples/01-list-id_unknown.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/01-list-id_unknown.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/01-list-id_unknown.tql b/cyber-threat-intelligence/examples/01-list-id_unknown.tql index c626c1c..7f7efc8 100644 --- a/cyber-threat-intelligence/examples/01-list-id_unknown.tql +++ b/cyber-threat-intelligence/examples/01-list-id_unknown.tql @@ -1,6 +1,6 @@ # Example 01: -# We are querying for a list of id_unkown in the database: +# We are querying for a list of actors with unknown ids in the database: # $t and $all are variables, which can be used in the query. # The query is a match statement, which is a pattern matching statement. # The query will return all the id_unknown in the database. From 5ff2aba2f9ef9bd95a44d0133854c80c4ca2dc1f Mon Sep 17 00:00:00 2001 
From: Sullivan Daly Date: Tue, 27 Jun 2023 16:58:45 +0100 Subject: [PATCH 23/75] Update cyber-threat-intelligence/examples/01-list-id_unknown.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/01-list-id_unknown.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/01-list-id_unknown.tql b/cyber-threat-intelligence/examples/01-list-id_unknown.tql index 7f7efc8..a63e5cc 100644 --- a/cyber-threat-intelligence/examples/01-list-id_unknown.tql +++ b/cyber-threat-intelligence/examples/01-list-id_unknown.tql @@ -3,7 +3,7 @@ # We are querying for a list of actors with unknown ids in the database: # $t and $all are variables, which can be used in the query. # The query is a match statement, which is a pattern matching statement. -# The query will return all the id_unknown in the database. +# The query will return all the entities of type id_unknown in the database. match From bebaa0f466d61c04a504d00e3657bb6f5f55a18f Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 16:59:35 +0100 Subject: [PATCH 24/75] Update cyber-threat-intelligence/examples/01-list-id_unknown.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/01-list-id_unknown.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/01-list-id_unknown.tql b/cyber-threat-intelligence/examples/01-list-id_unknown.tql index a63e5cc..b0fa823 100644 --- a/cyber-threat-intelligence/examples/01-list-id_unknown.tql +++ b/cyber-threat-intelligence/examples/01-list-id_unknown.tql 
@@ -2,7 +2,7 @@ # We are querying for a list of actors with unknown ids in the database: # $t and $all are variables, which can be used in the query. -# The query is a match statement, which is a pattern matching statement. +# The query is a get query containing a single pattern matching statement. # The query will return all the entities of type id_unknown in the database. match From 88a7ea57c35d84a210c8ebcfd594e85f451ffa06 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 16:59:54 +0100 Subject: [PATCH 25/75] Update cyber-threat-intelligence/examples/02-list-identity.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/02-list-identity.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/02-list-identity.tql b/cyber-threat-intelligence/examples/02-list-identity.tql index ee9df26..29ed61c 100644 --- a/cyber-threat-intelligence/examples/02-list-identity.tql +++ b/cyber-threat-intelligence/examples/02-list-identity.tql @@ -1,6 +1,6 @@ # Example 02: -# We are querying for a list of identity in the database. +# We are querying for a list of identities in the database. # We are using the match keyword to match the identity type. # As we can see identity exists in the database but also referenced other subtypes. From 76afee76a46d16f9f64785369cec151ad4ceb067 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 17:00:28 +0100 Subject: [PATCH 26/75] Update cyber-threat-intelligence/examples/exercise-solutions.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/exercise-solutions.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/exercise-solutions.tql b/cyber-threat-intelligence/examples/exercise-solutions.tql index d2487d4..8ea4cdd 100644 
--- a/cyber-threat-intelligence/examples/exercise-solutions.tql +++ b/cyber-threat-intelligence/examples/exercise-solutions.tql @@ -8,7 +8,7 @@ match -$t isa id_unknown, has name, has description; +$t isa id_unknown, has name $n, has description $d; #-------------------------------------------------- # Exercise 02 solution: From dade32cd340ca8fa34d6a54129b36030cd12a7db Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 17:00:47 +0100 Subject: [PATCH 27/75] Update cyber-threat-intelligence/examples/02-list-identity.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/02-list-identity.tql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/02-list-identity.tql b/cyber-threat-intelligence/examples/02-list-identity.tql index 29ed61c..0508845 100644 --- a/cyber-threat-intelligence/examples/02-list-identity.tql +++ b/cyber-threat-intelligence/examples/02-list-identity.tql @@ -13,6 +13,7 @@ $t isa identity, has $all; # Exercise 02: # Edit this query to list only id_unknown and identity. -# Keyword hints: negation, not +# Keyword hints: not +# Type hints: organization #-------------------------------------------------- From 4305349e39d8fab4bc35e2664ac89be8d109ff29 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 17:01:17 +0100 Subject: [PATCH 28/75] Update cyber-threat-intelligence/examples/03-create-malware.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/03-create-malware.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/03-create-malware.tql b/cyber-threat-intelligence/examples/03-create-malware.tql index ad52742..fd4cbee 100644 --- a/cyber-threat-intelligence/examples/03-create-malware.tql +++ b/cyber-threat-intelligence/examples/03-create-malware.tql 
@@ -1,6 +1,6 @@ # Example 03: -# Now let's insert a new threat actor, a new malware and add them an attributed_to relation. +# Now let's insert a new threat actor, a new malware and add them create an attribution relation between them. # We will also add a new malware, bravo_malware as well as a new threat_actor, bravo_threat. # We will then use them both to create a new attributed_to relation. From c35c35373d5fba48f779cab309f8d23ccac96fad Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 17:01:45 +0100 Subject: [PATCH 29/75] Update cyber-threat-intelligence/examples/03-create-malware.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/03-create-malware.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/03-create-malware.tql b/cyber-threat-intelligence/examples/03-create-malware.tql index fd4cbee..2764f05 100644 --- a/cyber-threat-intelligence/examples/03-create-malware.tql +++ b/cyber-threat-intelligence/examples/03-create-malware.tql @@ -1,7 +1,7 @@ # Example 03: # Now let's insert a new threat actor, a new malware and add them create an attribution relation between them. -# We will also add a new malware, bravo_malware as well as a new threat_actor, bravo_threat. +# We will also add a new malware, bravo_malware, as well as a new threat_actor, bravo_threat. # We will then use them both to create a new attributed_to relation. insert From dfdf7a2b0324998be4fe43db93fcb90988575f77 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 17:02:03 +0100 Subject: [PATCH 30/75] Update cyber-threat-intelligence/examples/03-create-malware.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/03-create-malware.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cyber-threat-intelligence/examples/03-create-malware.tql b/cyber-threat-intelligence/examples/03-create-malware.tql index 2764f05..fa5f3aa 100644 --- a/cyber-threat-intelligence/examples/03-create-malware.tql +++ b/cyber-threat-intelligence/examples/03-create-malware.tql @@ -28,7 +28,7 @@ $bravo_ma isa malware, #-------------------------------------------------- # Exercise 03: -# Write a new query to give bravo_threat a third threat_actor_types: "insider". Try re-running Example 03 to +# Write a new query to give bravo_threat a third threat actor type: "insider". Try re-running Example 03 to # see the results of this addition queries. # Keyword hints: match, insert # Type hints: threat_actor, threat_actor_types From ecb26f1e799fb88a94b139b2f5e07e18cb90cdda Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 17:02:48 +0100 Subject: [PATCH 31/75] Update cyber-threat-intelligence/examples/03-create-malware.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/03-create-malware.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/03-create-malware.tql b/cyber-threat-intelligence/examples/03-create-malware.tql index fa5f3aa..c6df195 100644 --- a/cyber-threat-intelligence/examples/03-create-malware.tql +++ b/cyber-threat-intelligence/examples/03-create-malware.tql @@ -29,7 +29,7 @@ $bravo_ma isa malware, # Exercise 03: # Write a new query to give bravo_threat a third threat actor type: "insider". Try re-running Example 03 to -# see the results of this addition queries. +# see the results of this insert query. # Keyword hints: match, insert # Type hints: threat_actor, threat_actor_types From f2e4dee915475d6aa68a561b36ff416e94e46491 Mon Sep 17 00:00:00 2001 
From: Sullivan Daly Date: Tue, 27 Jun 2023 17:05:27 +0100 Subject: [PATCH 32/75] Update cyber-threat-intelligence/examples/04-assign-target.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/04-assign-target.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/04-assign-target.tql b/cyber-threat-intelligence/examples/04-assign-target.tql index c995dc1..e6fa24e 100644 --- a/cyber-threat-intelligence/examples/04-assign-target.tql +++ b/cyber-threat-intelligence/examples/04-assign-target.tql @@ -1,4 +1,4 @@ -# Example 03: +# Example 04: # Now let's insert a new targets relation between a specific malware and a specific id_unknown: From 1f481e4bdade869f414465ed2c8c930e0525d295 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 17:18:48 +0100 Subject: [PATCH 33/75] correct pull/5#discussion_r1242207737 --- cyber-threat-intelligence/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/README.md b/cyber-threat-intelligence/README.md index 23010e6..e246d87 100644 --- a/cyber-threat-intelligence/README.md +++ b/cyber-threat-intelligence/README.md @@ -11,13 +11,15 @@ We'll see how we can automate threat discovery at the schema level with the crea This demo assumes knowledge of: -- General identity and access management concepts. - TypeDB's transaction system. - All basic TypeQL syntax elements. - TypeDB Studio's interface. For more information, please see our [documentation](https://docs.vaticle.com/docs/general/introduction). +General knowledge of STIX2.1 would be a plus. + + ## Getting started Start your TypeDB server and open TypeDB Studio. Make sure you are on a `schema-write` transaction and run the following From ac067c077bcc1f63e3d8cc360c70ab4adca5a504 Mon Sep 17 00:00:00 2001 
From: Sullivan Daly Date: Tue, 27 Jun 2023 17:20:00 +0100 Subject: [PATCH 34/75] correct pull/5#discussion_r1242256662 --- cyber-threat-intelligence/examples/01-list-id_unknown.tql | 2 +- cyber-threat-intelligence/examples/02-list-identity.tql | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cyber-threat-intelligence/examples/01-list-id_unknown.tql b/cyber-threat-intelligence/examples/01-list-id_unknown.tql index b0fa823..2d19d31 100644 --- a/cyber-threat-intelligence/examples/01-list-id_unknown.tql +++ b/cyber-threat-intelligence/examples/01-list-id_unknown.tql @@ -7,7 +7,7 @@ match -$t isa id_unknown, has $all; +$t isa id_unknown, has $attribute; #-------------------------------------------------- # Exercise 01: diff --git a/cyber-threat-intelligence/examples/02-list-identity.tql b/cyber-threat-intelligence/examples/02-list-identity.tql index 0508845..ec59000 100644 --- a/cyber-threat-intelligence/examples/02-list-identity.tql +++ b/cyber-threat-intelligence/examples/02-list-identity.tql @@ -7,7 +7,7 @@ match -$t isa identity, has $all; +$t isa identity, has $attribute; #-------------------------------------------------- # Exercise 02: From 679997f651ef03b389c9801db0c5f9748a0c9f0e Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 17:20:45 +0100 Subject: [PATCH 35/75] correct pull/5#discussion_r1242263337 --- cyber-threat-intelligence/examples/02-list-identity.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/02-list-identity.tql b/cyber-threat-intelligence/examples/02-list-identity.tql index ec59000..b875b8a 100644 --- a/cyber-threat-intelligence/examples/02-list-identity.tql +++ b/cyber-threat-intelligence/examples/02-list-identity.tql 
@@ -2,7 +2,7 @@ # We are querying for a list of identities in the database. # We are using the match keyword to match the identity type. -# As we can see identity exists in the database but also referenced other subtypes. +# As we can see identity exists in the database but also references other subtypes. match From 066c85d32bdb05de667a09e0292df41af109e9ae Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 17:23:10 +0100 Subject: [PATCH 36/75] correct pull/5#discussion_r1242289469 --- cyber-threat-intelligence/examples/04-assign-target.tql | 4 +++- cyber-threat-intelligence/examples/exercise-solutions.tql | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/cyber-threat-intelligence/examples/04-assign-target.tql b/cyber-threat-intelligence/examples/04-assign-target.tql index e6fa24e..d4d39bd 100644 --- a/cyber-threat-intelligence/examples/04-assign-target.tql +++ b/cyber-threat-intelligence/examples/04-assign-target.tql @@ -1,6 +1,8 @@ # Example 04: -# Now let's insert a new targets relation between a specific malware and a specific id_unknown: +# Now let's insert a new targets relation between a specific malware and a specific id_unknown. +# We will use the stix_id attribute to identify the malware and the name attribute to identify the id_unknown. +# We will also use the stix_id attribute to identify the new targets relation. match $bravo_id isa id_unknown, has name "Adversary Bravo"; diff --git a/cyber-threat-intelligence/examples/exercise-solutions.tql b/cyber-threat-intelligence/examples/exercise-solutions.tql index 8ea4cdd..e546e7b 100644 --- a/cyber-threat-intelligence/examples/exercise-solutions.tql +++ b/cyber-threat-intelligence/examples/exercise-solutions.tql @@ -36,7 +36,7 @@ $bravo_ma isa malware, has stix_id "bravo_malware"; insert (used: $bravo_ma, using: $bravo_id) isa uses, - has stix_id "bravo_use"; + has stix_id "bravo_uses"; #-------------------------------------------------- 
From cd5e85dbb788e26adabe7b7d21fbbd0079eebbc3 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Tue, 27 Jun 2023 17:26:34 +0100 Subject: [PATCH 37/75] correct pull/5#discussion_r1242292367 --- .../examples/05-infered-uses.tql | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/cyber-threat-intelligence/examples/05-infered-uses.tql b/cyber-threat-intelligence/examples/05-infered-uses.tql index 3667eb9..35b2f1a 100644 --- a/cyber-threat-intelligence/examples/05-infered-uses.tql +++ b/cyber-threat-intelligence/examples/05-infered-uses.tql @@ -13,6 +13,24 @@ $x has stix_id "bravo_id_unknown"; #-------------------------------------------------- # Exercise 05: +# When we run this query, we get a few results, but let's try toggling the inference button at the top to switch on +# TypeDB's rule-inference. Now if we run the query again, we get many more results shown in a green outline. This is +# because of a rule encoded into the schema: +# +# rule transitive_use: +# when { +# $x isa stix_domain_object, has name $name1; +# $y isa stix_domain_object, has name $name2; +# $z isa stix_domain_object, has name $name3; +# $use1 (using: $x, used: $y) isa uses; +# $use2 (using: $y, used: $z) isa uses; +# } then { +# (using: $x, used: $z) isa uses; +# }; +# +# This rule makes uses relationship transitive, so if we know that a threat actor uses an unknown id, and that unknown +# id uses a target, then we can infer that the threat actor uses the target. This is a very powerful feature of TypeDB. +# # Try to run again the same query activating inference # Keyword hints: infer From 93a25eae11252d95eb064c6adf726e2cbee980fe Mon Sep 17 00:00:00 2001 
From: Sullivan Daly Date: Wed, 28 Jun 2023 12:22:38 +0100 Subject: [PATCH 38/75] Change 08 example + provide solution --- cyber-threat-intelligence/define-schema.tql | 6 ++--- .../examples/06-uses-chain.tql | 6 ++--- .../examples/08-check-intrusion-set.tql | 8 ++++-- .../examples/exercise-solutions.tql | 27 +++++++++++++++++++ 4 files changed, 38 insertions(+), 9 deletions(-) diff --git a/cyber-threat-intelligence/define-schema.tql b/cyber-threat-intelligence/define-schema.tql index 5cf7bb5..d598f04 100644 --- a/cyber-threat-intelligence/define-schema.tql +++ b/cyber-threat-intelligence/define-schema.tql @@ -1591,9 +1591,9 @@ when { rule transitive_use: when { - $x isa stix_domain_object, has name $name1; - $y isa stix_domain_object, has name $name2; - $z isa stix_domain_object, has name $name3; + $x isa stix_domain_object; + $y isa stix_domain_object; + $z isa stix_domain_object; $use1 (using: $x, used: $y) isa uses; $use2 (using: $y, used: $z) isa uses; } then { diff --git a/cyber-threat-intelligence/examples/06-uses-chain.tql b/cyber-threat-intelligence/examples/06-uses-chain.tql index c8a9962..0752c6a 100644 --- a/cyber-threat-intelligence/examples/06-uses-chain.tql +++ b/cyber-threat-intelligence/examples/06-uses-chain.tql 
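Review bot: The copy of `transitive_use` quoted in the Exercise 05 comment of 05-infered-uses.tql (added in PATCH 37) still shows the `$x isa stix_domain_object, has name $name1;` form, so once this hunk drops the three `has name` constraints the example text no longer matches the schema it explains. Either change those three quoted lines to `$x isa stix_domain_object;` / `$y isa stix_domain_object;` / `$z isa stix_domain_object;` or replace the quoted block with a pointer to the rule in define-schema.tql. Dropping the name constraints also means the rule now chains through SDOs that have no name, which is presumably the intent but deserves a line above the rule such as `# uses is transitive over all SDOs, named or not`. If cyclic uses relations can occur in the data, the condition as written will also derive a reflexive uses of an object on itself; if the TypeDB version in use permits negation in rule conditions, `not { $x is $z; };` in the `when` block guards against that.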
@@ -5,20 +5,18 @@ match $bravo_ap isa attack_pattern, has stix_id "attack_pattern_bravo"; $bravo_ma isa malware, has stix_id "bravo_malware"; -$bravo_ta isa threat_actor, has stix_id "bravo_threat"; + insert $u1 (used: $bravo_ap, using:$bravo_ma) isa uses, has stix_id "bravo_uses_1"; -$u2 (used: $bravo_ma, using:$bravo_ta) isa uses, - has stix_id "bravo_uses_2"; - #-------------------------------------------------- # Exercise 06: # With inference switched on, we can now query for the attack pattern and malware that are used by the threat actor # Create a query that finds the attack pattern and malware that are used by the threat actor +# You can double click on the green infered uses relationship to get an explanation of what triggered the inferred rule. # Keyword hints: match, or # Type hints: attack_pattern, malware, threat_actor, uses, stix_id diff --git a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql index c359669..9168b92 100644 --- a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql +++ b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql @@ -14,7 +14,11 @@ $u (used: $a, using: $i) isa uses; #------------------------------------------------------------ # Exercise 08: -# Create a intrusion_set as well as an external_reference and external_references -# relationship that references to be able to display our previously created bravo_*. +# Create a intrusion_set as well as a uses relation to link it to the malware owning "bravo_malware" as stix_id. +# You will need to provide a stix_id for both new intrusion_set and new uses relation. +# Modify the query from the Exercise 06 to include your intrusion_set as a potential roleplayer in the uses relationship. +# +# As you can see, two uses relations are infered creating automatically a link between intrusion_set and threat_actor through attack_pattern. + #------------------------------------------------------------ 
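Review bot: With `$bravo_ta` and the `$u2` insert removed, this file no longer creates any uses relation that involves the threat actor, yet the Exercise 06 prompt a few lines below still asks for the attack pattern and malware "used by the threat actor". Unless that link is inserted elsewhere (the Exercise 04 solution appears to make the id_unknown, not bravo_threat, the user of the malware), `transitive_use` has nothing to chain from bravo_threat and the exercise query may come back empty; either keep a uses relation from the threat actor in this example or state in the comment where it comes from. The added comment line also misspells "infered": `# You can double click on the green inferred uses relationship to get an explanation of what triggered the inferred rule.`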
diff --git a/cyber-threat-intelligence/examples/exercise-solutions.tql b/cyber-threat-intelligence/examples/exercise-solutions.tql index e546e7b..be621fc 100644 --- a/cyber-threat-intelligence/examples/exercise-solutions.tql +++ b/cyber-threat-intelligence/examples/exercise-solutions.tql @@ -62,3 +62,30 @@ $e isa external_reference, has url_link $c; $e has $eid; $a isa attack_pattern, has name $d; $rel (referencing: $a, referenced: $e) isa external_references; sort $d; + + +#-------------------------------------------------- +# Exercise 08 solution: + +# insert new intrusion_set and uses relation +match +$bravo_2 isa malware, has stix_id "bravo_malware"; + +insert +$intrusion isa intrusion_set, has stix_id "bravo_intrusion"; +$bravo_uses (using: $intrusion, used: $bravo_2) isa uses, has stix_id "bravo_uses_3"; + + +# search for uses between attack_pattern, malware, threat_actor and intrusion_set +match +{$bravo_1 isa attack_pattern, has stix_id "attack_pattern_bravo";} or +{$bravo_1 isa malware, has stix_id "bravo_malware";} or +{$bravo_1 isa threat_actor, has stix_id "bravo_threat";} or +{$bravo_1 isa intrusion_set, has stix_id "bravo_intrusion";}; + +{$bravo_2 isa attack_pattern, has stix_id "attack_pattern_bravo";} or +{$bravo_2 isa malware, has stix_id "bravo_malware";} or +{$bravo_2 isa threat_actor, has stix_id "bravo_threat";} or +{$bravo_2 isa intrusion_set, has stix_id "bravo_intrusion";}; + +$new ($bravo_1, $bravo_2) isa uses; From bad77d520a030c9dc6a74c987bf42e5b68974133 Mon Sep 17 00:00:00 2001 
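Review bot: The final pattern `$new ($bravo_1, $bravo_2) isa uses;` leaves both roles unnamed, so every uses relation between two of the four objects is returned twice (once per assignment of the two variables) and the bindings do not say which side is the user, which is the point of the exercise. Naming the roles, `$new (using: $bravo_1, used: $bravo_2) isa uses;`, yields one answer per relation and makes the direction explicit; the Exercise 06 insert in 06-uses-chain.tql already uses named roles this way. The solution also places an insert and a match back to back; as far as I know rule inference is only available in read transactions, so a comment such as `# commit the insert above, then run the match below in a read transaction with inference switched on` would spare learners a confusing empty result.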
From: Sullivan Daly Date: Thu, 29 Jun 2023 11:51:18 +0100 Subject: [PATCH 39/75] add comments for context --- cyber-threat-intelligence/examples/01-list-id_unknown.tql | 3 ++- cyber-threat-intelligence/examples/02-list-identity.tql | 3 ++- cyber-threat-intelligence/examples/05-infered-uses.tql | 3 +-- cyber-threat-intelligence/examples/06-uses-chain.tql | 4 ++-- cyber-threat-intelligence/examples/08-check-intrusion-set.tql | 2 -- 5 files changed, 7 insertions(+), 8 deletions(-) diff --git a/cyber-threat-intelligence/examples/01-list-id_unknown.tql b/cyber-threat-intelligence/examples/01-list-id_unknown.tql index 2d19d31..9c65365 100644 --- a/cyber-threat-intelligence/examples/01-list-id_unknown.tql +++ b/cyber-threat-intelligence/examples/01-list-id_unknown.tql @@ -1,12 +1,13 @@ # Example 01: +# Let's start by getting a list of id_unknown in the database: +# # We are querying for a list of actors with unknown ids in the database: # $t and $all are variables, which can be used in the query. # The query is a get query containing a single pattern matching statement. # The query will return all the entities of type id_unknown in the database. match - $t isa id_unknown, has $attribute; #-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/02-list-identity.tql b/cyber-threat-intelligence/examples/02-list-identity.tql index b875b8a..4f995d1 100644 --- a/cyber-threat-intelligence/examples/02-list-identity.tql +++ b/cyber-threat-intelligence/examples/02-list-identity.tql @@ -1,12 +1,13 @@ # Example 02: +# Now let's see the list of actors in the database. +# # We are querying for a list of identities in the database. # We are using the match keyword to match the identity type. # As we can see identity exists in the database but also references other subtypes. match - $t isa identity, has $attribute; #-------------------------------------------------- 
diff --git a/cyber-threat-intelligence/examples/05-infered-uses.tql b/cyber-threat-intelligence/examples/05-infered-uses.tql index 35b2f1a..8f7f882 100644 --- a/cyber-threat-intelligence/examples/05-infered-uses.tql +++ b/cyber-threat-intelligence/examples/05-infered-uses.tql @@ -1,15 +1,14 @@ # Example 05: # Now let's research the attack we described earlier using the id_unknown and threat_actor stix_id +# This query represents the following question: "Who targets the unknown id and what tool is used?" match - $t($x, $y) isa targets; $c($a, $b) isa attributed_to; $b has stix_id "bravo_threat"; $x has stix_id "bravo_id_unknown"; - #-------------------------------------------------- # Exercise 05: diff --git a/cyber-threat-intelligence/examples/06-uses-chain.tql b/cyber-threat-intelligence/examples/06-uses-chain.tql index 0752c6a..fec6d38 100644 --- a/cyber-threat-intelligence/examples/06-uses-chain.tql +++ b/cyber-threat-intelligence/examples/06-uses-chain.tql @@ -1,12 +1,12 @@ # Example 06: -# Now let's research the attack we described earlier using the id_unknown and threat_actor stix_id +# We will use the stix_id to find the attack pattern using the malware created in the Exercise 03 +# We will then create a uses relationship between the attack pattern and malware match $bravo_ap isa attack_pattern, has stix_id "attack_pattern_bravo"; $bravo_ma isa malware, has stix_id "bravo_malware"; - insert $u1 (used: $bravo_ap, using:$bravo_ma) isa uses, has stix_id "bravo_uses_1"; diff --git a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql index 9168b92..93778c8 100644 --- a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql +++ b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql 
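Review bot: The new comment describes the query as "Who targets the unknown id and what tool is used?", but the two patterns below it share no variable: `$t($x, $y) isa targets` is constrained only through `$x` (bravo_id_unknown) and `$c($a, $b) isa attributed_to` only through `$b` (bravo_threat), so the result is the Cartesian product of two independent matches rather than a tool that both targets the id and is attributed to the actor. If the joined reading is intended, bind the tool once, e.g. `$t($x, $y) isa targets;` followed by `$c($y, $b) isa attributed_to;`; if the product is deliberate, the comment should say that the two questions are answered independently. Either way the comment's claim should match what the pattern actually computes.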
@@ -5,7 +5,6 @@ # are referenced by a specific external reference. match - $a isa attack_pattern, has name $an; $i isa intrusion_set, has name $in; $rel (referencing: $a, referenced: $e) isa external_references; @@ -20,5 +19,4 @@ $u (used: $a, using: $i) isa uses; # # As you can see, two uses relations are infered creating automatically a link between intrusion_set and threat_actor through attack_pattern. - #------------------------------------------------------------ From 4b3ed97e03346afffe343dad5570fcbaabdc39d0 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 11:51:33 +0100 Subject: [PATCH 40/75] Second batch --- cyber-threat-intelligence/examples/07-external-reference.tql | 4 ++-- cyber-threat-intelligence/examples/exercise-solutions.tql | 4 ---- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/cyber-threat-intelligence/examples/07-external-reference.tql b/cyber-threat-intelligence/examples/07-external-reference.tql index f85e3e8..aaf1ffa 100644 --- a/cyber-threat-intelligence/examples/07-external-reference.tql +++ b/cyber-threat-intelligence/examples/07-external-reference.tql @@ -3,15 +3,15 @@ # From the Example 06, we can see that some attack patterns are used by intrusion sets. # We can also see that some attack patterns have external references. # We can use the same approach to find attack patterns that are used by intrusion sets and have external references. +# An external reference refers to a link or identifier that points to additional information or context about a specific threat or indicator. -match +match $e isa external_reference; $e has $eid; $a isa attack_pattern; $rel (referencing: $a, referenced: $e) isa external_references; - #-------------------------------------------------- # Exercise 07: diff --git a/cyber-threat-intelligence/examples/exercise-solutions.tql b/cyber-threat-intelligence/examples/exercise-solutions.tql index be621fc..e58ed8f 100644 --- a/cyber-threat-intelligence/examples/exercise-solutions.tql 
+++ b/cyber-threat-intelligence/examples/exercise-solutions.tql @@ -6,7 +6,6 @@ #-------------------------------------------------- # Exercise 01 solution: - match $t isa id_unknown, has name $n, has description $d; @@ -38,7 +37,6 @@ insert (used: $bravo_ma, using: $bravo_id) isa uses, has stix_id "bravo_uses"; - #-------------------------------------------------- # Exercise 06 solution: @@ -63,7 +61,6 @@ $e has $eid; $a isa attack_pattern, has name $d; $rel (referencing: $a, referenced: $e) isa external_references; sort $d; - #-------------------------------------------------- # Exercise 08 solution: @@ -75,7 +72,6 @@ insert $intrusion isa intrusion_set, has stix_id "bravo_intrusion"; $bravo_uses (using: $intrusion, used: $bravo_2) isa uses, has stix_id "bravo_uses_3"; - # search for uses between attack_pattern, malware, threat_actor and intrusion_set match {$bravo_1 isa attack_pattern, has stix_id "attack_pattern_bravo";} or From b12338914eb0d1d1be23157a94d4f4b971ea6e2e Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:47:17 +0100 Subject: [PATCH 41/75] Update cyber-threat-intelligence/examples/01-list-id_unknown.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/01-list-id_unknown.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/01-list-id_unknown.tql b/cyber-threat-intelligence/examples/01-list-id_unknown.tql index 9c65365..d4b039d 100644 --- a/cyber-threat-intelligence/examples/01-list-id_unknown.tql +++ b/cyber-threat-intelligence/examples/01-list-id_unknown.tql @@ -1,6 +1,6 @@ # Example 01: -# Let's start by getting a list of id_unknown in the database: +# Let's start by getting a list of id_unknown in the database. # # We are querying for a list of actors with unknown ids in the database: # $t and $all are variables, which can be used in the query. 
From 08335e7079b6179612c83c27e69e7d78f07bc2b0 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:47:38 +0100 Subject: [PATCH 42/75] Update cyber-threat-intelligence/examples/01-list-id_unknown.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/01-list-id_unknown.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/01-list-id_unknown.tql b/cyber-threat-intelligence/examples/01-list-id_unknown.tql index d4b039d..52fee47 100644 --- a/cyber-threat-intelligence/examples/01-list-id_unknown.tql +++ b/cyber-threat-intelligence/examples/01-list-id_unknown.tql @@ -2,7 +2,7 @@ # Let's start by getting a list of id_unknown in the database. # -# We are querying for a list of actors with unknown ids in the database: +# We are querying for a list of actors with unknown ids. # $t and $all are variables, which can be used in the query. # The query is a get query containing a single pattern matching statement. # The query will return all the entities of type id_unknown in the database. From 40f80209982a53eac28c84012e47b426cd151f5a Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:47:50 +0100 Subject: [PATCH 43/75] Update cyber-threat-intelligence/examples/01-list-id_unknown.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/01-list-id_unknown.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/01-list-id_unknown.tql b/cyber-threat-intelligence/examples/01-list-id_unknown.tql index 52fee47..3062fd1 100644 --- a/cyber-threat-intelligence/examples/01-list-id_unknown.tql +++ b/cyber-threat-intelligence/examples/01-list-id_unknown.tql 
@@ -5,7 +5,7 @@ # We are querying for a list of actors with unknown ids. # $t and $all are variables, which can be used in the query. # The query is a get query containing a single pattern matching statement. -# The query will return all the entities of type id_unknown in the database. +# The query will return all the entities of type id_unknown in the database and their attributes. match $t isa id_unknown, has $attribute; From 1a45e906194b0bf70676284d96c72c434462db41 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:48:28 +0100 Subject: [PATCH 44/75] Update cyber-threat-intelligence/examples/08-check-intrusion-set.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/08-check-intrusion-set.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql index 93778c8..5fd81a1 100644 --- a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql +++ b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql @@ -17,6 +17,6 @@ $u (used: $a, using: $i) isa uses; # You will need to provide a stix_id for both new intrusion_set and new uses relation. # Modify the query from the Exercise 06 to include your intrusion_set as a potential roleplayer in the uses relationship. # -# As you can see, two uses relations are infered creating automatically a link between intrusion_set and threat_actor through attack_pattern. +# As we can see, two uses relations are infered, automatically creating a link between intrusion_set and threat_actor through attack_pattern. #------------------------------------------------------------ From ee116582326e7ea58a5b285a6f805273617f5361 Mon Sep 17 00:00:00 2001 
From: Sullivan Daly Date: Thu, 29 Jun 2023 13:48:39 +0100 Subject: [PATCH 45/75] Update cyber-threat-intelligence/examples/08-check-intrusion-set.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/08-check-intrusion-set.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql index 5fd81a1..8e104d3 100644 --- a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql +++ b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql @@ -13,7 +13,7 @@ $u (used: $a, using: $i) isa uses; #------------------------------------------------------------ # Exercise 08: -# Create a intrusion_set as well as a uses relation to link it to the malware owning "bravo_malware" as stix_id. +# Create an intrusion_set as well as a uses relation to link it to the malware owning "bravo_malware" as stix_id. # You will need to provide a stix_id for both new intrusion_set and new uses relation. # Modify the query from the Exercise 06 to include your intrusion_set as a potential roleplayer in the uses relationship. # From a6366452a04c20fe5446441b3de2488603329be4 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:48:51 +0100 Subject: [PATCH 46/75] Update cyber-threat-intelligence/examples/01-list-id_unknown.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/01-list-id_unknown.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/01-list-id_unknown.tql b/cyber-threat-intelligence/examples/01-list-id_unknown.tql index 3062fd1..5413808 100644 --- a/cyber-threat-intelligence/examples/01-list-id_unknown.tql +++ b/cyber-threat-intelligence/examples/01-list-id_unknown.tql 
@@ -3,7 +3,7 @@ # Let's start by getting a list of id_unknown in the database. # # We are querying for a list of actors with unknown ids. -# $t and $all are variables, which can be used in the query. +# $t and $attribute are variables, which are used in the query. # The query is a get query containing a single pattern matching statement. # The query will return all the entities of type id_unknown in the database and their attributes. From c816ab0f90f8019c5a9608ef982b5917046c3b79 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:49:07 +0100 Subject: [PATCH 47/75] Update cyber-threat-intelligence/examples/08-check-intrusion-set.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/08-check-intrusion-set.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql index 8e104d3..fb3cd15 100644 --- a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql +++ b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql @@ -1,6 +1,6 @@ # Example 08: -# This example shows how to use the match command to find all the +# This example shows how to use a get query to find all the # relationships between an attack pattern and an intrusion set that # are referenced by a specific external reference. From d00adb6c2108075804cf0545bc90dbe765d2f3aa Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:49:33 +0100 Subject: [PATCH 48/75] Update cyber-threat-intelligence/examples/02-list-identity.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/02-list-identity.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cyber-threat-intelligence/examples/02-list-identity.tql b/cyber-threat-intelligence/examples/02-list-identity.tql index 4f995d1..7ffd886 100644 --- a/cyber-threat-intelligence/examples/02-list-identity.tql +++ b/cyber-threat-intelligence/examples/02-list-identity.tql @@ -1,6 +1,6 @@ # Example 02: -# Now let's see the list of actors in the database. +# Now let's see a list of actors in the database. # # We are querying for a list of identities in the database. # We are using the match keyword to match the identity type. From 08d0fc248a60a43c87b23300b95b6b55b97705a8 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:49:52 +0100 Subject: [PATCH 49/75] Update cyber-threat-intelligence/examples/02-list-identity.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/02-list-identity.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/02-list-identity.tql b/cyber-threat-intelligence/examples/02-list-identity.tql index 7ffd886..3ecc43c 100644 --- a/cyber-threat-intelligence/examples/02-list-identity.tql +++ b/cyber-threat-intelligence/examples/02-list-identity.tql @@ -2,7 +2,7 @@ # Now let's see a list of actors in the database. # -# We are querying for a list of identities in the database. +# We are querying for a list of identities. # We are using the match keyword to match the identity type. # As we can see identity exists in the database but also references other subtypes. From 5c18848044efcee8d8de01c483968f47ad64b10b Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:50:10 +0100 Subject: [PATCH 50/75] Update cyber-threat-intelligence/examples/02-list-identity.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/02-list-identity.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cyber-threat-intelligence/examples/02-list-identity.tql b/cyber-threat-intelligence/examples/02-list-identity.tql index 3ecc43c..274727a 100644 --- a/cyber-threat-intelligence/examples/02-list-identity.tql +++ b/cyber-threat-intelligence/examples/02-list-identity.tql @@ -4,7 +4,7 @@ # # We are querying for a list of identities. # We are using the match keyword to match the identity type. -# As we can see identity exists in the database but also references other subtypes. +# As we can see, we match both identities and subtypes of identity like organizations. match From 31801f24c9531dbc0cee0d99d24a42cac7daa9d6 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:50:28 +0100 Subject: [PATCH 51/75] Update cyber-threat-intelligence/examples/exercise-solutions.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/exercise-solutions.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/exercise-solutions.tql b/cyber-threat-intelligence/examples/exercise-solutions.tql index e58ed8f..0750621 100644 --- a/cyber-threat-intelligence/examples/exercise-solutions.tql +++ b/cyber-threat-intelligence/examples/exercise-solutions.tql @@ -13,7 +13,7 @@ $t isa id_unknown, has name $n, has description $d; # Exercise 02 solution: match -$t isa identity, has $all; +$t isa identity, has $attribute; not{$t isa organization;}; #-------------------------------------------------- From 9eed94f26e53e944adff7f040769592395bba447 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:50:49 +0100 Subject: [PATCH 52/75] Update cyber-threat-intelligence/examples/03-create-malware.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/03-create-malware.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cyber-threat-intelligence/examples/03-create-malware.tql b/cyber-threat-intelligence/examples/03-create-malware.tql index c6df195..df26849 100644 --- a/cyber-threat-intelligence/examples/03-create-malware.tql +++ b/cyber-threat-intelligence/examples/03-create-malware.tql @@ -1,6 +1,6 @@ # Example 03: -# Now let's insert a new threat actor, a new malware and add them create an attribution relation between them. +# Now let's insert a new threat actor, a new malware and create an attribution relation between them. # We will also add a new malware, bravo_malware, as well as a new threat_actor, bravo_threat. # We will then use them both to create a new attributed_to relation. From caca29f630f113538e78f17457bee57789bfdb98 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:51:18 +0100 Subject: [PATCH 53/75] Update cyber-threat-intelligence/examples/04-assign-target.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/04-assign-target.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/04-assign-target.tql b/cyber-threat-intelligence/examples/04-assign-target.tql index d4d39bd..0a4ab25 100644 --- a/cyber-threat-intelligence/examples/04-assign-target.tql +++ b/cyber-threat-intelligence/examples/04-assign-target.tql @@ -2,7 +2,7 @@ # Now let's insert a new targets relation between a specific malware and a specific id_unknown. # We will use the stix_id attribute to identify the malware and the name attribute to identify the id_unknown. -# We will also use the stix_id attribute to identify the new targets relation. +# We will also assign a stix_id attribute to identify the new targets relation. match $bravo_id isa id_unknown, has name "Adversary Bravo"; From 7dc90092eb94821121e634fc0f8cb6954ae85208 Mon Sep 17 00:00:00 2001 
From: Sullivan Daly Date: Thu, 29 Jun 2023 13:51:35 +0100 Subject: [PATCH 54/75] Update cyber-threat-intelligence/examples/03-create-malware.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/03-create-malware.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/03-create-malware.tql b/cyber-threat-intelligence/examples/03-create-malware.tql index df26849..85cfea9 100644 --- a/cyber-threat-intelligence/examples/03-create-malware.tql +++ b/cyber-threat-intelligence/examples/03-create-malware.tql @@ -31,6 +31,6 @@ $bravo_ma isa malware, # Write a new query to give bravo_threat a third threat actor type: "insider". Try re-running Example 03 to # see the results of this insert query. # Keyword hints: match, insert -# Type hints: threat_actor, threat_actor_types +# Type hints: threat_actor, threat_actor_types, stix_id #-------------------------------------------------- From f73d9bbeb4679b66768cc6481a5efcf799b9327c Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:52:17 +0100 Subject: [PATCH 55/75] Update cyber-threat-intelligence/examples/06-uses-chain.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/06-uses-chain.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/06-uses-chain.tql b/cyber-threat-intelligence/examples/06-uses-chain.tql index fec6d38..78350a5 100644 --- a/cyber-threat-intelligence/examples/06-uses-chain.tql +++ b/cyber-threat-intelligence/examples/06-uses-chain.tql @@ -1,6 +1,6 @@ # Example 06: -# We will use the stix_id to find the attack pattern using the malware created in the Exercise 03 +# Next, we will use the stix_id to find the attack pattern using the malware created in Exercise 03. # We will then create a uses relationship between the attack pattern and malware match 
From b837d11d583bf6e7b781d9d7d3dc8bc9622159bc Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:52:42 +0100 Subject: [PATCH 56/75] Update cyber-threat-intelligence/examples/06-uses-chain.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/06-uses-chain.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/06-uses-chain.tql b/cyber-threat-intelligence/examples/06-uses-chain.tql index 78350a5..3ac2cbf 100644 --- a/cyber-threat-intelligence/examples/06-uses-chain.tql +++ b/cyber-threat-intelligence/examples/06-uses-chain.tql @@ -1,7 +1,7 @@ # Example 06: # Next, we will use the stix_id to find the attack pattern using the malware created in Exercise 03. -# We will then create a uses relationship between the attack pattern and malware +# We will then create a uses relationship between the attack pattern and malware. match $bravo_ap isa attack_pattern, has stix_id "attack_pattern_bravo"; From 24489f8adf4fb2bd28f47457426f0583b0622bb7 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 13:53:07 +0100 Subject: [PATCH 57/75] Update cyber-threat-intelligence/examples/06-uses-chain.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/06-uses-chain.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/06-uses-chain.tql b/cyber-threat-intelligence/examples/06-uses-chain.tql index 3ac2cbf..bc53d2d 100644 --- a/cyber-threat-intelligence/examples/06-uses-chain.tql +++ b/cyber-threat-intelligence/examples/06-uses-chain.tql 
@@ -15,7 +15,7 @@ $u1 (used: $bravo_ap, using:$bravo_ma) isa uses, # Exercise 06: # With inference switched on, we can now query for the attack pattern and malware that are used by the threat actor -# Create a query that finds the attack pattern and malware that are used by the threat actor +# Create a query that finds the attack pattern and malware that are used by the threat actor with stix_id "bravo_threat". # You can double click on the green infered uses relationship to get an explanation of what triggered the inferred rule. # Keyword hints: match, or # Type hints: attack_pattern, malware, threat_actor, uses, stix_id From a82c6d64117cc800c5ee24952edcc4476b6404df Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 14:15:06 +0100 Subject: [PATCH 58/75] Solve pull/5#discussion_r1246543600 --- cyber-threat-intelligence/examples/07-external-reference.tql | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/cyber-threat-intelligence/examples/07-external-reference.tql b/cyber-threat-intelligence/examples/07-external-reference.tql index aaf1ffa..8f25ef1 100644 --- a/cyber-threat-intelligence/examples/07-external-reference.tql +++ b/cyber-threat-intelligence/examples/07-external-reference.tql @@ -1,11 +1,9 @@ # Example 07: -# From the Example 06, we can see that some attack patterns are used by intrusion sets. -# We can also see that some attack patterns have external references. +# From the Example 06, we can see that some attack patterns have external references. # We can use the same approach to find attack patterns that are used by intrusion sets and have external references. # An external reference refers to a link or identifier that points to additional information or context about a specific threat or indicator. - match $e isa external_reference; $e has $eid; From f8fd8210f96531539fffa8a775d8bc938b3fa003 Mon Sep 17 00:00:00 2001 
From: Sullivan Daly Date: Thu, 29 Jun 2023 14:17:45 +0100 Subject: [PATCH 59/75] solve pull/5#discussion_r1246542883 --- cyber-threat-intelligence/examples/06-uses-chain.tql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/06-uses-chain.tql b/cyber-threat-intelligence/examples/06-uses-chain.tql index bc53d2d..450c202 100644 --- a/cyber-threat-intelligence/examples/06-uses-chain.tql +++ b/cyber-threat-intelligence/examples/06-uses-chain.tql @@ -14,8 +14,9 @@ $u1 (used: $bravo_ap, using:$bravo_ma) isa uses, #-------------------------------------------------- # Exercise 06: -# With inference switched on, we can now query for the attack pattern and malware that are used by the threat actor +# With inference switched on, we can now query for the attack pattern and malware that are used by the threat actor. # Create a query that finds the attack pattern and malware that are used by the threat actor with stix_id "bravo_threat". +# To switch on explanations, toggle the "snapshot", "infer", and "explain" buttons to on. # You can double click on the green infered uses relationship to get an explanation of what triggered the inferred rule. # Keyword hints: match, or # Type hints: attack_pattern, malware, threat_actor, uses, stix_id From 1abb127ee6bbcf00dd95c43a60bdb50f3adac68c Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 14:29:28 +0100 Subject: [PATCH 60/75] solve pull/5#discussion_r1246513402 --- cyber-threat-intelligence/examples/03-create-malware.tql | 5 +++-- cyber-threat-intelligence/examples/exercise-solutions.tql | 8 ++++++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/cyber-threat-intelligence/examples/03-create-malware.tql b/cyber-threat-intelligence/examples/03-create-malware.tql index 85cfea9..48529c2 100644 --- a/cyber-threat-intelligence/examples/03-create-malware.tql +++ b/cyber-threat-intelligence/examples/03-create-malware.tql 
@@ -28,8 +28,9 @@ $bravo_ma isa malware, #-------------------------------------------------- # Exercise 03: -# Write a new query to give bravo_threat a third threat actor type: "insider". Try re-running Example 03 to -# see the results of this insert query. +# Display the threat_actor created in this example. +# Then Write a new query to give bravo_threat a third threat actor type: "insider". +# Try re-display the treat_actor to see the results of this insert query. # Keyword hints: match, insert # Type hints: threat_actor, threat_actor_types, stix_id diff --git a/cyber-threat-intelligence/examples/exercise-solutions.tql b/cyber-threat-intelligence/examples/exercise-solutions.tql index 0750621..5c70fd4 100644 --- a/cyber-threat-intelligence/examples/exercise-solutions.tql +++ b/cyber-threat-intelligence/examples/exercise-solutions.tql @@ -19,6 +19,12 @@ not{$t isa organization;}; #-------------------------------------------------- # Exercise 03 solution: +#display +match +$t isa threat_actor, has stix_id $n; +$n = "bravo_threat"; + +#insert new threat_actor_types match $t isa threat_actor, has stix_id $n; $n = "bravo_threat"; @@ -26,6 +32,8 @@ $n = "bravo_threat"; insert $t has threat_actor_types "insider"; + + #-------------------------------------------------- # Exercise 04 solution: From 950f4e53256b3c9165eed12d2360972c07f95857 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 14:32:06 +0100 Subject: [PATCH 61/75] solve pull/5#discussion_r1246528945 --- cyber-threat-intelligence/examples/05-infered-uses.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/05-infered-uses.tql b/cyber-threat-intelligence/examples/05-infered-uses.tql index 8f7f882..f1f41f8 100644 --- a/cyber-threat-intelligence/examples/05-infered-uses.tql +++ b/cyber-threat-intelligence/examples/05-infered-uses.tql 
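Review bot: The new exercise text misspells the type it asks the learner to display: `# Try re-display the treat_actor to see the results of this insert query.` names `treat_actor`, which the schema does not define, so anyone copying the label gets an empty answer rather than the intended check. I would write `# Then re-display the threat_actor to see the results of this insert query.` and lower-case the verb in `# Then Write a new query ...`. The same wording is carried unchanged into the hyphenated `03-create-malware.tql` hunk of the later style-change commit on this page (`treat-actor`), so both copies need the fix.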
@@ -12,7 +12,7 @@ $x has stix_id "bravo_id_unknown"; #-------------------------------------------------- # Exercise 05: -# When we run this query, we get a few results, but let's try toggling the inference button at the top to switch on +# When we run this query, we get one result, but let's try toggling the inference button at the top to switch on # TypeDB's rule-inference. Now if we run the query again, we get many more results shown in a green outline. This is # because of a rule encoded into the schema: # From bcb2401beed8a0f08fb7e3fef75cc5f4ba0d242e Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 14:33:51 +0100 Subject: [PATCH 62/75] resolve pull/5#discussion_r1246528945 --- cyber-threat-intelligence/examples/05-infered-uses.tql | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cyber-threat-intelligence/examples/05-infered-uses.tql b/cyber-threat-intelligence/examples/05-infered-uses.tql index f1f41f8..209f96d 100644 --- a/cyber-threat-intelligence/examples/05-infered-uses.tql +++ b/cyber-threat-intelligence/examples/05-infered-uses.tql @@ -13,8 +13,8 @@ $x has stix_id "bravo_id_unknown"; # Exercise 05: # When we run this query, we get one result, but let's try toggling the inference button at the top to switch on -# TypeDB's rule-inference. Now if we run the query again, we get many more results shown in a green outline. This is -# because of a rule encoded into the schema: +# TypeDB's rule-inference. Now if we run the query again, we get more attributes as well as a new relation +# shown in a green outline. This is because of a rule encoded into the schema: # # rule transitive_use: # when { From 99c5731ef945f40312ea6a5e529a3ef3c6c83a2a Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 14:35:11 +0100 Subject: [PATCH 63/75] solve pull/5#discussion_r1246529654 --- cyber-threat-intelligence/examples/05-infered-uses.tql | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/cyber-threat-intelligence/examples/05-infered-uses.tql b/cyber-threat-intelligence/examples/05-infered-uses.tql index 209f96d..c186b7b 100644 --- a/cyber-threat-intelligence/examples/05-infered-uses.tql +++ b/cyber-threat-intelligence/examples/05-infered-uses.tql @@ -18,9 +18,9 @@ $x has stix_id "bravo_id_unknown"; # # rule transitive_use: # when { -# $x isa stix_domain_object, has name $name1; -# $y isa stix_domain_object, has name $name2; -# $z isa stix_domain_object, has name $name3; +# $x isa stix_domain_object; +# $y isa stix_domain_object; +# $z isa stix_domain_object; # $use1 (using: $x, used: $y) isa uses; # $use2 (using: $y, used: $z) isa uses; # } then { From 20dfe341cfd8fcd294c4103d7a26775236c989a0 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 15:07:04 +0100 Subject: [PATCH 64/75] solve issue --- cyber-threat-intelligence/examples/05-infered-uses.tql | 1 - 1 file changed, 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/05-infered-uses.tql b/cyber-threat-intelligence/examples/05-infered-uses.tql index c186b7b..845879e 100644 --- a/cyber-threat-intelligence/examples/05-infered-uses.tql +++ b/cyber-threat-intelligence/examples/05-infered-uses.tql @@ -30,7 +30,6 @@ $x has stix_id "bravo_id_unknown"; # This rule makes uses relationship transitive, so if we know that a threat actor uses an unknown id, and that unknown # id uses a target, then we can infer that the threat actor uses the target. This is a very powerful feature of TypeDB. # -# Try to run again the same query activating inference # Keyword hints: infer #-------------------------------------------------- From c9d28bbb7729da17dcb527b015359b9d8dd721ff Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 15:15:25 +0100 Subject: [PATCH 65/75] solve pull/5#discussion_r1246532768 --- .../examples/04-assign-target.tql | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/cyber-threat-intelligence/examples/04-assign-target.tql b/cyber-threat-intelligence/examples/04-assign-target.tql index 0a4ab25..da90a6c 100644 --- a/cyber-threat-intelligence/examples/04-assign-target.tql +++ b/cyber-threat-intelligence/examples/04-assign-target.tql @@ -15,10 +15,10 @@ insert #-------------------------------------------------- # Exercise 04: -# Write a new query to find the attack_pattern with stix_id "attack_pattern_bravo" -# as well as the malware with stix_id "bravo_malware" -# and then, create a uses relationship to descibe the fact that the attack_pattern is using the malware -# Keyword hints: match, insert -# Type hints: attack_pattern, malware, uses +# Write a new query to find the id_unknown with stix_id "bravo_id_unknown" as well as the malware with stix_id "bravo_malware" +# and then, create a uses relationship to descibe the fact that the attack_pattern is using the malware. +# You will need to give a new unique stix_id to your uses relationship. +# Keyword hints: match, insert, has +# Type hints: id_unknown, malware, uses #-------------------------------------------------- From f320502c736d31f14d875b19f7584c190a88557f Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 15:16:22 +0100 Subject: [PATCH 66/75] solve bis --- cyber-threat-intelligence/examples/exercise-solutions.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/exercise-solutions.tql b/cyber-threat-intelligence/examples/exercise-solutions.tql index 5c70fd4..fb5b4af 100644 --- a/cyber-threat-intelligence/examples/exercise-solutions.tql +++ b/cyber-threat-intelligence/examples/exercise-solutions.tql @@ -38,7 +38,7 @@ $t has threat_actor_types "insider"; # Exercise 04 solution: match -$bravo_id isa id_unknown, has name "Adversary Bravo"; +$bravo_id isa id_unknown, has stix_id "bravo_id_unknown"; $bravo_ma isa malware, has stix_id "bravo_malware"; insert 
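Review bot: The rewritten Exercise 04 instruction is internally inconsistent: the first line tells the learner to find the `id_unknown` and the malware, but the second line says the relation should `descibe the fact that the attack_pattern is using the malware`, and the type hints no longer mention `attack_pattern` at all. The Exercise 04 solution changed in the next hunk on this line binds `$bravo_id isa id_unknown` as the `using` role player, so the text should read `# and then, create a uses relationship to describe the fact that the id_unknown is using the malware.` (this also fixes the `descibe` typo). The hyphenated copy of this file in the style-change commit further down the page repeats the same sentence and should be corrected there too.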
From 8a103fe5d447ac87e3ef16b375935e5d905ab459 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 18:17:26 +0100 Subject: [PATCH 67/75] Update cyber-threat-intelligence/examples/05-infered-uses.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/05-infered-uses.tql | 1 - 1 file changed, 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/05-infered-uses.tql b/cyber-threat-intelligence/examples/05-infered-uses.tql index 845879e..97f0d88 100644 --- a/cyber-threat-intelligence/examples/05-infered-uses.tql +++ b/cyber-threat-intelligence/examples/05-infered-uses.tql @@ -30,6 +30,5 @@ $x has stix_id "bravo_id_unknown"; # This rule makes uses relationship transitive, so if we know that a threat actor uses an unknown id, and that unknown # id uses a target, then we can infer that the threat actor uses the target. This is a very powerful feature of TypeDB. # -# Keyword hints: infer #-------------------------------------------------- From 642265243c68a8dc7b4c203b21f972df7915e99b Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 18:18:01 +0100 Subject: [PATCH 68/75] Update cyber-threat-intelligence/examples/07-external-reference.tql Co-authored-by: James Whiteside <117453030+james-whiteside@users.noreply.github.com> --- cyber-threat-intelligence/examples/07-external-reference.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/07-external-reference.tql b/cyber-threat-intelligence/examples/07-external-reference.tql index 8f25ef1..fc83204 100644 --- a/cyber-threat-intelligence/examples/07-external-reference.tql +++ b/cyber-threat-intelligence/examples/07-external-reference.tql 
@@ -1,6 +1,6 @@ # Example 07: -# From the Example 06, we can see that some attack patterns have external references. +# From Example 06, we can see that some attack patterns have external references. # We can use the same approach to find attack patterns that are used by intrusion sets and have external references. # An external reference refers to a link or identifier that points to additional information or context about a specific threat or indicator. From a09de0ee54096e6ca738442aed6be957ea77e702 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 18:35:13 +0100 Subject: [PATCH 69/75] rename --- .../examples/{01-list-id_unknown.tql => 01-list-id-unknown.tql} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cyber-threat-intelligence/examples/{01-list-id_unknown.tql => 01-list-id-unknown.tql} (100%) diff --git a/cyber-threat-intelligence/examples/01-list-id_unknown.tql b/cyber-threat-intelligence/examples/01-list-id-unknown.tql similarity index 100% rename from cyber-threat-intelligence/examples/01-list-id_unknown.tql rename to cyber-threat-intelligence/examples/01-list-id-unknown.tql From 4608937e5ac20ff96252d266df1ffbe73f44bce4 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 18:36:52 +0100 Subject: [PATCH 70/75] change style --- .../examples/01-list-id-unknown.tql | 10 +-- .../examples/02-list-identity.tql | 2 +- .../examples/03-create-malware.tql | 34 ++++----- .../examples/04-assign-target.tql | 22 +++--- .../examples/05-infered-uses.tql | 16 ++--- .../examples/06-uses-chain.tql | 14 ++-- .../examples/07-external-reference.tql | 8 +-- .../examples/08-check-intrusion-set.tql | 14 ++-- .../examples/exercise-solutions.tql | 70 +++++++++---------- 9 files changed, 95 insertions(+), 95 deletions(-) diff --git a/cyber-threat-intelligence/examples/01-list-id-unknown.tql b/cyber-threat-intelligence/examples/01-list-id-unknown.tql index 5413808..f904199 100644 --- a/cyber-threat-intelligence/examples/01-list-id-unknown.tql 
+++ b/cyber-threat-intelligence/examples/01-list-id-unknown.tql @@ -1,19 +1,19 @@ # Example 01: -# Let's start by getting a list of id_unknown in the database. +# Let's start by getting a list of id-unknown in the database. # # We are querying for a list of actors with unknown ids. # $t and $attribute are variables, which are used in the query. # The query is a get query containing a single pattern matching statement. -# The query will return all the entities of type id_unknown in the database and their attributes. +# The query will return all the entities of type id-unknown in the database and their attributes. -match -$t isa id_unknown, has $attribute; +match +$t isa id-unknown, has $attribute; #-------------------------------------------------- # Exercise 01: -# Edit this query to show only the name and description of our id_unknown. +# Edit this query to show only the name and description of our id-unknown. # Type hints: name, description #-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/02-list-identity.tql b/cyber-threat-intelligence/examples/02-list-identity.tql index 274727a..f742e29 100644 --- a/cyber-threat-intelligence/examples/02-list-identity.tql +++ b/cyber-threat-intelligence/examples/02-list-identity.tql @@ -13,7 +13,7 @@ $t isa identity, has $attribute; #-------------------------------------------------- # Exercise 02: -# Edit this query to list only id_unknown and identity. +# Edit this query to list only id-unknown and identity. # Keyword hints: not # Type hints: organization diff --git a/cyber-threat-intelligence/examples/03-create-malware.tql b/cyber-threat-intelligence/examples/03-create-malware.tql index 48529c2..0f1eabc 100644 --- a/cyber-threat-intelligence/examples/03-create-malware.tql +++ b/cyber-threat-intelligence/examples/03-create-malware.tql 
@@ -1,37 +1,37 @@ # Example 03: # Now let's insert a new threat actor, a new malware and create an attribution relation between them. -# We will also add a new malware, bravo_malware, as well as a new threat_actor, bravo_threat. -# We will then use them both to create a new attributed_to relation. +# We will also add a new malware, bravo-malware, as well as a new threat-actor, bravo-threat. +# We will then use them both to create a new attributed-to relation. insert -$bravo_ta isa threat_actor, - has spec_version "2.1", - has stix_id "bravo_threat", +$bravo-ta isa threat-actor, + has spec-version "2.1", + has stix-id "bravo-threat", has created 2022-05-07T14:22:14.760, has modified 2022-05-07T14:22:14.760, has name "Bravo Attacker", - has threat_actor_types "spy", - has threat_actor_types "criminal"; + has threat-actor-types "spy", + has threat-actor-types "criminal"; -$bravo_ma isa malware, - has spec_version "2.1", - has stix_id "bravo_malware", +$bravo-ma isa malware, + has spec-version "2.1", + has stix-id "bravo-malware", has created 2022-05-07T14:22:14.760, has modified 2022-05-07T14:22:14.760, has description "Bravo Malware"; -(attributing: $bravo_ta, attributed: $bravo_ma) isa attributed_to, - has spec_version "2.01", - has stix_id "bravo_threat_attributed_to_bravo_id"; +(attributing: $bravo-ta, attributed: $bravo-ma) isa attributed-to, + has spec-version "2.01", + has stix-id "bravo-threat-attributed-to-bravo-id"; #-------------------------------------------------- # Exercise 03: -# Display the threat_actor created in this example. -# Then Write a new query to give bravo_threat a third threat actor type: "insider". -# Try re-display the treat_actor to see the results of this insert query. +# Display the threat-actor created in this example. +# Then Write a new query to give bravo-threat a third threat actor type: "insider". +# Try re-display the treat-actor to see the results of this insert query. 
# Keyword hints: match, insert -# Type hints: threat_actor, threat_actor_types, stix_id +# Type hints: threat-actor, threat-actor-types, stix-id #-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/04-assign-target.tql b/cyber-threat-intelligence/examples/04-assign-target.tql index da90a6c..b946ae9 100644 --- a/cyber-threat-intelligence/examples/04-assign-target.tql +++ b/cyber-threat-intelligence/examples/04-assign-target.tql 
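Review bot: The `attributed-to` insert in this hunk carries `has spec-version "2.01",` while the threat-actor and malware in the same example use `has spec-version "2.1",`; STIX 2.1 fixes `spec_version` to the literal string `"2.1"`, so `"2.01"` is a typo that this style sweep has preserved on the new side rather than introduced. Changing it to `has spec-version "2.1",` keeps the three objects consistent and lets a learner filter on `spec-version` without a surprise. The relation's identifier `"bravo-threat-attributed-to-bravo-id"` also names `bravo-id` although the attributed object is the malware, which may be intentional but reads as a copy-paste remnant. This hunk starts on the previous line.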
@@ -1,24 +1,24 @@ # Example 04: -# Now let's insert a new targets relation between a specific malware and a specific id_unknown. -# We will use the stix_id attribute to identify the malware and the name attribute to identify the id_unknown. -# We will also assign a stix_id attribute to identify the new targets relation. +# Now let's insert a new targets relation between a specific malware and a specific id-unknown. +# We will use the stix-id attribute to identify the malware and the name attribute to identify the id-unknown. +# We will also assign a stix-id attribute to identify the new targets relation. match -$bravo_id isa id_unknown, has name "Adversary Bravo"; -$bravo_ma isa malware, has stix_id "bravo_malware"; +$bravo-id isa id-unknown, has name "Adversary Bravo"; +$bravo-ma isa malware, has stix-id "bravo-malware"; insert -(targeting: $bravo_ma, targeted: $bravo_id) isa targets, - has stix_id "bravo_targets"; +(targeting: $bravo-ma, targeted: $bravo-id) isa targets, + has stix-id "bravo-targets"; #-------------------------------------------------- # Exercise 04: -# Write a new query to find the id_unknown with stix_id "bravo_id_unknown" as well as the malware with stix_id "bravo_malware" -# and then, create a uses relationship to descibe the fact that the attack_pattern is using the malware. -# You will need to give a new unique stix_id to your uses relationship. +# Write a new query to find the id-unknown with stix-id "bravo-id-unknown" as well as the malware with stix-id "bravo-malware" +# and then, create a uses relationship to descibe the fact that the attack-pattern is using the malware. +# You will need to give a new unique stix-id to your uses relationship. # Keyword hints: match, insert, has -# Type hints: id_unknown, malware, uses +# Type hints: id-unknown, malware, uses #-------------------------------------------------- 
diff --git a/cyber-threat-intelligence/examples/05-infered-uses.tql b/cyber-threat-intelligence/examples/05-infered-uses.tql index 97f0d88..5399067 100644 --- a/cyber-threat-intelligence/examples/05-infered-uses.tql +++ b/cyber-threat-intelligence/examples/05-infered-uses.tql @@ -1,13 +1,13 @@ # Example 05: -# Now let's research the attack we described earlier using the id_unknown and threat_actor stix_id +# Now let's research the attack we described earlier using the id-unknown and threat-actor stix-id # This query represents the following question: "Who targets the unknown id and what tool is used?" match $t($x, $y) isa targets; -$c($a, $b) isa attributed_to; -$b has stix_id "bravo_threat"; -$x has stix_id "bravo_id_unknown"; +$c($a, $b) isa attributed-to; +$b has stix-id "bravo-threat"; +$x has stix-id "bravo-id-unknown"; #-------------------------------------------------- # Exercise 05: @@ -16,11 +16,11 @@ $x has stix_id "bravo_id_unknown"; # TypeDB's rule-inference. Now if we run the query again, we get more attributes as well as a new relation # shown in a green outline. This is because of a rule encoded into the schema: # -# rule transitive_use: +# rule transitive-use: # when { -# $x isa stix_domain_object; -# $y isa stix_domain_object; -# $z isa stix_domain_object; +# $x isa stix-domain-object; +# $y isa stix-domain-object; +# $z isa stix-domain-object; # $use1 (using: $x, used: $y) isa uses; # $use2 (using: $y, used: $z) isa uses; # } then { diff --git a/cyber-threat-intelligence/examples/06-uses-chain.tql b/cyber-threat-intelligence/examples/06-uses-chain.tql index 450c202..a53a136 100644 --- a/cyber-threat-intelligence/examples/06-uses-chain.tql +++ b/cyber-threat-intelligence/examples/06-uses-chain.tql 
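Review bot: In the Example 05 `match`, the two relation patterns share no variable: `$t($x, $y) isa targets;` and `$c($a, $b) isa attributed-to;` are tied together only by the two fixed `stix-id` values, so the query returns the cross product of the matching targets and attributed-to relations rather than an answer to "who targets the unknown id and what tool is used?". If the intent is that the thing targeting the id-unknown is the same thing attributed to the threat actor, binding one variable in both patterns, e.g. `$c($y, $b) isa attributed-to;`, expresses that directly. The pattern predates this rename (the old side has the same shape), so it may be deliberate for the one-result narrative in the exercise text; either way a one-line comment stating which reading is intended would help.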
@@ -1,24 +1,24 @@ # Example 06: -# Next, we will use the stix_id to find the attack pattern using the malware created in Exercise 03. +# Next, we will use the stix-id to find the attack pattern using the malware created in Exercise 03. # We will then create a uses relationship between the attack pattern and malware. match -$bravo_ap isa attack_pattern, has stix_id "attack_pattern_bravo"; -$bravo_ma isa malware, has stix_id "bravo_malware"; +$bravo-ap isa attack-pattern, has stix-id "attack-pattern-bravo"; +$bravo-ma isa malware, has stix-id "bravo-malware"; insert -$u1 (used: $bravo_ap, using:$bravo_ma) isa uses, - has stix_id "bravo_uses_1"; +$u1 (used: $bravo-ap, using:$bravo-ma) isa uses, + has stix-id "bravo-uses-1"; #-------------------------------------------------- # Exercise 06: # With inference switched on, we can now query for the attack pattern and malware that are used by the threat actor. -# Create a query that finds the attack pattern and malware that are used by the threat actor with stix_id "bravo_threat". +# Create a query that finds the attack pattern and malware that are used by the threat actor with stix-id "bravo-threat". # To switch on explanations, toggle the "snapshot", "infer", and "explain" buttons to on. # You can double click on the green infered uses relationship to get an explanation of what triggered the inferred rule. # Keyword hints: match, or -# Type hints: attack_pattern, malware, threat_actor, uses, stix_id +# Type hints: attack-pattern, malware, threat-actor, uses, stix-id #-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/07-external-reference.tql b/cyber-threat-intelligence/examples/07-external-reference.tql index fc83204..7ffd03d 100644 --- a/cyber-threat-intelligence/examples/07-external-reference.tql +++ b/cyber-threat-intelligence/examples/07-external-reference.tql 
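Review bot: The header comment and the insert disagree about direction: the comment says we will `find the attack pattern using the malware`, but the roles in `$u1 (used: $bravo-ap, using:$bravo-ma) isa uses,` make the malware the user and the attack pattern the used object. Both directions are meaningful in STIX, so the comment should state the one the code actually creates, e.g. `# We will then create a uses relationship in which the malware uses the attack pattern.`. A space after `using:` would also match the role syntax used in the other examples on this page.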
@@ -5,10 +5,10 @@ # An external reference refers to a link or identifier that points to additional information or context about a specific threat or indicator. match -$e isa external_reference; +$e isa external-reference; $e has $eid; -$a isa attack_pattern; -$rel (referencing: $a, referenced: $e) isa external_references; +$a isa attack-pattern; +$rel (referencing: $a, referenced: $e) isa external-references; #-------------------------------------------------- # Exercise 07: @@ -17,7 +17,7 @@ $rel (referencing: $a, referenced: $e) isa external_references; # Return the name of the attack pattern, the name of the intrusion set, and the external reference ID. # Order by the name of the attack pattern. # Keyword hints: match, sort -# Type hints: attack_pattern, intrusion_set, external_reference +# Type hints: attack-pattern, intrusion-set, external-reference #-------------------------------------------------- diff --git a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql index fb3cd15..af32805 100644 --- a/cyber-threat-intelligence/examples/08-check-intrusion-set.tql +++ b/cyber-threat-intelligence/examples/08-check-intrusion-set.tql 
@@ -5,18 +5,18 @@ # are referenced by a specific external reference. match -$a isa attack_pattern, has name $an; -$i isa intrusion_set, has name $in; -$rel (referencing: $a, referenced: $e) isa external_references; +$a isa attack-pattern, has name $an; +$i isa intrusion-set, has name $in; +$rel (referencing: $a, referenced: $e) isa external-references; $u (used: $a, using: $i) isa uses; #------------------------------------------------------------ # Exercise 08: -# Create an intrusion_set as well as a uses relation to link it to the malware owning "bravo_malware" as stix_id. -# You will need to provide a stix_id for both new intrusion_set and new uses relation. -# Modify the query from the Exercise 06 to include your intrusion_set as a potential roleplayer in the uses relationship. +# Create an intrusion-set as well as a uses relation to link it to the malware owning "bravo-malware" as stix-id. +# You will need to provide a stix-id for both new intrusion-set and new uses relation. +# Modify the query from the Exercise 06 to include your intrusion-set as a potential roleplayer in the uses relationship. # -# As we can see, two uses relations are infered, automatically creating a link between intrusion_set and threat_actor through attack_pattern. +# As we can see, two uses relations are infered, automatically creating a link between intrusion-set and threat-actor through attack-pattern. #------------------------------------------------------------ diff --git a/cyber-threat-intelligence/examples/exercise-solutions.tql b/cyber-threat-intelligence/examples/exercise-solutions.tql index fb5b4af..626e10c 100644 --- a/cyber-threat-intelligence/examples/exercise-solutions.tql +++ b/cyber-threat-intelligence/examples/exercise-solutions.tql @@ -7,7 +7,7 @@ # Exercise 01 solution: match -$t isa id_unknown, has name $n, has description $d; +$t isa id-unknown, has name $n, has description $d; #-------------------------------------------------- # Exercise 02 solution: 
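Review bot: The new exercise note misspells "inferred": `# As we can see, two uses relations are infered, ...` should read `# As we can see, two uses relations are inferred, ...`. The same misspelling appears in the `06-uses-chain.tql` exercise text (`green infered uses relationship`) and in the file name `05-infered-uses.tql`; since this commit is already a style sweep across the examples, it is the natural place to fix all three together.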
@@ -21,16 +21,16 @@ not{$t isa organization;}; #display match -$t isa threat_actor, has stix_id $n; -$n = "bravo_threat"; +$t isa threat-actor, has stix-id $n; +$n = "bravo-threat"; -#insert new threat_actor_types +#insert new threat-actor-types match -$t isa threat_actor, has stix_id $n; -$n = "bravo_threat"; +$t isa threat-actor, has stix-id $n; +$n = "bravo-threat"; insert -$t has threat_actor_types "insider"; +$t has threat-actor-types "insider"; 
@@ -38,58 +38,58 @@ $t has threat_actor_types "insider"; # Exercise 04 solution: match -$bravo_id isa id_unknown, has stix_id "bravo_id_unknown"; -$bravo_ma isa malware, has stix_id "bravo_malware"; +$bravo-id isa id-unknown, has stix-id "bravo-id-unknown"; +$bravo-ma isa malware, has stix-id "bravo-malware"; insert -(used: $bravo_ma, using: $bravo_id) isa uses, - has stix_id "bravo_uses"; +(used: $bravo-ma, using: $bravo-id) isa uses, + has stix-id "bravo-uses"; #-------------------------------------------------- # Exercise 06 solution: match -{$bravo_1 isa attack_pattern, has stix_id "attack_pattern_bravo";} or -{$bravo_1 isa malware, has stix_id "bravo_malware";} or -{$bravo_1 isa threat_actor, has stix_id "bravo_threat";}; +{$bravo-1 isa attack-pattern, has stix-id "attack-pattern-bravo";} or +{$bravo-1 isa malware, has stix-id "bravo-malware";} or +{$bravo-1 isa threat-actor, has stix-id "bravo-threat";}; -{$bravo_2 isa attack_pattern, has stix_id "attack_pattern_bravo";} or -{$bravo_2 isa malware, has stix_id "bravo_malware";} or -{$bravo_2 isa threat_actor, has stix_id "bravo_threat";}; +{$bravo-2 isa attack-pattern, has stix-id "attack-pattern-bravo";} or +{$bravo-2 isa malware, has stix-id "bravo-malware";} or +{$bravo-2 isa threat-actor, has stix-id "bravo-threat";}; -$new ($bravo_1, $bravo_2) isa uses; +$new ($bravo-1, $bravo-2) isa uses; #-------------------------------------------------- # Exercise 07 solution: match -$e isa external_reference, has url_link $c; +$e isa external-reference, has url-link $c; $e has $eid; -$a isa attack_pattern, has name $d; -$rel (referencing: $a, referenced: $e) isa external_references; sort $d; +$a isa attack-pattern, has name $d; +$rel (referencing: $a, referenced: $e) isa external-references; sort $d; #-------------------------------------------------- # Exercise 08 solution: -# insert new intrusion_set and uses relation +# insert new intrusion-set and uses relation match -$bravo_2 isa malware, has stix_id 
"bravo_malware"; +$bravo-2 isa malware, has stix-id "bravo-malware"; insert -$intrusion isa intrusion_set, has stix_id "bravo_intrusion"; -$bravo_uses (using: $intrusion, used: $bravo_2) isa uses, has stix_id "bravo_uses_3"; +$intrusion isa intrusion-set, has stix-id "bravo-intrusion"; +$bravo-uses (using: $intrusion, used: $bravo-2) isa uses, has stix-id "bravo-uses-3"; -# search for uses between attack_pattern, malware, threat_actor and intrusion_set +# search for uses between attack-pattern, malware, threat-actor and intrusion-set match -{$bravo_1 isa attack_pattern, has stix_id "attack_pattern_bravo";} or -{$bravo_1 isa malware, has stix_id "bravo_malware";} or -{$bravo_1 isa threat_actor, has stix_id "bravo_threat";} or -{$bravo_1 isa intrusion_set, has stix_id "bravo_intrusion";}; +{$bravo-1 isa attack-pattern, has stix-id "attack-pattern-bravo";} or +{$bravo-1 isa malware, has stix-id "bravo-malware";} or +{$bravo-1 isa threat-actor, has stix-id "bravo-threat";} or +{$bravo-1 isa intrusion-set, has stix-id "bravo-intrusion";}; -{$bravo_2 isa attack_pattern, has stix_id "attack_pattern_bravo";} or -{$bravo_2 isa malware, has stix_id "bravo_malware";} or -{$bravo_2 isa threat_actor, has stix_id "bravo_threat";} or -{$bravo_2 isa intrusion_set, has stix_id "bravo_intrusion";}; +{$bravo-2 isa attack-pattern, has stix-id "attack-pattern-bravo";} or +{$bravo-2 isa malware, has stix-id "bravo-malware";} or +{$bravo-2 isa threat-actor, has stix-id "bravo-threat";} or +{$bravo-2 isa intrusion-set, has stix-id "bravo-intrusion";}; -$new ($bravo_1, $bravo_2) isa uses; +$new ($bravo-1, $bravo-2) isa uses; From 02ee9da50e2206afabb07c37b2edc2e56f9d7114 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 18:37:23 +0100 Subject: [PATCH 71/75] change Style --- cyber-threat-intelligence/define-schema.tql | 1772 +++++++++---------- cyber-threat-intelligence/insert-data.tql | 478 ++--- 2 files changed, 1125 insertions(+), 1125 deletions(-) 
diff --git a/cyber-threat-intelligence/define-schema.tql b/cyber-threat-intelligence/define-schema.tql index d598f04..e70ae6f 100644 --- a/cyber-threat-intelligence/define-schema.tql +++ b/cyber-threat-intelligence/define-schema.tql @@ -1,30 +1,30 @@ define -# Based on https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_disnqa06jm5 +# Based on https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#-disnqa06jm5 ### 1 Base Entities ### -stix_entity sub entity, +stix-entity sub entity, abstract; -stix_object sub stix_entity, - owns stix_type, - owns stix_id @key, - owns custom_attribute, +stix-object sub stix-entity, + owns stix-type, + owns stix-id @key, + owns custom-attribute, - plays granular_marking:marking; + plays granular-marking:marking; -stix_core_object sub stix_object, - owns spec_version, +stix-core-object sub stix-object, + owns spec-version, - plays object_marking:marked, - plays created_by:created, - plays derivation:derived_from, + plays object-marking:marked, + plays created-by:created, + plays derivation:derived-from, plays derivation:deriving, - plays duplicate_of:duplicated_object; + plays duplicate-of:duplicated-object; -stix_domain_object sub stix_core_object, +stix-domain-object sub stix-core-object, owns created, owns modified, owns revoked, 
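Review bot: The global underscore-to-hyphen replacement has rewritten a URL fragment in the schema's provenance comment: `# Based on https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#-disnqa06jm5` now points at an anchor that does not exist, because `#_disnqa06jm5` is an HTML id in the OASIS document, not a TypeQL label. Restore the previous line `# Based on https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_disnqa06jm5`. The diffstat (1125 insertions, 1125 deletions across `define-schema.tql` and `insert-data.tql`) suggests a one-for-one substitution, so it is worth checking that no other string literal in `insert-data.tql` (URLs, external IDs, hash values) was altered the same way, as those are data rather than identifiers. Since the example files were renamed to hyphenated types in the preceding commit, the tree at that commit references types this schema does not yet define; squashing the two commits would keep each revision runnable.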
@@ -33,52 +33,52 @@ stix_domain_object sub stix_core_object, owns langs, # Rel - plays sighting:sighting_of, - plays external_references:referencing, + plays sighting:sighting-of, + plays external-references:referencing, # RRel - plays kill_chain_phases:used, - plays sighting:observed_data, - plays external_references:referenced; + plays kill-chain-phases:used, + plays sighting:observed-data, + plays external-references:referenced; -stix_cyber_observable_object sub stix_core_object, +stix-cyber-observable-object sub stix-core-object, owns defanged, # Rel - plays external_references:referencing, - plays contains_ref:containing, + plays external-references:referencing, + plays contains-ref:containing, # RRel - plays external_references:referenced; + plays external-references:referenced; -stix_sub_object sub stix_entity, +stix-sub-object sub stix-entity, owns created, owns modified, - plays granular_marking:marking; + plays granular-marking:marking; ### 2 Data Types ### -external_reference sub stix_sub_object, - owns source_name, +external-reference sub stix-sub-object, + owns source-name, owns description, - owns url_link, - owns external_id, + owns url-link, + owns external-id, - plays hashes:hashes_owner, - plays external_references:referenced; + plays hashes:hashes-owner, + plays external-references:referenced; -kill_chain_phase sub stix_sub_object, - owns kill_chain_name, - owns kill_chain_phase_name, +kill-chain-phase sub stix-sub-object, + owns kill-chain-name, + owns kill-chain-phase-name, - plays kill_chain_phases:using; + plays kill-chain-phases:using; ### 3 SDOs ### -attack_pattern sub stix_domain_object, +attack-pattern sub stix-domain-object, owns name, owns description, owns aliases, 
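Review bot: `stix-sub-object` is declared with `plays granular-marking:marking;` (as is `stix-object` in the previous hunk), which is the marking side of the relation, while everywhere else in this file the object being marked plays `marked` (`stix-core-object plays object-marking:marked`) and the marking definition plays `marking` (`marking-definition plays data-marking:marking`). In the hunks visible in this patch nothing plays `granular-marking:marked`, so a granular marking can only be attached with the STIX object standing in as the marking itself; unless the missing role-player is declared beyond what this patch shows, the intended line is probably `plays granular-marking:marked;` on both base types. This matters for a CTI store because TLP/handling markings are what consumers use to decide what may be shared, so a marking that cannot be attached to its object is effectively dropped.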
@@ -93,25 +93,25 @@ attack_pattern sub stix_domain_object, plays uses:used, plays mitigates:mitigated; -campaign sub stix_domain_object, +campaign sub stix-domain-object, owns name, owns description, owns aliases, - owns first_seen, - owns last_seen, + owns first-seen, + owns last-seen, owns objective, # Rel plays targets:targeting, - plays attributed_to:attributing, + plays attributed-to:attributing, plays uses:using, plays compromises:compromising, - plays originates_from:originating, + plays originates-from:originating, # RRel plays indicates:indicated; -course_of_action sub stix_domain_object, +course-of-action sub stix-domain-object, owns name, owns description, owns action, @@ -121,31 +121,31 @@ course_of_action sub stix_domain_object, plays mitigates:mitigating, plays remediates:remediating; -grouping sub stix_domain_object, +grouping sub stix-domain-object, owns name, owns description, owns context; -identity sub stix_domain_object, +identity sub stix-domain-object, owns name, owns description, - owns stix_role, - owns identity_class, + owns stix-role, + owns identity-class, owns sector, - owns contact_information, + owns contact-information, - plays created_by:creator, + plays created-by:creator, # Rel - plays located_at:locating, + plays located-at:locating, plays uses:using, # RRel plays uses:used, plays targets:targeted, - plays attributed_to:attributed, + plays attributed-to:attributed, plays impersonates:impersonated; individual sub identity; 
@@ -153,115 +153,115 @@ group sub identity; system sub identity; organization sub identity; class sub identity; -id_unknown sub identity; +id-unknown sub identity; -incident sub stix_domain_object, +incident sub stix-domain-object, owns name, owns description; -indicator sub stix_domain_object, +indicator sub stix-domain-object, owns name, owns description, - owns indicator_type, + owns indicator-type, owns pattern, - owns pattern_type, - owns pattern_version, - owns valid_from, - owns valid_until, + owns pattern-type, + owns pattern-version, + owns valid-from, + owns valid-until, # Rel plays indicates:indicating, - plays based_on:basing, + plays based-on:basing, # RRel plays investigates:investigated, plays mitigates:mitigated; -infrastructure sub stix_domain_object, +infrastructure sub stix-domain-object, owns name, owns description, - owns infrastructure_types, + owns infrastructure-types, owns aliases, - owns first_seen, - owns last_seen, + owns first-seen, + owns last-seen, # Rel plays delivers:delivering, plays uses:using, - plays located_at:locating, - plays communicates_with:communicating, - plays consist_of:consisting, + plays located-at:locating, + plays communicates-with:communicating, + plays consist-of:consisting, plays controls:controlling, plays have:having, plays hosts:hosting, # RRel plays controls:controlled, - plays communicates_with:communicated, + plays communicates-with:communicated, plays compromises:compromised, plays indicates:indicated, plays uses:used, plays targets:targeted, plays hosts:hosted, - plays beacons_to:beaconed_to, - plays exfiltrates_to:exfiltrated_to, + plays beacons-to:beaconed-to, + plays exfiltrates-to:exfiltrated-to, plays ownerships:owned; -intrusion_set sub stix_domain_object, +intrusion-set sub stix-domain-object, owns name, owns description, owns aliases, - owns first_seen, - owns last_seen, + owns first-seen, + owns last-seen, owns goals, owns sophistication, - owns resource_level, - owns primary_motivation, - owns 
secondary_motivations, + owns resource-level, + owns primary-motivation, + owns secondary-motivations, # Rel plays targets:targeting, plays uses:using, - plays attributed_to:attributing, + plays attributed-to:attributing, plays compromises:compromising, - plays originates_from:originating, + plays originates-from:originating, plays hosts:hosting, plays ownerships:owning, # RRel plays indicates:indicated, - plays attributed_to:attributed, - plays authored_by:authored; + plays attributed-to:attributed, + plays authored-by:authored; -malware sub stix_domain_object, +malware sub stix-domain-object, owns name, owns description, - owns malware_types, - owns is_family, + owns malware-types, + owns is-family, owns aliases, - owns first_seen, - owns last_seen, - owns architecture_execution_envs, - owns implementation_languages, + owns first-seen, + owns last-seen, + owns architecture-execution-envs, + owns implementation-languages, owns capabilities, # Rel plays targets:targeting, plays uses:using, - plays originates_from:originating, + plays originates-from:originating, plays controls:controlling, plays hosts:hosting, - plays authored_by:authoring, - plays beacons_to:beaconing_to, - plays exfiltrates_to:exfiltrating_to, + plays authored-by:authoring, + plays beacons-to:beaconing-to, + plays exfiltrates-to:exfiltrating-to, plays downloads:downloading, plays drops:dropping, plays exploits:exploiting, - plays variant_of:varianted_from, - plays communicates_with:communicating, + plays variant-of:varianted-from, + plays communicates-with:communicating, # RRel - plays attributed_to:attributed, + plays attributed-to:attributed, plays controls:controlled, plays remediates:remediated, plays mitigates:mitigated, 
@@ -270,13 +270,13 @@ malware sub stix_domain_object,
 plays indicates:indicated,
 plays downloads:downloaded,
 plays drops:dropped,
- plays variant_of:varianted,
+ plays variant-of:varianted,
 plays characterizes:characterized,
- plays analysis_of:analysed,
- plays static_analysis_of:analysed,
- plays dynamic_analysis_of:analysed;
+ plays analysis-of:analysed,
+ plays static-analysis-of:analysed,
+ plays dynamic-analysis-of:analysed;
-location sub stix_domain_object,
+location sub stix-domain-object,
 owns name,
 owns description,
 owns latitude,
@@ -284,99 +284,99 @@ location sub stix_domain_object, owns precision, owns region, owns country, - owns administrative_area, + owns administrative-area, owns city, - owns street_address, - owns postal_code, + owns street-address, + owns postal-code, # RRel plays targets:targeted, - plays originates_from:originated, - plays located_at:located; + plays originates-from:originated, + plays located-at:located; -malware_analysis sub stix_domain_object, +malware-analysis sub stix-domain-object, owns product, owns version, - owns configuration_version, + owns configuration-version, owns module, - owns analysis_engine_version, - owns analysis_definition_version, + owns analysis-engine-version, + owns analysis-definition-version, owns submitted, - owns analysis_started, - owns analysis_ended, - owns result_name, + owns analysis-started, + owns analysis-ended, + owns result-name, owns result, # Rel plays characterizes:characterizing, - plays analysis_of:analysing, - plays static_analysis_of:analysing, - plays dynamic_analysis_of:analysing; + plays analysis-of:analysing, + plays static-analysis-of:analysing, + plays dynamic-analysis-of:analysing; -note sub stix_domain_object, - owns note_abstract, +note sub stix-domain-object, + owns note-abstract, owns content, owns authors; -opinion sub stix_domain_object, +opinion sub stix-domain-object, owns explanation, owns authors, - owns opinion_enum; + owns opinion-enum; -observed_data sub stix_domain_object, - owns first_observed, - owns last_observed, - owns number_observed, +observed-data sub stix-domain-object, + owns first-observed, + owns last-observed, + owns number-observed, # RRel - plays based_on:based, - plays consist_of:consisted; + plays based-on:based, + plays consist-of:consisted; -report sub stix_domain_object, +report sub stix-domain-object, owns name, owns description, - owns report_type, + owns report-type, owns published; -threat_actor sub stix_domain_object, +threat-actor sub stix-domain-object, owns name, owns 
description, owns aliases, - owns stix_role, - owns first_seen, - owns last_seen, + owns stix-role, + owns first-seen, + owns last-seen, owns goals, - owns resource_level, - owns primary_motivation, - owns secondary_motivations, + owns resource-level, + owns primary-motivation, + owns secondary-motivations, owns sophistication, - owns personal_characteristics, + owns personal-characteristics, owns roles, - owns threat_actor_types, + owns threat-actor-types, # Rel plays targets:targeting, plays uses:using, - plays attributed_to:attributing, + plays attributed-to:attributing, plays compromises:compromising, - plays located_at:locating, + plays located-at:locating, plays impersonates:impersonating, plays hosts:hosting, plays ownerships:owning, # RRel - plays attributed_to:attributed, + plays attributed-to:attributed, plays indicates:indicated, - plays authored_by:authored; + plays authored-by:authored; -tool sub stix_domain_object, +tool sub stix-domain-object, owns name, owns description, - owns tool_types, + owns tool-types, owns aliases, - owns first_seen, - owns last_seen, - owns tool_version, + owns first-seen, + owns last-seen, + owns tool-version, # Rel plays delivers:delivering, @@ -393,12 +393,12 @@ tool sub stix_domain_object, plays downloads:downloaded, plays drops:dropped; -custom_object sub stix_domain_object, +custom-object sub stix-domain-object, owns name, owns description, owns aliases, - owns first_seen, - owns last_seen, + owns first-seen, + owns last-seen, owns objective, # Rel @@ -410,7 +410,7 @@ custom_object sub stix_domain_object, plays uses:used, plays mitigates:mitigated; -vulnerability sub stix_domain_object, +vulnerability sub stix-domain-object, owns name, owns description, 
@@ -422,13 +422,13 @@ vulnerability sub stix_domain_object,
 plays exploits:exploited;
 ### 5 SROs ###
-stix_core_relationship sub relation,
+stix-core-relationship sub relation,
 # Required
- owns spec_version,
- owns stix_id @key,
+ owns spec-version,
+ owns stix-id @key,
 owns created,
 owns modified,
- owns stix_type,
+ owns stix-type,
 # Optional
 owns description,
@@ -436,128 +436,128 @@ stix_core_relationship sub relation, owns labels, owns confidence, owns langs, - owns custom_attribute, + owns custom-attribute, relates source, relates target, - plays created_by:created, - plays granular_marking:marking, - plays external_references:referenced; + plays created-by:created, + plays granular-marking:marking, + plays external-references:referenced; -delivers sub stix_core_relationship, +delivers sub stix-core-relationship, relates delivering as source, relates delivered as target; -targets sub stix_core_relationship, +targets sub stix-core-relationship, relates targeting as source, relates targeted as target; -attributed_to sub stix_core_relationship, +attributed-to sub stix-core-relationship, relates attributing as source, relates attributed as target; -uses sub stix_core_relationship, +uses sub stix-core-relationship, relates using as source, relates used as target; -indicates sub stix_core_relationship, +indicates sub stix-core-relationship, relates indicating as source, relates indicated as target; -compromises sub stix_core_relationship, +compromises sub stix-core-relationship, relates compromising as source, relates compromised as target; -originates_from sub stix_core_relationship, +originates-from sub stix-core-relationship, relates originating as source, relates originated as target; -investigates sub stix_core_relationship, +investigates sub stix-core-relationship, relates investigating as source, relates investigated as target; -mitigates sub stix_core_relationship, +mitigates sub stix-core-relationship, relates mitigating as source, relates mitigated as target; -remediates sub stix_core_relationship, +remediates sub stix-core-relationship, relates remediating as source, relates remediated as target; -located_at sub stix_core_relationship, +located-at sub stix-core-relationship, relates locating as source, relates located as target; -impersonates sub stix_core_relationship, +impersonates sub stix-core-relationship, 
relates impersonating as source, relates impersonated as target; -based_on sub stix_core_relationship, +based-on sub stix-core-relationship, relates basing as source, relates based as target; -communicates_with sub stix_core_relationship, +communicates-with sub stix-core-relationship, relates communicating as source, relates communicated as target; -consist_of sub stix_core_relationship, +consist-of sub stix-core-relationship, relates consisting as source, relates consisted as target; -controls sub stix_core_relationship, +controls sub stix-core-relationship, relates controlling as source, relates controlled as target; -have sub stix_core_relationship, +have sub stix-core-relationship, relates having as source, relates had as target; -hosts sub stix_core_relationship, +hosts sub stix-core-relationship, relates hosting as source, relates hosted as target; -authored_by sub stix_core_relationship, +authored-by sub stix-core-relationship, relates authoring as source, relates authored as target; -beacons_to sub stix_core_relationship, - relates beaconing_to as source, - relates beaconed_to as target; +beacons-to sub stix-core-relationship, + relates beaconing-to as source, + relates beaconed-to as target; -exfiltrates_to sub stix_core_relationship, - relates exfiltrating_to as source, - relates exfiltrated_to as target; +exfiltrates-to sub stix-core-relationship, + relates exfiltrating-to as source, + relates exfiltrated-to as target; -downloads sub stix_core_relationship, +downloads sub stix-core-relationship, relates downloading as source, relates downloaded as target; -drops sub stix_core_relationship, +drops sub stix-core-relationship, relates dropping as source, relates dropped as target; -exploits sub stix_core_relationship, +exploits sub stix-core-relationship, relates exploiting as source, relates exploited as target; -variant_of sub stix_core_relationship, - relates varianted_from as source, +variant-of sub stix-core-relationship, + relates varianted-from as 
source, relates varianted as target; -characterizes sub stix_core_relationship, +characterizes sub stix-core-relationship, relates characterizing as source, relates characterized as target; -analysis sub stix_core_relationship, +analysis sub stix-core-relationship, relates analysing as source, relates analysed as target; -analysis_of sub analysis; -static_analysis_of sub analysis; -dynamic_analysis_of sub analysis; +analysis-of sub analysis; +static-analysis-of sub analysis; +dynamic-analysis-of sub analysis; -ownerships sub stix_core_relationship, +ownerships sub stix-core-relationship, relates owning as source, relates owned as target; 
@@ -565,384 +565,384 @@ ref sub relation, relates source, relates target; -from_ref sub ref; -sender_ref sub ref; -raw_email_ref sub ref; -body_raw_ref sub ref; -parent_directory_ref sub ref; -content_ref sub ref; -optional_header sub ref, +from-ref sub ref; +sender-ref sub ref; +raw-email-ref sub ref; +body-raw-ref sub ref; +parent-directory-ref sub ref; +content-ref sub ref; +optional-header sub ref, relates from as source; -belongs_to_ref sub ref; -src_ref sub ref; -dst_ref sub ref; -src_payload_ref sub ref; -dst_payload_ref sub ref; -encapsulated_by_ref sub ref; -massage_body_data_ref sub ref; -creator_user_ref sub ref; -image_ref sub ref; -parent_ref sub ref; -message_body_data_ref sub ref, +belongs-to-ref sub ref; +src-ref sub ref; +dst-ref sub ref; +src-payload-ref sub ref; +dst-payload-ref sub ref; +encapsulated-by-ref sub ref; +massage-body-data-ref sub ref; +creator-user-ref sub ref; +image-ref sub ref; +parent-ref sub ref; +message-body-data-ref sub ref, relates from as source; derivation sub relation, - relates derived_from, + relates derived-from, relates deriving; -duplicate_of sub relation, - relates duplicated_object; +duplicate-of sub relation, + relates duplicated-object; -sighting sub stix_core_relationship, - owns first_seen, - owns last_seen, +sighting sub stix-core-relationship, + owns first-seen, + owns last-seen, owns count, owns summary, - relates sighting_of, - relates observed_data; + relates sighting-of, + relates observed-data; ### 6 SCOs ### -artifact sub stix_cyber_observable_object, - owns mime_type, - owns payload_bin, - owns url_link, - owns encryption_algorithm, - owns decryption_key, +artifact sub stix-cyber-observable-object, + owns mime-type, + owns payload-bin, + owns url-link, + owns encryption-algorithm, + owns decryption-key, # RRel - plays body_raw_ref:target, - plays raw_email_ref:target, - plays content_ref:target, - plays message_body_data_ref:target; + plays body-raw-ref:target, + plays raw-email-ref:target, + plays 
content-ref:target, + plays message-body-data-ref:target; -autonomous_system sub stix_cyber_observable_object, +autonomous-system sub stix-cyber-observable-object, owns number, owns name, owns rir, # RRel - plays belongs_to_refs:belonging; + plays belongs-to-refs:belonging; -directory sub stix_cyber_observable_object, +directory sub stix-cyber-observable-object, owns path, - owns path_enc, + owns path-enc, owns ctime, owns mtime, owns atime, # Rel - plays contains_ref:contained, + plays contains-ref:contained, # RRel - plays parent_directory_ref:target; + plays parent-directory-ref:target; -domain_name sub stix_cyber_observable_object, - owns stix_value, +domain-name sub stix-cyber-observable-object, + owns stix-value, # Rel - plays resolves_to_refs:resolved, + plays resolves-to-refs:resolved, # RRel - plays resolves_to_refs:resolving, - plays communicates_with:communicated; + plays resolves-to-refs:resolving, + plays communicates-with:communicated; -email_addr sub stix_cyber_observable_object, - owns stix_value, - owns display_name, +email-addr sub stix-cyber-observable-object, + owns stix-value, + owns display-name, # Rel - plays belongs_to_ref:source, + plays belongs-to-ref:source, # RRel - plays from_ref:target, - plays sender_ref:target, - plays to_refs:to, - plays cc_refs:to, - plays bcc_refs:to; - -email_message sub stix_cyber_observable_object, - owns is_multipart, + plays from-ref:target, + plays sender-ref:target, + plays to-refs:to, + plays cc-refs:to, + plays bcc-refs:to; + +email-message sub stix-cyber-observable-object, + owns is-multipart, owns date, - owns content_type, - owns message_id, + owns content-type, + owns message-id, owns subject, owns body, # Rel - plays from_ref:source, - plays sender_ref:source, - plays to_refs:from, - plays cc_refs:from, - plays bcc_refs:from, - plays received_lines:owner, - plays body_multipart:to, - plays raw_email_ref:source; + plays from-ref:source, + plays sender-ref:source, + plays to-refs:from, + plays 
cc-refs:from, + plays bcc-refs:from, + plays received-lines:owner, + plays body-multipart:to, + plays raw-email-ref:source; -email_mime_part sub stix_sub_object, +email-mime-part sub stix-sub-object, owns body, - owns content_type, - owns content_disposition, + owns content-type, + owns content-disposition, # Rel - plays body_raw_ref:source, + plays body-raw-ref:source, # RRel - plays body_multipart:from; + plays body-multipart:from; -file sub stix_cyber_observable_object, +file sub stix-cyber-observable-object, owns size, owns name, - owns name_enc, - owns magic_number_hex, - owns mime_type, + owns name-enc, + owns magic-number-hex, + owns mime-type, owns ctime, owns mtime, owns atime, # Rel - plays hashes:hashes_owner, - plays parent_directory_ref:source, - plays contains_ref:contained, - plays content_ref:source, + plays hashes:hashes-owner, + plays parent-directory-ref:source, + plays contains-ref:contained, + plays content-ref:source, # RRel plays downloads:downloaded, - plays body_raw_ref:target, - plays image_ref:target, - plays service_dll_refs:to; + plays body-raw-ref:target, + plays image-ref:target, + plays service-dll-refs:to; -archive_ext sub file, +archive-ext sub file, owns comment; -ntfs_ext sub file, +ntfs-ext sub file, owns sid, # Rel - plays alternate_data_streams:from; + plays alternate-data-streams:from; -alternate_data_stream sub file, +alternate-data-stream sub file, # RRel - plays alternate_data_streams:to; + plays alternate-data-streams:to; -pdf_ext sub stix_cyber_observable_object, +pdf-ext sub stix-cyber-observable-object, owns version, - owns is_optimized, + owns is-optimized, owns pdfid0, owns pdfid1, # Rel - plays document_info_dict:document_owner; + plays document-info-dict:document-owner; -raster_image_ext sub file, - owns image_height, - owns image_width, - owns bits_per_pixel, +raster-image-ext sub file, + owns image-height, + owns image-width, + owns bits-per-pixel, # Rel - plays exif_tags:exif_owner; + plays exif-tags:exif-owner; 
-windows_pebinary_ext sub file, - owns pe_type, +windows-pebinary-ext sub file, + owns pe-type, owns imphash, - owns machine_hex, - owns number_of_sections, - owns time_date_stamp, - owns pointer_to_symbol_table_hex, - owns number_of_symbols, - owns size_of_optional_header, - owns characterstics_hex, + owns machine-hex, + owns number-of-sections, + owns time-date-stamp, + owns pointer-to-symbol-table-hex, + owns number-of-symbols, + owns size-of-optional-header, + owns characterstics-hex, # Rel - plays optional_header:from, + plays optional-header:from, plays sections:from; -windows_pe_optional_header_type sub entity, - owns magic_hex, - owns major_linker_version, - owns minor_linker_version, - owns size_of_code, - owns size_of_initialized_data, - owns size_ofuninitialized_data, - owns address_of_entry_point, - owns base_of_code, - owns base_of_data, - owns image_base, - owns section_alignment, - owns file_alignment, - owns major_os_version, - owns minor_os_version, - owns major_image_version, - owns minor_image_version, - owns major_subsystem_version, - owns minor_subsystem_version, - owns win32_version_value_hex, - owns size_of_image, - owns size_of_headers, - owns checksum_hex, - owns subsystem_hex, - owns dll_characteristics_hex, - owns size_of_stack_reserve, - owns size_of_stack_commit, - owns size_of_heap_reserve, - owns size_of_heap_commit, - owns loader_flags_hex, - owns number_of_rva_and_sizes, +windows-pe-optional-header-type sub entity, + owns magic-hex, + owns major-linker-version, + owns minor-linker-version, + owns size-of-code, + owns size-of-initialized-data, + owns size-ofuninitialized-data, + owns address-of-entry-point, + owns base-of-code, + owns base-of-data, + owns image-base, + owns section-alignment, + owns file-alignment, + owns major-os-version, + owns minor-os-version, + owns major-image-version, + owns minor-image-version, + owns major-subsystem-version, + owns minor-subsystem-version, + owns win32-version-value-hex, + owns 
size-of-image, + owns size-of-headers, + owns checksum-hex, + owns subsystem-hex, + owns dll-characteristics-hex, + owns size-of-stack-reserve, + owns size-of-stack-commit, + owns size-of-heap-reserve, + owns size-of-heap-commit, + owns loader-flags-hex, + owns number-of-rva-and-sizes, # Rel - plays hashes:hashes_owner, + plays hashes:hashes-owner, # RRel - plays optional_header:target; + plays optional-header:target; -windows_pe_section sub entity, +windows-pe-section sub entity, owns name, owns size, owns entropy, # Rel - plays hashes:hashes_owner, + plays hashes:hashes-owner, # RRel plays sections:to; -ipv4_address sub stix_cyber_observable_object, - owns stix_value, +ipv4-address sub stix-cyber-observable-object, + owns stix-value, # Rel - plays resolves_to_refs:resolved, - plays belongs_to_refs:belonged, + plays resolves-to-refs:resolved, + plays belongs-to-refs:belonged, # RRel - plays resolves_to_refs:resolving, - plays communicates_with:communicated; + plays resolves-to-refs:resolving, + plays communicates-with:communicated; -ipv6_address sub stix_cyber_observable_object, - owns stix_value, +ipv6-address sub stix-cyber-observable-object, + owns stix-value, # Rel - plays resolves_to_refs:resolved, - plays belongs_to_refs:belonged, + plays resolves-to-refs:resolved, + plays belongs-to-refs:belonged, # RRel - plays resolves_to_refs:resolving, - plays communicates_with:communicated; + plays resolves-to-refs:resolving, + plays communicates-with:communicated; -mac_addr sub stix_cyber_observable_object, - owns stix_value, +mac-addr sub stix-cyber-observable-object, + owns stix-value, # RRel - plays resolves_to_refs:resolving; + plays resolves-to-refs:resolving; -mutex sub stix_cyber_observable_object, +mutex sub stix-cyber-observable-object, owns name; -network_traffic sub stix_cyber_observable_object, +network-traffic sub stix-cyber-observable-object, owns start, owns end, - owns is_active, - owns src_port, - owns dst_port, + owns is-active, + owns src-port, + 
owns dst-port, # Rel - plays src_ref:source, - plays dst_ref:source, - plays src_payload_ref:source, - plays dst_payload_ref:source, - plays encapsulated_by_ref:source, + plays src-ref:source, + plays dst-ref:source, + plays src-payload-ref:source, + plays dst-payload-ref:source, + plays encapsulated-by-ref:source, plays protocols:from, - plays ipfix:ipfix_owner, - plays encapsulates_refs:encapsulated, + plays ipfix:ipfix-owner, + plays encapsulates-refs:encapsulated, # RRel - plays encapsulates_refs:encapsulating, - plays encapsulated_by_ref:target, - plays opened_connection_refs:opening; + plays encapsulates-refs:encapsulating, + plays encapsulated-by-ref:target, + plays opened-connection-refs:opening; -http_request_ext sub network_traffic, - owns request_method, - owns request_value, - owns request_version, - owns message_body_length, +http-request-ext sub network-traffic, + owns request-method, + owns request-value, + owns request-version, + owns message-body-length, # Rel - plays request_header:header_owner, - plays message_body_data_ref:from; + plays request-header:header-owner, + plays message-body-data-ref:from; -icmp_ext sub network_traffic, - owns icmp_type_hex, - owns icmp_code_hex; +icmp-ext sub network-traffic, + owns icmp-type-hex, + owns icmp-code-hex; -socket_ext sub network_traffic, - owns address_family, - owns is_blocking, - owns is_listening, - owns socket_type, - owns socket_descriptor, - owns socket_handle, +socket-ext sub network-traffic, + owns address-family, + owns is-blocking, + owns is-listening, + owns socket-type, + owns socket-descriptor, + owns socket-handle, # Rel - plays options:options_owner; + plays options:options-owner; -tcp_ext sub network_traffic, - owns src_flags_hex, - owns dst_flags_hex; +tcp-ext sub network-traffic, + owns src-flags-hex, + owns dst-flags-hex; -process sub stix_cyber_observable_object, - owns is_hidden, +process sub stix-cyber-observable-object, + owns is-hidden, owns pid, - owns created_time, + owns 
created-time, owns cwd, - owns command_line, + owns command-line, # Rel - plays environment_variables:variables_owner, - plays opened_connection_refs:opened, - plays creator_user_ref:source, - plays image_ref:source, - plays parent_ref:source, - plays child_refs:parent, + plays environment-variables:variables-owner, + plays opened-connection-refs:opened, + plays creator-user-ref:source, + plays image-ref:source, + plays parent-ref:source, + plays child-refs:parent, # RRel - plays parent_ref:target, - plays child_refs:child; + plays parent-ref:target, + plays child-refs:child; -windows_process_ext sub process, - owns aslr_enabled, - owns dep_enabled, +windows-process-ext sub process, + owns aslr-enabled, + owns dep-enabled, owns priority, - owns owner_sid, - owns window_title, - owns integrity_level, + owns owner-sid, + owns window-title, + owns integrity-level, # Rel - plays startup_info:info_owner; - -windows_service_ext sub process, - owns service_name, - owns display_name, - owns group_name, - owns start_type, - owns service_type, - owns service_status, + plays startup-info:info-owner; + +windows-service-ext sub process, + owns service-name, + owns display-name, + owns group-name, + owns start-type, + owns service-type, + owns service-status, owns descriptions, # Rel - plays service_dll_refs:from; + plays service-dll-refs:from; -software sub stix_cyber_observable_object, +software sub stix-cyber-observable-object, owns name, owns spe, owns swid, 
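Review bot: `massage-body-data-ref sub ref;` carries the old typo into the new naming and sits right next to `message-body-data-ref sub ref, relates from as source;`, which is the relation `http-request-ext` and `artifact` actually play; nothing in the hunks visible here plays `massage-body-data-ref`, so it is a dead type that should simply be deleted rather than renamed. The same applies to `owns size-ofuninitialized-data,` (missing hyphen, `size-of-uninitialized-data`) and `owns characterstics-hex,` (`characteristics-hex`): a patch that is already rewriting every label is the cheapest moment to fix spelling, before data is inserted against these attribute names and a later rename needs a migration. Separately, `artifact` owns `decryption-key` as an ordinary attribute; I would add `# decryption-key holds key material for an encrypted payload-bin; treat as sensitive and restrict read access` at the declaration so consumers of this graph do not handle it like any other metadata.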
@@ -950,125 +950,125 @@ software sub stix_cyber_observable_object, owns version, owns languages; -url sub stix_cyber_observable_object, - owns stix_value, +url sub stix-cyber-observable-object, + owns stix-value, # RRel - plays communicates_with:communicated; + plays communicates-with:communicated; -user_account sub stix_cyber_observable_object, - owns user_id, +user-account sub stix-cyber-observable-object, + owns user-id, owns credential, - owns account_login, - owns account_type, - owns display_name, - owns is_service_account, - owns is_privileged, - owns can_escalate_privs, - owns is_disabled, - owns account_created, - owns account_expires, - owns credential_last_changed, - owns account_first_login, - owns account_last_login, + owns account-login, + owns account-type, + owns display-name, + owns is-service-account, + owns is-privileged, + owns can-escalate-privs, + owns is-disabled, + owns account-created, + owns account-expires, + owns credential-last-changed, + owns account-first-login, + owns account-last-login, # RRel - plays belongs_to_ref:target, - plays creator_user_ref:target; + plays belongs-to-ref:target, + plays creator-user-ref:target; -unix_account_ext sub user_account, +unix-account-ext sub user-account, owns gid, - owns home_dir, + owns home-dir, owns shell, owns groups; -windows_registry_key sub stix_cyber_observable_object, - owns attribute_key, - owns modified_time, - owns number_subkeys, +windows-registry-key sub stix-cyber-observable-object, + owns attribute-key, + owns modified-time, + owns number-subkeys, # Rel plays values:from, - plays creator_user_ref:source; + plays creator-user-ref:source; -windows_registry_value_type sub stix_cyber_observable_object, +windows-registry-value-type sub stix-cyber-observable-object, owns name, owns data, - owns data_type, + owns data-type, # RRel plays values:to; -x509_certificate sub stix_cyber_observable_object, - owns is_self_signed, +x509-certificate sub stix-cyber-observable-object, + owns 
is-self-signed, owns version, - owns serial_number, - owns signature_algorithm, + owns serial-number, + owns signature-algorithm, owns issuer, - owns validity_not_before, - owns validity_not_after, + owns validity-not-before, + owns validity-not-after, owns subject, - owns subject_public_key_algorithm, - owns subject_public_key_modulus, - owns subject_public_key_exponent, + owns subject-public-key-algorithm, + owns subject-public-key-modulus, + owns subject-public-key-exponent, # Rel - plays hashes:hashes_owner; - -x509_v3_extensions sub x509_certificate, - owns basic_constraints, - owns name_constraints, - owns policy_constraints, - owns key_usage, - owns extended_key_usage, - owns subject_key_identifier, - owns authority_key_identifier, - owns subject_alternative_name, - owns issuer_alternative_name, - owns subject_directory_attributes, - owns crl_distribution_points, - owns inhibit_any_policy, - owns private_key_usage_period_not_before, - owns private_key_usage_period_not_after, - owns certificate_policies, - owns policy_mappings; - -marking_definition sub stix_object, + plays hashes:hashes-owner; + +x509-v3-extensions sub x509-certificate, + owns basic-constraints, + owns name-constraints, + owns policy-constraints, + owns key-usage, + owns extended-key-usage, + owns subject-key-identifier, + owns authority-key-identifier, + owns subject-alternative-name, + owns issuer-alternative-name, + owns subject-directory-attributes, + owns crl-distribution-points, + owns inhibit-any-policy, + owns private-key-usage-period-not-before, + owns private-key-usage-period-not-after, + owns certificate-policies, + owns policy-mappings; + +marking-definition sub stix-object, owns created, owns modified, owns name, - owns spec_version, + owns spec-version, - plays created_by:created, - plays data_marking:marking, - plays external_references:referencing; + plays created-by:created, + plays data-marking:marking, + plays external-references:referencing; -statement_marking sub 
marking_definition, +statement-marking sub marking-definition, owns statement; -tlp_marking sub marking_definition, +tlp-marking sub marking-definition, owns color; list sub relation, - relates list_item, + relates list-item, relates owner; -linked_list sub list, - plays first_element:list, - plays last_element:list, - plays list_element:list; +linked-list sub list, + plays first-element:list, + plays last-element:list, + plays list-element:list; -first_element sub relation, +first-element sub relation, relates first, relates list; -last_element sub relation, +last-element sub relation, relates last, relates list; -list_element sub relation, +list-element sub relation, relates element, relates list; 
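Review bot: `user-account` owns `credential` as a plain, undocumented attribute; per the STIX 2.1 spec this property is a cleartext credential meant only for capturing malware-analysis metadata and not for sharing PII, and a database populated from third-party feeds will store whatever those feeds put there. Suggest a comment at the declaration such as `# credential is cleartext per STIX 2.1 (malware-analysis metadata only); do not load real account secrets and gate read access to this attribute`, and the same note on `decryption-key` in `artifact` in the previous hunk. The rest of this hunk (`unix-account-ext`, `windows-registry-key`, `x509-*`, markings, list types) is a mechanical rename.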
@@ -1080,537 +1080,537 @@ node sub relation, plays node:next, # RRel - plays list_element:element, - plays last_element:last, - plays first_element:first; + plays list-element:element, + plays last-element:last, + plays first-element:first; dict sub relation, - relates dict_item, + relates dict-item, relates owner, - owns key_abstract, + owns key-abstract, abstract; hashes sub dict, - relates hash_value as dict_item, - relates hashes_owner as owner, - owns hash_algorithm as key_abstract; + relates hash-value as dict-item, + relates hashes-owner as owner, + owns hash-algorithm as key-abstract; -document_info_dict sub dict, - relates document_info as dict_item, - relates document_owner as owner, - owns key as key_abstract; +document-info-dict sub dict, + relates document-info as dict-item, + relates document-owner as owner, + owns key as key-abstract; -exif_tags sub dict, - relates exif_tag as dict_item, - relates exif_owner as owner, - owns key as key_abstract; +exif-tags sub dict, + relates exif-tag as dict-item, + relates exif-owner as owner, + owns key as key-abstract; ipfix sub dict, - relates ipfix_field as dict_item, - relates ipfix_owner as owner, - owns key as key_abstract; + relates ipfix-field as dict-item, + relates ipfix-owner as owner, + owns key as key-abstract; -request_header sub dict, - relates header as dict_item, - relates header_owner as owner, - owns key as key_abstract; +request-header sub dict, + relates header as dict-item, + relates header-owner as owner, + owns key as key-abstract; options sub dict, - relates option as dict_item, - relates options_owner as owner, - owns key as key_abstract; - -environment_variables sub dict, - relates variable as dict_item, - relates variables_owner as owner, - owns key as key_abstract; - -startup_info sub dict, - relates info as dict_item, - relates info_owner as owner, - owns key as key_abstract; - -additional_header_fields sub relation, - relates dict_item, + relates option as dict-item, + relates 
options-owner as owner, + owns key as key-abstract; + +environment-variables sub dict, + relates variable as dict-item, + relates variables-owner as owner, + owns key as key-abstract; + +startup-info sub dict, + relates info as dict-item, + relates info-owner as owner, + owns key as key-abstract; + +additional-header-fields sub relation, + relates dict-item, relates owner, - plays header_fields:owner, + plays header-fields:owner, owns key; -header_fields sub list, - plays additional_header_fields:dict_item; +header-fields sub list, + plays additional-header-fields:dict-item; -external_references sub list, - relates referencing as list_item, +external-references sub list, + relates referencing as list-item, relates referenced as owner; -kill_chain_phases sub list, - relates using as list_item, +kill-chain-phases sub list, + relates using as list-item, relates used as owner; -data_marking sub list, - relates marking as list_item, +data-marking sub list, + relates marking as list-item, relates marked as owner, - plays granular_marking:marking; + plays granular-marking:marking; -object_marking sub list, - relates marking as list_item, +object-marking sub list, + relates marking as list-item, relates marked as owner; -granular_marking sub list, - relates marking as list_item, +granular-marking sub list, + relates marking as list-item, relates marked as owner; -created_by sub list, - relates creator as list_item, +created-by sub list, + relates creator as list-item, relates created as owner; -resolves_to_refs sub list, - relates resolving as list_item, +resolves-to-refs sub list, + relates resolving as list-item, relates resolved as owner; -belongs_to_refs sub list, - relates belonging as list_item, +belongs-to-refs sub list, + relates belonging as list-item, relates belonged as owner; -contains_ref sub list, - relates containing as list_item, +contains-ref sub list, + relates containing as list-item, relates contained as owner; -to_refs sub list, - relates to as 
list_item, +to-refs sub list, + relates to as list-item, relates from as owner; -cc_refs sub list, - relates to as list_item, +cc-refs sub list, + relates to as list-item, relates from as owner; -bcc_refs sub list, - relates to as list_item, +bcc-refs sub list, + relates to as list-item, relates from as owner; -body_multipart sub list, - relates to as list_item, +body-multipart sub list, + relates to as list-item, relates from as owner; -alternate_data_streams sub list, - relates to as list_item, +alternate-data-streams sub list, + relates to as list-item, relates from as owner; sections sub list, - relates to as list_item, + relates to as list-item, relates from as owner; protocols sub list, - relates to as list_item, + relates to as list-item, relates from as owner; -encapsulates_refs sub list, - relates encapsulating as list_item, +encapsulates-refs sub list, + relates encapsulating as list-item, relates encapsulated as owner; -opened_connection_refs sub list, - relates opening as list_item, +opened-connection-refs sub list, + relates opening as list-item, relates opened as owner; -child_refs sub list, - relates child as list_item, +child-refs sub list, + relates child as list-item, relates parent as owner; -service_dll_refs sub list, - relates to as list_item, +service-dll-refs sub list, + relates to as list-item, relates from as owner; values sub list, - relates to as list_item, + relates to as list-item, relates from as owner; -received_lines sub linked_list; +received-lines sub linked-list; -stix_attribute_string sub attribute, +stix-attribute-string sub attribute, value string, - plays granular_marking:marking, + plays granular-marking:marking, abstract; -stix_type sub stix_attribute_string; -stix_id sub stix_attribute_string; -stix_role sub stix_attribute_string; -spec_version sub stix_attribute_string; -labels sub stix_attribute_string; -langs sub stix_attribute_string; -defanged sub stix_attribute_string; -source_name sub stix_attribute_string; -url_link 
sub stix_attribute_string;
-external_id sub stix_attribute_string;
-name sub stix_attribute_string;
-name_enc sub stix_attribute_string;
-magic_number_hex sub stix_attribute_string;
-mime_type sub stix_attribute_string;
-aliases sub stix_attribute_string;
-objective sub stix_attribute_string;
-action sub stix_attribute_string;
-context sub stix_attribute_string;
-identity_class sub stix_attribute_string;
-sector sub stix_attribute_string;
-infrastructure_types sub stix_attribute_string;
-contact_information sub stix_attribute_string;
-indicator_type sub stix_attribute_string;
-pattern sub stix_attribute_string;
-pattern_type sub stix_attribute_string;
-pattern_version sub stix_attribute_string;
-goals sub stix_attribute_string;
-resource_level sub stix_attribute_string;
-primary_motivation sub stix_attribute_string;
-secondary_motivations sub stix_attribute_string;
-malware_types sub stix_attribute_string;
-architecture_execution_envs sub stix_attribute_string;
-implementation_languages sub stix_attribute_string;
-capabilities sub stix_attribute_string;
-region sub stix_attribute_string;
-country sub stix_attribute_string;
-administrative_area sub stix_attribute_string;
-city sub stix_attribute_string;
-street_address sub stix_attribute_string;
-postal_code sub stix_attribute_string;
-version sub stix_attribute_string;
-configuration_version sub stix_attribute_string;
-module sub stix_attribute_string;
-analysis_engine_version sub stix_attribute_string;
-analysis_definition_version sub stix_attribute_string;
-result_name sub stix_attribute_string;
-result sub stix_attribute_string;
-note_abstract sub stix_attribute_string;
-content sub stix_attribute_string;
-authors sub stix_attribute_string;
-explanation sub stix_attribute_string;
-opinion_enum sub stix_attribute_string;
-report_type sub stix_attribute_string;
-sophistication sub stix_attribute_string;
-personal_characteristics sub stix_attribute_string;
-roles sub stix_attribute_string;
-threat_actor_types sub stix_attribute_string;
-tool_types sub stix_attribute_string;
-tool_version sub stix_attribute_string;
-vulnerability_types sub stix_attribute_string;
-kill_chain_name sub stix_attribute_string;
-kill_chain_phase_name sub stix_attribute_string;
-summary sub stix_attribute_string;
-payload_bin sub stix_attribute_string;
-decryption_key sub stix_attribute_string;
-path sub stix_attribute_string;
-path_enc sub stix_attribute_string;
-rir sub stix_attribute_string;
-display_name sub stix_attribute_string;
-content_type sub stix_attribute_string;
-message_id sub stix_attribute_string;
-subject sub stix_attribute_string;
-body sub stix_attribute_string;
-content_disposition sub stix_attribute_string;
-comment sub stix_attribute_string;
-sid sub stix_attribute_string;
-owner_sid sub stix_attribute_string;
-pdfid0 sub stix_attribute_string;
-pdfid1 sub stix_attribute_string;
-pe_type sub stix_attribute_string;
-imphash sub stix_attribute_string;
-machine_hex sub stix_attribute_string;
-pointer_to_symbol_table_hex sub stix_attribute_string;
-characterstics_hex sub stix_attribute_string;
-win32_version_value_hex sub stix_attribute_string;
-checksum_hex sub stix_attribute_string;
-subsystem_hex sub stix_attribute_string;
-dll_characteristics_hex sub stix_attribute_string;
-loader_flags_hex sub stix_attribute_string;
-magic_hex sub stix_attribute_string;
-request_method sub stix_attribute_string;
-request_value sub stix_attribute_string;
-request_version sub stix_attribute_string;
-icmp_type_hex sub stix_attribute_string;
-icmp_code_hex sub stix_attribute_string;
-service_name sub stix_attribute_string;
-subject_public_key_algorithm sub stix_attribute_string;
-subject_public_key_modulus sub stix_attribute_string;
-certificate_policies sub stix_attribute_string;
-crl_distribution_points sub stix_attribute_string;
-subject_directory_attributes sub stix_attribute_string;
-key_usage sub stix_attribute_string;
-subject_alternative_name sub stix_attribute_string;
-subject_key_identifier sub stix_attribute_string;
-extended_key_usage sub stix_attribute_string;
-name_constraints sub stix_attribute_string;
-policy_mappings sub stix_attribute_string;
-policy_constraints sub stix_attribute_string;
-basic_constraints sub stix_attribute_string;
-inhibit_any_policy sub stix_attribute_string;
-authority_key_identifier sub stix_attribute_string;
-issuer_alternative_name sub stix_attribute_string;
-data sub stix_attribute_string;
-user_id sub stix_attribute_string;
-priority sub stix_attribute_string;
-stix_value sub stix_attribute_string;
-cwd sub stix_attribute_string;
-command_line sub stix_attribute_string;
-account_login sub stix_attribute_string;
-group_name sub stix_attribute_string;
-dst_flags_hex sub stix_attribute_string;
-src_flags_hex sub stix_attribute_string;
-product sub stix_attribute_string;
-spe sub stix_attribute_string;
-exif_tag_string sub stix_attribute_string;
-window_title sub stix_attribute_string;
-statement sub stix_attribute_string;
-home_dir sub stix_attribute_string;
-account_type sub stix_attribute_string;
-credential sub stix_attribute_string;
-attribute_key sub stix_attribute_string;
-shell sub stix_attribute_string;
-swid sub stix_attribute_string;
-vendor sub stix_attribute_string;
-description sub stix_attribute_string;
-descriptions sub stix_attribute_string;
-languages sub stix_attribute_string;
-groups sub stix_attribute_string;
-
-received sub stix_attribute_string,
+stix-type sub stix-attribute-string;
+stix-id sub stix-attribute-string;
+stix-role sub stix-attribute-string;
+spec-version sub stix-attribute-string;
+labels sub stix-attribute-string;
+langs sub stix-attribute-string;
+defanged sub stix-attribute-string;
+source-name sub stix-attribute-string;
+url-link sub stix-attribute-string;
+external-id sub stix-attribute-string;
+name sub stix-attribute-string;
+name-enc sub stix-attribute-string;
+magic-number-hex sub stix-attribute-string;
+mime-type sub stix-attribute-string;
+aliases sub stix-attribute-string;
+objective sub stix-attribute-string;
+action sub stix-attribute-string;
+context sub stix-attribute-string;
+identity-class sub stix-attribute-string;
+sector sub stix-attribute-string;
+infrastructure-types sub stix-attribute-string;
+contact-information sub stix-attribute-string;
+indicator-type sub stix-attribute-string;
+pattern sub stix-attribute-string;
+pattern-type sub stix-attribute-string;
+pattern-version sub stix-attribute-string;
+goals sub stix-attribute-string;
+resource-level sub stix-attribute-string;
+primary-motivation sub stix-attribute-string;
+secondary-motivations sub stix-attribute-string;
+malware-types sub stix-attribute-string;
+architecture-execution-envs sub stix-attribute-string;
+implementation-languages sub stix-attribute-string;
+capabilities sub stix-attribute-string;
+region sub stix-attribute-string;
+country sub stix-attribute-string;
+administrative-area sub stix-attribute-string;
+city sub stix-attribute-string;
+street-address sub stix-attribute-string;
+postal-code sub stix-attribute-string;
+version sub stix-attribute-string;
+configuration-version sub stix-attribute-string;
+module sub stix-attribute-string;
+analysis-engine-version sub stix-attribute-string;
+analysis-definition-version sub stix-attribute-string;
+result-name sub stix-attribute-string;
+result sub stix-attribute-string;
+note-abstract sub stix-attribute-string;
+content sub stix-attribute-string;
+authors sub stix-attribute-string;
+explanation sub stix-attribute-string;
+opinion-enum sub stix-attribute-string;
+report-type sub stix-attribute-string;
+sophistication sub stix-attribute-string;
+personal-characteristics sub stix-attribute-string;
+roles sub stix-attribute-string;
+threat-actor-types sub stix-attribute-string;
+tool-types sub stix-attribute-string;
+tool-version sub stix-attribute-string;
+vulnerability-types sub stix-attribute-string;
+kill-chain-name sub stix-attribute-string;
+kill-chain-phase-name sub stix-attribute-string;
+summary sub stix-attribute-string;
+payload-bin sub stix-attribute-string;
+decryption-key sub stix-attribute-string;
+path sub stix-attribute-string;
+path-enc sub stix-attribute-string;
+rir sub stix-attribute-string;
+display-name sub stix-attribute-string;
+content-type sub stix-attribute-string;
+message-id sub stix-attribute-string;
+subject sub stix-attribute-string;
+body sub stix-attribute-string;
+content-disposition sub stix-attribute-string;
+comment sub stix-attribute-string;
+sid sub stix-attribute-string;
+owner-sid sub stix-attribute-string;
+pdfid0 sub stix-attribute-string;
+pdfid1 sub stix-attribute-string;
+pe-type sub stix-attribute-string;
+imphash sub stix-attribute-string;
+machine-hex sub stix-attribute-string;
+pointer-to-symbol-table-hex sub stix-attribute-string;
+characterstics-hex sub stix-attribute-string;
+win32-version-value-hex sub stix-attribute-string;
+checksum-hex sub stix-attribute-string;
+subsystem-hex sub stix-attribute-string;
+dll-characteristics-hex sub stix-attribute-string;
+loader-flags-hex sub stix-attribute-string;
+magic-hex sub stix-attribute-string;
+request-method sub stix-attribute-string;
+request-value sub stix-attribute-string;
+request-version sub stix-attribute-string;
+icmp-type-hex sub stix-attribute-string;
+icmp-code-hex sub stix-attribute-string;
+service-name sub stix-attribute-string;
+subject-public-key-algorithm sub stix-attribute-string;
+subject-public-key-modulus sub stix-attribute-string;
+certificate-policies sub stix-attribute-string;
+crl-distribution-points sub stix-attribute-string;
+subject-directory-attributes sub stix-attribute-string;
+key-usage sub stix-attribute-string;
+subject-alternative-name sub stix-attribute-string;
+subject-key-identifier sub stix-attribute-string;
+extended-key-usage sub stix-attribute-string;
+name-constraints sub stix-attribute-string;
+policy-mappings sub stix-attribute-string;
+policy-constraints sub stix-attribute-string;
+basic-constraints sub stix-attribute-string; +inhibit-any-policy sub stix-attribute-string; +authority-key-identifier sub stix-attribute-string; +issuer-alternative-name sub stix-attribute-string; +data sub stix-attribute-string; +user-id sub stix-attribute-string; +priority sub stix-attribute-string; +stix-value sub stix-attribute-string; +cwd sub stix-attribute-string; +command-line sub stix-attribute-string; +account-login sub stix-attribute-string; +group-name sub stix-attribute-string; +dst-flags-hex sub stix-attribute-string; +src-flags-hex sub stix-attribute-string; +product sub stix-attribute-string; +spe sub stix-attribute-string; +exif-tag-string sub stix-attribute-string; +window-title sub stix-attribute-string; +statement sub stix-attribute-string; +home-dir sub stix-attribute-string; +account-type sub stix-attribute-string; +credential sub stix-attribute-string; +attribute-key sub stix-attribute-string; +shell sub stix-attribute-string; +swid sub stix-attribute-string; +vendor sub stix-attribute-string; +description sub stix-attribute-string; +descriptions sub stix-attribute-string; +languages sub stix-attribute-string; +groups sub stix-attribute-string; + +received sub stix-attribute-string, plays node:listed; -document_info sub stix_attribute_string, - plays document_info_dict:document_info; -protocol sub stix_attribute_string, +document-info sub stix-attribute-string, + plays document-info-dict:document-info; +protocol sub stix-attribute-string, plays protocols:to; -ipfix_string sub stix_attribute_string, - plays ipfix:ipfix_field; -header sub stix_attribute_string, - plays request_header:header; -environment_variable sub stix_attribute_string, - plays environment_variables:variable; -startup sub stix_attribute_string, - plays startup_info:info; - -issuer sub stix_attribute_string; -serial_number sub stix_attribute_string; -signature_algorithm sub stix_attribute_string; -subject_public_key_exponent sub stix_attribute_string; - -hash_value sub 
stix_attribute_string, - plays hashes:hash_value; -key_abstract sub stix_attribute_string, +ipfix-string sub stix-attribute-string, + plays ipfix:ipfix-field; +header sub stix-attribute-string, + plays request-header:header; +environment-variable sub stix-attribute-string, + plays environment-variables:variable; +startup sub stix-attribute-string, + plays startup-info:info; + +issuer sub stix-attribute-string; +serial-number sub stix-attribute-string; +signature-algorithm sub stix-attribute-string; +subject-public-key-exponent sub stix-attribute-string; + +hash-value sub stix-attribute-string, + plays hashes:hash-value; +key-abstract sub stix-attribute-string, abstract; -key sub key_abstract; -hash_algorithm sub key_abstract, +key sub key-abstract; +hash-algorithm sub key-abstract, regex "^(MD5|SHA-1|SHA-256|SHA-512|SHA3-256|SHA3-512|SSDEEP|TLSH)$"; -encryption_algorithm sub stix_attribute_string, - regex "^(AES_256_GCM|ChaCha20_Poly1305|mime_type_indicated)$"; -address_family sub stix_attribute_string, - regex "^(AF_UNSPEC|AF_INET|AF_IPX|AF_APPLETALK|AF_NETBIOS|AF_INET6|AF_IRDA|AF_BTH)$"; -socket_type sub stix_attribute_string, - regex "^(SOCK_STREAM|SOCK_DGRAM|SOCK_RAW|SOCK_RDM|SOCK_SEQPACKET)$"; -opinion_enum sub stix_attribute_string, - regex "^(strongly_disagree|disagree|neutral|agree|strongly_agree)$"; -integrity_level sub stix_attribute_string, +encryption-algorithm sub stix-attribute-string, + regex "^(AES-256-GCM|ChaCha20-Poly1305|mime-type-indicated)$"; +address-family sub stix-attribute-string, + regex "^(AF-UNSPEC|AF-INET|AF-IPX|AF-APPLETALK|AF-NETBIOS|AF-INET6|AF-IRDA|AF-BTH)$"; +socket-type sub stix-attribute-string, + regex "^(SOCK-STREAM|SOCK-DGRAM|SOCK-RAW|SOCK-RDM|SOCK-SEQPACKET)$"; +opinion-enum sub stix-attribute-string, + regex "^(strongly-disagree|disagree|neutral|agree|strongly-agree)$"; +integrity-level sub stix-attribute-string, regex "^(low|medium|high|system)$"; -data_type sub stix_attribute_string, - regex 
"^(REG_NONE|REG_SZ|REG_EXPAND_SZ|REG_BINARY|REG_DWORD|REG_DWORD_BIG_ENDIAN|REG_LINK|REG_MULTI_SZ|REG_RESOURCE_LIST|REG_FULL_RESOURCE_DESCRIPTION|REG_RESOURCE_REQUIREMENTS_LIST|REG_QWORD|REG_INVALID_TYPE)$"; -start_type sub stix_attribute_string, - regex "^(SERVICE_AUTO_START|SERVICE_BOOT_START|SERVICE_DEMAND_START|SERVICE_DISABLED|SERVICE_SYSTEM_ALERT)$"; -service_type sub stix_attribute_string, - regex "^(SERVICE_KERNEL_DRIVER|SERVICE_FILE_SYSTEM_DRIVER|SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS)$"; -service_status sub stix_attribute_string, - regex "^(SERVICE_CONTINUE_PENDING|SERVICE_PAUSE_PENDING|SERVICE_PAUSED|SERVICE_RUNNING|SERVICE_START_PENDING|SERVICE_STOP_PENDING|SERVICE_STOPPED)$"; -color sub stix_attribute_string, +data-type sub stix-attribute-string, + regex "^(REG-NONE|REG-SZ|REG-EXPAND-SZ|REG-BINARY|REG-DWORD|REG-DWORD-BIG-ENDIAN|REG-LINK|REG-MULTI-SZ|REG-RESOURCE-LIST|REG-FULL-RESOURCE-DESCRIPTION|REG-RESOURCE-REQUIREMENTS-LIST|REG-QWORD|REG-INVALID-TYPE)$"; +start-type sub stix-attribute-string, + regex "^(SERVICE-AUTO-START|SERVICE-BOOT-START|SERVICE-DEMAND-START|SERVICE-DISABLED|SERVICE-SYSTEM-ALERT)$"; +service-type sub stix-attribute-string, + regex "^(SERVICE-KERNEL-DRIVER|SERVICE-FILE-SYSTEM-DRIVER|SERVICE-WIN32-OWN-PROCESS|SERVICE-WIN32-SHARE-PROCESS)$"; +service-status sub stix-attribute-string, + regex "^(SERVICE-CONTINUE-PENDING|SERVICE-PAUSE-PENDING|SERVICE-PAUSED|SERVICE-RUNNING|SERVICE-START-PENDING|SERVICE-STOP-PENDING|SERVICE-STOPPED)$"; +color sub stix-attribute-string, regex "^(white|green|amber|red|clear)$"; -stix_attribute_double sub attribute, +stix-attribute-double sub attribute, value double, - plays granular_marking:marked, + plays granular-marking:marked, abstract; -number sub stix_attribute_double; -latitude sub stix_attribute_double; -longitude sub stix_attribute_double; -precision sub stix_attribute_double; -number_observed sub stix_attribute_double; -count sub stix_attribute_double; -entropy sub 
stix_attribute_double; -size_ofuninitialized_data sub stix_attribute_double; +number sub stix-attribute-double; +latitude sub stix-attribute-double; +longitude sub stix-attribute-double; +precision sub stix-attribute-double; +number-observed sub stix-attribute-double; +count sub stix-attribute-double; +entropy sub stix-attribute-double; +size-ofuninitialized-data sub stix-attribute-double; -stix_attribute_integer sub attribute, +stix-attribute-integer sub attribute, value long, - plays granular_marking:marked, + plays granular-marking:marked, abstract; -size sub stix_attribute_integer; -gid sub stix_attribute_integer; -image_height sub stix_attribute_integer; -image_width sub stix_attribute_integer; -bits_per_pixel sub stix_attribute_integer; -confidence sub stix_attribute_integer; -number_of_sections sub stix_attribute_integer; -number_of_symbols sub stix_attribute_integer; -size_of_optional_header sub stix_attribute_integer; -major_linker_version sub stix_attribute_integer; -minor_linker_version sub stix_attribute_integer; -size_of_code sub stix_attribute_integer; -size_of_initialized_data sub stix_attribute_integer; -size_of_uninitialized_data sub stix_attribute_integer; -address_of_entry_point sub stix_attribute_integer; -base_of_code sub stix_attribute_integer; -base_of_data sub stix_attribute_integer; -image_base sub stix_attribute_integer; -section_alignment sub stix_attribute_integer; -file_alignment sub stix_attribute_integer; -major_os_version sub stix_attribute_integer; -minor_os_version sub stix_attribute_integer; -major_image_version sub stix_attribute_integer; -minor_image_version sub stix_attribute_integer; -major_subsystem_version sub stix_attribute_integer; -minor_subsystem_version sub stix_attribute_integer; -size_of_image sub stix_attribute_integer; -size_of_headers sub stix_attribute_integer; -size_of_stack_reserve sub stix_attribute_integer; -size_of_stack_commit sub stix_attribute_integer; -size_of_heap_reserve sub stix_attribute_integer; 
-size_of_heap_commit sub stix_attribute_integer; -number_of_rva_and_sizes sub stix_attribute_integer; -message_body_length sub stix_attribute_integer; -number_subkeys sub stix_attribute_integer; -exif_tag_int sub stix_attribute_integer; -src_port sub stix_attribute_integer; -dst_port sub stix_attribute_integer; -src_byte_count sub stix_attribute_integer; -dst_byte_count sub stix_attribute_integer; -src_packets sub stix_attribute_integer; -dst_packets sub stix_attribute_integer; -socket_descriptor sub stix_attribute_integer; -socket_handle sub stix_attribute_integer; -pid sub stix_attribute_integer; -option sub stix_attribute_integer, +size sub stix-attribute-integer; +gid sub stix-attribute-integer; +image-height sub stix-attribute-integer; +image-width sub stix-attribute-integer; +bits-per-pixel sub stix-attribute-integer; +confidence sub stix-attribute-integer; +number-of-sections sub stix-attribute-integer; +number-of-symbols sub stix-attribute-integer; +size-of-optional-header sub stix-attribute-integer; +major-linker-version sub stix-attribute-integer; +minor-linker-version sub stix-attribute-integer; +size-of-code sub stix-attribute-integer; +size-of-initialized-data sub stix-attribute-integer; +size-of-uninitialized-data sub stix-attribute-integer; +address-of-entry-point sub stix-attribute-integer; +base-of-code sub stix-attribute-integer; +base-of-data sub stix-attribute-integer; +image-base sub stix-attribute-integer; +section-alignment sub stix-attribute-integer; +file-alignment sub stix-attribute-integer; +major-os-version sub stix-attribute-integer; +minor-os-version sub stix-attribute-integer; +major-image-version sub stix-attribute-integer; +minor-image-version sub stix-attribute-integer; +major-subsystem-version sub stix-attribute-integer; +minor-subsystem-version sub stix-attribute-integer; +size-of-image sub stix-attribute-integer; +size-of-headers sub stix-attribute-integer; +size-of-stack-reserve sub stix-attribute-integer; +size-of-stack-commit 
sub stix-attribute-integer; +size-of-heap-reserve sub stix-attribute-integer; +size-of-heap-commit sub stix-attribute-integer; +number-of-rva-and-sizes sub stix-attribute-integer; +message-body-length sub stix-attribute-integer; +number-subkeys sub stix-attribute-integer; +exif-tag-int sub stix-attribute-integer; +src-port sub stix-attribute-integer; +dst-port sub stix-attribute-integer; +src-byte-count sub stix-attribute-integer; +dst-byte-count sub stix-attribute-integer; +src-packets sub stix-attribute-integer; +dst-packets sub stix-attribute-integer; +socket-descriptor sub stix-attribute-integer; +socket-handle sub stix-attribute-integer; +pid sub stix-attribute-integer; +option sub stix-attribute-integer, plays options:option; -ipfix_integer sub stix_attribute_integer, - plays ipfix:ipfix_field; +ipfix-integer sub stix-attribute-integer, + plays ipfix:ipfix-field; -stix_attribute_boolean sub attribute, +stix-attribute-boolean sub attribute, value boolean, - plays granular_marking:marked, + plays granular-marking:marked, abstract; -is_family sub stix_attribute_boolean; -is_optimized sub stix_attribute_boolean; -is_self_signed sub stix_attribute_boolean; -dep_enabled sub stix_attribute_boolean; -is_active sub stix_attribute_boolean; -is_hidden sub stix_attribute_boolean; -is_blocking sub stix_attribute_boolean; -is_listening sub stix_attribute_boolean; -can_escalate_privs sub stix_attribute_boolean; -is_service_account sub stix_attribute_boolean; -is_privileged sub stix_attribute_boolean; -can_escalate_privs sub stix_attribute_boolean; -is_disabled sub stix_attribute_boolean; -is_multipart sub stix_attribute_boolean; -aslr_enabled sub stix_attribute_boolean; -revoked sub stix_attribute_boolean; - -stix_attribute_timestamp sub attribute, +is-family sub stix-attribute-boolean; +is-optimized sub stix-attribute-boolean; +is-self-signed sub stix-attribute-boolean; +dep-enabled sub stix-attribute-boolean; +is-active sub stix-attribute-boolean; +is-hidden sub 
stix-attribute-boolean; +is-blocking sub stix-attribute-boolean; +is-listening sub stix-attribute-boolean; +can-escalate-privs sub stix-attribute-boolean; +is-service-account sub stix-attribute-boolean; +is-privileged sub stix-attribute-boolean; +can-escalate-privs sub stix-attribute-boolean; +is-disabled sub stix-attribute-boolean; +is-multipart sub stix-attribute-boolean; +aslr-enabled sub stix-attribute-boolean; +revoked sub stix-attribute-boolean; + +stix-attribute-timestamp sub attribute, value datetime, - plays granular_marking:marked, + plays granular-marking:marked, abstract; -date sub stix_attribute_timestamp; -ctime sub stix_attribute_timestamp; -atime sub stix_attribute_timestamp; -mtime sub stix_attribute_timestamp; -created sub stix_attribute_timestamp; -modified sub stix_attribute_timestamp; -submitted sub stix_attribute_timestamp; -valid_from sub stix_attribute_timestamp; -valid_until sub stix_attribute_timestamp; -first_observed sub stix_attribute_timestamp; -last_observed sub stix_attribute_timestamp; -analysis_started sub stix_attribute_timestamp; -analysis_ended sub stix_attribute_timestamp; -published sub stix_attribute_timestamp; -first_seen sub stix_attribute_timestamp; -last_seen sub stix_attribute_timestamp; -time_date_stamp sub stix_attribute_timestamp; -end sub stix_attribute_timestamp; -start sub stix_attribute_timestamp; -created_time sub stix_attribute_timestamp; -modified_time sub stix_attribute_timestamp; -account_created sub stix_attribute_timestamp; -account_expires sub stix_attribute_timestamp; -credential_last_changed sub stix_attribute_timestamp; -account_first_login sub stix_attribute_timestamp; -account_last_login sub stix_attribute_timestamp; -validity_not_before sub stix_attribute_timestamp; -validity_not_after sub stix_attribute_timestamp; -private_key_usage_period_not_after sub stix_attribute_timestamp; -private_key_usage_period_not_before sub stix_attribute_timestamp; - -custom_attribute sub attribute, value string, - 
plays granular_marking:marked, - owns attribute_type; - -attribute_type sub attribute, value string; - -rule linked_list_item: +date sub stix-attribute-timestamp; +ctime sub stix-attribute-timestamp; +atime sub stix-attribute-timestamp; +mtime sub stix-attribute-timestamp; +created sub stix-attribute-timestamp; +modified sub stix-attribute-timestamp; +submitted sub stix-attribute-timestamp; +valid-from sub stix-attribute-timestamp; +valid-until sub stix-attribute-timestamp; +first-observed sub stix-attribute-timestamp; +last-observed sub stix-attribute-timestamp; +analysis-started sub stix-attribute-timestamp; +analysis-ended sub stix-attribute-timestamp; +published sub stix-attribute-timestamp; +first-seen sub stix-attribute-timestamp; +last-seen sub stix-attribute-timestamp; +time-date-stamp sub stix-attribute-timestamp; +end sub stix-attribute-timestamp; +start sub stix-attribute-timestamp; +created-time sub stix-attribute-timestamp; +modified-time sub stix-attribute-timestamp; +account-created sub stix-attribute-timestamp; +account-expires sub stix-attribute-timestamp; +credential-last-changed sub stix-attribute-timestamp; +account-first-login sub stix-attribute-timestamp; +account-last-login sub stix-attribute-timestamp; +validity-not-before sub stix-attribute-timestamp; +validity-not-after sub stix-attribute-timestamp; +private-key-usage-period-not-after sub stix-attribute-timestamp; +private-key-usage-period-not-before sub stix-attribute-timestamp; + +custom-attribute sub attribute, value string, + plays granular-marking:marked, + owns attribute-type; + +attribute-type sub attribute, value string; + +rule linked-list-item: when { - { (list: $x, first: $z) isa first_element;} + { (list: $x, first: $z) isa first-element;} or { - (list: $x, element: $y) isa list_element; + (list: $x, element: $y) isa list-element; $y (next: $z) isa node; }; - $x isa linked_list; + $x isa linked-list; $z isa node; $y isa node; } then { - (list: $x, element: $z) isa list_element; 
+ (list: $x, element: $z) isa list-element; }; -rule last_element_linked_list: +rule last-element-linked-list: when { - (list: $x, element: $y) isa list_element; + (list: $x, element: $y) isa list-element; not { $z isa node; $y (next: $z); }; - $x isa linked_list; + $x isa linked-list; $y isa node; $z isa node; } then { - (list: $x, last: $y) isa last_element; + (list: $x, last: $y) isa last-element; }; -rule transitive_use: +rule transitive-use: when { - $x isa stix_domain_object; - $y isa stix_domain_object; - $z isa stix_domain_object; + $x isa stix-domain-object; + $y isa stix-domain-object; + $z isa stix-domain-object; $use1 (using: $x, used: $y) isa uses; $use2 (using: $y, used: $z) isa uses; } then { (using: $x, used: $z) isa uses; }; -rule attributed_to_when_using: +rule attributed-to-when-using: when { - (attributing: $z, attributed: $x) isa attributed_to; + (attributing: $z, attributed: $x) isa attributed-to; (using: $x, used: $y) isa uses; } then { (using: $z, used: $y) isa uses; }; -rule attributed_to_when_targeting: +rule attributed-to-when-targeting: when { - (attributing: $z, attributed: $x) isa attributed_to; + (attributing: $z, attributed: $x) isa attributed-to; (targeting: $x, targeted: $y) isa targets; } then { (targeting: $z, targeted: $y) isa targets; diff --git a/cyber-threat-intelligence/insert-data.tql b/cyber-threat-intelligence/insert-data.tql index d7f46f1..60df777 100644 --- a/cyber-threat-intelligence/insert-data.tql +++ b/cyber-threat-intelligence/insert-data.tql 
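Review bot: The blanket `_`→`-` rename also rewrote the literal vocabulary inside the `regex` constraints on `address-family`, `socket-type`, `data-type`, `start-type`, `service-type` and `service-status`, whose STIX 2.1 enum values are underscore-form (`AF_INET`, `SOCK_STREAM`, `REG_SZ`, `SERVICE_RUNNING`), so a bundle carrying the standard values will now be rejected by the attribute constraint at insert time, whereas `encryption-algorithm` (`AES-256-GCM`) and `opinion-enum` (`strongly-disagree`) are the two whose hyphenated form actually matches the spec. Only the regex literals need restoring; the hyphenated attribute type names can stay. The same pass carried over two pre-existing slips worth a follow-up: `can-escalate-privs sub stix-attribute-boolean;` is declared twice, and `size-ofuninitialized-data` (double) sits beside `size-of-uninitialized-data` (integer), which looks like a typo'd duplicate rather than two intended attributes.
```typeql
address-family sub stix-attribute-string,
    regex "^(AF_UNSPEC|AF_INET|AF_IPX|AF_APPLETALK|AF_NETBIOS|AF_INET6|AF_IRDA|AF_BTH)$";
socket-type sub stix-attribute-string,
    regex "^(SOCK_STREAM|SOCK_DGRAM|SOCK_RAW|SOCK_RDM|SOCK_SEQPACKET)$";
# … unchanged: opinion-enum, integrity-level …
data-type sub stix-attribute-string,
    regex "^(REG_NONE|REG_SZ|REG_EXPAND_SZ|REG_BINARY|REG_DWORD|REG_DWORD_BIG_ENDIAN|REG_LINK|REG_MULTI_SZ|REG_RESOURCE_LIST|REG_FULL_RESOURCE_DESCRIPTION|REG_RESOURCE_REQUIREMENTS_LIST|REG_QWORD|REG_INVALID_TYPE)$";
start-type sub stix-attribute-string,
    regex "^(SERVICE_AUTO_START|SERVICE_BOOT_START|SERVICE_DEMAND_START|SERVICE_DISABLED|SERVICE_SYSTEM_ALERT)$";
service-type sub stix-attribute-string,
    regex "^(SERVICE_KERNEL_DRIVER|SERVICE_FILE_SYSTEM_DRIVER|SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS)$";
service-status sub stix-attribute-string,
    regex "^(SERVICE_CONTINUE_PENDING|SERVICE_PAUSE_PENDING|SERVICE_PAUSED|SERVICE_RUNNING|SERVICE_START_PENDING|SERVICE_STOP_PENDING|SERVICE_STOPPED)$";
# … unchanged: color and the remaining attribute hierarchy …
```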
@@ -7,35 +7,35 @@ # Clean old data: match $t isa thing; delete $t isa thing; -match $t isa threat_actor; insert $t has full-name "Bravo"; +match $t isa threat-actor; insert $t has full-name "Bravo"; # Example from: https://oasis-open.github.io/cti-documentation/examples/identifying-a-threat-actor-profile # Identifying a Threat Actor Profile insert -$ta isa threat_actor, has name "Disco Team Threat Actor Group", - has spec_version "2.1", - has stix_id "threat_actor__dfaa8d77_07e2_4e28_b2c8_92e9f7b04428", +$ta isa threat-actor, has name "Disco Team Threat Actor Group", + has spec-version "2.1", + has stix-id "threat-actor--dfaa8d77-07e2-4e28-b2c8-92e9f7b04428", has created 2014-11-19T23:39:03.893, has modified 2014-11-19T23:39:03.893, - has aliases "disco_team@stealthemail.com", + has aliases "disco-team@stealthemail.com", has aliases "Equipo del Discoteca", has description "This organized threat actor group operates to create profit from all types of crime.", has aliases "Equipo del Discoteca", - has stix_role "agent", + has stix-role "agent", has goals "Steal Credit Card Information", has sophistication "expert", - has resource_level "organization", - has threat_actor_types "crime syndicate", - has primary_motivation "personal_gain"; -$id isa organization, has name "Disco Team", has spec_version "2.1", - has stix_id "identity__733c5838_34d9_4fbf_949c_62aba761184c", + has resource-level "organization", + has threat-actor-types "crime syndicate", + has primary-motivation "personal-gain"; +$id isa organization, has name "Disco Team", has spec-version "2.1", + has stix-id "identity--733c5838-34d9-4fbf-949c-62aba761184c", has created 2016-08-23T18:05:49.307, has modified 2016-08-23T18:05:49.307, - has description "Disco Team is the name of an organized threat actor crime_syndicate.", - has contact_information "disco_team@stealthemail.com"; + has description "Disco Team is the name of an organized threat actor crime-syndicate.", + has contact-information 
"disco-team@stealthemail.com"; -(attributing: $ta, attributed: $id) isa attributed_to, has spec_version "2.1", - has stix_id "relationship__a2e3efb5_351d_4d46_97a0_6897ee7c77a0", +(attributing: $ta, attributed: $id) isa attributed-to, has spec-version "2.1", + has stix-id "relationship--a2e3efb5-351d-4d46-97a0-6897ee7c77a0", has created 2020-02-29T18:01:28.577, has modified 2020-02-29T18:01:28.577; 
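Review bot: `match $t isa threat-actor; insert $t has full-name "Bravo";` sits directly after the `match $t isa thing; delete $t isa thing;` wipe, so it can match nothing and inserts nothing; it reads as a leftover debugging line, and `full-name` appears nowhere else in the visible hunks, so if the schema does not declare it the whole load aborts here — remove the line. In the Disco Team insert, `has aliases "Equipo del Discoteca"` is given twice; drop the second copy. `has threat-actor-types "crime syndicate"` should be the STIX 2.1 open-vocabulary value `crime-syndicate` (the identity's description already uses that spelling), otherwise lookups by the vocabulary term miss this actor.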
@@ -43,32 +43,32 @@ $id isa organization, has name "Disco Team", has spec_version "2.1", # Identicator for malicious URL insert $in isa indicator, has name "Malicious site hosting downloader", - has spec_version "2.1", + has spec-version "2.1", has description "This organized threat actor group operates to create profit from all types of crime.", has created 2014-06-29T13:49:37.079, has modified 2014-06-29T13:49:37.079, - has stix_id "indicator__d81f86b9_975b_4c0b_875e_810c5ad45a4f", + has stix-id "indicator--d81f86b9-975b-4c0b-875e-810c5ad45a4f", has pattern "[url:value = 'http://x4z9arb.cn/4712/']", - has pattern_type "stix", - has valid_from 2014-06-29T13:49:37.079, - has indicator_type "malicious_activity"; + has pattern-type "stix", + has valid-from 2014-06-29T13:49:37.079, + has indicator-type "malicious-activity"; $ma isa malware, has name "x4z9arb backdoor", - has spec_version "2.1", - has stix_id "malware__162d917e_766f_4611_b5d6_652791454fca", + has spec-version "2.1", + has stix-id "malware--162d917e-766f-4611-b5d6-652791454fca", has created 2014-06-30T09:15:17.182, has modified 2014-06-30T09:15:17.182, has description "This malware attempts to download remote files after establishing a foothold as a backdoor.", - has malware_types "backdoor", - has malware_types "remote_access_trojan", - has is_family false; -$kill_chain_phase isa kill_chain_phase, - has kill_chain_name "mandiant_attack_lifecycle_model", - has kill_chain_phase_name "establish_foothold"; - -(used: $ma, using: $kill_chain_phase) isa kill_chain_phases; + has malware-types "backdoor", + has malware-types "remote-access-trojan", + has is-family false; +$kill-chain-phase isa kill-chain-phase, + has kill-chain-name "mandiant-attack-lifecycle-model", + has kill-chain-phase-name "establish-foothold"; + +(used: $ma, using: $kill-chain-phase) isa kill-chain-phases; (indicating: $in, indicated: $ma) isa indicates, - has spec_version "2.1", - has stix_id 
"relationship__864af2ea_46f9_4d23_b3a2_1c2adf81c265", + has spec-version "2.1", + has stix-id "relationship--864af2ea-46f9-4d23-b3a2-1c2adf81c265", has created 2020-02-29T18:03:58.029, has modified 2020-02-29T18:03:58.029; 
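Review bot: The comment opening this hunk reads `# Identicator for malicious URL`; it should be `# Indicator for malicious URL`. Less certain: `(used: $ma, using: $kill-chain-phase) isa kill-chain-phases;` puts the malware in the `used` role and the phase in `using`, which reads inverted for a STIX `kill_chain_phases` list (the malware is the thing positioned in the phase); the schema declaring those roles is not in this diff, so please confirm the intended orientation and, if it is reversed, swap to `(using: $ma, used: $kill-chain-phase)`. Whichever way it is, a one-line comment on the relation stating which side is the phase would save the next reader the same question.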
@@ -76,183 +76,183 @@ $kill_chain_phase isa kill_chain_phase, # Malware indicator for file hash insert $in isa indicator, has name "File hash for Poison Ivy variant", - has spec_version "2.1", - has stix_id "indicator__a932fcc6_e032_476c_826f_cb970a5a1ade", + has spec-version "2.1", + has stix-id "indicator--a932fcc6-e032-476c-826f-cb970a5a1ade", has created 2014-02-20T09:16:08.989, has modified 2014-02-20T09:16:08.989, has description "This file hash indicates that a sample of Poison Ivy is present.", - has indicator_type "malicious_activity", - has pattern "[file:hashes.'SHA_256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']", - has pattern_type "stix", - has valid_from 2014-02-20T09:00:00; + has indicator-type "malicious-activity", + has pattern "[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']", + has pattern-type "stix", + has valid-from 2014-02-20T09:00:00; $m isa malware, has name "Poison Ivy", - has spec_version "2.1", - has stix_id "malware__fdd60b30_b67c_41e3_b0b9_f01faf20d111", + has spec-version "2.1", + has stix-id "malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111", has created 2014-02-20T09:16:08.989, has modified 2014-02-20T09:16:08.989, - has malware_types "remote_access_trojan", - has is_family false; + has malware-types "remote-access-trojan", + has is-family false; (indicating: $in, indicated: $m) isa indicates, - has spec_version "2.1", - has stix_id "relationship__29dcdf68_1b0c_4e16_94ed_bcc7a9572f69", + has spec-version "2.1", + has stix-id "relationship--29dcdf68-1b0c-4e16-94ed-bcc7a9572f69", has created 2020-02-29T18:09:12.808, has modified 2020-02-29T18:09:12.808; # Example from: https://oasis-open.github.io/cti-documentation/examples/sighting-of-an-indicator # Sighting of an Indicator insert -$malicious_url isa indicator, has name "Malicious URL", - has spec_version "2.1", - has stix_id "indicator__9299f726_ce06_492e_8472_2b52ccb53191", +$malicious-url isa indicator, has name 
"Malicious URL", + has spec-version "2.1", + has stix-id "indicator--9299f726-ce06-492e-8472-2b52ccb53191", has created 2017-02-27T13:57:10.515, has modified 2017-02-27T13:57:10.515, has description "This URL is potentially associated with malicious activity and is listed on several blacklist sites.", - has indicator_type "malicious_activity", + has indicator-type "malicious-activity", has pattern "[url:value = 'http://paypa1.banking.com']", - has pattern_type "stix", - has valid_from 2015-06-29T09:10:15.915; + has pattern-type "stix", + has valid-from 2015-06-29T09:10:15.915; $alpha isa organization, has name "Alpha Threat Analysis Org.", - has spec_version "2.1", - has stix_id "identity__39012926_a052_44c4_ae48_caaf4a10ee6e", + has spec-version "2.1", + has stix-id "identity--39012926-a052-44c4-ae48-caaf4a10ee6e", has created 2017-02-24T15:50:10.564, has modified 2017-02-24T15:50:10.564, - has stix_role "Cyber Security", + has stix-role "Cyber Security", has sector "technology", - has contact_information "info@alpha.org"; + has contact-information "info@alpha.org"; $beta isa organization, has name "Beta Cyber Intelligence Company", - has spec_version "2.1", - has stix_id "identity__5206ba14_478f_4b0b_9a48_395f690c20a2", + has spec-version "2.1", + has stix-id "identity--5206ba14-478f-4b0b-9a48-395f690c20a2", has created 2017-02-26T17:55:10.442, has modified 2017-02-26T17:55:10.442, - has stix_role "Cyber Security", + has stix-role "Cyber Security", has sector "technology", - has contact_information "info@beta.com"; -(observed_data: $beta, sighting_of: $malicious_url) isa sighting, has stix_id "5206ba14_478f_4b0b_9a48_395f690c20a2"; -(creator: $alpha, created: $malicious_url) isa created_by; + has contact-information "info@beta.com"; +(observed-data: $beta, sighting-of: $malicious-url) isa sighting, has stix-id "5206ba14-478f-4b0b-9a48-395f690c20a2"; +(creator: $alpha, created: $malicious-url) isa created-by; # Example from: 
https://oasis-open.github.io/cti-documentation/examples/sighting-of-observed-data # Sighting of Observed Data insert $pym isa organization, has name "Pym Technologies", - has spec_version "2.1", - has stix_id "identity__7865b6d2_a4af_45c5_b582_afe5ec376c33", + has spec-version "2.1", + has stix-id "identity--7865b6d2-a4af-45c5-b582-afe5ec376c33", has created 2013-04-14T13:07:49.812, has modified 2013-04-14T13:07:49.812, has sector "technology", - has contact_information "hank@pymtech.com"; + has contact-information "hank@pymtech.com"; $oscorp isa organization, has name "Oscorp Industries", - has spec_version "2.1" , - has stix_id "identity__987eeee1_413a_44ac_96cc_0a8acdcc2f2c", + has spec-version "2.1" , + has stix-id "identity--987eeee1-413a-44ac-96cc-0a8acdcc2f2c", has created 2017-01-14T13:07:49.812, has modified 2017-01-14T13:07:49.812, has sector "technology", - has contact_information "norman@oscorp.com"; + has contact-information "norman@oscorp.com"; $malware isa malware, has name "Online Job Site Trojan", - has spec_version "2.1", - has stix_id "malware__ae560258_a5cb_4be8_8f05_013d6712295f", + has spec-version "2.1", + has stix-id "malware--ae560258-a5cb-4be8-8f05-013d6712295f", has created 2014-02-20T09:16:08.989, has modified 2014-02-20T09:16:08.989, has description "Trojan that is disguised as the executable file resume.pdf., it also creates a registry key.", - has malware_types "remote_access_trojan", - has is_family false; + has malware-types "remote-access-trojan", + has is-family false; $file isa file, - has stix_id "file__364fe3e5_b1f4_5ba3_b951_ee5983b3538d", - has spec_version "2.1", + has stix-id "file--364fe3e5-b1f4-5ba3-b951-ee5983b3538d", + has spec-version "2.1", has size 83968, has name "resume.pdf"; -$ploup isa hash_value; +$ploup isa hash-value; $ploup "1717b7fff97d37a1e1a0029d83492de1"; -$plip isa hash_value; +$plip isa hash-value; $plip "1717b7fff97d37a1e1a0aa29d83492de1"; -(hash_value: $ploup, hashes_owner: $file) isa hashes, has 
hash_algorithm "MD5"; -(hash_value: $plip, hashes_owner: $file) isa hashes, has hash_algorithm "SHA-1"; -$data1 isa observed_data, - has spec_version "2.1", - has stix_id "observed_data__cf8eaa41_6f4c_482e_89b9_9cd2d6a83cb1", +(hash-value: $ploup, hashes-owner: $file) isa hashes, has hash-algorithm "MD5"; +(hash-value: $plip, hashes-owner: $file) isa hashes, has hash-algorithm "SHA-1"; +$data1 isa observed-data, + has spec-version "2.1", + has stix-id "observed-data--cf8eaa41-6f4c-482e-89b9-9cd2d6a83cb1", has created 2017-02-28T19:37:11.213, has modified 2017-02-28T19:37:11.213, - has first_observed 2017-02-27T21:37:11.213, - has last_observed 2017-02-27T21:37:11.213, - has number_observed 1; -$key isa windows_registry_key, - has stix_id "windows_registry_key__16b80d14_d574_5620_abad_10ff304b1c26", - has spec_version "2.1", - has attribute_key "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WSALG2"; -$data2 isa observed_data, - has spec_version "2.1", - has stix_id "observed_data__a0d34360_66ad_4977_b255_d9e1080421c4", + has first-observed 2017-02-27T21:37:11.213, + has last-observed 2017-02-27T21:37:11.213, + has number-observed 1; +$key isa windows-registry-key, + has stix-id "windows-registry-key--16b80d14-d574-5620-abad-10ff304b1c26", + has spec-version "2.1", + has attribute-key "HKEY-LOCAL-MACHINE\\SYSTEM\\ControlSet001\\Services\\WSALG2"; +$data2 isa observed-data, + has spec-version "2.1", + has stix-id "observed-data--a0d34360-66ad-4977-b255-d9e1080421c4", has created 2017-02-28T19:37:11.213, has modified 2017-02-28T19:37:11.213, - has first_observed 2017-02-27T21:37:11.213, - has last_observed 2017-02-27T21:37:11.213, - has number_observed 1; -(creator: $oscorp, created: $data2) isa created_by; -(creator: $oscorp, created: $data1) isa created_by; -(creator: $pym, created: $malware) isa created_by; -(sighting_of: $malware, observed_data: $data1, observed_data: $data2) isa sighting, - has spec_version "2.1", - has stix_id 
"sighting__779c4ae8_e134_4180_baa4_03141095d971", + has first-observed 2017-02-27T21:37:11.213, + has last-observed 2017-02-27T21:37:11.213, + has number-observed 1; +(creator: $oscorp, created: $data2) isa created-by; +(creator: $oscorp, created: $data1) isa created-by; +(creator: $pym, created: $malware) isa created-by; +(sighting-of: $malware, observed-data: $data1, observed-data: $data2) isa sighting, + has spec-version "2.1", + has stix-id "sighting--779c4ae8-e134-4180-baa4-03141095d971", has created 2017-02-28T19:37:11.213, has modified 2017-02-28T19:37:11.213, - has first_seen 2017-02-28T19:07:24.856, - has last_seen 2017-02-28T19:07:24.857, + has first-seen 2017-02-28T19:07:24.856, + has last-seen 2017-02-28T19:07:24.857, has count 1; -(referencing: $data1, referenced: $file) isa external_references; -(referencing: $data2, referenced: $key) isa external_references; +(referencing: $data1, referenced: $file) isa external-references; +(referencing: $data2, referenced: $key) isa external-references; # Example from: https://oasis-open.github.io/cti-documentation/examples/threat-actor-leveraging-attack-patterns-and-malware # Threat Actor Leveraging Attack Patterns and Malware insert -$bravo_ta isa threat_actor, - has spec_version "2.1", - has stix_id "threat_actor_bravo", +$bravo-ta isa threat-actor, + has spec-version "2.1", + has stix-id "threat-actor-bravo", has created 2015-05-07T14:22:14.760, has modified 2015-05-07T14:22:14.760, has name "Adversary Bravo", has description "Adversary Bravo is known to use phishing attacks to deliver remote access malware to the targets.", - has threat_actor_types "spy", - has threat_actor_types "criminal"; -$poison_ivy isa malware, - has spec_version "2.1", - has stix_id "malware__d1c612bc_146f_4b65_b7b0_9a54a14150a4", + has threat-actor-types "spy", + has threat-actor-types "criminal"; +$poison-ivy isa malware, + has spec-version "2.1", + has stix-id "malware--d1c612bc-146f-4b65-b7b0-9a54a14150a4", has created 
2015-04-23T11:12:34.760, has modified 2015-04-23T11:12:34.760, has name "Poison Ivy Variant d1c6", - has is_family false, - has malware_types "remote_access_trojan"; -$kill_chain_phase isa kill_chain_phase, - has kill_chain_name "mandiant_attack_lifecycle_model", - has kill_chain_phase_name "initial_compromise"; -(used: $poison_ivy, using: $kill_chain_phase) isa kill_chain_phases; -$phishing isa attack_pattern, - has spec_version "2.1", - has stix_id "attack_pattern__8ac90ff3_ecf8_4835_95b8_6aea6a623df5", + has is-family false, + has malware-types "remote-access-trojan"; +$kill-chain-phase isa kill-chain-phase, + has kill-chain-name "mandiant-attack-lifecycle-model", + has kill-chain-phase-name "initial-compromise"; +(used: $poison-ivy, using: $kill-chain-phase) isa kill-chain-phases; +$phishing isa attack-pattern, + has spec-version "2.1", + has stix-id "attack-pattern--8ac90ff3-ecf8-4835-95b8-6aea6a623df5", has created 2015-05-07T14:22:14.760, has modified 2015-05-07T14:22:14.760, has name "Phishing", has description "Spear phishing used as a delivery mechanism for malware."; -(used: $phishing, using: $kill_chain_phase) isa kill_chain_phases; +(used: $phishing, using: $kill-chain-phase) isa kill-chain-phases; -$bravo_id isa id_unknown, - has spec_version "2.1", - has stix_id "bravo_id_unknown", +$bravo-id isa id-unknown, + has spec-version "2.1", + has stix-id "bravo-id-unknown", has created 2015-05-10T16:27:17.760, has modified 2015-05-10T16:27:17.760, has name "Adversary Bravo", has description "Adversary Bravo is a threat actor that utilizes phishing attacks."; -# (using: $bravo_ta, used: $poison_ivy) isa uses, -# has spec_version "2.1", -# has stix_id "relationship__d44019b6_b8f7_4cb3_837e_7fd3c5724b87", +# (using: $bravo-ta, used: $poison-ivy) isa uses, +# has spec-version "2.1", +# has stix-id "relationship--d44019b6-b8f7-4cb3-837e-7fd3c5724b87", # has created 2020-02-29T18:18:08.661, # has modified 2020-02-29T18:18:08.661; -# (using: $bravo_ta, used: 
$phishing) isa uses, -# has spec_version "2.1", -# has stix_id "relationship__3cd2d6f9_0ded_486b_8dca_606283a8997f", +# (using: $bravo-ta, used: $phishing) isa uses, +# has spec-version "2.1", +# has stix-id "relationship--3cd2d6f9-0ded-486b-8dca-606283a8997f", # has created 2020-02-29T18:18:08.661, # has modified 2020-02-29T18:18:08.661; -# (attributing: $bravo_ta, attributed: $bravo_id) isa attributed_to, -# has spec_version "2.1", -# has stix_id "relationship__56e5f1c8_08f3_4e24_9e8e_f87d844672ec", +# (attributing: $bravo-ta, attributed: $bravo-id) isa attributed-to, +# has spec-version "2.1", +# has stix-id "relationship--56e5f1c8-08f3-4e24-9e8e-f87d844672ec", # has created 2020-02-29T18:18:08.661, # has modified 2020-02-29T18:18:08.661; 
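Review bot: The global underscore-to-hyphen rename also rewrote a runtime string: the registry observable is now `has attribute-key "HKEY-LOCAL-MACHINE\\SYSTEM\\ControlSet001\\Services\\WSALG2"`, but the Windows hive is spelled `HKEY_LOCAL_MACHINE`, so the key no longer matches anything on a real host. Restore the underscores in that literal only: `has attribute-key "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WSALG2"`. Two neighbouring values also look wrong: the value inserted with `hash-algorithm "SHA-1"` (`1717b7fff97d37a1e1a0aa29d83492de1`) is 33 hex characters, while a SHA-1 digest is 40, and it is visibly a corrupted copy of the MD5 value on the line above; and the first sighting has `has stix-id "5206ba14-478f-4b0b-9a48-395f690c20a2"`, which lacks the `sighting--` prefix and reuses the UUID of the Beta identity. Since this file is the reference dataset for the tutorial, a loader-side check on digest length per algorithm and on the `type--uuid` form of every stix-id would catch this class of error at insert time.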
@@ -260,27 +260,27 @@ $bravo_id isa id_unknown, # Malware Indicator for File Hash insert $in isa indicator, has name "Malicious site hosting downloader", - has spec_version "2.1", + has spec-version "2.1", has description "File hash for Poison Ivy variant", has created 2014-02-20T09:16:08.989, has modified 2014-02-20T09:16:08.989, - has stix_id "indicator--a932fcc6-e032-476c-826f-cb970a5a1ade", + has stix-id "indicator--a932fcc6-e032-476c-826f-cb970a5a1ade", has pattern "[file:hashes.'SHA-256' = 'ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c']", - has pattern_type "stix", - has valid_from 2014-02-20T09:00:00, - has indicator_type "malicious_activity"; + has pattern-type "stix", + has valid-from 2014-02-20T09:00:00, + has indicator-type "malicious-activity"; $ma isa malware, has name "Poison Ivy", - has spec_version "2.1", - has stix_id "malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111", + has spec-version "2.1", + has stix-id "malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111", has created 2014-02-20T09:16:08.989, has modified 2014-02-20T09:16:08.989, - has malware_types "backdoor", - has malware_types "remote_access_trojan", - has is_family false; + has malware-types "backdoor", + has malware-types "remote-access-trojan", + has is-family false; (indicating: $in, indicated: $ma) isa indicates, - has spec_version "2.1", - has stix_id "relationship--29dcdf68-1b0c-4e16-94ed-bcc7a9572f69", + has spec-version "2.1", + has stix-id "relationship--29dcdf68-1b0c-4e16-94ed-bcc7a9572f69", has created 2020-02-29T18:09:12.808, has modified 2020-02-29T18:09:12.808; 
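Review bot: The indicator inserted in this hunk has `has name "Malicious site hosting downloader"` but its pattern is a SHA-256 file hash and its description is `"File hash for Poison Ivy variant"`, so name and description appear swapped relative to the same objects inserted earlier in the file; the earlier block uses `has name "File hash for Poison Ivy variant"` with the description `This file hash indicates that a sample of Poison Ivy is present.`. The block also re-inserts `indicator--a932fcc6-…`, `malware--fdd60b30-…` and `relationship--29dcdf68-…` with exactly the stix-ids of that earlier block, producing two entities per STIX id; if `stix-id` is meant to be unique this should either be rejected by the loader or the block should not exist. Either delete this duplicate block or give it genuinely new UUIDv4 identifiers and correct the name: `has name "File hash for Poison Ivy variant"`.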
@@ -288,220 +288,220 @@ $ma isa malware, has name "Poison Ivy", # Defining Campaigns vs. Threat Actors vs. Intrusion Sets insert -$bravo_at isa attack_pattern, - has spec_version "2.1", - has stix_id "attack_pattern_bravo", +$bravo-at isa attack-pattern, + has spec-version "2.1", + has stix-id "attack-pattern-bravo", has created 2015-05-10T16:27:16.760, has modified 2015-05-10T16:27:16.760, has name "Attack Pattern Bravo"; -$bpp_ta isa threat_actor, - has spec_version "2.1", - has stix_id "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500", +$bpp-ta isa threat-actor, + has spec-version "2.1", + has stix-id "threat-actor--56f3f0db-b5d5-431c-ae56-c18f02caf500", has created 2016-08-08T15:50:10.983, has modified 2016-08-08T15:50:10.983, has name "Fake BPP (Branistan Peoples Party)", - has threat_actor_types "nation-state", + has threat-actor-types "nation-state", has roles "director", has goals "Influence the election in Branistan", has sophistication "strategic", - has resource_level "government", - has primary_motivation "ideology", - has secondary_motivations "dominance"; + has resource-level "government", + has primary-motivation "ideology", + has secondary-motivations "dominance"; $id1 isa identity, - has spec_version "2.1", - has stix_id "identity--8c6af861-7b20-41ef-9b59-6344fd872a8f", + has spec-version "2.1", + has stix-id "identity--8c6af861-7b20-41ef-9b59-6344fd872a8f", has created 2016-08-08T15:50:10.983, has modified 2016-08-08T15:50:10.983, has name "Franistan Intelligence", - has identity_class "organization"; + has identity-class "organization"; $id2 isa identity, - has spec_version "2.1", - has stix_id "identity--ddfe7140-2ba4-48e4-b19a-df069432103b", + has spec-version "2.1", + has stix-id "identity--ddfe7140-2ba4-48e4-b19a-df069432103b", has created 2016-08-08T15:50:10.983, has modified 2016-08-08T15:50:10.983, has name "Branistan Peoples Party", - has identity_class "organization"; + has identity-class "organization"; -$er1 isa external_reference, 
- has source_name "website", - has url_link "http://www.bpp.bn"; +$er1 isa external-reference, + has source-name "website", + has url-link "http://www.bpp.bn"; -(referencing: $id2, referenced: $er1) isa external_references; +(referencing: $id2, referenced: $er1) isa external-references; -$at1 isa attack_pattern, - has spec_version "2.1", - has stix_id "attack-pattern--19da6e1c-71ab-4c2f-886d-d620d09d3b5a", +$at1 isa attack-pattern, + has spec-version "2.1", + has stix-id "attack-pattern--19da6e1c-71ab-4c2f-886d-d620d09d3b5a", has created 2016-08-08T15:50:10.983, has modified 2017-01-30T21:15:04.127, has name "Content Spoofing"; -$er2 isa external_reference, - has source_name "capec", - has url_link "https://capec.mitre.org/data/definitions/148.html", - has external_id "CAPEC-148"; +$er2 isa external-reference, + has source-name "capec", + has url-link "https://capec.mitre.org/data/definitions/148.html", + has external-id "CAPEC-148"; -(referencing: $at1, referenced: $er2) isa external_references; +(referencing: $at1, referenced: $er2) isa external-references; -$at2 isa attack_pattern, - has spec_version "2.1", - has stix_id "attack-pattern--f6050ea6-a9a3-4524-93ed-c27858d6cb3c", +$at2 isa attack-pattern, + has spec-version "2.1", + has stix-id "attack-pattern--f6050ea6-a9a3-4524-93ed-c27858d6cb3c", has created 2016-08-08T15:50:10.983, has modified 2017-01-30T21:15:04.127, has name "HTTP Flood"; -$er3 isa external_reference, - has source_name "capec", - has url_link "https://capec.mitre.org/data/definitions/488.html", - has external_id "CAPEC-488"; +$er3 isa external-reference, + has source-name "capec", + has url-link "https://capec.mitre.org/data/definitions/488.html", + has external-id "CAPEC-488"; -(referencing: $at2, referenced: $er3) isa external_references; +(referencing: $at2, referenced: $er3) isa external-references; $ca1 isa campaign, - has spec_version "2.1", - has stix_id "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e", + has spec-version "2.1", + has 
stix-id "campaign--e5268b6e-4931-42f1-b379-87f48eb41b1e", has created 2016-08-08T15:50:10.983, has modified 2016-08-08T15:50:10.983, has name "Operation Bran Flakes", has description "A concerted effort to insert false information into the BPP's web pages.", has aliases "OBF", - has first_seen 2016-01-08T12:50:40.123, + has first-seen 2016-01-08T12:50:40.123, has objective "Hack www.bpp.bn"; $ca2 isa campaign, - has spec_version "2.1", - has stix_id "campaign--1d8897a7-fdc2-4e59-afc9-becbe04df727", + has spec-version "2.1", + has stix-id "campaign--1d8897a7-fdc2-4e59-afc9-becbe04df727", has created 2016-08-08T15:50:10.983, has modified 2016-08-08T15:50:10.983, has name "Operation Raisin Bran", has description "A DDOS campaign to flood BPP web servers.", has aliases "ORB", - has first_seen 2016-02-07T19:45:32.126, + has first-seen 2016-02-07T19:45:32.126, has objective "Flood www.bpp.bn"; -$is1 isa intrusion_set, - has spec_version "2.1", - has stix_id "intrusion-set--ed69450a-f067-4b51-9ba2-c4616b9a6713", +$is1 isa intrusion-set, + has spec-version "2.1", + has stix-id "intrusion-set--ed69450a-f067-4b51-9ba2-c4616b9a6713", has created 2016-08-08T15:50:10.983, has modified 2016-08-08T15:50:10.983, has name "APT BPP", has description "An advanced persistent threat that seeks to disrupt Branistan's election with multiple attacks.", has aliases "Bran-teaser", - has first_seen 2016-01-08T12:50:40.123, + has first-seen 2016-01-08T12:50:40.123, has goals "Influence the Branistan election", has goals "Disrupt the BPP", has sophistication "strategic", - has resource_level "government", - has primary_motivation "ideology", - has secondary_motivations "dominance"; + has resource-level "government", + has primary-motivation "ideology", + has secondary-motivations "dominance"; -$ato1 (attributing: $ca1, attributed: $bpp_ta) isa attributed_to; -$ato1 has spec_version "2.1", - has stix_id "relationship--98765000-efdf-4a86-8681-36481ceae57f", +$ato1 (attributing: $ca1, attributed: 
$bpp-ta) isa attributed-to; +$ato1 has spec-version "2.1", + has stix-id "relationship--98765000-efdf-4a86-8681-36481ceae57f", has created 2020-02-29T17:41:44.938, has modified 2020-02-29T17:41:44.938; -$ato2 (attributing: $ca2, attributed: $bpp_ta) isa attributed_to; -$ato2 has spec_version "2.1", - has stix_id "relationship--53a55c73-f2c8-47b9-8e50-ae34d8c5da4d", +$ato2 (attributing: $ca2, attributed: $bpp-ta) isa attributed-to; +$ato2 has spec-version "2.1", + has stix-id "relationship--53a55c73-f2c8-47b9-8e50-ae34d8c5da4d", has created 2020-02-29T17:41:44.938, has modified 2020-02-29T17:41:44.938; -$ato3 (attributing: $ca1, attributed: $is1) isa attributed_to; -$ato3 has spec_version "2.1", - has stix_id "relationship--5047c2c0-524b-4afd-9cd6-e197efe59495", +$ato3 (attributing: $ca1, attributed: $is1) isa attributed-to; +$ato3 has spec-version "2.1", + has stix-id "relationship--5047c2c0-524b-4afd-9cd6-e197efe59495", has created 2020-02-29T17:41:44.939, has modified 2020-02-29T17:41:44.939; -$ato4 (attributing: $ca2, attributed: $is1) isa attributed_to; -$ato4 has spec_version "2.1", - has stix_id "relationship--9cc131ca-b64d-4ab1-a300-5e4a0073280a", +$ato4 (attributing: $ca2, attributed: $is1) isa attributed-to; +$ato4 has spec-version "2.1", + has stix-id "relationship--9cc131ca-b64d-4ab1-a300-5e4a0073280a", has created 2020-02-29T17:41:44.939, has modified 2020-02-29T17:41:44.939; -$ato5 (attributing: $is1, attributed: $bpp_ta) isa attributed_to; -$ato5 has spec_version "2.1", - has stix_id "relationship--c171fd27-2a8a-42b7-8293-34016b70c1c8", +$ato5 (attributing: $is1, attributed: $bpp-ta) isa attributed-to; +$ato5 has spec-version "2.1", + has stix-id "relationship--c171fd27-2a8a-42b7-8293-34016b70c1c8", has created 2020-02-29T17:41:44.939, has modified 2020-02-29T17:41:44.939; $ato6 (targeting: $is1, targeted: $id2) isa targets; -$ato6 has spec_version "2.1", - has stix_id "relationship--554e3341-d7b1-4b3c-a522-28ef52fbb49b", +$ato6 has spec-version 
"2.1", + has stix-id "relationship--554e3341-d7b1-4b3c-a522-28ef52fbb49b", has created 2020-02-29T17:41:44.939, has modified 2020-02-29T17:41:44.939; $ato7 (using: $is1, used: $at1) isa uses; -$ato7 has spec_version "2.1", - has stix_id "relationship--06964095-5750-41fe-a9af-6c6a9d995489", +$ato7 has spec-version "2.1", + has stix-id "relationship--06964095-5750-41fe-a9af-6c6a9d995489", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; $ato8 (using: $is1, used: $at2) isa uses; -$ato8 has spec_version "2.1", - has stix_id "relationship--4fe5dab1-fd6d-41aa-b8b1-d3118a708284", +$ato8 has spec-version "2.1", + has stix-id "relationship--4fe5dab1-fd6d-41aa-b8b1-d3118a708284", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; $ato9 (targeting: $ca1, targeted: $id2) isa targets; -$ato9 has spec_version "2.1", - has stix_id "relationship--d8b7932d-0ecb-4891-b021-c78ff2b63747", +$ato9 has spec-version "2.1", + has stix-id "relationship--d8b7932d-0ecb-4891-b021-c78ff2b63747", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; $ato10 (targeting: $ca2, targeted: $id2) isa targets; -$ato10 has spec_version "2.1", - has stix_id "relationship--96cfbc6f-5c08-4372-b811-b90fbb2ec180", +$ato10 has spec-version "2.1", + has stix-id "relationship--96cfbc6f-5c08-4372-b811-b90fbb2ec180", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; $ato11 (using: $ca1, used: $at1) isa uses; -$ato11 has spec_version "2.1", - has stix_id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0a", +$ato11 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0a", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; $ato12 (using: $ca2, used: $at2) isa uses; -$ato12 has spec_version "2.1", - has stix_id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0b", +$ato12 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0b", has 
created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; -$ato13 (impersonating: $bpp_ta, impersonated: $id2) isa impersonates; -$ato13 has spec_version "2.1", - has stix_id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0c", +$ato13 (impersonating: $bpp-ta, impersonated: $id2) isa impersonates; +$ato13 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0c", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; -$ato14 (targeting: $bpp_ta, targeted: $id2) isa targets; -$ato14 has spec_version "2.1", - has stix_id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0d", +$ato14 (targeting: $bpp-ta, targeted: $id2) isa targets; +$ato14 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0d", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; -$ato15 (attributing: $bpp_ta, attributed: $id1) isa attributed_to; -$ato15 has spec_version "2.1", - has stix_id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0e", +$ato15 (attributing: $bpp-ta, attributed: $id1) isa attributed-to; +$ato15 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0e", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; $ato16 (targeting: $ca2, targeted: $id1) isa targets; -$ato16 has spec_version "2.1", - has stix_id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0f", +$ato16 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0f", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; -$ato17 (using: $bpp_ta, used: $at1) isa uses; -$ato17 has spec_version "2.1", - has stix_id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b10", +$ato17 (using: $bpp-ta, used: $at1) isa uses; +$ato17 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b10", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; -$ato18 
(using: $bpp_ta, used: $at2) isa uses; -$ato18 has spec_version "2.1", - has stix_id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b11", +$ato18 (using: $bpp-ta, used: $at2) isa uses; +$ato18 has spec-version "2.1", + has stix-id "relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b11", has created 2020-02-29T17:41:44.940, has modified 2020-02-29T17:41:44.940; From e0e539979bd2ee6e99465ea78db8d2bfaf1672ca Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 18:39:52 +0100 Subject: [PATCH 72/75] resolve https://github.com/vaticle/typedb-examples/pull/5#discussion_r1246886915 --- .../examples/05-infered-uses.tql | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/cyber-threat-intelligence/examples/05-infered-uses.tql b/cyber-threat-intelligence/examples/05-infered-uses.tql index 5399067..f3ee04b 100644 --- a/cyber-threat-intelligence/examples/05-infered-uses.tql +++ b/cyber-threat-intelligence/examples/05-infered-uses.tql @@ -16,15 +16,12 @@ $x has stix-id "bravo-id-unknown"; # TypeDB's rule-inference. Now if we run the query again, we get more attributes as well as a new relation # shown in a green outline. This is because of a rule encoded into the schema: # -# rule transitive-use: +# rule attributed-to-when-targeting: # when { -# $x isa stix-domain-object; -# $y isa stix-domain-object; -# $z isa stix-domain-object; -# $use1 (using: $x, used: $y) isa uses; -# $use2 (using: $y, used: $z) isa uses; +# (attributing: $z, attributed: $x) isa attributed-to; +# (targeting: $x, targeted: $y) isa targets; # } then { -# (using: $x, used: $z) isa uses; +# (targeting: $z, targeted: $y) isa targets; # }; # # This rule makes uses relationship transitive, so if we know that a threat actor uses an unknown id, and that unknown From 7aa922f112e57942ca80fc842b69efb7022b2167 Mon Sep 17 00:00:00 2001 
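Review bot: `$bpp-ta` records its role with `has roles "director"`, while the earlier threat-actor and identity inserts in this file use `has stix-role` (`has stix-role "agent"`, `has stix-role "Cyber Security"`); unless the schema deliberately declares both, the same STIX property is now stored under two attribute types and a query on either one misses half the data. Pick one name — the STIX 2.1 property on both threat-actor and identity is `roles` — and use it throughout. The hand-built relationship ids `relationship--e0b0b1a9-0b0a-4b0a-9b0a-0b0a0b0a0b0a` through `…0b11` are sequential rather than random UUIDv4s; harmless in sample data, but a short comment such as `# synthetic ids for the tutorial; real feeds must use random UUIDv4` would stop someone copying the pattern into a production feed.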
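Review bot: The quoted rule is now `attributed-to-when-targeting`, but the sentence that follows it — the last line of this hunk, `# This rule makes uses relationship transitive, so if we know that a threat actor uses an unknown id, and that unknown` — still explains `transitive-use`, so the comment contradicts itself. Rewrite the explanation to match the rule actually shown, e.g. `# This rule propagates targets through attribution: if an unknown id targets something and a threat actor is attributed to that id, the threat actor is inferred to target it as well.` The remainder of that sentence continues past the end of the hunk and needs the same update.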
From: Sullivan Daly Date: Thu, 29 Jun 2023 18:51:06 +0100 Subject: [PATCH 73/75] solve https://github.com/vaticle/typedb-examples/pull/5#discussion_r1246881510 --- cyber-threat-intelligence/examples/04-assign-target.tql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyber-threat-intelligence/examples/04-assign-target.tql b/cyber-threat-intelligence/examples/04-assign-target.tql index b946ae9..38d0cc5 100644 --- a/cyber-threat-intelligence/examples/04-assign-target.tql +++ b/cyber-threat-intelligence/examples/04-assign-target.tql @@ -16,7 +16,7 @@ insert # Exercise 04: # Write a new query to find the id-unknown with stix-id "bravo-id-unknown" as well as the malware with stix-id "bravo-malware" -# and then, create a uses relationship to descibe the fact that the attack-pattern is using the malware. +# and then, create a uses relationship to descibe the fact that the id-unknown is using the malware. # You will need to give a new unique stix-id to your uses relationship. # Keyword hints: match, insert, has # Type hints: id-unknown, malware, uses From c7abbdb412eea019b7c5415f0eb76c1e246bc794 Mon Sep 17 00:00:00 2001 From: Sullivan Daly Date: Thu, 29 Jun 2023 18:53:35 +0100 Subject: [PATCH 74/75] solve https://github.com/vaticle/typedb-examples/pull/5#discussion_r1246898992 --- .../examples/07-external-reference.tql | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cyber-threat-intelligence/examples/07-external-reference.tql b/cyber-threat-intelligence/examples/07-external-reference.tql index 7ffd03d..300419b 100644 --- a/cyber-threat-intelligence/examples/07-external-reference.tql +++ b/cyber-threat-intelligence/examples/07-external-reference.tql 
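Review bot: The corrected line still carries a typo, `descibe`: it should read `# and then, create a uses relationship to describe the fact that the id-unknown is using the malware.` The keyword and type hints below it name `uses` but not its roles; if the learner is expected to write the relation themselves, listing `using`/`used` in the type hints (as the file's other examples do in their inserts) would make the exercise self-contained.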
@@ -1,7 +1,7 @@
 # Example 07:
 # From Example 06, we can see that some attack patterns have external references.
-# We can use the same approach to find attack patterns that are used by intrusion sets and have external references.
+# We can use the same approach to find attack patterns that have external references.
 # An external reference refers to a link or identifier that points to additional information or context about a specific threat or indicator.
 match
@@ -13,11 +13,11 @@ $rel (referencing: $a, referenced: $e) isa external-references;
 #--------------------------------------------------
 # Exercise 07:
-# Find all attack patterns that are used by intrusion sets and have external references.
-# Return the name of the attack pattern, the name of the intrusion set, and the external reference ID.
+# Find all attack patterns that have external references.
+# Return the name of the attack pattern and the external reference ID.
 # Order by the name of the attack pattern.
 # Keyword hints: match, sort
-# Type hints: attack-pattern, intrusion-set, external-reference
+# Type hints: attack-pattern, external-reference
 #--------------------------------------------------
From 6525a38f7685205a0d74b88baea6e3a7665aee35 Mon Sep 17 00:00:00 2001
From: Sullivan Daly
Date: Thu, 29 Jun 2023 19:26:50 +0100
Subject: [PATCH 75/75] de-doubling
---
 cyber-threat-intelligence/insert-data.tql | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/cyber-threat-intelligence/insert-data.tql b/cyber-threat-intelligence/insert-data.tql
index 60df777..ae3aef8 100644
--- a/cyber-threat-intelligence/insert-data.tql
+++ b/cyber-threat-intelligence/insert-data.tql
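Review bot: In the first hunk of 07-external-reference.tql the new line `# We can use the same approach to find attack patterns that have external references.` merely repeats the sentence before it, so the introduction no longer says what Example 07 adds over Example 06. If the match block (outside the hunk) retrieves the reference objects through the `external-references` relation visible in the second hunk's header, a wording such as `# We can use the same approach to pull up those external references themselves, via the external-references relation.` would say so. In the second hunk the type hint `attack-pattern, external-reference` sits next to context that spells the relation `external-references`; both names should be checked against the schema so the hint points learners at types that actually exist.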
@@ -77,7 +77,7 @@ $kill-chain-phase isa kill-chain-phase,
 insert
 $in isa indicator, has name "File hash for Poison Ivy variant",
 has spec-version "2.1",
- has stix-id "indicator--a932fcc6-e032-476c-826f-cb970a5a1ade",
+ has stix-id "indicator--a932fcc6-exoeunthaoenut-476c-826f-cb970a5a1ade",
 has created 2014-02-20T09:16:08.989,
 has modified 2014-02-20T09:16:08.989,
 has description "This file hash indicates that a sample of Poison Ivy is present.",
@@ -271,7 +271,7 @@ $in isa indicator, has name "Malicious site hosting downloader",
 has indicator-type "malicious-activity";
 $ma isa malware, has name "Poison Ivy",
 has spec-version "2.1",
- has stix-id "malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111",
+ has stix-id "malware--fdd60b30-b67c-41aoeuaoeub9-f01faf20d111",
 has created 2014-02-20T09:16:08.989,
 has modified 2014-02-20T09:16:08.989,
 has malware-types "backdoor",
@@ -280,7 +280,7 @@ $ma isa malware, has name "Poison Ivy",
 (indicating: $in, indicated: $ma) isa indicates,
 has spec-version "2.1",
- has stix-id "relationship--29dcdf68-1b0c-4e16-94ed-bcc7a9572f69",
+ has stix-id "relationship--29dcdf68-1b0c-4e16-94ed-bcconkh-347a9572f69",
 has created 2020-02-29T18:09:12.808,
 has modified 2020-02-29T18:09:12.808;
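Review bot: The three replacement values, e.g. `+ has stix-id "indicator--a932fcc6-exoeunthaoenut-476c-826f-cb970a5a1ade"` in the first hunk, are no longer valid STIX 2.1 identifiers: the part after `--` has to be an RFC 4122 UUID, and letters such as `exoeunthaoenut`, `aoeuaoeu` and `bcconkh-347` have been spliced into it; the malware and relationship ids in the other two hunks have the same problem. Anything exported from this dataset would fail STIX validation and could not be correlated with the same objects in other CTI tooling, which is the whole purpose of the identifier. De-duplicating by generating a fresh UUID per object, e.g. `has stix-id "indicator--<fresh uuid4>"`, keeps the ids both unique and well-formed. If stix-id is declared as a key attribute in schema.tql (not visible here), a key constraint is also what would make the original duplicates fail loudly at insert time instead of silently merging.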
