SpecterOps · JonasBK · Jun 26, 2026 · Jun 25, 2026
diff --git a/docs/opengraph/extensions/jamf/nodes/jamf_account.mdx b/docs/opengraph/extensions/jamf/nodes/jamf_account.mdx
@@ -59,19 +59,19 @@ The tables below list edges defined by the Jamf extension only. Additional edges
 | Property Name | Data Type | Description |
 |---|---|---|
 | displayname | string | Full name of the account holder |
-| privilegeSet | string | Privilege set assigned (Administrator, Custom, etc.) |
+| privilege_set | string | Privilege set assigned (Administrator, Custom, etc.) |
 | objectid | string | Unique identifier for the Account |
 | name | string | Username of the account |
 | email | string | Email address associated with the account |
-| siteID | integer | ID of the site the account is assigned to |
-| accessLevel | string | Access level (Full Access, Site Access, Group Access) |
+| site_id | integer | ID of the site the account is assigned to |
+| access_level | string | Access level (Full Access, Site Access, Group Access) |
 | enabled | string | Whether the account is enabled |
-| Tier | integer | Security tier classification (0 for administrators) |
-| localAccount | boolean | Whether this is a local Jamf account (not directory) |
-| privilegesJSSObjects | string[] | JSS Object permissions granted to the account |
-| privilegesJSSActions | string[] | JSS Action permissions granted |
-| privilegesJSSOSettings | string[] | JSS Settings permissions granted |
-| Groups | integer | Group assignment indicator |
+| tier | integer | Security tier classification (0 for administrators) |
+| local_account | boolean | Whether this is a local Jamf account (not directory) |
+| privileges_jss_objects | string[] | JSS Object permissions granted to the account |
+| privileges_jss_actions | string[] | JSS Action permissions granted |
+| privileges_jss_settings | string[] | JSS Settings permissions granted |
+| groups | integer | Group assignment indicator |
 
 ## Relationship Diagram
 

diff --git a/docs/opengraph/extensions/jamf/nodes/jamf_apiclient.mdx b/docs/opengraph/extensions/jamf/nodes/jamf_apiclient.mdx
@@ -50,12 +50,12 @@ The tables below list edges defined by the Jamf extension only. Additional edges
 
 | Property Name | Data Type | Description |
 |---|---|---|
-| displayName | string | Display name of the API client |
+| display_name | string | Display name of the API client |
 | name | string | Name of the API client |
 | enabled | boolean | Whether the API client is enabled |
-| authorizationScopes | string[] | API roles assigned to this client |
+| authorization_scopes | string[] | API roles assigned to this client |
 | privileges | string[] | Resolved list of all privileges from assigned roles |
-| Tier | integer | Security tier classification |
+| tier | integer | Security tier classification |
 
 ## Relationship Diagram
 

diff --git a/docs/opengraph/extensions/jamf/nodes/jamf_computer.mdx b/docs/opengraph/extensions/jamf/nodes/jamf_computer.mdx
@@ -51,7 +51,7 @@ The tables below list edges defined by the Jamf extension only. Additional edges
 | user_approved_enrollment | boolean | Whether enrollment was user-approved |
 | user_approved_mdm | boolean | Whether MDM was user-approved |
 | device_aad_infos | string | Azure AD device information |
-| siteID | integer | ID of the site the computer belongs to |
+| site_id | integer | ID of the site the computer belongs to |
 | sitename | string | Name of the site |
 | username | string | Assigned username |
 | email_address | string | Assigned user email |
@@ -71,7 +71,7 @@ The tables below list edges defined by the Jamf extension only. Additional edges
 | jamf_version | string | Jamf agent version |
 | filevault2_users | string | FileVault 2 enabled users |
 | local_accounts | string | Local user accounts |
-| Tier | integer | Security tier classification |
+| tier | integer | Security tier classification |
 
 ## Relationship Diagram
 

diff --git a/docs/opengraph/extensions/jamf/nodes/jamf_computeruser.mdx b/docs/opengraph/extensions/jamf/nodes/jamf_computeruser.mdx
@@ -43,7 +43,7 @@ The tables below list edges defined by the Jamf extension only. Additional edges
 | email | string | Email address of the user |
 | objectid | string | Unique identifier for the Computer User |
 | computer | string | ID of the computer this user is assigned to |
-| Tier | integer | Security tier classification |
+| tier | integer | Security tier classification |
 
 ## Relationship Diagram
 

diff --git a/docs/opengraph/extensions/jamf/nodes/jamf_disabledaccount.mdx b/docs/opengraph/extensions/jamf/nodes/jamf_disabledaccount.mdx
@@ -61,19 +61,19 @@ The tables below list edges defined by the Jamf extension only. Additional edges
 | Property Name | Data Type | Description |
 |---|---|---|
 | displayname | string | Full name of the account holder |
-| privilegeSet | string | Privilege set assigned (Administrator, Custom, etc.) |
+| privilege_set | string | Privilege set assigned (Administrator, Custom, etc.) |
 | objectid | string | Unique identifier for the Account |
 | name | string | Username of the account |
 | email | string | Email address associated with the account |
-| siteID | integer | ID of the site the account is assigned to |
-| accessLevel | string | Access level (Full Access, Site Access, Group Access) |
+| site_id | integer | ID of the site the account is assigned to |
+| access_level | string | Access level (Full Access, Site Access, Group Access) |
 | enabled | string | Whether the account is enabled (always "Disabled") |
-| Tier | integer | Security tier classification (0 for administrators) |
-| localAccount | boolean | Whether this is a local Jamf account (not directory) |
-| privilegesJSSObjects | string[] | JSS Object permissions granted to the account |
-| privilegesJSSActions | string[] | JSS Action permissions granted |
-| privilegesJSSOSettings | string[] | JSS Settings permissions granted |
-| Groups | integer | Group assignment indicator |
+| tier | integer | Security tier classification (0 for administrators) |
+| local_account | boolean | Whether this is a local Jamf account (not directory) |
+| privileges_jss_objects | string[] | JSS Object permissions granted to the account |
+| privileges_jss_actions | string[] | JSS Action permissions granted |
+| privileges_jss_settings | string[] | JSS Settings permissions granted |
+| groups | integer | Group assignment indicator |
 
 ## Relationship Diagram
 

diff --git a/docs/opengraph/extensions/jamf/nodes/jamf_disabledapiclient.mdx b/docs/opengraph/extensions/jamf/nodes/jamf_disabledapiclient.mdx
@@ -52,12 +52,12 @@ The tables below list edges defined by the Jamf extension only. Additional edges
 
 | Property Name | Data Type | Description |
 |---|---|---|
-| displayName | string | Display name of the API client |
+| display_name | string | Display name of the API client |
 | name | string | Name of the API client |
 | enabled | boolean | Whether the API client is enabled (always false) |
-| authorizationScopes | string[] | API roles assigned to this client |
+| authorization_scopes | string[] | API roles assigned to this client |
 | privileges | string[] | Resolved list of all privileges from assigned roles |
-| Tier | integer | Security tier classification |
+| tier | integer | Security tier classification |
 
 ## Relationship Diagram
 

diff --git a/docs/opengraph/extensions/jamf/nodes/jamf_group.mdx b/docs/opengraph/extensions/jamf/nodes/jamf_group.mdx
@@ -55,15 +55,15 @@ The tables below list edges defined by the Jamf extension only. Additional edges
 | Property Name | Data Type | Description |
 |---|---|---|
 | displayname | string | Display name of the group |
-| privilegeSet | string | Privilege set assigned (Administrator, Custom, etc.) |
+| privilege_set | string | Privilege set assigned (Administrator, Custom, etc.) |
 | objectid | string | Unique identifier for the Group |
 | name | string | Name of the group |
-| siteID | integer | ID of the site the group is assigned to |
-| accessLevel | string | Access level (Full Access, Site Access) |
-| Tier | integer | Security tier classification (0 for administrator groups) |
-| privilegesJSSObjects | string[] | JSS Object permissions granted to the group |
-| privilegesJSSActions | string[] | JSS Action permissions granted |
-| privilegesJSSOSettings | string[] | JSS Settings permissions granted |
+| site_id | integer | ID of the site the group is assigned to |
+| access_level | string | Access level (Full Access, Site Access) |
+| tier | integer | Security tier classification (0 for administrator groups) |
+| privileges_jss_objects | string[] | JSS Object permissions granted to the group |
+| privileges_jss_actions | string[] | JSS Action permissions granted |
+| privileges_jss_settings | string[] | JSS Settings permissions granted |
 | members | string | Serialized list of group members |
 
 ## Relationship Diagram

diff --git a/docs/opengraph/extensions/jamf/nodes/jamf_site.mdx b/docs/opengraph/extensions/jamf/nodes/jamf_site.mdx
@@ -38,8 +38,8 @@ The tables below list edges defined by the Jamf extension only. Additional edges
 | name | string | Name of the site |
 | objectid | string | Unique identifier for the Site |
 | displayname | string | Display name of the site |
-| siteID | integer | Jamf site ID |
-| Tier | integer | Security tier classification |
+| site_id | integer | Jamf site ID |
+| tier | integer | Security tier classification |
 
 ## Relationship Diagram
 

diff --git a/docs/opengraph/extensions/jamf/nodes/jamf_ssointegration.mdx b/docs/opengraph/extensions/jamf/nodes/jamf_ssointegration.mdx
@@ -35,16 +35,16 @@ The tables below list edges defined by the Jamf extension only. Additional edges
 
 | Property Name | Data Type | Description |
 |---|---|---|
-| ssoEnabled | boolean | Whether SSO is enabled |
-| idpUrl | string | Identity Provider URL |
-| idpProviderType | string | Type of identity provider |
-| entityId | string | SAML entity ID |
-| groupAttributeName | string | Attribute name for group mapping |
-| groupRdnKey | string | RDN key for group lookups |
-| siteID | string | Site ID (always "-1" for global) |
-| Tier | integer | Security tier classification (0) |
+| sso_enabled | boolean | Whether SSO is enabled |
+| idp_url | string | Identity Provider URL |
+| idp_provider_type | string | Type of identity provider |
+| entity_id | string | SAML entity ID |
+| group_attribute_name | string | Attribute name for group mapping |
+| group_rdn_key | string | RDN key for group lookups |
+| site_id | string | Site ID (always "-1" for global) |
+| tier | integer | Security tier classification (0) |
 | name | string | Name of the SSO integration |
-| enrollmentSsoConfig | string | Enrollment SSO configuration |
+| enrollment_sso_config | string | Enrollment SSO configuration |
 
 ## Relationship Diagram
 

diff --git a/docs/opengraph/extensions/jamf/nodes/jamf_tenant.mdx b/docs/opengraph/extensions/jamf/nodes/jamf_tenant.mdx
@@ -53,7 +53,7 @@ The tables below list edges defined by the Jamf extension only. Additional edges
 | type | string | Hosting type (cloud-hosted or on-premesis) |
 | objectid | string | Unique identifier matching the tenant name |
 | displayname | string | Display name of the Tenant |
-| Tier | integer | Security tier classification |
+| tier | integer | Security tier classification |
 
 ## Relationship Diagram
 

diff --git a/docs/opengraph/extensions/jamf/queries.mdx b/docs/opengraph/extensions/jamf/queries.mdx
@@ -152,7 +152,7 @@ Expand the graph by one edge showing nodes with edges to Tier 1 nodes with edges
 
 ```cypher
 MATCH p=(a) - [] -> (s)-[r]->(t)
-WHERE s.Tier = 1 AND t.Tier = 0
+WHERE s.tier = 1 AND t.tier = 0
 AND type(r) <> 'jamf_Contains'
 RETURN p
 LIMIT 1000
@@ -220,7 +220,7 @@ Retrieve attack paths between Tier 1 nodes and Tier 0 nodes that are fully trave
 
 ```cypher
 MATCH p=(s)-[r*1..5]->(t)
-WHERE s.Tier = 1 AND t.Tier = 0
+WHERE s.tier = 1 AND t.tier = 0
 AND s.primarykind <> 'jamf_Tenant'
 AND s.primarykind <> 'jamf_Site'
 AND r.traversable = True
@@ -236,7 +236,7 @@ Retrieve direct edges between Tier 1 nodes and Tier 0 nodes
 
 ```cypher
 MATCH p=(s)-[]->(t)
-WHERE s.Tier = 1 AND t.Tier = 0
+WHERE s.tier = 1 AND t.tier = 0
 RETURN p
 LIMIT 1000
 ```
@@ -249,7 +249,7 @@ Filter out jamf_Contains edges from Tiered node query
 
 ```cypher
 MATCH p=(s)-[r]->(t)
-WHERE s.Tier = 1 AND t.Tier = 0
+WHERE s.tier = 1 AND t.tier = 0
 AND type(r) <> 'jamf_Contains'
 RETURN p
 LIMIT 1000

diff --git a/docs/opengraph/extensions/okta/nodes/okta_agent.mdx b/docs/opengraph/extensions/okta/nodes/okta_agent.mdx
@@ -37,28 +37,28 @@ The tables below list edges defined by the Okta extension only. Additional edges
 | ---- | ------ | ---- | ----------- |
 | `id` | `agent.id` | `string` | Unique agent identifier. |
 | `name` | `agent.name` | `string` | Agent name shown in Okta Admin Console. |
-| `displayName` | `agent.name` | `string` | Display label used in BloodHound. |
-| `oktaDomain` | Collector context (non-API) | `string` | Okta organization domain where the agent exists. |
-| `poolName` | `agentPool.name` | `string` | Name of the parent [Okta_AgentPool](/opengraph/extensions/okta/nodes/okta_agentpool). For AD pools this typically corresponds to the synced AD domain. |
-| `operationalStatus` | `agent.operationalStatus` | `string` | Runtime health/operational state reported by Okta. |
-| `updateStatus` | `agent.updateStatus` | `string` | Agent software update state. |
+| `display_name` | `agent.name` | `string` | Display label used in BloodHound. |
+| `okta_domain` | Collector context (non-API) | `string` | Okta organization domain where the agent exists. |
+| `pool_name` | `agentPool.name` | `string` | Name of the parent [Okta_AgentPool](/opengraph/extensions/okta/nodes/okta_agentpool). For AD pools this typically corresponds to the synced AD domain. |
+| `operational_status` | `agent.operationalStatus` | `string` | Runtime health/operational state reported by Okta. |
+| `update_status` | `agent.updateStatus` | `string` | Agent software update state. |
 | `type` | `agent.type` | `string` | Agent type (for example AD, LDAP, IWA, or RADIUS). |
 | `version` | `agent.version` | `string` | Agent software version. |
-| `poolId` | `agent.poolId` | `string` | Identifier of the parent Okta agent pool. |
-| `lastConnection` | `FromUnixTime(agent.lastConnection)` | `datetime` | Timestamp of the last successful agent connection to Okta. |
+| `pool_id` | `agent.poolId` | `string` | Identifier of the parent Okta agent pool. |
+| `last_connection` | `FromUnixTime(agent.lastConnection)` | `datetime` | Timestamp of the last successful agent connection to Okta. |
 
 ## Sample Property Values
 
 ```yaml
 id: a53xfufl4rqWcHhQo697
 name: LON-SRV01
-displayName: LON-SRV01
-poolId: 0oaxg9rhdd7ncGCXv697
-oktaDomain: contoso.okta.com
-poolName: contoso.local
-operationalStatus: DISRUPTED
-updateStatus: Cancelled
+display_name: LON-SRV01
+pool_id: 0oaxg9rhdd7ncGCXv697
+okta_domain: contoso.okta.com
+pool_name: contoso.local
+operational_status: DISRUPTED
+update_status: Cancelled
 type: AD
 version: 3.22.0
-lastConnection: 2026-01-15T02:29:40+00:00
+last_connection: 2026-01-15T02:29:40+00:00
 ```
diff --git a/docs/opengraph/extensions/okta/nodes/okta_agentpool.mdx b/docs/opengraph/extensions/okta/nodes/okta_agentpool.mdx
@@ -50,9 +50,9 @@ The tables below list edges defined by the Okta extension only. Additional edges
 | ---- | ------ | ---- | ----------- |
 | `id` | `agentPool.id + "_pool"` | `string` | Unique agent pool identifier. |
 | `name` | `agentPool.name` | `string` | Name of the Okta agent pool. |
-| `displayName` | `agentPool.name` | `string` | Display label used in BloodHound. |
-| `oktaDomain` | Collector context (non-API) | `string` | Okta organization domain where the agent pool exists. |
-| `operationalStatus` | `agentPool.operationalStatus` | `string` | Current health/operational state of the agent pool. |
+| `display_name` | `agentPool.name` | `string` | Display label used in BloodHound. |
+| `okta_domain` | Collector context (non-API) | `string` | Okta organization domain where the agent pool exists. |
+| `operational_status` | `agentPool.operationalStatus` | `string` | Current health/operational state of the agent pool. |
 | `type` | `agentPool.type` | `string` | Agent pool type (for example AD, LDAP, IWA, RADIUS). |
 
 <Info>
@@ -64,8 +64,8 @@ The `_pool` suffix is therefore added to the `id` property of `Okta_AgentPool` n
 ```yaml
 id: 0oaxg9rhdd7ncGCXv697_pool
 name: contoso.local
-displayName: contoso.local
-oktaDomain: contoso.okta.com
-operationalStatus: DISRUPTED
+display_name: contoso.local
+okta_domain: contoso.okta.com
+operational_status: DISRUPTED
 type: AD
 ```
diff --git a/docs/opengraph/extensions/okta/nodes/okta_apiserviceintegration.mdx b/docs/opengraph/extensions/okta/nodes/okta_apiserviceintegration.mdx
@@ -49,21 +49,21 @@ The tables below list edges defined by the Okta extension only. Additional edges
 | ---- | ------ | ---- | ----------- |
 | `id` | `service.id` | `string` | Unique API service integration identifier. |
 | `name` | `service.name` | `string` | Name of the API service integration in Okta. |
-| `displayName` | `service.name` | `string` | Display label used in BloodHound. |
-| `oktaDomain` | Collector context (non-API) | `string` | Okta organization domain where the integration exists. |
-| `appType` | `service.type` | `string` | Integration/application type identifier. |
-| `oauthScopes` | `service.grantedScopes` | `string[]` | OAuth 2.0 scopes granted to the integration. |
-| `createdAt` | `service.createdAt` | `datetime` | Timestamp when the integration was created. |
+| `display_name` | `service.name` | `string` | Display label used in BloodHound. |
+| `okta_domain` | Collector context (non-API) | `string` | Okta organization domain where the integration exists. |
+| `app_type` | `service.type` | `string` | Integration/application type identifier. |
+| `oauth_scopes` | `service.grantedScopes` | `string[]` | OAuth 2.0 scopes granted to the integration. |
+| `created_at` | `service.createdAt` | `datetime` | Timestamp when the integration was created. |
 
 ## Sample Property Values
 
 ```yaml
 id: 0oaz7jy5f2oXnvtmN697
 name: Falcon Shield
-displayName: Falcon Shield
-oktaDomain: contoso.okta.com
-appType: falconshieldapiservice
-oauthScopes:
+display_name: Falcon Shield
+okta_domain: contoso.okta.com
+app_type: falconshieldapiservice
+oauth_scopes:
   - okta.users.read
   - okta.oauthIntegrations.read
   - okta.threatInsights.read
@@ -79,7 +79,7 @@ oauthScopes:
   - okta.policies.read
   - okta.networkZones.read
   - okta.features.read
-createdAt: 2026-01-15T12:25:42.000Z
+created_at: 2026-01-15T12:25:42.000Z
 ```
 
 ## Integration OAuth 2.0 Scopes

diff --git a/docs/opengraph/extensions/okta/nodes/okta_apitoken.mdx b/docs/opengraph/extensions/okta/nodes/okta_apitoken.mdx
@@ -37,28 +37,28 @@ No inbound edges are defined by the Okta extension for this node.
 | ---- | ------ | ---- | ----------- |
 | `id` | `apiToken.id` | `string` | Unique API token identifier. |
 | `name` | `apiToken.name` | `string` | Friendly name of the API token. |
-| `displayName` | `apiToken.name` | `string` | Display label used in BloodHound. |
-| `oktaDomain` | Collector context (non-API) | `string` | Okta organization domain where the token exists. |
-| `userId` | `apiToken.userId` | `string` | ID of the Okta user that owns the token. |
-| `clientName` | `apiToken.clientName` | `string` | Client/application name associated with the token. |
+| `display_name` | `apiToken.name` | `string` | Display label used in BloodHound. |
+| `okta_domain` | Collector context (non-API) | `string` | Okta organization domain where the token exists. |
+| `user_id` | `apiToken.userId` | `string` | ID of the Okta user that owns the token. |
+| `client_name` | `apiToken.clientName` | `string` | Client/application name associated with the token. |
 | `created` | `apiToken.created` | `datetime` | Token creation timestamp. |
-| `lastUpdated` | `apiToken.lastUpdated` | `datetime` | Last update timestamp of token metadata. |
-| `expiresAt` | `apiToken.expiresAt` | `datetime` | Token expiration timestamp. |
-| `networkConnection` | `apiToken.network.connection` | `string` | Network connection restriction for token usage. |
-| `tokenWindow` | `ToTimeSpan(apiToken.tokenWindow)` | `duration` | Inactivity window converted to `TimeSpan` when present. |
+| `last_updated` | `apiToken.lastUpdated` | `datetime` | Last update timestamp of token metadata. |
+| `expires_at` | `apiToken.expiresAt` | `datetime` | Token expiration timestamp. |
+| `network_connection` | `apiToken.network.connection` | `string` | Network connection restriction for token usage. |
+| `token_window` | `ToTimeSpan(apiToken.tokenWindow)` | `duration` | Inactivity window converted to `TimeSpan` when present. |
 
 ## Sample Property Values
 
 ```yaml
 id: 00T36fk75smeJybKx697
 name: Postman
-displayName: Postman
-oktaDomain: contoso.okta.com
-userId: 00uw0o8iizq37KgKP697
-clientName: Okta API
+display_name: Postman
+okta_domain: contoso.okta.com
+user_id: 00uw0o8iizq37KgKP697
+client_name: Okta API
 created: 2025-10-03T10:08:09+00:00
-lastUpdated: 2026-01-31T20:22:42+00:00
-expiresAt: 2026-03-02T20:22:42+00:00
-networkConnection: ANYWHERE
-tokenWindow: 30.00:00:00
+last_updated: 2026-01-31T20:22:42+00:00
+expires_at: 2026-03-02T20:22:42+00:00
+network_connection: ANYWHERE
+token_window: 30.00:00:00
 ```