Introduction
This document describes the integration between Recorded Future and Maltego. It is the first of several articles on the support site that describe Recorded Future's transforms for Maltego. For an offline version of this document, including the additional articles describing entities, transforms, and machines, see the attached PDF file.
The integration consists of a set of Entities, Transforms, and Machines. This integration is available to clients of Recorded Future, and is provided by Recorded Future and Malformity Labs.
Installation
The installation has two steps:
- Install the Entities, Transforms, and Machines
- Enable the transforms with your Recorded Future API token
Install Step 1: Transform Hub
You can install the Recorded Future integration through the Maltego Transform Hub. In the Hub, look for the Recorded Future transforms tile. Hover over the tile and click the Install button.
The entities, transforms, and machines are automatically installed.
Install Step 2: Recorded Future API Token
Each transform must be linked to your Recorded Future API token. You will be prompted to enter your Recorded Future API token when installing from the transform hub.
Please reach out to Recorded Future Support if you need a Recorded Future API token.
More details about managing Recorded Future API tokens are available on this support page: https://support.recordedfuture.com/hc/en-us/articles/4411077373587-Requesting-API-Tokens. Recorded Future Support can also help if you run into problems with your token.
Configuration Tips
Transform Slider
The transform slider controls how many result entities a transform returns for any given input entity. The available slider values depend on your version of Maltego, but each slider offers a fixed set of limits you can select.
Collections
Collections can be used to simplify your graph as it grows. Turning on collections will automatically collapse leaf nodes of the same type within your graph. You can also set the point at which you want collections to take effect.
On the graph, collections look similar to the example below, which contains a collection of RF Document entities.
Filtering the RF Documents to Retrieve
When applying these transforms to cyber indicators or observables, generally some observables will return a few matches, and others will match nothing – but a few will have many more matches than can be easily investigated in a Maltego graph.
In these cases, you can navigate from Maltego into the Recorded Future portal to analyze the related events.
You can also filter the set of RF Documents retrieved by the transforms, using these properties:
- Before: only documents published on or before a date in YYYY-MM-DD format
- After: only documents published on or after a date in YYYY-MM-DD format
- Include Media Types: only documents whose media type is in this comma-separated list
- Exclude Media Types: omit documents whose media type is in this comma-separated list
To edit these filter properties, you can either directly edit the values in the property view or you can double-click on an Entity and select the Properties tab.
Note: Media Type is the same as “Source Types” in the Advanced Query Panel in Recorded Future; more information about them is available on this support page: https://support.recordedfuture.com/hc/en-us/articles/115001359907-Source-Types.
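The four filter properties above are easy to get subtly wrong (inclusive versus exclusive date bounds, what an empty Include list means, what happens to a record with no date). The following is an added example, not Recorded Future or Maltego code, that applies the same four filters to a constructed list of RF Document-style records. The record field names (title, published, media_type) and the sample records are assumptions made for this illustration; the semantics shown (inclusive bounds, Exclude wins over Include, undated records dropped when a date bound is set, malformed dates rejected rather than ignored) are the ones a practitioner would want to confirm against the real transforms.

```python
"""Apply the Before / After / Include Media Types / Exclude Media Types
filters to RF Document-style records.

Added example; not Recorded Future or Maltego code. The record field
names (title, published, media_type) are assumptions for this example.
"""
from datetime import date, datetime
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample records standing in for RF Document entities.
SAMPLE_DOCUMENTS: List[Dict[str, str]] = [
    {"title": "Forum thread on a new loader", "published": "2023-11-02", "media_type": "Forum"},
    {"title": "Vendor write-up", "published": "2023-12-15", "media_type": "Security Vendor Reporting"},
    {"title": "Paste with credentials", "published": "2024-01-10", "media_type": "Paste Site"},
    {"title": "News article", "published": "2024-02-01", "media_type": "News"},
    {"title": "Undated record", "published": "", "media_type": "Forum"},
]


def parse_media_types(value: Optional[str]) -> Set[str]:
    """Split a comma-separated media-type list: trim whitespace, drop empty
    items, compare case-insensitively. An empty value means no restriction."""
    if not value:
        return set()
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def parse_iso_date(value: Optional[str], name: str) -> Optional[date]:
    """Parse a YYYY-MM-DD property value. Malformed input raises instead of
    silently disabling the filter, which would return far more than intended."""
    if value is None or not value.strip():
        return None
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except ValueError as exc:
        raise ValueError(f"{name}: expected YYYY-MM-DD, got {value!r}") from exc


def filter_documents(
    documents: Iterable[Dict[str, str]],
    before: Optional[str] = None,
    after: Optional[str] = None,
    include_media_types: Optional[str] = None,
    exclude_media_types: Optional[str] = None,
) -> List[Dict[str, str]]:
    """Apply the four filter properties.

    Both date bounds are inclusive ("on or before", "on or after").
    Exclude wins over Include when a type appears in both lists.
    A record without a parseable published date is dropped whenever a date
    bound is set, so a missing date can never bypass the filter.
    """
    before_d = parse_iso_date(before, "Before")
    after_d = parse_iso_date(after, "After")
    include = parse_media_types(include_media_types)
    exclude = parse_media_types(exclude_media_types)
    date_bound_set = before_d is not None or after_d is not None

    kept: List[Dict[str, str]] = []
    for doc in documents:
        media = (doc.get("media_type") or "").strip().lower()
        if media in exclude:
            continue
        if include and media not in include:
            continue
        if date_bound_set:
            try:
                published = parse_iso_date(doc.get("published"), "published")
            except ValueError:
                published = None  # treat a bad record date like a missing one
            if published is None:
                continue
            if before_d is not None and published > before_d:
                continue
            if after_d is not None and published < after_d:
                continue
        kept.append(doc)
    return kept


def titles(documents: Iterable[Dict[str, str]]) -> List[str]:
    """Convenience helper: the titles of a filtered result, in order."""
    return [doc["title"] for doc in documents]


if __name__ == "__main__":
    result = filter_documents(
        SAMPLE_DOCUMENTS,
        after="2023-12-01",
        before="2024-01-31",
        exclude_media_types="Paste Site",
    )
    print(titles(result))
```

When narrowing a noisy observable, set the date window first and only then add media-type filters; an Include list that misspells a source type silently matches nothing, so check the type names against the Source Types page linked above.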
More information about the Recorded Future Transforms for Maltego, particularly about supported entities, is on this support page.