Maltego Transforms and Machines

Maltego Transforms

Each supported Entity has a number of transforms that can be run to search for and return related data or entities. They are organized here by output type, and a full list of the transforms in the transform set is given in Appendix A.

Entity to Intelligence Summary

These transforms retrieve summary metrics about the information available in Recorded Future, and correspond to the information shown on a Recorded Future Intelligence Card. The metric data is available in the detail pane of the entity and includes the information shown in the screenshot below.

The “RF Link” is clickable from within Maltego and opens the relevant Recorded Future page in your browser.

Entity to RF Documents

These transforms expand your graph with RF Document entities. Each web document returned has reported events involving the input Entity. This data can be viewed in the detail and property views for the entity.

In the Details view, you can review information about the web documents:

  • Title
  • Source name, publication date, and original document URL
  • Fragments: excerpts from the document which refer to the Entity
  • Backtrack link to analyze matching events in Recorded Future

Entity to Analyst Note

These transforms expand your graph with Analyst Note entities. Each entity returned carries long-form written text about the entity in question. This data can be viewed in the detail and property views for the entity.

The Detail View for this entity includes the title of the document and an analyst-provided note or comment, together with the TLP category, date and supporting URLs.

Entity to Attack Vector

These transforms expand your graph with Attack Vector entities. Each entity returned has reported events involving the input entity. This data can be viewed in the detail and property views for the entity.

The Detail View for this entity includes a link to investigate the entity within Recorded Future, as well as the number of references to the entity in question within the system.

Entity to Malware

These transforms expand your graph with Malware entities. Each entity returned has reported events involving the input entity.

Entity to Malware Category

These transforms expand your graph with Malware Category entities. Each entity returned has reported events involving the input entity.

Entity to Malware Signature

These transforms expand your graph with Malware Signature entities. Each entity returned has reported events involving the input entity. This data can be viewed in the detail and property views for the entity.

The Detail View for this entity includes a link to investigate the entity within Recorded Future, as well as the number of references to the entity in question within the system.

Entity to Vulnerability

These transforms expand your graph with Vulnerability entities. Each entity returned has reported events involving the input entity.

Entity to Operation

These transforms expand your graph with Operation entities. Each entity returned has reported events involving the input entity.

Entity to Domain

These transforms expand your graph with Domain entities. Each entity returned carries a range of descriptive information about that domain. This data can be viewed in the detail and property views for the entity.

The Detail View for this entity includes a link to analyze the entity in Recorded Future, relevant dates and counts, a risk score and summary, as well as related hashes and domains.

Entity to Email

These transforms expand your graph with Email Address entities. Each entity returned has reported events involving the input entity.

Entity to Filename

These transforms expand your graph with Filename entities. Each entity returned has reported events involving the input entity. This data can be viewed in the detail and property views for the entity.

The Detail View for this entity includes a link to investigate the entity within Recorded Future, as well as the number of references to the entity in question within the system.

Entity to Hash

These transforms expand your graph with Hash entities. Each entity returned carries a range of descriptive information about that hash. This data can be viewed in the detail and property views for the entity.

The Detail View for this entity includes a link to analyze the entity in Recorded Future, relevant dates and counts, a risk score and summary, as well as related hashes and domains.

Entity to IP Address

These transforms expand your graph with IP Address entities. Each entity returned has reported events involving the input entity.

Entity to Registry Key

These transforms expand your graph with Registry Key entities. Each entity returned has reported events involving the input entity. This data can be viewed in the detail and property views for the entity.

The Detail View for this entity includes a link to investigate the entity within Recorded Future, as well as the number of references to the entity in question within the system.

Entity to URL

These transforms expand your graph with URL entities. Each entity returned has reported events involving the input entity.

Entity to Organization

These transforms expand your graph with Organization entities. Each entity returned has reported events involving the input entity.

Entity to AS Number

These transforms expand your graph with AS Number entities. Each entity returned has reported events involving the input entity.

Entity to Company

These transforms expand your graph with Company entities. Each entity returned has reported events involving the input entity.

Phrase to Threat Intelligence Entities

When you start an investigation from a set of indicators or observables, the “mapping” from your initial data to Recorded Future entities is straightforward. Simply paste the entity text into Maltego, correct the automatically detected entity types if necessary, and begin running transforms. Maltego recognizes many entity types using regular expressions.

When your investigation starts with a threat actor or target organization, you begin by using the Maltego Phrase entity to map the threat actor or target to a Recorded Future entity. This mapping resolves variations in spelling and naming (e.g. AnonGhost vs. AnonGh0st).

You can map the input Phrase to an Alias (representing a person, social media profile, or forum username), Company, Operation, or Organization. Organizations can represent both threat actor groups and target organizations. Once the Phrase is mapped to an entity, the usual entity-to-metrics and entity-to-RF-Document transforms are available.
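The two mapping paths described above, regex-based type detection for pasted indicators and normalized matching for a Phrase, can be illustrated in plain code. The following Python is an added example written for this page; it is not code from the integration or from Maltego. The entity type names are the output types used on this page, but the regexes, the leet-substitution table and the small catalogue of known entities (KNOWN_ENTITIES) are constructed stand-ins: Maltego's own detection rules and Recorded Future's entity resolution are not published here and are certainly richer than this.

```python
import re
from typing import List, Optional, Tuple

# Constructed illustration of regex-based type detection, not Maltego's own rules.
# Order matters: a URL and an Email Address both contain a domain name, so the more
# specific patterns are tried before the Domain pattern.
INDICATOR_PATTERNS = [
    ("Hash", re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)),
    ("IP Address", re.compile(
        r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
        r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")),
    ("URL", re.compile(r"^https?://\S+$", re.I)),
    ("Email Address", re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
    ("Domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
    ("AS Number", re.compile(r"^AS\d+$", re.I)),
]


def detect_entity_type(value: str) -> str:
    """Return the first indicator type whose pattern matches, or "Phrase" when none does.
    Falling back to Phrase mirrors the manual path: free text is mapped to an entity later."""
    value = value.strip()
    for entity_type, pattern in INDICATOR_PATTERNS:
        if pattern.match(value):
            return entity_type
    return "Phrase"


def classify_pasted(text: str) -> List[Tuple[str, str]]:
    """Split a pasted block into one indicator per line and tag each with a detected type."""
    return [(line.strip(), detect_entity_type(line))
            for line in text.splitlines() if line.strip()]


# Constructed substitution table for spelling variants such as AnonGhost vs. AnonGh0st.
# Caveat: genuine digits in a name (APT1) are rewritten too, so both sides of a comparison
# must go through the same normalization, which is what resolve_phrase does.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a"})


def normalize_alias(name: str) -> str:
    """Undo common leet substitutions, lower-case, and drop punctuation and whitespace."""
    return re.sub(r"[^a-z0-9]", "", name.translate(LEET).lower())


# Constructed catalogue (canonical name -> entity type). In the integration the candidate
# entities come from Recorded Future, not from a local table.
KNOWN_ENTITIES = {
    "AnonGhost": "Organization",
    "Example Corp": "Company",
    "Operation Example": "Operation",
}


def resolve_phrase(phrase: str) -> Optional[Tuple[str, str]]:
    """Map a free-text Phrase to a known entity by comparing normalized forms."""
    key = normalize_alias(phrase)
    for canonical, entity_type in KNOWN_ENTITIES.items():
        if normalize_alias(canonical) == key:
            return canonical, entity_type
    return None


if __name__ == "__main__":
    for value, entity_type in classify_pasted("10.0.0.1\nevil.example.com\nAnonGh0st"):
        resolved = resolve_phrase(value) if entity_type == "Phrase" else None
        print(value, "->", entity_type, resolved or "")
```

The pattern order is the point worth keeping in mind when you correct an auto-detected type in Maltego: anything that can be read as more than one type is assigned the first rule that matches, so a mis-typed entity is usually an ordering or precedence problem rather than a missing rule.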

Maltego Machines

These Transforms were designed to be very specific and self-explanatory. However, this approach often means that completing a task involves progressively running many Transforms.

Machines are macro scripts that automate this task to save you time. The integration includes a Doc Expand machine for each Entity.

Each of these Machines first retrieves the RF Documents matching the current filter properties, and then, for each RF Document, expands the other TI Entities that are also mentioned in that document.

You can use these Machines directly, and can also use them as templates for creating additional Machines that automatically pivot between information in Recorded Future and information in other threat intelligence services.
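The two-stage pivot a Doc Expand machine performs (documents for the input entity, then the other entities each document mentions) is easier to reason about written out. The following Python is an added example for this page, not the integration's machine script and not Maltego Scripting Language. It models RF Documents with a constructed in-memory list, uses documents_for as a stand-in for the Entity to RF Documents transform with a publication-date floor playing the part of the "current filter properties", and runs the expand loop over it. Taking the fetcher as a parameter goes slightly beyond the page's description in order to show the templating idea from the last paragraph: a second fetcher for another threat intelligence service plugs into the same loop.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Iterable, List, Set, Tuple

Entity = Tuple[str, str]  # (entity type, value), e.g. ("IP Address", "198.51.100.7")


@dataclass
class RFDocument:
    """Stand-in for an RF Document entity: title, source, date, URL, and the entities it reports on."""
    title: str
    source: str
    published: date
    url: str
    mentions: List[Entity]


# Constructed sample corpus (documentation IP range and example.* names); the real
# transform queries Recorded Future instead of a local list.
SAMPLE_DOCUMENTS = [
    RFDocument("Campaign report", "Example Blog", date(2019, 3, 4), "https://blog.example/1",
               [("IP Address", "198.51.100.7"), ("Domain", "c2.example"), ("Malware", "ExampleRAT")]),
    RFDocument("Old sighting", "Example Forum", date(2017, 1, 9), "https://forum.example/2",
               [("IP Address", "198.51.100.7"), ("Hash", "d41d8cd98f00b204e9800998ecf8427e")]),
    RFDocument("Unrelated post", "Example News", date(2019, 5, 1), "https://news.example/3",
               [("Domain", "other.example")]),
]

Fetcher = Callable[[Entity, date], List[RFDocument]]


def documents_for(entity: Entity, since: date) -> List[RFDocument]:
    """Stage 1, standing in for Entity to RF Documents: documents reporting events for the
    entity, restricted by the current filter property (here a publication-date floor)."""
    return [d for d in SAMPLE_DOCUMENTS if entity in d.mentions and d.published >= since]


@dataclass
class Graph:
    nodes: Set[Entity] = field(default_factory=set)
    edges: Set[Tuple[Entity, Entity]] = field(default_factory=set)


def doc_expand(entity: Entity, since: str = "1970-01-01",
               fetchers: Iterable[Fetcher] = (documents_for,)) -> Graph:
    """Stage 1 pulls matching documents from every fetcher; stage 2 links each document to the
    other entities it mentions. Sets deduplicate an entity that several documents mention."""
    floor = date.fromisoformat(since)
    graph = Graph()
    graph.nodes.add(entity)
    for fetch in fetchers:
        for doc in fetch(entity, floor):
            doc_node: Entity = ("RF Document", doc.url)
            graph.nodes.add(doc_node)
            graph.edges.add((entity, doc_node))
            for mentioned in doc.mentions:
                if mentioned == entity:  # never link the input entity back to itself
                    continue
                graph.nodes.add(mentioned)
                graph.edges.add((doc_node, mentioned))
    return graph


def pivots(graph: Graph, entity: Entity) -> List[Entity]:
    """The new TI entities the machine surfaced: every node except the input and the documents."""
    return sorted(n for n in graph.nodes if n != entity and n[0] != "RF Document")


if __name__ == "__main__":
    seed: Entity = ("IP Address", "198.51.100.7")
    g = doc_expand(seed, since="2018-01-01")
    for pivot in pivots(g, seed):
        print(pivot)
```

Tightening the date floor is the lever that keeps a machine run readable: the same seed expanded from 2016 instead of 2018 pulls in the older sighting and the hash it mentions, which is exactly the graph growth the filter properties exist to control.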

Getting Support

Please contact support with questions or issues using this integration. We’re ready to help! We are also eager to hear your ideas for improving and expanding this integration.

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.