Maltego Transforms
Each supported Entity has a number of transforms that can be run to search and return related data or entities. They are organized here by output type and a full list of transforms present in the transform set is available in Appendix A.
Entity to Intelligence Summary
These transforms retrieve summary metrics about available information in Recorded Future, and correspond with information available on a Recorded Future Intelligence card. The metric data is available in the detail pane of the entity and includes the information in the screenshot below.
The “RF Link” is clickable from within Maltego and will open the relevant Recorded Future link in your browser.
Entity to RF Documents
These transforms expand your graph with RF Document entities. Each web document returned has reported events involving the input Entity. This data can be viewed in the detail and property views for the entity.
In the Details view, you can review information about the web documents:
- Title
- Source name, publication date, and original document URL
- Fragments: excerpts from the document which refer to the Entity
- Backtrack link to analyze matching events in Recorded Future
Entity to Analyst Note
These transforms expand your graph with Analyst Note entities. Each entity returned has long-form written text regarding the entity in question. This data can be viewed in the detail and property views for the entity.
The Detail View for this entity includes the title of the document, as well as an analyst-provided note or comment. In addition, the TLP category, date and supporting URLs are also provided.
Entity to Attack Vector
These transforms expand your graph with Attack Vector entities. Each entity returned has reported events involving the input entity. This data can be viewed in the detail and property views for the entity.
The Detail View for this entity includes a link to investigate the entity within Recorded Future, as well as a count of the number of references within the system for the entity in question.
Entity to Malware
These transforms expand your graph with Malware entities. Each entity returned has reported events involving the input entity.
Entity to Malware Category
These transforms expand your graph with Malware Category entities. Each entity returned has reported events involving the input entity.
Entity to Malware Signature
These transforms expand your graph with Malware Signature entities. Each entity returned has reported events involving the input entity. This data can be viewed in the detail and property views for the entity.
The Detail View for this entity includes a link to investigate the entity within Recorded Future, as well as a count of the number of references within the system for the entity in question.
Entity to Vulnerability
These transforms expand your graph with Vulnerability entities. Each entity returned has reported events involving the input entity.
Entity to Operation
These transforms expand your graph with Operation entities. Each entity returned has reported events involving the input entity.
Entity to Domain
These transforms expand your graph with Domain entities. Each entity contains a variety of descriptive information about the entity. This data can be viewed in the detail and property views for the entity.
The Detail View for this entity includes a link to analyze the entity in Recorded Future, relevant dates and counts, a risk score and summary, as well as related hashes and domains.
Entity to Email
These transforms expand your graph with Email Address entities. Each entity returned has reported events involving the input entity.
Entity to Filename
These transforms expand your graph with Filename entities. Each entity returned has reported events involving the input entity. This data can be viewed in the detail and property views for the entity.
The Detail View for this entity includes a link to investigate the entity within Recorded Future, as well as a count of the number of references within the system for the entity in question.
Entity to Hash
These transforms expand your graph with Hash entities. Each entity contains a variety of descriptive information about the entity. This data can be viewed in the detail and property views for the entity.
The Detail View for this entity includes a link to analyze the entity in Recorded Future, relevant dates and counts, a risk score and summary, as well as related hashes and domains.
Entity to IP Address
These transforms expand your graph with IP Address entities. Each entity returned has reported events involving the input entity.
Entity to Registry Key
These transforms expand your graph with Registry Key entities. Each entity returned has reported events involving the input entity. This data can be viewed in the detail and property views for the entity.
The Detail View for this entity includes a link to investigate the entity within Recorded Future, as well as a count of the number of references within the system for the entity in question.
Entity to URL
These transforms expand your graph with URL entities. Each entity returned has reported events involving the input entity.
Entity to Organization
These transforms expand your graph with Organization entities. Each entity returned has reported events involving the input entity.
Entity to AS Number
These transforms expand your graph with AS Number entities. Each entity returned has reported events involving the input entity.
Entity to Company
These transforms expand your graph with Company entities. Each entity returned has reported events involving the input entity.
Phrase to Threat Intelligence Entities
When you start an investigation from a set of indicators or observables, the “mapping” from your initial data to Recorded Future entities is straightforward. Simply paste the entity text into Maltego, correct the automatically detected entity types if necessary, and begin running transforms. Maltego will recognize many entity types using regular expressions.
When your investigation starts with a threat actor or target organization, you begin by using the Maltego Phrase entity to map the threat actor or target to a Recorded Future entity. This mapping will resolve variations in spelling and naming (e.g. AnonGhost vs. AnonGh0st).
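The regular-expression type detection described above sometimes needs correcting because some pasted values fit more than one entity type. The following added example (not Maltego's or Recorded Future's code) pre-triages a pasted indicator list and flags such values. The patterns, function names and sample values are assumptions made for illustration, and the type names follow the transform output types on this page.

```python
import ipaddress
import re

# Illustrative patterns only; Maltego's own detection rules are not shown on this page.
PATTERNS = [
    ("URL", re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.I)),
    ("Email", re.compile(r"^[^@\s]+@[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)),
    ("Hash", re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)),
    ("Vulnerability", re.compile(r"^CVE-\d{4}-\d{4,}$", re.I)),
    ("AS Number", re.compile(r"^AS\d{1,10}$", re.I)),
    ("Registry Key", re.compile(r"^(?:HKLM|HKCU|HKCR|HKU|HKCC|HKEY_[A-Z_]+)\\.+", re.I)),
    ("Domain", re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)),
    ("Filename", re.compile(r'^[^\\/:*?"<>|\s@]+\.[a-z0-9]{1,5}$', re.I)),
]

def refang(text):
    """Undo common defanging (hxxp, [.]) so the value matches a detector."""
    text = text.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", text, flags=re.I)

def candidate_types(raw):
    """Return every entity type the value could be, in PATTERNS order."""
    value = refang(raw)
    try:
        ipaddress.ip_address(value)  # covers IPv4 and IPv6 without a regex
        return ["IP Address"]
    except ValueError:
        pass
    matches = [name for name, rx in PATTERNS if rx.match(value)]
    return matches or ["Phrase"]  # unrecognized text is left for Phrase mapping

def triage(lines):
    """Return (refanged value, candidate types, needs_review) per non-empty line."""
    results = []
    for line in lines:
        if line.strip():
            types = candidate_types(line)
            results.append((refang(line), types, len(types) > 1))
    return results

# Constructed sample input: documentation addresses and made-up names.
SAMPLE = ["198.51.100[.]7", "hxxp://example[.]com/a.php", "invoice.zip",
          "d41d8cd98f00b204e9800998ecf8427e", "AnonGhost"]

if __name__ == "__main__":
    for value, types, review in triage(SAMPLE):
        print(f"{value:40} {', '.join(types)}{'  <- check type' if review else ''}")
```

Values flagged for review, such as a name that fits both Domain and Filename, are the ones whose detected type is worth checking by hand before running transforms.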
You can map the input Phrase to an Alias (representing a person, Social Media profile, or forum username), Company, Operation, or Organization. Organizations can represent both threat actor groups and target organizations. After mapping the Phrase to an entity, the normal entity to metrics and entity to RF document transforms are available.
Maltego Machines
These Transforms were designed to be very specific and self-explanatory. However, this approach often means that completing a task involves progressively running many Transforms.
Machines are macro scripts that automate this task to save you time. The integration includes a Doc Expand machine for each Entity.
These Machines first retrieve RF Documents matching the current filter properties, and then, for each RF Document, expand the other TI Entities that are also mentioned in that document.
You can use these Machines directly, and can also use them as templates for creating additional Machines that automatically pivot between information in Recorded Future and information in other threat intelligence services.
Getting Support
Please contact support with questions or issues using this integration. We’re ready to help! We are also eager to hear your ideas for improving and expanding this integration.