STIX2 Grouping
| Display Name | STIX2 Grouping |
| Entity Name | maltego.STIX2.grouping |
| Short Description | A Grouping object explicitly asserts that the referenced STIX Objects have a shared content. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal grouping. | grouping |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| name | name | string | A name used to identify the Grouping. | |
| description | description | string | A description which provides more details and context about the Grouping, potentially including the purpose and key chara cteristics. | |
| context | context | string | A short description of the particular context shared by the content referenced by the Grouping. | |
| object_refs | object_refs | string[] | The STIX Objects (SDOs and SROs) that are referred to by this Grouping. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
A Grouping object explicitly asserts that the referenced STIX Objects have a shared content.
STIX2 Note
| Display Name | STIX2 Note |
| Entity Name | maltego.STIX2.note |
| Short Description | A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.Phrase, maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal note. | note |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| text | text | string | The content of the note. | |
| abstract | abstract | string | A brief summary of the note. | |
| authors | authors | string[] | The name of the author(s) of this note (e.g., the analyst(s) that created it). | |
| object_refs | object_refs | string[] | The STIX Objects (SDOs and SROs) that the note is being applied to. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"text": "content"} |
Entity Description
A Note is a comment or note containing informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis that is not contained in the original object.
| Display Name | STIX2 Incident |
| Entity Name | maltego.STIX2.incident |
| Short Description | An incident is a grouping of adversary behavior that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal incident. | x-openc ti-incident |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| name | name | string | The name used to identify the Incident. | |
| description | description | string | A description that provides more details and context about the Incident, potentially including its purpose and its key chara cteristics. | |
| aliases | aliases | string[] | Alternative names used to identify this incident. | |
| first_seen | first_seen | string | The time that this Incident was first seen. | |
| last_seen | last_seen | string | The time that this Incident was last seen. | |
| objective | objective | string | This field defines the Incident’s primary goal, objective, desired outcome, or intended effect. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
An incident is a grouping of adversary behavior that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.
STIX2 Location
| Display Name | STIX2 Location |
| Entity Name | maltego.STIX2.location |
| Short Description | A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.Location, maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal location. | location |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| lo cation.name | lo cation.name | string | A name used to identify the Location. | |
| latitude | latitude | string | The latitude of the Location in decimal degrees. | |
| longitude | longitude | string | The longitude of the Location in decimal degrees. | |
| country | country | string | The country that this Location describes. | |
| lo cation.area | lo cation.area | string | The state, province, or other s ub-national adm inistrative area that this Location describes. | |
| city | city | string | The city that this Location describes. | |
| st reetaddress | st reetaddress | string | The street address that this Location describes. | |
| locati on.areacode | locati on.areacode | string | The postal code for this Location. | |
| description | description | string | A textual description of the Location. | |
| precision | precision | string | Defines the precision of the coordinates specified by the latitude and longitude properties, measured in meters. | |
| region | region | string | The region that this Location describes. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"loca tion.name": "name", "latitude": "latitude", " longitude": " longitude", "country": "country", "city": "city", "stre etaddress": "stree t_address", "loca tion.area": "administra tive_area", "location .areacode": "po stal_code"} |
Entity Description
A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude.
STIX2 Opinion
| Display Name | STIX2 Opinion |
| Entity Name | maltego.STIX2.opinion |
| Short Description | An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity and captures the level of agreement or disagreement using a fixed scale. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal `opinion`. | opinion |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| explanation | explanation | string | An explanation of why the producer has this Opinion. | |
| authors | authors | string[] | The name of the author(s) of this opinion (e.g., the analyst(s) that created it). | |
| object_refs | object_refs | string[] | The STIX Objects (SDOs and SROs) that the opinion is being applied to. | |
| opinion | opinion | string | The opinion that the producer has about about all of the STIX Object(s) listed in the object_refs property. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity and captures the level of agreement or disagreement using a fixed scale.
STIX2 Vulnerability
| Display Name | STIX2 Vulnerability |
| Entity Name | maltego.STIX2.vulnerability |
| Short Description | A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal vulne rability. | vu lnerability |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| name | name | string | The name used to identify the Vul nerability. | |
| description | description | string | A description that provides more details and context about the Vul nerability. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
A Vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network.
STIX2 Malware
| Display Name | STIX2 Malware |
| Entity Name | maltego.STIX2.malware |
| Short Description | Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal `malware`. | malware |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| aliases | aliases | string[] | Alternative names used to identify this Malware or Malware family. | |
| first_seen | first_seen | string | The time that the malware instance or family was first seen. | |
| last_seen | last_seen | string | The time that the malware family or malware instance was last seen. | |
| operating system_refs | operating system_refs | string[] | The operating systems that the malware family or malware instance is executable on. | |
| archi tecture_exe cution_envs | archi tecture_exe cution_envs | string[] | The processor ar chitectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. Open Vocab -proc essor-archi tecture-os. | |
| im plementatio n_languages | im plementatio n_languages | string[] | The programming language(s) used to implement the malware instance or family. Open Vocab -imple mentation-l anguage-ov. | |
| c apabilities | c apabilities | string[] | Specifies any c apabilities identified for the malware instance or family. Open Vocab -ma lware-capab ilities-ov. | |
| sample_refs | sample_refs | string[] | The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. | |
| ma lware_types | ma lware_types | string[] | The type of malware being described. Open Vocab -malw are-type-ov | |
| name | name | string | The name used to identify the Malware. | |
| description | description | string | Provides more context and details about the Malware object. | |
| kill_c hain_phases | kill_c hain_phases | string[] | The list of kill chain phases for which this Malware instance can be used. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
| is_family | is_family | string | Whether the object represents a malware family (if true) or a malware instance (if false). | True |
Entity Description
Malware is a type of TTP that is also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.
STIX2 Malware Analysis
| Display Name | STIX2 Malware Analysis |
| Entity Name | maltego.STIX2.malware-analysis |
| Short Description | Malware Analysis captures the metadata and results of a particular analysis performed (static or dynamic) on the malware instance or family. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal malware- analysis. | malwa re-analysis |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| product | product | string | The name of the analysis engine or product that was used for this analysis. | |
| version | version | string | The version of the analysis product that was used to perform this analysis. | |
| configurat ion_version | configurat ion_version | string | The version of the analysis product co nfiguration that was used to perform this analysis. | |
| modules | modules | string[] | The particular analysis product modules that were used to perform the analysis. | |
| a nalysis_eng ine_version | a nalysis_eng ine_version | string | The version of the analysis engine or product that was used to perform this analysis. | |
| analy sis_definit ion_version | analy sis_definit ion_version | string | The version of the analysis definitions used by the analysis tool. | |
| submitted | submitted | string | The date and time that this malware was first submitted for scanning or analysis. | |
| analy sis_started | analy sis_started | string | The date and time that the malware analysis was initiated. | |
| ana lysis_ended | ana lysis_ended | string | The date and time that the malware analysis ended. | |
| result_name | result_name | string | The cla ssification result or name assigned to the malware instance by the scanner tool. | |
| result | result | string | The cla ssification result as determined by the scanner or tool analysis process. | |
| host_vm_ref | host_vm_ref | string | A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. | |
| operating _system_ref | operating _system_ref | string | The operating system that was used to perform the dynamic analysis. | |
| i nstalled_so ftware_refs | i nstalled_so ftware_refs | string[] | Any n on-standard software installed on the operating system used for the dynamic analysis of the malware instance or family. | |
| analys is_sco_refs | analys is_sco_refs | string[] | The list of STIX objects that were captured during the analysis process. | |
| sample_ref | sample_ref | string | Refers to the object this analysis was performed against. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
Malware Analysis captures the metadata and results of a particular analysis performed (static or dynamic) on the malware instance or family.
STIX2 Report
| Display Name | STIX2 Report |
| Entity Name | maltego.STIX2.report |
| Short Description | Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal report. | report |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| r eport_types | r eport_types | string[] | This field is an Open Vocabulary that specifies the primary subject of this report. The suggested values for this field are in repo rt-type-ov. | |
| name | name | string | The name used to identify the Report. | |
| description | description | string | A description that provides more details and context about Report. | |
| published | published | string | The date that this report object was officially published by the creator of this report. | |
| object_refs | object_refs | string[] | Specifies the STIX Objects that are referred to by this Report. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
STIX2 Attack Pattern
| Display Name | STIX2 Attack Pattern |
| Entity Name | maltego.STIX2.attack-pattern |
| Short Description | Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal identity. | identity |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| roles | roles | string[] | The list of roles that this Identity performs (e.g., CEO, Domain Admi nistrators, Doctors, Hospital, or Retailer). No open vocabulary is yet defined for this property. | |
| name | name | string | The name of this Identity. | |
| description | description | string | A description that provides more details and context about the Identity. | |
| ide ntity_class | ide ntity_class | string | The type of entity that this Identity describes, e.g., an individual or or ganization. Open Vocab -identi ty-class-ov | |
| sectors | sectors | string[] | The list of sectors that this Identity belongs to. Open Vocab -industr y-sector-ov | |
| contact information | contact information | string | The contact information (e-mail, phone number, etc.) for this Identity. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
| x_mitre_id | x_mitre_id | string | ID of the attack pattern in MITRE frameworks | |
| x_mitr e_platforms | x_mitr e_platforms | string[] | OS concerned by this attack pattern in MITRE frameworks | |
| x_mitr e_permissio ns_required | x_mitr e_permissio ns_required | string[] | Permissions required to do this attack pattern in MITRE frameworks | |
| x_mitr e_detection | x_mitr e_detection | string | Detections methods for this attack pattern in MITRE frameworks | |
Entity Description
Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets.
STIX2 Core
| Display Name | STIX2 Core |
| Entity Name | maltego.STIX2.core |
| Short Description | Abstract entity from which all STIX entities inherit common properties |
| Entity Category | STIX 2 domain objects |
| Base Entities | (none) |
Entity Properties
| id | id | string | | |
| ma rking_color | ma rking_color | string | A color to be used in graphic display to show a marking sign (eg TLP) | |
| m arking_text | m arking_text | string | A text to be used in graphic display to show a marking sign (eg TLP) | |
Entity Description
Abstract entity from which all STIX entities inherit common properties.
STIX2 Threat Actor
| Display Name | STIX2 Threat Actor |
| Entity Name | maltego.STIX2.threat-actor |
| Short Description | Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.Organization, maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal thre at-actor. | t hreat-actor |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| title | title | string | A name used to identify this Threat Actor or Threat Actor group. | |
| threat actor_types | threat actor_types | string[] | This field specifies the type of threat actor. Open Vocab -threat-ac tor-type-ov | |
| description | description | string | A description that provides more details and context about the Threat Actor. | |
| aliases | aliases | string[] | A list of other names that this Threat Actor is believed to use. | |
| roles | roles | string[] | This is a list of roles the Threat Actor plays. Open Vocab -threat-ac tor-role-ov | |
| goals | goals | string[] | The high level goals of this Threat Actor, namely, what are they trying to do. | |
| first_seen | first_seen | string | The time that this Threat Actor was first seen. | |
| last_seen | last_seen | string | The time that this Threat Actor was last seen. | |
| sop histication | sop histication | string | The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. Open Vocab -threat-a ctor-sophis tication-ov | |
| res ource_level | res ource_level | string | This defines the org anizational level at which this Threat Actor typically works. Open Vocab -at tack-resour ce-level-ov | |
| primary _motivation | primary _motivation | string | The primary reason, motivation, or purpose behind this Threat Actor. Open Vocab -attack-mo tivation-ov | |
| secondary motivations | secondary motivations | string[] | The secondary reasons, m otivations, or purposes behind this Threat Actor. Open Vocab -attack-mo tivation-ov | |
| personal motivations | personal motivations | string[] | The personal reasons, m otivations, or purposes of the Threat Actor regardless of org anizational goals. Open Vocab -attack-mo tivation-ov | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"title": "name"} |
Entity Description
Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent.
STIX2 Identity
| Display Name | STIX2 Identity |
| Entity Name | maltego.STIX2.identity |
| Short Description | Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, or groups. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.Company, maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal identity. | identity |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| title | title | string | The name of this Identity. | |
| roles | roles | string[] | The list of roles that this Identity performs (e.g., CEO, Domain Admi nistrators, Doctors, Hospital, or Retailer). No open vocabulary is yet defined for this property. | |
| description | description | string | A description that provides more details and context about the Identity. | |
| ide ntity_class | ide ntity_class | string | The type of entity that this Identity describes, e.g., an individual or or ganization. Open Vocab -identi ty-class-ov | |
| sectors | sectors | string[] | The list of sectors that this Identity belongs to. Open Vocab -industr y-sector-ov | |
| contact information | contact information | string | The contact information (e-mail, phone number, etc.) for this Identity. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"title": "name"} |
| x_open cti_aliases | x_open cti_aliases | string[] | Alternative names used to identify this identity. | |
Entity Description
Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, or groups.
STIX2 Intrusion Set
| Display Name | STIX2 Intrusion Set |
| Entity Name | maltego.STIX2.intrusion-set |
| Short Description | An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal intru sion-set. | in trusion-set |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| name | name | string | The name used to identify the Intrusion Set. | |
| description | description | string | Provides more context and details about the Intrusion Set object. | |
| aliases | aliases | string[] | Alternative names used to identify this Intrusion Set. | |
| first_seen | first_seen | string | The time that this Intrusion Set was first seen. | |
| last_seen | last_seen | string | The time that this Intrusion Set was last seen. | |
| goals | goals | string[] | The high level goals of this Intrusion Set, namely, what are they trying to do. | |
| res ource_level | res ource_level | string | This defines the org anizational level at which this Intrusion Set typically works. Open Vocab -at tack-resour ce-level-ov | |
| primary _motivation | primary _motivation | string | The primary reason, motivation, or purpose behind this Intrusion Set. Open Vocab -attack-mo tivation-ov | |
| secondary motivations | secondary motivations | string[] | The secondary reasons, m otivations, or purposes behind this Intrusion Set. Open Vocab -attack-mo tivation-ov | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
An Intrusion Set is a grouped set of adversary behavior and resources with common properties that is believed to be orchestrated by a single organization.
STIX2 Indicator
| Display Name | STIX2 Indicator |
| Entity Name | maltego.STIX2.indicator |
| Short Description | Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal i ndicator. | indicator |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| indi cator_types | indi cator_types | string[] | This field is an Open Vocabulary that specifies the type of indicator. Open vocab -indica tor-type-ov | |
| name | name | string | The name used to identify the Indicator. | |
| description | description | string | A description that provides the recipient with context about this Indicator potentially including its purpose and its key chara cteristics. | |
| pattern | pattern | string | The detection pattern for this indicator. | |
| p attern_type | p attern_type | string | The type of pattern used in this indicator. | |
| patt ern_version | patt ern_version | string | The version of the pattern that is used. | |
| valid_from | valid_from | string | The time from which this indicator should be considered valuable in telligence. | |
| valid_until | valid_until | string | The time at which this indicator should no longer be considered valuable in telligence. | |
| kill_c hain_phases | kill_c hain_phases | string[] | The phases of the kill chain that this indicator detects. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity.
STIX2 Infrastructure
| Display Name | STIX2 Infrastructure |
| Entity Name | maltego.STIX2.infrastructure |
| Short Description | Infrastructure objects describe systems, software services, and associated physical or virtual resources. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal infras tructure. | inf rastructure |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| name | name | string | The name used to identify the Infr astructure. | |
| description | description | string | A description that provides more details and context about this Inf rastructure potentially including its purpose and its key chara cteristics. | |
| infrastru cture_types | infrastru cture_types | string[] | This field is an Open Vocabulary that specifies the type of infr astructure. Open vocab -infrastruct ure-type-ov | |
| aliases | aliases | string[] | Alternative names used to identify this Infr astructure. | |
| kill_c hain_phases | kill_c hain_phases | string[] | The list of kill chain phases for which this inf rastructure is used. | |
| first_seen | first_seen | string | The time that this inf rastructure was first seen performing malicious activities. | |
| last_seen | last_seen | string | The time that this inf rastructure was last seen performing malicious activities. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
Infrastructure objects describe systems, software services, and associated physical or virtual resources.
STIX2 Course Of Action
| Display Name | STIX2 Course Of Action |
| Entity Name | maltego.STIX2.course-of-action |
| Short Description | A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal course-o f-action. | cours e-of-action |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| name | name | string | The name used to identify the Course of Action. | |
| description | description | string | A description that provides more details and context about this object, potentially including its purpose and its key chara cteristics. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress.
STIX2 Observed Data
| Display Name | STIX2 Observed Data |
| Entity Name | maltego.STIX2.observed-data |
| Short Description | Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal obser ved-data. | ob served-data |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| fir st_observed | fir st_observed | string | The beginning of the time window that the data was observed during. | |
| la st_observed | la st_observed | string | The end of the time window that the data was observed during. | |
| numb er_observed | numb er_observed | string | The number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive. | |
| objects | objects | string | A dictionary of Cyber Observable Objects that describes the single 'fact' that was observed. | |
| object_refs | object_refs | string[] | A list of SCOs and SROs r epresenting the o bservation. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
Observed data conveys information that was observed on systems and networks, such as log data or network traffic, using the Cyber Observable specification.
| Display Name | STIX2 Tool |
| Entity Name | maltego.STIX2.tool |
| Short Description | Tools are legitimate software that can be used by threat actors to perform attacks. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal tool. | tool |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| aliases | aliases | string[] | Alternative names used to identify this Tool. | |
| tool_types | tool_types | string[] | The kind(s) of tool(s) being described. Open Vocab -t ool-type-ov | |
| name | name | string | The name used to identify the Tool. | |
| description | description | string | Provides more context and details about the Tool object. | |
| t ool_version | t ool_version | string | The version identifier associated with the tool. | |
| kill_c hain_phases | kill_c hain_phases | string[] | The list of kill chain phases for which this Tool instance can be used. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
Tools are legitimate software that can be used by threat actors to perform attacks.
STIX2 Campaign
| Display Name | STIX2 Campaign |
| Entity Name | maltego.STIX2.campaign |
| Short Description | A Campaign is a grouping of adversary behavior that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets. |
| Entity Category | STIX 2 domain objects |
| Base Entities | maltego.STIX2.core |
Entity Properties
| type | type | string | The type of this object, which MUST be the literal campaign. | campaign |
| s pec_version | s pec_version | string | The version of the STIX sp ecification used to represent this object. | |
| id | id | string | | |
| cre ated_by_ref | cre ated_by_ref | string | The ID of the Source object that describes who created this object. | |
| labels | labels | string[] | The labels property specifies a set of terms used to describe this object. | |
| created | created | string | The created property represents the time at which the first version of this object was created. The timstamp value MUST be precise to the nearest m illisecond. | |
| modified | modified | string | The modified property represents the time that this particular version of the object was modified. The timstamp value MUST be precise to the nearest m illisecond. | |
| revoked | revoked | string | The revoked property indicates whether the object has been revoked. | |
| confidence | confidence | string | Identifies the confidence that the creator has in the correctness of their data. | |
| lang | lang | string | Identifies the language of the text content in this object. | |
| external _references | external _references | string[] | A list of external references which refers to non-STIX i nformation. | |
| object_m arking_refs | object_m arking_refs | string[] | The list of marking -definition objects to be applied to this object. | |
| granul ar_markings | granul ar_markings | string[] | The set of granular markings that apply to this object. | |
| name | name | string | The name used to identify the Campaign. | |
| description | description | string | A description that provides more details and context about the Campaign, potentially including its purpose and its key chara cteristics. | |
| aliases | aliases | string[] | Alternative names used to identify this campaign. | |
| first_seen | first_seen | string | The time that this Campaign was first seen. | |
| last_seen | last_seen | string | The time that this Campaign was last seen. | |
| objective | objective | string | This field defines the Campaign’s primary goal, objective, desired outcome, or intended effect. | |
| rec overy_prope rty_mapping | rec overy_prope rty_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
A Campaign is a grouping of adversary behavior that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.