Overview
Splunk is a software platform used for monitoring, searching, analyzing, and visualizing machine-generated log data in real time. It provides insights into technology infrastructure, security systems, and business applications that help drive operational performance and business results.
Splunk ES was developed to help make sense of machine-generated log data, and has become a popular choice among Security Information and Event Management (SIEM) solutions for many organizations worldwide. It is primarily used for searching, monitoring, and examining Big Data through a web-style interface.
The Splunk Enterprise integration for Maltego combines the full advantage of the Splunk Common Information Model (CIM) with the investigative capabilities of link analysis.
Using Splunk, SOC teams and cyber security and threat analysts alike can easily query the following CIM data models:
- Authentication
- Endpoint
- Malware
- Network Resolution
- Network Sessions
- Network Traffic
- Vulnerabilities
Investigators can also perform raw searches, using Splunk’s Search Processing Language to get other events that may not yet be part of the data models.
Be sure to read our blog post, SIEM-plifying Investigations with Splunk and Maltego, to learn more about how to leverage Splunk data. It walks through a use case in which the Splunk Enterprise Security Transforms query the Authentication data model, allowing you to retrieve information from authentication sources such as Active Directory (AD) directly in Maltego.
You can read more about the Splunk integration in the Hub item detail page on our website here.
Installation Guidelines
For customers with an internet-facing Splunk instance, simply install the Hub item and enter your details. For customers without an internet-facing Splunk instance, email support@maltego.com or reach out to us using the contact form on this page.
If you are a Maltego commercial user and are interested in learning how to integrate Splunk Enterprise into Maltego within your organization, email us at support@maltego.com. Our integration experts are happy to discuss your needs and support the integration process!
Configuration Requirements
To enable the Maltego Splunk Enterprise Security Transforms to work, the Splunk Administrator must configure the following:
- Enable the Common Information Model. Please refer to the Splunk User Setup - Common Information Model Add-on Documentation.
Authentication
The default Splunk ES role ESS_USER is able to access the Transforms. The recommended authentication setup is as follows:
- Create a dedicated user with the ess_user role that is permitted to search data through the Splunk REST API. Please refer to the Splunk Admin Management Documentation.
- The Transforms can authenticate with either a username and password or a security token. Either method can be used; ensure that at least one of them is enabled for the user should it be missing.
Troubleshooting
Should you be unable to access the Transforms, please check that the user has READ permission on the following objects:
- Apps
- Custom Search Commands
- Search Scripts
Should you require additional support, please refer to the Splunk Object Permission Settings Documentation.
To Action (Phrase)
Description
Returns the value of the field ‘action’ as a Phrase Entity

| Property | Value |
| --- | --- |
| Display Name | To Action (Phrase) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘action’ as a Phrase Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| networksessionsallsessionstoactionphrase | maltego.splunk.AllSessions |
| endpointprocessestoactionphrase | maltego.splunk.Processes |
| endpointfilesystemtoactionphrase | maltego.splunk.Filesystem |
| endpointregistrytoactionphrase | maltego.splunk.Registry |
| authenticationtoactionphrase | maltego.splunk.Authentication |
| networktrafficalltraffictoactionphrase | maltego.splunk.AllTraffic |
| malwaremalwareattackstoactionphrase | maltego.splunk.MalwareAttacks |
To Signature (Phrase)
Description
Returns the value of the field ‘signature’ as a Phrase Entity

| Property | Value |
| --- | --- |
| Display Name | To Signature (Phrase) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘signature’ as a Phrase Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| networksessionsallsessionstosignaturephrase | maltego.splunk.AllSessions |
| vulnerabilitiestosignaturephrase | maltego.splunk.Vulnerabilities |
| authenticationtosignaturephrase | maltego.splunk.Authentication |
| malwaremalwareattackstosignaturephrase | maltego.splunk.MalwareAttacks |
To SrcIp (IPv4Address)
Description
Returns the value of the field ‘src_ip’ as an IPv4Address Entity

| Property | Value |
| --- | --- |
| Display Name | To SrcIp (IPv4Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘src_ip’ as an IPv4Address Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| networksessionsallsessionstosrcipipv4address | maltego.splunk.AllSessions |
| networktrafficalltraffictosrcipipv4address | maltego.splunk.AllTraffic |
To SrcIp (IPv6Address)
Description
Returns the value of the field ‘src_ip’ as an IPv6Address Entity

| Property | Value |
| --- | --- |
| Display Name | To SrcIp (IPv6Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘src_ip’ as an IPv6Address Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| networksessionsallsessionstosrcipipv6address | maltego.splunk.AllSessions |
| networktrafficalltraffictosrcipipv6address | maltego.splunk.AllTraffic |
To SrcNtHost (Domain)
Description
Returns the value of the field ‘src_nt_host’ as a Domain Entity

| Property | Value |
| --- | --- |
| Display Name | To SrcNtHost (Domain) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | networksessionsallsessionstosrcnthostdomain |
| Input Entities | maltego.splunk.AllSessions |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘src_nt_host’ as a Domain Entity |
To DestIp (IPv4Address)
Description
Returns the value of the field ‘dest_ip’ as an IPv4Address Entity

| Property | Value |
| --- | --- |
| Display Name | To DestIp (IPv4Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘dest_ip’ as an IPv4Address Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| networksessionsallsessionstodestipipv4address | maltego.splunk.AllSessions |
| networktrafficalltraffictodestipipv4address | maltego.splunk.AllTraffic |
To DestIp (IPv6Address)
Description
Returns the value of the field ‘dest_ip’ as an IPv6Address Entity

| Property | Value |
| --- | --- |
| Display Name | To DestIp (IPv6Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘dest_ip’ as an IPv6Address Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| networksessionsallsessionstodestipipv6address | maltego.splunk.AllSessions |
| networktrafficalltraffictodestipipv6address | maltego.splunk.AllTraffic |
To DestNtHost (Domain)
Description
Returns the value of the field ‘dest_nt_host’ as a Domain Entity

| Property | Value |
| --- | --- |
| Display Name | To DestNtHost (Domain) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | networksessionsallsessionstodestnthostdomain |
| Input Entities | maltego.splunk.AllSessions |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘dest_nt_host’ as a Domain Entity |
To User (Alias)
Description
Returns the value of the field ‘user’ as an Alias Entity

| Property | Value |
| --- | --- |
| Display Name | To User (Alias) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘user’ as an Alias Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| networksessionsallsessionstouseralias | maltego.splunk.AllSessions |
| endpointportstouseralias | maltego.splunk.Ports |
| endpointprocessestouseralias | maltego.splunk.Processes |
| endpointservicestouseralias | maltego.splunk.Services |
| endpointfilesystemtouseralias | maltego.splunk.Filesystem |
| endpointregistrytouseralias | maltego.splunk.Registry |
| vulnerabilitiestouseralias | maltego.splunk.Vulnerabilities |
| authenticationtouseralias | maltego.splunk.Authentication |
| networktrafficalltraffictouseralias | maltego.splunk.AllTraffic |
| malwaremalwareattackstouseralias | maltego.splunk.MalwareAttacks |
To Src (IPv4Address)
Description
Returns the value of the field ‘src’ as an IPv4Address Entity

| Property | Value |
| --- | --- |
| Display Name | To Src (IPv4Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘src’ as an IPv4Address Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| networkresolutiondnstosrcipv4address | maltego.splunk.Dns |
| endpointportstosrcipv4address | maltego.splunk.Ports |
| authenticationtosrcipv4address | maltego.splunk.Authentication |
| networktrafficalltraffictosrcipv4address | maltego.splunk.AllTraffic |
| malwaremalwareattackstosrcipv4address | maltego.splunk.MalwareAttacks |
To Src (IPv6Address)
Description
Returns the value of the field ‘src’ as an IPv6Address Entity

| Property | Value |
| --- | --- |
| Display Name | To Src (IPv6Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘src’ as an IPv6Address Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| networkresolutiondnstosrcipv6address | maltego.splunk.Dns |
| endpointportstosrcipv6address | maltego.splunk.Ports |
| authenticationtosrcipv6address | maltego.splunk.Authentication |
| networktrafficalltraffictosrcipv6address | maltego.splunk.AllTraffic |
| malwaremalwareattackstosrcipv6address | maltego.splunk.MalwareAttacks |
To Dest (IPv4Address)
Description
Returns the value of the field ‘dest’ as an IPv4Address Entity

| Property | Value |
| --- | --- |
| Display Name | To Dest (IPv4Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘dest’ as an IPv4Address Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| networkresolutiondnstodestipv4address | maltego.splunk.Dns |
| endpointportstodestipv4address | maltego.splunk.Ports |
| endpointprocessestodestipv4address | maltego.splunk.Processes |
| endpointservicestodestipv4address | maltego.splunk.Services |
| endpointfilesystemtodestipv4address | maltego.splunk.Filesystem |
| endpointregistrytodestipv4address | maltego.splunk.Registry |
| vulnerabilitiestodestipv4address | maltego.splunk.Vulnerabilities |
| authenticationtodestipv4address | maltego.splunk.Authentication |
| networktrafficalltraffictodestipv4address | maltego.splunk.AllTraffic |
| malwaremalwareattackstodestipv4address | maltego.splunk.MalwareAttacks |
| malwaremalwareoperationstodestipv4address | maltego.splunk.MalwareOperations |
To Dest (IPv6Address)
Description
Returns the value of the field ‘dest’ as an IPv6Address Entity

| Property | Value |
| --- | --- |
| Display Name | To Dest (IPv6Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘dest’ as an IPv6Address Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| networkresolutiondnstodestipv6address | maltego.splunk.Dns |
| endpointportstodestipv6address | maltego.splunk.Ports |
| endpointprocessestodestipv6address | maltego.splunk.Processes |
| endpointservicestodestipv6address | maltego.splunk.Services |
| endpointfilesystemtodestipv6address | maltego.splunk.Filesystem |
| endpointregistrytodestipv6address | maltego.splunk.Registry |
| vulnerabilitiestodestipv6address | maltego.splunk.Vulnerabilities |
| authenticationtodestipv6address | maltego.splunk.Authentication |
| networktrafficalltraffictodestipv6address | maltego.splunk.AllTraffic |
| malwaremalwareattackstodestipv6address | maltego.splunk.MalwareAttacks |
| malwaremalwareoperationstodestipv6address | maltego.splunk.MalwareOperations |
To ProcessHash (Hash)
Description
Returns the value of the field ‘process_hash’ as a Hash Entity

| Property | Value |
| --- | --- |
| Display Name | To ProcessHash (Hash) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | endpointprocessestoprocesshashhash |
| Input Entities | maltego.splunk.Processes |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘process_hash’ as a Hash Entity |
To UserId (Alias)
Description
Returns the value of the field ‘user_id’ as an Alias Entity

| Property | Value |
| --- | --- |
| Display Name | To UserId (Alias) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘user_id’ as an Alias Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| endpointprocessestouseridalias | maltego.splunk.Processes |
| authenticationtouseridalias | maltego.splunk.Authentication |
To Description (Phrase)
Description
Returns the value of the field ‘description’ as a Phrase Entity

| Property | Value |
| --- | --- |
| Display Name | To Description (Phrase) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | endpointservicestodescriptionphrase |
| Input Entities | maltego.splunk.Services |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘description’ as a Phrase Entity |
To ServiceDllHash (Hash)
Description
Returns the value of the field ‘service_dll_hash’ as a Hash Entity

| Property | Value |
| --- | --- |
| Display Name | To ServiceDllHash (Hash) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | endpointservicestoservicedllhashhash |
| Input Entities | maltego.splunk.Services |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘service_dll_hash’ as a Hash Entity |
To ServiceHash (Hash)
Description
Returns the value of the field ‘service_hash’ as a Hash Entity

| Property | Value |
| --- | --- |
| Display Name | To ServiceHash (Hash) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | endpointservicestoservicehashhash |
| Input Entities | maltego.splunk.Services |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘service_hash’ as a Hash Entity |
To FileHash (Hash)
Description
Returns the value of the field ‘file_hash’ as a Hash Entity

| Property | Value |
| --- | --- |
| Display Name | To FileHash (Hash) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘file_hash’ as a Hash Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| endpointfilesystemtofilehashhash | maltego.splunk.Filesystem |
| malwaremalwareattackstofilehashhash | maltego.splunk.MalwareAttacks |
To FileName (Phrase)
Description
Returns the value of the field ‘file_name’ as a Phrase Entity

| Property | Value |
| --- | --- |
| Display Name | To FileName (Phrase) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘file_name’ as a Phrase Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| endpointfilesystemtofilenamephrase | maltego.splunk.Filesystem |
| malwaremalwareattackstofilenamephrase | maltego.splunk.MalwareAttacks |
To Url (URL)
Description
Returns the value of the field ‘url’ as a URL Entity

| Property | Value |
| --- | --- |
| Display Name | To Url (URL) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘url’ as a URL Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| vulnerabilitiestourlurl | maltego.splunk.Vulnerabilities |
| malwaremalwareattackstourlurl | maltego.splunk.MalwareAttacks |
To Cve (CVE)
Description
Returns the value of the field ‘cve’ as a CVE Entity

| Property | Value |
| --- | --- |
| Display Name | To Cve (CVE) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | vulnerabilitiestocvecve |
| Input Entities | maltego.splunk.Vulnerabilities |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘cve’ as a CVE Entity |
To Dvc (Alias)
Description
Returns the value of the field ‘dvc’ as an Alias Entity

| Property | Value |
| --- | --- |
| Display Name | To Dvc (Alias) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘dvc’ as an Alias Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| vulnerabilitiestodvcalias | maltego.splunk.Vulnerabilities |
| networktrafficalltraffictodvcalias | maltego.splunk.AllTraffic |
To DestNtDomain (Domain)
Description
Returns the value of the field ‘dest_nt_domain’ as a Domain Entity

| Property | Value |
| --- | --- |
| Display Name | To DestNtDomain (Domain) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘dest_nt_domain’ as a Domain Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| authenticationtodestntdomaindomain | maltego.splunk.Authentication |
| malwaremalwareattackstodestntdomaindomain | maltego.splunk.MalwareAttacks |
| malwaremalwareoperationstodestntdomaindomain | maltego.splunk.MalwareOperations |
To SrcNtDomain (Domain)
Description
Returns the value of the field ‘src_nt_domain’ as a Domain Entity

| Property | Value |
| --- | --- |
| Display Name | To SrcNtDomain (Domain) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | authenticationtosrcntdomaindomain |
| Input Entities | maltego.splunk.Authentication |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘src_nt_domain’ as a Domain Entity |
To SrcUserId (Alias)
Description
Returns the value of the field ‘src_user_id’ as an Alias Entity

| Property | Value |
| --- | --- |
| Display Name | To SrcUserId (Alias) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | authenticationtosrcuseridalias |
| Input Entities | maltego.splunk.Authentication |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘src_user_id’ as an Alias Entity |
To App (Phrase)
Description
Returns the value of the field ‘app’ as a Phrase Entity

| Property | Value |
| --- | --- |
| Display Name | To App (Phrase) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘app’ as a Phrase Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| authenticationtoappphrase | maltego.splunk.Authentication |
| networktrafficalltraffictoappphrase | maltego.splunk.AllTraffic |
To SrcUser (Alias)
Description
Returns the value of the field ‘src_user’ as an Alias Entity

| Property | Value |
| --- | --- |
| Display Name | To SrcUser (Alias) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘src_user’ as an Alias Entity |

Variants

| Transform Name | Input Entity |
| --- | --- |
| authenticationtosrcuseralias | maltego.splunk.Authentication |
| malwaremalwareattackstosrcuseralias | maltego.splunk.MalwareAttacks |
To DestTranslatedIp (IPv4Address)
Description
Returns the value of the field ‘dest_translated_ip’ as an IPv4Address Entity

| Property | Value |
| --- | --- |
| Display Name | To DestTranslatedIp (IPv4Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | networktrafficalltraffictodesttranslatedipipv4address |
| Input Entities | maltego.splunk.AllTraffic |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘dest_translated_ip’ as an IPv4Address Entity |
To DestTranslatedIp (IPv6Address)
Description
Returns the value of the field ‘dest_translated_ip’ as an IPv6Address Entity

| Property | Value |
| --- | --- |
| Display Name | To DestTranslatedIp (IPv6Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | networktrafficalltraffictodesttranslatedipipv6address |
| Input Entities | maltego.splunk.AllTraffic |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘dest_translated_ip’ as an IPv6Address Entity |
To DvcIp (IPv4Address)
Description
Returns the value of the field ‘dvc_ip’ as an IPv4Address Entity

| Property | Value |
| --- | --- |
| Display Name | To DvcIp (IPv4Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | networktrafficalltraffictodvcipipv4address |
| Input Entities | maltego.splunk.AllTraffic |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘dvc_ip’ as an IPv4Address Entity |
To DvcIp (IPv6Address)
Description
Returns the value of the field ‘dvc_ip’ as an IPv6Address Entity

| Property | Value |
| --- | --- |
| Display Name | To DvcIp (IPv6Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | networktrafficalltraffictodvcipipv6address |
| Input Entities | maltego.splunk.AllTraffic |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘dvc_ip’ as an IPv6Address Entity |
To SrcTranslatedIp (IPv4Address)
Description
Returns the value of the field ‘src_translated_ip’ as an IPv4Address Entity

| Property | Value |
| --- | --- |
| Display Name | To SrcTranslatedIp (IPv4Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | networktrafficalltraffictosrctranslatedipipv4address |
| Input Entities | maltego.splunk.AllTraffic |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘src_translated_ip’ as an IPv4Address Entity |
To SrcTranslatedIp (IPv6Address)
Description
Returns the value of the field ‘src_translated_ip’ as an IPv6Address Entity

| Property | Value |
| --- | --- |
| Display Name | To SrcTranslatedIp (IPv6Address) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | networktrafficalltraffictosrctranslatedipipv6address |
| Input Entities | maltego.splunk.AllTraffic |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘src_translated_ip’ as an IPv6Address Entity |
To Ssid (Phrase)
Description
Returns the value of the field ‘ssid’ as a Phrase Entity

| Property | Value |
| --- | --- |
| Display Name | To Ssid (Phrase) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | networktrafficalltraffictossidphrase |
| Input Entities | maltego.splunk.AllTraffic |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘ssid’ as a Phrase Entity |
To Time (DateTime)
Description
Returns the value of the field ‘_time’ as a DateTime Entity

| Property | Value |
| --- | --- |
| Display Name | To Time (DateTime) |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | malwaremalwareoperationstotimedatetime |
| Input Entities | maltego.splunk.MalwareOperations |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘_time’ as a DateTime Entity |
To All Interesting Fields
Description
Extracts interesting fields from the incoming Entity properties

| Property | Value |
| --- | --- |
| Display Name | To All Interesting Fields |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | |
| Transform Name | baseeventtointerestingfield |
| Input Entities | maltego.splunk.BaseEvent |
| Output Entities | Phrase |
| Short Description | Extracts interesting fields from the incoming Entity properties |
Get All Sessions Events by src_ip [Splunk]
Settings

| Setting | Type | | | | |
| --- | --- | --- | --- | --- | --- |
| Date Range | daterange | | False | false | false |
| Host | string | | False | false | false |
| Password | string | | False | false | false |
| Port | int | | False | false | false |
| Token | string | | False | false | false |
| Username | string | | False | false | false |

| Property | Value |
| --- | --- |
| Display Name | Get All Sessions Events by src_ip [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | Splunk |
| Output Entities | Phrase |

Variants

| Transform Name | Input Entity | Description |
| --- | --- | --- |
| ipv4addresstonetworksessionsallsessionsusingsrcip | maltego.IPv4Address | This Transform returns AllSessions events where the field ‘SrcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’ |
| ipv6addresstonetworksessionsallsessionsusingsrcip | maltego.IPv6Address | This Transform returns AllSessions events where the field ‘SrcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’ |
Get All Sessions Events by dest_ip [Splunk]
Settings

| Setting | Type | | | | |
| --- | --- | --- | --- | --- | --- |
| Date Range | daterange | | False | false | false |
| Host | string | | False | false | false |
| Password | string | | False | false | false |
| Port | int | | False | false | false |
| Token | string | | False | false | false |
| Username | string | | False | false | false |

| Property | Value |
| --- | --- |
| Display Name | Get All Sessions Events by dest_ip [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | Splunk |
| Output Entities | Phrase |

Variants

| Transform Name | Input Entity | Description |
| --- | --- | --- |
| ipv4addresstonetworksessionsallsessionsusingdestip | maltego.IPv4Address | This Transform returns AllSessions events where the field ‘DestIp’ is equal to the value of the input IPv4Address. The CIM defines the field name DestIp as ‘The internal IP address allocated to the client initializing a network session. For DHCP and VPN events this is the IP address leased to the client.’ |
| ipv6addresstonetworksessionsallsessionsusingdestip | maltego.IPv6Address | This Transform returns AllSessions events where the field ‘DestIp’ is equal to the value of the input IPv6Address. The CIM defines the field name DestIp as ‘The internal IP address allocated to the client initializing a network session. For DHCP and VPN events this is the IP address leased to the client.’ |
Get All Sessions Events by user [Splunk]
Description
This Transform returns AllSessions events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user in a network session event where applicable. For example a VPN session or an authenticated DHCP event.’

Settings

| Setting | Type | | | | |
| --- | --- | --- | --- | --- | --- |
| Date Range | daterange | | False | false | false |
| Host | string | | False | false | false |
| Password | string | | False | false | false |
| Port | int | | False | false | false |
| Token | string | | False | false | false |
| Username | string | | False | false | false |

| Property | Value |
| --- | --- |
| Display Name | Get All Sessions Events by user [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | Splunk |
| Transform Name | aliastonetworksessionsallsessionsusinguser |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns AllSessions events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user in a network session event where applicable. For example a VPN session or an authenticated DHCP event.’ |
Get Session Start Events by src_ip [Splunk]
Settings

| Setting | Type | | | | |
| --- | --- | --- | --- | --- | --- |
| Date Range | daterange | | False | false | false |
| Host | string | | False | false | false |
| Password | string | | False | false | false |
| Port | int | | False | false | false |
| Token | string | | False | false | false |
| Username | string | | False | false | false |

| Property | Value |
| --- | --- |
| Display Name | Get Session Start Events by src_ip [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | Splunk |
| Output Entities | Phrase |

Variants

| Transform Name | Input Entity | Description |
| --- | --- | --- |
| ipv4addresstonetworksessionssessionstartusingsrcip | maltego.IPv4Address | This Transform returns SessionStart events where the field ‘SrcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’ |
| ipv6addresstonetworksessionssessionstartusingsrcip | maltego.IPv6Address | This Transform returns SessionStart events where the field ‘SrcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’ |
Get Session End Events by src_ip [Splunk]
Settings

| Setting | Type | | | | |
| --- | --- | --- | --- | --- | --- |
| Date Range | daterange | | False | false | false |
| Host | string | | False | false | false |
| Password | string | | False | false | false |
| Port | int | | False | false | false |
| Token | string | | False | false | false |
| Username | string | | False | false | false |

| Property | Value |
| --- | --- |
| Display Name | Get Session End Events by src_ip [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | Splunk |
| Output Entities | Phrase |

Variants

| Transform Name | Input Entity | Description |
| --- | --- | --- |
| ipv4addresstonetworksessionssessionendusingsrcip | maltego.IPv4Address | This Transform returns SessionEnd events where the field ‘SrcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’ |
| ipv6addresstonetworksessionssessionendusingsrcip | maltego.IPv6Address | This Transform returns SessionEnd events where the field ‘SrcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’ |
Get Dhcp Events by src_ip [Splunk]
Settings

| Setting | Type | | | | |
| --- | --- | --- | --- | --- | --- |
| Date Range | daterange | | False | false | false |
| Host | string | | False | false | false |
| Password | string | | False | false | false |
| Port | int | | False | false | false |
| Token | string | | False | false | false |
| Username | string | | False | false | false |

| Property | Value |
| --- | --- |
| Display Name | Get Dhcp Events by src_ip [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | Splunk |
| Output Entities | Phrase |

Variants

| Transform Name | Input Entity | Description |
| --- | --- | --- |
| ipv4addresstonetworksessionsdhcpusingsrcip | maltego.IPv4Address | This Transform returns DHCP events where the field ‘SrcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’ |
| ipv6addresstonetworksessionsdhcpusingsrcip | maltego.IPv6Address | This Transform returns DHCP events where the field ‘SrcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’ |
Get Vpn Events by src_ip [Splunk]
Settings

| Setting | Type | | | | |
| --- | --- | --- | --- | --- | --- |
| Date Range | daterange | | False | false | false |
| Host | string | | False | false | false |
| Password | string | | False | false | false |
| Port | int | | False | false | false |
| Token | string | | False | false | false |
| Username | string | | False | false | false |

| Property | Value |
| --- | --- |
| Display Name | Get Vpn Events by src_ip [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | Splunk |
| Output Entities | Phrase |

Variants

| Transform Name | Input Entity | Description |
| --- | --- | --- |
| ipv4addresstonetworksessionsvpnusingsrcip | maltego.IPv4Address | This Transform returns VPN events where the field ‘SrcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’ |
| ipv6addresstonetworksessionsvpnusingsrcip | maltego.IPv6Address | This Transform returns VPN events where the field ‘SrcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’ |
Get Dns Events by src [Splunk]
Settings

| Setting | Type | | | | |
| --- | --- | --- | --- | --- | --- |
| Date Range | daterange | | False | false | false |
| Host | string | | False | false | false |
| Password | string | | False | false | false |
| Port | int | | False | false | false |
| Token | string | | False | false | false |
| Username | string | | False | false | false |

| Property | Value |
| --- | --- |
| Display Name | Get Dns Events by src [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | dev@maltego.com |
| Data Source | Splunk |
| Output Entities | Phrase |

Variants

| Transform Name | Input Entity | Description |
| --- | --- | --- |
| ipv4addresstonetworkresolutiondnsusingsrc | maltego.IPv4Address | This Transform returns DNS events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The source of the network resolution event. You can alias this from more specific fields such as src_host, src_ip, or src_name.’ |
| ipv6addresstonetworkresolutiondnsusingsrc | maltego.IPv6Address | This Transform returns DNS events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The source of the network resolution event. You can alias this from more specific fields such as src_host, src_ip, or src_name.’ |
Get Ports Events by src [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Ports Events by src [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
Transform Name | Input Entities | Short Description |
ipv4addresstoendpointportsusingsrc | maltego.IPv4Address | This Transform returns Ports events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The remote system connected to the listening port (if applicable).’ |
ipv6addresstoendpointportsusingsrc | maltego.IPv6Address | This Transform returns Ports events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The remote system connected to the listening port (if applicable).’ |
Get Ports Events by user [Splunk]
Description
This Transform returns Ports events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the listening port.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Ports Events by user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoendpointportsusinguser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns Ports events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the listening port.’ |
Get Processes Events by user_id [Splunk]
Description
This Transform returns Processes events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique identifier of the user account which spawned the process.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Processes Events by user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoendpointprocessesusinguserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns Processes events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique identifier of the user account which spawned the process.’ |
Get Processes Events by user [Splunk]
Description
This Transform returns Processes events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account which spawned the process.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Processes Events by user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoendpointprocessesusinguser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns Processes events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account which spawned the process.’ |
Get Processes Events by process_hash [Splunk]
Description
This Transform returns Processes events where the field ‘ProcessHash’ is equal to the value of the input Hash. The CIM defines the field name ProcessHash as ‘The digest(s) of the parent process such as etc.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Processes Events by process_hash [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | hashtoendpointprocessesusingprocesshash |
Input Entities | maltego.Hash |
Output Entities | Phrase |
Short Description | This Transform returns Processes events where the field ‘ProcessHash’ is equal to the value of the input Hash. The CIM defines the field name ProcessHash as ‘The digest(s) of the parent process such as etc.’ |
Get Services Events by user [Splunk]
Description
This Transform returns Services events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the service.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Services Events by user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoendpointservicesusinguser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns Services events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the service.’ |
Get Services Events by service_dll_hash [Splunk]
Description
This Transform returns Services events where the field ‘ServiceDllHash’ is equal to the value of the input Hash. The CIM defines the field name ServiceDllHash as ‘The digest(s) of the dynamic link library associated with the service such as etc.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Services Events by service_dll_hash [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | hashtoendpointservicesusingservicedllhash |
Input Entities | maltego.Hash |
Output Entities | Phrase |
Short Description | This Transform returns Services events where the field ‘ServiceDllHash’ is equal to the value of the input Hash. The CIM defines the field name ServiceDllHash as ‘The digest(s) of the dynamic link library associated with the service such as etc.’ |
Get Services Events by service_hash [Splunk]
Description
This Transform returns Services events where the field ‘ServiceHash’ is equal to the value of the input Hash. The CIM defines the field name ServiceHash as ‘The digest(s) of the service such as etc.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Services Events by service_hash [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | hashtoendpointservicesusingservicehash |
Input Entities | maltego.Hash |
Output Entities | Phrase |
Short Description | This Transform returns Services events where the field ‘ServiceHash’ is equal to the value of the input Hash. The CIM defines the field name ServiceHash as ‘The digest(s) of the service such as etc.’ |
Get Filesystem Events by user [Splunk]
Description
This Transform returns Filesystem events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the filesystem access.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Filesystem Events by user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoendpointfilesystemusinguser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns Filesystem events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the filesystem access.’ |
Get Filesystem Events by file_hash [Splunk]
Description
This Transform returns Filesystem events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘A cryptographic identifier assigned to the file object affected by the event.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Filesystem Events by file_hash [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | hashtoendpointfilesystemusingfilehash |
Input Entities | maltego.Hash |
Output Entities | Phrase |
Short Description | This Transform returns Filesystem events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘A cryptographic identifier assigned to the file object affected by the event.’ |
Get Registry Events by user [Splunk]
Description
This Transform returns Registry events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the registry access.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Registry Events by user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoendpointregistryusinguser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns Registry events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the registry access.’ |
Get Vulnerabilities Events by user [Splunk]
Description
This Transform returns Vulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Vulnerabilities Events by user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastovulnerabilitiesusinguser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns Vulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’ |
Get Vulnerabilities Events by dvc [Splunk]
Description
This Transform returns Vulnerabilities events where the field ‘Dvc’ is equal to the value of the input Alias. The CIM defines the field name Dvc as ‘The system that discovered the vulnerability. You can alias this from more specific fields such as dvc_host, dvc_ip or dvc_name.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Vulnerabilities Events by dvc [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastovulnerabilitiesusingdvc |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns Vulnerabilities events where the field ‘Dvc’ is equal to the value of the input Alias. The CIM defines the field name Dvc as ‘The system that discovered the vulnerability. You can alias this from more specific fields such as dvc_host, dvc_ip or dvc_name.’ |
Get Vulnerabilities Events by url [Splunk]
Description
This Transform returns Vulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Vulnerabilities Events by url [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | urltovulnerabilitiesusingurl |
Input Entities | maltego.URL |
Output Entities | Phrase |
Short Description | This Transform returns Vulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’ |
Get High Critical Vulnerabilities Events by user [Splunk]
Description
This Transform returns HighCriticalVulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get High Critical Vulnerabilities Events by user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastovulnerabilitieshighcriticalvulnerabilitiesusinguser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns HighCriticalVulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’ |
Get High Critical Vulnerabilities Events by url [Splunk]
Description
This Transform returns HighCriticalVulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get High Critical Vulnerabilities Events by url [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | urltovulnerabilitieshighcriticalvulnerabilitiesusingurl |
Input Entities | maltego.URL |
Output Entities | Phrase |
Short Description | This Transform returns HighCriticalVulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’ |
Get Medium Vulnerabilities Events by user [Splunk]
Description
This Transform returns MediumVulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Medium Vulnerabilities Events by user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastovulnerabilitiesmediumvulnerabilitiesusinguser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns MediumVulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’ |
Get Medium Vulnerabilities Events by url [Splunk]
Description
This Transform returns MediumVulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Medium Vulnerabilities Events by url [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | urltovulnerabilitiesmediumvulnerabilitiesusingurl |
Input Entities | maltego.URL |
Output Entities | Phrase |
Short Description | This Transform returns MediumVulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’ |
Get Low Informational Vulnerabilities Events by user [Splunk]
Description
This Transform returns LowInformationalVulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Low Informational Vulnerabilities Events by user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastovulnerabilitieslowinformationalvulnerabilitiesusinguser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns LowInformationalVulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’ |
Get Low Informational Vulnerabilities Events by url [Splunk]
Description
This Transform returns LowInformationalVulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Low Informational Vulnerabilities Events by url [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | urltovulnerabilitieslowinformationalvulnerabilitiesusingurl |
Input Entities | maltego.URL |
Output Entities | Phrase |
Short Description | This Transform returns LowInformationalVulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’ |
Get Authentication Events by src [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Authentication Events by src [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
Transform Name | Input Entities | Short Description |
ipv4addresstoauthenticationusingsrc | maltego.IPv4Address | This Transform returns Authentication events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The source involved in the authentication. In the case of endpoint protection authentication, the src is the client. You can alias this from more specific fields such as src_host, src_ip or src_nt_host.’ |
ipv6addresstoauthenticationusingsrc | maltego.IPv6Address | This Transform returns Authentication events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The source involved in the authentication. In the case of endpoint protection authentication, the src is the client. You can alias this from more specific fields such as src_host, src_ip or src_nt_host.’ |
Get Authentication Events by src_user_id [Splunk]
Description
This Transform returns Authentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Authentication Events by src_user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationusingsrcuserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns Authentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |
Get Authentication Events by src_user [Splunk]
Description
This Transform returns Authentication events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Authentication Events by src_user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationusingsrcuser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns Authentication events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |
Get Authentication Events by user_id [Splunk]
Description
This Transform returns Authentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Authentication Events by user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationusinguserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns Authentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’ |
Get Authentication Events by user [Splunk]
Description
This Transform returns Authentication events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The name of the user involved in the event or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Authentication Events by user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationusinguser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns Authentication events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The name of the user involved in the event or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’ |
Get Failed Authentication Events by src_user_id [Splunk]
Description
This Transform returns FailedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Failed Authentication Events by src_user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationfailedauthenticationusingsrcuserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns FailedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |
Get Failed Authentication Events by user_id [Splunk]
Description
This Transform returns FailedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Failed Authentication Events by user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationfailedauthenticationusinguserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns FailedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’ |
Get Successful Authentication Events by src_user_id [Splunk]
Description
This Transform returns SuccessfulAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Successful Authentication Events by src_user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationsuccessfulauthenticationusingsrcuserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns SuccessfulAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |
Get Successful Authentication Events by user_id [Splunk]
Description
This Transform returns SuccessfulAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Successful Authentication Events by user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationsuccessfulauthenticationusinguserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns SuccessfulAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’ |
Get Default Authentication Events by src_user_id [Splunk]
Description
This Transform returns DefaultAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Default Authentication Events by src_user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationdefaultauthenticationusingsrcuserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns DefaultAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |
Get Default Authentication Events by user_id [Splunk]
Description
This Transform returns DefaultAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Default Authentication Events by user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationdefaultauthenticationusinguserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns DefaultAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |
Get Failed Default Authentication Events by src_user_id [Splunk]
Description
This Transform returns FailedDefaultAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Failed Default Authentication Events by src_user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationfaileddefaultauthenticationusingsrcuserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns FailedDefaultAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |
Get Failed Default Authentication Events by user_id [Splunk]
Description
This Transform returns FailedDefaultAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Failed Default Authentication Events by user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationfaileddefaultauthenticationusinguserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns FailedDefaultAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |
Get Successful Default Authentication Events by src_user_id [Splunk]
Description
This Transform returns SuccessfulDefaultAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Successful Default Authentication Events by src_user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationsuccessfuldefaultauthenticationusingsrcuserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns SuccessfulDefaultAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |
Get Successful Default Authentication Events by user_id [Splunk]
Description
This Transform returns SuccessfulDefaultAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Successful Default Authentication Events by user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationsuccessfuldefaultauthenticationusinguserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns SuccessfulDefaultAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |
Get Insecure Authentication Events by src_user_id [Splunk]
Description
This Transform returns InsecureAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Insecure Authentication Events by src_user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationinsecureauthenticationusingsrcuserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns InsecureAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |
Get Insecure Authentication Events by user_id [Splunk]
Description
This Transform returns InsecureAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Insecure Authentication Events by user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationinsecureauthenticationusinguserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns InsecureAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |
Get Privileged Authentication Events by src_user_id [Splunk]
Description
This Transform returns PrivilegedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Privileged Authentication Events by src_user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationprivilegedauthenticationusingsrcuserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns PrivilegedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |
Get Privileged Authentication Events by user_id [Splunk]
Description
This Transform returns PrivilegedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Privileged Authentication Events by user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationprivilegedauthenticationusinguserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns PrivilegedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |
Get Failed Privileged Authentication Events by src_user_id [Splunk]
Description
This Transform returns FailedPrivilegedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Failed Privileged Authentication Events by src_user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationfailedprivilegedauthenticationusingsrcuserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns FailedPrivilegedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |
Get Failed Privileged Authentication Events by user_id [Splunk]
Description
This Transform returns FailedPrivilegedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Failed Privileged Authentication Events by user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationfailedprivilegedauthenticationusinguserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns FailedPrivilegedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |
Get Successful Privileged Authentication Events by src_user_id [Splunk]
Description
This Transform returns SuccessfulPrivilegedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Successful Privileged Authentication Events by src_user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationsuccessfulprivilegedauthenticationusingsrcuserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns SuccessfulPrivilegedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |
Get Successful Privileged Authentication Events by user_id [Splunk]
Description
This Transform returns SuccessfulPrivilegedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Successful Privileged Authentication Events by user_id [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastoauthenticationsuccessfulprivilegedauthenticationusinguserid |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns SuccessfulPrivilegedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |
Get All Traffic Events by src_ip [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get All Traffic Events by src_ip [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstonetworktrafficalltrafficusingsrcip | maltego.IPv4Address | This Transform returns AllTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name SrcIp as ‘The ip address of the source.’ |
ipv6addresstonetworktrafficalltrafficusingsrcip | maltego.IPv6Address | This Transform returns AllTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name SrcIp as ‘The ip address of the source.’ |
Get All Traffic Events by src [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get All Traffic Events by src [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstonetworktrafficalltrafficusingsrc | maltego.IPv4Address | This Transform returns AllTraffic events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The source of the network traffic (the client requesting the connection). You can alias this from more specific fields, such as src_host, src_ip, or src_name.’ |
ipv6addresstonetworktrafficalltrafficusingsrc | maltego.IPv6Address | This Transform returns AllTraffic events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The source of the network traffic (the client requesting the connection). You can alias this from more specific fields, such as src_host, src_ip, or src_name.’ |
Get All Traffic Events by dest_ip [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get All Traffic Events by dest_ip [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstonetworktrafficalltrafficusingdestip | maltego.IPv4Address | This Transform returns AllTraffic events where the field ‘DestIp’ is equal to the value of the input IPv4Address. The CIM defines the field name DestIp as ‘The IP address of the destination.’ |
ipv6addresstonetworktrafficalltrafficusingdestip | maltego.IPv6Address | This Transform returns AllTraffic events where the field ‘DestIp’ is equal to the value of the input IPv6Address. The CIM defines the field name DestIp as ‘The IP address of the destination.’ |
Get All Traffic Events by dvc_ip [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get All Traffic Events by dvc_ip [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstonetworktrafficalltrafficusingdvcip | maltego.IPv4Address | This Transform returns AllTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name DvcIp as ‘The ip address of the device.’ |
ipv6addresstonetworktrafficalltrafficusingdvcip | maltego.IPv6Address | This Transform returns AllTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name DvcIp as ‘The ip address of the device.’ |
Get All Traffic Events by dvc [Splunk]
Description
This Transform returns AllTraffic events where the field ‘Dvc’ is equal to the value of the input Alias. The CIM defines the field name Dvc as ‘The device that reported the traffic event. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get All Traffic Events by dvc [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastonetworktrafficalltrafficusingdvc |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns AllTraffic events where the field ‘Dvc’ is equal to the value of the input Alias. The CIM defines the field name Dvc as ‘The device that reported the traffic event. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name.’ |
Get All Traffic Events by user [Splunk]
Description
This Transform returns AllTraffic events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user that requested the traffic flow.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get All Traffic Events by user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastonetworktrafficalltrafficusinguser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns AllTraffic events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user that requested the traffic flow.’ |
Get Allowed Traffic Events by src_ip [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Allowed Traffic Events by src_ip [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstonetworktrafficallowedtrafficusingsrcip | maltego.IPv4Address | This Transform returns AllowedTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name SrcIp as ‘The ip address of the source.’ |
ipv6addresstonetworktrafficallowedtrafficusingsrcip | maltego.IPv6Address | This Transform returns AllowedTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name SrcIp as ‘The ip address of the source.’ |
Get Allowed Traffic Events by dest_ip [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Allowed Traffic Events by dest_ip [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstonetworktrafficallowedtrafficusingdestip | maltego.IPv4Address | This Transform returns AllowedTraffic events where the field ‘DestIp’ is equal to the value of the input IPv4Address. The CIM defines the field name DestIp as ‘The IP address of the destination.’ |
ipv6addresstonetworktrafficallowedtrafficusingdestip | maltego.IPv6Address | This Transform returns AllowedTraffic events where the field ‘DestIp’ is equal to the value of the input IPv6Address. The CIM defines the field name DestIp as ‘The IP address of the destination.’ |
Get Allowed Traffic Events by dvc_ip [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Allowed Traffic Events by dvc_ip [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstonetworktrafficallowedtrafficusingdvcip | maltego.IPv4Address | This Transform returns AllowedTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name DvcIp as ‘The ip address of the device.’ |
ipv6addresstonetworktrafficallowedtrafficusingdvcip | maltego.IPv6Address | This Transform returns AllowedTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name DvcIp as ‘The ip address of the device.’ |
Get Blocked Traffic Events by src_ip [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Blocked Traffic Events by src_ip [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstonetworktrafficblockedtrafficusingsrcip | maltego.IPv4Address | This Transform returns BlockedTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name SrcIp as ‘The ip address of the source.’ |
ipv6addresstonetworktrafficblockedtrafficusingsrcip | maltego.IPv6Address | This Transform returns BlockedTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name SrcIp as ‘The ip address of the source.’ |
Get Blocked Traffic Events by dest_ip [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Blocked Traffic Events by dest_ip [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstonetworktrafficblockedtrafficusingdestip | maltego.IPv4Address | This Transform returns BlockedTraffic events where the field ‘DestIp’ is equal to the value of the input IPv4Address. The CIM defines the field name DestIp as ‘The IP address of the destination.’ |
ipv6addresstonetworktrafficblockedtrafficusingdestip | maltego.IPv6Address | This Transform returns BlockedTraffic events where the field ‘DestIp’ is equal to the value of the input IPv6Address. The CIM defines the field name DestIp as ‘The IP address of the destination.’ |
Get Blocked Traffic Events by dvc_ip [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Blocked Traffic Events by dvc_ip [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstonetworktrafficblockedtrafficusingdvcip | maltego.IPv4Address | This Transform returns BlockedTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name DvcIp as ‘The ip address of the device.’ |
ipv6addresstonetworktrafficblockedtrafficusingdvcip | maltego.IPv6Address | This Transform returns BlockedTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name DvcIp as ‘The ip address of the device.’ |
Get Malware Attacks Events by src [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Malware Attacks Events by src [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstomalwaremalwareattacksusingsrc | maltego.IPv4Address | This Transform returns MalwareAttacks events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’ |
ipv6addresstomalwaremalwareattacksusingsrc | maltego.IPv6Address | This Transform returns MalwareAttacks events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’ |
Get Malware Attacks Events by src_user [Splunk]
Description
This Transform returns MalwareAttacks events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Malware Attacks Events by src_user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastomalwaremalwareattacksusingsrcuser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns MalwareAttacks events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’ |
Get Malware Attacks Events by user [Splunk]
Description
This Transform returns MalwareAttacks events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the malware event.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Malware Attacks Events by user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastomalwaremalwareattacksusinguser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns MalwareAttacks events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the malware event.’ |
Get Malware Attacks Events by url [Splunk]
Description
This Transform returns MalwareAttacks events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Malware Attacks Events by url [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | urltomalwaremalwareattacksusingurl |
Input Entities | maltego.URL |
Output Entities | Phrase |
Short Description | This Transform returns MalwareAttacks events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’ |
Get Malware Attacks Events by file_hash [Splunk]
Description
This Transform returns MalwareAttacks events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Malware Attacks Events by file_hash [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | hashtomalwaremalwareattacksusingfilehash |
Input Entities | maltego.Hash |
Output Entities | Phrase |
Short Description | This Transform returns MalwareAttacks events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’ |
Get Allowed Malware Events by src [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Allowed Malware Events by src [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstomalwareallowedmalwareusingsrc | maltego.IPv4Address | This Transform returns AllowedMalware events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’ |
ipv6addresstomalwareallowedmalwareusingsrc | maltego.IPv6Address | This Transform returns AllowedMalware events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’ |
Get Allowed Malware Events by src_user [Splunk]
Description
This Transform returns AllowedMalware events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Allowed Malware Events by src_user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastomalwareallowedmalwareusingsrcuser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns AllowedMalware events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’ |
Get Allowed Malware Events by url [Splunk]
Description
This Transform returns AllowedMalware events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Allowed Malware Events by url [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | urltomalwareallowedmalwareusingurl |
Input Entities | maltego.URL |
Output Entities | Phrase |
Short Description | This Transform returns AllowedMalware events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’ |
Get Allowed Malware Events by file_hash [Splunk]
Description
This Transform returns AllowedMalware events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Allowed Malware Events by file_hash [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | hashtomalwareallowedmalwareusingfilehash |
Input Entities | maltego.Hash |
Output Entities | Phrase |
Short Description | This Transform returns AllowedMalware events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’ |
Get Blocked Malware Events by src [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Blocked Malware Events by src [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstomalwareblockedmalwareusingsrc | maltego.IPv4Address | This Transform returns BlockedMalware events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’ |
ipv6addresstomalwareblockedmalwareusingsrc | maltego.IPv6Address | This Transform returns BlockedMalware events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’ |
Get Blocked Malware Events by src_user [Splunk]
Description
This Transform returns BlockedMalware events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Blocked Malware Events by src_user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastomalwareblockedmalwareusingsrcuser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns BlockedMalware events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’ |
Get Blocked Malware Events by url [Splunk]
Description
This Transform returns BlockedMalware events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Blocked Malware Events by url [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | urltomalwareblockedmalwareusingurl |
Input Entities | maltego.URL |
Output Entities | Phrase |
Short Description | This Transform returns BlockedMalware events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’ |
Get Blocked Malware Events by file_hash [Splunk]
Description
This Transform returns BlockedMalware events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Blocked Malware Events by file_hash [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | hashtomalwareblockedmalwareusingfilehash |
Input Entities | maltego.Hash |
Output Entities | Phrase |
Short Description | This Transform returns BlockedMalware events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’ |
Get Deferred Malware Events by src [Splunk]
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Deferred Malware Events by src [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Output Entities | Phrase |
Variants
ipv4addresstomalwaredeferredmalwareusingsrc | maltego.IPv4Address | This Transform returns DeferredMalware events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’ |
ipv6addresstomalwaredeferredmalwareusingsrc | maltego.IPv6Address | This Transform returns DeferredMalware events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’ |
Get Deferred Malware Events by src_user [Splunk]
Description
This Transform returns DeferredMalware events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Deferred Malware Events by src_user [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | aliastomalwaredeferredmalwareusingsrcuser |
Input Entities | maltego.Alias |
Output Entities | Phrase |
Short Description | This Transform returns DeferredMalware events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’ |
Get Deferred Malware Events by url [Splunk]
Description
This Transform returns DeferredMalware events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Deferred Malware Events by url [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | urltomalwaredeferredmalwareusingurl |
Input Entities | maltego.URL |
Output Entities | Phrase |
Short Description | This Transform returns DeferredMalware events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’ |
Get Deferred Malware Events by file_hash [Splunk]
Description
This Transform returns DeferredMalware events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Deferred Malware Events by file_hash [Splunk] |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | Splunk |
Transform Name | hashtomalwaredeferredmalwareusingfilehash |
Input Entities | maltego.Hash |
Output Entities | Phrase |
Short Description | This Transform returns DeferredMalware events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’ |
Get All Sessions Events (any field)
Description
Returns events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get All Sessions Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns events where the input Entity value was observed |
Variants
rawsearchallsessionsusingipv4address | maltego.IPv4Address |
rawsearchallsessionsusingipv6address | maltego.IPv6Address |
rawsearchallsessionsusinghash | maltego.Hash |
rawsearchallsessionsusingalias | maltego.Alias |
rawsearchallsessionsusingemailaddress | maltego.EmailAddress |
rawsearchallsessionsusingphrase | maltego.Phrase |
rawsearchallsessionsusingdomain | maltego.Domain |
rawsearchallsessionsusingcve | maltego.CVE |
Get DHCP Events (any field)
Description
Returns events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get DHCP Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns events where the input Entity value was observed |
Variants
rawsearchdhcpusingipv4address | maltego.IPv4Address |
rawsearchdhcpusingipv6address | maltego.IPv6Address |
rawsearchdhcpusinghash | maltego.Hash |
rawsearchdhcpusingalias | maltego.Alias |
rawsearchdhcpusingemailaddress | maltego.EmailAddress |
rawsearchdhcpusingphrase | maltego.Phrase |
rawsearchdhcpusingdomain | maltego.Domain |
rawsearchdhcpusingcve | maltego.CVE |
Get DNS Events (any field)
Description
Returns events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get DNS Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns events where the input Entity value was observed |
Variants
rawsearchdnsusingipv4address | maltego.IPv4Address |
rawsearchdnsusingipv6address | maltego.IPv6Address |
rawsearchdnsusinghash | maltego.Hash |
rawsearchdnsusingalias | maltego.Alias |
rawsearchdnsusingemailaddress | maltego.EmailAddress |
rawsearchdnsusingphrase | maltego.Phrase |
rawsearchdnsusingdomain | maltego.Domain |
rawsearchdnsusingcve | maltego.CVE |
Get Ports Events (any field)
Description
Returns events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Ports Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns events where the input Entity value was observed |
Variants
rawsearchportsusingipv4address | maltego.IPv4Address |
rawsearchportsusingipv6address | maltego.IPv6Address |
rawsearchportsusinghash | maltego.Hash |
rawsearchportsusingalias | maltego.Alias |
rawsearchportsusingemailaddress | maltego.EmailAddress |
rawsearchportsusingphrase | maltego.Phrase |
rawsearchportsusingdomain | maltego.Domain |
rawsearchportsusingcve | maltego.CVE |
Get Processes Events (any field)
Description
Returns events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Processes Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns events where the input Entity value was observed |
Variants
rawsearchprocessesusingipv4address | maltego.IPv4Address |
rawsearchprocessesusingipv6address | maltego.IPv6Address |
rawsearchprocessesusinghash | maltego.Hash |
rawsearchprocessesusingalias | maltego.Alias |
rawsearchprocessesusingemailaddress | maltego.EmailAddress |
rawsearchprocessesusingphrase | maltego.Phrase |
rawsearchprocessesusingdomain | maltego.Domain |
rawsearchprocessesusingcve | maltego.CVE |
Get Services Events (any field)
Description
Returns events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Services Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns events where the input Entity value was observed |
Variants
rawsearchservicesusingipv4address | maltego.IPv4Address |
rawsearchservicesusingipv6address | maltego.IPv6Address |
rawsearchservicesusinghash | maltego.Hash |
rawsearchservicesusingalias | maltego.Alias |
rawsearchservicesusingemailaddress | maltego.EmailAddress |
rawsearchservicesusingphrase | maltego.Phrase |
rawsearchservicesusingdomain | maltego.Domain |
rawsearchservicesusingcve | maltego.CVE |
Get Filesystem Events (any field)
Description
Returns events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Filesystem Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns events where the input Entity value was observed |
Variants
rawsearchfilesystemusingipv4address | maltego.IPv4Address |
rawsearchfilesystemusingipv6address | maltego.IPv6Address |
rawsearchfilesystemusinghash | maltego.Hash |
rawsearchfilesystemusingalias | maltego.Alias |
rawsearchfilesystemusingemailaddress | maltego.EmailAddress |
rawsearchfilesystemusingphrase | maltego.Phrase |
rawsearchfilesystemusingdomain | maltego.Domain |
rawsearchfilesystemusingcve | maltego.CVE |
Get Registry Events (any field)
Description
Returns events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Registry Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns events where the input Entity value was observed |
Variants
rawsearchregistryusingipv4address | maltego.IPv4Address |
rawsearchregistryusingipv6address | maltego.IPv6Address |
rawsearchregistryusinghash | maltego.Hash |
rawsearchregistryusingalias | maltego.Alias |
rawsearchregistryusingemailaddress | maltego.EmailAddress |
rawsearchregistryusingphrase | maltego.Phrase |
rawsearchregistryusingdomain | maltego.Domain |
rawsearchregistryusingcve | maltego.CVE |
Get Vulnerabilities Events (any field)
Description
Returns events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Vulnerabilities Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns events where the input Entity value was observed |
Variants
rawsearchvulnerabilitiesusingipv4address | maltego.IPv4Address |
rawsearchvulnerabilitiesusingipv6address | maltego.IPv6Address |
rawsearchvulnerabilitiesusinghash | maltego.Hash |
rawsearchvulnerabilitiesusingalias | maltego.Alias |
rawsearchvulnerabilitiesusingemailaddress | maltego.EmailAddress |
rawsearchvulnerabilitiesusingphrase | maltego.Phrase |
rawsearchvulnerabilitiesusingdomain | maltego.Domain |
rawsearchvulnerabilitiesusingcve | maltego.CVE |
Get Authentication Events (any field)
Description
Returns events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Authentication Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns events where the input Entity value was observed |
Variants
rawsearchauthenticationusingipv4address | maltego.IPv4Address |
rawsearchauthenticationusingipv6address | maltego.IPv6Address |
rawsearchauthenticationusinghash | maltego.Hash |
rawsearchauthenticationusingalias | maltego.Alias |
rawsearchauthenticationusingemailaddress | maltego.EmailAddress |
rawsearchauthenticationusingphrase | maltego.Phrase |
rawsearchauthenticationusingdomain | maltego.Domain |
rawsearchauthenticationusingcve | maltego.CVE |
Get All Traffic Events (any field)
Description
Returns events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get All Traffic Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns events where the input Entity value was observed |
Variants
rawsearchalltrafficusingipv4address | maltego.IPv4Address |
rawsearchalltrafficusingipv6address | maltego.IPv6Address |
rawsearchalltrafficusinghash | maltego.Hash |
rawsearchalltrafficusingalias | maltego.Alias |
rawsearchalltrafficusingemailaddress | maltego.EmailAddress |
rawsearchalltrafficusingphrase | maltego.Phrase |
rawsearchalltrafficusingdomain | maltego.Domain |
rawsearchalltrafficusingcve | maltego.CVE |
Get Malware Attacks Events (any field)
Description
Returns events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Malware Attacks Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns events where the input Entity value was observed |
Variants
rawsearchmalwareattacksusingipv4address | maltego.IPv4Address |
rawsearchmalwareattacksusingipv6address | maltego.IPv6Address |
rawsearchmalwareattacksusinghash | maltego.Hash |
rawsearchmalwareattacksusingalias | maltego.Alias |
rawsearchmalwareattacksusingemailaddress | maltego.EmailAddress |
rawsearchmalwareattacksusingphrase | maltego.Phrase |
rawsearchmalwareattacksusingdomain | maltego.Domain |
rawsearchmalwareattacksusingcve | maltego.CVE |
Get Malware Operations Events (any field)
Description
Returns events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Get Malware Operations Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns events where the input Entity value was observed |
Variants
rawsearchmalwareoperationsusingipv4address | maltego.IPv4Address |
rawsearchmalwareoperationsusingipv6address | maltego.IPv6Address |
rawsearchmalwareoperationsusinghash | maltego.Hash |
rawsearchmalwareoperationsusingalias | maltego.Alias |
rawsearchmalwareoperationsusingemailaddress | maltego.EmailAddress |
rawsearchmalwareoperationsusingphrase | maltego.Phrase |
rawsearchmalwareoperationsusingdomain | maltego.Domain |
rawsearchmalwareoperationsusingcve | maltego.CVE |
Search All Events (any field)
Description
Returns Splunk events where the input Entity value was observed
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Search All Events (any field) |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Output Entities | Phrase |
Short Description | Returns Splunk events where the input Entity value was observed |
Variants
rawmultisearchallmodelsusingipv4address | maltego.IPv4Address |
rawmultisearchallmodelsusingipv6address | maltego.IPv6Address |
rawmultisearchallmodelsusinghash | maltego.Hash |
rawmultisearchallmodelsusingalias | maltego.Alias |
rawmultisearchallmodelsusingemailaddress | maltego.EmailAddress |
rawmultisearchallmodelsusingphrase | maltego.Phrase |
rawmultisearchallmodelsusingdomain | maltego.Domain |
rawmultisearchallmodelsusingcve | maltego.CVE |
Run Raw Splunk Query
Description
This Transform executes the given Splunk query
Date Range | daterange | | False | false | false |
Host | string | | False | false | false |
Password | string | | False | false | false |
Port | int | | False | false | false |
Token | string | | False | false | false |
Username | string | | False | false | false |
Display Name | Run Raw Splunk Query |
Owner | Maltego Technologies GmbH |
Author | dev@maltego.com |
Data Source | |
Transform Name | phrasetorawquery |
Input Entities | maltego.Phrase |
Output Entities | Phrase |
Short Description | This Transform executes the given Splunk query |