Open navigation

Splunk Enterprise Security

Modified on: Mon, 16 May, 2022 at 1:09 PM

Overview

Splunk is a software platform used for monitoring, searching, analyzing, and visualizing machine-generated log data in real-time. Splunk provides insights to technology infrastructure, security systems, and various business applications that help drive operational performance and business results.


Splunk ES was developed to help make sense of machine-generated log data, and has become a popular choice among Security Information and Event Management (SIEM) solutions for many organizations worldwide. It is primarily used for searching, monitoring, and examining Big Data through a web-style interface.


The Splunk Enterprise integration for Maltego combines the full advantage of the Splunk Common Information Model (CIM) with the investigative capabilities of link analysis.


Using Splunk, SOC teams and cyber security and threat analysts alike can easily query the following CIM data models:

  • Authentication
  • Endpoint
  • Malware
  • Network Resolution
  • Network Sessions
  • Network Traffic
  • Vulnerabilities


Investigators can also perform raw searches, using Splunk’s Search Processing Language to get other events that may not yet be part of the data models.


Be sure to read our blog post: SIEM-plifying Investigations with Splunk and Maltego to learn more about how to leverage Splunk data and explore a use case showing how the Splunk Enterprise Security Transforms can query the Authentication data model, thus allowing you to retrieve information from authentication sources such as Active Directory (AD) directly on Maltego.


You can read more about the Splunk integration in the Hub item detail page on our website here.


Installation guidelines

For customers with an internet-facing Splunk instance, simply install the Hub item and enter your details. For customers without an internet-facing Splunk instance, email support@maltego.com or reach out to us using the contact form on this page.


If you are a Maltego Pro user and are interested in learning how to integrate Splunk Enterprise into Maltego within your organization, email us at support@maltego.com Our integration experts are happy to discuss your needs and support the integration process!


Pricing and Access

The Splunk Enterprise Security Transforms are only available to Enterprise plan users with a Maltego commercial license (One, Classic, XL).


If you are interested in learning how we can help you achieve this integration within your organization, please reach out to us.


Splunk Enterprise Security Transforms

To Action (Phrase)

Description

Returns the value of the field ‘action’ as a Phrase Entity


Transform Meta Info

Information Value
Display Name To Action (Phrase)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘action’ as a Phrase Entity

Variants

Transform Name Input Entities
networksessionsallsessionstoactionphrase maltego.splunk.AllSessions
endpointprocessestoactionphrase maltego.splunk.Processes
endpointfilesystemtoactionphrase maltego.splunk.Filesystem
endpointregistrytoactionphrase maltego.splunk.Registry
authenticationtoactionphrase maltego.splunk.Authentication
networktrafficalltraffictoactionphrase maltego.splunk.AllTraffic
malwaremalwareattackstoactionphrase maltego.splunk.MalwareAttacks

To Signature (Phrase)

Description

Returns the value of the field ‘signature’ as a Phrase Entity


Transform Meta Info

Information Value
Display Name To Signature (Phrase)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘signature’ as a Phrase Entity

Variants

Transform Name Input Entities
networksessionsallsessionstosignaturephrase maltego.splunk.AllSessions
vulnerabilitiestosignaturephrase maltego.splunk.Vulnerabilities
authenticationtosignaturephrase maltego.splunk.Authentication
malwaremalwareattackstosignaturephrase maltego.splunk.MalwareAttacks

To SrcIp (IPv4Address)

Description

Returns the value of the field ‘src_ip’ as a IPv4Address Entity


Transform Meta Info

Information Value
Display Name To SrcIp (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘src_ip’ as a IPv4Address Entity

Variants

Transform Name Input Entities
networksessionsallsessionstosrcipipv4address maltego.splunk.AllSessions
networktrafficalltraffictosrcipipv4address maltego.splunk.AllTraffic

To SrcIp (IPv6Address)

Description

Returns the value of the field ‘src_ip’ as a IPv6Address Entity


Transform Meta Info

Information Value
Display Name To SrcIp (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘src_ip’ as a IPv6Address Entity

Variants

Transform Name Input Entities
networksessionsallsessionstosrcipipv6address maltego.splunk.AllSessions
networktrafficalltraffictosrcipipv6address maltego.splunk.AllTraffic

To SrcNtHost (Domain)

Description

Returns the value of the field ‘src_nt_host’ as a Domain Entity


Transform Meta Info

Information Value
Display Name To SrcNtHost (Domain)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networksessionsallsessionstosrcnthostdomain
Input Entities maltego.splunk.AllSessions
Output Entities Phrase
Short Description Returns the value of the field ‘src_nt_host’ as a Domain Entity

To DestIp (IPv4Address)

Description

Returns the value of the field ‘dest_ip’ as a IPv4Address Entity


Transform Meta Info

Information Value
Display Name To DestIp (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘dest_ip’ as a IPv4Address Entity

Variants

Transform Name Input Entities
networksessionsallsessionstodestipipv4address maltego.splunk.AllSessions
networktrafficalltraffictodestipipv4address maltego.splunk.AllTraffic

To DestIp (IPv6Address)

Description

Returns the value of the field ‘dest_ip’ as a IPv6Address Entity


Transform Meta Info

Information Value
Display Name To DestIp (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘dest_ip’ as a IPv6Address Entity

Variants

Transform Name Input Entities
networksessionsallsessionstodestipipv6address maltego.splunk.AllSessions
networktrafficalltraffictodestipipv6address maltego.splunk.AllTraffic

To DestNtHost (Domain)

Description

Returns the value of the field ‘dest_nt_host’ as a Domain Entity


Transform Meta Info

Information Value
Display Name To DestNtHost (Domain)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networksessionsallsessionstodestnthostdomain
Input Entities maltego.splunk.AllSessions
Output Entities Phrase
Short Description Returns the value of the field ‘dest_nt_host’ as a Domain Entity

To User (Alias)

Description

Returns the value of the field ‘user’ as a Alias Entity


Transform Meta Info

Information Value
Display Name To User (Alias)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘user’ as a Alias Entity

Variants

Transform Name Input Entities
networksessionsallsessionstouseralias maltego.splunk.AllSessions
endpointportstouseralias maltego.splunk.Ports
endpointprocessestouseralias maltego.splunk.Processes
endpointservicestouseralias maltego.splunk.Services
endpointfilesystemtouseralias maltego.splunk.Filesystem
endpointregistrytouseralias maltego.splunk.Registry
vulnerabilitiestouseralias maltego.splunk.Vulnerabilities
authenticationtouseralias maltego.splunk.Authentication
networktrafficalltraffictouseralias maltego.splunk.AllTraffic
malwaremalwareattackstouseralias maltego.splunk.MalwareAttacks

To Src (IPv4Address)

Description

Returns the value of the field ‘src’ as a IPv4Address Entity


Transform Meta Info

Information Value
Display Name To Src (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘src’ as a IPv4Address Entity

Variants

Transform Name Input Entities
networkresolutiondnstosrcipv4address maltego.splunk.Dns
endpointportstosrcipv4address maltego.splunk.Ports
authenticationtosrcipv4address maltego.splunk.Authentication
networktrafficalltraffictosrcipv4address maltego.splunk.AllTraffic
malwaremalwareattackstosrcipv4address maltego.splunk.MalwareAttacks

To Src (IPv6Address)

Description

Returns the value of the field ‘src’ as a IPv6Address Entity


Transform Meta Info

Information Value
Display Name To Src (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘src’ as a IPv6Address Entity

Variants

Transform Name Input Entities
networkresolutiondnstosrcipv6address maltego.splunk.Dns
endpointportstosrcipv6address maltego.splunk.Ports
authenticationtosrcipv6address maltego.splunk.Authentication
networktrafficalltraffictosrcipv6address maltego.splunk.AllTraffic
malwaremalwareattackstosrcipv6address maltego.splunk.MalwareAttacks

To Dest (IPv4Address)

Description

Returns the value of the field ‘dest’ as a IPv4Address Entity


Transform Meta Info

Information Value
Display Name To Dest (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘dest’ as a IPv4Address Entity

Variants

Transform Name Input Entities
networkresolutiondnstodestipv4address maltego.splunk.Dns
endpointportstodestipv4address maltego.splunk.Ports
endpointprocessestodestipv4address maltego.splunk.Processes
endpointservicestodestipv4address maltego.splunk.Services
endpointfilesystemtodestipv4address maltego.splunk.Filesystem
endpointregistrytodestipv4address maltego.splunk.Registry
vulnerabilitiestodestipv4address maltego.splunk.Vulnerabilities
authenticationtodestipv4address maltego.splunk.Authentication
networktrafficalltraffictodestipv4address maltego.splunk.AllTraffic
malwaremalwareattackstodestipv4address maltego.splunk.MalwareAttacks
malwaremalwareoperationstodestipv4address maltego.splunk.MalwareOperations

To Dest (IPv6Address)

Description

Returns the value of the field ‘dest’ as a IPv6Address Entity


Transform Meta Info

Information Value
Display Name To Dest (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘dest’ as a IPv6Address Entity

Variants

Transform Name Input Entities
networkresolutiondnstodestipv6address maltego.splunk.Dns
endpointportstodestipv6address maltego.splunk.Ports
endpointprocessestodestipv6address maltego.splunk.Processes
endpointservicestodestipv6address maltego.splunk.Services
endpointfilesystemtodestipv6address maltego.splunk.Filesystem
endpointregistrytodestipv6address maltego.splunk.Registry
vulnerabilitiestodestipv6address maltego.splunk.Vulnerabilities
authenticationtodestipv6address maltego.splunk.Authentication
networktrafficalltraffictodestipv6address maltego.splunk.AllTraffic
malwaremalwareattackstodestipv6address maltego.splunk.MalwareAttacks
malwaremalwareoperationstodestipv6address maltego.splunk.MalwareOperations

To ProcessHash (Hash)

Description

Returns the value of the field ‘process_hash’ as a Hash Entity


Transform Meta Info

Information Value
Display Name To ProcessHash (Hash)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name endpointprocessestoprocesshashhash
Input Entities maltego.splunk.Processes
Output Entities Phrase
Short Description Returns the value of the field ‘process_hash’ as a Hash Entity

To UserId (Alias)

Description

Returns the value of the field ‘user_id’ as a Alias Entity


Transform Meta Info

Information Value
Display Name To UserId (Alias)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘user_id’ as a Alias Entity

Variants

Transform Name Input Entities
endpointprocessestouseridalias maltego.splunk.Processes
authenticationtouseridalias maltego.splunk.Authentication

To Description (Phrase)

Description

Returns the value of the field ‘description’ as a Phrase Entity


Transform Meta Info

Information Value
Display Name To Description (Phrase)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name endpointservicestodescriptionphrase
Input Entities maltego.splunk.Services
Output Entities Phrase
Short Description Returns the value of the field ‘description’ as a Phrase Entity

To ServiceDllHash (Hash)

Description

Returns the value of the field ‘service_dll_hash’ as a Hash Entity


Transform Meta Info

Information Value
Display Name To ServiceDllHash (Hash)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name endpointservicestoservicedllhashhash
Input Entities maltego.splunk.Services
Output Entities Phrase
Short Description Returns the value of the field ‘service_dll_hash’ as a Hash Entity

To ServiceHash (Hash)

Description

Returns the value of the field ‘service_hash’ as a Hash Entity


Transform Meta Info

Information Value
Display Name To ServiceHash (Hash)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name endpointservicestoservicehashhash
Input Entities maltego.splunk.Services
Output Entities Phrase
Short Description Returns the value of the field ‘service_hash’ as a Hash Entity

To FileHash (Hash)

Description

Returns the value of the field ‘file_hash’ as a Hash Entity


Transform Meta Info

Information Value
Display Name To FileHash (Hash)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘file_hash’ as a Hash Entity

Variants

Transform Name Input Entities
endpointfilesystemtofilehashhash maltego.splunk.Filesystem
malwaremalwareattackstofilehashhash maltego.splunk.MalwareAttacks

To FileName (Phrase)

Description

Returns the value of the field ‘file_name’ as a Phrase Entity


Transform Meta Info

Information Value
Display Name To FileName (Phrase)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘file_name’ as a Phrase Entity

Variants

Transform Name Input Entities
endpointfilesystemtofilenamephrase maltego.splunk.Filesystem
malwaremalwareattackstofilenamephrase maltego.splunk.MalwareAttacks

To Url (URL)

Description

Returns the value of the field ‘url’ as a URL Entity


Transform Meta Info

Information Value
Display Name To Url (URL)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘url’ as a URL Entity

Variants

Transform Name Input Entities
vulnerabilitiestourlurl maltego.splunk.Vulnerabilities
malwaremalwareattackstourlurl maltego.splunk.MalwareAttacks

To Cve (CVE)

Description

Returns the value of the field ‘cve’ as a CVE Entity


Transform Meta Info

Information Value
Display Name To Cve (CVE)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name vulnerabilitiestocvecve
Input Entities maltego.splunk.Vulnerabilities
Output Entities Phrase
Short Description Returns the value of the field ‘cve’ as a CVE Entity

To Dvc (Alias)

Description

Returns the value of the field ‘dvc’ as a Alias Entity


Transform Meta Info

Information Value
Display Name To Dvc (Alias)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘dvc’ as a Alias Entity

Variants

Transform Name Input Entities
vulnerabilitiestodvcalias maltego.splunk.Vulnerabilities
networktrafficalltraffictodvcalias maltego.splunk.AllTraffic

To DestNtDomain (Domain)

Description

Returns the value of the field ‘dest_nt_domain’ as a Domain Entity


Transform Meta Info

Information Value
Display Name To DestNtDomain (Domain)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘dest_nt_domain’ as a Domain Entity

Variants

Transform Name Input Entities
authenticationtodestntdomaindomain maltego.splunk.Authentication
malwaremalwareattackstodestntdomaindomain maltego.splunk.MalwareAttacks
malwaremalwareoperationstodestntdomaindomain maltego.splunk.MalwareOperations

To SrcNtDomain (Domain)

Description

Returns the value of the field ‘src_nt_domain’ as a Domain Entity


Transform Meta Info

Information Value
Display Name To SrcNtDomain (Domain)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name authenticationtosrcntdomaindomain
Input Entities maltego.splunk.Authentication
Output Entities Phrase
Short Description Returns the value of the field ‘src_nt_domain’ as a Domain Entity

To SrcUserId (Alias)

Description

Returns the value of the field ‘src_user_id’ as a Alias Entity


Transform Meta Info

Information Value
Display Name To SrcUserId (Alias)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name authenticationtosrcuseridalias
Input Entities maltego.splunk.Authentication
Output Entities Phrase
Short Description Returns the value of the field ‘src_user_id’ as a Alias Entity

To App (Phrase)

Description

Returns the value of the field ‘app’ as a Phrase Entity


Transform Meta Info

Information Value
Display Name To App (Phrase)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘app’ as a Phrase Entity

Variants

Transform Name Input Entities
authenticationtoappphrase maltego.splunk.Authentication
networktrafficalltraffictoappphrase maltego.splunk.AllTraffic

To SrcUser (Alias)

Description

Returns the value of the field ‘src_user’ as a Alias Entity


Transform Meta Info

Information Value
Display Name To SrcUser (Alias)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘src_user’ as a Alias Entity

Variants

Transform Name Input Entities
authenticationtosrcuseralias maltego.splunk.Authentication
malwaremalwareattackstosrcuseralias maltego.splunk.MalwareAttacks

To DestTranslatedIp (IPv4Address)

Description

Returns the value of the field ‘dest_translated_ip’ as a IPv4Address Entity


Transform Meta Info

Information Value
Display Name To DestTranslatedIp (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictodesttranslatedipipv4address
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘dest_translated_ip’ as a IPv4Address Entity

To DestTranslatedIp (IPv6Address)

Description

Returns the value of the field ‘dest_translated_ip’ as a IPv6Address Entity


Transform Meta Info

Information Value
Display Name To DestTranslatedIp (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictodesttranslatedipipv6address
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘dest_translated_ip’ as a IPv6Address Entity

To DvcIp (IPv4Address)

Description

Returns the value of the field ‘dvc_ip’ as a IPv4Address Entity


Transform Meta Info

Information Value
Display Name To DvcIp (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictodvcipipv4address
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘dvc_ip’ as a IPv4Address Entity

To DvcIp (IPv6Address)

Description

Returns the value of the field ‘dvc_ip’ as a IPv6Address Entity


Transform Meta Info

Information Value
Display Name To DvcIp (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictodvcipipv6address
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘dvc_ip’ as a IPv6Address Entity

To SrcTranslatedIp (IPv4Address)

Description

Returns the value of the field ‘src_translated_ip’ as a IPv4Address Entity


Transform Meta Info

Information Value
Display Name To SrcTranslatedIp (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictosrctranslatedipipv4address
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘src_translated_ip’ as a IPv4Address Entity

To SrcTranslatedIp (IPv6Address)

Description

Returns the value of the field ‘src_translated_ip’ as a IPv6Address Entity


Transform Meta Info

Information Value
Display Name To SrcTranslatedIp (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictosrctranslatedipipv6address
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘src_translated_ip’ as a IPv6Address Entity

To Ssid (Phrase)

Description

Returns the value of the field ‘ssid’ as a Phrase Entity


Transform Meta Info

Information Value
Display Name To Ssid (Phrase)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictossidphrase
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘ssid’ as a Phrase Entity

To Time (DateTime)

Description

Returns the value of the field ’_time’ as a DateTime Entity


Transform Meta Info

Information Value
Display Name To Time (DateTime)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name malwaremalwareoperationstotimedatetime
Input Entities maltego.splunk.MalwareOperations
Output Entities Phrase
Short Description Returns the value of the field ’_time’ as a DateTime Entity

To All Interesting Fields

Description

Extracts interesting fields from the incoming Entity properties


Transform Meta Info

Information Value
Display Name To All Interesting Fields
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name baseeventtointerestingfield
Input Entities maltego.splunk.BaseEvent
Output Entities Phrase
Short Description Extracts interesting fields from the incoming Entity properties

Get All Sessions Events by src_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get All Sessions Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworksessionsallsessionsusingsrcip maltego.IPv4Address This Transform returns AllSessions events where the field ‘SrcIp’ is equal to the value of the input IPv4Address.The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ipv6addresstonetworksessionsallsessionsusingsrcip maltego.IPv6Address This Transform returns AllSessions events where the field ‘SrcIp’ is equal to the value of the input IPv6Address.The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get All Sessions Events by dest_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get All Sessions Events by dest_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworksessionsallsessionsusingdestip maltego.IPv4Address This Transform returns AllSessions events where the field ‘DestIp’ is equal to the value of the input IPv4Address.The CIM defines the field name DestIp as ‘The internal IP address allocated to the client initializing a network session. For DHCP and VPN events this is the IP address leased to the client.’
ipv6addresstonetworksessionsallsessionsusingdestip maltego.IPv6Address This Transform returns AllSessions events where the field ‘DestIp’ is equal to the value of the input IPv6Address.The CIM defines the field name DestIp as ‘The internal IP address allocated to the client initializing a network session. For DHCP and VPN events this is the IP address leased to the client.’

Get All Sessions Events by user [Splunk]

Description

This Transform returns AllSessions events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user in a network session event where applicable. For example a VPN session or an authenticated DHCP event.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get All Sessions Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastonetworksessionsallsessionsusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns AllSessions events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user in a network session event where applicable. For example a VPN session or an authenticated DHCP event.’

Get Session Start Events by src_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Session Start Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworksessionssessionstartusingsrcip maltego.IPv4Address This Transform returns SessionStart events where the field ‘SrcIp’ is equal to the value of the input IPv4Address.The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ipv6addresstonetworksessionssessionstartusingsrcip maltego.IPv6Address This Transform returns SessionStart events where the field ‘SrcIp’ is equal to the value of the input IPv6Address.The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get Session End Events by src_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Session End Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworksessionssessionendusingsrcip maltego.IPv4Address This Transform returns SessionEnd events where the field ‘SrcIp’ is equal to the value of the input IPv4Address.The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ipv6addresstonetworksessionssessionendusingsrcip maltego.IPv6Address This Transform returns SessionEnd events where the field ‘SrcIp’ is equal to the value of the input IPv6Address.The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get Dhcp Events by src_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Dhcp Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworksessionsdhcpusingsrcip maltego.IPv4Address This Transform returns DHCP events where the field ‘SrcIp’ is equal to the value of the input IPv4Address.The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ipv6addresstonetworksessionsdhcpusingsrcip maltego.IPv6Address This Transform returns DHCP events where the field ‘SrcIp’ is equal to the value of the input IPv6Address.The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get Vpn Events by src_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Vpn Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworksessionsvpnusingsrcip maltego.IPv4Address This Transform returns VPN events where the field ‘SrcIp’ is equal to the value of the input IPv4Address.The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ipv6addresstonetworksessionsvpnusingsrcip maltego.IPv6Address This Transform returns VPN events where the field ‘SrcIp’ is equal to the value of the input IPv6Address.The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get Dns Events by src [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Dns Events by src [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworkresolutiondnsusingsrc maltego.IPv4Address This Transform returns DNS events where the field ‘Src’ is equal to the value of the input IPv4Address.The CIM defines the field name Src as ‘The source of the network resolution event. You can alias this from more specific fields such as src_host src_ip or src_name.’
ipv6addresstonetworkresolutiondnsusingsrc maltego.IPv6Address This Transform returns DNS events where the field ‘Src’ is equal to the value of the input IPv6Address.The CIM defines the field name Src as ‘The source of the network resolution event. You can alias this from more specific fields such as src_host src_ip or src_name.’

Get Ports Events by src [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Ports Events by src [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstoendpointportsusingsrc maltego.IPv4Address This Transform returns Ports events where the field ‘Src’ is equal to the value of the input IPv4Address.The CIM defines the field name Src as ‘The remote system connected to the listening port (if applicable).’
ipv6addresstoendpointportsusingsrc maltego.IPv6Address This Transform returns Ports events where the field ‘Src’ is equal to the value of the input IPv6Address.The CIM defines the field name Src as ‘The remote system connected to the listening port (if applicable).’

Get Ports Events by user [Splunk]

Description

This Transform returns Ports events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user account associated with the listening port.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Ports Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoendpointportsusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns Ports events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user account associated with the listening port.’

Get Processes Events by user_id [Splunk]

Description

This Transform returns Processes events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique identifier of the user account which spawned the process.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Processes Events by user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoendpointprocessesusinguserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns Processes events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique identifier of the user account which spawned the process.’

Get Processes Events by user [Splunk]

Description

This Transform returns Processes events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user account which spawned the process.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Processes Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoendpointprocessesusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns Processes events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user account which spawned the process.’

Get Processes Events by process_hash [Splunk]

Description

This Transform returns Processes events where the field ‘ProcessHash’ is equal to the value of the input Hash.The CIM defines the field name ProcessHash as ‘The digest(s) of the parent process such as etc.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Processes Events by process_hash [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name hashtoendpointprocessesusingprocesshash
Input Entities maltego.Hash
Output Entities Phrase
Short Description This Transform returns Processes events where the field ‘ProcessHash’ is equal to the value of the input Hash.The CIM defines the field name ProcessHash as ‘The digest(s) of the parent process such as etc.’

Get Services Events by user [Splunk]

Description

This Transform returns Services events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user account associated with the service.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Services Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoendpointservicesusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns Services events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user account associated with the service.’

Get Services Events by service_dll_hash [Splunk]

Description

This Transform returns Services events where the field ‘ServiceDllHash’ is equal to the value of the input Hash.The CIM defines the field name ServiceDllHash as ‘The digest(s) of the dynamic link library associated with the service such as etc.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Services Events by service_dll_hash [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name hashtoendpointservicesusingservicedllhash
Input Entities maltego.Hash
Output Entities Phrase
Short Description This Transform returns Services events where the field ‘ServiceDllHash’ is equal to the value of the input Hash.The CIM defines the field name ServiceDllHash as ‘The digest(s) of the dynamic link library associated with the service such as etc.’

Get Services Events by service_hash [Splunk]

Description

This Transform returns Services events where the field ‘ServiceHash’ is equal to the value of the input Hash.The CIM defines the field name ServiceHash as ‘The digest(s) of the service such as etc.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Services Events by service_hash [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name hashtoendpointservicesusingservicehash
Input Entities maltego.Hash
Output Entities Phrase
Short Description This Transform returns Services events where the field ‘ServiceHash’ is equal to the value of the input Hash.The CIM defines the field name ServiceHash as ‘The digest(s) of the service such as etc.’

Get Filesystem Events by user [Splunk]

Description

This Transform returns Filesystem events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user account associated with the filesystem access.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Filesystem Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoendpointfilesystemusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns Filesystem events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user account associated with the filesystem access.’

Get Filesystem Events by file_hash [Splunk]

Description

This Transform returns Filesystem events where the field ‘FileHash’ is equal to the value of the input Hash.The CIM defines the field name FileHash as ‘A cryptographic identifier assigned to the file object affected by the event.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Filesystem Events by file_hash [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name hashtoendpointfilesystemusingfilehash
Input Entities maltego.Hash
Output Entities Phrase
Short Description This Transform returns Filesystem events where the field ‘FileHash’ is equal to the value of the input Hash.The CIM defines the field name FileHash as ‘A cryptographic identifier assigned to the file object affected by the event.’

Get Registry Events by user [Splunk]

Description

This Transform returns Registry events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user account associated with the registry access.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Registry Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoendpointregistryusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns Registry events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user account associated with the registry access.’

Get Vulnerabilities Events by user [Splunk]

Description

This Transform returns Vulnerabilities events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Vulnerabilities Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastovulnerabilitiesusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns Vulnerabilities events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’

Get Vulnerabilities Events by dvc [Splunk]

Description

This Transform returns Vulnerabilities events where the field ‘Dvc’ is equal to the value of the input Alias.The CIM defines the field name Dvc as ‘The system that discovered the vulnerability. You can alias this from more specific fields such as dvc_host dvc_ip or dvc_name.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Vulnerabilities Events by dvc [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastovulnerabilitiesusingdvc
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns Vulnerabilities events where the field ‘Dvc’ is equal to the value of the input Alias.The CIM defines the field name Dvc as ‘The system that discovered the vulnerability. You can alias this from more specific fields such as dvc_host dvc_ip or dvc_name.’

Get Vulnerabilities Events by url [Splunk]

Description

This Transform returns Vulnerabilities events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Vulnerabilities Events by url [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name urltovulnerabilitiesusingurl
Input Entities maltego.URL
Output Entities Phrase
Short Description This Transform returns Vulnerabilities events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’

Get High Critical Vulnerabilities Events by user [Splunk]

Description

This Transform returns HighCriticalVulnerabilities events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get High Critical Vulnerabilities Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastovulnerabilitieshighcriticalvulnerabilitiesusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns HighCriticalVulnerabilities events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’

Get High Critical Vulnerabilities Events by url [Splunk]

Description

This Transform returns HighCriticalVulnerabilities events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get High Critical Vulnerabilities Events by url [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name urltovulnerabilitieshighcriticalvulnerabilitiesusingurl
Input Entities maltego.URL
Output Entities Phrase
Short Description This Transform returns HighCriticalVulnerabilities events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’

Get Medium Vulnerabilities Events by user [Splunk]

Description

This Transform returns MediumVulnerabilities events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Medium Vulnerabilities Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastovulnerabilitiesmediumvulnerabilitiesusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns MediumVulnerabilities events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’

Get Medium Vulnerabilities Events by url [Splunk]

Description

This Transform returns MediumVulnerabilities events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Medium Vulnerabilities Events by url [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name urltovulnerabilitiesmediumvulnerabilitiesusingurl
Input Entities maltego.URL
Output Entities Phrase
Short Description This Transform returns MediumVulnerabilities events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’

Get Low Informational Vulnerabilities Events by user [Splunk]

Description

This Transform returns LowInformationalVulnerabilities events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Low Informational Vulnerabilities Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastovulnerabilitieslowinformationalvulnerabilitiesusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns LowInformationalVulnerabilities events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’

Get Low Informational Vulnerabilities Events by url [Splunk]

Description

This Transform returns LowInformationalVulnerabilities events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Low Informational Vulnerabilities Events by url [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name urltovulnerabilitieslowinformationalvulnerabilitiesusingurl
Input Entities maltego.URL
Output Entities Phrase
Short Description This Transform returns LowInformationalVulnerabilities events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’

Get Authentication Events by src [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Authentication Events by src [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstoauthenticationusingsrc maltego.IPv4Address This Transform returns Authentication events where the field ‘Src’ is equal to the value of the input IPv4Address.The CIM defines the field name Src as ‘The source involved in the authentication. In the case of endpoint protection authentication the src is the client. You can alias this from more specific fields such as src_host src_ip or src_nt_host.’
ipv6addresstoauthenticationusingsrc maltego.IPv6Address This Transform returns Authentication events where the field ‘Src’ is equal to the value of the input IPv6Address.The CIM defines the field name Src as ‘The source involved in the authentication. In the case of endpoint protection authentication the src is the client. You can alias this from more specific fields such as src_host src_ip or src_nt_host.’

Get Authentication Events by src_user_id [Splunk]

Description

This Transform returns Authentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Authentication Events by src_user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationusingsrcuserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns Authentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Authentication Events by src_user [Splunk]

Description

This Transform returns Authentication events where the field ‘SrcUser’ is equal to the value of the input Alias.The CIM defines the field name SrcUser as ‘In privilege escalation events src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Authentication Events by src_user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationusingsrcuser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns Authentication events where the field ‘SrcUser’ is equal to the value of the input Alias.The CIM defines the field name SrcUser as ‘In privilege escalation events src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Authentication Events by user_id [Splunk]

Description

This Transform returns Authentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Authentication Events by user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationusinguserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns Authentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Authentication Events by user [Splunk]

Description

This Transform returns Authentication events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The name of the user involved in the event or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Authentication Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns Authentication events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The name of the user involved in the event or who initiated the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Failed Authentication Events by src_user_id [Splunk]

Description

This Transform returns FailedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Failed Authentication Events by src_user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationfailedauthenticationusingsrcuserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns FailedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Failed Authentication Events by user_id [Splunk]

Description

This Transform returns FailedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Failed Authentication Events by user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationfailedauthenticationusinguserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns FailedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Successful Authentication Events by src_user_id [Splunk]

Description

This Transform returns SuccessfulAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Successful Authentication Events by src_user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationsuccessfulauthenticationusingsrcuserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns SuccessfulAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Successful Authentication Events by user_id [Splunk]

Description

This Transform returns SuccessfulAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Successful Authentication Events by user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationsuccessfulauthenticationusinguserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns SuccessfulAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Default Authentication Events by src_user_id [Splunk]

Description

This Transform returns DefaultAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Default Authentication Events by src_user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationdefaultauthenticationusingsrcuserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns DefaultAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Default Authentication Events by user_id [Splunk]

Description

This Transform returns DefaultAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Default Authentication Events by user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationdefaultauthenticationusinguserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns DefaultAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Failed Default Authentication Events by src_user_id [Splunk]

Description

This Transform returns FailedDefaultAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Failed Default Authentication Events by src_user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationfaileddefaultauthenticationusingsrcuserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns FailedDefaultAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Failed Default Authentication Events by user_id [Splunk]

Description

This Transform returns FailedDefaultAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Failed Default Authentication Events by user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationfaileddefaultauthenticationusinguserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns FailedDefaultAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Successful Default Authentication Events by src_user_id [Splunk]

Description

This Transform returns SuccessfulDefaultAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Successful Default Authentication Events by src_user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationsuccessfuldefaultauthenticationusingsrcuserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns SuccessfulDefaultAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Successful Default Authentication Events by user_id [Splunk]

Description

This Transform returns SuccessfulDefaultAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Successful Default Authentication Events by user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationsuccessfuldefaultauthenticationusinguserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns SuccessfulDefaultAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Insecure Authentication Events by src_user_id [Splunk]

Description

This Transform returns InsecureAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Insecure Authentication Events by src_user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationinsecureauthenticationusingsrcuserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns InsecureAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Insecure Authentication Events by user_id [Splunk]

Description

This Transform returns InsecureAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Insecure Authentication Events by user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationinsecureauthenticationusinguserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns InsecureAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Privileged Authentication Events by src_user_id [Splunk]

Description

This Transform returns PrivilegedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Privileged Authentication Events by src_user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationprivilegedauthenticationusingsrcuserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns PrivilegedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Privileged Authentication Events by user_id [Splunk]

Description

This Transform returns PrivilegedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Privileged Authentication Events by user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationprivilegedauthenticationusinguserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns PrivilegedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Failed Privileged Authentication Events by src_user_id [Splunk]

Description

This Transform returns FailedPrivilegedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Failed Privileged Authentication Events by src_user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationfailedprivilegedauthenticationusingsrcuserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns FailedPrivilegedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Failed Privileged Authentication Events by user_id [Splunk]

Description

This Transform returns FailedPrivilegedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Failed Privileged Authentication Events by user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationfailedprivilegedauthenticationusinguserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns FailedPrivilegedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Successful Privileged Authentication Events by src_user_id [Splunk]

Description

This Transform returns SuccessfulPrivilegedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Successful Privileged Authentication Events by src_user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationsuccessfulprivilegedauthenticationusingsrcuserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns SuccessfulPrivilegedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias.The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Successful Privileged Authentication Events by user_id [Splunk]

Description

This Transform returns SuccessfulPrivilegedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Successful Privileged Authentication Events by user_id [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastoauthenticationsuccessfulprivilegedauthenticationusinguserid
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns SuccessfulPrivilegedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias.The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get All Traffic Events by src_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get All Traffic Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworktrafficalltrafficusingsrcip maltego.IPv4Address This Transform returns AllTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv4Address.The CIM defines the field name SrcIp as ‘The ip address of the source.’
ipv6addresstonetworktrafficalltrafficusingsrcip maltego.IPv6Address This Transform returns AllTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv6Address.The CIM defines the field name SrcIp as ‘The ip address of the source.’

Get All Traffic Events by src [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get All Traffic Events by src [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworktrafficalltrafficusingsrc maltego.IPv4Address This Transform returns AllTraffic events where the field ‘Src’ is equal to the value of the input IPv4Address.The CIM defines the field name Src as ‘The source of the network traffic (the client requesting the connection). You can alias this from more specific fields such as src_host src_ip or src_name.’
ipv6addresstonetworktrafficalltrafficusingsrc maltego.IPv6Address This Transform returns AllTraffic events where the field ‘Src’ is equal to the value of the input IPv6Address.The CIM defines the field name Src as ‘The source of the network traffic (the client requesting the connection). You can alias this from more specific fields such as src_host src_ip or src_name.’

Get All Traffic Events by dest_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get All Traffic Events by dest_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworktrafficalltrafficusingdestip maltego.IPv4Address This Transform returns AllTraffic events where the field ‘DestIp’ is equal to the value of the input IPv4Address.The CIM defines the field name DestIp as ‘The IP address of the destination.’
ipv6addresstonetworktrafficalltrafficusingdestip maltego.IPv6Address This Transform returns AllTraffic events where the field ‘DestIp’ is equal to the value of the input IPv6Address.The CIM defines the field name DestIp as ‘The IP address of the destination.’

Get All Traffic Events by dvc_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get All Traffic Events by dvc_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworktrafficalltrafficusingdvcip maltego.IPv4Address This Transform returns AllTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv4Address.The CIM defines the field name DvcIp as ‘The ip address of the device.’
ipv6addresstonetworktrafficalltrafficusingdvcip maltego.IPv6Address This Transform returns AllTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv6Address.The CIM defines the field name DvcIp as ‘The ip address of the device.’

Get All Traffic Events by dvc [Splunk]

Description

This Transform returns AllTraffic events where the field ‘Dvc’ is equal to the value of the input Alias.The CIM defines the field name Dvc as ‘The device that reported the traffic event. You can alias this from more specific fields such as dvc_host dvc_ip or dvc_name.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get All Traffic Events by dvc [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastonetworktrafficalltrafficusingdvc
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns AllTraffic events where the field ‘Dvc’ is equal to the value of the input Alias.The CIM defines the field name Dvc as ‘The device that reported the traffic event. You can alias this from more specific fields such as dvc_host dvc_ip or dvc_name.’

Get All Traffic Events by user [Splunk]

Description

This Transform returns AllTraffic events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user that requested the traffic flow.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get All Traffic Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastonetworktrafficalltrafficusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns AllTraffic events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user that requested the traffic flow.’

Get Allowed Traffic Events by src_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Allowed Traffic Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworktrafficallowedtrafficusingsrcip maltego.IPv4Address This Transform returns AllowedTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv4Address.The CIM defines the field name SrcIp as ‘The ip address of the source.’
ipv6addresstonetworktrafficallowedtrafficusingsrcip maltego.IPv6Address This Transform returns AllowedTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv6Address.The CIM defines the field name SrcIp as ‘The ip address of the source.’

Get Allowed Traffic Events by dest_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Allowed Traffic Events by dest_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworktrafficallowedtrafficusingdestip maltego.IPv4Address This Transform returns AllowedTraffic events where the field ‘DestIp’ is equal to the value of the input IPv4Address.The CIM defines the field name DestIp as ‘The IP address of the destination.’
ipv6addresstonetworktrafficallowedtrafficusingdestip maltego.IPv6Address This Transform returns AllowedTraffic events where the field ‘DestIp’ is equal to the value of the input IPv6Address.The CIM defines the field name DestIp as ‘The IP address of the destination.’

Get Allowed Traffic Events by dvc_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Allowed Traffic Events by dvc_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworktrafficallowedtrafficusingdvcip maltego.IPv4Address This Transform returns AllowedTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv4Address.The CIM defines the field name DvcIp as ‘The ip address of the device.’
ipv6addresstonetworktrafficallowedtrafficusingdvcip maltego.IPv6Address This Transform returns AllowedTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv6Address.The CIM defines the field name DvcIp as ‘The ip address of the device.’

Get Blocked Traffic Events by src_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Traffic Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworktrafficblockedtrafficusingsrcip maltego.IPv4Address This Transform returns BlockedTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv4Address.The CIM defines the field name SrcIp as ‘The ip address of the source.’
ipv6addresstonetworktrafficblockedtrafficusingsrcip maltego.IPv6Address This Transform returns BlockedTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv6Address.The CIM defines the field name SrcIp as ‘The ip address of the source.’

Get Blocked Traffic Events by dest_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Traffic Events by dest_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworktrafficblockedtrafficusingdestip maltego.IPv4Address This Transform returns BlockedTraffic events where the field ‘DestIp’ is equal to the value of the input IPv4Address.The CIM defines the field name DestIp as ‘The IP address of the destination.’
ipv6addresstonetworktrafficblockedtrafficusingdestip maltego.IPv6Address This Transform returns BlockedTraffic events where the field ‘DestIp’ is equal to the value of the input IPv6Address.The CIM defines the field name DestIp as ‘The IP address of the destination.’

Get Blocked Traffic Events by dvc_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Traffic Events by dvc_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworktrafficblockedtrafficusingdvcip maltego.IPv4Address This Transform returns BlockedTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv4Address.The CIM defines the field name DvcIp as ‘The ip address of the device.’
ipv6addresstonetworktrafficblockedtrafficusingdvcip maltego.IPv6Address This Transform returns BlockedTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv6Address.The CIM defines the field name DvcIp as ‘The ip address of the device.’

Get Malware Attacks Events by src [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Malware Attacks Events by src [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstomalwaremalwareattacksusingsrc maltego.IPv4Address This Transform returns MalwareAttacks events where the field ‘Src’ is equal to the value of the input IPv4Address.The CIM defines the field name Src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’
ipv6addresstomalwaremalwareattacksusingsrc maltego.IPv6Address This Transform returns MalwareAttacks events where the field ‘Src’ is equal to the value of the input IPv6Address.The CIM defines the field name Src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’

Get Malware Attacks Events by src_user [Splunk]

Description

This Transform returns MalwareAttacks events where the field ‘SrcUser’ is equal to the value of the input Alias.The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Malware Attacks Events by src_user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastomalwaremalwareattacksusingsrcuser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns MalwareAttacks events where the field ‘SrcUser’ is equal to the value of the input Alias.The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’

Get Malware Attacks Events by user [Splunk]

Description

This Transform returns MalwareAttacks events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user involved in the malware event.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Malware Attacks Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastomalwaremalwareattacksusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns MalwareAttacks events where the field ‘User’ is equal to the value of the input Alias.The CIM defines the field name User as ‘The user involved in the malware event.’

Get Malware Attacks Events by url [Splunk]

Description

This Transform returns MalwareAttacks events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Malware Attacks Events by url [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name urltomalwaremalwareattacksusingurl
Input Entities maltego.URL
Output Entities Phrase
Short Description This Transform returns MalwareAttacks events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’

Get Malware Attacks Events by file_hash [Splunk]

Description

This Transform returns MalwareAttacks events where the field ‘FileHash’ is equal to the value of the input Hash.The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Malware Attacks Events by file_hash [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name hashtomalwaremalwareattacksusingfilehash
Input Entities maltego.Hash
Output Entities Phrase
Short Description This Transform returns MalwareAttacks events where the field ‘FileHash’ is equal to the value of the input Hash.The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’

Get Allowed Malware Events by src [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Allowed Malware Events by src [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstomalwareallowedmalwareusingsrc maltego.IPv4Address This Transform returns AllowedMalware events where the field ‘Src’ is equal to the value of the input IPv4Address.The CIM defines the field name Src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’
ipv6addresstomalwareallowedmalwareusingsrc maltego.IPv6Address This Transform returns AllowedMalware events where the field ‘Src’ is equal to the value of the input IPv6Address.The CIM defines the field name Src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’

Get Allowed Malware Events by src_user [Splunk]

Description

This Transform returns AllowedMalware events where the field ‘SrcUser’ is equal to the value of the input Alias.The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Allowed Malware Events by src_user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastomalwareallowedmalwareusingsrcuser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns AllowedMalware events where the field ‘SrcUser’ is equal to the value of the input Alias.The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’

Get Allowed Malware Events by url [Splunk]

Description

This Transform returns AllowedMalware events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Allowed Malware Events by url [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name urltomalwareallowedmalwareusingurl
Input Entities maltego.URL
Output Entities Phrase
Short Description This Transform returns AllowedMalware events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’

Get Allowed Malware Events by file_hash [Splunk]

Description

This Transform returns AllowedMalware events where the field ‘FileHash’ is equal to the value of the input Hash.The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Allowed Malware Events by file_hash [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name hashtomalwareallowedmalwareusingfilehash
Input Entities maltego.Hash
Output Entities Phrase
Short Description This Transform returns AllowedMalware events where the field ‘FileHash’ is equal to the value of the input Hash.The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’

Get Blocked Malware Events by src [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Malware Events by src [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstomalwareblockedmalwareusingsrc maltego.IPv4Address This Transform returns BlockedMalware events where the field ‘Src’ is equal to the value of the input IPv4Address.The CIM defines the field name Src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’
ipv6addresstomalwareblockedmalwareusingsrc maltego.IPv6Address This Transform returns BlockedMalware events where the field ‘Src’ is equal to the value of the input IPv6Address.The CIM defines the field name Src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’

Get Blocked Malware Events by src_user [Splunk]

Description

This Transform returns BlockedMalware events where the field ‘SrcUser’ is equal to the value of the input Alias.The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Malware Events by src_user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastomalwareblockedmalwareusingsrcuser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns BlockedMalware events where the field ‘SrcUser’ is equal to the value of the input Alias.The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’

Get Blocked Malware Events by url [Splunk]

Description

This Transform returns BlockedMalware events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Malware Events by url [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name urltomalwareblockedmalwareusingurl
Input Entities maltego.URL
Output Entities Phrase
Short Description This Transform returns BlockedMalware events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’

Get Blocked Malware Events by file_hash [Splunk]

Description

This Transform returns BlockedMalware events where the field ‘FileHash’ is equal to the value of the input Hash.The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Malware Events by file_hash [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name hashtomalwareblockedmalwareusingfilehash
Input Entities maltego.Hash
Output Entities Phrase
Short Description This Transform returns BlockedMalware events where the field ‘FileHash’ is equal to the value of the input Hash.The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’

Get Deferred Malware Events by src [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Deferred Malware Events by src [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstomalwaredeferredmalwareusingsrc maltego.IPv4Address This Transform returns DeferredMalware events where the field ‘Src’ is equal to the value of the input IPv4Address.The CIM defines the field name Src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’
ipv6addresstomalwaredeferredmalwareusingsrc maltego.IPv6Address This Transform returns DeferredMalware events where the field ‘Src’ is equal to the value of the input IPv6Address.The CIM defines the field name Src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’

Get Deferred Malware Events by src_user [Splunk]

Description

This Transform returns DeferredMalware events where the field ‘SrcUser’ is equal to the value of the input Alias.The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Deferred Malware Events by src_user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastomalwaredeferredmalwareusingsrcuser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns DeferredMalware events where the field ‘SrcUser’ is equal to the value of the input Alias.The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’

Get Deferred Malware Events by url [Splunk]

Description

This Transform returns DeferredMalware events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Deferred Malware Events by url [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name urltomalwaredeferredmalwareusingurl
Input Entities maltego.URL
Output Entities Phrase
Short Description This Transform returns DeferredMalware events where the field ‘Url’ is equal to the value of the input URL.The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’

Get Deferred Malware Events by file_hash [Splunk]

Description

This Transform returns DeferredMalware events where the field ‘FileHash’ is equal to the value of the input Hash.The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Deferred Malware Events by file_hash [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name hashtomalwaredeferredmalwareusingfilehash
Input Entities maltego.Hash
Output Entities Phrase
Short Description This Transform returns DeferredMalware events where the field ‘FileHash’ is equal to the value of the input Hash.The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’

Get All Sessions Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get All Sessions Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchallsessionsusingipv4address maltego.IPv4Address
rawsearchallsessionsusingipv6address maltego.IPv6Address
rawsearchallsessionsusinghash maltego.Hash
rawsearchallsessionsusingalias maltego.Alias
rawsearchallsessionsusingemailaddress maltego.EmailAddress
rawsearchallsessionsusingphrase maltego.Phrase
rawsearchallsessionsusingdomain maltego.Domain
rawsearchallsessionsusingcve maltego.CVE

Get DHCP Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get DHCP Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchdhcpusingipv4address maltego.IPv4Address
rawsearchdhcpusingipv6address maltego.IPv6Address
rawsearchdhcpusinghash maltego.Hash
rawsearchdhcpusingalias maltego.Alias
rawsearchdhcpusingemailaddress maltego.EmailAddress
rawsearchdhcpusingphrase maltego.Phrase
rawsearchdhcpusingdomain maltego.Domain
rawsearchdhcpusingcve maltego.CVE

Get DNS Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get DNS Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchdnsusingipv4address maltego.IPv4Address
rawsearchdnsusingipv6address maltego.IPv6Address
rawsearchdnsusinghash maltego.Hash
rawsearchdnsusingalias maltego.Alias
rawsearchdnsusingemailaddress maltego.EmailAddress
rawsearchdnsusingphrase maltego.Phrase
rawsearchdnsusingdomain maltego.Domain
rawsearchdnsusingcve maltego.CVE

Get Ports Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Ports Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchportsusingipv4address maltego.IPv4Address
rawsearchportsusingipv6address maltego.IPv6Address
rawsearchportsusinghash maltego.Hash
rawsearchportsusingalias maltego.Alias
rawsearchportsusingemailaddress maltego.EmailAddress
rawsearchportsusingphrase maltego.Phrase
rawsearchportsusingdomain maltego.Domain
rawsearchportsusingcve maltego.CVE

Get Processes Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Processes Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchprocessesusingipv4address maltego.IPv4Address
rawsearchprocessesusingipv6address maltego.IPv6Address
rawsearchprocessesusinghash maltego.Hash
rawsearchprocessesusingalias maltego.Alias
rawsearchprocessesusingemailaddress maltego.EmailAddress
rawsearchprocessesusingphrase maltego.Phrase
rawsearchprocessesusingdomain maltego.Domain
rawsearchprocessesusingcve maltego.CVE

Get Services Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Services Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchservicesusingipv4address maltego.IPv4Address
rawsearchservicesusingipv6address maltego.IPv6Address
rawsearchservicesusinghash maltego.Hash
rawsearchservicesusingalias maltego.Alias
rawsearchservicesusingemailaddress maltego.EmailAddress
rawsearchservicesusingphrase maltego.Phrase
rawsearchservicesusingdomain maltego.Domain
rawsearchservicesusingcve maltego.CVE

Get Filesystem Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Filesystem Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchfilesystemusingipv4address maltego.IPv4Address
rawsearchfilesystemusingipv6address maltego.IPv6Address
rawsearchfilesystemusinghash maltego.Hash
rawsearchfilesystemusingalias maltego.Alias
rawsearchfilesystemusingemailaddress maltego.EmailAddress
rawsearchfilesystemusingphrase maltego.Phrase
rawsearchfilesystemusingdomain maltego.Domain
rawsearchfilesystemusingcve maltego.CVE

Get Registry Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Registry Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchregistryusingipv4address maltego.IPv4Address
rawsearchregistryusingipv6address maltego.IPv6Address
rawsearchregistryusinghash maltego.Hash
rawsearchregistryusingalias maltego.Alias
rawsearchregistryusingemailaddress maltego.EmailAddress
rawsearchregistryusingphrase maltego.Phrase
rawsearchregistryusingdomain maltego.Domain
rawsearchregistryusingcve maltego.CVE

Get Vulnerabilities Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Vulnerabilities Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchvulnerabilitiesusingipv4address maltego.IPv4Address
rawsearchvulnerabilitiesusingipv6address maltego.IPv6Address
rawsearchvulnerabilitiesusinghash maltego.Hash
rawsearchvulnerabilitiesusingalias maltego.Alias
rawsearchvulnerabilitiesusingemailaddress maltego.EmailAddress
rawsearchvulnerabilitiesusingphrase maltego.Phrase
rawsearchvulnerabilitiesusingdomain maltego.Domain
rawsearchvulnerabilitiesusingcve maltego.CVE

Get Authentication Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Authentication Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchauthenticationusingipv4address maltego.IPv4Address
rawsearchauthenticationusingipv6address maltego.IPv6Address
rawsearchauthenticationusinghash maltego.Hash
rawsearchauthenticationusingalias maltego.Alias
rawsearchauthenticationusingemailaddress maltego.EmailAddress
rawsearchauthenticationusingphrase maltego.Phrase
rawsearchauthenticationusingdomain maltego.Domain
rawsearchauthenticationusingcve maltego.CVE

Get All Traffic Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get All Traffic Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchalltrafficusingipv4address maltego.IPv4Address
rawsearchalltrafficusingipv6address maltego.IPv6Address
rawsearchalltrafficusinghash maltego.Hash
rawsearchalltrafficusingalias maltego.Alias
rawsearchalltrafficusingemailaddress maltego.EmailAddress
rawsearchalltrafficusingphrase maltego.Phrase
rawsearchalltrafficusingdomain maltego.Domain
rawsearchalltrafficusingcve maltego.CVE

Get Malware Attacks Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Malware Attacks Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchmalwareattacksusingipv4address maltego.IPv4Address
rawsearchmalwareattacksusingipv6address maltego.IPv6Address
rawsearchmalwareattacksusinghash maltego.Hash
rawsearchmalwareattacksusingalias maltego.Alias
rawsearchmalwareattacksusingemailaddress maltego.EmailAddress
rawsearchmalwareattacksusingphrase maltego.Phrase
rawsearchmalwareattacksusingdomain maltego.Domain
rawsearchmalwareattacksusingcve maltego.CVE

Get Malware Operations Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Malware Operations Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchmalwareoperationsusingipv4address maltego.IPv4Address
rawsearchmalwareoperationsusingipv6address maltego.IPv6Address
rawsearchmalwareoperationsusinghash maltego.Hash
rawsearchmalwareoperationsusingalias maltego.Alias
rawsearchmalwareoperationsusingemailaddress maltego.EmailAddress
rawsearchmalwareoperationsusingphrase maltego.Phrase
rawsearchmalwareoperationsusingdomain maltego.Domain
rawsearchmalwareoperationsusingcve maltego.CVE

Search All Events (any field)

Description

Returns Splunk events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Search All Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns Splunk events where the input Entity value was observed

Variants

Transform Name Input Entities
rawmultisearchallmodelsusingipv4address maltego.IPv4Address
rawmultisearchallmodelsusingipv6address maltego.IPv6Address
rawmultisearchallmodelsusinghash maltego.Hash
rawmultisearchallmodelsusingalias maltego.Alias
rawmultisearchallmodelsusingemailaddress maltego.EmailAddress
rawmultisearchallmodelsusingphrase maltego.Phrase
rawmultisearchallmodelsusingdomain maltego.Domain
rawmultisearchallmodelsusingcve maltego.CVE

Run Raw Splunk Query

Description

Transform executes the given Splunk query


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Run Raw Splunk Query
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name phrasetorawquery
Input Entities maltego.Phrase
Output Entities Phrase
Short Description Transform executes the given Splunk query

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.