Splunk Enterprise Security

Modified on: Wed, 8 Sep, 2021 at 5:22 PM

Overview

Splunk is a software platform used for monitoring, searching, analyzing, and visualizing machine-generated log data in real time. Splunk provides insights into technology infrastructure, security systems, and various business applications that help drive operational performance and business results.


Splunk ES was developed to help make sense of machine-generated log data, and has become a popular choice among Security Information and Event Management (SIEM) solutions for many organizations worldwide. It is primarily used for searching, monitoring, and examining large volumes of machine data through a web-style interface.


The Splunk Enterprise integration for Maltego combines the full advantage of the Splunk Common Information Model (CIM) with the investigative capabilities of link analysis.


Using Splunk, SOC teams, cybersecurity analysts, and threat analysts alike can easily query the following CIM data models:

  • Authentication
  • Endpoint
  • Malware
  • Network Resolution
  • Network Sessions
  • Network Traffic
  • Vulnerabilities


Investigators can also perform raw searches using Splunk’s Search Processing Language (SPL) to retrieve other events that may not yet be part of the data models.


Be sure to read our blog post, SIEM-plifying Investigations with Splunk and Maltego, to learn more about how to leverage Splunk data and to explore a use case showing how the Splunk Enterprise Security Transforms can query the Authentication data model, allowing you to retrieve information from authentication sources such as Active Directory (AD) directly in Maltego.


You can read more about the Splunk integration on the Hub item detail page on our website.


Installation guidelines

For customers with an internet-facing Splunk instance, simply install the Hub item and enter your details. For customers without an internet-facing Splunk instance, email support@maltego.com.


If you are a Maltego Pro user and are interested in learning how to integrate Splunk Enterprise into Maltego within your organization, email us at support@maltego.com. Our integration experts are happy to discuss your needs and support the integration process!


Pricing and Access

The Splunk Enterprise Security Transforms are only available to Enterprise plan users with a Maltego commercial license (One, Classic, XL).


If you are interested in learning how we can help you achieve this integration within your organization, please reach out to us.


Splunk Enterprise Security Transforms

Get All Sessions events by src_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get All Sessions events by src_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkSessionsAllSessionsUsingSrcIp | maltego.IPv4Address | This Transform returns All_Sessions events where the field src_ip is equal to the value of the input IPv4Address. The CIM defines the field name src_ip as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ProdIPv6AddressToNetworkSessionsAllSessionsUsingSrcIp | maltego.IPv6Address | This Transform returns All_Sessions events where the field src_ip is equal to the value of the input IPv6Address. The CIM defines the field name src_ip as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get All Sessions events by dest_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get All Sessions events by dest_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkSessionsAllSessionsUsingDestIp | maltego.IPv4Address | This Transform returns All_Sessions events where the field dest_ip is equal to the value of the input IPv4Address. The CIM defines the field name dest_ip as ‘The internal IP address allocated to the client initializing a network session. For DHCP and VPN events this is the IP address leased to the client.’
ProdIPv6AddressToNetworkSessionsAllSessionsUsingDestIp | maltego.IPv6Address | This Transform returns All_Sessions events where the field dest_ip is equal to the value of the input IPv6Address. The CIM defines the field name dest_ip as ‘The internal IP address allocated to the client initializing a network session. For DHCP and VPN events this is the IP address leased to the client.’

Get All Sessions events by user [Splunk]

Description

This Transform returns All_Sessions events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user in a network session event where applicable. For example a VPN session or an authenticated DHCP event.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get All Sessions events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToNetworkSessionsAllSessionsUsingUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns All_Sessions events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user in a network session event where applicable. For example a VPN session or an authenticated DHCP event.’

Get Session Start events by src_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Session Start events by src_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkSessionsSessionStartUsingSrcIp | maltego.IPv4Address | This Transform returns Session_Start events where the field src_ip is equal to the value of the input IPv4Address. The CIM defines the field name src_ip as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ProdIPv6AddressToNetworkSessionsSessionStartUsingSrcIp | maltego.IPv6Address | This Transform returns Session_Start events where the field src_ip is equal to the value of the input IPv6Address. The CIM defines the field name src_ip as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get Session End events by src_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Session End events by src_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkSessionsSessionEndUsingSrcIp | maltego.IPv4Address | This Transform returns Session_End events where the field src_ip is equal to the value of the input IPv4Address. The CIM defines the field name src_ip as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ProdIPv6AddressToNetworkSessionsSessionEndUsingSrcIp | maltego.IPv6Address | This Transform returns Session_End events where the field src_ip is equal to the value of the input IPv6Address. The CIM defines the field name src_ip as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get Dhcp events by src_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Dhcp events by src_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkSessionsDHCPUsingSrcIp | maltego.IPv4Address | This Transform returns DHCP events where the field src_ip is equal to the value of the input IPv4Address. The CIM defines the field name src_ip as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ProdIPv6AddressToNetworkSessionsDHCPUsingSrcIp | maltego.IPv6Address | This Transform returns DHCP events where the field src_ip is equal to the value of the input IPv6Address. The CIM defines the field name src_ip as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get Vpn events by src_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Vpn events by src_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkSessionsVPNUsingSrcIp | maltego.IPv4Address | This Transform returns VPN events where the field src_ip is equal to the value of the input IPv4Address. The CIM defines the field name src_ip as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ProdIPv6AddressToNetworkSessionsVPNUsingSrcIp | maltego.IPv6Address | This Transform returns VPN events where the field src_ip is equal to the value of the input IPv6Address. The CIM defines the field name src_ip as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get Malware Attacks events by src [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Malware Attacks events by src [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToMalwareMalwareAttacksUsingSrc | maltego.IPv4Address | This Transform returns Malware_Attacks events where the field src is equal to the value of the input IPv4Address. The CIM defines the field name src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’
ProdIPv6AddressToMalwareMalwareAttacksUsingSrc | maltego.IPv6Address | This Transform returns Malware_Attacks events where the field src is equal to the value of the input IPv6Address. The CIM defines the field name src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’

Get Malware Attacks events by src_user [Splunk]

Description

This Transform returns Malware_Attacks events where the field src_user is equal to the value of the input Alias. The CIM defines the field name src_user as ‘The reported sender of an email-based attack.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Malware Attacks events by src_user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToMalwareMalwareAttacksUsingSrcUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Malware_Attacks events where the field src_user is equal to the value of the input Alias. The CIM defines the field name src_user as ‘The reported sender of an email-based attack.’

Get Malware Attacks events by user [Splunk]

Description

This Transform returns Malware_Attacks events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user involved in the malware event.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Malware Attacks events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToMalwareMalwareAttacksUsingUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Malware_Attacks events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user involved in the malware event.’

Get Malware Attacks events by url [Splunk]

Description

This Transform returns Malware_Attacks events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘A URL containing more information about the vulnerability.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Malware Attacks events by url [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdURLToMalwareMalwareAttacksUsingUrl
Input Entities    | maltego.URL
Output Entities   | Phrase
Short Description | This Transform returns Malware_Attacks events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘A URL containing more information about the vulnerability.’

Get Malware Attacks events by file_hash [Splunk]

Description

This Transform returns Malware_Attacks events where the field file_hash is equal to the value of the input Hash. The CIM defines the field name file_hash as ‘The hash of the file with suspected malware.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Malware Attacks events by file_hash [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdHashToMalwareMalwareAttacksUsingFileHash
Input Entities    | maltego.Hash
Output Entities   | Phrase
Short Description | This Transform returns Malware_Attacks events where the field file_hash is equal to the value of the input Hash. The CIM defines the field name file_hash as ‘The hash of the file with suspected malware.’

Get Allowed Malware events by src [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Allowed Malware events by src [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToMalwareAllowedMalwareUsingSrc | maltego.IPv4Address | This Transform returns Allowed_Malware events where the field src is equal to the value of the input IPv4Address. The CIM defines the field name src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’
ProdIPv6AddressToMalwareAllowedMalwareUsingSrc | maltego.IPv6Address | This Transform returns Allowed_Malware events where the field src is equal to the value of the input IPv6Address. The CIM defines the field name src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’

Get Allowed Malware events by src_user [Splunk]

Description

This Transform returns Allowed_Malware events where the field src_user is equal to the value of the input Alias. The CIM defines the field name src_user as ‘The reported sender of an email-based attack.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Allowed Malware events by src_user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToMalwareAllowedMalwareUsingSrcUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Allowed_Malware events where the field src_user is equal to the value of the input Alias. The CIM defines the field name src_user as ‘The reported sender of an email-based attack.’

Get Allowed Malware events by url [Splunk]

Description

This Transform returns Allowed_Malware events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘A URL containing more information about the vulnerability.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Allowed Malware events by url [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdURLToMalwareAllowedMalwareUsingUrl
Input Entities    | maltego.URL
Output Entities   | Phrase
Short Description | This Transform returns Allowed_Malware events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘A URL containing more information about the vulnerability.’

Get Allowed Malware events by file_hash [Splunk]

Description

This Transform returns Allowed_Malware events where the field file_hash is equal to the value of the input Hash. The CIM defines the field name file_hash as ‘The hash of the file with suspected malware.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Allowed Malware events by file_hash [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdHashToMalwareAllowedMalwareUsingFileHash
Input Entities    | maltego.Hash
Output Entities   | Phrase
Short Description | This Transform returns Allowed_Malware events where the field file_hash is equal to the value of the input Hash. The CIM defines the field name file_hash as ‘The hash of the file with suspected malware.’

Get Blocked Malware events by src [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Blocked Malware events by src [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToMalwareBlockedMalwareUsingSrc | maltego.IPv4Address | This Transform returns Blocked_Malware events where the field src is equal to the value of the input IPv4Address. The CIM defines the field name src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’
ProdIPv6AddressToMalwareBlockedMalwareUsingSrc | maltego.IPv6Address | This Transform returns Blocked_Malware events where the field src is equal to the value of the input IPv6Address. The CIM defines the field name src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’

Get Blocked Malware events by src_user [Splunk]

Description

This Transform returns Blocked_Malware events where the field src_user is equal to the value of the input Alias. The CIM defines the field name src_user as ‘The reported sender of an email-based attack.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Blocked Malware events by src_user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToMalwareBlockedMalwareUsingSrcUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Blocked_Malware events where the field src_user is equal to the value of the input Alias. The CIM defines the field name src_user as ‘The reported sender of an email-based attack.’

Get Blocked Malware events by url [Splunk]

Description

This Transform returns Blocked_Malware events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘A URL containing more information about the vulnerability.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Blocked Malware events by url [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdURLToMalwareBlockedMalwareUsingUrl
Input Entities    | maltego.URL
Output Entities   | Phrase
Short Description | This Transform returns Blocked_Malware events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘A URL containing more information about the vulnerability.’

Get Blocked Malware events by file_hash [Splunk]

Description

This Transform returns Blocked_Malware events where the field file_hash is equal to the value of the input Hash. The CIM defines the field name file_hash as ‘The hash of the file with suspected malware.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Blocked Malware events by file_hash [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdHashToMalwareBlockedMalwareUsingFileHash
Input Entities    | maltego.Hash
Output Entities   | Phrase
Short Description | This Transform returns Blocked_Malware events where the field file_hash is equal to the value of the input Hash. The CIM defines the field name file_hash as ‘The hash of the file with suspected malware.’

Get Deferred Malware events by src [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Deferred Malware events by src [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToMalwareDeferredMalwareUsingSrc | maltego.IPv4Address | This Transform returns Deferred_Malware events where the field src is equal to the value of the input IPv4Address. The CIM defines the field name src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’
ProdIPv6AddressToMalwareDeferredMalwareUsingSrc | maltego.IPv6Address | This Transform returns Deferred_Malware events where the field src is equal to the value of the input IPv6Address. The CIM defines the field name src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’

Get Deferred Malware events by src_user [Splunk]

Description

This Transform returns Deferred_Malware events where the field src_user is equal to the value of the input Alias. The CIM defines the field name src_user as ‘The reported sender of an email-based attack.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Deferred Malware events by src_user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToMalwareDeferredMalwareUsingSrcUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Deferred_Malware events where the field src_user is equal to the value of the input Alias. The CIM defines the field name src_user as ‘The reported sender of an email-based attack.’

Get Deferred Malware events by url [Splunk]

Description

This Transform returns Deferred_Malware events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘A URL containing more information about the vulnerability.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Deferred Malware events by url [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdURLToMalwareDeferredMalwareUsingUrl
Input Entities    | maltego.URL
Output Entities   | Phrase
Short Description | This Transform returns Deferred_Malware events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘A URL containing more information about the vulnerability.’

Get Deferred Malware events by file_hash [Splunk]

Description

This Transform returns Deferred_Malware events where the field file_hash is equal to the value of the input Hash. The CIM defines the field name file_hash as ‘The hash of the file with suspected malware.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Deferred Malware events by file_hash [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdHashToMalwareDeferredMalwareUsingFileHash
Input Entities    | maltego.Hash
Output Entities   | Phrase
Short Description | This Transform returns Deferred_Malware events where the field file_hash is equal to the value of the input Hash. The CIM defines the field name file_hash as ‘The hash of the file with suspected malware.’

Get Malware Operations events by src [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Malware Operations events by src [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToMalwareMalwareOperationsUsingSrc | maltego.IPv4Address | This Transform returns Malware_Operations events where the field src is equal to the value of the input IPv4Address. The CIM defines the field name src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’
ProdIPv6AddressToMalwareMalwareOperationsUsingSrc | maltego.IPv6Address | This Transform returns Malware_Operations events where the field src is equal to the value of the input IPv6Address. The CIM defines the field name src as ‘The source of the endpoint event such as a DAT file relay server. You can alias this from more specific fields such as src_host src_ip or src_name.’

Get Malware Operations events by src_user [Splunk]

Description

This Transform returns Malware_Operations events where the field src_user is equal to the value of the input Alias. The CIM defines the field name src_user as ‘The reported sender of an email-based attack.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Malware Operations events by src_user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToMalwareMalwareOperationsUsingSrcUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Malware_Operations events where the field src_user is equal to the value of the input Alias. The CIM defines the field name src_user as ‘The reported sender of an email-based attack.’

Get Malware Operations events by url [Splunk]

Description

This Transform returns Malware_Operations events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘A URL containing more information about the vulnerability.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Malware Operations events by url [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdURLToMalwareMalwareOperationsUsingUrl
Input Entities    | maltego.URL
Output Entities   | Phrase
Short Description | This Transform returns Malware_Operations events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘A URL containing more information about the vulnerability.’

Get Malware Operations events by file_hash [Splunk]

Description

This Transform returns Malware_Operations events where the field file_hash is equal to the value of the input Hash. The CIM defines the field name file_hash as ‘The hash of the file with suspected malware.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Malware Operations events by file_hash [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdHashToMalwareMalwareOperationsUsingFileHash
Input Entities    | maltego.Hash
Output Entities   | Phrase
Short Description | This Transform returns Malware_Operations events where the field file_hash is equal to the value of the input Hash. The CIM defines the field name file_hash as ‘The hash of the file with suspected malware.’

Get All Traffic events by src_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get All Traffic events by src_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkTrafficAllTrafficUsingSrcIp | maltego.IPv4Address | This Transform returns All_Traffic events where the field src_ip is equal to the value of the input IPv4Address. The CIM defines the field name src_ip as ‘The ip address of the source.’
ProdIPv6AddressToNetworkTrafficAllTrafficUsingSrcIp | maltego.IPv6Address | This Transform returns All_Traffic events where the field src_ip is equal to the value of the input IPv6Address. The CIM defines the field name src_ip as ‘The ip address of the source.’

Get All Traffic events by src [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get All Traffic events by src [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkTrafficAllTrafficUsingSrc | maltego.IPv4Address | This Transform returns All_Traffic events where the field src is equal to the value of the input IPv4Address. The CIM defines the field name src as ‘The source of the network traffic (the client requesting the connection). You can alias this from more specific fields, such as src_host, src_ip, or src_name.’
ProdIPv6AddressToNetworkTrafficAllTrafficUsingSrc | maltego.IPv6Address | This Transform returns All_Traffic events where the field src is equal to the value of the input IPv6Address. The CIM defines the field name src as ‘The source of the network traffic (the client requesting the connection). You can alias this from more specific fields, such as src_host, src_ip, or src_name.’

Get All Traffic events by dest_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get All Traffic events by dest_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkTrafficAllTrafficUsingDestIp | maltego.IPv4Address | This Transform returns All_Traffic events where the field dest_ip is equal to the value of the input IPv4Address. The CIM defines the field name dest_ip as ‘The IP address of the destination.’
ProdIPv6AddressToNetworkTrafficAllTrafficUsingDestIp | maltego.IPv6Address | This Transform returns All_Traffic events where the field dest_ip is equal to the value of the input IPv6Address. The CIM defines the field name dest_ip as ‘The IP address of the destination.’

Get All Traffic events by dvc_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get All Traffic events by dvc_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkTrafficAllTrafficUsingDvcIp | maltego.IPv4Address | This Transform returns All_Traffic events where the field dvc_ip is equal to the value of the input IPv4Address. The CIM defines the field name dvc_ip as ‘The ip address of the device.’
ProdIPv6AddressToNetworkTrafficAllTrafficUsingDvcIp | maltego.IPv6Address | This Transform returns All_Traffic events where the field dvc_ip is equal to the value of the input IPv6Address. The CIM defines the field name dvc_ip as ‘The ip address of the device.’

Get All Traffic events by dvc [Splunk]

Description

This Transform returns All_Traffic events where the field dvc is equal to the value of the input Alias. The CIM defines the field name dvc as ‘The device that reported the traffic event. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get All Traffic events by dvc [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToNetworkTrafficAllTrafficUsingDvc
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns All_Traffic events where the field dvc is equal to the value of the input Alias. The CIM defines the field name dvc as ‘The device that reported the traffic event. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name.’

Get All Traffic events by user [Splunk]

Description

This Transform returns All_Traffic events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user that requested the traffic flow.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get All Traffic events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToNetworkTrafficAllTrafficUsingUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns All_Traffic events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user that requested the traffic flow.’

Get Allowed Traffic events by src_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Allowed Traffic events by src_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkTrafficAllowedTrafficUsingSrcIp | maltego.IPv4Address | This Transform returns Allowed_Traffic events where the field src_ip is equal to the value of the input IPv4Address. The CIM defines the field name src_ip as ‘The ip address of the source.’
ProdIPv6AddressToNetworkTrafficAllowedTrafficUsingSrcIp | maltego.IPv6Address | This Transform returns Allowed_Traffic events where the field src_ip is equal to the value of the input IPv6Address. The CIM defines the field name src_ip as ‘The ip address of the source.’

Get Allowed Traffic events by dest_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Allowed Traffic events by dest_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkTrafficAllowedTrafficUsingDestIp | maltego.IPv4Address | This Transform returns Allowed_Traffic events where the field dest_ip is equal to the value of the input IPv4Address. The CIM defines the field name dest_ip as ‘The IP address of the destination.’
ProdIPv6AddressToNetworkTrafficAllowedTrafficUsingDestIp | maltego.IPv6Address | This Transform returns Allowed_Traffic events where the field dest_ip is equal to the value of the input IPv6Address. The CIM defines the field name dest_ip as ‘The IP address of the destination.’

Get Allowed Traffic events by dvc_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Allowed Traffic events by dvc_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkTrafficAllowedTrafficUsingDvcIp | maltego.IPv4Address | This Transform returns Allowed_Traffic events where the field dvc_ip is equal to the value of the input IPv4Address. The CIM defines the field name dvc_ip as ‘The ip address of the device.’
ProdIPv6AddressToNetworkTrafficAllowedTrafficUsingDvcIp | maltego.IPv6Address | This Transform returns Allowed_Traffic events where the field dvc_ip is equal to the value of the input IPv6Address. The CIM defines the field name dvc_ip as ‘The ip address of the device.’

Get Blocked Traffic events by src_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Blocked Traffic events by src_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkTrafficBlockedTrafficUsingSrcIp | maltego.IPv4Address | This Transform returns Blocked_Traffic events where the field src_ip is equal to the value of the input IPv4Address. The CIM defines the field name src_ip as ‘The ip address of the source.’
ProdIPv6AddressToNetworkTrafficBlockedTrafficUsingSrcIp | maltego.IPv6Address | This Transform returns Blocked_Traffic events where the field src_ip is equal to the value of the input IPv6Address. The CIM defines the field name src_ip as ‘The ip address of the source.’

Get Blocked Traffic events by dest_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Blocked Traffic events by dest_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkTrafficBlockedTrafficUsingDestIp | maltego.IPv4Address | This Transform returns Blocked_Traffic events where the field dest_ip is equal to the value of the input IPv4Address. The CIM defines the field name dest_ip as ‘The IP address of the destination.’
ProdIPv6AddressToNetworkTrafficBlockedTrafficUsingDestIp | maltego.IPv6Address | This Transform returns Blocked_Traffic events where the field dest_ip is equal to the value of the input IPv6Address. The CIM defines the field name dest_ip as ‘The IP address of the destination.’

Get Blocked Traffic events by dvc_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Blocked Traffic events by dvc_ip [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToNetworkTrafficBlockedTrafficUsingDvcIp | maltego.IPv4Address | This Transform returns Blocked_Traffic events where the field dvc_ip is equal to the value of the input IPv4Address. The CIM defines the field name dvc_ip as ‘The ip address of the device.’
ProdIPv6AddressToNetworkTrafficBlockedTrafficUsingDvcIp | maltego.IPv6Address | This Transform returns Blocked_Traffic events where the field dvc_ip is equal to the value of the input IPv6Address. The CIM defines the field name dvc_ip as ‘The ip address of the device.’

Get Vulnerabilities events by user [Splunk]

Description

This Transform returns Vulnerabilities events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user involved in the discovered vulnerability.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Vulnerabilities events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToVulnerabilitiesVulnerabilitiesUsingUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Vulnerabilities events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user involved in the discovered vulnerability.’

Get Vulnerabilities events by dvc [Splunk]

Description

This Transform returns Vulnerabilities events where the field dvc is equal to the value of the input Alias. The CIM defines the field name dvc as ‘The system that discovered the vulnerability. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Vulnerabilities events by dvc [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToVulnerabilitiesVulnerabilitiesUsingDvc
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Vulnerabilities events where the field dvc is equal to the value of the input Alias. The CIM defines the field name dvc as ‘The system that discovered the vulnerability. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name.’

Get Vulnerabilities events by url [Splunk]

Description

This Transform returns Vulnerabilities events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘The URL involved in the discovered vulnerability.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Vulnerabilities events by url [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdURLToVulnerabilitiesVulnerabilitiesUsingUrl
Input Entities    | maltego.URL
Output Entities   | Phrase
Short Description | This Transform returns Vulnerabilities events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘The URL involved in the discovered vulnerability.’

Get High Critical Vulnerabilities events by user [Splunk]

Description

This Transform returns High_Critical_Vulnerabilities events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user involved in the discovered vulnerability.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get High Critical Vulnerabilities events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToVulnerabilitiesHighCriticalVulnerabilitiesUsingUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns High_Critical_Vulnerabilities events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user involved in the discovered vulnerability.’

Get High Critical Vulnerabilities events by url [Splunk]

Description

This Transform returns High_Critical_Vulnerabilities events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘The URL involved in the discovered vulnerability.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get High Critical Vulnerabilities events by url [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdURLToVulnerabilitiesHighCriticalVulnerabilitiesUsingUrl
Input Entities    | maltego.URL
Output Entities   | Phrase
Short Description | This Transform returns High_Critical_Vulnerabilities events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘The URL involved in the discovered vulnerability.’

Get Medium Vulnerabilities events by user [Splunk]

Description

This Transform returns Medium_Vulnerabilities events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user involved in the discovered vulnerability.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Medium Vulnerabilities events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToVulnerabilitiesMediumVulnerabilitiesUsingUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Medium_Vulnerabilities events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user involved in the discovered vulnerability.’

Get Medium Vulnerabilities events by url [Splunk]

Description

This Transform returns Medium_Vulnerabilities events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘The URL involved in the discovered vulnerability.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Medium Vulnerabilities events by url [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdURLToVulnerabilitiesMediumVulnerabilitiesUsingUrl
Input Entities    | maltego.URL
Output Entities   | Phrase
Short Description | This Transform returns Medium_Vulnerabilities events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘The URL involved in the discovered vulnerability.’

Get Low Informational Vulnerabilities events by user [Splunk]

Description

This Transform returns Low_Informational_Vulnerabilities events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user involved in the discovered vulnerability.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Low Informational Vulnerabilities events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToVulnerabilitiesLowInformationalVulnerabilitiesUsingUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Low_Informational_Vulnerabilities events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user involved in the discovered vulnerability.’

Get Low Informational Vulnerabilities events by url [Splunk]

Description

This Transform returns Low_Informational_Vulnerabilities events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘The URL involved in the discovered vulnerability.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Low Informational Vulnerabilities events by url [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdURLToVulnerabilitiesLowInformationalVulnerabilitiesUsingUrl
Input Entities    | maltego.URL
Output Entities   | Phrase
Short Description | This Transform returns Low_Informational_Vulnerabilities events where the field url is equal to the value of the input URL. The CIM defines the field name url as ‘The URL involved in the discovered vulnerability.’

Get Authentication events by src [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information     | Value
Display Name    | Get Authentication events by src [Splunk]
Owner           | Maltego Technologies GmbH
Author          | tm@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdIPv4AddressToAuthenticationAuthenticationUsingSrc | maltego.IPv4Address | This Transform returns Authentication events where the field src is equal to the value of the input IPv4Address. The CIM defines the field name src as ‘The source involved in the authentication. In the case of endpoint protection authentication the src is the client. You can alias this from more specific fields, such as src_host, src_ip, or src_nt_host.’
ProdIPv6AddressToAuthenticationAuthenticationUsingSrc | maltego.IPv6Address | This Transform returns Authentication events where the field src is equal to the value of the input IPv6Address. The CIM defines the field name src as ‘The source involved in the authentication. In the case of endpoint protection authentication the src is the client. You can alias this from more specific fields, such as src_host, src_ip, or src_nt_host.’

Get Authentication events by src_user_id [Splunk]

Description

This Transform returns Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Authentication events by src_user_id [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToAuthenticationAuthenticationUsingSrcUserId
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Authentication events by src_user [Splunk]

Description

This Transform returns Authentication events where the field src_user is equal to the value of the input Alias. The CIM defines the field name src_user as ‘In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Authentication events by src_user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToAuthenticationAuthenticationUsingSrcUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Authentication events where the field src_user is equal to the value of the input Alias. The CIM defines the field name src_user as ‘In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Authentication events by user_id [Splunk]

Description

This Transform returns Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Authentication events by user_id [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToAuthenticationAuthenticationUsingUserId
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’

Get Authentication events by user [Splunk]

Description

This Transform returns Authentication events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Authentication events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToAuthenticationAuthenticationUsingUser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Authentication events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’

Get Failed Authentication events by src_user_id [Splunk]

Description

This Transform returns Failed_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | True  | False
Password     | string       |               | True     | True  | False
host         | string       | localhost     | False    | True  | False
port         | string       | 8089          | False    | True  | False
token        | string       | token         | True     | True  | False
username     | string       |               | True     | True  | False

Transform Meta Info

Information       | Value
Display Name      | Get Failed Authentication events by src_user_id [Splunk]
Owner             | Maltego Technologies GmbH
Author            | tm@maltego.com
Data Source       | Splunk
Transform Name    | ProdAliasToAuthenticationFailedAuthenticationUsingSrcUserId
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Failed_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Failed Authentication events by user_id [Splunk]

Description

This Transform returns Failed_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Failed Authentication events by user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationFailedAuthenticationUsingUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Failed_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |

Get Successful Authentication events by src_user_id [Splunk]

Description

This Transform returns Successful_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Successful Authentication events by src_user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationSuccessfulAuthenticationUsingSrcUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Successful_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |

Get Successful Authentication events by user_id [Splunk]

Description

This Transform returns Successful_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Successful Authentication events by user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationSuccessfulAuthenticationUsingUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Successful_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |

Get Default Authentication events by src_user_id [Splunk]

Description

This Transform returns Default_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Default Authentication events by src_user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationDefaultAuthenticationUsingSrcUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Default_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |

Get Default Authentication events by user_id [Splunk]

Description

This Transform returns Default_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Default Authentication events by user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationDefaultAuthenticationUsingUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Default_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |

Get Failed Default Authentication events by src_user_id [Splunk]

Description

This Transform returns Failed_Default_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Failed Default Authentication events by src_user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationFailedDefaultAuthenticationUsingSrcUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Failed_Default_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |

Get Failed Default Authentication events by user_id [Splunk]

Description

This Transform returns Failed_Default_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Failed Default Authentication events by user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationFailedDefaultAuthenticationUsingUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Failed_Default_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |

Get Successful Default Authentication events by src_user_id [Splunk]

Description

This Transform returns Successful_Default_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Successful Default Authentication events by src_user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationSuccessfulDefaultAuthenticationUsingSrcUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Successful_Default_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |

Get Successful Default Authentication events by user_id [Splunk]

Description

This Transform returns Successful_Default_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Successful Default Authentication events by user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationSuccessfulDefaultAuthenticationUsingUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Successful_Default_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |

Get Insecure Authentication events by src_user_id [Splunk]

Description

This Transform returns Insecure_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Insecure Authentication events by src_user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationInsecureAuthenticationUsingSrcUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Insecure_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |

Get Insecure Authentication events by user_id [Splunk]

Description

This Transform returns Insecure_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Insecure Authentication events by user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationInsecureAuthenticationUsingUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Insecure_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |

Get Privileged Authentication events by src_user_id [Splunk]

Description

This Transform returns Privileged_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Privileged Authentication events by src_user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationPrivilegedAuthenticationUsingSrcUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Privileged_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |

Get Privileged Authentication events by user_id [Splunk]

Description

This Transform returns Privileged_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Privileged Authentication events by user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationPrivilegedAuthenticationUsingUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Privileged_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |

Get Failed Privileged Authentication events by src_user_id [Splunk]

Description

This Transform returns Failed_Privileged_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Failed Privileged Authentication events by src_user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationFailedPrivilegedAuthenticationUsingSrcUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Failed_Privileged_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |

Get Failed Privileged Authentication events by user_id [Splunk]

Description

This Transform returns Failed_Privileged_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Failed Privileged Authentication events by user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationFailedPrivilegedAuthenticationUsingUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Failed_Privileged_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |

Get Successful Privileged Authentication events by src_user_id [Splunk]

Description

This Transform returns Successful_Privileged_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Successful Privileged Authentication events by src_user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationSuccessfulPrivilegedAuthenticationUsingSrcUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Successful_Privileged_Authentication events where the field src_user_id is equal to the value of the input Alias. The CIM defines the field name src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’ |

Get Successful Privileged Authentication events by user_id [Splunk]

Description

This Transform returns Successful_Privileged_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Successful Privileged Authentication events by user_id [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToAuthenticationSuccessfulPrivilegedAuthenticationUsingUserId |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Successful_Privileged_Authentication events where the field user_id is equal to the value of the input Alias. The CIM defines the field name user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’ |

Get Ports events by src [Splunk]

Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Ports events by src [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Output Entities | Phrase |

Variants

| Transform Name | Input Entities | Short Description |
|---|---|---|
| ProdIPv4AddressToEndpointPortsUsingSrc | maltego.IPv4Address | This Transform returns Ports events where the field src is equal to the value of the input IPv4Address. The CIM defines the field name src as ‘The remote system connected to the listening port (if applicable).’ |
| ProdIPv6AddressToEndpointPortsUsingSrc | maltego.IPv6Address | This Transform returns Ports events where the field src is equal to the value of the input IPv6Address. The CIM defines the field name src as ‘The remote system connected to the listening port (if applicable).’ |

Get Ports events by user [Splunk]

Description

This Transform returns Ports events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user account associated with the listening port.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Ports events by user [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToEndpointPortsUsingUser |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Ports events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user account associated with the listening port.’ |

Get Processes events by user [Splunk]

Description

This Transform returns Processes events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user account which spawned the process.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Processes events by user [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToEndpointProcessesUsingUser |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Processes events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user account which spawned the process.’ |

Get Services events by user [Splunk]

Description

This Transform returns Services events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user account associated with the service.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Services events by user [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToEndpointServicesUsingUser |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Services events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user account associated with the service.’ |

Get Filesystem events by user [Splunk]

Description

This Transform returns Filesystem events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user account associated with the filesystem access.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Filesystem events by user [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToEndpointFilesystemUsingUser |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Filesystem events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user account associated with the filesystem access.’ |

Get Filesystem events by file_hash [Splunk]

Description

This Transform returns Filesystem events where the field file_hash is equal to the value of the input Hash. The CIM defines the field name file_hash as ‘A cryptographic identifier assigned to the file object affected by the event.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Filesystem events by file_hash [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdHashToEndpointFilesystemUsingFileHash |
| Input Entities | maltego.Hash |
| Output Entities | Phrase |
| Short Description | This Transform returns Filesystem events where the field file_hash is equal to the value of the input Hash. The CIM defines the field name file_hash as ‘A cryptographic identifier assigned to the file object affected by the event.’ |

Get Registry events by user [Splunk]

Description

This Transform returns Registry events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user account associated with the registry access.’


Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Registry events by user [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Transform Name | ProdAliasToEndpointRegistryUsingUser |
| Input Entities | maltego.Alias |
| Output Entities | Phrase |
| Short Description | This Transform returns Registry events where the field user is equal to the value of the input Alias. The CIM defines the field name user as ‘The user account associated with the registry access.’ |

Get Dns events by src [Splunk]

Transform Settings

| Display Name | Setting Type | Default Value | Optional | Popup | Authentication |
|---|---|---|---|---|---|
| Date Range | daterange | | False | True | False |
| Password | string | | True | True | False |
| host | string | localhost | False | True | False |
| port | string | 8089 | False | True | False |
| token | string | token | True | True | False |
| username | string | | True | True | False |

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | Get Dns events by src [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Output Entities | Phrase |

Variants

| Transform Name | Input Entities | Short Description |
|---|---|---|
| ProdIPv4AddressToNetworkResolutionDNSUsingSrc | maltego.IPv4Address | This Transform returns DNS events where the field src is equal to the value of the input IPv4Address. The CIM defines the field name src as ‘The source of the network resolution event. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’ |
| ProdIPv6AddressToNetworkResolutionDNSUsingSrc | maltego.IPv6Address | This Transform returns DNS events where the field src is equal to the value of the input IPv6Address. The CIM defines the field name src as ‘The source of the network resolution event. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’ |

To Signature (Hash) [Splunk]

Transform Meta Info

| Information | Value |
|---|---|
| Display Name | To Signature (Hash) [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Output Entities | Phrase |

Variants

| Transform Name | Input Entities | Short Description |
|---|---|---|
| ProdNetworkSessionsAllSessionsToSignatureHash | maltego.splunk.AllSessions | Returns the value of the field ‘signature’ as a Hash entity |
| ProdVulnerabilitiesVulnerabilitiesToSignatureHash | maltego.splunk.Vulnerabilities | Returns the value of the calculated field ‘signature’ as a Hash entity |
| ProdAuthenticationAuthenticationToSignatureHash | maltego.splunk.Authentication | Returns the value of the field ‘signature’ as a Hash entity |
| ProdMalwareMalwareAttacksToSignatureHash | maltego.splunk.MalwareAttacks | Returns the value of the calculated field ‘signature’ as a Hash entity |

To SrcIp (IPv4Address) [Splunk]

Description

Returns the value of the field ‘src_ip’ as an IPv4Address entity


Transform Meta Info

| Information | Value |
|---|---|
| Display Name | To SrcIp (IPv4Address) [Splunk] |
| Owner | Maltego Technologies GmbH |
| Author | tm@maltego.com |
| Data Source | Splunk |
| Output Entities | Phrase |
| Short Description | Returns the value of the field ‘src_ip’ as an IPv4Address entity |

Variants

| Transform Name | Input Entities |
|---|---|
| ProdNetworkSessionsAllSessionsToSrcIpIPv4Address | maltego.splunk.AllSessions |
| ProdNetworkTrafficAllTrafficToSrcIpIPv4Address | maltego.splunk.AllTraffic |

To SrcIp (IPv6Address) [Splunk]

Description

Returns the value of the field ‘src_ip’ as an IPv6Address entity

Transform Meta Info

Information | Value
Display Name | To SrcIp (IPv6Address) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | IPv6Address
Short Description | Returns the value of the field ‘src_ip’ as an IPv6Address entity

Variants

Transform Name | Input Entities
ProdNetworkSessionsAllSessionsToSrcIpIPv6Address | maltego.splunk.AllSessions
ProdNetworkTrafficAllTrafficToSrcIpIPv6Address | maltego.splunk.AllTraffic

To SrcNtHost (Domain) [Splunk]

Description

Returns the value of the field ‘src_nt_host’ as a Domain entity

Transform Meta Info

Information | Value
Display Name | To SrcNtHost (Domain) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdNetworkSessionsAllSessionsToSrcNtHostDomain
Input Entities | maltego.splunk.AllSessions
Output Entities | Domain
Short Description | Returns the value of the field ‘src_nt_host’ as a Domain entity

To DestIp (IPv4Address) [Splunk]

Transform Meta Info

Information | Value
Display Name | To DestIp (IPv4Address) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | IPv4Address

Variants

Transform Name | Input Entities | Short Description
ProdNetworkSessionsAllSessionsToDestIpIPv4Address | maltego.splunk.AllSessions | Returns the value of the calculated field ‘dest_ip’ as an IPv4Address entity
ProdNetworkTrafficAllTrafficToDestIpIPv4Address | maltego.splunk.AllTraffic | Returns the value of the field ‘dest_ip’ as an IPv4Address entity

To DestIp (IPv6Address) [Splunk]

Transform Meta Info

Information | Value
Display Name | To DestIp (IPv6Address) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | IPv6Address

Variants

Transform Name | Input Entities | Short Description
ProdNetworkSessionsAllSessionsToDestIpIPv6Address | maltego.splunk.AllSessions | Returns the value of the calculated field ‘dest_ip’ as an IPv6Address entity
ProdNetworkTrafficAllTrafficToDestIpIPv6Address | maltego.splunk.AllTraffic | Returns the value of the field ‘dest_ip’ as an IPv6Address entity

To DestNtHost (Domain) [Splunk]

Description

Returns the value of the calculated field ‘dest_nt_host’ as a Domain entity

Transform Meta Info

Information | Value
Display Name | To DestNtHost (Domain) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdNetworkSessionsAllSessionsToDestNtHostDomain
Input Entities | maltego.splunk.AllSessions
Output Entities | Domain
Short Description | Returns the value of the calculated field ‘dest_nt_host’ as a Domain entity

To User (Alias) [Splunk]

Transform Meta Info

Information | Value
Display Name | To User (Alias) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | Alias

Variants

Transform Name | Input Entities | Short Description
ProdNetworkSessionsAllSessionsToUserAlias | maltego.splunk.AllSessions | Returns the value of the calculated field ‘user’ as an Alias entity
ProdEndpointPortsToUserAlias | maltego.splunk.Ports | Returns the value of the calculated field ‘user’ as an Alias entity
ProdEndpointProcessesToUserAlias | maltego.splunk.Processes | Returns the value of the calculated field ‘user’ as an Alias entity
ProdEndpointServicesToUserAlias | maltego.splunk.Services | Returns the value of the calculated field ‘user’ as an Alias entity
ProdEndpointFilesystemToUserAlias | maltego.splunk.Filesystem | Returns the value of the calculated field ‘user’ as an Alias entity
ProdEndpointRegistryToUserAlias | maltego.splunk.Registry | Returns the value of the calculated field ‘user’ as an Alias entity
ProdVulnerabilitiesVulnerabilitiesToUserAlias | maltego.splunk.Vulnerabilities | Returns the value of the field ‘user’ as an Alias entity
ProdAuthenticationAuthenticationToUserAlias | maltego.splunk.Authentication | Returns the value of the calculated field ‘user’ as an Alias entity
ProdNetworkTrafficAllTrafficToUserAlias | maltego.splunk.AllTraffic | Returns the value of the calculated field ‘user’ as an Alias entity
ProdMalwareMalwareAttacksToUserAlias | maltego.splunk.MalwareAttacks | Returns the value of the calculated field ‘user’ as an Alias entity

To Src (IPv4Address) [Splunk]

Transform Meta Info

Information | Value
Display Name | To Src (IPv4Address) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | IPv4Address

Variants

Transform Name | Input Entities | Short Description
ProdNetworkResolutionDnsToSrcIPv4Address | maltego.splunk.Dns | Returns the value of the field ‘src’ as an IPv4Address entity
ProdEndpointPortsToSrcIPv4Address | maltego.splunk.Ports | Returns the value of the calculated field ‘src’ as an IPv4Address entity
ProdAuthenticationAuthenticationToSrcIPv4Address | maltego.splunk.Authentication | Returns the value of the calculated field ‘src’ as an IPv4Address entity
ProdNetworkTrafficAllTrafficToSrcIPv4Address | maltego.splunk.AllTraffic | Returns the value of the calculated field ‘src’ as an IPv4Address entity
ProdMalwareMalwareAttacksToSrcIPv4Address | maltego.splunk.MalwareAttacks | Returns the value of the field ‘src’ as an IPv4Address entity

To Src (IPv6Address) [Splunk]

Transform Meta Info

Information | Value
Display Name | To Src (IPv6Address) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | IPv6Address

Variants

Transform Name | Input Entities | Short Description
ProdNetworkResolutionDnsToSrcIPv6Address | maltego.splunk.Dns | Returns the value of the field ‘src’ as an IPv6Address entity
ProdEndpointPortsToSrcIPv6Address | maltego.splunk.Ports | Returns the value of the calculated field ‘src’ as an IPv6Address entity
ProdAuthenticationAuthenticationToSrcIPv6Address | maltego.splunk.Authentication | Returns the value of the calculated field ‘src’ as an IPv6Address entity
ProdNetworkTrafficAllTrafficToSrcIPv6Address | maltego.splunk.AllTraffic | Returns the value of the calculated field ‘src’ as an IPv6Address entity
ProdMalwareMalwareAttacksToSrcIPv6Address | maltego.splunk.MalwareAttacks | Returns the value of the field ‘src’ as an IPv6Address entity

To Dest (IPv4Address) [Splunk]

Description

Returns the value of the calculated field ‘dest’ as an IPv4Address entity

Transform Meta Info

Information | Value
Display Name | To Dest (IPv4Address) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | IPv4Address
Short Description | Returns the value of the calculated field ‘dest’ as an IPv4Address entity

Variants

Transform Name | Input Entities
ProdNetworkResolutionDnsToDestIPv4Address | maltego.splunk.Dns
ProdEndpointPortsToDestIPv4Address | maltego.splunk.Ports
ProdEndpointProcessesToDestIPv4Address | maltego.splunk.Processes
ProdEndpointServicesToDestIPv4Address | maltego.splunk.Services
ProdEndpointFilesystemToDestIPv4Address | maltego.splunk.Filesystem
ProdEndpointRegistryToDestIPv4Address | maltego.splunk.Registry
ProdVulnerabilitiesVulnerabilitiesToDestIPv4Address | maltego.splunk.Vulnerabilities
ProdAuthenticationAuthenticationToDestIPv4Address | maltego.splunk.Authentication
ProdNetworkTrafficAllTrafficToDestIPv4Address | maltego.splunk.AllTraffic
ProdMalwareMalwareAttacksToDestIPv4Address | maltego.splunk.MalwareAttacks
ProdMalwareMalwareOperationsToDestIPv4Address | maltego.splunk.MalwareOperations

To Dest (IPv6Address) [Splunk]

Description

Returns the value of the calculated field ‘dest’ as an IPv6Address entity

Transform Meta Info

Information | Value
Display Name | To Dest (IPv6Address) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | IPv6Address
Short Description | Returns the value of the calculated field ‘dest’ as an IPv6Address entity

Variants

Transform Name | Input Entities
ProdNetworkResolutionDnsToDestIPv6Address | maltego.splunk.Dns
ProdEndpointPortsToDestIPv6Address | maltego.splunk.Ports
ProdEndpointProcessesToDestIPv6Address | maltego.splunk.Processes
ProdEndpointServicesToDestIPv6Address | maltego.splunk.Services
ProdEndpointFilesystemToDestIPv6Address | maltego.splunk.Filesystem
ProdEndpointRegistryToDestIPv6Address | maltego.splunk.Registry
ProdVulnerabilitiesVulnerabilitiesToDestIPv6Address | maltego.splunk.Vulnerabilities
ProdAuthenticationAuthenticationToDestIPv6Address | maltego.splunk.Authentication
ProdNetworkTrafficAllTrafficToDestIPv6Address | maltego.splunk.AllTraffic
ProdMalwareMalwareAttacksToDestIPv6Address | maltego.splunk.MalwareAttacks
ProdMalwareMalwareOperationsToDestIPv6Address | maltego.splunk.MalwareOperations
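The "To Src", "To Dest", "To SrcIp", "To DestIp", "To SrcNtHost", "To DestNtHost", "To User" and "To Signature" entries above all follow one pattern: read one CIM field from the selected event and emit it as a specific Maltego entity type. What the tables do not spell out is why there are separate IPv4Address and IPv6Address transforms for the same field, and what happens when a field such as dest holds a host name rather than an address. The Python below is an added example, not Maltego's transform code, that makes the typing explicit: a value is only emitted when it really is of the requested type (IPv4 vs IPv6, a host name rather than an IP literal, a hex digest of a known length), multivalue fields are handled, and addresses are canonicalised so the same host yields the same entity across events. The validators, the 'ALGO=hex' hash normalisation and the sample event are assumptions; the event is constructed, not real log data.

```python
"""Added example: typed extraction like the "To <Field> (<EntityType>) [Splunk]" transforms.

Illustrative code, not Maltego's transform implementation; the validators, the
normalisation rules and the sample event are assumptions.
"""
import ipaddress
import re

HEX_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5 / SHA-1 / SHA-256
CVE_RE = re.compile(r"^cve-\d{4}-\d{4,}$")
LABEL_RE = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")


def _as_ip(value, version):
    """Return the canonical address if value is an IP of the given family, else None."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return addr.compressed if addr.version == version else None


def _as_domain(value):
    """Accept a host name, NetBIOS name or FQDN; reject IP literals and bad labels."""
    v = value.strip().lower().rstrip(".")
    if not v or _as_ip(v, 4) or _as_ip(v, 6):
        return None
    return v if all(LABEL_RE.match(label) for label in v.split(".")) else None


def _as_hash(value):
    """Accept bare hex digests and the 'ALGO=hex' form (assumed, as seen in
    Sysmon-style Hashes fields); return the lowercase digest."""
    v = value.split("=", 1)[1] if "=" in value else value
    v = v.strip().lower()
    return v if HEX_HASH_RE.match(v) else None


def _as_cve(value):
    v = value.strip().lower()
    return v.upper() if CVE_RE.match(v) else None


def _as_url(value):
    v = value.strip()
    return v if v.lower().startswith(("http://", "https://", "ftp://")) else None


def _as_text(value):
    v = value.strip()
    return v or None


# entity type -> normaliser returning the value to emit, or None to emit nothing
NORMALISERS = {
    "maltego.IPv4Address": lambda v: _as_ip(v, 4),
    "maltego.IPv6Address": lambda v: _as_ip(v, 6),
    "maltego.Domain": _as_domain,
    "maltego.Hash": _as_hash,
    "maltego.CVE": _as_cve,
    "maltego.URL": _as_url,
    "maltego.Alias": _as_text,
    "maltego.Phrase": _as_text,
}


def to_entities(event, field, entity_type):
    """Emit (entity_type, value) for each value of event[field] that really is of
    that type. Splunk multivalue fields arrive as lists; duplicates are dropped
    and a value failing the check is skipped rather than emitted as a Phrase."""
    raw = event.get(field)
    if raw is None:
        return []
    values = raw if isinstance(raw, list) else [raw]
    normalise = NORMALISERS[entity_type]
    out = []
    for v in values:
        norm = normalise(str(v))
        if norm is not None and (entity_type, norm) not in out:
            out.append((entity_type, norm))
    return out


# Constructed Network_Traffic / Endpoint style event (not real log data).
SAMPLE_EVENT = {
    "src": "10.1.2.3",
    "dest": "fileserver.corp.example",       # 'dest' may hold a name or an IP
    "dest_ip": "2001:0db8::0010",            # non-canonical IPv6 spelling
    "user": "CORP\\jdoe",
    "dest_translated_ip": "",                # empty when no NAT was involved
    "process_hash": ["MD5=9E107D9D372BB6826BD81D3542A419D6",
                     "SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "cve": "cve-2021-12345",                 # placeholder identifier, format only
}

if __name__ == "__main__":
    for field, etype in [("src", "maltego.IPv4Address"), ("dest", "maltego.IPv4Address"),
                         ("dest", "maltego.Domain"), ("dest_ip", "maltego.IPv6Address"),
                         ("process_hash", "maltego.Hash"), ("user", "maltego.Alias")]:
        print(field, etype, to_entities(SAMPLE_EVENT, field, etype))
```

Running the IPv4Address transform on a dest that holds a host name yields nothing, while the Domain transform on the same field yields the name; that is the behaviour the paired IPv4/IPv6/Domain entries in this reference imply, and it is preferable to emitting a mistyped entity that later transforms would then query with.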

To ProcessHash (Hash) [Splunk]

Description

Returns the value of the field ‘process_hash’ as a Hash entity

Transform Meta Info

Information | Value
Display Name | To ProcessHash (Hash) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdEndpointProcessesToProcessHashHash
Input Entities | maltego.splunk.Processes
Output Entities | Hash
Short Description | Returns the value of the field ‘process_hash’ as a Hash entity

To UserId (Alias) [Splunk]

Description

Returns the value of the field ‘user_id’ as an Alias entity

Transform Meta Info

Information | Value
Display Name | To UserId (Alias) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | Alias
Short Description | Returns the value of the field ‘user_id’ as an Alias entity

Variants

Transform Name | Input Entities
ProdEndpointProcessesToUserIdAlias | maltego.splunk.Processes
ProdAuthenticationAuthenticationToUserIdAlias | maltego.splunk.Authentication

To Description (Phrase) [Splunk]

Description

Returns the value of the field ‘description’ as a Phrase entity

Transform Meta Info

Information | Value
Display Name | To Description (Phrase) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdEndpointServicesToDescriptionPhrase
Input Entities | maltego.splunk.Services
Output Entities | Phrase
Short Description | Returns the value of the field ‘description’ as a Phrase entity

To ServiceDllHash (Hash) [Splunk]

Description

Returns the value of the field ‘service_dll_hash’ as a Hash entity

Transform Meta Info

Information | Value
Display Name | To ServiceDllHash (Hash) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdEndpointServicesToServiceDllHashHash
Input Entities | maltego.splunk.Services
Output Entities | Hash
Short Description | Returns the value of the field ‘service_dll_hash’ as a Hash entity

To ServiceHash (Hash) [Splunk]

Description

Returns the value of the field ‘service_hash’ as a Hash entity

Transform Meta Info

Information | Value
Display Name | To ServiceHash (Hash) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdEndpointServicesToServiceHashHash
Input Entities | maltego.splunk.Services
Output Entities | Hash
Short Description | Returns the value of the field ‘service_hash’ as a Hash entity

To FileHash (Hash) [Splunk]

Transform Meta Info

Information | Value
Display Name | To FileHash (Hash) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | Hash

Variants

Transform Name | Input Entities | Short Description
ProdEndpointFilesystemToFileHashHash | maltego.splunk.Filesystem | Returns the value of the calculated field ‘file_hash’ as a Hash entity
ProdMalwareMalwareAttacksToFileHashHash | maltego.splunk.MalwareAttacks | Returns the value of the field ‘file_hash’ as a Hash entity

To FileName (Phrase) [Splunk]

Transform Meta Info

Information | Value
Display Name | To FileName (Phrase) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdEndpointFilesystemToFileNamePhrase | maltego.splunk.Filesystem | Returns the value of the calculated field ‘file_name’ as a Phrase entity
ProdMalwareMalwareAttacksToFileNamePhrase | maltego.splunk.MalwareAttacks | Returns the value of the field ‘file_name’ as a Phrase entity

To Url (URL) [Splunk]

Description

Returns the value of the field ‘url’ as a URL entity

Transform Meta Info

Information | Value
Display Name | To Url (URL) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | URL
Short Description | Returns the value of the field ‘url’ as a URL entity

Variants

Transform Name | Input Entities
ProdVulnerabilitiesVulnerabilitiesToUrlURL | maltego.splunk.Vulnerabilities
ProdMalwareMalwareAttacksToUrlURL | maltego.splunk.MalwareAttacks

To Cve (CVE) [Splunk]

Description

Returns the value of the calculated field ‘cve’ as a CVE entity

Transform Meta Info

Information | Value
Display Name | To Cve (CVE) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdVulnerabilitiesVulnerabilitiesToCveCVE
Input Entities | maltego.splunk.Vulnerabilities
Output Entities | CVE
Short Description | Returns the value of the calculated field ‘cve’ as a CVE entity

To Dvc (Alias) [Splunk]

Description

Returns the value of the calculated field ‘dvc’ as an Alias entity

Transform Meta Info

Information | Value
Display Name | To Dvc (Alias) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | Alias
Short Description | Returns the value of the calculated field ‘dvc’ as an Alias entity

Variants

Transform Name | Input Entities
ProdVulnerabilitiesVulnerabilitiesToDvcAlias | maltego.splunk.Vulnerabilities
ProdNetworkTrafficAllTrafficToDvcAlias | maltego.splunk.AllTraffic

To DestNtDomain (Domain) [Splunk]

Transform Meta Info

Information | Value
Display Name | To DestNtDomain (Domain) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | Domain

Variants

Transform Name | Input Entities | Short Description
ProdAuthenticationAuthenticationToDestNtDomainDomain | maltego.splunk.Authentication | Returns the value of the field ‘dest_nt_domain’ as a Domain entity
ProdMalwareMalwareAttacksToDestNtDomainDomain | maltego.splunk.MalwareAttacks | Returns the value of the calculated field ‘dest_nt_domain’ as a Domain entity
ProdMalwareMalwareOperationsToDestNtDomainDomain | maltego.splunk.MalwareOperations | Returns the value of the calculated field ‘dest_nt_domain’ as a Domain entity

To SrcNtDomain (Domain) [Splunk]

Description

Returns the value of the field ‘src_nt_domain’ as a Domain entity

Transform Meta Info

Information | Value
Display Name | To SrcNtDomain (Domain) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdAuthenticationAuthenticationToSrcNtDomainDomain
Input Entities | maltego.splunk.Authentication
Output Entities | Domain
Short Description | Returns the value of the field ‘src_nt_domain’ as a Domain entity

To SrcUserId (Alias) [Splunk]

Description

Returns the value of the field ‘src_user_id’ as an Alias entity

Transform Meta Info

Information | Value
Display Name | To SrcUserId (Alias) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdAuthenticationAuthenticationToSrcUserIdAlias
Input Entities | maltego.splunk.Authentication
Output Entities | Alias
Short Description | Returns the value of the field ‘src_user_id’ as an Alias entity

To App (Phrase) [Splunk]

Transform Meta Info

Information | Value
Display Name | To App (Phrase) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ProdAuthenticationAuthenticationToAppPhrase | maltego.splunk.Authentication | Returns the value of the calculated field ‘app’ as a Phrase entity
ProdNetworkTrafficAllTrafficToAppPhrase | maltego.splunk.AllTraffic | Returns the value of the field ‘app’ as a Phrase entity

To SrcUser (Alias) [Splunk]

Transform Meta Info

Information | Value
Display Name | To SrcUser (Alias) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Output Entities | Alias

Variants

Transform Name | Input Entities | Short Description
ProdAuthenticationAuthenticationToSrcUserAlias | maltego.splunk.Authentication | Returns the value of the calculated field ‘src_user’ as an Alias entity
ProdMalwareMalwareAttacksToSrcUserAlias | maltego.splunk.MalwareAttacks | Returns the value of the field ‘src_user’ as an Alias entity

To DestTranslatedIp (IPv4Address) [Splunk]

Description

Returns the value of the field ‘dest_translated_ip’ as an IPv4Address entity

Transform Meta Info

Information | Value
Display Name | To DestTranslatedIp (IPv4Address) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdNetworkTrafficAllTrafficToDestTranslatedIpIPv4Address
Input Entities | maltego.splunk.AllTraffic
Output Entities | IPv4Address
Short Description | Returns the value of the field ‘dest_translated_ip’ as an IPv4Address entity

To DestTranslatedIp (IPv6Address) [Splunk]

Description

Returns the value of the field ‘dest_translated_ip’ as an IPv6Address entity

Transform Meta Info

Information | Value
Display Name | To DestTranslatedIp (IPv6Address) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdNetworkTrafficAllTrafficToDestTranslatedIpIPv6Address
Input Entities | maltego.splunk.AllTraffic
Output Entities | IPv6Address
Short Description | Returns the value of the field ‘dest_translated_ip’ as an IPv6Address entity

To DvcIp (IPv4Address) [Splunk]

Description

Returns the value of the field ‘dvc_ip’ as an IPv4Address entity

Transform Meta Info

Information | Value
Display Name | To DvcIp (IPv4Address) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdNetworkTrafficAllTrafficToDvcIpIPv4Address
Input Entities | maltego.splunk.AllTraffic
Output Entities | IPv4Address
Short Description | Returns the value of the field ‘dvc_ip’ as an IPv4Address entity

To DvcIp (IPv6Address) [Splunk]

Description

Returns the value of the field ‘dvc_ip’ as an IPv6Address entity

Transform Meta Info

Information | Value
Display Name | To DvcIp (IPv6Address) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdNetworkTrafficAllTrafficToDvcIpIPv6Address
Input Entities | maltego.splunk.AllTraffic
Output Entities | IPv6Address
Short Description | Returns the value of the field ‘dvc_ip’ as an IPv6Address entity

To SrcTranslatedIp (IPv4Address) [Splunk]

Description

Returns the value of the field ‘src_translated_ip’ as an IPv4Address entity

Transform Meta Info

Information | Value
Display Name | To SrcTranslatedIp (IPv4Address) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdNetworkTrafficAllTrafficToSrcTranslatedIpIPv4Address
Input Entities | maltego.splunk.AllTraffic
Output Entities | IPv4Address
Short Description | Returns the value of the field ‘src_translated_ip’ as an IPv4Address entity

To SrcTranslatedIp (IPv6Address) [Splunk]

Description

Returns the value of the field ‘src_translated_ip’ as an IPv6Address entity

Transform Meta Info

Information | Value
Display Name | To SrcTranslatedIp (IPv6Address) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdNetworkTrafficAllTrafficToSrcTranslatedIpIPv6Address
Input Entities | maltego.splunk.AllTraffic
Output Entities | IPv6Address
Short Description | Returns the value of the field ‘src_translated_ip’ as an IPv6Address entity

To Ssid (Phrase) [Splunk]

Description

Returns the value of the field ‘ssid’ as a Phrase entity

Transform Meta Info

Information | Value
Display Name | To Ssid (Phrase) [Splunk]
Owner | Maltego Technologies GmbH
Author | tm@maltego.com
Data Source | Splunk
Transform Name | ProdNetworkTrafficAllTrafficToSsidPhrase
Input Entities | maltego.splunk.AllTraffic
Output Entities | Phrase
Short Description | Returns the value of the field ‘ssid’ as a Phrase entity
