
Splunk Enterprise Security

Modified on: Thu, 21 Jul, 2022 at 11:57 AM

Overview

Splunk is a software platform used for monitoring, searching, analyzing, and visualizing machine-generated log data in real time. Splunk provides insights into technology infrastructure, security systems, and various business applications that help drive operational performance and business results.


Splunk ES was developed to help make sense of machine-generated log data, and has become a popular choice among Security Information and Event Management (SIEM) solutions for many organizations worldwide. It is primarily used for searching, monitoring, and examining Big Data through a web-style interface.


The Splunk Enterprise integration for Maltego combines the full advantage of the Splunk Common Information Model (CIM) with the investigative capabilities of link analysis.


Using Splunk, SOC teams, cyber security analysts, and threat analysts alike can easily query the following CIM data models:

  • Authentication
  • Endpoint
  • Malware
  • Network Resolution
  • Network Sessions
  • Network Traffic
  • Vulnerabilities


Investigators can also run raw searches using Splunk’s Search Processing Language (SPL) to retrieve other events that are not yet part of the data models.


Be sure to read our blog post, SIEM-plifying Investigations with Splunk and Maltego, to learn more about how to leverage Splunk data and to explore a use case showing how the Splunk Enterprise Security Transforms query the Authentication data model, allowing you to retrieve information from authentication sources such as Active Directory (AD) directly in Maltego.


You can read more about the Splunk integration on the Hub item detail page on our website.


Installation Guidelines

For customers with an internet-facing Splunk instance, simply install the Hub item and enter your details. For customers without an internet-facing Splunk instance, email support@maltego.com or reach out to us using the contact form on this page.


If you are a Maltego Pro user and are interested in learning how to integrate Splunk Enterprise into Maltego within your organization, email us at support@maltego.com. Our integration experts are happy to discuss your needs and support the integration process!


Configuration Requirements

To enable the Maltego Splunk Enterprise Security Transforms to work, the Splunk Administrator must configure the following:


Common Information Model

  1. Enable the Common Information Model. Please refer to the Splunk User Setup - Common Information Model Add-on Documentation.


Authentication

The default Splunk ES role ESS_USER will be able to access the Transforms. The ideal authentication setup is as follows:

  1. Create a custom user with the ess_user role, which allows the Splunk REST API to be used to search data. Please refer to the Splunk Admin Management Documentation.
  2. The Transforms can authenticate using either a username and password or a security token. Either can be created for authentication; please ensure that one of them is enabled should it be missing.
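The script below is an added example, not code from Maltego or Splunk. It shows the two authentication options just listed against the Splunk REST API, checks that the identity the Transforms will run as actually carries the ess_user role before any search is issued, and builds the kind of CIM data-model search the "Get All Sessions Events by src_ip / dest_ip / user" Transforms later on this page perform, validating and quoting the input Entity value so it cannot alter the SPL. The host, port, credentials, sample context document and the exact SPL are assumptions; the real Transforms' SPL is not on the page.

```python
import ipaddress
import json
import ssl
import urllib.parse
import urllib.request

# Constructed placeholders (assumed, not from the page). 8089 is the Splunk
# management/REST port, not the 8000 web UI port.
SPLUNK_BASE_URL = "https://splunk.example.internal:8089"
REQUIRED_ROLE = "ess_user"  # role the page says the Transforms rely on

# CIM Network Sessions data model, root dataset All_Sessions. These are the
# fields the "Get All Sessions Events by ..." Transforms filter on, with the
# validation each input Entity must pass before it is placed into SPL.
SESSION_FIELDS = {
    "src_ip": "ip",   # input IPv4Address / IPv6Address Entity
    "dest_ip": "ip",  # input IPv4Address / IPv6Address Entity
    "user": "text",   # input Alias Entity
}


def auth_header(token=None, session_key=None):
    """Authorization header for either option on the page: a pre-issued
    Splunk authentication token (bearer) or a session key from /auth/login."""
    if token:
        return {"Authorization": "Bearer " + token}
    if session_key:
        return {"Authorization": "Splunk " + session_key}
    raise ValueError("either a token or a username/password session is required")


def splunk_login(username, password, base_url=SPLUNK_BASE_URL, ctx=None):
    """Username/password option: exchange the credentials for a session key.
    TLS verification stays on (default context); do not disable it for a SIEM."""
    body = urllib.parse.urlencode(
        {"username": username, "password": password, "output_mode": "json"}
    ).encode()
    req = urllib.request.Request(base_url + "/services/auth/login", data=body)
    with urllib.request.urlopen(req, context=ctx or ssl.create_default_context()) as r:
        return json.load(r)["sessionKey"]


def has_required_role(context_doc, role=REQUIRED_ROLE):
    """Least-privilege check on the JSON returned by
    GET /services/authentication/current-context: confirm the identity the
    Transforms run as carries the expected role (and lets you spot an
    over-privileged service account before it is wired into Maltego)."""
    roles = context_doc["entry"][0]["content"].get("roles", [])
    return role in roles


def spl_quote(value):
    """Escape a value for a double-quoted SPL string literal so an Entity
    value such as  x" OR *  cannot widen the search."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_sessions_search(field, value):
    """SPL for 'AllSessions events where <field> equals the input Entity'.
    Data model and dataset names are the CIM's; the SPL shape is assumed."""
    kind = SESSION_FIELDS.get(field)
    if kind is None:
        raise ValueError("unsupported All_Sessions field: " + field)
    if kind == "ip":
        # Raises ValueError for anything that is not a single IPv4/IPv6 address.
        value = str(ipaddress.ip_address(value))
    return (
        "| datamodel Network_Sessions All_Sessions search "
        "| search All_Sessions.%s=%s" % (field, spl_quote(value))
    )


def oneshot_search(headers, spl, earliest="-24h", latest="now",
                   base_url=SPLUNK_BASE_URL, ctx=None):
    """Run the search as a oneshot job. The Transforms' Date Range setting
    corresponds to the earliest_time/latest_time job parameters here."""
    body = urllib.parse.urlencode(
        {"search": spl, "exec_mode": "oneshot", "output_mode": "json",
         "earliest_time": earliest, "latest_time": latest}
    ).encode()
    req = urllib.request.Request(base_url + "/services/search/jobs",
                                 data=body, headers=headers)
    with urllib.request.urlopen(req, context=ctx or ssl.create_default_context()) as r:
        return json.load(r).get("results", [])


if __name__ == "__main__":
    # Constructed sample of a current-context document, checked offline.
    sample_context = {"entry": [{"content": {"username": "maltego_svc",
                                             "roles": ["ess_user"]}}]}
    print("role ok:", has_required_role(sample_context))
    print(build_sessions_search("src_ip", "10.0.0.5"))
```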


Troubleshooting

If you experience failures accessing the Transforms, please check that the following READ permissions are present.


Set the READ permissions for the following objects:

  1. Apps
  2. Custom Search Commands
  3. Search Scripts


Should you require additional support, please refer to the Splunk Object Permission Settings Documentation.


Pricing and Access

The Splunk Enterprise Security Transforms are only available to Enterprise plan users with a Maltego commercial license (One, Classic, XL).


If you are interested in learning how we can help you achieve this integration within your organization, please reach out to us.


Splunk Enterprise Security Transforms

To Action (Phrase)

Description

Returns the value of the field ‘action’ as a Phrase Entity


Transform Meta Info

Information Value
Display Name To Action (Phrase)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘action’ as a Phrase Entity

Variants

Transform Name Input Entities
networksessionsallsessionstoactionphrase maltego.splunk.AllSessions
endpointprocessestoactionphrase maltego.splunk.Processes
endpointfilesystemtoactionphrase maltego.splunk.Filesystem
endpointregistrytoactionphrase maltego.splunk.Registry
authenticationtoactionphrase maltego.splunk.Authentication
networktrafficalltraffictoactionphrase maltego.splunk.AllTraffic
malwaremalwareattackstoactionphrase maltego.splunk.MalwareAttacks

To Signature (Phrase)

Description

Returns the value of the field ‘signature’ as a Phrase Entity


Transform Meta Info

Information Value
Display Name To Signature (Phrase)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘signature’ as a Phrase Entity

Variants

Transform Name Input Entities
networksessionsallsessionstosignaturephrase maltego.splunk.AllSessions
vulnerabilitiestosignaturephrase maltego.splunk.Vulnerabilities
authenticationtosignaturephrase maltego.splunk.Authentication
malwaremalwareattackstosignaturephrase maltego.splunk.MalwareAttacks

To SrcIp (IPv4Address)

Description

Returns the value of the field ‘src_ip’ as an IPv4Address Entity


Transform Meta Info

Information Value
Display Name To SrcIp (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘src_ip’ as an IPv4Address Entity

Variants

Transform Name Input Entities
networksessionsallsessionstosrcipipv4address maltego.splunk.AllSessions
networktrafficalltraffictosrcipipv4address maltego.splunk.AllTraffic

To SrcIp (IPv6Address)

Description

Returns the value of the field ‘src_ip’ as an IPv6Address Entity


Transform Meta Info

Information Value
Display Name To SrcIp (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘src_ip’ as an IPv6Address Entity

Variants

Transform Name Input Entities
networksessionsallsessionstosrcipipv6address maltego.splunk.AllSessions
networktrafficalltraffictosrcipipv6address maltego.splunk.AllTraffic

To SrcNtHost (Domain)

Description

Returns the value of the field ‘src_nt_host’ as a Domain Entity


Transform Meta Info

Information Value
Display Name To SrcNtHost (Domain)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networksessionsallsessionstosrcnthostdomain
Input Entities maltego.splunk.AllSessions
Output Entities Phrase
Short Description Returns the value of the field ‘src_nt_host’ as a Domain Entity

To DestIp (IPv4Address)

Description

Returns the value of the field ‘dest_ip’ as an IPv4Address Entity


Transform Meta Info

Information Value
Display Name To DestIp (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘dest_ip’ as an IPv4Address Entity

Variants

Transform Name Input Entities
networksessionsallsessionstodestipipv4address maltego.splunk.AllSessions
networktrafficalltraffictodestipipv4address maltego.splunk.AllTraffic

To DestIp (IPv6Address)

Description

Returns the value of the field ‘dest_ip’ as an IPv6Address Entity


Transform Meta Info

Information Value
Display Name To DestIp (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘dest_ip’ as an IPv6Address Entity

Variants

Transform Name Input Entities
networksessionsallsessionstodestipipv6address maltego.splunk.AllSessions
networktrafficalltraffictodestipipv6address maltego.splunk.AllTraffic

To DestNtHost (Domain)

Description

Returns the value of the field ‘dest_nt_host’ as a Domain Entity


Transform Meta Info

Information Value
Display Name To DestNtHost (Domain)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networksessionsallsessionstodestnthostdomain
Input Entities maltego.splunk.AllSessions
Output Entities Phrase
Short Description Returns the value of the field ‘dest_nt_host’ as a Domain Entity

To User (Alias)

Description

Returns the value of the field ‘user’ as an Alias Entity


Transform Meta Info

Information Value
Display Name To User (Alias)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘user’ as an Alias Entity

Variants

Transform Name Input Entities
networksessionsallsessionstouseralias maltego.splunk.AllSessions
endpointportstouseralias maltego.splunk.Ports
endpointprocessestouseralias maltego.splunk.Processes
endpointservicestouseralias maltego.splunk.Services
endpointfilesystemtouseralias maltego.splunk.Filesystem
endpointregistrytouseralias maltego.splunk.Registry
vulnerabilitiestouseralias maltego.splunk.Vulnerabilities
authenticationtouseralias maltego.splunk.Authentication
networktrafficalltraffictouseralias maltego.splunk.AllTraffic
malwaremalwareattackstouseralias maltego.splunk.MalwareAttacks

To Src (IPv4Address)

Description

Returns the value of the field ‘src’ as an IPv4Address Entity


Transform Meta Info

Information Value
Display Name To Src (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘src’ as an IPv4Address Entity

Variants

Transform Name Input Entities
networkresolutiondnstosrcipv4address maltego.splunk.Dns
endpointportstosrcipv4address maltego.splunk.Ports
authenticationtosrcipv4address maltego.splunk.Authentication
networktrafficalltraffictosrcipv4address maltego.splunk.AllTraffic
malwaremalwareattackstosrcipv4address maltego.splunk.MalwareAttacks

To Src (IPv6Address)

Description

Returns the value of the field ‘src’ as an IPv6Address Entity


Transform Meta Info

Information Value
Display Name To Src (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘src’ as an IPv6Address Entity

Variants

Transform Name Input Entities
networkresolutiondnstosrcipv6address maltego.splunk.Dns
endpointportstosrcipv6address maltego.splunk.Ports
authenticationtosrcipv6address maltego.splunk.Authentication
networktrafficalltraffictosrcipv6address maltego.splunk.AllTraffic
malwaremalwareattackstosrcipv6address maltego.splunk.MalwareAttacks

To Dest (IPv4Address)

Description

Returns the value of the field ‘dest’ as an IPv4Address Entity


Transform Meta Info

Information Value
Display Name To Dest (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘dest’ as an IPv4Address Entity

Variants

Transform Name Input Entities
networkresolutiondnstodestipv4address maltego.splunk.Dns
endpointportstodestipv4address maltego.splunk.Ports
endpointprocessestodestipv4address maltego.splunk.Processes
endpointservicestodestipv4address maltego.splunk.Services
endpointfilesystemtodestipv4address maltego.splunk.Filesystem
endpointregistrytodestipv4address maltego.splunk.Registry
vulnerabilitiestodestipv4address maltego.splunk.Vulnerabilities
authenticationtodestipv4address maltego.splunk.Authentication
networktrafficalltraffictodestipv4address maltego.splunk.AllTraffic
malwaremalwareattackstodestipv4address maltego.splunk.MalwareAttacks
malwaremalwareoperationstodestipv4address maltego.splunk.MalwareOperations

To Dest (IPv6Address)

Description

Returns the value of the field ‘dest’ as an IPv6Address Entity


Transform Meta Info

Information Value
Display Name To Dest (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘dest’ as an IPv6Address Entity

Variants

Transform Name Input Entities
networkresolutiondnstodestipv6address maltego.splunk.Dns
endpointportstodestipv6address maltego.splunk.Ports
endpointprocessestodestipv6address maltego.splunk.Processes
endpointservicestodestipv6address maltego.splunk.Services
endpointfilesystemtodestipv6address maltego.splunk.Filesystem
endpointregistrytodestipv6address maltego.splunk.Registry
vulnerabilitiestodestipv6address maltego.splunk.Vulnerabilities
authenticationtodestipv6address maltego.splunk.Authentication
networktrafficalltraffictodestipv6address maltego.splunk.AllTraffic
malwaremalwareattackstodestipv6address maltego.splunk.MalwareAttacks
malwaremalwareoperationstodestipv6address maltego.splunk.MalwareOperations

To ProcessHash (Hash)

Description

Returns the value of the field ‘process_hash’ as a Hash Entity


Transform Meta Info

Information Value
Display Name To ProcessHash (Hash)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name endpointprocessestoprocesshashhash
Input Entities maltego.splunk.Processes
Output Entities Phrase
Short Description Returns the value of the field ‘process_hash’ as a Hash Entity

To UserId (Alias)

Description

Returns the value of the field ‘user_id’ as an Alias Entity


Transform Meta Info

Information Value
Display Name To UserId (Alias)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘user_id’ as an Alias Entity

Variants

Transform Name Input Entities
endpointprocessestouseridalias maltego.splunk.Processes
authenticationtouseridalias maltego.splunk.Authentication

To Description (Phrase)

Description

Returns the value of the field ‘description’ as a Phrase Entity


Transform Meta Info

Information Value
Display Name To Description (Phrase)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name endpointservicestodescriptionphrase
Input Entities maltego.splunk.Services
Output Entities Phrase
Short Description Returns the value of the field ‘description’ as a Phrase Entity

To ServiceDllHash (Hash)

Description

Returns the value of the field ‘service_dll_hash’ as a Hash Entity


Transform Meta Info

Information Value
Display Name To ServiceDllHash (Hash)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name endpointservicestoservicedllhashhash
Input Entities maltego.splunk.Services
Output Entities Phrase
Short Description Returns the value of the field ‘service_dll_hash’ as a Hash Entity

To ServiceHash (Hash)

Description

Returns the value of the field ‘service_hash’ as a Hash Entity


Transform Meta Info

Information Value
Display Name To ServiceHash (Hash)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name endpointservicestoservicehashhash
Input Entities maltego.splunk.Services
Output Entities Phrase
Short Description Returns the value of the field ‘service_hash’ as a Hash Entity

To FileHash (Hash)

Description

Returns the value of the field ‘file_hash’ as a Hash Entity


Transform Meta Info

Information Value
Display Name To FileHash (Hash)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘file_hash’ as a Hash Entity

Variants

Transform Name Input Entities
endpointfilesystemtofilehashhash maltego.splunk.Filesystem
malwaremalwareattackstofilehashhash maltego.splunk.MalwareAttacks

To FileName (Phrase)

Description

Returns the value of the field ‘file_name’ as a Phrase Entity


Transform Meta Info

Information Value
Display Name To FileName (Phrase)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘file_name’ as a Phrase Entity

Variants

Transform Name Input Entities
endpointfilesystemtofilenamephrase maltego.splunk.Filesystem
malwaremalwareattackstofilenamephrase maltego.splunk.MalwareAttacks

To Url (URL)

Description

Returns the value of the field ‘url’ as a URL Entity


Transform Meta Info

Information Value
Display Name To Url (URL)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘url’ as a URL Entity

Variants

Transform Name Input Entities
vulnerabilitiestourlurl maltego.splunk.Vulnerabilities
malwaremalwareattackstourlurl maltego.splunk.MalwareAttacks

To Cve (CVE)

Description

Returns the value of the field ‘cve’ as a CVE Entity


Transform Meta Info

Information Value
Display Name To Cve (CVE)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name vulnerabilitiestocvecve
Input Entities maltego.splunk.Vulnerabilities
Output Entities Phrase
Short Description Returns the value of the field ‘cve’ as a CVE Entity

To Dvc (Alias)

Description

Returns the value of the field ‘dvc’ as an Alias Entity


Transform Meta Info

Information Value
Display Name To Dvc (Alias)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘dvc’ as an Alias Entity

Variants

Transform Name Input Entities
vulnerabilitiestodvcalias maltego.splunk.Vulnerabilities
networktrafficalltraffictodvcalias maltego.splunk.AllTraffic

To DestNtDomain (Domain)

Description

Returns the value of the field ‘dest_nt_domain’ as a Domain Entity


Transform Meta Info

Information Value
Display Name To DestNtDomain (Domain)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘dest_nt_domain’ as a Domain Entity

Variants

Transform Name Input Entities
authenticationtodestntdomaindomain maltego.splunk.Authentication
malwaremalwareattackstodestntdomaindomain maltego.splunk.MalwareAttacks
malwaremalwareoperationstodestntdomaindomain maltego.splunk.MalwareOperations

To SrcNtDomain (Domain)

Description

Returns the value of the field ‘src_nt_domain’ as a Domain Entity


Transform Meta Info

Information Value
Display Name To SrcNtDomain (Domain)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name authenticationtosrcntdomaindomain
Input Entities maltego.splunk.Authentication
Output Entities Phrase
Short Description Returns the value of the field ‘src_nt_domain’ as a Domain Entity

To SrcUserId (Alias)

Description

Returns the value of the field ‘src_user_id’ as an Alias Entity


Transform Meta Info

Information Value
Display Name To SrcUserId (Alias)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name authenticationtosrcuseridalias
Input Entities maltego.splunk.Authentication
Output Entities Phrase
Short Description Returns the value of the field ‘src_user_id’ as an Alias Entity

To App (Phrase)

Description

Returns the value of the field ‘app’ as a Phrase Entity


Transform Meta Info

Information Value
Display Name To App (Phrase)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘app’ as a Phrase Entity

Variants

Transform Name Input Entities
authenticationtoappphrase maltego.splunk.Authentication
networktrafficalltraffictoappphrase maltego.splunk.AllTraffic

To SrcUser (Alias)

Description

Returns the value of the field ‘src_user’ as an Alias Entity


Transform Meta Info

Information Value
Display Name To SrcUser (Alias)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns the value of the field ‘src_user’ as an Alias Entity

Variants

Transform Name Input Entities
authenticationtosrcuseralias maltego.splunk.Authentication
malwaremalwareattackstosrcuseralias maltego.splunk.MalwareAttacks

To DestTranslatedIp (IPv4Address)

Description

Returns the value of the field ‘dest_translated_ip’ as an IPv4Address Entity


Transform Meta Info

Information Value
Display Name To DestTranslatedIp (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictodesttranslatedipipv4address
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘dest_translated_ip’ as an IPv4Address Entity

To DestTranslatedIp (IPv6Address)

Description

Returns the value of the field ‘dest_translated_ip’ as an IPv6Address Entity


Transform Meta Info

Information Value
Display Name To DestTranslatedIp (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictodesttranslatedipipv6address
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘dest_translated_ip’ as an IPv6Address Entity

To DvcIp (IPv4Address)

Description

Returns the value of the field ‘dvc_ip’ as an IPv4Address Entity


Transform Meta Info

Information Value
Display Name To DvcIp (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictodvcipipv4address
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘dvc_ip’ as an IPv4Address Entity

To DvcIp (IPv6Address)

Description

Returns the value of the field ‘dvc_ip’ as an IPv6Address Entity


Transform Meta Info

Information Value
Display Name To DvcIp (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictodvcipipv6address
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘dvc_ip’ as an IPv6Address Entity

To SrcTranslatedIp (IPv4Address)

Description

Returns the value of the field ‘src_translated_ip’ as an IPv4Address Entity


Transform Meta Info

Information Value
Display Name To SrcTranslatedIp (IPv4Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictosrctranslatedipipv4address
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘src_translated_ip’ as an IPv4Address Entity

To SrcTranslatedIp (IPv6Address)

Description

Returns the value of the field ‘src_translated_ip’ as an IPv6Address Entity


Transform Meta Info

Information Value
Display Name To SrcTranslatedIp (IPv6Address)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictosrctranslatedipipv6address
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘src_translated_ip’ as an IPv6Address Entity

To Ssid (Phrase)

Description

Returns the value of the field ‘ssid’ as a Phrase Entity


Transform Meta Info

Information Value
Display Name To Ssid (Phrase)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name networktrafficalltraffictossidphrase
Input Entities maltego.splunk.AllTraffic
Output Entities Phrase
Short Description Returns the value of the field ‘ssid’ as a Phrase Entity

To Time (DateTime)

Description

Returns the value of the field ‘_time’ as a DateTime Entity


Transform Meta Info

Information Value
Display Name To Time (DateTime)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name malwaremalwareoperationstotimedatetime
Input Entities maltego.splunk.MalwareOperations
Output Entities Phrase
Short Description Returns the value of the field ‘_time’ as a DateTime Entity

To All Interesting Fields

Description

Extracts interesting fields from the incoming Entity properties


Transform Meta Info

Information Value
Display Name To All Interesting Fields
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Transform Name baseeventtointerestingfield
Input Entities maltego.splunk.BaseEvent
Output Entities Phrase
Short Description Extracts interesting fields from the incoming Entity properties

Get All Sessions Events by src_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range | daterange |  | False | false | false
Host | string |  | False | false | false
Password | string |  | False | false | false
Port | int |  | False | false | false
Token | string |  | False | false | false
Username | string |  | False | false | false

Transform Meta Info

Information Value
Display Name Get All Sessions Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name | Input Entities | Short Description
ipv4addresstonetworksessionsallsessionsusingsrcip | maltego.IPv4Address | This Transform returns AllSessions events where the field ‘SrcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ipv6addresstonetworksessionsallsessionsusingsrcip | maltego.IPv6Address | This Transform returns AllSessions events where the field ‘SrcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get All Sessions Events by dest_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range | daterange |  | False | false | false
Host | string |  | False | false | false
Password | string |  | False | false | false
Port | int |  | False | false | false
Token | string |  | False | false | false
Username | string |  | False | false | false

Transform Meta Info

Information Value
Display Name Get All Sessions Events by dest_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name | Input Entities | Short Description
ipv4addresstonetworksessionsallsessionsusingdestip | maltego.IPv4Address | This Transform returns AllSessions events where the field ‘DestIp’ is equal to the value of the input IPv4Address. The CIM defines the field name DestIp as ‘The internal IP address allocated to the client initializing a network session. For DHCP and VPN events this is the IP address leased to the client.’
ipv6addresstonetworksessionsallsessionsusingdestip | maltego.IPv6Address | This Transform returns AllSessions events where the field ‘DestIp’ is equal to the value of the input IPv6Address. The CIM defines the field name DestIp as ‘The internal IP address allocated to the client initializing a network session. For DHCP and VPN events this is the IP address leased to the client.’

Get All Sessions Events by user [Splunk]

Description

This Transform returns AllSessions events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user in a network session event where applicable. For example a VPN session or an authenticated DHCP event.’


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range | daterange |  | False | false | false
Host | string |  | False | false | false
Password | string |  | False | false | false
Port | int |  | False | false | false
Token | string |  | False | false | false
Username | string |  | False | false | false

Transform Meta Info

Information Value
Display Name Get All Sessions Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastonetworksessionsallsessionsusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns AllSessions events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user in a network session event where applicable. For example a VPN session or an authenticated DHCP event.’

Get Session Start Events by src_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range | daterange |  | False | false | false
Host | string |  | False | false | false
Password | string |  | False | false | false
Port | int |  | False | false | false
Token | string |  | False | false | false
Username | string |  | False | false | false

Transform Meta Info

Information Value
Display Name Get Session Start Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name | Input Entities | Short Description
ipv4addresstonetworksessionssessionstartusingsrcip | maltego.IPv4Address | This Transform returns SessionStart events where the field ‘SrcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ipv6addresstonetworksessionssessionstartusingsrcip | maltego.IPv6Address | This Transform returns SessionStart events where the field ‘SrcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get Session End Events by src_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range | daterange |  | False | false | false
Host | string |  | False | false | false
Password | string |  | False | false | false
Port | int |  | False | false | false
Token | string |  | False | false | false
Username | string |  | False | false | false

Transform Meta Info

Information Value
Display Name Get Session End Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name | Input Entities | Short Description
ipv4addresstonetworksessionssessionendusingsrcip | maltego.IPv4Address | This Transform returns SessionEnd events where the field ‘SrcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ipv6addresstonetworksessionssessionendusingsrcip | maltego.IPv6Address | This Transform returns SessionEnd events where the field ‘SrcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get Dhcp Events by src_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range | daterange |  | False | false | false
Host | string |  | False | false | false
Password | string |  | False | false | false
Port | int |  | False | false | false
Token | string |  | False | false | false
Username | string |  | False | false | false

Transform Meta Info

Information Value
Display Name Get Dhcp Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name | Input Entities | Short Description
ipv4addresstonetworksessionsdhcpusingsrcip | maltego.IPv4Address | This Transform returns DHCP events where the field ‘SrcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ipv6addresstonetworksessionsdhcpusingsrcip | maltego.IPv6Address | This Transform returns DHCP events where the field ‘SrcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get Vpn Events by src_ip [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range | daterange |  | False | false | false
Host | string |  | False | false | false
Password | string |  | False | false | false
Port | int |  | False | false | false
Token | string |  | False | false | false
Username | string |  | False | false | false

Transform Meta Info

Information Value
Display Name Get Vpn Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworksessionsvpnusingsrcip maltego.IPv4Address This Transform returns VPN events where the field ‘SrcIp’ is equal to the value of the input IPv4Address.The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’
ipv6addresstonetworksessionsvpnusingsrcip maltego.IPv6Address This Transform returns VPN events where the field ‘SrcIp’ is equal to the value of the input IPv6Address.The CIM defines the field name SrcIp as ‘The IP address of the client initializing a network session. Not applicable for DHCP events.’

Get Dns Events by src [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information     | Value
Display Name    | Get Dns Events by src [Splunk]
Owner           | Maltego Technologies GmbH
Author          | dev@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ipv4addresstonetworkresolutiondnsusingsrc | maltego.IPv4Address | This Transform returns DNS events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The source of the network resolution event. You can alias this from more specific fields such as src_host, src_ip, or src_name.’
ipv6addresstonetworkresolutiondnsusingsrc | maltego.IPv6Address | This Transform returns DNS events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The source of the network resolution event. You can alias this from more specific fields such as src_host, src_ip, or src_name.’

Get Ports Events by src [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information     | Value
Display Name    | Get Ports Events by src [Splunk]
Owner           | Maltego Technologies GmbH
Author          | dev@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ipv4addresstoendpointportsusingsrc | maltego.IPv4Address | This Transform returns Ports events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The remote system connected to the listening port (if applicable).’
ipv6addresstoendpointportsusingsrc | maltego.IPv6Address | This Transform returns Ports events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The remote system connected to the listening port (if applicable).’

Get Ports Events by user [Splunk]

Description

This Transform returns Ports events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the listening port.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Ports Events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastoendpointportsusinguser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Ports events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the listening port.’

Get Processes Events by user_id [Splunk]

Description

This Transform returns Processes events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique identifier of the user account which spawned the process.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Processes Events by user_id [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastoendpointprocessesusinguserid
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Processes events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique identifier of the user account which spawned the process.’

Get Processes Events by user [Splunk]

Description

This Transform returns Processes events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account which spawned the process.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Processes Events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastoendpointprocessesusinguser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Processes events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account which spawned the process.’

Get Processes Events by process_hash [Splunk]

Description

This Transform returns Processes events where the field ‘ProcessHash’ is equal to the value of the input Hash. The CIM defines the field name ProcessHash as ‘The digest(s) of the parent process such as etc.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Processes Events by process_hash [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | hashtoendpointprocessesusingprocesshash
Input Entities    | maltego.Hash
Output Entities   | Phrase
Short Description | This Transform returns Processes events where the field ‘ProcessHash’ is equal to the value of the input Hash. The CIM defines the field name ProcessHash as ‘The digest(s) of the parent process such as etc.’

Get Services Events by user [Splunk]

Description

This Transform returns Services events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the service.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Services Events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastoendpointservicesusinguser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Services events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the service.’

Get Services Events by service_dll_hash [Splunk]

Description

This Transform returns Services events where the field ‘ServiceDllHash’ is equal to the value of the input Hash. The CIM defines the field name ServiceDllHash as ‘The digest(s) of the dynamic link library associated with the service such as etc.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Services Events by service_dll_hash [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | hashtoendpointservicesusingservicedllhash
Input Entities    | maltego.Hash
Output Entities   | Phrase
Short Description | This Transform returns Services events where the field ‘ServiceDllHash’ is equal to the value of the input Hash. The CIM defines the field name ServiceDllHash as ‘The digest(s) of the dynamic link library associated with the service such as etc.’

Get Services Events by service_hash [Splunk]

Description

This Transform returns Services events where the field ‘ServiceHash’ is equal to the value of the input Hash. The CIM defines the field name ServiceHash as ‘The digest(s) of the service such as etc.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Services Events by service_hash [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | hashtoendpointservicesusingservicehash
Input Entities    | maltego.Hash
Output Entities   | Phrase
Short Description | This Transform returns Services events where the field ‘ServiceHash’ is equal to the value of the input Hash. The CIM defines the field name ServiceHash as ‘The digest(s) of the service such as etc.’

Get Filesystem Events by user [Splunk]

Description

This Transform returns Filesystem events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the filesystem access.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Filesystem Events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastoendpointfilesystemusinguser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Filesystem events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the filesystem access.’

Get Filesystem Events by file_hash [Splunk]

Description

This Transform returns Filesystem events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘A cryptographic identifier assigned to the file object affected by the event.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Filesystem Events by file_hash [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | hashtoendpointfilesystemusingfilehash
Input Entities    | maltego.Hash
Output Entities   | Phrase
Short Description | This Transform returns Filesystem events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘A cryptographic identifier assigned to the file object affected by the event.’

Get Registry Events by user [Splunk]

Description

This Transform returns Registry events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the registry access.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Registry Events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastoendpointregistryusinguser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Registry events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user account associated with the registry access.’

Get Vulnerabilities Events by user [Splunk]

Description

This Transform returns Vulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Vulnerabilities Events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastovulnerabilitiesusinguser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Vulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’

Get Vulnerabilities Events by dvc [Splunk]

Description

This Transform returns Vulnerabilities events where the field ‘Dvc’ is equal to the value of the input Alias. The CIM defines the field name Dvc as ‘The system that discovered the vulnerability. You can alias this from more specific fields such as dvc_host, dvc_ip, or dvc_name.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Vulnerabilities Events by dvc [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastovulnerabilitiesusingdvc
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Vulnerabilities events where the field ‘Dvc’ is equal to the value of the input Alias. The CIM defines the field name Dvc as ‘The system that discovered the vulnerability. You can alias this from more specific fields such as dvc_host, dvc_ip, or dvc_name.’

Get Vulnerabilities Events by url [Splunk]

Description

This Transform returns Vulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Vulnerabilities Events by url [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | urltovulnerabilitiesusingurl
Input Entities    | maltego.URL
Output Entities   | Phrase
Short Description | This Transform returns Vulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’

Get High Critical Vulnerabilities Events by user [Splunk]

Description

This Transform returns HighCriticalVulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get High Critical Vulnerabilities Events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastovulnerabilitieshighcriticalvulnerabilitiesusinguser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns HighCriticalVulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’

Get High Critical Vulnerabilities Events by url [Splunk]

Description

This Transform returns HighCriticalVulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get High Critical Vulnerabilities Events by url [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | urltovulnerabilitieshighcriticalvulnerabilitiesusingurl
Input Entities    | maltego.URL
Output Entities   | Phrase
Short Description | This Transform returns HighCriticalVulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’

Get Medium Vulnerabilities Events by user [Splunk]

Description

This Transform returns MediumVulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Medium Vulnerabilities Events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastovulnerabilitiesmediumvulnerabilitiesusinguser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns MediumVulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’

Get Medium Vulnerabilities Events by url [Splunk]

Description

This Transform returns MediumVulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Medium Vulnerabilities Events by url [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | urltovulnerabilitiesmediumvulnerabilitiesusingurl
Input Entities    | maltego.URL
Output Entities   | Phrase
Short Description | This Transform returns MediumVulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’

Get Low Informational Vulnerabilities Events by user [Splunk]

Description

This Transform returns LowInformationalVulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Low Informational Vulnerabilities Events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastovulnerabilitieslowinformationalvulnerabilitiesusinguser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns LowInformationalVulnerabilities events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the discovered vulnerability.’

Get Low Informational Vulnerabilities Events by url [Splunk]

Description

This Transform returns LowInformationalVulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Low Informational Vulnerabilities Events by url [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | urltovulnerabilitieslowinformationalvulnerabilitiesusingurl
Input Entities    | maltego.URL
Output Entities   | Phrase
Short Description | This Transform returns LowInformationalVulnerabilities events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘The URL involved in the discovered vulnerability.’

Get Authentication Events by src [Splunk]

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information     | Value
Display Name    | Get Authentication Events by src [Splunk]
Owner           | Maltego Technologies GmbH
Author          | dev@maltego.com
Data Source     | Splunk
Output Entities | Phrase

Variants

Transform Name | Input Entities | Short Description
ipv4addresstoauthenticationusingsrc | maltego.IPv4Address | This Transform returns Authentication events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The source involved in the authentication. In the case of endpoint protection authentication, the src is the client. You can alias this from more specific fields such as src_host, src_ip, or src_nt_host.’
ipv6addresstoauthenticationusingsrc | maltego.IPv6Address | This Transform returns Authentication events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The source involved in the authentication. In the case of endpoint protection authentication, the src is the client. You can alias this from more specific fields such as src_host, src_ip, or src_nt_host.’

Get Authentication Events by src_user_id [Splunk]

Description

This Transform returns Authentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Authentication Events by src_user_id [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastoauthenticationusingsrcuserid
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Authentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Authentication Events by src_user [Splunk]

Description

This Transform returns Authentication events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Authentication Events by src_user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastoauthenticationusingsrcuser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Authentication events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Authentication Events by user_id [Splunk]

Description

This Transform returns Authentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Authentication Events by user_id [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastoauthenticationusinguserid
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Authentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’

Get Authentication Events by user [Splunk]

Description

This Transform returns Authentication events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The name of the user involved in the event or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Authentication Events by user [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastoauthenticationusinguser
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns Authentication events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The name of the user involved in the event or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’

Get Failed Authentication Events by src_user_id [Splunk]

Description

This Transform returns FailedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Failed Authentication Events by src_user_id [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastoauthenticationfailedauthenticationusingsrcuserid
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns FailedAuthentication events where the field ‘SrcUserId’ is equal to the value of the input Alias. The CIM defines the field name SrcUserId as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Failed Authentication Events by user_id [Splunk]

Description

This Transform returns FailedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’

Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    |               | False    | false | false
Host         | string       |               | False    | false | false
Password     | string       |               | False    | false | false
Port         | int          |               | False    | false | false
Token        | string       |               | False    | false | false
Username     | string       |               | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Failed Authentication Events by user_id [Splunk]
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | Splunk
Transform Name    | aliastoauthenticationfailedauthenticationusinguserid
Input Entities    | maltego.Alias
Output Entities   | Phrase
Short Description | This Transform returns FailedAuthentication events where the field ‘UserId’ is equal to the value of the input Alias. The CIM defines the field name UserId as ‘The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation.’

Get Successful Authentication Events by src_user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Successful_Authentication dataset (authentication events with action=success) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Successful Authentication Events by src_user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationsuccessfulauthenticationusingsrcuserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Successful_Authentication dataset (authentication events with action=success) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Successful Authentication Events by user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Successful_Authentication dataset (authentication events with action=success) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Successful Authentication Events by user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationsuccessfulauthenticationusinguserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Successful_Authentication dataset (authentication events with action=success) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Default Authentication Events by src_user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Default_Authentication dataset (authentication events tagged default, i.e. involving a default account) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Default Authentication Events by src_user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationdefaultauthenticationusingsrcuserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Default_Authentication dataset (authentication events tagged default, i.e. involving a default account) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Default Authentication Events by user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Default_Authentication dataset (authentication events tagged default, i.e. involving a default account) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Default Authentication Events by user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationdefaultauthenticationusinguserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Default_Authentication dataset (authentication events tagged default, i.e. involving a default account) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Failed Default Authentication Events by src_user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Failed_Default_Authentication dataset (default-account authentication events with action=failure) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Failed Default Authentication Events by src_user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationfaileddefaultauthenticationusingsrcuserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Failed_Default_Authentication dataset (default-account authentication events with action=failure) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Failed Default Authentication Events by user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Failed_Default_Authentication dataset (default-account authentication events with action=failure) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Failed Default Authentication Events by user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationfaileddefaultauthenticationusinguserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Failed_Default_Authentication dataset (default-account authentication events with action=failure) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Successful Default Authentication Events by src_user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Successful_Default_Authentication dataset (default-account authentication events with action=success) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Successful Default Authentication Events by src_user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationsuccessfuldefaultauthenticationusingsrcuserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Successful_Default_Authentication dataset (default-account authentication events with action=success) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Successful Default Authentication Events by user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Successful_Default_Authentication dataset (default-account authentication events with action=success) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Successful Default Authentication Events by user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationsuccessfuldefaultauthenticationusinguserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Successful_Default_Authentication dataset (default-account authentication events with action=success) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Insecure Authentication Events by src_user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Insecure_Authentication dataset (authentication events tagged cleartext, i.e. credentials sent without encryption) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Insecure Authentication Events by src_user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationinsecureauthenticationusingsrcuserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Insecure_Authentication dataset (authentication events tagged cleartext, i.e. credentials sent without encryption) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Insecure Authentication Events by user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Insecure_Authentication dataset (authentication events tagged cleartext, i.e. credentials sent without encryption) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Insecure Authentication Events by user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationinsecureauthenticationusinguserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Insecure_Authentication dataset (authentication events tagged cleartext, i.e. credentials sent without encryption) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Privileged Authentication Events by src_user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Privileged_Authentication dataset (authentication events tagged privileged) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Privileged Authentication Events by src_user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationprivilegedauthenticationusingsrcuserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Privileged_Authentication dataset (authentication events tagged privileged) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Privileged Authentication Events by user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Privileged_Authentication dataset (authentication events tagged privileged) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Privileged Authentication Events by user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationprivilegedauthenticationusinguserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Privileged_Authentication dataset (authentication events tagged privileged) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Failed Privileged Authentication Events by src_user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Failed_Privileged_Authentication dataset (privileged authentication events with action=failure) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Failed Privileged Authentication Events by src_user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationfailedprivilegedauthenticationusingsrcuserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Failed_Privileged_Authentication dataset (privileged authentication events with action=failure) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Failed Privileged Authentication Events by user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Failed_Privileged_Authentication dataset (privileged authentication events with action=failure) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Failed Privileged Authentication Events by user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationfailedprivilegedauthenticationusinguserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Failed_Privileged_Authentication dataset (privileged authentication events with action=failure) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get Successful Privileged Authentication Events by src_user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Successful_Privileged_Authentication dataset (privileged authentication events with action=success) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Successful Privileged Authentication Events by src_user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationsuccessfulprivilegedauthenticationusingsrcuserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Successful_Privileged_Authentication dataset (privileged authentication events with action=success) where the CIM field src_user_id (shown as ‘SrcUserId’) is equal to the value of the input Alias. The CIM defines src_user_id as ‘The unique id of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.’

Get Successful Privileged Authentication Events by user_id [Splunk]

Description

This Transform returns events from the Authentication data model's Successful_Privileged_Authentication dataset (privileged authentication events with action=success) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Successful Privileged Authentication Events by user_id [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastoauthenticationsuccessfulprivilegedauthenticationusinguserid
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Authentication data model's Successful_Privileged_Authentication dataset (privileged authentication events with action=success) where the CIM field user_id (shown as ‘UserId’) is equal to the value of the input Alias. The CIM defines user_id as ‘The unique id of the user involved in the event. For authentication privilege escalation events this should represent the user targeted by the escalation.’

Get All Traffic Events by src_ip [Splunk]

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get All Traffic Events by src_ip [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Output Entities     Phrase

Variants

Transform Name                                          Input Entities        Short Description
ipv4addresstonetworktrafficalltrafficusingsrcip         maltego.IPv4Address   This Transform returns events from the Network_Traffic data model's All_Traffic dataset where the CIM field src_ip (shown as ‘SrcIp’) is equal to the value of the input IPv4Address. The CIM defines src_ip as ‘The ip address of the source.’
ipv6addresstonetworktrafficalltrafficusingsrcip         maltego.IPv6Address   This Transform returns events from the Network_Traffic data model's All_Traffic dataset where the CIM field src_ip (shown as ‘SrcIp’) is equal to the value of the input IPv6Address. The CIM defines src_ip as ‘The ip address of the source.’

Get All Traffic Events by src [Splunk]

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get All Traffic Events by src [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Output Entities     Phrase

Variants

Transform Name                                          Input Entities        Short Description
ipv4addresstonetworktrafficalltrafficusingsrc           maltego.IPv4Address   This Transform returns events from the Network_Traffic data model's All_Traffic dataset where the CIM field src (shown as ‘Src’) is equal to the value of the input IPv4Address. The CIM defines src as ‘The source of the network traffic (the client requesting the connection). You can alias this from more specific fields such as src_host src_ip or src_name.’ Because src may have been aliased from a hostname, an address input only matches events whose src holds that address; src_ip is the more precise pivot for addresses.
ipv6addresstonetworktrafficalltrafficusingsrc           maltego.IPv6Address   This Transform returns events from the Network_Traffic data model's All_Traffic dataset where the CIM field src (shown as ‘Src’) is equal to the value of the input IPv6Address. The CIM defines src as ‘The source of the network traffic (the client requesting the connection). You can alias this from more specific fields such as src_host src_ip or src_name.’ Because src may have been aliased from a hostname, an address input only matches events whose src holds that address; src_ip is the more precise pivot for addresses.

Get All Traffic Events by dest_ip [Splunk]

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get All Traffic Events by dest_ip [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Output Entities     Phrase

Variants

Transform Name                                          Input Entities        Short Description
ipv4addresstonetworktrafficalltrafficusingdestip        maltego.IPv4Address   This Transform returns events from the Network_Traffic data model's All_Traffic dataset where the CIM field dest_ip (shown as ‘DestIp’) is equal to the value of the input IPv4Address. The CIM defines dest_ip as ‘The IP address of the destination.’
ipv6addresstonetworktrafficalltrafficusingdestip        maltego.IPv6Address   This Transform returns events from the Network_Traffic data model's All_Traffic dataset where the CIM field dest_ip (shown as ‘DestIp’) is equal to the value of the input IPv6Address. The CIM defines dest_ip as ‘The IP address of the destination.’

Get All Traffic Events by dvc_ip [Splunk]

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get All Traffic Events by dvc_ip [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Output Entities     Phrase

Variants

Transform Name                                          Input Entities        Short Description
ipv4addresstonetworktrafficalltrafficusingdvcip         maltego.IPv4Address   This Transform returns events from the Network_Traffic data model's All_Traffic dataset where the CIM field dvc_ip (shown as ‘DvcIp’) is equal to the value of the input IPv4Address. The CIM defines dvc_ip as ‘The ip address of the device.’
ipv6addresstonetworktrafficalltrafficusingdvcip         maltego.IPv6Address   This Transform returns events from the Network_Traffic data model's All_Traffic dataset where the CIM field dvc_ip (shown as ‘DvcIp’) is equal to the value of the input IPv6Address. The CIM defines dvc_ip as ‘The ip address of the device.’

Get All Traffic Events by dvc [Splunk]

Description

This Transform returns events from the Network_Traffic data model's All_Traffic dataset where the CIM field dvc (shown as ‘Dvc’) is equal to the value of the input Alias. The CIM defines dvc as ‘The device that reported the traffic event. You can alias this from more specific fields such as dvc_host dvc_ip or dvc_name.’ Because dvc may have been aliased from dvc_host or dvc_name, use the dvc_ip Transforms when pivoting on an address.

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get All Traffic Events by dvc [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastonetworktrafficalltrafficusingdvc
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Network_Traffic data model's All_Traffic dataset where the CIM field dvc (shown as ‘Dvc’) is equal to the value of the input Alias. The CIM defines dvc as ‘The device that reported the traffic event. You can alias this from more specific fields such as dvc_host dvc_ip or dvc_name.’ Because dvc may have been aliased from dvc_host or dvc_name, use the dvc_ip Transforms when pivoting on an address.

Get All Traffic Events by user [Splunk]

Description

This Transform returns events from the Network_Traffic data model's All_Traffic dataset where the CIM field user (shown as ‘User’) is equal to the value of the input Alias. The CIM defines user as ‘The user that requested the traffic flow.’

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get All Traffic Events by user [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Transform Name      aliastonetworktrafficalltrafficusinguser
Input Entities      maltego.Alias
Output Entities     Phrase
Short Description   This Transform returns events from the Network_Traffic data model's All_Traffic dataset where the CIM field user (shown as ‘User’) is equal to the value of the input Alias. The CIM defines user as ‘The user that requested the traffic flow.’

Get Allowed Traffic Events by src_ip [Splunk]

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Allowed Traffic Events by src_ip [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Output Entities     Phrase

Variants

Transform Name                                          Input Entities        Short Description
ipv4addresstonetworktrafficallowedtrafficusingsrcip     maltego.IPv4Address   This Transform returns events from the Network_Traffic data model's Allowed_Traffic dataset (traffic events with action=allowed) where the CIM field src_ip (shown as ‘SrcIp’) is equal to the value of the input IPv4Address. The CIM defines src_ip as ‘The ip address of the source.’
ipv6addresstonetworktrafficallowedtrafficusingsrcip     maltego.IPv6Address   This Transform returns events from the Network_Traffic data model's Allowed_Traffic dataset (traffic events with action=allowed) where the CIM field src_ip (shown as ‘SrcIp’) is equal to the value of the input IPv6Address. The CIM defines src_ip as ‘The ip address of the source.’

Get Allowed Traffic Events by dest_ip [Splunk]

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Allowed Traffic Events by dest_ip [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Output Entities     Phrase

Variants

Transform Name                                          Input Entities        Short Description
ipv4addresstonetworktrafficallowedtrafficusingdestip    maltego.IPv4Address   This Transform returns events from the Network_Traffic data model's Allowed_Traffic dataset (traffic events with action=allowed) where the CIM field dest_ip (shown as ‘DestIp’) is equal to the value of the input IPv4Address. The CIM defines dest_ip as ‘The IP address of the destination.’
ipv6addresstonetworktrafficallowedtrafficusingdestip    maltego.IPv6Address   This Transform returns events from the Network_Traffic data model's Allowed_Traffic dataset (traffic events with action=allowed) where the CIM field dest_ip (shown as ‘DestIp’) is equal to the value of the input IPv6Address. The CIM defines dest_ip as ‘The IP address of the destination.’

Get Allowed Traffic Events by dvc_ip [Splunk]

Transform Settings

Display Name   Setting Type   Default Value   Optional   Popup   Authentication
Date Range     daterange                      False      false   false
Host           string                         False      false   false
Password       string                         False      false   false
Port           int                            False      false   false
Token          string                         False      false   false
Username       string                         False      false   false

Transform Meta Info

Information         Value
Display Name        Get Allowed Traffic Events by dvc_ip [Splunk]
Owner               Maltego Technologies GmbH
Author              dev@maltego.com
Data Source         Splunk
Output Entities     Phrase

Variants

Transform Name                                          Input Entities        Short Description
ipv4addresstonetworktrafficallowedtrafficusingdvcip     maltego.IPv4Address   This Transform returns events from the Network_Traffic data model's Allowed_Traffic dataset (traffic events with action=allowed) where the CIM field dvc_ip (shown as ‘DvcIp’) is equal to the value of the input IPv4Address. The CIM defines dvc_ip as ‘The ip address of the device.’
ipv6addresstonetworktrafficallowedtrafficusingdvcip     maltego.IPv6Address   This Transform returns events from the Network_Traffic data model's Allowed_Traffic dataset (traffic events with action=allowed) where the CIM field dvc_ip (shown as ‘DvcIp’) is equal to the value of the input IPv6Address. The CIM defines dvc_ip as ‘The ip address of the device.’

Get Blocked Traffic Events by src_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Traffic Events by src_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworktrafficblockedtrafficusingsrcip maltego.IPv4Address This Transform returns BlockedTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name SrcIp as ‘The ip address of the source.’
ipv6addresstonetworktrafficblockedtrafficusingsrcip maltego.IPv6Address This Transform returns BlockedTraffic events where the field ‘SrcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name SrcIp as ‘The ip address of the source.’

Get Blocked Traffic Events by dest_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Traffic Events by dest_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworktrafficblockedtrafficusingdestip maltego.IPv4Address This Transform returns BlockedTraffic events where the field ‘DestIp’ is equal to the value of the input IPv4Address. The CIM defines the field name DestIp as ‘The IP address of the destination.’
ipv6addresstonetworktrafficblockedtrafficusingdestip maltego.IPv6Address This Transform returns BlockedTraffic events where the field ‘DestIp’ is equal to the value of the input IPv6Address. The CIM defines the field name DestIp as ‘The IP address of the destination.’

Get Blocked Traffic Events by dvc_ip [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Traffic Events by dvc_ip [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstonetworktrafficblockedtrafficusingdvcip maltego.IPv4Address This Transform returns BlockedTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv4Address. The CIM defines the field name DvcIp as ‘The ip address of the device.’
ipv6addresstonetworktrafficblockedtrafficusingdvcip maltego.IPv6Address This Transform returns BlockedTraffic events where the field ‘DvcIp’ is equal to the value of the input IPv6Address. The CIM defines the field name DvcIp as ‘The ip address of the device.’

Get Malware Attacks Events by src [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Malware Attacks Events by src [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstomalwaremalwareattacksusingsrc maltego.IPv4Address This Transform returns MalwareAttacks events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’
ipv6addresstomalwaremalwareattacksusingsrc maltego.IPv6Address This Transform returns MalwareAttacks events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’

Get Malware Attacks Events by src_user [Splunk]

Description

This Transform returns MalwareAttacks events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Malware Attacks Events by src_user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastomalwaremalwareattacksusingsrcuser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns MalwareAttacks events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’

Get Malware Attacks Events by user [Splunk]

Description

This Transform returns MalwareAttacks events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the malware event.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Malware Attacks Events by user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastomalwaremalwareattacksusinguser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns MalwareAttacks events where the field ‘User’ is equal to the value of the input Alias. The CIM defines the field name User as ‘The user involved in the malware event.’

Get Malware Attacks Events by url [Splunk]

Description

This Transform returns MalwareAttacks events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Malware Attacks Events by url [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name urltomalwaremalwareattacksusingurl
Input Entities maltego.URL
Output Entities Phrase
Short Description This Transform returns MalwareAttacks events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’

Get Malware Attacks Events by file_hash [Splunk]

Description

This Transform returns MalwareAttacks events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Malware Attacks Events by file_hash [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name hashtomalwaremalwareattacksusingfilehash
Input Entities maltego.Hash
Output Entities Phrase
Short Description This Transform returns MalwareAttacks events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’

Get Allowed Malware Events by src [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Allowed Malware Events by src [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstomalwareallowedmalwareusingsrc maltego.IPv4Address This Transform returns AllowedMalware events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’
ipv6addresstomalwareallowedmalwareusingsrc maltego.IPv6Address This Transform returns AllowedMalware events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’

Get Allowed Malware Events by src_user [Splunk]

Description

This Transform returns AllowedMalware events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Allowed Malware Events by src_user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastomalwareallowedmalwareusingsrcuser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns AllowedMalware events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’

Get Allowed Malware Events by url [Splunk]

Description

This Transform returns AllowedMalware events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Allowed Malware Events by url [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name urltomalwareallowedmalwareusingurl
Input Entities maltego.URL
Output Entities Phrase
Short Description This Transform returns AllowedMalware events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’

Get Allowed Malware Events by file_hash [Splunk]

Description

This Transform returns AllowedMalware events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Allowed Malware Events by file_hash [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name hashtomalwareallowedmalwareusingfilehash
Input Entities maltego.Hash
Output Entities Phrase
Short Description This Transform returns AllowedMalware events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’

Get Blocked Malware Events by src [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Malware Events by src [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstomalwareblockedmalwareusingsrc maltego.IPv4Address This Transform returns BlockedMalware events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’
ipv6addresstomalwareblockedmalwareusingsrc maltego.IPv6Address This Transform returns BlockedMalware events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’

Get Blocked Malware Events by src_user [Splunk]

Description

This Transform returns BlockedMalware events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Malware Events by src_user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastomalwareblockedmalwareusingsrcuser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns BlockedMalware events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’

Get Blocked Malware Events by url [Splunk]

Description

This Transform returns BlockedMalware events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Malware Events by url [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name urltomalwareblockedmalwareusingurl
Input Entities maltego.URL
Output Entities Phrase
Short Description This Transform returns BlockedMalware events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’

Get Blocked Malware Events by file_hash [Splunk]

Description

This Transform returns BlockedMalware events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Blocked Malware Events by file_hash [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name hashtomalwareblockedmalwareusingfilehash
Input Entities maltego.Hash
Output Entities Phrase
Short Description This Transform returns BlockedMalware events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’

Get Deferred Malware Events by src [Splunk]

Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Deferred Malware Events by src [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Output Entities Phrase

Variants

Transform Name Input Entities Short Description
ipv4addresstomalwaredeferredmalwareusingsrc maltego.IPv4Address This Transform returns DeferredMalware events where the field ‘Src’ is equal to the value of the input IPv4Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’
ipv6addresstomalwaredeferredmalwareusingsrc maltego.IPv6Address This Transform returns DeferredMalware events where the field ‘Src’ is equal to the value of the input IPv6Address. The CIM defines the field name Src as ‘The source of the endpoint event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name.’

Get Deferred Malware Events by src_user [Splunk]

Description

This Transform returns DeferredMalware events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Deferred Malware Events by src_user [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name aliastomalwaredeferredmalwareusingsrcuser
Input Entities maltego.Alias
Output Entities Phrase
Short Description This Transform returns DeferredMalware events where the field ‘SrcUser’ is equal to the value of the input Alias. The CIM defines the field name SrcUser as ‘The reported sender of an email-based attack.’

Get Deferred Malware Events by url [Splunk]

Description

This Transform returns DeferredMalware events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Deferred Malware Events by url [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name urltomalwaredeferredmalwareusingurl
Input Entities maltego.URL
Output Entities Phrase
Short Description This Transform returns DeferredMalware events where the field ‘Url’ is equal to the value of the input URL. The CIM defines the field name Url as ‘A URL containing more information about the vulnerability.’

Get Deferred Malware Events by file_hash [Splunk]

Description

This Transform returns DeferredMalware events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Deferred Malware Events by file_hash [Splunk]
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source Splunk
Transform Name hashtomalwaredeferredmalwareusingfilehash
Input Entities maltego.Hash
Output Entities Phrase
Short Description This Transform returns DeferredMalware events where the field ‘FileHash’ is equal to the value of the input Hash. The CIM defines the field name FileHash as ‘The hash of the file with suspected malware.’

Get All Sessions Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get All Sessions Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchallsessionsusingipv4address maltego.IPv4Address
rawsearchallsessionsusingipv6address maltego.IPv6Address
rawsearchallsessionsusinghash maltego.Hash
rawsearchallsessionsusingalias maltego.Alias
rawsearchallsessionsusingemailaddress maltego.EmailAddress
rawsearchallsessionsusingphrase maltego.Phrase
rawsearchallsessionsusingdomain maltego.Domain
rawsearchallsessionsusingcve maltego.CVE

Get DHCP Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get DHCP Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchdhcpusingipv4address maltego.IPv4Address
rawsearchdhcpusingipv6address maltego.IPv6Address
rawsearchdhcpusinghash maltego.Hash
rawsearchdhcpusingalias maltego.Alias
rawsearchdhcpusingemailaddress maltego.EmailAddress
rawsearchdhcpusingphrase maltego.Phrase
rawsearchdhcpusingdomain maltego.Domain
rawsearchdhcpusingcve maltego.CVE

Get DNS Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get DNS Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchdnsusingipv4address maltego.IPv4Address
rawsearchdnsusingipv6address maltego.IPv6Address
rawsearchdnsusinghash maltego.Hash
rawsearchdnsusingalias maltego.Alias
rawsearchdnsusingemailaddress maltego.EmailAddress
rawsearchdnsusingphrase maltego.Phrase
rawsearchdnsusingdomain maltego.Domain
rawsearchdnsusingcve maltego.CVE

Get Ports Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Ports Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchportsusingipv4address maltego.IPv4Address
rawsearchportsusingipv6address maltego.IPv6Address
rawsearchportsusinghash maltego.Hash
rawsearchportsusingalias maltego.Alias
rawsearchportsusingemailaddress maltego.EmailAddress
rawsearchportsusingphrase maltego.Phrase
rawsearchportsusingdomain maltego.Domain
rawsearchportsusingcve maltego.CVE

Get Processes Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Processes Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchprocessesusingipv4address maltego.IPv4Address
rawsearchprocessesusingipv6address maltego.IPv6Address
rawsearchprocessesusinghash maltego.Hash
rawsearchprocessesusingalias maltego.Alias
rawsearchprocessesusingemailaddress maltego.EmailAddress
rawsearchprocessesusingphrase maltego.Phrase
rawsearchprocessesusingdomain maltego.Domain
rawsearchprocessesusingcve maltego.CVE

Get Services Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Services Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchservicesusingipv4address maltego.IPv4Address
rawsearchservicesusingipv6address maltego.IPv6Address
rawsearchservicesusinghash maltego.Hash
rawsearchservicesusingalias maltego.Alias
rawsearchservicesusingemailaddress maltego.EmailAddress
rawsearchservicesusingphrase maltego.Phrase
rawsearchservicesusingdomain maltego.Domain
rawsearchservicesusingcve maltego.CVE

Get Filesystem Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Filesystem Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchfilesystemusingipv4address maltego.IPv4Address
rawsearchfilesystemusingipv6address maltego.IPv6Address
rawsearchfilesystemusinghash maltego.Hash
rawsearchfilesystemusingalias maltego.Alias
rawsearchfilesystemusingemailaddress maltego.EmailAddress
rawsearchfilesystemusingphrase maltego.Phrase
rawsearchfilesystemusingdomain maltego.Domain
rawsearchfilesystemusingcve maltego.CVE

Get Registry Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Registry Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchregistryusingipv4address maltego.IPv4Address
rawsearchregistryusingipv6address maltego.IPv6Address
rawsearchregistryusinghash maltego.Hash
rawsearchregistryusingalias maltego.Alias
rawsearchregistryusingemailaddress maltego.EmailAddress
rawsearchregistryusingphrase maltego.Phrase
rawsearchregistryusingdomain maltego.Domain
rawsearchregistryusingcve maltego.CVE

Get Vulnerabilities Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name Setting Type Default Value Optional Popup Authentication
Date Range daterange   False false false
Host string   False false false
Password string   False false false
Port int   False false false
Token string   False false false
Username string   False false false

Transform Meta Info

Information Value
Display Name Get Vulnerabilities Events (any field)
Owner Maltego Technologies GmbH
Author dev@maltego.com
Data Source  
Output Entities Phrase
Short Description Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchvulnerabilitiesusingipv4address maltego.IPv4Address
rawsearchvulnerabilitiesusingipv6address maltego.IPv6Address
rawsearchvulnerabilitiesusinghash maltego.Hash
rawsearchvulnerabilitiesusingalias maltego.Alias
rawsearchvulnerabilitiesusingemailaddress maltego.EmailAddress
rawsearchvulnerabilitiesusingphrase maltego.Phrase
rawsearchvulnerabilitiesusingdomain maltego.Domain
rawsearchvulnerabilitiesusingcve maltego.CVE

Get Authentication Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    | (none)        | False    | false | false
Host         | string       | (none)        | False    | false | false
Password     | string       | (none)        | False    | false | false
Port         | int          | (none)        | False    | false | false
Token        | string       | (none)        | False    | false | false
Username     | string       | (none)        | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Authentication Events (any field)
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | (not specified)
Output Entities   | Phrase
Short Description | Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchauthenticationusingipv4address maltego.IPv4Address
rawsearchauthenticationusingipv6address maltego.IPv6Address
rawsearchauthenticationusinghash maltego.Hash
rawsearchauthenticationusingalias maltego.Alias
rawsearchauthenticationusingemailaddress maltego.EmailAddress
rawsearchauthenticationusingphrase maltego.Phrase
rawsearchauthenticationusingdomain maltego.Domain
rawsearchauthenticationusingcve maltego.CVE

Get All Traffic Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    | (none)        | False    | false | false
Host         | string       | (none)        | False    | false | false
Password     | string       | (none)        | False    | false | false
Port         | int          | (none)        | False    | false | false
Token        | string       | (none)        | False    | false | false
Username     | string       | (none)        | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get All Traffic Events (any field)
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | (not specified)
Output Entities   | Phrase
Short Description | Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchalltrafficusingipv4address maltego.IPv4Address
rawsearchalltrafficusingipv6address maltego.IPv6Address
rawsearchalltrafficusinghash maltego.Hash
rawsearchalltrafficusingalias maltego.Alias
rawsearchalltrafficusingemailaddress maltego.EmailAddress
rawsearchalltrafficusingphrase maltego.Phrase
rawsearchalltrafficusingdomain maltego.Domain
rawsearchalltrafficusingcve maltego.CVE

Get Malware Attacks Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    | (none)        | False    | false | false
Host         | string       | (none)        | False    | false | false
Password     | string       | (none)        | False    | false | false
Port         | int          | (none)        | False    | false | false
Token        | string       | (none)        | False    | false | false
Username     | string       | (none)        | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Malware Attacks Events (any field)
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | (not specified)
Output Entities   | Phrase
Short Description | Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchmalwareattacksusingipv4address maltego.IPv4Address
rawsearchmalwareattacksusingipv6address maltego.IPv6Address
rawsearchmalwareattacksusinghash maltego.Hash
rawsearchmalwareattacksusingalias maltego.Alias
rawsearchmalwareattacksusingemailaddress maltego.EmailAddress
rawsearchmalwareattacksusingphrase maltego.Phrase
rawsearchmalwareattacksusingdomain maltego.Domain
rawsearchmalwareattacksusingcve maltego.CVE

Get Malware Operations Events (any field)

Description

Returns events where the input Entity value was observed


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    | (none)        | False    | false | false
Host         | string       | (none)        | False    | false | false
Password     | string       | (none)        | False    | false | false
Port         | int          | (none)        | False    | false | false
Token        | string       | (none)        | False    | false | false
Username     | string       | (none)        | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Get Malware Operations Events (any field)
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | (not specified)
Output Entities   | Phrase
Short Description | Returns events where the input Entity value was observed

Variants

Transform Name Input Entities
rawsearchmalwareoperationsusingipv4address maltego.IPv4Address
rawsearchmalwareoperationsusingipv6address maltego.IPv6Address
rawsearchmalwareoperationsusinghash maltego.Hash
rawsearchmalwareoperationsusingalias maltego.Alias
rawsearchmalwareoperationsusingemailaddress maltego.EmailAddress
rawsearchmalwareoperationsusingphrase maltego.Phrase
rawsearchmalwareoperationsusingdomain maltego.Domain
rawsearchmalwareoperationsusingcve maltego.CVE

Search All Events (any field)

Description

Returns Splunk events where the input Entity value was observed


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    | (none)        | False    | false | false
Host         | string       | (none)        | False    | false | false
Password     | string       | (none)        | False    | false | false
Port         | int          | (none)        | False    | false | false
Token        | string       | (none)        | False    | false | false
Username     | string       | (none)        | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Search All Events (any field)
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | (not specified)
Output Entities   | Phrase
Short Description | Returns Splunk events where the input Entity value was observed

Variants

Transform Name Input Entities
rawmultisearchallmodelsusingipv4address maltego.IPv4Address
rawmultisearchallmodelsusingipv6address maltego.IPv6Address
rawmultisearchallmodelsusinghash maltego.Hash
rawmultisearchallmodelsusingalias maltego.Alias
rawmultisearchallmodelsusingemailaddress maltego.EmailAddress
rawmultisearchallmodelsusingphrase maltego.Phrase
rawmultisearchallmodelsusingdomain maltego.Domain
rawmultisearchallmodelsusingcve maltego.CVE

Run Raw Splunk Query

Description

Transform executes the given Splunk query


Transform Settings

Display Name | Setting Type | Default Value | Optional | Popup | Authentication
Date Range   | daterange    | (none)        | False    | false | false
Host         | string       | (none)        | False    | false | false
Password     | string       | (none)        | False    | false | false
Port         | int          | (none)        | False    | false | false
Token        | string       | (none)        | False    | false | false
Username     | string       | (none)        | False    | false | false

Transform Meta Info

Information       | Value
Display Name      | Run Raw Splunk Query
Owner             | Maltego Technologies GmbH
Author            | dev@maltego.com
Data Source       | (not specified)
Transform Name    | phrasetorawquery
Input Entities    | maltego.Phrase
Output Entities   | Phrase
Short Description | Transform executes the given Splunk query
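
The following is an added example, not Maltego's Transform code and not taken from this page, showing one way the "(any field)" data-model searches and the Run Raw Splunk Query request could be built from the settings listed above (Host, Port, Token or Username/Password, Date Range) and sent to the Splunk REST API. It goes beyond the page in two ways a practitioner would want: it escapes the entity value before quoting it in SPL (an entity value like `x" OR index=*` would otherwise rewrite the query) and it rejects wildcard-only terms that would match every event. The data-model and dataset names (Endpoint, Registry) are Splunk CIM names; the function names, the oneshot request shape, the host name and the sample response are assumptions made for this example.

```python
"""Added example (not Maltego's or Splunk's own code): build and authenticate
the Splunk REST searches behind the transforms documented above. CIM names are
real; function names, host, sample response and request shape are assumptions.
"""
import base64
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlencode

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def escape_spl_literal(value: str) -> str:
    """Escape an entity value for use inside a double-quoted SPL term.

    Inside "..." a backslash escapes the next character, so an unescaped
    value such as  x" OR index=*  would break out of the quotes and rewrite
    the query with whatever privileges the configured account has.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_datamodel_search(datamodel: str, dataset: str, value: str) -> str:
    """SPL returning datamodel/dataset events where `value` occurs in any field.

    A bare quoted term after `search` is matched against every field, which is
    what the "(any field)" transforms advertise. `*` stays a wildcard even
    inside quotes, so an empty or all-wildcard value would return everything
    and is rejected instead.
    """
    if not (_IDENT.match(datamodel) and _IDENT.match(dataset)):
        raise ValueError("data model and dataset must be plain identifiers")
    if value.replace("*", "").strip() == "":
        raise ValueError("refusing a term that would match every event")
    return (f"| datamodel {datamodel} {dataset} search "
            f'| search "{escape_spl_literal(value)}"')


@dataclass
class SplunkSettings:
    """Mirror of the settings table; 8089 is the management (REST) port,
    not the Splunk Web port."""
    host: str
    port: int = 8089
    token: Optional[str] = None
    username: Optional[str] = None
    password: Optional[str] = None


def auth_header(settings: SplunkSettings) -> dict:
    """Use the authentication token when present, otherwise HTTP Basic.

    A Splunk token carries the roles of the user it was created for, and every
    transform on this page, Run Raw Splunk Query included, runs with that
    user's privileges: use a read-only role limited to the needed indexes.
    """
    if settings.token:
        return {"Authorization": f"Bearer {settings.token}"}
    if settings.username and settings.password:
        raw = f"{settings.username}:{settings.password}".encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
    raise ValueError("a token or a username/password pair is required")


def build_search_request(settings: SplunkSettings, spl: str,
                         earliest: str, latest: str) -> Tuple[str, dict, str]:
    """Build a oneshot search-job request: returns (url, headers, form body).

    The Date Range setting becomes earliest_time/latest_time parameters rather
    than text spliced into the SPL, and a query that does not begin with a
    command gets the leading `search` that /services/search/jobs requires.
    """
    spl = spl.strip()
    if not spl.startswith("|") and not spl.startswith("search "):
        spl = "search " + spl
    url = f"https://{settings.host}:{settings.port}/services/search/jobs"
    headers = dict(auth_header(settings))
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    body = urlencode({"search": spl, "earliest_time": earliest,
                      "latest_time": latest, "exec_mode": "oneshot",
                      "output_mode": "json"})
    return url, headers, body


def results_to_phrases(response_body: str) -> List[str]:
    """Flatten a oneshot JSON response to the _raw event text the transforms
    return as Phrase entities; results without _raw are skipped."""
    results = json.loads(response_body).get("results", [])
    return [r["_raw"] for r in results if "_raw" in r]


# Constructed sample in the shape of an output_mode=json response (not real data).
SAMPLE_RESPONSE = json.dumps({"results": [
    {"_time": "2022-07-21T11:57:00", "_raw": "EventCode=13 Registry value set "
     "TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"_time": "2022-07-21T11:58:00", "_raw": "EventCode=12 Registry object added "
     "TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"_time": "2022-07-21T11:59:00"},
]})

if __name__ == "__main__":
    cfg = SplunkSettings(host="splunk.example.internal", token="<token>")  # assumed
    spl = build_datamodel_search("Endpoint", "Registry", "CurrentVersion\\Run")
    url, headers, body = build_search_request(cfg, spl, "-7d", "now")
    print(url, headers, body, sep="\n")
    for raw in results_to_phrases(SAMPLE_RESPONSE):
        print("Phrase:", raw)
```

The raw-query transform is the same request with the Phrase passed through as `spl`; nothing in the request itself limits what that query may do, so the only effective control is the Splunk role behind the configured token or credentials.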
