Overview
As a built-in feature in Maltego to automate standard or repetitive investigative steps, Maltego Machines allow users to speed through the process of data collection and allocate more time to analyzing an automatically populated graph.
This guide documents a list of Maltego Machines exclusively available to Maltego Enterprise users.
Built according to standard and common workflows used in cybersecurity, cybercriminal, and social media investigations, these Machines allow investigators to quickly gather fundamental data points, thus finishing the groundwork of their investigations with a few clicks of the mouse.
For questions regarding Maltego Machines or suggestions for building future Machines, please reach out to your contact representative at Maltego or write to us at support@maltego.com.
You can also download our Complete Guide to Maltego Enterprise Machines.
Installing Maltego Enterprise Machines
To begin using the Maltego Enterprise Machines, install the Enterprise Machines Hub item as well as all the other Hub items used to create the Machines on your Maltego Desktop Client.
You can find a list of the Hub items used for each Enterprise Machine on the following pages:
Troubleshooting
Please be aware of the following common error/s which you may encounter, and take note of the prescribed recovery steps:
1. Error message: The Transform <TransformName> was not found.
Prescribed recovery steps: Please ensure that all required hub items for the particular Machine are installed, or please re-install Hub items if the error persists.
Should you require additional support, please do not hesitate to contact us by emailing support@maltego.com or reach out to us using our contact form.
Maltego Enterprise Machines for Cybersecurity Investigations
This set is designed to support cybersecurity operations.
Intelligence Gathering L1 – Hashes [OSINT, Splunk]
The Intelligence Gathering L1 – Hashes [OSINT, Splunk] Machine supports basic intelligence gathering on Hash Entities and Splunk validation.
This Machine is essential for SOC teams looking to reduce the amount of time required to enrich information associated with malware hashes—infrastructure information such as C2 domains, URLs, IP addresses, file names, etc.—while at the same time, comparing these findings against their Splunk instance, giving them an edge when fighting malware infections.
Required Hub Items:
- Abuse.ch URLhaus
- AlienVault OTX
- Intezer Analyze
- Shodan
- Splunk Enterprise Security
- VirusTotal Public API
Starting Point: Maltego.Hash Entity
Intelligence Gathering L2 – Hashes [OSINT, Splunk]
While the L1 Machine focuses on providing the first level of information about the hashes and files, this L2 Machine not only checks for infrastructure associated with them, but also checks the data against your Splunk instances.
Required Hub Items Additional to those of the L1 Machine:
- AbuseIPDB
- GreyNoise Community
- Host.io
- NIST NVD
- SSL Certificate Transforms
- WhoisXML API
Starting Point: Maltego.Hash Entity
Maltego Enterprise Machines for Cybercrime Investigations
This set is designed to support cybercrime investigations.
Identify Relevant Threat Actors [Intel 471]
The Identify Relevant Threat Actors [Intel 471] Machine queries the Intel 471 underground dataset to identify threat actors who have authored posts mentioning specific keywords.
This Machine is of great help to threat intelligence analysts, government investigators, journalists, and security researchers looking to gain additional insights from conversations taking place on dark web forums.
Required Hub Item:
- Intel 471(Enterprise)
Starting Point: maltego.Phrase Entity
Identify Relevant Forum Threads [Intel 471]
The Identify Relevant Forum Threads [Intel 471] Machine identifies forum threads mentioning a keyword as well as the corresponding thread authors.
This Machine identifies dark web forum thread topics as well as the threat actors behind the conversations.
Required Hub Item:
- Intel 471(Enterprise)
Starting Point: maltego.Phrase Entity
Maltego Enterprise Machines for Social Media & Person-of-Interest Investigations
This set is designed to support investigations tapping into social media and personal identifier information.
Basic Digital Footprint [OSINT]
The Basic Digital Footprint [OSINT] Machine maps the online footprint of a person’s name or alias. This is a perfect Machine to gain a basic, yet comprehensive overview of where a person’s name or alias has appeared on the internet, as well as what images, locations, and other individuals or organizations are associated with said name or alias.
The Machine is available for free and requires no additional API keys for the Hub items involved. During the data gathering process, the Machine will prompt you to examine the relevance of the query results to ensure high relevancy of the output delivery.
Required Hub Items:
- Maltego Standard Transforms
- TinEye
Starting Point: maltego.Phrase Entity
Full Identity Footprint [Pipl]
The Full Identity Footprint [Pipl] Machines are useful for zooming in on a person’s real-life information and quickly building a profile of your person-of-interest.
Querying the Pipl identity database, this Machine retrieves a person’s current and historical information:
- Full Name
- Image(s)
- Physical Address(es)
- Email Address(es)
- Phone Number(s)
- Website(s) & Social Media Handle(s)
- Education and Career History
- Associate(s) & Relation(s)
- Hobbies and Interests
Required Hub Item:
- Pipl
Starting Point: maltego.Person, maltego.Alias, maltego.EmailAddress or maltego.URL Entities
Deep Social Media Footprint [ShadowDragon Social Net]
The Deep Social Media Footprint [ShadowDragon SocialNet] Machine maps the social media footprint of a person’s name or alias. The Machine focuses on the person’s associated network of connections on Instagram and Twitter.
This Machine gives an extensive insight into the following social aspects of a person-of-interest:
- Whose content they consume via Twitter following
- Where they visit via Instagram location sharing
Required Hub Items:
- ShadowDragon’s SocialNet
- Maltego Standard Transforms
- Google Maps Geocoding
Starting Point: maltego.Person or maltego.Alias Entity
