on 05-17-2017 02:48 AM - edited on 10-24-2019 08:51 AM by Retired Member
The table lists the transforms available in Maltego, the entity type they operate on, what they return, and notes on how each one works logically.
Transform | Operates On | Returns | Notes | Inbuilt filters (customer view) |
AutoFocus - Explode Tags (All) | maltego.Hash | maltego.Tag | Takes a file hash and returns any tags in AutoFocus associated with the file | None |
AutoFocus - Explode Tags (U42) | maltego.Hash | maltego.Tag | Takes a file hash and returns any Unit42 Scope tags in AutoFocus associated with the file | None |
AutoFocus - Explode Tags (Malware) | maltego.Hash | maltego.Tag | Takes a file hash and returns any Malware Class tags in AutoFocus associated with the file | None |
AutoFocus - Explode Tags (Campaign) | maltego.Hash | maltego.Tag | Takes a file hash and returns any Campaign Class tags in AutoFocus associated with the file | None |
AutoFocus - Explode Tags (Actor) | maltego.Hash | maltego.Tag | Takes a file hash and returns any Actor Class tags in AutoFocus associated with the file | None |
AutoFocus - Fetch File Metadata | maltego.Hash | maltego.Hash | Takes a file hash and returns metadata about that file back to the same entity | None |
AutoFocus - Get C2 By Sample | maltego.Hash | maltego.Domain maltego.IPv4Address | Takes a file hash and identifies C2 addresses associated with the samples in the DNS Activity and Connection Activity tabs | No Private IP addresses included; Some background noise domains excluded |
AutoFocus - Get Sample by Mutex | maltego.Mutex | maltego.Hash | Takes a mutex and identifies samples whose Mutex Activity contains that Mutex | None |
AutoFocus - Get Sample by IP | maltego.IPv4Address | maltego.Hash | Takes an IP Address and identifies files whose Connection Activity includes the IP Address | None |
AutoFocus - Get Sample by Hostname | maltego.Domain | maltego.Hash | Takes a hostname/domain and identifies files whose DNS activity includes the hostname/domain. | None |
AutoFocus - Get Sample by Query | PaloAltoNetworks.AFQuery | maltego.Hash | Takes a query exported from AutoFocus and retrieves file hashes matching that query | None |
AutoFocus - Get Sample by Tag | PaloAltoNetworks.Tag | maltego.Hash | Takes a tag (note that tags must include the full name of the tag) and identifies associated files. | None |
AutoFocus - Get Sample by URL | maltego.URL | maltego.Hash | Takes a full URL and searches for samples that communicate with that URL (e.g. www.google.com/images.php) | None |
AutoFocus - Get Sample by URL Path | maltego.URL | maltego.Hash | Takes a full or partial URL and searches for samples that communicate with the PATH component of the URL (e.g. www.google.com/images.php --> images.php) | None |
AutoFocus - Get URLS by sample | maltego.Hash | maltego.URL | Takes a file hash and identifies full URLs the malware communicates with | None |
AutoFocus - Get Mutex By Sample | maltego.Hash | maltego.Mutex | Takes a file hash and identifies associated mutexes | Mutexes which appear in more than 5000 samples are tuned out |
AutoFocus - Get Service created by Sample | maltego.Hash | maltego.ServiceName | Takes a file hash and identifies created Service Names | None |
AutoFocus - Get Imphash by Sample | maltego.Hash | maltego.Imphash | Takes a file hash and identifies the associated importhash | None |
AutoFocus - Get Sample by Imphash | maltego.Imphash | maltego.Hash | Takes an importhash and finds files which have the same importhash | None |
AutoFocus - Get Sample by Service | maltego.ServiceName | maltego.Hash | Takes a service name and searches for files which include the service name | None |
AutoFocus - Get Sample by FileActivity | maltego.Filename | maltego.Hash | Takes a filename and returns files whose File Activity includes the supplied filename | None |
AutoFocus - Get Sessions by Sample | maltego.Hash | PaloAltoNetworks.WildfireSession | Takes a given file hash and returns sessions observed using the same Hash | Sessions with no company data are excluded |
AutoFocus - Get Sessions by Query | PaloAltoNetworks.AutoFocusQuery | PaloAltoNetworks.WildfireSession | Takes a given query exported from AutoFocus and returns associated sessions. | Sessions with no company data are excluded |
AutoFocus - Get Sessions by URL Path | maltego.URL | PaloAltoNetworks.WildfireSession | Takes the supplied URL and returns sessions whose ITW URL contains the supplied URL. | Sessions with no company data are excluded |
AutoFocus - Get Sessions by Tag | PaloAltoNetworks.Tag | PaloAltoNetworks.WildfireSession | Takes a supplied tag and returns matching sessions | Sessions with no company data are excluded |
AutoFocus - Get ITW data as metadata | maltego.Hash | maltego.Hash | Takes a file hash and returns metadata about that file back to the same entity | Sessions with no company data are excluded |
AutoFocus - Get ITW URLs as entities | maltego.Hash | maltego.URL | Takes a file hash and returns associated ITW URLs back as URL entities | None |
AutoFocus - Get ITW Host | maltego.Hash | maltego.Domain maltego.IPv4Address | Takes a file hash and returns associated ITW URLs back as domain names and IP addresses. | No Private IP addresses included; Some background noise domains excluded |
AutoFocus - Get ITW Filename by Sample | maltego.Hash | maltego.Filename | Takes a file hash and returns associated ITW filenames with it | None |
AutoFocus - Get Sample by Session | PaloAltoNetworks.WildfireSession | maltego.Hash | Takes a session and returns the File analysed as part of the session | Sessions with no company data are excluded |
AutoFocus - Get ITW URL by Session | PaloAltoNetworks.WildfireSession | maltego.URL | Takes a session and returns the ITW URL observed as part of the session (if available) | Sessions with no company data are excluded |
AutoFocus - Get ITW Host by Session | PaloAltoNetworks.WildfireSession | maltego.Domain maltego.IPv4Address | Takes a session and returns associated ITW URLs back as domain names and IP addresses. | No Private IP addresses included; Some background noise domains excluded |
AutoFocus - Get ITW Filename by Session | PaloAltoNetworks.WildfireSession | maltego.Filename | Takes a session and returns associated ITW filenames with it | None |
AutoFocus - Get Sample by ITW Filename | maltego.Filename | maltego.Hash | Takes an ITW filename and returns files seen with the same filename ITW | None |
AutoFocus - Get Samples by ITW Hostname | maltego.Domain | maltego.Hash | Takes a hostname and finds files that have been spotted with the same hostname ITW | None |
AutoFocus - Get Samples by ITW IP address | maltego.IPv4Address | maltego.Hash | Takes an IP Address and identifies files that have been spotted with the same hostname ITW | None |
AutoFocus - Get Samples by ITW URL | maltego.URL | maltego.Hash | Takes a URL and finds files hosted at that URL ITW | None |
AutoFocus - Get Digtial Signer By Sample | maltego.Hash | PaloAltoNetworks.DigitalCertificateCN | Takes a sample and returns the name of the listed signer (As shown in AutoFocus) | None |
AutoFocus - Get Sample By Digital Signer | PaloAltoNetworks.DigitalCertificateCN | maltego.Hash | Takes a digital signer and returns samples in AutoFocus whose signer matches the provided one | None |