- Maltego CE (Community Edition) or Maltego XL installed.
- Access to an OpenCTI instance (set up your own or use a hosted instance).
- Knowledge of the OpenCTI API (https://github.com/OpenCTI-Platform/opencti).
Step 1: Download the OpenCTI Transform from the Transform Hub
Before you can create Maltego transforms, you need to download the OpenCTI transform from the Maltego Transform Hub:
- Open Maltego.
- Go to the “Apps” tab on the left sidebar.
- In the “Transform Hub” section, search for “OpenCTI” or the specific transform package provided by OpenCTI.
- Click on it and then click “Download” or “Install.”
Step 2: Set Up OpenCTI
Before you can create and use OpenCTI transforms, ensure you have a working OpenCTI instance with the necessary data you want to query. Follow the OpenCTI documentation for setup and data integration.
Step 3: Create Custom Maltego Transforms
To create custom Maltego transforms for OpenCTI, follow these steps:
- Select an Entity Type: Decide what type of entities in Maltego you want to associate with OpenCTI data (e.g., IP addresses, domains, or email addresses).
- Write Transform Scripts: Write Python scripts for Maltego transforms. These scripts should perform the following:
  - Accept an input entity (e.g., an IP address) as a parameter.
  - Use the input entity to construct an API request to your OpenCTI instance.
  - Send the request to OpenCTI, retrieve the relevant data (including URLs if available), and format it for Maltego.
- Parse API Responses: Parse the API responses to extract the relevant information, including any URLs associated with the entity. You’ll need to include this URL information in the Maltego transform output.
- Output Format: Format the output of the transform in a way that Maltego understands. You should include the URLs in the output if they are available.
- Test the Transforms: Test your transforms to ensure they work as expected. You can run them from the Maltego interface.
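The steps above as one local transform script. This is an added example, not code from the original page or from the OpenCTI or Maltego projects. Assumptions: the environment variable names `OPENCTI_URL` and `OPENCTI_TOKEN`, the GraphQL query fields, the OpenCTI UI path used to build each link, and the constructed sample response.

```python
import json, os, sys, urllib.request
from xml.sax.saxutils import escape

# Assumed GraphQL query; check field names against your OpenCTI version's schema.
QUERY = """query($search: String) {
  stixCyberObservables(search: $search, first: 10) {
    edges { node { id entity_type observable_value } }
  }
}"""

def build_request(value, base_url, token):
    """Build the GraphQL POST; the entity value travels as a variable, never spliced into the query."""
    body = json.dumps({"query": QUERY, "variables": {"search": value}}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/graphql", data=body,
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})

def parse_observables(response):
    """Flatten the GraphQL edges/node envelope, tolerating empty or error responses."""
    data = (response.get("data") or {}).get("stixCyberObservables") or {}
    return [e["node"] for e in data.get("edges", []) if e.get("node")]

def to_maltego_xml(nodes, base_url):
    """Render nodes as maltego.URL entities; every OpenCTI-supplied string is XML-escaped."""
    out = ["<MaltegoMessage><MaltegoTransformResponseMessage><Entities>"]
    for n in nodes:
        # Assumed UI path for an observable; adjust to your deployment.
        link = f"{base_url.rstrip('/')}/dashboard/observations/observables/{n['id']}"
        out.append(
            f'<Entity Type="maltego.URL"><Value>{escape(n["observable_value"])}</Value>'
            f'<AdditionalFields><Field Name="url" DisplayName="URL">{escape(link)}</Field>'
            f'<Field Name="opencti.type" DisplayName="OpenCTI type">{escape(n["entity_type"])}</Field>'
            "</AdditionalFields></Entity>")
    out.append("</Entities></MaltegoTransformResponseMessage></MaltegoMessage>")
    return "".join(out)

# Constructed sample response (not real data); one value carries markup to show escaping.
SAMPLE = {"data": {"stixCyberObservables": {"edges": [
    {"node": {"id": "obs-0001", "entity_type": "IPv4-Addr", "observable_value": "198.51.100.7"}},
    {"node": {"id": "obs-0002", "entity_type": "Url", "observable_value": "http://example.test/?a=1&b=<x>"}},
]}}}

if __name__ == "__main__":
    # Maltego passes the entity value as argv[1]; the token comes from the environment, not the script.
    base, token = os.environ["OPENCTI_URL"], os.environ["OPENCTI_TOKEN"]
    with urllib.request.urlopen(build_request(sys.argv[1], base, token), timeout=15) as r:
        print(to_maltego_xml(parse_observables(json.load(r)), base))
```

Values returned by OpenCTI are attacker-influenced data (observables often contain URLs and markup), so they are escaped before being written into the XML that Maltego parses.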
Step 4: Configure Maltego for Custom Transforms
Once you have your custom transforms, configure Maltego to use them:
- Open Maltego.
- In the “Transform Manager” or a similar configuration section, add your custom transforms, specifying their input and output entities, and set the appropriate transform parameters.
Step 5: Use the Custom Transforms
With your custom transforms configured, you can use them in your Maltego investigations:
- Right-click on an entity (e.g., an IP address) in your Maltego graph.
- In the context menu, select “Run Transform.”
- Choose your custom OpenCTI transform from the list.
- Click “Run.”
The transform will query OpenCTI for relevant information and include URLs in the output if they are available.
Step 6: Save and Export
After performing your analysis and enriching your Maltego graph with OpenCTI data (including URLs), you can save your graph and export it in various formats for reporting and sharing.
Please note that developing custom transforms requires programming skills, knowledge of the OpenCTI API, and adherence to OpenCTI’s data access policies.