Whitepaper: 36 Top Threat Intelligence Providers for SOC Teams

Executive Summary
A Security Operations Center (SOC) team is tasked with continuously monitoring its environment to detect, analyze, and respond to notable cybersecurity events that might become incidents, ultimately improving the security posture of the organization.
However, for SOC teams to effectively monitor their environment, it is not enough to simply deploy security systems and tools that alert them to an indiscriminate number of events. They need to know what internal or external threat actors are doing, what their activity may look like, and how to find traces of said activity across their infrastructure.
Usually, the traces left behind by threat actors and picked up by the monitoring systems or hunting teams are known as observables or indicators of compromise (IOCs): IP addresses, host and domain names, email addresses, filenames, file hashes, and even log entries such as unusual login attempts. On their own and out of context, these are not enough to conduct an in-depth investigation.
For a proper analysis that can lead to an effective assessment, including correlation to known or trending attacks as well as potential attribution, SOC analysts need to enrich and contextualize the traces found in their internal systems. This is where internal information and especially threat intelligence can help.

Threat Intelligence: Sources, Feeds, Platforms, and Providers
Threat intelligence is actionable and timely knowledge rooted in data. It provides analysts with the necessary context to understand threat actors' motivations, methods, tools, and infrastructure, helping them prevent or mitigate attacks.
Practically speaking, threat intelligence relevant to an organization is generated by combining the traces found in the organization's internal telemetry, such as firewall and event logs, with industry-specific threat data and information obtained through different intel sources, feeds, platforms, or providers.

Sources and Feeds
Two common threat intelligence sources are open-source intelligence (OSINT) and threat intelligence feeds. OSINT refers to intelligence derived from publicly available information, which is collected, analyzed, and shared to support specific investigations. Threat intelligence feeds are non-prioritized streams of data or digital artifacts that focus on specific areas or data types, such as suspicious domains, malicious URLs, known malware hashes, and IP addresses associated with malicious activity, among others.
While free threat intelligence feeds are usually gathered from open sources, paid threat feeds provide curated and contextualized data from closed sources, such as the dark web and cybercrime forums, or they may aggregate and process open-source feeds.

Platforms and Providers
A threat intelligence platform (TIP) is software used to organize several feeds, both free and paid, into a single stream. It makes them actionable across different protection, detection, and reaction tools.
Lastly, a threat intelligence provider is a vendor that collects and produces threat intelligence indicators and reports, sometimes using a mix of human and automated analysis. The provider then offers the intelligence via premium data feeds, as a report (an example would be Mandiant's APT1 report), or as part of a software product. The human-generated part may include motivations, tactics, techniques, and procedures (TTPs) and attribution to a known actor, linking to past or ongoing campaigns, signatures for detection and hunting (such as Sigma or YARA rules), as well as response and forensic strategies. The automated part provides lists of observables in machine-readable format.

Incorporating Threat Intel into the SOC Team
It's easy to see how one may stumble around in search of the right product to incorporate into their SOC team just by looking at the variety of options out there. With that in mind, SOC teams should first gain an insider view and comprehensive understanding of the following:
1. Their network infrastructure
2. The type of risks unique to their industry
3. Where their security posture stands based on their current resources and capabilities to manage defensive and reactive activities
4. Their available budget
5. Resources they can dedicate to the project
However, even with the previous elements established, it is often difficult for SOC teams to choose the threat intelligence solution best suited to them and to determine how to properly take advantage of the data it provides without further burdening the analysts.

Maltego's Top 36 Threat Intelligence Providers for SOC Teams
According to the 2022 SANS Cyber Threat Intelligence (CTI) Survey, published in February 2022, the types of threat intelligence that are most useful for CTI operations include:
1. Detailed information about malware being used in attacks
2. Information about vulnerabilities being targeted by attackers
3. Broad information about attacker trends
4. Specific threat behaviors and TTPs of the adversary
5. Specific IOCs to plug into IT and security infrastructure to block or find attacks
[Figure: most useful types of threat intelligence. Graphic source: SANS 2022 Cyber Threat Intelligence Survey]
Based on these criteria, we have created a list of high-quality threat intelligence options for SOC teams that have proven to be among our end-users' favorites and are suitable for all budget sizes.
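The Sources and Feeds and Platforms and Providers passages above describe what a TIP does in practice: take several feeds in different formats, normalize them into one stream, and make that stream matchable against internal telemetry such as firewall logs. The script below is an added example written for this page, not Maltego's or any vendor's code. The free-feed and paid-feed snippets and the firewall log lines are constructed, and the paid-feed field names (confidence, actor, campaign) are an assumption about what a curated feed might carry.

```python
"""Merge two constructed threat feeds into one normalized IOC stream and
correlate it against constructed firewall log lines. Added example; the
feed formats and field names are assumptions, not any vendor's schema."""
import ipaddress
import json
import re

# Constructed sample data (not real feeds). The free feed is CSV-style with
# defanged indicators; the paid feed is JSON lines carrying context.
FREE_FEED = """\
# indicator,first_seen
198.51.100.23,2024-03-01
login-portal[.]example,2024-03-02
hxxp://login-portal[.]example/verify,2024-03-02
44d88612fea8a8f36de82e1278abb02f,2024-02-28
"""
PAID_FEED = """\
{"value": "198.51.100.23", "type": "ipv4", "confidence": 90, "actor": "TA-0000", "campaign": "invoice-lure"}
{"value": "LOGIN-PORTAL.EXAMPLE", "type": "domain", "confidence": 75, "actor": "TA-0000", "campaign": "invoice-lure"}
{"value": "203.0.113.9", "type": "ipv4", "confidence": 40, "actor": null, "campaign": null}
"""
# Constructed internal telemetry in a simple key=value format.
FIREWALL_LOG = """\
2024-03-03T10:14:02Z ALLOW src=10.0.0.15 dst=198.51.100.23 dport=443
2024-03-03T10:14:05Z ALLOW src=10.0.0.15 dst=93.184.216.34 dport=443
2024-03-03T10:15:10Z DNS   src=10.0.0.22 query=login-portal.example
2024-03-03T10:16:44Z ALLOW src=10.0.0.22 dst=203.0.113.9 dport=80
"""

HASH_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
LOG_FIELD_RE = re.compile(r"\b(dst|query)=(\S+)")


def refang(value):
    """Undo the common defanging conventions used when sharing IOCs."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if v.startswith("hxxp"):
        v = "http" + v[4:]
    return v


def classify(value):
    """Return (type, normalized value), or None if value is not a usable IOC."""
    v = refang(value)
    if v.startswith(("http://", "https://")):
        return "url", v
    if HASH_RE.match(v):
        return "hash", v
    try:
        return "ipv4", str(ipaddress.IPv4Address(v))
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain", v
    return None


def merge_feeds(free_text, paid_text):
    """Build one stream keyed by (type, value); keep every source, the highest
    confidence, and the union of context fields seen for that indicator."""
    merged = {}

    def add(raw, source, confidence=None, **ctx):
        kind = classify(raw)
        if kind is None:
            return
        entry = merged.setdefault(kind, {"sources": set(), "confidence": 0, "context": {}})
        entry["sources"].add(source)
        if confidence is not None:
            entry["confidence"] = max(entry["confidence"], confidence)
        entry["context"].update({k: v for k, v in ctx.items() if v})

    for line in free_text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        raw, first_seen = line.split(",", 1)
        add(raw, "free-feed", first_seen=first_seen)
    for line in paid_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            add(rec["value"], "paid-feed", rec.get("confidence"),
                actor=rec.get("actor"), campaign=rec.get("campaign"))
    return merged


def correlate(log_text, merged):
    """Return enriched hits for log lines whose dst/query field is a known IOC."""
    hits = []
    for line in log_text.splitlines():
        for _field, raw in LOG_FIELD_RE.findall(line):
            kind = classify(raw)
            if kind in merged:
                entry = merged[kind]
                hits.append({"line": line, "type": kind[0], "ioc": kind[1],
                             "confidence": entry["confidence"],
                             "sources": sorted(entry["sources"]),
                             "context": dict(entry["context"])})
    return hits


if __name__ == "__main__":
    stream = merge_feeds(FREE_FEED, PAID_FEED)
    for hit in correlate(FIREWALL_LOG, stream):
        print(hit["type"], hit["ioc"], hit["confidence"], hit["sources"], hit["context"])
```

The point of keeping sources and confidence per indicator is that the same IP appearing in both a free and a paid feed, with actor and campaign context attached, is a very different finding from a bare address in one free list; the enriched hit carries that difference into the analyst's queue.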


Table of Contents
36 Recommended Cyber Threat Intelligence Providers by Data Types
  Infrastructure & Network Information
  Malware, TTPs & Vulnerabilities
  Deep & Dark Web / Cryptocurrency
  Endpoint & Security Events
Overview of 36 Recommended Cyber Threat Intelligence Providers
  AbuseIPDB
  AlienVault OTX
  alphaMountain
  ATT&CK - MISP
  CipherTrace
  Cisco Threat Grid
  Constella Intelligence
  CrowdStrike
  Cybersixgill
  District 4 Darkside
  DNSTwist
  DomainTools Enterprise
  DomainTools Iris
  Farsight DNSDB
  Flashpoint
  GreyNoise Community
  GreyNoise Enterprise
  Have I Been Pwned
  Host.io
  IBM QRadar
  Intel471
  Mandiant
  OpenPhish
  PolySwarm
  Recorded Future
  RiskIQ PassiveTotal
  Shodan
  Silobreaker
  Splunk
  SpyCloud
  Tatum Blockchain Explorer
  ThreatConnect
  VirusTotal Premium API
  VirusTotal Public API
  WhoisXML API
  ZeroFOX
How to Access Your Favorite Data Sources in Maltego
36 Recommended Cyber Threat Intelligence Providers by Data Types

Infrastructure & Network Information
Data sources with access to a wide range of publicly available data related to domain names, IP addresses, network activity, historical DNS records, and other internet infrastructure-related information. They can help you augment your investigations by providing insights into potential security threats and aiding in proactive threat detection and response.

Providers:
• AbuseIPDB
• AlienVault OTX
• alphaMountain
• DNSTwist
• DomainTools Enterprise
• DomainTools Iris
• Farsight DNSDB
• GreyNoise Community
• GreyNoise Enterprise
• Host.io
• RiskIQ PassiveTotal
• Shodan
• VirusTotal Premium API
• VirusTotal Public API
• WhoisXML API

Malware, TTPs & Vulnerabilities
Data sources offering insights into malicious activities, attack techniques, and software vulnerabilities. Relevant to OSINT investigations, they help cybersecurity professionals detect threats, analyze malware behaviors, monitor breaches, and access valuable threat intelligence for proactive responses.

Providers:
• AbuseIPDB
• AlienVault OTX
• alphaMountain
• ATT&CK - MISP
• Cisco Threat Grid
• CrowdStrike
• Intel471
• Mandiant
• OpenPhish
• PolySwarm
• Recorded Future
• Shodan
• Silobreaker
• ThreatConnect
• VirusTotal Premium
• VirusTotal Public
• ZeroFOX

Deep & Dark Web / Cryptocurrency
Data sources for tracking cybercriminal activities, investigating cryptocurrency transactions, gathering OSINT-based threat intelligence, and detecting stolen credentials. These sources aid SOC analysts in conducting OSINT investigations to stay ahead of cyber threats and monitor illicit activities on the hidden internet and cryptocurrency platforms.

Providers:
• CipherTrace
• Constella Intelligence
• Cybersixgill
• District 4 Darkside
• Flashpoint
• Have I Been Pwned
• Intel471
• Silobreaker
• SpyCloud
• Tatum Blockchain Explorer

Endpoint & Security Events
Data sources that help SOC analysts by monitoring and correlating security events from endpoints and feeding them into investigations. These solutions enhance threat detection and analysis, providing insights into potential threats and vulnerabilities.

Providers:
• CrowdStrike
• IBM QRadar
• Splunk
Overview of 36 Recommended Cyber Threat Intelligence Providers

AbuseIPDB
CATEGORY: INFRASTRUCTURE & NETWORK INFORMATION; MALWARE, TTPS & VULNERABILITIES

What is AbuseIPDB?
AbuseIPDB is a project that aims to combat the spread of hackers, spammers, and other abusive activities on the internet. It collects IP addresses associated with malicious online activities through crowdsourcing and offers a centralized blacklist for webmasters, system administrators, and other concerned parties. Contributions from users and organizations across the web, who report malicious traffic on their sites and servers, result in thousands of daily reports.

How can you use AbuseIPDB in Maltego?
With AbuseIPDB Transforms, you can:
• Check if an IP address has been reported for abuse and what those reports say specifically
• Report an IP address associated with malicious activity directly from Maltego
• Obtain additional information on an IP, such as usage type, country, ISP, etc.
• Reduce the time taken to confirm if a particular IP address is malicious and see if anyone else has reported malicious activity from that IP

How to access AbuseIPDB in Maltego?
MALTEGO CE: Free Data (API Key Required); Bring Your Own Key
MALTEGO PRO: Free Data (API Key Required); Bring Your Own Key
MALTEGO ENTERPRISE: Free Data (API Key Required); Bring Your Own Key

AlienVault OTX
CATEGORY: INFRASTRUCTURE & NETWORK INFORMATION; MALWARE, TTPS & VULNERABILITIES

What is AlienVault OTX?
AlienVault OTX is an open threat intelligence community that facilitates collaborative defense through actionable, community-powered threat data. It automatically extracts IOCs from various sources like blogs, threat reports, emails, and PCAPs, providing current insights into emerging threats, attack methods, and malicious actors. The feed offers threat summaries including targeted software and IOCs, such as IP addresses, domain names, file hashes, and CVE numbers. With over 20 million daily contributed threat indicators, it aids in identifying threat sources within an organization and prioritizing responses.

How can you use AlienVault OTX in Maltego?
With AlienVault OTX Transforms, you can:
• Visualize AlienVault OTX Pulses along with related IOCs and other infrastructure data, such as IP addresses, domains, hostnames (subdomains), email addresses, URLs/URIs, file hashes (including MD5, SHA1, SHA256, PEHASH, IMPHASH), CIDR rules, file paths, mutex names, and CVE numbers
• Query and browse threat indicators provided by the community within a single interface and pivot across other disparate data sources available on the Transform Hub

How to access AlienVault OTX in Maltego?
MALTEGO CE: Free Data (API Key Required)
MALTEGO PRO: Free Data (API Key Required)
MALTEGO ENTERPRISE: Free Data (API Key Required)

alphaMountain
CATEGORY: INFRASTRUCTURE & NETWORK INFORMATION; MALWARE, TTPS & VULNERABILITIES

What is alphaMountain?
alphaMountain.ai offers threat intelligence, web reputation, and content classification services. It is powered by artificial intelligence technology and provides cybersecurity data, including reputation scores for domains, IPs, URLs, and hosts, to measure their credibility. You can utilize alphaMountain data to block internet access points or investigate potential threats using log analysis tools.

How can you use alphaMountain in Maltego?
With alphaMountain Transforms, you can:
• Conduct investigations based on reputation scores of unknown hosts, domains, and IP addresses of the target
• Identify hidden and emerging threats with the assistance of advanced AI models
• Reduce incident response times with informed threat intelligence data

How to access alphaMountain in Maltego?
MALTEGO CE: Click-and-Run: 25 Transform Runs/Month
MALTEGO PRO: Click-and-Run: 50 Transform Runs/Month; Maltego Data Subscriptions; Bring Your Own Key
MALTEGO ENTERPRISE: Click-and-Run: 100 Transform Runs/Month; Maltego Data Subscriptions; Bring Your Own Key

ATT&CK - MISP
CATEGORY: MALWARE, TTPS & VULNERABILITIES

What is ATT&CK - MISP?
MITRE ATT&CK sets the standard for modeling and communicating real-world adversarial tactics and techniques. The ATT&CK Matrices, provided and maintained by MITRE, empower numerous communities to enhance cybersecurity practices. The MISP threat intelligence platform facilitates sharing and storing IOCs of targeted attacks, threat intelligence, financial fraud, vulnerability, and even counter-terrorism data. It provides TTPs for intrusion sets and groups, as well as campaigns. This data can be consumed via a MISP instance.

How can you use ATT&CK - MISP in Maltego?
With ATT&CK - MISP Transforms and access to a MISP instance, you can:
• Discover, monitor, and analyze attack surfaces and unknown internet assets
• Retrieve data from a MISP Threat Sharing instance and explore other MISP events, attributes, objects, tags, and galaxies within one tool
• Access details about attack techniques, including the employed malware, software, and tools, and identify specific threat actors recognized for using these attack patterns

How to access ATT&CK - MISP in Maltego?
MALTEGO CE: Free Data (API Key Required)
MALTEGO PRO: Free Data (API Key Required)
MALTEGO ENTERPRISE: Free Data (API Key Required)

CipherTrace
CATEGORY: DEEP & DARK WEB / CRYPTOCURRENCY

What is CipherTrace?
CipherTrace provides cryptocurrency threat intelligence, assisting investigators and researchers in tracking cryptocurrencies. It assists in de-anonymizing transactions, monitoring crypto transactions for compliance concerns, revealing suspicious activities, detecting money laundering, and tracing illicit payments, such as stolen funds, ransomware, and unauthorized transactions. The platform offers transaction risk scoring for cryptocurrency investigations and compliance with anti-money laundering (AML) regulations. CipherTrace utilizes both open and closed source blockchain attribution, combined with machine learning and multi-input clustering algorithms, to present actionable intelligence and ensure adherence to cryptocurrency regulations.

How can you use CipherTrace in Maltego?
With CipherTrace Transforms, you can:
• Create cryptocurrency transaction maps
• Access cryptocurrency tracing information for Bitcoin, Ethereum, Bitcoin Cash, and Litecoin

How to access CipherTrace in Maltego?
MALTEGO CE: Available only with a Maltego commercial license
MALTEGO PRO: Maltego Data Subscriptions; Bring Your Own Key
MALTEGO ENTERPRISE: Click-and-Run: 100 Transform Runs/Month; Maltego Data Subscriptions; Bring Your Own Key

Cisco Threat Grid
CATEGORY: MALWARE, TTPS & VULNERABILITIES

What is Cisco Threat Grid?
Threat Grid is a malware analysis and threat intelligence solution built by Cisco Systems. Its malware knowledge base assists threat intelligence teams and security analysts in swiftly and precisely identifying and countering potential malware attacks. Threat Grid conducts dynamic analysis on millions of samples annually, indexing indicators, such as domains, IP addresses, URLs, file hashes, mutexes, and file paths, from each analysis.

How can you use Cisco Threat Grid in Maltego?
With Cisco Threat Grid Transforms, you can:
• Access and visualize distinct malware relationships between malware samples and indicators in the Threat Grid database
• Pivot from network indicators to host indicators during an incident to facilitate quicker remediation

How to access Cisco Threat Grid in Maltego?
MALTEGO CE: Available only with a Maltego commercial license
MALTEGO PRO: Bring Your Own Key
MALTEGO ENTERPRISE: Bring Your Own Key
Constella Intelligence
CATEGORY: DEEP & DARK WEB / CRYPTOCURRENCY

What is Constella Intelligence?
Constella Intelligence provides access to identity exposure data for corporate investigators, incident response teams, and cybercrime investigators. They can search through over 124 billion breach records to uncover aliases, nicknames, and domains. The breach data encompasses identity records that reveal connections among names, emails, IP addresses, payment details, usernames, and various PII. This expedites identity validation and attribution, assisting organizations in fortifying themselves against fraud, insider threats, phishing campaigns, and credential theft, which may lead to account takeovers or ransomware attacks.

How can you use Constella Intelligence in Maltego?
With Constella Intelligence Transforms, you can:
• Leverage breach identity records to detect threat actors
• Visualize the exposures of individuals or businesses
• Pivot and merge results using a filtering and verification process to reduce false positives

How to access Constella Intelligence in Maltego?
MALTEGO CE: Available only with a Maltego commercial license
MALTEGO PRO: Maltego Data Subscriptions
MALTEGO ENTERPRISE: Click-and-Run: 20 Transform Runs/Month; Maltego Data Subscriptions

CrowdStrike
CATEGORY: MALWARE, TTPS & VULNERABILITIES; ENDPOINT & SECURITY EVENTS

What is CrowdStrike?
CrowdStrike offers endpoint protection and threat intelligence solutions to prevent damage from targeted attacks and detect and attribute advanced malware across all endpoints. The company developed the cloud-based CrowdStrike Falcon Intelligence platform for collecting and analyzing data from endpoints, networks, and internet sources to identify potential cyber threats. This data is then transformed into actionable threat intelligence, equipping cyber threat intelligence teams with timely, relevant, and contextualized information to enhance their capabilities.

How can you use CrowdStrike in Maltego?
With CrowdStrike ThreatGraph Transforms, you can:
• Query the CrowdStrike ThreatGraph API to interact with CrowdStrike Falcon data
• Traverse the graph to investigate relationships between events
With CrowdStrike Intel Transforms, you can:
• Query the CrowdStrike Intelligence API to obtain attribution and additional data for indicators of adversaries
• See the correlation between adversaries, indicators, malware families, and campaigns

How to access CrowdStrike in Maltego?
MALTEGO CE: Available only with a Maltego commercial license
MALTEGO PRO: Bring Your Own Key
MALTEGO ENTERPRISE: Bring Your Own Key
Cybersixgill
CATEGORY: DEEP & DARK WEB / CRYPTOCURRENCY

What is Cybersixgill?
Cybersixgill is a fully automated threat intelligence solution focused on deep and dark web monitoring and gathering insights about cyber threats and malicious activities. It aids cyber threat intelligence teams by automatically analyzing IOCs, TTPs, and relevant details. Real-time alerts are provided for detected threats, along with contextualized information about threat actors, their motives, and targets. This data enables organizations to safeguard assets, reduce fraud and data breaches, protect their brand, and minimize attack vulnerabilities.

How can you use Cybersixgill in Maltego?
With Cybersixgill Transforms, you can:
• Receive early warnings of new threats as they develop on the dark web before they are deployed in the wild
• Conduct deep analysis of malware available for download on the deep and dark web
• Enrich investigations with contextual information on each IOC and search specific keywords for deeper insight

How to access Cybersixgill in Maltego?
MALTEGO CE: Available only with a Maltego commercial license
MALTEGO PRO: Maltego Data Subscriptions; Bring Your Own Key
MALTEGO ENTERPRISE: Click-and-Run: 50 Transform Runs/Month; Maltego Data Subscriptions; Bring Your Own Key

District 4 Darkside
CATEGORY: DEEP & DARK WEB / CRYPTOCURRENCY

What is District 4 Darkside?
District4's flagship product, Darkside, is an open-source data solution that taps into one of the largest repositories of compromised records and personal data gathered from the deep and dark web. It aids online investigations to uncover threat actors, assess online threats, and support fraud inquiries. The Darkside database can help security teams understand a company's dark web exposure, encompassing breached employee records, signs of compromised customers, and vulnerabilities of top executives.

How can you use District 4 Darkside in Maltego?
With District 4 Darkside Transforms, you can:
• Reveal the true identity of individuals linked to anonymous email addresses, phone numbers, domains, IP addresses, usernames, and social media profiles
• Investigate corporate IP addresses or company domains to assess the level of employee or customer compromise
• Develop a comprehensive online profile of a subject using Darkside data and integrate it with other sources on the Transform Hub
• Pivot within Darkside data to spot otherwise unidentifiable person-of-interest details or explore integrated sources

How to access District 4 Darkside in Maltego?
MALTEGO CE: Available only with a Maltego commercial license
MALTEGO PRO: Maltego Data Subscriptions; Bring Your Own Key
MALTEGO ENTERPRISE: Click-and-Run: 50 Transform Runs/Month; Maltego Data Subscriptions; Bring Your Own Key

DNSTwist
CATEGORY: INFRASTRUCTURE & NETWORK INFORMATION

What is DNSTwist?
DNSTwist is a cybersecurity tool that detects domain-related threats such as spoofing and typosquatting. It helps organizations identify potential malicious activity through domain names resembling legitimate ones, aiding in spotting risks like phishing campaigns. This tool offers threat intelligence for domain-related cyber threats, providing Whois info, IP addresses, and mail server details for each look-alike domain it finds. It assists cybersecurity, threat intelligence, and fraud analysts in proactively identifying risks, preventing phishing attacks, and safeguarding the organization's brand and online presence while enhancing threat intelligence and risk assessment.

How can you use DNSTwist in Maltego?
With DNSTwist Transforms, you can:
• Identify potential phishing domains and perform phishing detection
• Visualize potential phishing domains within your Maltego graph to understand the relationships between domains and identify potential threats
• Monitor potential malicious domains that could damage the reputation of a company or brand

How to access DNSTwist in Maltego?
MALTEGO CE: Click-and-Run: 15 Transform Runs/Month
MALTEGO PRO: Click-and-Run: 30 Transform Runs/Month
MALTEGO ENTERPRISE: Click-and-Run: 300 Transform Runs/Month

DomainTools Enterprise
CATEGORY: INFRASTRUCTURE & NETWORK INFORMATION

What is DomainTools Enterprise?
DomainTools Enterprise offers robust threat intelligence and investigative solutions that combine high-quality domain intelligence, risk scoring, and passive DNS data from top-tier providers, including Farsight. This platform focuses on providing insights into domains and IP addresses, offering historical and real-time data, including DNS records, Whois details, and hosting information. Cyber threat analysts rely on DomainTools Enterprise to investigate and monitor domain names and IP addresses linked to potentially malicious activities. It aids in identifying phishing domains, tracking threat actor infrastructure, and gathering vital data for incident response and threat hunting.

How can you use DomainTools Enterprise in Maltego?
With DomainTools Enterprise Transforms, you can:
• Pivot and establish connections between domains using historical and reverse datasets
• Retrieve Whois information, uncover past identities, and discover related domains by owner, among other capabilities

How to access DomainTools Enterprise in Maltego?
MALTEGO CE: Available only with a Maltego commercial license
MALTEGO PRO: Bring Your Own Key
MALTEGO ENTERPRISE: Bring Your Own Key

DomainTools Iris
CATEGORY: INFRASTRUCTURE & NETWORK INFORMATION

What is DomainTools Iris?
Iris is DomainTools' threat intelligence and investigation platform that merges domain intelligence, risk scoring, and passive DNS data from notable providers, aiding efficient investigation of potential cybercriminal activities. It provides insights into domain names, IP addresses, and online infrastructure, helping organizations identify and counteract cyber threats. DomainTools Iris supports risk assessment, attribution, phishing detection, and incident response, thereby enhancing an organization's cyber threat detection, prevention, and response capabilities.

How can you use DomainTools Iris in Maltego?
With DomainTools Iris Transforms, you can:
• Perform infrastructure risk assessment and map connected infrastructure
• Run correlations, look at attribution, and highlight risky domains

How to access DomainTools Iris in Maltego?
MALTEGO CE: Available only with a Maltego commercial license
MALTEGO PRO: Maltego Data Subscriptions; Bring Your Own Key
MALTEGO ENTERPRISE: Click-and-Run: 15 Transform Runs/Month; Maltego Data Subscriptions; Bring Your Own Key

Farsight DNSDB
CATEGORY: INFRASTRUCTURE & NETWORK INFORMATION

What is Farsight DNSDB?
Farsight DNSDB is a historical (passive) DNS database by Farsight Security. It assists cyber threat intelligence teams by tracing domain and IP changes over time, aiding in threat detection, attribution, incident response, and proactive hunting. It's a valuable tool for identifying malicious infrastructure, tracking threat actors, and providing early warnings about potential threats.

How can you use Farsight DNSDB in Maltego?
With Farsight DNSDB Transforms, you can:
• Correlate and contextualize real-time and historical DNS data to expose networks and infrastructure
• Backtrack the historical activity of a removed website by retrieving the DNS records it previously resolved to

How to access Farsight DNSDB in Maltego?
MALTEGO CE: Click-and-Run: 8,640 Transform Runs/Month; Bring Your Own Key
MALTEGO PRO: Click-and-Run: 8,640 Transform Runs/Month; Maltego Data Subscriptions; Bring Your Own Key
MALTEGO ENTERPRISE: Click-and-Run: 8,640 Transform Runs/Month; Maltego Data Subscriptions; Bring Your Own Key
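The DNSTwist entry above describes surfacing domain names that resemble a legitimate one. The script below is an added example written for this page, not DNSTwist's own code: it implements a small subset of the same permutation techniques (omission, repetition, transposition, homoglyph, keyboard neighbour, hyphenation, TLD swap, dictionary word) and matches the candidates against a constructed list of observed domains, as a SOC might collect from DNS logs or a newly-registered-domains feed. The homoglyph, keyboard and dictionary tables are deliberately short, and the registrable-domain split assumes two-label domains (no public suffix list); both are assumptions, not what the real tool ships.

```python
"""Generate look-alike (typosquat) domains for a brand domain and match them
against observed domains. Added example for this page; not DNSTwist code."""

# Assumption: small subsets of the tables a full tool would ship. Homoglyph
# values are replacement strings, so a multi-character swap like "m" -> "rn"
# works the same way as a single-character one.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
QWERTY_NEIGHBOURS = {"a": "qwsz", "e": "wrsd", "i": "uojk", "o": "iplk", "l": "kop", "n": "bm", "m": "n"}
COMMON_TLDS = ("com", "net", "org", "co", "info")
DICTIONARY = ("login", "secure", "mail")


def split_domain(fqdn):
    """'example.com' -> ('example', 'com'). Assumes a two-label registrable domain."""
    label, _, tld = fqdn.lower().rpartition(".")
    return label, tld


def permutations(fqdn):
    """Yield (technique, candidate) pairs. Each candidate is yielded once, under
    the first technique that produced it; the original domain is never yielded."""
    label, tld = split_domain(fqdn)
    seen = {fqdn.lower()}

    def emit(technique, new_label, new_tld=tld):
        candidate = f"{new_label}.{new_tld}"
        if new_label and not new_label.startswith("-") and candidate not in seen:
            seen.add(candidate)
            yield technique, candidate

    for i, ch in enumerate(label):
        yield from emit("omission", label[:i] + label[i + 1:])
        yield from emit("repetition", label[:i] + ch + label[i:])
        if i + 1 < len(label):
            yield from emit("transposition", label[:i] + label[i + 1] + ch + label[i + 2:])
        if ch in HOMOGLYPHS:
            yield from emit("homoglyph", label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        for key in QWERTY_NEIGHBOURS.get(ch, ""):
            yield from emit("keyboard", label[:i] + key + label[i + 1:])
    for i in range(1, len(label)):
        yield from emit("hyphenation", label[:i] + "-" + label[i:])
    for other_tld in COMMON_TLDS:
        if other_tld != tld:
            yield from emit("tld-swap", label, other_tld)
    for word in DICTIONARY:
        yield from emit("dictionary", f"{label}-{word}")
        yield from emit("dictionary", f"{word}-{label}")


def registrable(domain):
    """Reduce 'mail.examp1e.com' to 'examp1e.com'. Assumes two-label registrable
    domains; a real tool would consult the public suffix list here."""
    return ".".join(domain.lower().split(".")[-2:])


def find_lookalikes(fqdn, observed):
    """Return {observed_domain: technique} for observed domains whose registrable
    part is a permutation of fqdn. The brand domain itself is never reported."""
    candidates = dict((cand, tech) for tech, cand in permutations(fqdn))
    return {d: candidates[registrable(d)] for d in observed if registrable(d) in candidates}


# Constructed sample input: domains seen in DNS logs or a new-registrations feed.
OBSERVED = ["examp1e.com", "exampel.com", "example.co", "example-login.com",
            "google.com", "mail.exarnple.com", "exaample.com", "example.com"]

if __name__ == "__main__":
    for domain, technique in find_lookalikes("example.com", OBSERVED).items():
        print(f"{domain:24} {technique}")
```

Generating the candidate set once and indexing it lets the match run over any volume of observed names without regenerating permutations per name; the `seen` set also guarantees a candidate is reported under one technique only, which keeps the output free of duplicates when two techniques collide on the same string.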
Flashpoint

CATEGORY:
DEEP & DARK WEB / CRYPTOCURRENCY

What is Flashpoint?
Flashpoint is a threat intelligence platform that provides actionable insights into cyber threats and illicit activities by cybercriminals. It specializes in monitoring and analyzing hidden online sources like forums, communities, and marketplaces to gather information on potential threats. This assists organizations in proactive defense, strategic decision-making, and effective incident response to counter a wide range of cyber threats.

How can you use Flashpoint in Maltego?
With Flashpoint Transforms, you can:
• Search illicit online communities for fraudulent activities, malicious actors, and threats
• Identify and understand the criminal network across posts, forums, and users
• Enhance perspectives by integrating diverse data sources in Maltego, accelerating relationship visualization, and obtaining actionable intelligence to mitigate risks and combat adversaries

How to access Flashpoint in Maltego?
MALTEGO CE
Available only with a Maltego commercial license
MALTEGO PRO
Bring Your Own Key
MALTEGO ENTERPRISE
Bring Your Own Key

GreyNoise Community

CATEGORY:
INFRASTRUCTURE & NETWORK INFORMATION

What is GreyNoise Community?
GreyNoise Community offers a simplified version of the GreyNoise cybersecurity platform, suitable for individual analysts and small organizations. It helps analysts by providing insights into internet-wide scanning and reconnaissance activities, reducing noise in threat alerts, and aiding in the identification of potentially malicious IP addresses. This community platform encourages collaboration among cybersecurity enthusiasts, facilitating shared knowledge and data for improved threat awareness and response efforts.

How can you use GreyNoise Community in Maltego?
With GreyNoise Community Transforms, you can:
• Query an IP via the Community API to view basic information like the owning organization and recent scanning activity within the last 90 days
• Gain a comprehensive investigative perspective by accessing various data sources in one unified user interface through the Transform Hub

How to access GreyNoise Community in Maltego?
MALTEGO CE
Click-and-Run: 1,500 Trans. Runs/Month
MALTEGO PRO
Click-and-Run: 3,000 Trans. Runs/Month
Maltego Data Subscriptions
Bring Your Own Key
MALTEGO ENTERPRISE
Click-and-Run: 15,000 Trans. Runs/Month
Maltego Data Subscriptions
Bring Your Own Key

GreyNoise Enterprise

CATEGORY:
INFRASTRUCTURE & NETWORK INFORMATION

What is GreyNoise Enterprise?
GreyNoise Enterprise represents the advanced tier of the GreyNoise cybersecurity platform, tailored for organizations with robust cybersecurity needs. Building upon GreyNoise’s core capabilities, it excels at reducing noise and false positives in threat data by analyzing benign internet background noise. GreyNoise Enterprise collects and analyzes comprehensive internet-wide scan and attack data, which is made available through integrations and APIs. This advanced service empowers cyber threat analysts to excel in their roles by aiding in contextualizing alerts, eliminating false positives, identifying compromised devices, and monitoring emerging threats. GreyNoise Enterprise’s enhanced features and capabilities support organizations in bolstering their threat detection, incident response, and overall cybersecurity infrastructure.

How can you use GreyNoise Enterprise in Maltego?
With GreyNoise Enterprise Transforms, you can:
• Identify and correlate activity that is related to mass-internet scanning
• Retrieve all GreyNoise data associated with an IP address, including specific information on observed scanning for CVEs, tags, or activities, along with their correlations

How to access GreyNoise Enterprise in Maltego?
MALTEGO CE
Available only with a Maltego commercial license
MALTEGO PRO
Free Data (API Key Required)
Bring Your Own Key
MALTEGO ENTERPRISE
Free Data (API Key Required)
Bring Your Own Key

Have I Been Pwned

CATEGORY:
DEEP & DARK WEB

What is Have I Been Pwned?
Have I Been Pwned is a free service that monitors security breaches and password leaks, enabling users to quickly check if their online accounts have been compromised. It aggregates data from breaches where unauthorized access occurred. This online platform helps individuals identify compromised personal data, like email addresses and passwords, by indexing information from various breaches. This assists cyber threat intelligence teams in enhancing threat intelligence, breach attribution, and incident response.

How can you use Have I Been Pwned in Maltego?
With Have I Been Pwned Transforms, you can:
• Check for password or domain breaches, aliases, or email listings in Pastebin posts
• Examine digital profiles and social media footprints

How to access Have I Been Pwned in Maltego?
MALTEGO CE
Click-and-Run: Unlimited
MALTEGO PRO
Click-and-Run: Unlimited
MALTEGO ENTERPRISE
Click-and-Run: Unlimited

Host.io

CATEGORY:
INFRASTRUCTURE & NETWORK INFORMATION

What is Host.io?
Host.io compiles data on all known domain names across TLDs, including DNS records and website data. As a domain and IP intelligence platform, Host.io focuses on providing data about internet infrastructure, domain names, and IP addresses. It supports organizations in understanding digital footprints, boosting threat intelligence and cybersecurity efforts. This data assists cyber threat intelligence teams in threat detection, attribution, incident response, and brand protection. By delivering comprehensive internet infrastructure data, it enhances an organization’s capacity to efficiently identify and counteract cyber threats.

How can you use Host.io in Maltego?
With Host.io Transforms, you can:
• Enrich domains with outbound links, backlinks, DNS info, and location
• Gather DNS details, website content, links, and hosting info for any domain
• Enhance threat intelligence by obtaining attack origin information

How to access Host.io in Maltego?
MALTEGO CE
Free Data (API Key Required)
Bring Your Own Key
MALTEGO PRO
Free Data (API Key Required)
Bring Your Own Key
MALTEGO ENTERPRISE
Free Data (API Key Required)
Bring Your Own Key

IBM QRadar

CATEGORY:
ENDPOINT & SECURITY EVENTS

What is IBM QRadar?
IBM QRadar is an advanced Security Information and Event Management (SIEM) solution offering threat detection, incident response, and security intelligence. It collects and analyzes data from diverse IT sources to spot potential anomalies and security threats. Using defined rules, QRadar monitors security events and network flows, triggering offenses when criteria are met, indicating suspected attacks or breaches. It assists cyber threat intelligence teams by gathering, analyzing, and correlating data to detect threats, expedite incident response, and enhance security. Integrated threat intelligence feeds strengthen identification of known threats, while its analytics aid proactive threat hunting and forensic analysis.

How can you use IBM QRadar in Maltego?
With IBM QRadar Transforms, you can:
• Extract insights from a QRadar instance, including host assets, offense details, IOCs, and event logs
• Cross-reference data points like IP addresses, domains, hashes, URLs, and other IOCs with internal intelligence stored in QRadar via Maltego
• Analyze cross-referenced event information to understand common offense patterns, such as asset targeting, port usage, account abuse, and more

How to access IBM QRadar in Maltego?
MALTEGO CE
Available only with a Maltego Enterprise plan
MALTEGO PRO
Available only with a Maltego Enterprise plan
MALTEGO ENTERPRISE
Bring Your Own Key

Intel471

CATEGORY:
MALWARE, TTPS & VULNERABILITIES
DEEP & DARK WEB / CRYPTOCURRENCY

What is Intel471?
Intel 471 is a threat intelligence provider that specializes in monitoring underground forums, marketplaces, and cybercriminal communities. By analyzing these sources, it offers contextualized insights into cyber threats, attacks, and malicious activities. This intelligence assists cyber threat intelligence teams in attributing attacks, detecting early warning signs, and enhancing incident response. It provides TTPs used by cybercriminals and associated IOCs, aiding in proactive threat detection and response. Intel 471 also profiles threat actors and groups, revealing their motivations and strategies, aiding in understanding threat landscapes and changing tactics.

How can you use Intel471 in Maltego?
With INTEL471 Transforms, you can:
• Access adversary, malware, and vulnerability intelligence for security operations support
• Identify specific threat actors and their affiliates and extract related reports, dark web forum threads, and aliases of post authors

How to access Intel471 in Maltego?
MALTEGO CE
Available only with a Maltego Enterprise plan
MALTEGO PRO
Maltego Data Subscriptions
Bring Your Own Key
MALTEGO ENTERPRISE
Maltego Data Subscriptions
Bring Your Own Key

Mandiant

CATEGORY:
MALWARE, TTPS & VULNERABILITIES

What is Mandiant?
Mandiant is known for its in-depth research, cyber threat analysis, and threat actor attribution. They offer customized, contextualized threat intelligence, encompassing a wide range of services from IOC feeds to incident response support, malware analysis, security consultation, continuous monitoring, and security awareness. Mandiant is a comprehensive resource for organizations seeking to enhance cybersecurity defenses with actionable intelligence. Their data sources serve various use cases, from informing strategic planning and risk assessments to enabling real-time threat detection and response, empowering organizations to stay ahead of the ever-evolving cyber threat landscape and strengthen their defenses against malicious actors.

How can you use Mandiant in Maltego?
With Mandiant Transforms, you can:
• Search Mandiant Intelligence holdings for reports matching indicators in your environment, as well as related reports and indicators
• Perform powerful visual link analysis based on Mandiant intelligence accessed via the Mandiant API and gain insights about relationships between different Entities

How to access Mandiant in Maltego?
MALTEGO CE
Available only with a Maltego Enterprise plan
MALTEGO PRO
Bring Your Own Key
MALTEGO ENTERPRISE
Bring Your Own Key

OpenPhish

CATEGORY:
MALWARE, TTPS & VULNERABILITIES

What is OpenPhish?
OpenPhish is a phishing intelligence platform that aids in detecting and preventing phishing attacks. It maintains a structured database of phishing websites, including metadata useful for incident analysis and trend tracking. This data also serves as AI training data, bolstering threat detection accuracy. OpenPhish supports cyber threat intelligence teams by offering insights, aiding incident response, and enhancing cybersecurity strategies.

How can you use OpenPhish in Maltego?
With OpenPhish Transforms, you can:
• Discover URLs, ASNs, IPs, and other data used for brand impersonation
• Analyze patterns in URLs, IPs, and ASNs linked to detected phishing, answering questions about shared hostnames and consistent URL patterns
• Uncover hidden links between unrelated phishing campaigns by analyzing phishing URL metadata

How to access OpenPhish in Maltego?
MALTEGO CE
Available only with a Maltego commercial license
MALTEGO PRO
Click-and-Run: 15 Trans. Runs/Month
Maltego Data Subscriptions
MALTEGO ENTERPRISE
Click-and-Run: 30 Trans. Runs/Month
Maltego Data Subscriptions

PolySwarm

CATEGORY:
MALWARE, TTPS & VULNERABILITIES

What is PolySwarm?
PolySwarm is a decentralized threat intelligence marketplace where experts and antivirus engines analyze files and URLs for threats. This diverse, real-time analysis offers contextual insights for rapid response to emerging threats. Utilizing blockchain for reputation, it enhances reliability. PolySwarm aids cyber threat intelligence teams by providing dynamic, scalable, and diverse threat data, attributing threats, and broadening visibility.

How can you use PolySwarm in Maltego?
With PolySwarm Transforms, you can:
• Obtain malware insights via file hash, domain, or IP addresses
• Analyze and visualize threat actor activity, including malware distribution and IOCs
• Enrich and link unknown hashes, domains, IPs, and URLs to global threat intelligence, offering real-time insights into threat campaigns and impacts
• Analyze digital evidence for criminal investigations, such as establishing connections between suspect crypto wallets, IP addresses, and file hashes to identify potential criminal activity

How to access PolySwarm in Maltego?
MALTEGO CE
Click-and-Run: 50 Trans. Runs/Month
MALTEGO PRO
Click-and-Run: 250 Trans. Runs/Month
Maltego Data Subscriptions
Bring Your Own Key
MALTEGO ENTERPRISE
Click-and-Run: 500 Trans. Runs/Month
Maltego Data Subscriptions
Bring Your Own Key

Recorded Future

CATEGORY:
MALWARE, TTPS & VULNERABILITIES

What is Recorded Future?
Recorded Future is a renowned threat intelligence vendor that employs advanced machine analysis and human expertise to deliver real-time security intelligence. By integrating diverse sources such as open source, dark web, technical data, and original research, it empowers cyber threat intelligence teams with context-rich insights. These insights aid proactive defense, prioritize threats, analyze trends, and facilitate informed decision-making.

How can you use Recorded Future in Maltego?
With Recorded Future Transforms, you can:
• Gain the full picture of threat actors, including known exploit kits, vulnerabilities, or other TTPs associated with them
• Add extensive intelligence to the Entities returned by Maltego Transforms, such as IP addresses, domains, hashes, and summary lists related to infrastructure, malware, or CVE vulnerabilities

How to access Recorded Future in Maltego?
MALTEGO CE
Available with a Maltego commercial license
MALTEGO PRO
Bring Your Own Key
MALTEGO ENTERPRISE
Bring Your Own Key

RiskIQ PassiveTotal

CATEGORY:
INFRASTRUCTURE & NETWORK INFORMATION

What is RiskIQ PassiveTotal?
RiskIQ PassiveTotal gathers internet-wide data to detect threats and attacker infrastructure, using machine learning to scale threat hunting. It provides context on attackers, their tools, systems, and IOCs and accelerates investigations by connecting internal and external threat indicators, aiding cyber threat intelligence teams in attributing attacks and proactive defense. This platform enhances visibility, investigations, and team collaboration for effective threat mitigation.

How can you use RiskIQ PassiveTotal in Maltego?
With RiskIQ PassiveTotal Transforms, you can:
• Search across OSINT datasets like Whois records, IP resolutions, DNS and SSL certificate data, and more
• Query Entities like domains, IPv4 addresses, URLs, emails, and SSL certificates for effective data triage

How to access RiskIQ PassiveTotal in Maltego?
MALTEGO CE
Free Data (API Key Required)
Bring Your Own Key
MALTEGO PRO
Free Data (API Key Required)
Bring Your Own Key
MALTEGO ENTERPRISE
Free Data (API Key Required)
Bring Your Own Key

Shodan

CATEGORY:
INFRASTRUCTURE & NETWORK INFORMATION
MALWARE, TTPS & VULNERABILITIES

What is Shodan?
Shodan is a search engine that gathers data from diverse internet-connected devices, providing insights beyond traditional web search engines. It focuses on SCADA systems and offers valuable information about running software through indexed banners. With global servers continuously crawling the internet, Shodan covers servers, networks, and the entire Internet of Things (IoT), aiding cyber investigations and offering a broader perspective on risks.

How can you use Shodan in Maltego?
With Shodan Transforms, you can:
• Access and visualize global IoT and infrastructure data in your investigative workflows within Maltego
• Track ransomware impact by measuring the number of affected devices
• Pivot across diverse data sources in the Transform Hub for a comprehensive investigative perspective within a single UI

How to access Shodan in Maltego?
MALTEGO CE
Free Data (API Key Required)
Bring Your Own Key
MALTEGO PRO
Free Data (API Key Required)
Bring Your Own Key
MALTEGO ENTERPRISE
Free Data (API Key Required)
Bring Your Own Key

Silobreaker

CATEGORY:
MALWARE, TTPS & VULNERABILITIES
DEEP & DARK WEB / CRYPTOCURRENCY

What is Silobreaker?
Silobreaker is a data analytics company that aggregates, analyzes, and contextualizes digital information. Their platform offers a holistic view of an organization’s threat landscape by revealing connections between various threats, actors, campaigns, targets, people, and places. Silobreaker’s extensive coverage encompasses over a million sources in 18 languages, including news, blogs, reports, dark web forums, and social media from diverse sources. This aids cyber threat intelligence teams in understanding the complex threat environment, attributing attacks, and making informed decisions.

How can you use Silobreaker in Maltego?
With Silobreaker Transforms, you can:
• Access the deep and dark web for enriching investigations on malware, threat actors, and TTPs
• Enhance search context with additional Silobreaker data
• Enrich indicators, investigate malware, threat actors, attack methods, countries, and targets
• Conduct reputational risk research by cross-referencing assets with tailored search terms
• Perform actor and handle investigations across deep and dark web sources, including physical security inquiries

How to access Silobreaker in Maltego?
MALTEGO CE
Available with a Maltego commercial license
MALTEGO PRO
Bring Your Own Key
MALTEGO ENTERPRISE
Bring Your Own Key

Splunk

CATEGORY:
ENDPOINT & SECURITY EVENTS

What is Splunk?
Splunk is a real-time software platform for monitoring, searching, analyzing, and visualizing machine-generated log data. It offers insights into technology infrastructure, security systems, and business applications to enhance operational performance and outcomes. Splunk assists cyber threat intelligence teams by collecting and analyzing machine-generated log data for proactive threat detection, incident response, and operational optimization. It identifies security vulnerabilities, anomalies, and potential threats through advanced analytics and visualization.

How can you use Splunk in Maltego?
With Splunk Transforms, you can:
• Cross-reference internal intelligence with IOCs like IP addresses, domains, hashes, and URLs
• Perform raw searches in Splunk’s search processing language for additional events
• Pivot from Splunk events to data in other threat intelligence feeds like VirusTotal and AbuseIPDB within the same graph

How to access Splunk in Maltego?
MALTEGO CE
Available only with a Maltego Enterprise plan
MALTEGO PRO
Available only with a Maltego Enterprise plan
MALTEGO ENTERPRISE
Bring Your Own Key

SpyCloud

CATEGORY:
DEEP & DARK WEB / CRYPTOCURRENCY

What is SpyCloud?
SpyCloud Cybercrime Investigations is a platform that specializes in threat intelligence related to cybercrime. It monitors the dark web and illegal sources for compromised credentials and stolen data, helping organizations prevent the misuse of pilfered credentials and enhance overall security. Cyber threat intelligence teams can benefit from the platform’s insights into ongoing cybercriminal activities, which aid in proactive defense, incident response, and cybersecurity measures.

How can you use SpyCloud in Maltego?
With SpyCloud Transforms, you can:
• Enrich your search with SpyCloud’s vast breach and malware dataset
• Integrate various data sources, including internal and external threat intelligence, along with additional OSINT sources like VirusTotal, Passive DNS, and Whois
• Correlate new information, selectors, and digital traces to gain contextual insights into your research subject

How to access SpyCloud in Maltego?
MALTEGO CE
Available only with a Maltego Enterprise plan
MALTEGO PRO
Available only with a Maltego Enterprise plan
MALTEGO ENTERPRISE
Bring Your Own Key

Tatum Blockchain Explorer

CATEGORY:
DEEP & DARK WEB / CRYPTOCURRENCY

What is Tatum Blockchain Explorer?
Tatum Blockchain Explorer is a component of the Tatum blockchain development platform, which supports 40+ protocols and 2000+ digital assets. It assists developers in creating blockchain apps and driving adoption. By providing insights into blockchain activities, it aids in detecting threats and monitoring malicious transactions. Its multi-protocol support enables teams to analyze attack vectors and integrate data with threat intelligence systems for proactive defense.

How can you use Tatum Blockchain Explorer in Maltego?
With Tatum Blockchain Explorer Transforms, you can:
• Explore and trace transactions on various blockchains such as Bitcoin, Ethereum, Litecoin, Bitcoin Cash, and Dogecoin
• Cross-reference addresses or gather intelligence with other data sources available on the Transform Hub, such as CipherTrace or OpenCTI

How to access Tatum Blockchain Explorer in Maltego?
MALTEGO CE
Click-and-Run: 2,000 Trans. Runs/Month
Bring Your Own Key
MALTEGO PRO
Click-and-Run: 20,000 Trans. Runs/Month
Bring Your Own Key
MALTEGO ENTERPRISE
Click-and-Run: 40,000 Trans. Runs/Month
Bring Your Own Key

ThreatConnect

CATEGORY:
MALWARE, TTPS & VULNERABILITIES

What is ThreatConnect?
ThreatConnect is a platform that offers aggregated threat intelligence from diverse data sources such as OSINT feeds, blogs, or RSS feeds, along with indicators sent from a threat intelligence feed by an ISAC or Premium Provider. It provides timely detection of emerging threats, contextual analysis of indicators, and facilitates informed decision-making. This empowers cyber threat intelligence teams to proactively defend against evolving risks and collaborate for a stronger cybersecurity stance.

How can you use ThreatConnect in Maltego?
With ThreatConnect Transforms, you can:
• Visualize relationships among malware, domains, IPs, and other indicators
• Discover connections between your private ThreatConnect data and Community data
• Utilize indicator and threat attributes to create Maltego graphs without losing contextual data
• Pivot from ThreatConnect data and external open source data sources using other Maltego Transform sets

How to access ThreatConnect in Maltego?
MALTEGO CE
Available only with a Maltego commercial license
MALTEGO PRO
Bring Your Own Key
MALTEGO ENTERPRISE
Bring Your Own Key

VirusTotal Premium API

CATEGORY:
INFRASTRUCTURE & NETWORK INFORMATION

What is VirusTotal Premium API?
The VirusTotal Premium API, built upon VirusTotal’s massive database and community-driven approach, offers an advanced solution for cyber threat intelligence professionals. With real-time access to comprehensive threat data, including detailed scan results, historical information, and additional context, this subscription-based service is tailored for in-depth threat analysis and rapid response. It equips analysts with higher request limits, batch scanning capabilities, and programmatic access to the VirusTotal Intelligence platform. This API is indispensable for organizations and analysts seeking to monitor evolving cyber threats, perform thorough investigations, and seamlessly integrate VirusTotal data into their security workflows.

How can you use VirusTotal Premium API in Maltego?
With VirusTotal Premium API Transforms, you can:
• Query the VirusTotal Premium API for information regarding IP addresses, file hashes, domains, and URLs, allowing you to visually uncover threat commonalities and understand relationships within your Maltego graph
• Examine any file uploaded to the service and access whitelisting and trusted source information, aiding in the distinction between trusted files and URLs and potential threats
• Pivot to or from VirusTotal datasets in conjunction with other data entities and sources available on the Maltego Transform Hub

How to access VirusTotal Premium API in Maltego?
MALTEGO CE
Available only with a Maltego commercial license
MALTEGO PRO
Bring Your Own Key
MALTEGO ENTERPRISE
Bring Your Own Key

VirusTotal Public API

CATEGORY:
INFRASTRUCTURE & NETWORK INFORMATION

What is VirusTotal Public API?
VirusTotal is a renowned cybersecurity resource with a massive database of over two billion analyzed files, primarily dedicated to malware research. Leveraging a community-driven approach, VirusTotal addresses resource limitations in gathering malware samples and indicators, making it a valuable tool for cyber threat intelligence teams. The free Public API allows analysts to tap into VirusTotal’s extensive malware database and community insights, facilitating quick assessments of potential threats. Designed for users with limited requirements, it provides basic scan results, file metadata, and some threat indicators. Threat intelligence analysts can utilize this API for initial investigations, quick assessments of files, URLs, or domains, and basic research tasks. The VirusTotal Public API serves as a valuable starting point for those looking to dip their toes into threat analysis and obtain fundamental information about potential threats.

How can you use VirusTotal Public API in Maltego?
With VirusTotal Public API Transforms, you can:
• Query the VirusTotal Public API for information about IP addresses, file hashes, domains, and URLs, and visually uncover threat commonalities and understand relationships within your Maltego graph
• Pivot to or from VirusTotal datasets alongside other data entities and sources on the Maltego Transform Hub

How to access VirusTotal Public API in Maltego?
MALTEGO CE
Free Data (API Key Required)
MALTEGO PRO
Free Data (API Key Required)
MALTEGO ENTERPRISE
Free Data (API Key Required)

WhoisXML API

CATEGORY:
INFRASTRUCTURE & NETWORK INFORMATION

What is WhoisXML API?
For over a decade, WhoisXML API has been gathering, analyzing, and correlating domain, IP, and DNS data to bolster internet transparency and security. This data is transformed into understandable intelligence sources, including a distinct collection of cyber threat feeds. These feeds fortify threat data, bolster commercial security platforms (SIEM, SOAR, TIP), and empower SOC teams for superior network visibility. WhoisXML API’s contributions enable informed decisions and effective cyber threat mitigation.

How can you use WhoisXML API in Maltego?
With WhoisXML API Transforms, you can:
• Look up the hidden identity of past domain owners and identify the attacker’s historical footprints before privacy records
• Map attackers’ infrastructure by connecting domains, websites, IP addresses, and more details to criminal activities
• Enhance user protection against spam, harmful websites, network infiltrations, and online misdeeds, while also investigating third-party risks

How to access WhoisXML API in Maltego?
MALTEGO CE
Click-and-Run:
Whois: 25 Transforms Runs/Month
DRS: 10 Transforms Runs/Month
Free Data (API Key Required)
Bring Your Own Key
MALTEGO PRO
Click-and-Run:
Whois: 250 Transforms Runs/Month
DRS: 250 Transforms Runs/Month
Free Data (API Key Required)
Bring Your Own Key
MALTEGO ENTERPRISE
Click-and-Run:
Whois: 500 Transforms Runs/Month
DRS: 500 Transforms Runs/Month
Free Data (API Key Required)
Bring Your Own Key

ZeroFOX

CATEGORY:
MALWARE, TTPS & VULNERABILITIES

What is ZeroFOX?
ZeroFOX is a cybersecurity solution that offers expertise, technology, and operational efficiency to protect enterprises from diverse digital threats to their public attack surface. Through AI-based analysis and varied data sources, it helps identify and mitigate phishing attacks, credential compromise, brand misuse, and more on social and digital platforms. The platform offers comprehensive protection, early threat detection, timely remediation, and enhanced visibility for cyber threat intelligence teams and organizations. It employs patented SaaS technology to identify, analyze, and remediate credible threats across the social and digital landscape, encompassing platforms like LinkedIn, Facebook, Slack, Twitter, and the deep and dark web.

How can you use ZeroFOX in Maltego?
With ZeroFOX Transforms, you can:
• Search and enrich context for cyber attacks originating from social media and digital channels
• Visualize incoming threats using ZeroFOX alerts across diverse digital surfaces, including web, social media, deep and dark web, mobile apps, domains, marketplaces, and more
• Explore activity on your digital footprint to identify and analyze perpetrators targeting your brand and executives

How to access ZeroFOX in Maltego?
MALTEGO CE
Available only with a Maltego commercial license
MALTEGO PRO
Bring Your Own Key
MALTEGO ENTERPRISE
Bring Your Own Key

How to Access All Your Favorite Data Sources in Maltego

With effective threat intelligence integration, your SOC team can prioritize alerts and reduce the workload for incident responders and threat analysts. This can be achieved through the use of Maltego, the most widely used cyber investigation platform.

Maltego is purpose-built as a centralized interface for querying disparate data sources and aggregating data relationships into visualizations, streamlining time-consuming investigative processes by querying diverse data sources and revealing hidden data relationships, ultimately enhancing your organization’s safety.

In Maltego, you can access data from top providers within a single interface, simplifying your investigations. It serves as your efficient, all-in-one solution for investigations, centralizing various data sources and tools in a unified interface.

To learn more about Maltego’s capabilities for integrating SOC tools, visit our website and get in touch with us!

For more information, please visit maltego.com

Maltego is a comprehensive tool for graphical link analyses that offers real-time data mining and information gathering, as well as the representation of this information on a node-based graph, making patterns and multiple order connections between said information easily identifiable. With Maltego, you can easily mine data from dispersed sources, automatically merge matching information in one graph, and visually map it to explore your data landscape.

Maltego offers the ability to easily connect data and functionalities from diverse sources using Transforms. Via the Transform Hub, you can connect data from over 30 data partners, a variety of public sources (OSINT) as well as your own data. Our different Desktop Client versions, data sources, and server solutions enable you to tailor Maltego to your specific needs in terms of data access, functionalities, and security requirements.


Email: [email protected]
Phone: +49-89-24418490
