Custom Entities


Existing Entities

Entities are used to describe types of information. Maltego comes with a number of pre-configured entities, but there may be cases where you want to create your own: for example, when you are simply building up a mind map of offline information, or when you have developed transforms for a type of information not covered by the defaults.

Before re-inventing the wheel by creating entities that already exist, have a look at the Entity Reference Guide for all the standard entities that are included in the Maltego client.

CaseFile comes with many more entities than Maltego, and these are generally used in law-enforcement-type investigations. These entities do not come with any transforms but can still be installed to your Maltego client from the transform hub.


Creating Custom Entities

New entities can be created from the Maltego client; this is explained in the following section of the Maltego User Guide.

Best Practices when creating entities

Entity creation is one of the most important steps when implementing Maltego in your environment, and there are a few things to remember when doing it. We recommend starting with a table that lists all the types of information you have available and would like to integrate on both the x and y axes, then determining where you will need transforms and whether any of the information is a duplicate. Once you have completed this, you should be left with just the information you are interested in representing in Maltego and can then create these entities.

  1. Dead end entities - Dead end entities are entities which do not have any transforms that can be run on them. It is important to try to re-use the default entities or entities for which you already have transforms built.
  2. Entity Inheritance - If you have entities that could be related to entities that already exist in the tool, it is strongly recommended that you use entity inheritance to avoid having to duplicate transforms. An example of this is the website, NS record and MX record entities, which all inherit from the DNS entity. This means that instead of having to recreate the 'to IP Address' transform for each type, we create it only once for the DNS record entity and the transform is available to all of the different types.
  3. Entity Naming / Sharing - To avoid having entities recreated by multiple people within a team, it is recommended that a naming schema is used to categorise as well as share entities across your organisation / team. This also applies to the properties of entities, to avoid things like 'firstName', 'FIRSTNAME' and 'first.name', which will create a lot of confusion amongst the developers.

Advanced Entity Creation

Calculated properties

Another concept that was introduced to Maltego is the calculated property. A person’s fullname, for instance, is calculated by concatenating the firstnames and the lastname. This is exposed in the Maltego client.

The only entities that use calculated properties are:

  • maltego.Person
  • maltego.Location
  • maltego.PhoneNumber

Inheritance

CaseFile offered many more entities than Maltego. In CaseFile you can have a Judge, Criminal and Officer that are essentially all Persons. When importing a graph made in CaseFile into Maltego you would want to be able to run the Person transforms on all of these but the early data model did not support it.

We added the concept of inheritance – for the standard Maltego installation this meant that the MXRecord, NSRecord and Website entities were really just specialized DNSNames. The upside of it is that one transform (DNSName 2 IPAddress) worked on all of them – this saved a lot of transform configuration. For example - if you specify on the TDS that a transform will run on a DNSName it will also run on all entities down the ‘family tree’ – MXRecord, Website and NSRecord. 

At the top of the tree is ‘maltego.Unknown’. This means that if you configure a transform to run on this base entity type – it will be available when you right click … on any entity. 
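The inheritance rule above and the dead end check from the best practices can be modelled in a few lines. This is an added example in plain Python, not Maltego or TDS code: the `acme.*` entity types and the transform name marked "(constructed)" are hypothetical, and the parent map is typed by hand from the family tree described on this page.

```python
# Added illustration: a plain-Python model of entity inheritance, not Maltego's API.
# PARENT maps each entity type to the type it inherits from.
PARENT = {
    "maltego.DNSName": "maltego.Unknown",
    "maltego.MXRecord": "maltego.DNSName",
    "maltego.NSRecord": "maltego.DNSName",
    "maltego.Website": "maltego.DNSName",
    "maltego.Person": "maltego.Unknown",
    "acme.Judge": "maltego.Person",      # hypothetical custom entity
    "acme.CaseNote": "maltego.Unknown",  # hypothetical custom entity
}

# Transform name -> the entity type it is configured to run on.
TRANSFORMS = {
    "DNSName 2 IPAddress": "maltego.DNSName",
    "Person to Email (constructed)": "maltego.Person",
}

ROOT = "maltego.Unknown"


def ancestry(entity_type, parent=PARENT):
    """Return [entity_type, parent, ..., ROOT]; reject unknown parents and cycles."""
    chain = [entity_type]
    while chain[-1] != ROOT:
        nxt = parent.get(chain[-1])
        if nxt is None:
            raise ValueError(f"{chain[-1]} has no declared parent")
        if nxt in chain:
            raise ValueError(f"inheritance cycle at {nxt}")
        chain.append(nxt)
    return chain


def transforms_for(entity_type, transforms=TRANSFORMS, parent=PARENT):
    """Transforms available on a type: its own plus those of every ancestor."""
    chain = set(ancestry(entity_type, parent))
    return sorted(name for name, target in transforms.items() if target in chain)


def dead_ends(transforms=TRANSFORMS, parent=PARENT):
    """Entity types on which no transform can run, even through inheritance."""
    return sorted(e for e in parent if not transforms_for(e, transforms, parent))


if __name__ == "__main__":
    for e in sorted(PARENT):
        print(e, "->", transforms_for(e) or "DEAD END")
```

Running `dead_ends()` against your own entity list before rolling entities out shows which ones need a transform or a better parent type.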

Entity Distribution

iTDS/MDS Integration

One of the advantages of using an iTDS or MDS server is that it allows for the distribution of configurations, which include entities as well as the icons associated with them. You can read more about it on the paired configuration page. Alternatively, if you are not using a server or simply wish to share your entities with another Maltego client, you can follow the exporting guide below.

Exporting Configuration

First set up your Maltego client with the various entities you would like to export. Once you have completed this, you can export your custom entities by following the entity export guide found in our Maltego user guide. This will export your custom entities to a .mtz file that can be shared with other Maltego users.




© Copyright 2017, Paterva PTY Limited