MDS Reference


Reference guide

Query options

Query options are enclosed in $$ tokens and are replaced at runtime with the value passed in from the input entity. The replacement is textual: whatever the value contains is inserted into the query as-is, so validate or escape it in a pre-filter before it reaches a Splunk or SQL data source.

  • E.Value - Value of the entity

  • E.Property("property name") - Value of the named property of the entity

  • E.Weight - Weight of the entity

  • E.Type - Type of the entity

  • E.Setting("setting name") - Value of the named transform setting

Example Splunk query:

host=www.paterva.com useragent="*$$E.Value$$*" clientip="$$E.Property("IP")$$" | dedup uri | table uri

Example SQL query:

SELECT * FROM table WHERE username="$$E.Value$$"

Mapping options

The format of the mapping is:

{Entity1}{Entity2}..{EntityN}

Each pair of braces defines one entity to be created from a result row; a row can therefore be returned as several entities, of different types if needed.

Inside the entity braces the following should be used:

{E.this1=$that1; E.this2=$that2; …}

Note that all values are treated as strings and that every statement must end in a semicolon (';'). A dollar sign ('$') denotes a result column, by name or by number; numbering starts at 0. A column can be used more than once.

The following members are available. Some of them are write-only (marked in red in the original rendering): they are set on the node but are not sent back to the server as part of the input entity on subsequent transforms. At a minimum, Type and Value must be set.

  • Type - The type of the node; see the reference guide for built-in types.

  • Value - The display value of the node.

  • Weight - The weight of the node.

  • Property("property name") - Sets the value of a property of the entity. Field('fieldname') is the legacy spelling of the same thing.

  • DisplayInfo("heading") - Information displayed in the Detail View under the given heading, which can be collapsed in Maltego. DisplayInfo is HTML aware, so a value taken from a result column is rendered as markup; escape it in a post-filter if it is not meant to be HTML.

  • IconURL - Must be a valid URL; sets the icon used for the entity. 48px PNGs are recommended.

  • Notes - The notes placed top right of the node.

  • Bookmark - Color of the bookmark; see the bookmark color options below.

  • LinkLabel - Sets the label of the link.

  • LinkColor - Link color in the format 0xRRGGBB, i.e. red, green and blue in hexadecimal, for example 0xff00ff.

  • LinkStyle - See the link style options below.

  • LinkThickness - A number between 1 and 10.

Example of mapping:

{E.Type=sp.Agent; E.Value=$useragent; E.Property('IP')=$clientip;}

Bookmark color options

  • -1: NONE

  • 0: BLUE

  • 1: GREEN

  • 2: YELLOW

  • 3: ORANGE

  • 4: RED

Link style options

  • 0: NORMAL

  • 1: DASHED

  • 2: DOTTED

  • 3: DASHDOT

Global variables

Global variables are defined in the MDS interface. To use one, enclose its name in $$ signs. They can be used in mappings, queries and any filter. For example:

{E.Type=whatever.URI; E.Value=$uri; E.DisplayInfo("Link")="$$URILinkRender$$";}

Where URILinkRender is defined as a global variable in the interface as

Click on <a href="http://www.paterva.com$uri">link</a>

The $uri inside the global variable is itself a column reference and is resolved when the mapping is applied, so the link points at the URI returned in that row.

Filters

Both pre- and post-filters have full access to the input entity (from the Maltego client). It is exposed as the object 'E'. The following members and methods are available by default:

  • E.Value (String) - The value of the node as displayed on the graph.
  • E.Weight (Integer) - The weight of the node.
  • E.Slider (Integer) - The slider's value.
  • E.Type (String) - The type of the input node.
  • E.Properties (dict) - A dictionary of properties of the node.
  • E.TransformSettings (dict) - The settings for the transform.

Methods to read the input entity's properties and settings:

  • E.getProperty(String key) - Returns the value of the named property.
  • E.getTransformSetting(String key) - Returns the value of the named transform setting.

Pre-filters

A pre-filter runs before the entity is passed to the query. It can modify the entity directly, and it can override the query by assigning the variable:

_query

As an example, a pre-filter that overrides the query could look as follows:

# Only constrain the search by client IP when the input entity carries one.
if E.getProperty('IP') is not None:
    _query = 'useragent="*$$E.Value$$*" clientip="$$E.Property("IP")$$" | dedup uri | table uri'
else:
    _query = 'useragent="*$$E.Value$$*" | dedup uri | table uri'

Pre-filters can also change the entity directly. Example of a pre-filter stripping spaces from the value of an entity before it is passed to the query:

E.Value = E.Value.strip()

Post filters

A post-filter has access to the data returned from the query as well as the input entity.

The data returned from the query is held, as a list of row dictionaries (one dictionary per result row, keyed by column name), in the variable:

rawResults

An example of a post-filter adding a column called 'fullname' to the result table:

# Build a new result list with the extra column, then hand it back as rawResults.
finalResults = []
for result in rawResults:
    firstname = result['Firstname']
    lastname = result['Lastname']
    result["fullname"] = firstname + " " + lastname
    finalResults.append(result)
rawResults = finalResults

An example of a post-filter adding a column called 'ua_escaped' (the user agent URL-encoded) to the returned data:

import urllib   # urllib.quote_plus is the Python 2 API the original example uses
for row in rawResults:
    row['ua_escaped'] = urllib.quote_plus(row['useragent'])

Post-filters can override the mapping by assigning the variable:

_mapping

An example of a post-filter overriding the mapping is as follows:

if E.getTransformSetting('UniqueAgent') == 'N':
    _mapping="{E.Type=sp.Agent; E.Value=$useragent;}"
else:
    _mapping="{E.Type=sp.Agent; E.Value=$useragent; E.Property('IP')=$clientip;}"

The filter above assumes that a clientip column is returned by the data source. The first mapping omits it; the second uses it.
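As an added example (not code from this reference or from Paterva) that ties together the "Query options" section and the pre- and post-filter hooks described above: a pre-filter that normalises and validates the input entity before the $$ tokens are expanded, the textual token expansion itself, and a post-filter that cleans the rows and picks the mapping. The Entity class is a constructed stand-in for the object the MDS exposes as 'E' (it has only the members this reference lists), the rows are constructed Splunk-style results, and raising an exception from the pre-filter is an assumption (the reference does not say how the MDS treats a filter error). The code is plain Python 3 run outside the MDS.

```python
import ipaddress
import re


class Entity:
    """Stand-in for the input entity the MDS exposes to filters as 'E' (constructed
    for this example; only the members listed in the reference are provided)."""
    def __init__(self, value, etype, weight=100, properties=None, settings=None):
        self.Value = value
        self.Type = etype
        self.Weight = weight
        self.Properties = dict(properties or {})
        self.TransformSettings = dict(settings or {})

    def getProperty(self, key):
        return self.Properties.get(key)

    def getTransformSetting(self, key):
        return self.TransformSettings.get(key)


# One $$...$$ query token: E.Value, E.Weight, E.Type, E.Property("x") or E.Setting("x")
TOKEN = re.compile(r'''\$\$E\.(Value|Weight|Type|Property|Setting)(?:\(\s*["']([^"']*)["']\s*\))?\$\$''')


def expand_query(template, E):
    """Textual replacement of every $$E.*$$ token, as the reference describes: the
    value goes in verbatim, which is why pre_filter() below validates it first."""
    def repl(m):
        member, arg = m.group(1), m.group(2)
        val = {'Value': E.Value, 'Weight': E.Weight, 'Type': E.Type,
               'Property': E.getProperty(arg),
               'Setting': E.getTransformSetting(arg)}[member]
        return '' if val is None else str(val)
    return TOKEN.sub(repl, template)


UA_QUERY = 'useragent="*$$E.Value$$*" | dedup uri | table uri useragent clientip'
UA_IP_QUERY = ('useragent="*$$E.Value$$*" clientip="$$E.Property("IP")$$"'
               ' | dedup uri | table uri useragent clientip')


def pre_filter(E):
    """Runs before the query; returns what the filter would assign to _query."""
    E.Value = E.Value.strip()                       # pre-filters may modify E in place
    # The template wraps the value in double quotes; a value that could close them or
    # start a new pipe stage must not reach Splunk. Fail closed (assumption: raising).
    if any(c in E.Value for c in '"|\\'):
        raise ValueError('refusing to query on value %r' % E.Value)
    ip = E.getProperty('IP')
    if not ip or not ip.strip():
        return UA_QUERY
    ip = ip.strip()
    ipaddress.ip_address(ip)                        # ValueError unless a real IPv4/IPv6 address
    E.Properties['IP'] = ip
    return UA_IP_QUERY


UA_MAPPING = "{E.Type=sp.Agent; E.Value=$useragent;}"
UA_IP_MAPPING = "{E.Type=sp.Agent; E.Value=$useragent; E.Property('IP')=$clientip;}"


def post_filter(E, rawResults):
    """Runs after the query; returns (rawResults, _mapping) as the filter would set them."""
    rows = []
    for row in rawResults:
        ua = (row.get('useragent') or '').strip()
        if not ua:                                  # every mapped entity needs a non-empty E.Value
            continue
        row['useragent'] = ua
        row['clientip'] = (row.get('clientip') or '').strip()
        rows.append(row)
    # Attach the IP property only when the setting asks for it and every row carries
    # one; otherwise $clientip would produce entities with empty IP properties.
    want_ip = E.getTransformSetting('UniqueAgent') != 'N'
    if want_ip and rows and all(r['clientip'] for r in rows):
        return rows, UA_IP_MAPPING
    return rows, UA_MAPPING


if __name__ == '__main__':
    # Constructed input entity and result rows.
    E = Entity('  curl/7.64  ', 'sp.Agent', properties={'IP': ' 203.0.113.7 '},
               settings={'UniqueAgent': 'Y'})
    print(expand_query(pre_filter(E), E))
    print(post_filter(E, [
        {'uri': '/index.html', 'useragent': 'curl/7.64', 'clientip': '203.0.113.7'},
        {'uri': '/robots.txt', 'useragent': '', 'clientip': '203.0.113.7'},
    ]))
```

With the page's own "is not None" check an entity whose IP property is empty or malformed would still be substituted into clientip="..."; the validation here rejects it before expansion. The same holds for the entity value: a value such as `curl" | stats count` expands to a query with an extra pipe stage, which is why the pre-filter refuses quotes, pipes and backslashes rather than relying on the $$ substitution to neutralise them.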

Rediscovering from Maltego GUI

You need to rediscover transforms in the Maltego client when changes were made to:

  • Seed (adding, removing transforms)
  • Paired config (new config added)
  • Transform name
  • Transform settings
  • Input entity

You don’t need to rediscover when you’ve made changes to:

  • Query
  • Mapping
  • Post/Pre filter
  • Global Variables
  • Entities (list of)

© Copyright 2017, Paterva PTY Limited