Introduced in Maltego 4, collections aim to clean up the graph by grouping 'similar' entities, making it easier to view portions of the graph and find the key relationships you are looking for. The underlying collection rules all adhere to the following criteria:
Only entities of the same type may be collected together in a single collection,
Entities that are pinned (pinned to the graph) may not be collected,
A minimum entity limit exists which must be satisfied for a collection node to form, i.e. a collection node may not contain less than the minimum limit of entities.
The image below shows the controls on the Collections tab of the ribbon as configured for a fresh install of Maltego.
Figure 198: Collections tab
Collections are enabled by default and may be toggled off/on by pressing the Disable/Enable Collections button. On the Simplify Graph section a slider and spinner work in tandem to control the level of graph simplification. The numbers on the slider and that of the spinner correspond, designating the minimum number of entities that any collection node may contain. Dragging the slider to the left decreases this global minimum entity limit for collections, thereby increasing the amount of graph simplification. The Show Collections Tutorial button shows this tutorial in the Maltego client. The Select Collections button selects all the collection nodes on the current graph.
A typical use case for using collection nodes is analysing Twitter followers. The image below shows the Detail View for three different Twitter accounts for which their followers where found, sorted alphabetically according to the entity name. Since transforms were run on these entities as input, none of them have incoming links. "Paterva" has the highest number of Twitter followers (outgoing links) among the 3 entities, with 3432, which according to the transform rules resulted in a weight of 100.
Figure 199: Detail view of starting three Twitter accounts
With collections disabled (and for pre-Maltego4 versions), the graph output looks like the image below when in organic layout (zoomed to 2%). The graph consists of 4164 entities (4489 links in total), making it difficult to visualise the interesting relationships and common followers without having to continuously zoom in and out of the graph.
Figure 200: Followers of the initial three Twitter accounts
With collections enabled and the slider in its default position of 25 entities, the graph output looks as follows in circular layout (zoomed to 15%).
Figure 201: Collections enabled in circular view
Notice the circular entities (uncollected) and square collection nodes. Dragging the slider to the far left for the greatest amount of graph simplification, renders the graph as follows (zoomed to 100%). The graph is now simpler and much easier to work with.
Figure 202: Collection enabled - full simplification
With the collection node containing 269 entities selected (designated by "269" in the collection node heading on the graph), the selected entities can be viewed in list form in the Detail View, and sorted according to various columns (multi-column sorting is also supported using the Shift key in conjunction with mouse clicks on the column headings). Hovering over or clicking on the entities in this list shows the relevant entity properties in the Property View.
Clicking on the icon in the Inspect column in the image above (shown by the orange plus (+) sign), shows in-depth details of that single entity (image below). Double-clicking on the Twitter user icon in the image below, will open the Details dialog. Clicking on the Back To List button (or right-clicking inside the Detail View component) in the image below, returns to the Detail View list of the entities in the collection node as in the image above.
By double-clicking on the entity name in the Detail View list (or clicking on the icon in the Collected column which shows the number of entities in the collection node), the graph will automatically pan and zoom to the selected entity, briefly flashing the entity inside the collection node in white as in the image below.
Collections are simply visual elements -- if an entity is of specific interest and it must not be grouped within the collection node, one can press on the pin icon of that entity, either on the graph's collection component (as in the image below) or in the Detail View list. Having multiple entities selected and then clicking on the pin icon will pin all selected entities to the graph (uncollect from collection). Alternatively, all entities in a collection can be pinned to the graph by clicking the larger pin icon in the collection component heading (seen as a very faint overlay in the top-right corner of the image below).
By clicking on the pin icon with only the "Black Hat" entity selected, this isolates the entity from the collection node, essentially pinning the entity to the graph (see image below). Other rules for exclusion from a collection node are if the entity has attachments or notes. When dragging entities onto the graph, they are pinned by default.
If the orange pin icon of a pinned entity, such as the "Black Hat" entity below, is clicked to unpin the entity from the graph, the entity becomes available to be collected, and will only be collected should it satisfy the criteria outlined in the overview (top of page), and share relationships with (i.e. are 'similar' to) other entities of the same type. Typically, this will boil down to whether it is linked to (shares) common parent and child entities, although the rules can understandably become quite complex for heavily meshed graphs.
With collection nodes, there is the same functionality that has always been in Maltego. For instance, one can find entities on the graph containing certain word(s), whether they form part of a collection node or not, by using the Quick Find functionality on the Investigate tab of the ribbon.
Alternatively, when using the Detail View list with the "269" collection node selected, the "Black Hat" entity can be pinned to the graph from this listed view, which would uncollect it but keep it among the selected entities displayed in the list. The list entities can then further be filtered according to entities containing the word "black" in them as in the image below. As can be seen by the text inside the icon in the "Collected" column, the collection node now only contains 268 entities, and the pinned "Black Hat" entity is displayed as a normal (circle) entity.
While on the graph all 269 entities of the original collection node are still selected, the Detail View list only shows the 2 filtered entities. By clearing the filter textfield, all 269 entities will again be displayed within the list. Alternatively, by selecting the 2 list entities in the image above, and clicking on the Sync Selection to Graph button to the left of the filter textfield, the graph selection changes to only these 2 entities and will be displayed as in the image below.
Solid orange borders signify full selection (all entities within the visual element selected), while a dashed orange border (as for the "268" collection node above), signifies partial selection. The collection node heading in this case indicates that only 1 of the 268 entities within the collection node is selected. Since pinned entities (and other entities not in collection nodes) only represent a single entity, these entities can therefore never be in a state of partial selection.
Transforms can also be run within the Detail View list using the context menu (on either single or multiple entities). Simply select the entities in the Detail View list, right-click to invoke the context menu (see image below), and run transforms as usual.
© Copyright 2017, Paterva PTY Limited