STIX2 Directory
Display Name | STIX2 Directory |
Entity Name | maltego.STIX2.directory |
Short Description | The Directory Object represents the properties common to a file system directory. |
Entity Category | STIX 2 observables |
Base Entities | maltego.Document, maltego.STIX2.core |
Entity Properties
title | title | string | | |
type | type | string | The value of this property MUST be directory. | directory |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
url | url | string | Specifies the path, as originally observed, to the directory on the file system. | |
path_enc | path_enc | string | Specifies the observed encoding for the path. | |
ctime | ctime | string | Specifies the date/time the directory was created. | |
mtime | mtime | string | Specifies the date/time the directory was last written to/modified. | |
atime | atime | string | Specifies the date/time the directory was last accessed. | |
contains_refs | contains_refs | string[] | Specifies a list of references to other File and/or Directory Objects contained within the directory. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"url": "path", "title": "id"} |
Entity Description
The Directory Object represents the properties common to a file system directory.
STIX2 Autonomous System
Display Name | STIX2 Autonomous System |
Entity Name | maltego.STIX2.autonomous-system |
Short Description | The AS object represents the properties of an Autonomous System (AS). |
Entity Category | STIX 2 observables |
Base Entities | maltego.AS, maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be autonomous-system. | autonomous-system |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
as.number | as.number | string | Specifies the number assigned to the AS. Such assignments are typically performed by a Regional Internet Registry (RIR). | |
name | name | string | Specifies the name of the AS. | |
rir | rir | string | Specifies the name of the Regional Internet Registry (RIR) that assigned the number to the AS. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"as.number": "number"} |
Entity Description
The AS object represents the properties of an Autonomous System (AS).
STIX2 User Account
Display Name | STIX2 User Account |
Entity Name | maltego.STIX2.user-account |
Short Description | The User Account Object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts. |
Entity Category | STIX 2 observables |
Base Entities | maltego.Alias, maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be user-account. | user-account |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | The User Account Object defines the following extensions. In addition to these, producers MAY create their own. Extensions: unix-account-ext. | |
alias | alias | string | Specifies the identifier of the account. | |
credential | credential | string | Specifies a cleartext credential. This is only intended to be used in capturing metadata from malware analysis (e.g., a hard-coded domain administrator password that the malware attempts to use for lateral movement) and SHOULD NOT be used for sharing of PII. | |
account_login | account_login | string | Specifies the account login string, used in cases where the user_id property specifies something other than what a user would type when they log in. | |
account_type | account_type | string | Specifies the type of the account. This is an open vocabulary and values SHOULD come from the account-type-ov vocabulary. | |
display_name | display_name | string | Specifies the display name of the account, to be shown in user interfaces, if applicable. | |
is_service_account | is_service_account | string | Indicates that the account is associated with a network service or system process (daemon), not a specific individual. | |
is_privileged | is_privileged | string | Specifies that the account has elevated privileges (i.e., in the case of root on Unix or the Windows Administrator account). | |
can_escalate_privs | can_escalate_privs | string | Specifies that the account has the ability to escalate privileges (i.e., in the case of sudo on Unix or a Windows Domain Admin account). | |
is_disabled | is_disabled | string | Specifies if the account is disabled. | |
account_created | account_created | string | Specifies when the account was created. | |
account_expires | account_expires | string | Specifies the expiration date of the account. | |
credential_last_changed | credential_last_changed | string | Specifies when the account credential was last changed. | |
account_first_login | account_first_login | string | Specifies when the account was first accessed. | |
account_last_login | account_last_login | string | Specifies when the account was last accessed. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"alias": "user_id"} |
Entity Description
The User Account Object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts.
STIX2 Email Message
Display Name | STIX2 Email Message |
Entity Name | maltego.STIX2.email-message |
Short Description | The Email Message Object represents an instance of an email message. |
Entity Category | STIX 2 observables |
Base Entities | maltego.ConversationEmail, maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be email-message. | email-message |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
email | email | string | Specifies the value of the 'From' field of the email message. | |
email.recipients | email.recipients | string[] | Specifies the mailboxes that are 'To:' recipients of the email message. | |
title | title | string | Specifies the subject of the email message. | |
date | date | string | Specifies the date/time that the email message was sent. | |
content_type | content_type | string | Specifies the value of the 'Content-Type' header of the email message. | |
from_ref | from_ref | string | Specifies the value of the 'From:' header of the email message. | |
cc_refs | cc_refs | string[] | Specifies the mailboxes that are 'CC:' recipients of the email message. | |
bcc_refs | bcc_refs | string[] | Specifies the mailboxes that are 'BCC:' recipients of the email message. | |
message_id | message_id | string | Specifies the Message-ID field of the email message. | |
received_lines | received_lines | string[] | Specifies one or more Received header fields that may be included in the email headers. | |
additional_header_fields | additional_header_fields | string | Specifies any other header fields found in the email message, as a dictionary. | |
raw_email_ref | raw_email_ref | string | Specifies the raw binary contents of the email message, including both the headers and body, as a reference to an Artifact Object. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"email": "sender_ref", "email.recipients": "to_refs", "title": "subject"} |
is_multipart | is_multipart | string | Indicates whether the email body contains multiple MIME parts. | True |
body | body | string | Specifies a string containing the email body. This field MAY only be used if is_multipart is false. | |
body_multipart | body_multipart | string[] | Specifies a list of the MIME parts that make up the email body. This property MAY only be used if is_multipart is true. | |
Entity Description
The Email Message Object represents an instance of an email message.
STIX2 Email Addr
Display Name | STIX2 Email Addr |
Entity Name | maltego.STIX2.email-addr |
Short Description | The Email Address Object represents a single email address. |
Entity Category | STIX 2 observables |
Base Entities | maltego.EmailAddress, maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be email-addr. | email-addr |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
email | email | string | Specifies a single email address. This MUST not include the display name. | |
display_name | display_name | string | Specifies a single email display name, i.e., the name that is displayed to the human user of a mail application. | |
belongs_to_ref | belongs_to_ref | string | Specifies the user account that the email address belongs to, as a reference to a User Account Object. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"email": "value"} |
Entity Description
The Email Address Object represents a single email address.
STIX2 File
Display Name | STIX2 File |
Entity Name | maltego.STIX2.file |
Short Description | The File Object represents the properties of a file. |
Entity Category | STIX 2 observables |
Base Entities | maltego.File, maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be file. | file |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | The File Object defines the following extensions. In addition to these, producers MAY create their own. Extensions: ntfs-ext, raster-image-ext, pdf-ext, archive-ext, windows-pebinary-ext | |
description | description | string | Specifies the name of the file. | |
hashes | hashes | string | Specifies a dictionary of hashes for the file. | |
size | size | string | Specifies the size of the file, in bytes, as a non-negative integer. | |
name_enc | name_enc | string | Specifies the observed encoding for the name of the file. | |
magic_number_hex | magic_number_hex | string | Specifies the hexadecimal constant ('magic number') associated with a specific file format that corresponds to the file, if applicable. | |
mime_type | mime_type | string | Specifies the MIME type name specified for the file, e.g., 'application/msword'. | |
ctime | ctime | string | Specifies the date/time the file was created. | |
mtime | mtime | string | Specifies the date/time the file was last written to/modified. | |
atime | atime | string | Specifies the date/time the file was last accessed. | |
parent_directory_ref | parent_directory_ref | string | Specifies the parent directory of the file, as a reference to a Directory Object. | |
contains_refs | contains_refs | string[] | Specifies a list of references to other Observable Objects contained within the file. | |
content_ref | content_ref | string | Specifies the content of the file, represented as an Artifact Object. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"source": "path", "description": "name"} |
Entity Description
The File Object represents the properties of a file.
STIX2 Software
Display Name | STIX2 Software |
Entity Name | maltego.STIX2.software |
Short Description | The Software Object represents high-level properties associated with software, including software products. |
Entity Category | STIX 2 observables |
Base Entities | maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be software. | software |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
name | name | string | Specifies the name of the software. | |
cpe | cpe | string | Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary. | |
swid | swid | string | Specifies the Software Identification (SWID) Tags entry for the software, if available. | |
languages | languages | string[] | Specifies the languages supported by the software. The value of each list member MUST be an ISO 639-2 language code. | |
vendor | vendor | string | Specifies the name of the vendor of the software. | |
version | version | string | Specifies the version of the software. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
The Software Object represents high-level properties associated with software, including software products.
STIX2 Artifact
Display Name | STIX2 Artifact |
Entity Name | maltego.STIX2.artifact |
Short Description | The Artifact Object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. |
Entity Category | STIX 2 observables |
Base Entities | maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be artifact. | artifact |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
mime_type | mime_type | string | The value of this property MUST be a valid MIME type as specified in the IANA Media Types registry. | |
payload_bin | payload_bin | string | Specifies the binary data contained in the artifact as a base64-encoded string. | |
url | url | string | The value of this property MUST be a valid URL that resolves to the unencoded content. | |
hashes | hashes | string | Specifies a dictionary of hashes for the contents of the url or the payload_bin. This MUST be provided when the url property is present. | |
encryption_algorithm | encryption_algorithm | string | If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in. | |
decryption_key | decryption_key | string | Specifies the decryption key for the encrypted binary data (either via payload_bin or url). | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
The Artifact Object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload.
STIX2 Url
Display Name | STIX2 Url |
Entity Name | maltego.STIX2.url |
Short Description | The URL Object represents the properties of a uniform resource locator (URL). |
Entity Category | STIX 2 observables |
Base Entities | maltego.URL, maltego.STIX2.core |
Entity Properties
short-title | short-title | string | | |
type | type | string | The value of this property MUST be url. | url |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
url | url | string | Specifies the value of the URL. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"url": "value", "short-title": "id"} |
Entity Description
The URL Object represents the properties of a uniform resource locator (URL).
STIX2 Ipv4 Addr
Display Name | STIX2 Ipv4 Addr |
Entity Name | maltego.STIX2.ipv4-addr |
Short Description | The IPv4 Address Object represents one or more IPv4 addresses expressed using CIDR notation. |
Entity Category | STIX 2 observables |
Base Entities | maltego.IPv4Address, maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be ipv4-addr. | ipv4-addr |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
ipv4-address | ipv4-address | string | Specifies one or more IPv4 addresses expressed using CIDR notation. | |
resolves_to_refs | resolves_to_refs | string[] | Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv4 address resolves to. | |
belongs_to_refs | belongs_to_refs | string[] | Specifies a reference to one or more autonomous systems (AS) that the IPv4 address belongs to. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"ipv4-address": "value"} |
Entity Description
The IPv4 Address Object represents one or more IPv4 addresses expressed using CIDR notation.
STIX2 Domain Name
Display Name | STIX2 Domain Name |
Entity Name | maltego.STIX2.domain-name |
Short Description | The Domain Name represents the properties of a network domain name. |
Entity Category | STIX 2 observables |
Base Entities | maltego.Domain, maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be domain-name. | domain-name |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
fqdn | fqdn | string | Specifies the value of the domain name. | |
resolves_to_refs | resolves_to_refs | string[] | Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"fqdn": "value"} |
Entity Description
The Domain Name represents the properties of a network domain name.
STIX2 Windows Registry Key
Display Name | STIX2 Windows Registry Key |
Entity Name | maltego.STIX2.windows-registry-key |
Short Description | The Registry Key Object represents the properties of a Windows registry key. |
Entity Category | STIX 2 observables |
Base Entities | maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be windows-registry-key. | windows-registry-key |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
key | key | string | Specifies the full registry key including the hive. | |
values | values | string[] | Specifies the values found under the registry key. | |
modified_time | modified_time | string | Specifies the last date/time that the registry key was modified. | |
creator_user_ref | creator_user_ref | string | Specifies a reference to a user account, represented as a User Account Object, that created the registry key. | |
number_of_subkeys | number_of_subkeys | string | Specifies the number of subkeys contained under the registry key. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
The Registry Key Object represents the properties of a Windows registry key.
STIX2 X509 Certificate
Display Name | STIX2 X509 Certificate |
Entity Name | maltego.STIX2.x509-certificate |
Short Description | The X509 Certificate Object represents the properties of an X.509 certificate. |
Entity Category | STIX 2 observables |
Base Entities | maltego.X509Certificate, maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be x509-certificate. | x509-certificate |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
serial | serial | string | Specifies the unique identifier for the certificate, as issued by a specific Certificate Authority. | |
issuer | issuer | string | Specifies the name of the Certificate Authority that issued the certificate. | |
validFrom | validFrom | string | Specifies the date on which the certificate validity period begins. | |
validUntil | validUntil | string | Specifies the date on which the certificate validity period ends. | |
subject | subject | string | Specifies the name of the entity associated with the public key stored in the subject public key field of the certificate. | |
is_self_signed | is_self_signed | string | Specifies whether the certificate is self-signed, i.e., whether it is signed by the same entity whose identity it certifies. | |
hashes | hashes | string | Specifies any hashes that were calculated for the entire contents of the certificate. | |
version | version | string | Specifies the version of the encoded certificate. | |
signature_algorithm | signature_algorithm | string | Specifies the name of the algorithm used to sign the certificate. | |
subject_public_key_algorithm | subject_public_key_algorithm | string | Specifies the name of the algorithm with which to encrypt data being sent to the subject. | |
subject_public_key_modulus | subject_public_key_modulus | string | Specifies the modulus portion of the subject’s public RSA key. | |
subject_public_key_exponent | subject_public_key_exponent | string | Specifies the exponent portion of the subject’s public RSA key, as an integer. | |
x509_v3_extensions | x509_v3_extensions | string | Specifies any standard X.509 v3 extensions that may be used in the certificate. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"subject": "subject", "serial": "serial_number", "issuer": "issuer", "validFrom": "validity_not_before", "validUntil": "validity_not_after"} |
Entity Description
The X509 Certificate Object represents the properties of an X.509 certificate.
STIX2 Network Traffic
Display Name | STIX2 Network Traffic |
Entity Name | maltego.STIX2.network-traffic |
Short Description | The Network Traffic Object represents arbitrary network traffic that originates from a source and is addressed to a destination. |
Entity Category | STIX 2 observables |
Base Entities | maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be network-traffic. | network-traffic |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | The Network Traffic Object defines the following extensions. In addition to these, producers MAY create their own. Extensions: http-ext, tcp-ext, icmp-ext, socket-ext | |
start | start | string | Specifies the date/time the network traffic was initiated, if known. | |
end | end | string | Specifies the date/time the network traffic ended, if known. | |
src_ref | src_ref | string | Specifies the source of the network traffic, as a reference to an Observable Object. | |
dst_ref | dst_ref | string | Specifies the destination of the network traffic, as a reference to an Observable Object. | |
src_port | src_port | string | Specifies the source port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. | |
dst_port | dst_port | string | Specifies the destination port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. | |
protocols | protocols | string[] | Specifies the protocols observed in the network traffic, along with their corresponding state. | |
src_byte_count | src_byte_count | string | Specifies the number of bytes sent from the source to the destination. | |
dst_byte_count | dst_byte_count | string | Specifies the number of bytes sent from the destination to the source. | |
src_packets | src_packets | string | Specifies the number of packets sent from the source to the destination. | |
dst_packets | dst_packets | string | Specifies the number of packets sent from the destination to the source. | |
ipfix | ipfix | string | | |
src_payload_ref | src_payload_ref | string | Specifies the bytes sent from the source to the destination. | |
dst_payload_ref | dst_payload_ref | string | Specifies the bytes sent from the source to the destination. | |
encapsulates_refs | encapsulates_refs | string[] | Links to other network-traffic objects encapsulated by a network-traffic. | |
encapsulated_by_ref | encapsulated_by_ref | string | Links to another network-traffic object which encapsulates this object. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
is_active | is_active | string | Indicates whether the network traffic is still ongoing. | True |
Entity Description
The Network Traffic Object represents arbitrary network traffic that originates from a source and is addressed to a destination.
STIX2 Ipv6 Addr
Display Name | STIX2 Ipv6 Addr |
Entity Name | maltego.STIX2.ipv6-addr |
Short Description | The IPv6 Address Object represents one or more IPv6 addresses expressed using CIDR notation. |
Entity Category | STIX 2 observables |
Base Entities | maltego.IPv6Address, maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be ipv6-addr. | ipv6-addr |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
ipv6-address | ipv6-address | string | Specifies one or more IPv6 addresses expressed using CIDR notation. | |
resolves_to_refs | resolves_to_refs | string[] | Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv6 address resolves to. | |
belongs_to_refs | belongs_to_refs | string[] | Specifies a reference to one or more autonomous systems (AS) that the IPv6 address belongs to. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"ipv6-address": "value"} |
Entity Description
The IPv6 Address Object represents one or more IPv6 addresses expressed using CIDR notation.
STIX2 Mutex
Display Name | STIX2 Mutex |
Entity Name | maltego.STIX2.mutex |
Short Description | The Mutex Object represents the properties of a mutual exclusion (mutex) object. |
Entity Category | STIX 2 observables |
Base Entities | maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be mutex. | mutex |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
name | name | string | Specifies the name of the mutex object. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
The Mutex Object represents the properties of a mutual exclusion (mutex) object.
STIX2 Mac Addr
Display Name | STIX2 Mac Addr |
Entity Name | maltego.STIX2.mac-addr |
Short Description | The MAC Address Object represents a single Media Access Control (MAC) address. |
Entity Category | STIX 2 observables |
Base Entities | maltego.MacAddress, maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be mac-addr. | mac-addr |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | Specifies any extensions of the object, as a dictionary. | |
macaddress | macaddress | string | Specifies one or more mac addresses expressed using CIDR notation. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {"macaddress": "value"} |
Entity Description
The MAC Address Object represents a single Media Access Control (MAC) address.
STIX2 Process
Display Name | STIX2 Process |
Entity Name | maltego.STIX2.process |
Short Description | The Process Object represents common properties of an instance of a computer program as executed on an operating system. |
Entity Category | STIX 2 observables |
Base Entities | maltego.STIX2.core |
Entity Properties
type | type | string | The value of this property MUST be `process`. | process |
spec_version | spec_version | string | The version of the STIX specification used to represent the content in this cyber-observable. | |
object_marking_refs | object_marking_refs | string[] | The list of marking-definition objects to be applied to this object. | |
granular_markings | granular_markings | string[] | The set of granular markings that apply to this object. | |
is_defanged | is_defanged | string | Defines whether or not the data contained within the object has been defanged. | |
id | id | string | | |
extensions | extensions | string | The Process Object defines the following extensions. In addition to these, producers MAY create their own. Extensions: windows-process-ext, windows-service-ext. | |
is_hidden | is_hidden | string | Specifies whether the process is hidden. | |
pid | pid | string | Specifies the Process ID, or PID, of the process. | |
created | created | string | Specifies the date/time at which the process was created. | |
cwd | cwd | string | Specifies the current working directory of the process. | |
command_line | command_line | string | Specifies the full command line used in executing the process, including the process name (which may be specified individually via the binary_ref.name property) and any arguments. | |
environment_variables | environment_variables | string | Specifies the list of environment variables associated with the process as a dictionary. | |
opened_connection_refs | opened_connection_refs | string[] | Specifies the list of network connections opened by the process, as a reference to one or more Network Traffic Objects. | |
creator_user_ref | creator_user_ref | string | Specifies the user that created the process, as a reference to a User Account Object. | |
image_ref | image_ref | string | Specifies the executable binary that was executed as the process image, as a reference to a File Object. | |
parent_ref | parent_ref | string | Specifies the other process that spawned (i.e. is the parent of) this one, as represented by a Process Object. | |
child_refs | child_refs | string[] | Specifies the other processes that were spawned by (i.e. children of) this process, as a reference to one or more other Process Objects. | |
recovery_property_mapping | recovery_property_mapping | string | The mapping of Maltego internal property names to STIX property names used for this entity. | {} |
Entity Description
The Process Object represents common properties of an instance of a computer program as executed on an operating system.