Maltego TRX for ThreatQ
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 2.0.0 |
| Compatible with ThreatQ Versions | >= 5.6.0 |
| Python Version | 3.6 |
| Third-Party Application | Maltego Desktop Application |
| Support Tier | ThreatQ Supported |
Introduction
The Maltego TRX for ThreatQ is a transforms library enabling bi-directional communication between ThreatQ and Maltego and enables analysts to have more visibility into their threat intelligence knowledgebase, via ThreatQ. The included transforms allow an analyst to perform contextual lookups for IOCs and other object types. This includes relationships, tags, attributes, and more.
The library comes with over 500 transforms allowing you to interact with all sorts of IOC types within the Maltego, as well as custom entity types representing custom objects within ThreatQ. In addition, analysts will be able to interact with certain entities from the official STIX2 plugin.
The Maltego TRX for ThreatQ integration replaces the Maltego Transforms for ThreatQ (mac and windows) integrations.
Prerequisites
The following is required by the integration:
- Maltego Desktop Application (free) installed on your local machine. This application can be downloaded from https://www.maltego.com/downloads/.
- A python 3 environment installed on your local host.
- The Maltego and ThreatQ SDKs installed on your local host.
Installing Python 3 Environment
You must first install Python 3 onto your host machine. This can be done in various ways, depending on your operating system. The following links will provide you with the steps based on your operating system:
- Windows: https://docs.python-guide.org/starting/install3/win/
- Linux: https://docs.python-guide.org/starting/install3/linux/
- macOS: https://docs.python-guide.org/starting/install3/osx/
Continue on to installing the required SDKs once you have installed and activated your python 3 environment.
Installing Maltego and ThreatQ SDKs
After you have installed and activated your python 3 environment, proceed with installing the required SDKs.
- Install the Maltego SDK:
pip install maltego-trx
- Install the ThreatQ SDK via the ThreatQ download repository:
pip install -i https://<username>:<password>@extensions.threatq.com/threatq/sdk threatqsdk
Replace the <username> and <password> placeholders with your repository credentials given to you by your ThreatQ Support Team.
Integration Dependencies
The integration must be installed in a python 3.6 environment.
The following is a list of required dependencies for the integration. These dependencies are downloaded and installed during the installation process. If you are an Air Gapped Data Sync (AGDS) user, or run an instance that cannot connect to network services outside of your infrastructure, you will need to download and install these dependencies separately as the integration will not be able to download them during the install process.
Items listed in bold are pinned to a specific version. In these cases, you should download the version specified to ensure proper function of the integration.
| Dependency | Version | Notes |
|---|---|---|
| threatqsdk | >=1.8.7 | N/A |
| maltego-trx | N/A | N/A |
Installation of ThreatQ Local Transforms
The following steps will instruct you on how to install and configure the integration with ThreatQ, into Maltego.
Confirm that all the prerequisites listed have been addressed prior to starting the installation steps below.
- Navigate to the ThreatQ Marketplace, and download the zip file for the integration.
- Transfer the zip file to a directory on the same host running the Maltego Desktop Application. For example:
- Windows: C:\Users\username>\Documents\ThreatQ\Code
- Linux: /usr/local/bin/ThreatQ/Code
- maxOS: /Users/username>/Documents/ThreatQ/Code
- Extract the integration:
unzip threatq-maltego-trx.zip
- Navigate into the extracted code directory.
- Locate the threatquotient.cfg.example configuration file and make a copy of it, removing the
.examplesuffix.threatquotient.cfg
- Update the threatquotient.cfg file with the following parameters:
Parameter Description host This is the host of the ThreatQ instance, either the IP Address or Hostname as resolvable by ThreatQ. username For User-based Authentication - this is the email address of the user in the ThreatQ System that will manage integrations. password For User-based Authentication - the password for the above ThreatQ account. clientid For User-based Authentication - this is the OAuth id that can be found at Settings Gear → User Management → API details within the user’s details. oauth_client_id For OAuth Authentication - this is the OAuth Client ID, generated via the ThreatQ CLI. oauth_client_secret For OAuth Authentication - the is the OAuth Client Secret, generated via the ThreatQ CLI. - Run the integration once to generate the transform import files:
python src/project.py local runserver
You may see a handful of WARNING logs. These warnings can be ignored.
- Open Maltego and navigate to the Import | Export tab and click on the Import Config button.
- Use the file browser to locate the .mtz files in
./artifacts/mtz. - Select the threatq-entities.mtz package and click Next.
- Use the checkboxes to select what you want to import and then click Next.
- Complete the import and repeat steps 7-10 with the threatq-transforms.mtz package.
You should now be able to run the ThreatQ transforms on your Maltego entities.
Usage
The following section provides information on integration transforms and steps for setting a python 3 executable path.
Transforms
The integration provides over 500 transforms. You can execute the following transforms on a variety of entity types:
- IOC -> Object Relationships
- Object -> Object Relationships
- STIX2 Object -> Object Relationships
- Supported STIX2 Object Types: Attack Pattern, Course of Action, Threat Actor, Malware, Tool
- Fetch IOC Attributes as Properties
This includes attributes, tags, score, status, type, description, etc.
- Fetch Object Attributes as Properties
This includes attributes, tags, status, type, description, etc.
Custom Python 3 Executable
The following steps will allow you to set a custom python 3 executable path.
These steps assume that the transforms for ThreatQ are already installed.
- Open Maltego.
- From the the Transforms tab, click the Transform Manager button.
- Search for ThreatQ in the the transforms search bar.
- Select all the transforms by holding clicking the first entry, holding shift, and then selecting the last entry.
- Enter your custom Python executable path for the Command field in the bottom right configuration box.
After hitting enter, allow the Maltego window a few minutes to aggregate and make the changes.
Known Issues / Limitations
- The URL Attributes to Properties transform does not export the attributes to Maltego.
- Exporting relationships between entities and URLs from ThreatQ is not working due to an issue on Maltego.
Change Log
- Version 2.0.0
- Complete rewrite of the integration based on the new Maltego TRX SDK.
- Added support for running transforms on ThreatQ custom objects
- Added transform to fetch object metadata (context: Attributes, Tags, Relationships, etc.)
- Added transform to create an entity (i.e. Indicator, Malware, etc.) in ThreatQ.
- Added support for running transforms on more entity types
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| Maltego TRX for ThreatQ Guide v2.0.0 | 5.6.0 or Greater |