Maltego Splunk Integration Brief

INTEGRATING SPLUNK ENTERPRISE WITH MALTEGO

Summary
This document provides an overview of how on-premise or cloud deployments of Splunk can be
integrated into Maltego in a simple way. In just a few lines of code, using the Maltego-TRX library,
a custom Transform is realized to allow querying Splunk. Integrating Splunk into Maltego allows
analysts to conveniently cross-reference data points like IP Addresses, domains, hashes, URLs and
other indicators of compromise with organization-wide internal intelligence stored in Splunk directly
via Maltego. Transforms that upload data into Splunk can also be realized in an analogous way.

Architecture
On a technical level, connecting Splunk and Maltego only requires us to write custom Transform code using the
Maltego-TRX library and then to configure the Transforms in an iTDS to allow multiple Maltego clients to use them. The
diagram below provides an overview of what such a deployment looks like:

Maltego Desktop Client(s)  -->  iTDS  -->  Maltego-TRX Server  -->  Splunk REST API

Maltego Desktop Client
- Discovers and runs Transforms

iTDS
- Configuration of Transforms
- Enables clients to discover Transforms
- Forwards Transform requests to the TRX server
- Available as on-premise deployment (ships as VM or docker-compose)

Maltego-TRX Server
- Implementation of Transforms
- Easy to Dockerize
- Handles user authentication and other business logic
- Calls the Splunk REST API

Transform Design
To keep things simple, only one Transform was implemented for this example:

“[Splunk] Search for Events”


• Works with any input Entity
• Various Transform Settings: Splunk location and authentication, oldest/newest event time filter
• Returns splunk.Event Entities containing all fields of each matched Event

To more fully integrate Splunk into Maltego, plenty of additional Transforms which make use of Splunk’s extensive
API could be added, including products like Splunk Enterprise Security. For example, we could write a Transform that
only searches for Events tagged as “notable” in order to leverage the Enterprise Security feature. We could also add
a Transform for uploading a Maltego Entity to Splunk as new Threat Intelligence. For the purposes of this proof-of-
concept, we’ll keep things simple and focus on searching for Events.

Implementation of Transforms
By referencing Splunk’s documentation, we can quickly determine that there are simple ways to search events
across our Splunk instance using the Splunk SDK for Python. We’ll opt to use the one-shot search feature to simply
run a search and stream the results. First, we create a helper method for connecting to Splunk and running a search:

from splunklib import results
from splunklib.client import Service, connect


def run_splunk_search(
    query, splunk_host, splunk_port, splunk_pwd, splunk_user,
    earliest_time=None, latest_time=None, count=100
):
    # Connect to the Splunk REST API with the credentials passed in from the Transform Settings
    service: Service = connect(
        host=splunk_host, port=splunk_port, username=splunk_user, password=splunk_pwd
    )

    # Set the parameters for the search; blank time settings are left out so Splunk uses its defaults
    kwargs_oneshot = {"count": count}
    if earliest_time and earliest_time.strip():
        kwargs_oneshot["earliest_time"] = earliest_time
    if latest_time and latest_time.strip():
        kwargs_oneshot["latest_time"] = latest_time

    # Run the search as a one-shot job (no job to poll; results are streamed back directly)
    searchquery = f"search {query} | fields *"
    search_results = service.jobs.oneshot(searchquery, **kwargs_oneshot)

    # Get the results and process them using the ResultsReader
    results_stream = results.ResultsReader(search_results)
    return results_stream

Let’s also create a helper method for translating the dictionary objects returned from the Splunk library to Maltego
Entities. To keep it simple, we will map every key-value pair in the result JSON to a Property on the Maltego Entity.

from maltego_trx.maltego import MaltegoEntity


def splunk_result_to_maltego_entity(match):
    # The raw event text becomes the Entity value; every field becomes a Property
    entity = MaltegoEntity(
        type="splunk.Event",
        value=match["_raw"]
    )
    for field_name, field_value in match.items():
        entity.addProperty(
            fieldName=field_name, displayName=field_name,
            value=field_value, matchingRule="strict"
        )
    return entity

The MaltegoEntity type and its addProperty method are provided by the Maltego-TRX library.

Finally, below is sample code for the actual Transform that will use these methods to search Splunk for the input
Entity’s value and return the matching Events. We’re using the Maltego-TRX library for everything that’s Maltego-specific here:

from maltego_trx.maltego import MaltegoMsg, MaltegoEntity
from maltego_trx.transform import DiscoverableTransform
from splunklib import results
from splunklib.client import Service, connect

# run_splunk_search and splunk_result_to_maltego_entity are the helper methods defined above


class RunQuery(DiscoverableTransform):
    """
    Search Splunk for Events matching the value of any kind of input Entity
    and return each matched Event as a splunk.Event Entity.
    """

    @classmethod
    def create_entities(cls, request: MaltegoMsg, response):
        query = request.Value
        count = request.Slider

        # Connection details come from the Transform Settings configured in the iTDS
        splunk_host = request.TransformSettings["host"]
        splunk_port = request.TransformSettings["port"]
        splunk_user = request.TransformSettings["user"]
        splunk_pwd = request.TransformSettings["pwd"]

        # can be a formatted date, or e.g. "-7d"
        earliest_time = request.TransformSettings["earliestTime"]
        latest_time = request.TransformSettings["latestTime"]

        results_stream = run_splunk_search(
            query, splunk_host, splunk_port,
            splunk_pwd, splunk_user,
            earliest_time, latest_time,
            count
        )

        # Results are dicts (one per Event); Splunk may also emit informational messages
        matches_dicts = []
        for item in results_stream:
            if isinstance(item, dict):
                matches_dicts.append(dict(item))
            elif isinstance(item, results.Message):
                response.addUIMessage(f"Splunk Message: {item}")

        # Create Maltego Entities
        for match in matches_dicts:
            entity = splunk_result_to_maltego_entity(match)
            response.entities.append(entity)

And that’s it! The TRX Server can now run this Transform as a web service so that it can be connected to an iTDS for
Maltego clients to discover and use it.
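Two details of the helpers above are worth tightening before this runs against production Splunk. First, run_splunk_search interpolates the input Entity’s value straight into SPL (f"search {query} | fields *"), so a value that contains SPL syntax such as a pipe changes the structure of the search instead of being searched for; Entity values often originate from external data, so the value should be quoted as a literal term and the earliest/latest settings validated. Second, splunk_result_to_maltego_entity indexes match["_raw"], which is absent from results of searches that aggregate (for example stats), and multivalue fields arrive as lists rather than strings. The following is an added example written for this brief, not code from Maltego or the Maltego-TRX project; it builds the one-shot query and kwargs defensively and flattens a result into an Entity value plus string Properties without depending on splunklib or maltego_trx. The accepted time formats, the count bounds and the handling of internal fields are assumptions made for the example.

```python
import re
from datetime import datetime

# Splunk relative-time modifiers such as "-7d", "-24h@h" or "now"; an ISO-8601
# timestamp in the format below is also accepted (both are assumptions for this example)
_RELATIVE_TIME = re.compile(r"^(now|[-+]\d+(s|m|h|d|w|mon|q|y)(@\w+)?)$")
_ABSOLUTE_TIME = "%Y-%m-%dT%H:%M:%S"


def spl_literal(value: str) -> str:
    """Quote an untrusted value so SPL treats it as a single search term.

    Backslashes and double quotes inside the term are escaped and the result is
    wrapped in double quotes, so pipes, wildcards and keywords in the Entity value
    cannot alter the structure of the search command.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def validate_time(spec):
    """Return a normalized time bound, or None when the Transform Setting is blank.

    Raises ValueError for anything that is neither a relative-time modifier nor an
    ISO-8601 timestamp, so a malformed setting is reported rather than passed on.
    """
    if spec is None or not spec.strip():
        return None
    spec = spec.strip()
    if _RELATIVE_TIME.match(spec):
        return spec
    datetime.strptime(spec, _ABSOLUTE_TIME)  # raises ValueError if malformed
    return spec


def build_oneshot_search(value, earliest_time=None, latest_time=None, count=100):
    """Build the (query, kwargs) pair that service.jobs.oneshot would be given."""
    if not (1 <= int(count) <= 10000):  # bounds assumed for the example
        raise ValueError("count must be between 1 and 10000")
    kwargs = {"count": int(count)}
    earliest = validate_time(earliest_time)
    latest = validate_time(latest_time)
    if earliest:
        kwargs["earliest_time"] = earliest
    if latest:
        kwargs["latest_time"] = latest
    return f"search {spl_literal(value)} | fields *", kwargs


def result_to_entity_fields(match):
    """Flatten one Splunk result dict into (entity_value, properties).

    - "_raw" is used as the Entity value when present; otherwise a stable
      key=value rendering of the fields is used (e.g. for stats output).
    - Multivalue fields arrive as lists; they are joined so every Property
      value is a string Maltego can display.
    - Internal fields other than "_raw" and "_time" are dropped.
    """
    properties = {}
    for name, val in match.items():
        if name.startswith("_") and name not in ("_raw", "_time"):
            continue
        if isinstance(val, (list, tuple)):
            val = ", ".join(str(v) for v in val)
        properties[name] = str(val)
    value = match.get("_raw")
    if value is None:
        value = "; ".join(f"{k}={v}" for k, v in sorted(properties.items()))
    return str(value), properties


if __name__ == "__main__":
    # Constructed input: an Entity value carrying SPL syntax, and a stats-style result
    print(build_oneshot_search("10.0.0.1 | outputlookup x", "-7d", " ", 50))
    print(result_to_entity_fields({"count": 3, "host": "h", "src": ["1", "2"]}))
```

In the Transform, run_splunk_search would pass the returned query and kwargs to service.jobs.oneshot unchanged, and splunk_result_to_maltego_entity would take the value and properties from result_to_entity_fields instead of reading match["_raw"] directly.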

Deployment and iTDS Configuration


The Maltego TRX repository includes a sample Dockerfile and docker-compose.yml for spinning up our TRX server.
We can use the same file structure as the example provided and replace the demo Transforms with our newly created
ones and spin up the server as shown.
Once the TRX server is up and running (and reachable from our iTDS), we’ll go ahead and configure the Transforms
within our iTDS. Here is how we might configure the “Search for Events“ Transform we’ve just created:

Note that for this example we created a few Transform Settings. For these, we simply make sure that each setting’s
name exactly matches the corresponding key we used in our Python code.

Adding the Transforms to the Maltego Client

To add a new Transform seed to your client, follow these steps:

1. Go to the Transform Hub and click the big plus (+) button.

2. Add the Seed URL, a unique name and a display name for the Seed, then click OK.

3. Finally, click Install to have the Transforms and configurations in that Seed installed into your Maltego Client.

Maltego Integration Services


If you are interested in integrating your preferred SIEM, threat intelligence provider or internal ticketing
systems into Maltego, we offer the following services:
• Use case discovery
• Transform design and writing
• Transform deployment, hosting and maintenance

Get in touch with our integrations expert to discuss how we can help
you simplify and expedite your cyber security investigations!

Philipp Dowling
[email protected]

About Maltego
Maltego empowers investigators worldwide to speed up and increase the precision of their investigations through
easy data integration in a single interface, aided by powerful visualization and collaborative capabilities to quickly
zero in on relevant information. Maltego is a proven tool that has empowered over one million investigations
worldwide since its first launch in 2008. Due to its wide range of possible use cases ranging from threat
intelligence to fraud investigations, Maltego is used by a broad audience, from security professionals and pen
testers to forensic investigators, investigative journalists, and market researchers.

Learn more about how we can empower your investigations on https://www.maltego.com.
