Maltiverse provides a complete incident search engine that can be used by our clients to execute advanced research into potential incidents detected in the organization.
The use of this comprehensive dashboard provides time savings in analysis and investigation that can be crucial in responding to a security incident.
The Dashboard screen is the first screen displayed after the user connects to the platform. It consists of six main sections: the search panel, the threat analyzer panel, the list of latest IOCs, the available feeds, access to the team view, access to the API, access to the Maltiverse community and, finally, the view of recently ingested indicators.
In the search tab, complex searches can be carried out using Lucene syntax to refine the search to the desired level.
Searches can be carried out on any of the attributes of the indicators, such as hash, URL, IP, ASN, region, country or type of attack. Those fields are specified below in the field reference.
The Maltiverse Query Language is a simple syntax for filtering data using free-text search or field-based search. It runs an Elasticsearch database under the hood and uses its syntax, based on Lucene Query Syntax, to parse and split the provided query string on operators such as AND or NOT. Each split text is then analyzed independently before the matching documents are returned.
Examples #
Malicious IPs #
type:ip AND classification:malicious
Malicious IPs geolocated in China #
type:ip AND classification:malicious AND country_code:CN
Malicious IPs located in the Autonomous System AS4134 #
type:ip AND classification:malicious AND as_name:AS4134*
Malicious IPs located in the Autonomous System AS4134 that are distributing malware #
type:ip AND classification:malicious AND as_name:AS4134* AND is_distributing_malware:true
Malicious IPs located in the Autonomous System AS4134 that are Command & Control servers #
type:ip AND classification:malicious AND as_name:AS4134* AND is_cnc:true
Malicious IPs reported as related to the Cobalt Strike malware family #
type:ip AND classification:malicious AND blacklist.description:"Cobalt Strike"
Hostnames reported as related to the Cobalt Strike malware family and hosted on Tencent infrastructure #
type:hostname AND blacklist.description:"Cobalt Strike" AND domain.keyword:"tencentcs.com"
Malicious hostnames hosting between 1 and 1000 malicious URLs #
type:hostname AND number_of_online_malicious_urls_allocated:[1 TO 1000]
Malicious URLs under the Mexican Government top-level domain #
type:url AND classification:malicious AND tld:gob.mx
Malicious Samples with the antivirus description “HEUR:Trojan.Script.Generic” #
type:sample AND antivirus.description:"HEUR:Trojan.Script.Generic"
Malicious Samples with the antivirus description “HEUR:Trojan.Script.Generic” with extension .vbs #
type:sample AND antivirus.description:"HEUR:Trojan.Script.Generic" AND filename:*.vbs
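The queries above are easy to type by hand, but a search built from values copied out of an incident (a URL, an antivirus label containing a colon) can change shape if those values carry Lucene operators. The following added example, not Maltiverse code, assembles queries in the same syntax while escaping or quoting such values; the reserved-character list is Elasticsearch's query_string list, and `term`, `range_term`, `and_query` and `cnc_ips_in_as` are hypothetical helper names.

```python
"""Build Maltiverse Query Language (Lucene syntax) strings from untrusted values."""
import re

# Characters that mean something to the Lucene query parser. A value copied
# from an incident (a URL, an AV label containing ':') must not be able to
# add operators, ranges or wildcards to the query (hypothetical helper code).
_RESERVED = re.compile(r'&&|\|\||[+\-=><!(){}\[\]^"~*?:\\/]')


def _escape(s: str) -> str:
    """Backslash-escape every reserved character in an unquoted term."""
    return _RESERVED.sub(r"\\\g<0>", s)


def term(field: str, value, *, prefix: bool = False) -> str:
    """Render one field:value clause.

    Booleans become true/false (is_cnc:true). With prefix=True the value is
    a wildcard stem (as_name:AS4134*). Any other value containing whitespace
    or a reserved character is emitted as a double-quoted exact phrase, so
    antivirus.description:"HEUR:Trojan.Script.Generic" is matched literally
    instead of being parsed as a second field:value pair.
    """
    if isinstance(value, bool):
        return f"{field}:{str(value).lower()}"
    s = str(value)
    if prefix:
        return f"{field}:{_escape(s.rstrip('*'))}*"
    if _RESERVED.search(s) or any(c.isspace() for c in s):
        phrase = s.replace("\\", "\\\\").replace('"', '\\"')
        return f'{field}:"{phrase}"'
    return f"{field}:{s}"


def range_term(field: str, low: int, high: int) -> str:
    """Inclusive numeric range, as in [1 TO 1000]."""
    return f"{field}:[{int(low)} TO {int(high)}]"


def and_query(*clauses: str) -> str:
    """Join clauses with the AND operator used throughout the examples above."""
    return " AND ".join(clauses)


def cnc_ips_in_as(as_name: str) -> str:
    """Malicious IPs in an autonomous system that act as C2 (the page's query)."""
    return and_query(term("type", "ip"), term("classification", "malicious"),
                     term("as_name", as_name, prefix=True), term("is_cnc", True))
```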
Field Reference #
Blacklist Item #
Field | Description |
---|---|
blacklist.description* | string, example: Emotet |
blacklist.source* | string, example: Maltiverse Research Team |
blacklist.first_seen | date (YYYY:MM:DD hh:mm:ss). First date when the blacklist blame was noticed. If not specified, takes the current date value. This date cannot point to the future and must be less than or equal to last_seen |
blacklist.last_seen | date (YYYY:MM:DD hh:mm:ss). Last date when the blacklist blame was noticed. If not specified, takes the current date value. This date cannot point to the future and must be greater than or equal to first_seen |
blacklist.external_references.source_name | string, example: Mitre. The source within which the external reference is defined (system, registry, organization, etc.) |
blacklist.external_references.description | string, example: User Execution: Malicious File. A human-readable description |
blacklist.external_references.url | string($uri), example: https://attack.mitre.org/techniques/T1204/002/. A URL reference to an external resource. |
blacklist.external_references.external_id | string, example: T1204.002. An identifier for the external reference content. |
IP Item #
Field | Description |
---|---|
ip_addr* | string($ipv4), example: 77.53.9.158 |
type* | string, Enum: [ ip ] |
classification* | string, Enum: [ malicious, suspicious, neutral, whitelisted ] |
tag | array of string, uniqueItems: true, example: [ "c&c", "banker", "phishing", "compromised" ] |
blacklist | […] (array of Blacklist Item, see above) |
creation_time | date (YYYY:MM:DD hh:mm:ss), example: 2021-12-27 01:36:09. The date when the indicator was created. If not specified, takes the current date value |
modification_time | date (YYYY:MM:DD hh:mm:ss), example: 2021-12-27 01:36:09. The date when the indicator got its last modification. If not specified, takes the current date value |
country_code | string, minLength: 2, maxLength: 2, example: SE. Country code related to the IP address. |
city | string. City related to the IP address. |
state | string. State related to the IP address. |
location | locationItem {…} |
address | string. Address related to the IP address. |
as_name | string. Autonomous system related to the IP address. |
asn_cidr | string. Autonomous system CIDR related to the IP address. |
asn_country_code | string. Country code related to the IP address. |
asn_date | string. ASN date related to the IP address. |
asn_registry | string. ASN registry related to the IP address. |
cidr | string. CIDR related to the IP address. |
registrant_name | string. Registrant name related to the IP address. |
postal_code | string. Postal code related to the IP address. |
last_updated | date (YYYY:MM:DD hh:mm:ss). Last time the whois record related to the IP address was updated. |
is_iot_threat | boolean, example: false. Flag that determines if the IP address performs malicious activity against Internet of Things targets. |
is_hosting | boolean, example: false. Flag that determines if the IP address is hosting several domains and is considered to be a hosting provider. |
is_cdn | boolean, example: false. Flag that determines if the IP address belongs to a Content Distribution Network. |
is_cnc | boolean, example: false. Flag that determines if the IP address performs Command & Control activities |
is_distributing_malware | boolean, example: false. Flag that determines if the IP address is distributing malware |
is_known_attacker | boolean, example: true. Flag that determines if the IP address is a known attacker |
is_known_scanner | boolean, example: false. Flag that determines if the IP address is a known scanner |
is_mining_pool | boolean, example: false. Flag that determines if the IP address belongs to a mining pool |
is_open_proxy | boolean, example: false. Flag that determines if the IP address behaves like an open proxy |
is_sinkhole | boolean, example: false. Flag that determines if the IP address is a sinkhole that redirects malicious communications to a safe controller |
is_tor_node | boolean, example: false. Flag that determines if the IP address runs a Tor node |
is_vpn_node | boolean, example: false. Flag that determines if the IP address behaves like a VPN node |
Hostname Item #
Field | Description |
---|---|
hostname* | string, example: paypal.com-information-update-activity-account.gq |
type* | string, Enum: [ hostname ] |
classification* | string, Enum: [ malicious, suspicious, neutral, whitelisted ] |
tag | array of string, uniqueItems: true, example: [ "c&c", "banker", "phishing", "compromised" ] |
blacklist | […] (array of Blacklist Item, see above) |
creation_time | date (YYYY:MM:DD hh:mm:ss). The date when the indicator was created. If not specified, takes the current date value |
modification_time | date (YYYY:MM:DD hh:mm:ss). The date when the indicator got its last modification. If not specified, takes the current date value |
is_iot_threat | boolean, example: false. Flag that determines if the hostname performs malicious activity against Internet of Things targets. |
is_alive | boolean, example: false. Flag that determines if the hostname is currently resolving to some IP address. |
is_cnc | boolean, example: false. Flag that determines if the hostname performs Command & Control activities |
is_distributing_malware | boolean, example: false. Flag that determines if the hostname is distributing malware |
is_mining_pool | boolean, example: false. Flag that determines if the hostname belongs to a mining pool |
is_storing_phishing | boolean, example: false. Flag that determines if the hostname is currently hosting some phishing URL. |
is_phishing | boolean example: false Flag that determines if the hostname |
URL Item #
Field | Description |
---|---|
url* | string($uri), example: http://assocolours.com/mu/i/LoginVerification.php |
type* | string, Enum: [ url ] |
classification* | string, Enum: [ malicious, suspicious, neutral, whitelisted ] |
tag | array of string, uniqueItems: true, example: [ "c&c", "banker", "phishing", "compromised" ] |
blacklist | […] (array of Blacklist Item, see above) |
creation_time | date (YYYY:MM:DD hh:mm:ss). The date when the indicator was created. If not specified, takes the current date value |
modification_time | date (YYYY:MM:DD hh:mm:ss). The date when the indicator got its last modification. If not specified, takes the current date value |
is_iot_threat | boolean, example: false. Flag that determines if the URL performs malicious activity against Internet of Things targets. |
is_alive | boolean, example: false. Flag that determines if the URL's hostname is currently resolving to some IP address. |
is_cnc | boolean, example: false. Flag that determines if the URL performs Command & Control activities |
is_distributing_malware | boolean, example: false. Flag that determines if the URL is distributing malware |
is_phishing | boolean example: false Flag that determines if the hostname |
Sample Item #
Field | Description |
---|---|
md5 | string, minLength: 32, maxLength: 32 |
sha1 | string, minLength: 40, maxLength: 40 |
sha256* | string, minLength: 64, maxLength: 64, example: a6dd716f4ef6ec69f14720e41a9f04b577413283ddae601dba88421c0c4e4044 |
filename | string, example: dropper.exe |
antivirus.name | string, example: Trojan.Linux.Mirai.1 |
antivirus.description | string, example: FireEye |
filetype | string |
type* | string, Enum: [ sample ] |
classification* | string, Enum: [ malicious, suspicious, neutral, whitelisted ] |
tag | array of string, uniqueItems: true, example: [ "rat", "ransomware", "banker", "geodo" ] |
blacklist | […] (array of Blacklist Item, see above) |
creation_time | date (YYYY:MM:DD hh:mm:ss). The date when the indicator was created. If not specified, takes the current date value |
modification_time | date (YYYY:MM:DD hh:mm:ss). The date when the indicator got its last modification. If not specified, takes the current date value |
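The tables above state several constraints (starred required fields, the classification enum, hash lengths, the two-letter country_code, and the first_seen/last_seen ordering and not-in-the-future rules for blacklist entries) that are worth checking before an indicator is submitted rather than discovering them as API errors. The following added example, not Maltiverse code, validates a record against those constraints; it assumes timestamps look like the documented example `2021-12-27 01:36:09`, and `parse_date` and `validate` are hypothetical helper names.

```python
"""Validate an indicator record against the constraints in the field reference."""
from datetime import datetime

CLASSIFICATIONS = {"malicious", "suspicious", "neutral", "whitelisted"}
# Starred key field each indicator type must carry.
KEY_FIELD = {"ip": "ip_addr", "hostname": "hostname", "url": "url", "sample": "sha256"}
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
# Assumption: timestamps look like the documented example, 2021-12-27 01:36:09.
DATE_FMT = "%Y-%m-%d %H:%M:%S"


def parse_date(value: str) -> datetime:
    """Parse a creation_time / first_seen style timestamp."""
    return datetime.strptime(value, DATE_FMT)


def validate(item: dict, now=None) -> list:
    """Return the list of constraint violations; empty means the record is valid."""
    now = now or datetime.now()
    errors = []
    itype = item.get("type")
    if itype not in KEY_FIELD:
        errors.append(f"type must be one of {sorted(KEY_FIELD)}")
    elif not item.get(KEY_FIELD[itype]):
        errors.append(f"{KEY_FIELD[itype]} is required for type {itype}")
    if item.get("classification") not in CLASSIFICATIONS:
        errors.append("classification must be malicious, suspicious, neutral or whitelisted")
    for name, length in HASH_LENGTHS.items():
        h = item.get(name)
        if h is not None and (len(h) != length or not all(c in "0123456789abcdef" for c in h.lower())):
            errors.append(f"{name} must be {length} hex characters")
    cc = item.get("country_code")
    if cc is not None and len(cc) != 2:
        errors.append("country_code must be exactly 2 characters")
    for i, bl in enumerate(item.get("blacklist", [])):
        for req in ("description", "source"):
            if not bl.get(req):
                errors.append(f"blacklist[{i}].{req} is required")
        try:  # absent dates default to now, as the tables state
            first = parse_date(bl["first_seen"]) if "first_seen" in bl else now
            last = parse_date(bl["last_seen"]) if "last_seen" in bl else now
        except ValueError:
            errors.append(f"blacklist[{i}] dates must look like 2021-12-27 01:36:09")
            continue
        if first > now or last > now:
            errors.append(f"blacklist[{i}] first_seen/last_seen cannot be in the future")
        if first > last:
            errors.append(f"blacklist[{i}] first_seen must be <= last_seen")
    return errors
```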