Entities are used to describe types of information, while Maltego does come with a number of pre-configured entities there may be cases where you want to create your own entities. These cases could be because you are simply building up a mind map of offline information or that you have developed transforms for a type of information not covered by the default.
CaseFile comes with a lot more entities than Maltego and while these can be imported into Maltego they will not have transforms associated with them. If you wish to use these you can simply follow the distribution guide for these transforms.
Creating your own entities within Maltego is a very simple and painless process, once again guided by a wizard. First under the Manage tab select the the "New Entity Type" dropdown. This will give you the options for creating a basic entity and an advanced one. For the majority of entity creation the simple wizard will provide all the functionality required.
The default guide will initially greet you with the following screen:
The fields for this wizard are as follows:
Display Name - The name shown in the client.
Short Description - A description shown when a Maltego user hovers over the entity in the pallette.
Unique Type Name - This is *VERY* important and cannot be changed. This is essentially the variable name used within transforms and should carefully describe what the piece of information (entity) is. Generally it is suggested that you use something in the format of organisation_section.information_type, eg. MyCompany.SecurityIncident.
Transforms are designed to run only on a specific type, for example you can run the 'To MX Record' transform on a Domain, but not on a person. Sometimes however you do want transforms to run on additional entities that might extend base entities. One example of this is that you could have an "internal user" entity that has all of the properties of the default Person entity (firstname, lastname) but also contains additional fields such as 'Username' and 'Organisational Unit'. Rather than re-create all of the default Person entities you can now simply have your "internal user" entity inherit from a Person entity. What this means is that the default Person entity will only have the normal transforms associated with it whilst the "internal user" entity will have both the normal person transforms as well as the ones built specifically for internal user.
Icons are used throughout the tool and are available in two different sizes: 16x16 and 48x48 pixels. The smaller icons are used within the palette whilst the larger ones within the graph area. When choosing icons you can either use some of the preconfigured icons that come with the tool or add your own.
To add a preconfigured icon simple click browse and use the tabs at the top of the screen to select the icon you wish, as seen below:
If you wish to add your own icons, you can create these as a set by clicking on the browse button. From here select the manage tab and follow as per the images below:
Properties for an entity describe the fields that an entity contains. A number of entities contain just a single field such as a DNS Name and for most entities creating a single field is enough. The fields on this screen will seldomly need to be changed and for the most part you will merely need to populate the display name, short description and sample value. The data type dropdown allows you to select a different data type.. We recommend that you make this setting a string as it provides a lot more flexibility to use different types of data.
The final screen of the basic wizard allows you to select a palette category to add the new entity to, this can either be a new category (simply fill in the name) or select a currently configured category from the wizard as seen below:
The advanced wizard has the same primary functions as the basic wizard mentioned above apart from three new sections: Additional Properties, Display Settings, Advanced Settings. These sections are each individually covered below:
Entities for the most part contain a single property (that is shown on the graph, covered in the Display Settings section next). However there are times where entities need to contain multiple pieces of information, for example if you had a domain you would need the domain (obviously!) but you might also want to store the whois information associated with that domain. This information is stored in properties within the entity. To add a property to an entity within the "Additional Properties" screen simply click on "Add Property" and fill in the details. These details are the same as the previous section:
Name - This is the variable name, we recommend using something that describes the type of information and something you will remember!
Display Name - The description displayed within the client to the end user, make this as descriptive as possible.
Type - Different types of information, we recommend using a string as it allows for the most flexibility in what you can extend.
Display settings determine 3 different properties for an entity: what is edited when changing the value on the graph, what is displayed on the graph and what icon should be used in place of the default icon. It might seem very strange to have a different property edited to what is displayed but as an example to illustrate this look at the URL entity. Whilst you still need the actual URL of a page (that could be very long) you do not want that displayed on the graph, but rather something like the title of the page.
Edit Value - This property determines which field is edited when you double click on the entity text by default.
Display Value - The property that is displayed on the graph.
Large Image - If a property is a URL to an image you can use this to replace the icon on the graph (useful for showing things like a thumbnail of a website where it is different for each website entity).
The final section of the advanced wizard allows you to set the plural options for when multiple entities are described in the tool as well as configure regular expressions for property mapping and clipboard pasting:
Regular Expression for matching entities
The above image describes the regular expression used for matching a domain entity with the tool, essentially when you paste into the graph the tool will compare the text pasted to the regular expression and if matched automagically create an entity of that type. The regular expression for a domain is as follows:
Apart from matching you can also populate specific fields within the tool. An example of this is the person entity which when pasting will automatically populate the firstname and last name fields of the entity if you paste something such as "Andrew MacPherson" into the tool.