STIXViz Usage
The STIXViz proof of concept prototype can be used to visually explore relationships defined in STIX data files. For the examples shown, the files Mandiant_APT1_Report.xml and Appendix_G_IOCs_Full.xml have been loaded. The files are available from http://stix.mitre.org/downloads/APT1-STIX.zip.
Figure 1 shows a tree containing all of the entities in the two files. The nodes in the top row are grouping nodes for entities of a particular type. A single click will expand a node to show its children.
In this case, the ThreatActor node has been clicked. Then the China Pudong New Area node, the APT1 TTP, and the Utility Indicator nodes have been clicked in turn.
You can see both down arrows and up arrows in the tree. Down arrows indicate that the child node is referenced by the parent. For instance, the APT1 TTP shown is an Observed_TTP for the selected ThreatActor. Up arrows indicate that the child node references the parent. In this tree, the GDOCUPLOAD indicator specifies the APT1 TTP as an Indicated_TTP. Additionally, indicators are grouped by indicator type.
Also, note that the tree is really a graph in tree form (we call it an "infinite tree"). The APT1 TTP node is a child of the China Pudong New Area ThreatActor, and the same ThreatActor is a child of that TTP.
As you expand the tree, hovering over a node will highlight that node and any other copies of it that are currently visible in the infinite tree. This can be seen in Figure 2.
Additionally, double-clicking a node will cause it to become the root of the tree, hiding nodes along other paths. Figure 3 shows a subtree with the China Pudong New Area ThreatActor as its root. Double-clicking again will re-display the entire tree.
Figure 4 shows the interaction of STIXViz and the XSLT transform. In this image, we right-clicked on the APT1 TTP node and selected 'show HTML' to display the transform. Very large files could take a minute or two to process.
