User-level tooling can help abstract away the STIX XML and provide you with different views or capabilities for working with STIX that may not require you to know XML at all. Currently, the two more capable user-level tools are STIXViz and STIX to HTML.
A visualization tool that renders STIX documents in three unique ways which capture and present hierarchical, relational, and temporal perspectives of the content.
STIXViz is implemented in JavaScript as a standalone application using the node-webkit application runtime, which is based on the Chromium rendering engine and node.js. It is packaged and available for download as both a Windows and an OS X executable, but when built from source it can run on other platforms or could even be integrated into a webpage.
STIXViz helps you understand the connections and relationships between the components of a STIX document through three different views:
STIXViz also includes the STIX to HTML transform as a component, allowing users to view the details and contents of the rendered nodes.
If you’re just starting out in STIX and want to see what it’s capable of, we suggest downloading STIXViz and opening up the more complex reports available on the STIX Sample Reports page (e.g., FireEye Poison Ivy Report and Mandiant APT1 Report) in the tool.
STIX to HTML is an XSLT stylesheet that can transform a STIX XML document into a human-readable HTML view. It was designed to be leveraged by developers, either as a mechanism for batch rendering STIX documents or to be embedded as a visualization component within a STIX-capable application.
The STIX to HTML transform is leveraged by STIXViz to display the contents and details of individual components.
Because STIX to HTML is an XSLT stylesheet, users must be familiar with XSLT or XSLT processing libraries/engines (e.g., Saxon or libxslt) in order to use it. If you’re not familiar with XSLT or how to run it against XML, we suggest downloading STIXViz and looking at the STIX to HTML output that it includes instead.
Because STIX to HTML was created by and for developers, allowing for customization and extension was a priority. Documentation on how to customize STIX to HTML to fit your application/operational needs is also available.
The STIX project develops and maintains utilities for the STIX community which generate, translate, or otherwise leverage STIX content in useful ways. Many of our projects utilize our own developer tools and APIs, so other developers can use these utilities as examples of how to navigate the STIX API landscape!
OpenIOC to STIX is a Python utility to convert Mandiant’s OpenIOC format into STIX Indicators (with CybOX Observables). This tool was used to generate the Indicators file in the APT1 report mapping on the STIX Sample Reports page.
While useful for its stated purpose, the other way to use this tool is as an example of how to generate STIX content programmatically using the machine-generated bindings included in the python-stix APIs. Looking through the source code is a great way to see how they work and how to import/use them, in particular for generating indicators with CybOX content.
STIX Validator is a command-line Python utility which validates STIX XML documents in three different ways:
The STIX Validator can also translate Excel STIX Profiles into either ISO Schematron or XSLT documents to be used within other applications or validation environments.
The Java STIX Validator is a JavaFX application which can perform STIX XML Schema validation via a graphical user interface.
The STIX project develops and maintains APIs which aid developers in parsing, creating, and manipulating STIX content programmatically.
The python-stix APIs provide machine-generated bindings and higher-level APIs that aid in the creation, consumption, and manipulation of STIX content. STIX documents can be serialized to and from Python dictionaries, JSON, and schema-valid XML documents.
Our hope is to lift developers above the XML and allow them to focus on creating and parsing cyber threat intelligence as STIX without having to worry about things like XML namespaces, document ordering of elements, or schema locations.
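What the namespace handling mentioned above involves when done by hand, shown as an added example that is not python-stix code and not part of the original page. It uses only the Python standard library, the sample document and its "example" prefix are constructed, and it resolves each indicator's xsi:type through the in-scope prefix declarations rather than trusting the prefix text.

```python
import io
import xml.etree.ElementTree as ET

# Namespace URIs used by STIX 1.x documents.
STIX = "http://stix.mitre.org/stix-1"
INDICATOR = "http://stix.mitre.org/Indicator-2"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample. The Indicator namespace is bound to "ind" on purpose:
# prefixes are arbitrary, only the URI identifies the vocabulary.
SAMPLE = b"""<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:ind="http://stix.mitre.org/Indicator-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:example="http://example.com" id="example:Package-0001">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-0001" xsi:type="ind:IndicatorType">
      <ind:Title>Constructed file-hash indicator</ind:Title>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-0002" xsi:type="ind:IndicatorType">
      <ind:Title>Constructed domain indicator</ind:Title>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def resolve_qname(qname, scopes):
    """Expand a prefixed QName to {uri}local using in-scope declarations."""
    prefix, _, local = qname.rpartition(":")
    for declared, uri in reversed(scopes):  # innermost declaration wins
        if declared == prefix:
            return f"{{{uri}}}{local}"
    if not prefix:
        return local  # unprefixed name with no default namespace
    raise ValueError(f"undeclared namespace prefix in {qname!r}")


def list_indicators(xml_bytes):
    """Return (id, resolved xsi:type, title) for every stix:Indicator."""
    scopes, found = [], []
    events = ("start-ns", "end-ns", "end")
    for event, payload in ET.iterparse(io.BytesIO(xml_bytes), events=events):
        if event == "start-ns":
            scopes.append(payload)  # (prefix, uri) declared by the next element
        elif event == "end-ns":
            scopes.pop()  # declaration went out of scope
        elif payload.tag == f"{{{STIX}}}Indicator":
            xsi_type = payload.get(f"{{{XSI}}}type")
            found.append((payload.get("id"),
                          xsi_type and resolve_qname(xsi_type, scopes),
                          payload.findtext(f"{{{INDICATOR}}}Title")))
    return found
```

A consumer that compared the raw attribute against the string "indicator:IndicatorType" would miss both indicators in this sample, because the producer bound the same namespace to a different prefix.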
The STIX project provides a java-stix library for both Java and JAXB XML developers. It provides convenience methods to the XJC generated JAXB model. java-stix is not intended to be a one-for-one replacement for the python-stix API.
Please send any feedback about java-stix to stix@mitre.org.
The STIX project does not provide bindings for .NET. Community members, however, have used Microsoft’s standard XML tooling to work with STIX documents and create useful utilities.
We would be glad to link to a .NET project providing bindings. Please contact us at stix@mitre.org.
Using JRuby, it’s possible to use generated JAXB or XMLBeans bindings and import them into Ruby via a Rubygem. Though we don’t provide this capability, the process is essentially:
We would be glad to link to a Ruby project providing bindings. Please contact us at stix@mitre.org.