Getting Started
How threatTRANSFORM works.

Installation

Feel free to test out the threatTRANSFORM demo site at https://www.threattransform.com/try.html. However, if you would like to install it locally, follow the instructions below.

Requirements:
1. A webserver (any sort of web container such as Apache, Tomcat, IIS, etc. should do)
2. Any modern browser, though it works best with Chrome.

Instructions:
1. Go to https://github.com/threatTransform/threatTransform
2. Clone a copy of threatTRANSFORM
3. Copy the files and directories to your webserver of choice

Using

Creating STIX™ datasets can be confusing and time-consuming. threatTRANSFORM makes it really easy in three simple steps. Just get your data ready and head over to your local copy of threatTRANSFORM or try out the demo site, https://www.threattransform.com/try.html.

Step 1: Input

There are three sections on the threatTRANSFORM page. You can click a section heading to expand or contract the section. The available options change based on the Package Intent you select. For example, for the Campaign Characterization package intent you can add Intended Effects and Courses of Action. Make sure you click the Add link under those so that they get saved as you continue to generate your dataset.

Step 2: Generate

Little did you know, but your STIX™ dataset was being generated on the fly. Take a look at the bottom XML Output section and you’ll see your masterpiece. If you need to make a change, you can go back up and edit the other sections. The XML will dynamically update. At this point you can either copy the XML from the XML Output field or save it into an XML document. To download a generated XML document, just choose Final or Draft and click the Save button.

Step 3: Apply

Now you can take your STIX™ dataset and share it directly with others or save it in a database, CMS, SIEM or your favorite big data solution. This standardized structured representation of threat data makes it much easier for you to share, correlate, search, and report your data. Enjoy!

Improving

threatTRANSFORM was created to address issues that many security professionals face in sharing and analyzing threat information. Since STIX is rapidly evolving, threatTRANSFORM needs to quickly change and improve too. Please consider improving it and sharing with the community. There are still many STIX types that need to be modelled, and forms that need to be created. Please check out the technical section below to see how you can start contributing now.

Behind the Scenes: Modeling STIX XML as JavaScript Objects

Each STIX object is created by implementing the XmlWrapper class. Below is the STIX Statement type, which has sub-elements of value, description and confidence. The XML is rendered in the toString method.

function StixStatement() {
        // Each sub-element is an XmlWrapper configured with its tag and extra attributes.
        this.value = new XmlWrapper().tag('stixCommon:Value')
                                     .additional('xsi:type="stixVocabs:IntendedEffectVocab-1.0"');
        this.description = new XmlWrapper().tag('stixCommon:Description');
        this.confidence = new XmlWrapper().tag('stixCommon:Confidence')
                                          .additional('vocab_name="CONFIRMED/POSSIBLE/UNKNOWN/DISPROVED"');
        this.toString = function() { // render XML
            // Declared locally so it does not leak into the global scope.
            var text = this.value.toString() + this.description.toString() + this.confidence.toString();
            return text;
        };
}

The IntendedEffect object maps to the STIX defined "Intended Effect":

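function IntendedEffect(scope) {
        // scope is the namespace prefix of the parent construct; it becomes part of the element name.
        this.tag = scope + ':Intended_Effect';
        this.statement = new StixStatement();
        this.toString = function() {
            // Declared locally so it does not leak into the global scope.
            var text = '<' + this.tag + '>\n' + this.statement.toString() + '</' + this.tag + '>';
            return text;
        };
}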

It implements the previously defined StixStatement object and also renders itself via toString. New STIX objects can be mapped easily by choosing the elements you want to represent, and then defining them as JavaScript objects.

Once you have wired up your models, you simply need to define a function in the angular controller ttFormCntrl that can add them to a collection:

$scope.addIntendedEffect = function() {
        // Build the model from the current form values and add it to the collection.
        var ie = new IntendedEffect($scope.ieObject.ieScope);
        ie.statement.description.val($scope.ieObject.ieDescription);
        ie.statement.value.val($scope.ieObject.ieValue.value);
        ie.statement.confidence.val($scope.ieObject.ieConfidence.value);
        $scope.intendedEffects.push(ie);
};
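
The models above build XML by string concatenation, and the description comes from a free-text form field, so whatever renders the element has to escape it. The sketch below is an added example, not threatTRANSFORM's code: `SafeXmlWrapper` is a hypothetical stand-in for `XmlWrapper` (whose implementation is not shown on this page), and `escapeXml`, the scope check, the rendered layout and the sample values are assumptions.

```javascript
// Added example: hypothetical stand-in for XmlWrapper, not the project's class.
// Only tag(), additional(), val() and toString() are taken from the page.
function escapeXml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' }[c];
  });
}

function SafeXmlWrapper() {
  var tagName = '', attrs = '', value = '';
  this.tag = function (t) { tagName = t; return this; };
  // Attribute text is written by the developer, never taken from form input.
  this.additional = function (a) { attrs = a; return this; };
  this.val = function (v) { value = (v == null) ? '' : v; return this; };
  this.toString = function () {
    // Element content is user-controlled, so it is escaped at render time.
    return '<' + tagName + (attrs ? ' ' + attrs : '') + '>' +
           escapeXml(value) + '</' + tagName + '>\n';
  };
}

function SafeStatement() {
  this.value = new SafeXmlWrapper().tag('stixCommon:Value')
    .additional('xsi:type="stixVocabs:IntendedEffectVocab-1.0"');
  this.description = new SafeXmlWrapper().tag('stixCommon:Description');
  this.confidence = new SafeXmlWrapper().tag('stixCommon:Confidence');
  this.toString = function () {
    return this.value.toString() + this.description.toString() + this.confidence.toString();
  };
}

function SafeIntendedEffect(scope) {
  // scope ends up inside an element name, so accept only a plain XML prefix.
  if (!/^[A-Za-z_][\w.-]*$/.test(scope)) throw new Error('invalid scope: ' + scope);
  this.tag = scope + ':Intended_Effect';
  this.statement = new SafeStatement();
  this.toString = function () {
    return '<' + this.tag + '>\n' + this.statement.toString() + '</' + this.tag + '>';
  };
}

// Constructed sample input: a description that tries to close its own element.
function renderSample() {
  var ie = new SafeIntendedEffect('campaign');
  ie.statement.value.val('Theft');
  ie.statement.description.val('R&D theft </stixCommon:Description><injected/>');
  ie.statement.confidence.val('High');
  return ie.toString();
}
```

With escaping at render time, the markup typed into the description stays text inside a single `stixCommon:Description` element instead of becoming new elements in the shared document.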
                    

Form and Function: Form Units

threatTRANSFORM uses reusable "form units" to create complex forms for user input:

        <div class="col-md-6">
            <div class="badger-left" data-badger="Intended Effects">
                <span>{{ieCount()}} Intended Effects defined in this document</span>
                <form ng-submit="addIntendedEffect()">
                    <div class="form-group">
                        <label for ="ieValue"> Intended Effect </label>
                        <select ng-model="ieObject.ieValue" 
                        class="form-control" 
                        ng-options="intendedEffect.value for intendedEffect in intendedEffectsEnum | orderBy: 'value'" 
                        id="ieValue">
                        </select>
                    </div>
                    <div class="form-group">
                        <label for ="ieDescription"> Description </label>
                        <textarea class="form-control" 
                        ng-model="ieObject.ieDescription" 
                        id="ieDescription" 
                        rows="5">
                        </textarea>
                    </div>
                    <div class="form-group">
                        <label for ="ieConfidence"> Confidence </label>
                        <select ng-model="ieObject.ieConfidence" 
                        class="form-control" 
                        ng-options="confidence.value for confidence in confidenceEnum | orderBy: 'value'" 
                        id="ieConfidence">
                        </select>
                    </div>
                    <input type="button" class="btn-link" ng-click="addIntendedEffect()" value="Add Intended Effect">
                </form>
            </div>
        </div>