Extension Definition links not rendering as edges on the graph

Open himynamesdave opened this issue 4 months ago • 0 comments

STIX 2.2 is pushing a move towards increased use of extension definitions to add new objects or add new properties to existing objects.

e.g.

{
    "type": "attack-action",
    "spec_version": "2.1",
    "id": "attack-action--e97912d9-2058-510f-8e1b-728015f789e7",
    "created": "2025-08-27T05:24:18.87093Z",
    "modified": "2025-08-27T05:24:18.87093Z",
    "technique_id": "T1204.002",
    "technique_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
    "tactic_id": "TA0002",
    "tactic_ref": "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5",
    "name": "User executes extracted malicious file",
    "effect_refs": [
        "attack-action--282f141b-791f-53e6-a9be-8b56775b2864"
    ],
    "description": "After extraction, the user opens the embedded file (e.g., .doc, .pdf, .xls such as malware.pdf, or the executable bad.com), causing the malicious payload to run.",
    "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
            "extension_type": "new-sdo"
        }
    }
},
{
    "type": "extension-definition",
    "spec_version": "2.1",
    "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
    "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
    "created": "2022-08-02T19:34:35.143Z",
    "modified": "2022-08-02T19:34:35.143Z",
    "name": "Attack Flow",
    "description": "Extends STIX 2.1 with features to create Attack Flows.",
    "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
    "version": "2.0.0",
    "extension_types": [
        "new-sdo"
    ],
    "external_references": [
        {
            "source_name": "Documentation",
            "description": "Documentation for Attack Flow",
            "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
            "source_name": "GitHub",
            "description": "Source code repository for Attack Flow",
            "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
    ]
}

The relationship is defined in the object under extensions, e.g. extensions.extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4

stixview should support the rendering of edges to visualise this relationship.

Example of how it looks now

Image

himynamesdave, Sep 04 '25 09:09
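
As an added example (not code from stixview or from the issue author), one way a renderer could turn the `extensions` keys described in the issue into graph edges. The names `extensionEdges`, `label` and `dangling` and the two constructed sample objects are assumptions; keys that are not extension-definition ids, such as the predefined `archive-ext`, produce no edge.

```javascript
// Added example: derive graph edges from the `extensions` map of STIX objects.
// extensionEdges, label and dangling are hypothetical names, not stixview API.
const EXT_ID =
  /^extension-definition--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

function extensionEdges(objects) {
  const known = new Set(objects.map((o) => o.id));
  const edges = [];
  for (const obj of objects) {
    const ext = obj.extensions;
    if (ext === null || typeof ext !== 'object' || Array.isArray(ext)) continue;
    for (const [key, value] of Object.entries(ext)) {
      // Predefined extensions (e.g. "archive-ext") are keyed by name, not by
      // an extension-definition id, so there is no object to link to.
      if (!EXT_ID.test(key)) continue;
      edges.push({
        source: obj.id,
        target: key,
        label: (value && value.extension_type) || 'extension',
        dangling: !known.has(key), // definition object absent from the bundle
      });
    }
  }
  return edges;
}

// Sample input: the first two objects are trimmed from the issue; the last two
// (file and indicator) and their ids are constructed for illustration.
const EXT = 'extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4';
const MISSING = 'extension-definition--11111111-1111-4111-8111-111111111111';
const sample = [
  { type: 'attack-action',
    id: 'attack-action--e97912d9-2058-510f-8e1b-728015f789e7',
    extensions: { [EXT]: { extension_type: 'new-sdo' } } },
  { type: 'extension-definition', id: EXT, extension_types: ['new-sdo'] },
  { type: 'file', id: 'file--00000000-0000-4000-8000-000000000000',
    extensions: { 'archive-ext': { contains_refs: [] } } },
  { type: 'indicator', id: 'indicator--22222222-2222-4222-8222-222222222222',
    extensions: { [MISSING]: { extension_type: 'property-extension' } } },
];

console.log(extensionEdges(sample));
```

The `dangling` flag lets a viewer draw the edge differently, or skip it, when the referenced extension-definition object was not shipped in the same bundle.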