To get an idea of what MANTIS currently provides, take a look at the following screenshots.
Django’s standard login screen, rendered with the Grappelli skin that is used by Mantis. You can customize Django to do authentication differently (see the Django documentation on customizing authentication.)
The screenshot below shows the overview of imported information objects right after import of MITRE’s conversion of the MITRE STIX conversion of APT-1 report. We imported the top-level STIX package and the Appendix G with full indicators of compromise (i.e., Mandiant OpenIOC is embedded into the STIX XML). The count shows a quite large number of objects, and we obviously need a way to find our way around. So in the next step, we filter the list a bit.
The filter box on the page showing the information object list allows filtering with respect
to several commonly used criteria. Here, we filter by information object type, and chose
Filtering results for
STIX_Packages yields two results: the package that represents
the top-level of the APT-1 report and the package that represents appendix G.
Clicking on the STIX package for the top-level of the APT-1 report shows MANTIS’s representation of the info object:
At the top, we have identifiying information.
The bulk of the display in the center concerns the facts contained in the object (the color coding shows the structuring of the facts – it takes a bit of getting used to ... but this is just a view after all: you can create a view that suits you better.)
The fact values that appear in blue are actually links to other info objects that have been extracted from the STIX package. You see two objects called
PLACEHOLDER: as it turns out, the STIX package references these two objects without actually defining them. Would they be imported at a later point of time (identified by identifier and namespace of the identifier), the placeholders would be overwritten.
The view also shows the marking that has been extracted and associated with this info object and all other info objects extracted from the STIX package.
Curently, there is a single revision of the object in the system. If there were more revisions, these would be shown (as well as whether the revision you are looking at is the most recent revision).
This information object is not embedded in another info object; if it were, information about these objects would be displayed.
Clicking on the value of the third fact with fact term
we see the facts contained in this info object ... and now there
is also information about info objects in which this info object is
Clicking once more, this time into an address object (here, the pre-defined
naming schema did not work and produced the name
AddressObject (4 facts) –
but you can configure additional naming schemas), we view another info object:
Again, we have information about which objects this particular object is embedded in: we get two results, and two times the same object, because it has been referenced two times (once by mistake, it seems.)
Mantis stores objects internally as lists of facts (refer to the DINGOS model description to learn more about the internal data model), but can also produce a JSON representation of each object.
Unfortunately, the JSON representation has still a slight problem: in the last few
lines, the identifiers for
@kill_chain_id would have to be
treated akin to the “normal” references using
STIX is very flexible and allows the embedding of other standards, such as Mandiant’s OpenIOC. For example, the MITRE STIX conversion of APT-1 report contains one version of the “Appendix G”, that contains embedded OpenIOC indicators. The Mantis STIX importer recognizes such occurrences and hands off to the Mantis OpenIOC importer.
Clicking on the embedded
ioc object (here, the naming went wrong, it should display the value of the
in the IOC) in line
Test_Mechanisms/Test_Mechanism/ioc yields a view of the imported OpenIOC info object.
We also can search for facts:
The search page allows us to search for values, e.g. the word
This yields several results. The display shows the info objects in which
the value occurs, the info object type of these objects, and the
fact term under which the value occurs.
Clicking on one of the objects shows the object and marks in red the occurrence of the searched term.
Django features a very powerful admin interface. We us it to view and manage enumerables such as info object types, fact data types, etc.
For example, here the list of info object types in the system.
Access to the info object types via the admin interface is especially relevant, because naming schemas that govern how objects are named are defined per info object type.