Commit

Added diagrams and JSON, removed items
--Added diagrams to index.md for STIX and TAXII
--Added JSON and a diagram to compare.md
--Removed TAXII and STIX about pages from the menu
--Edited CSS for images
ATweedMITRE committed Feb 9, 2017
1 parent dad46be commit 2858b12
Showing 9 changed files with 90 additions and 27 deletions.
14 changes: 7 additions & 7 deletions _includes/header.html
@@ -11,9 +11,9 @@
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>

</div>

<div id="navbar" class="collapse navbar-collapse">
<ul class="nav navbar-nav">
<li>
@@ -25,28 +25,28 @@
{% for pg in site.pages %}
{% if pg.categories contains 'stix' and (pg.title or pg.short_title) %}
<li {% if p.url == page.url %}class="active"{% endif %}>
{% include page-link.html p=pg %}
{% include page-link.html p=pg %}
</li>
{% endif %}
{% endfor %}
</ul>
</li>
<li class="dropdown">
<!-- <li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true">TAXII <span class="caret"></span></a>
<ul class="dropdown-menu">
{% for pg in site.pages %}
{% if pg.categories contains 'taxii' and (pg.title or pg.short_title) %}
<li {% if p.url == page.url %}class="active"{% endif %}>
{% include page-link.html p=pg %}
{% include page-link.html p=pg %}
</li>
{% endif %}
{% endfor %}
</ul>
</li>
</li> -->
{% for pg in site.pages %}
{% unless (pg.categories contains 'taxii' or pg.categories contains 'stix') %}
<li>
{% include page-link.html p=pg %}
{% include page-link.html p=pg %}
</li>
{% endunless %}
{% endfor %}
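Review bot: commenting the TAXII dropdown out with an HTML comment (`<!-- <li class="dropdown">` ... `</li> -->`) does not stop Jekyll from rendering it. Liquid runs before the HTML is emitted, so the `{% for pg in site.pages %}` loop and the `{% include page-link.html p=pg %}` lines inside the comment still execute and their output ships inside the comment in every generated page. Either delete the block outright (git history keeps it) or wrap it in `{% comment %}` ... `{% endcomment %}` so nothing is rendered. Separately, the active-class test on both dropdown `<li>` lines compares `p.url` while the loop variable is `pg`, so `class="active"` is never emitted; it should read `{% if pg.url == page.url %}`.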
3 changes: 3 additions & 0 deletions _sass/_layout.scss
@@ -208,6 +208,9 @@ nav.navbar {
width: 50%;
padding: 10px;
}
.panel .figure {
width: 100%;
}
.figure img {
padding-bottom: 15px;
}
7 changes: 0 additions & 7 deletions about.md

This file was deleted.

Binary file added img/STIXdiagram3.PNG
Binary file added img/taxii_diagram.png
12 changes: 12 additions & 0 deletions index.md
@@ -25,6 +25,12 @@ layout: default
<p>
STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.
</p>
<p>
<div class="figure center-block text-center" markdown="span">
![STIX 2.0 Diagram 2]({{ site.baseurl }}/img/STIXdiagram2.PNG){: .figure-img .img-fluid}
**STIX Relationship Diagram with Sighting**
</div>
</p>
<h3>Sample:</h3>
{% highlight json%}
{
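Review bot: the new STIX figure is a `<div class="figure center-block text-center" markdown="span">` nested inside a `<p>` ... `</p>` pair. A `<div>` is not permitted inside `<p>`, so the HTML parser closes the paragraph before the div and the trailing `</p>` becomes a stray end tag. Drop the wrapping `<p>` and `</p>` and let the div stand on its own, as the same figure markup already does in stix/walkthrough.md.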
@@ -63,6 +69,12 @@ layout: default
</p>
TAXII is specifically designed to support the exchange of CTI represented in STIX.
</p>
<p>
<div class="figure center-block text-center" markdown="span">
![TAXII Collections and Channels]({{ site.baseurl }}/img/taxii_diagram.png){: .figure-img .img-fluid}
**TAXII Collections and Channels**
</div>
</p>
<p>
<h3>Links:</h3>
<ul>
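Review bot: the TAXII figure `<div class="figure center-block text-center" markdown="span">` is likewise wrapped in `<p>` ... `</p>`; a div cannot sit inside a paragraph, so browsers close the `<p>` early and the closing `</p>` is orphaned. Remove the wrapper here too; the figure blocks in stix/walkthrough.md are bare divs and render correctly.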
66 changes: 66 additions & 0 deletions stix/compare.md
@@ -23,10 +23,53 @@ All objects in STIX 2.0 are [at the top-level](https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.l326yout8qc1)

The generic TTP (tactics, techniques, procedures) and Exploit Target types from STIX 1.x have been split into separate top-level objects (Attack Pattern, Malware, Tool and Vulnerability) with specific purposes in STIX 2.0.

### Sample SDO

```
{
"type": "attack-pattern",
"id": "attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b",
"created": "2015-05-15T09:11:12.515000Z",
"modified": "2015-05-15T09:11:12.515000Z",
"name": "Initial Compromise",
"external_references": [
{
"source_name": "capec",
"description": "spear phishing",
"external_id": "CAPEC-163"
}
],
"kill_chain_phases": [
{
"kill_chain_name": "mandiant-attack-lifecycle-model",
"phase_name": "initial-compromise"
}
]
}
```

## Relationships as top-level objects

STIX 2.0 introduces a top-level [Relationship object](https://docs.google.com/document/d/1IcA5KhglNdyX3tO17bBluC5nqSf70M5qgK9nuAoYJgw/edit#heading=h.l326yout8qc1), which links two other top-level objects via a named relationship type. STIX 2.0 content can be thought of as a connected graph, where nodes are SDOs and edges are Relationship Objects. The STIX 2.0 specification suggests different named relationships, but content producers are able to define their own. In STIX 1.x relationships were “embedded” in other objects. The types of relationships supported was restricted by the STIX 1.x specification. Because STIX 1.x relationships themselves were not top-level objects, you could not express a relationship between two objects without changing one of them. In CTI, it is often desirable for others to assert a relationship. Using this new Relationship object, others, besides the original content creator, can add to the shared knowledge in an independent way.

### Sample Relationship

```
{
"type": "relationship",
"id": "relationship--1fbd9a8d-4c14-431c-9520-3ccc50b748c1",
"created": "2017-02-09T11:13:27.431000Z",
"modified": "2017-02-09T11:13:27.431000Z",
"relationship_type": "uses",
"source_ref": "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4",
"target_ref": "tool--806a8f83-4913-4216-bb19-02b48ae25da5"
}
```
<div class="figure center-block text-center" markdown="span">
![STIX 2.0 Diagram 3]({{ site.baseurl }}/img/STIXdiagram3.PNG){: .figure-img .img-fluid}
**STIX Diagram Showing Attack Pattern using a Tool**
</div>

## Streamlined Model

Experience with STIX 1.x showed that a common set of features were widely used and well understood while many other features lacked shared understanding and had only limited, if any use at all. In addition, almost all properties of objects were optional. Overall, the breadth of STIX 1.x was an impediment to sharing intelligence, and necessitated a formal agreement among threat groups on what should be shared (i.e., profiles).
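Review bot: the Sample Relationship does not connect to the Sample SDO shown just above it: its `source_ref` is `attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4`, while the sample Attack Pattern's `id` is `attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b`, and the caption says the diagram shows an Attack Pattern using a Tool. Pointing `source_ref` at the sample SDO's id (and either adding the referenced Tool object or noting that it is not shown) would make the two samples read as one graph, which is exactly the nodes-and-edges point the section makes. Also, the new code fences carry no language; tagging them ```json would give the highlighting that index.md gets from `{% highlight json %}`, and a blank line between the closing fence and the `<div class="figure ...">` would match the spacing used after the other fences in this file.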
@@ -43,6 +86,29 @@ However, the need to incorporate concepts not yet in the specification is enable

Indicator patterns in STIX 1.x were expressed using XML syntax. This made all but the simplest patterns difficult to create and to understand. STIX 2.0 takes a different approach, specifying [a language for patterns](https://docs.google.com/document/d/1suvd7z7YjNKWOwgko-vJ84jfGuxSYZjOQlw5leCswPY) which is independent of the serialization language \[5\]. Patterns written in the STIX patterning language are more compact and easier to read. Additionally, there is no confusion between patterns and observations, because a pattern is not a top-level object, but a property of an indicator object.

### Indicator Example with Pattern

```
{
"type": "indicator",
"id": "indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5",
"created": "2017-02-09T12:11:11.415000Z",
"modified": "2017-02-09T12:11:11.415000Z",
"name": "HTRAN Hop Point Accessor",
"pattern": "[ipv4addr:value = '223.166.0.0/15']",
"labels": [
"malicious-activity"
],
"valid_from": "2015-05-15T09:00:00.000000Z",
"kill_chain_phases": [
{
"kill_chain_name": "mandiant-attack-lifecycle-model",
"phase_name": "establish-foothold"
}
]
}
```

## Coming Attractions

STIX 2.0 does not currently support several CTI concepts, such as Incidents, Confidence, Assets and Infrastructure, Impact Assessment, Personas, Victims and Victim Targeting. Many of these are under development for STIX 2.1, which is currently being defined. Likewise, only the most “popular” cyber observable objects are currently supported. Again, more will be added in future releases.
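Review bot: the indicator pattern `[ipv4addr:value = '223.166.0.0/15']` uses an object type that does not exist in STIX 2.0; the Cyber Observable type for an IPv4 address is `ipv4-addr`, so the pattern should read `[ipv4-addr:value = '223.166.0.0/15']`. As written, a consumer evaluating the pattern against observed `ipv4-addr` objects will never match it, which undercuts the paragraph's argument that the patterning language is easier to get right than the STIX 1.x XML form. Same fence point as the other samples in this file: tag the block ```json.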
4 changes: 2 additions & 2 deletions stix/walkthrough.md
@@ -119,7 +119,7 @@ So the Relationship object used in our scenario for Company A links the **source
With this Relationship SRO, Company A has related the Indicator SDO to the Malware SDO. A diagram of this relationship below shows the SDO “nodes” and the SRO “edge”.

<div class="figure center-block text-center" markdown="span">
![STIX 2.0 Architecture]({{ site.baseurl }}/img/STIXDiagram1.png){: .figure-img .img-fluid}
![STIX 2.0 Diagram 1]({{ site.baseurl }}/img/STIXdiagram1.PNG){: .figure-img .img-fluid}
**STIX Diagram Showing Relationship**
</div>
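Review bot: the image reference is changed from `STIXDiagram1.png` to the mixed-case `STIXdiagram1.PNG` (and `STIXDiagram2.png` to `STIXdiagram2.PNG` in the next hunk), but this commit adds only `img/STIXdiagram3.PNG` and `img/taxii_diagram.png`. GitHub Pages builds on a case-sensitive filesystem, so unless the existing files in `img/` were already renamed to exactly `STIXdiagram1.PNG` and `STIXdiagram2.PNG`, these links (and the `STIXdiagram2.PNG` reference added in index.md) will 404 in production even though they resolve on a case-insensitive Mac or Windows checkout. Please confirm the file names or include the renames in this commit.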

@@ -185,7 +185,7 @@ If Company B uses the Indicator provided by Company A and gets a match, it means
Company B creates a Sighting SRO with the **sighting_of_ref** property that references the id of the Indicator object that contains the pattern for the malware hash of the CryptoLocker Malware (first created by Company A). Company B can publish this back to the TAXII server to let others know they also saw this malware present in their network. A STIX diagram with the Sighting object added can be seen below:

<div class="figure center-block text-center" markdown="span">
![STIX 2.0 Architecture]({{ site.baseurl }}/img/STIXDiagram2.png){: .figure-img .img-fluid}
![STIX 2.0 Diagram 2]({{ site.baseurl }}/img/STIXdiagram2.PNG){: .figure-img .img-fluid}
**STIX Diagram with Sighting**
</div>

11 changes: 0 additions & 11 deletions taxii/about.md

This file was deleted.
