8. Graphs

Vincenzo Caputo edited this page May 12, 2024 · 2 revisions

FoxyRecon also provides a web page that lets you create a graph based on the STIX 2.1 format. You can use the graph to model and visualize the data you collected during your analysis.

The web page is accessible through the button located in the settings menu of the popup.

You can add several types of STIX Objects as graph nodes:

  • Domain Objects:
    • Attack Pattern
    • Campaign
    • Course of Action
    • Identity
    • Infrastructure
    • Intrusion Set
    • Location
    • Malware
    • Malware Analysis
    • Note
    • Report
    • Threat Actor
    • Tool
    • Vulnerability
  • Cyber Observable Objects:
    • Autonomous System
    • Domain Name
    • Email Address
    • File
    • IPv4 Address
    • IPv6 Address
    • MAC Address
    • Network Traffic
    • Software
    • URL
    • User Account

For each object, you can provide several data fields according to the STIX format (https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html).

You can also add a relationship between two nodes: click the "Add Link" button, then click on a node and drag the edge to another node to connect them. You can give the relationship a name.

You can customize the graph visualization by using the options on the left. Selecting a node will show you its STIX content.
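How a small graph of this kind looks as STIX 2.1 data, with a check that every link connects two nodes that exist. This is an added example, not FoxyRecon's own code: the sample bundle, its identifiers and the `checkGraph` helper are constructed for illustration, and the page does not show how FoxyRecon itself stores the graph.

```javascript
// Constructed sample graph: a Domain Name node, an IPv4 Address node, a Malware
// node and two named links, written as a STIX 2.1 bundle. All values are made up.
const DOM = "domain-name--3c1b8a52-6f0d-5e2a-8c47-1d9e0b7a6f33";
const IP = "ipv4-addr--9a4e7d10-2b5c-5f8e-a1d3-6c0b2e4f8a55";
const MAL = "malware--5d2f9c31-7a0b-4e6d-b8c2-0f1a3e5d7c99";
const T = "2024-05-12T10:00:00.000Z";
const link = (id, name, from, to) => ({ type: "relationship", spec_version: "2.1",
  id, created: T, modified: T, relationship_type: name, source_ref: from, target_ref: to });

const sampleBundle = {
  type: "bundle",
  id: "bundle--2f6c1a0e-4d3b-4c8a-9b1e-7a5d0c9e1f21",
  objects: [
    { type: "domain-name", spec_version: "2.1", id: DOM, value: "example.com" },
    { type: "ipv4-addr", spec_version: "2.1", id: IP, value: "198.51.100.7" },
    { type: "malware", spec_version: "2.1", id: MAL, created: T, modified: T,
      name: "sample-family", is_family: true },
    link("relationship--7e1a4b62-3c9d-4f0a-9e25-8b6d1c3a5f77", "resolves-to", DOM, IP),
    link("relationship--1b3d5f70-8a2c-4d6e-a0f4-2c4e6a8b0d11", "communicates-with", MAL, IP),
  ],
};

// STIX identifiers have the form <object-type>--<UUID>.
const STIX_ID = /^([a-z0-9-]+)--[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

// Returns the edges as readable strings plus a list of structural problems:
// malformed or duplicate ids, id/type mismatches, and links with a missing endpoint.
function checkGraph(bundle) {
  const problems = [], byId = new Map(), links = [];
  for (const obj of bundle.objects || []) {
    const m = STIX_ID.exec(obj.id || "");
    if (!m) problems.push(`malformed id: ${obj.id}`);
    else if (m[1] !== obj.type) problems.push(`id prefix does not match type: ${obj.id}`);
    if (byId.has(obj.id)) problems.push(`duplicate id: ${obj.id}`);
    byId.set(obj.id, obj);
    if (obj.type === "relationship") links.push(obj);
  }
  const label = (id) => { const o = byId.get(id) || {}; return o.value || o.name || "?"; };
  const edges = [];
  for (const l of links) {
    for (const ref of [l.source_ref, l.target_ref])
      if (!byId.has(ref)) problems.push(`${l.id}: dangling ref ${ref}`);
    edges.push(`${label(l.source_ref)} -[${l.relationship_type}]-> ${label(l.target_ref)}`);
  }
  return { edges, problems };
}

console.log(checkGraph(sampleBundle));
```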

Add nodes and relationships with the popup

You can also add a node to the graph via the popup by clicking on the plus button.

Once you have added a node, you can create a relationship between it and another node in the graph.

A dialog is displayed to create the relationship:

Auto-Graph Generation

FoxyRecon can automatically create a graph from the research you perform through it. With this feature, the indicator you submit in FoxyRecon is added to the graph along with other indicators collected by the web resource you selected. This feature is disabled by default, but you can enable it in the settings section:

As of now, this option is supported only on the following web resources:

  • AbuseIPDB
  • AlienVault
  • Host.io
  • Talos Intelligence
  • Netcraft
  • URLscan