agentic-threat-hunting-framework 0.2.0__py3-none-any.whl → 0.2.2__py3-none-any.whl

{agentic_threat_hunting_framework-0.2.0.dist-info → agentic_threat_hunting_framework-0.2.2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentic-threat-hunting-framework
-Version: 0.2.0
+Version: 0.2.2
 Summary: Agentic Threat Hunting Framework - Memory and AI for threat hunters
 Author-email: Sydney Marrone <athf@nebulock.io>
 Maintainer-email: Sydney Marrone <athf@nebulock.io>

agentic_threat_hunting_framework-0.2.2.dist-info/RECORD

@@ -0,0 +1,23 @@
+agentic_threat_hunting_framework-0.2.2.dist-info/licenses/LICENSE,sha256=_KObErRfiKoolznt-DF0nJnr3U9Rdh7Z4Ba7G5qqckk,1071
+athf/__init__.py,sha256=OrjZe8P97_BTEkscapnwSsqKSjwXNP9d8-HtGr19Ni0,241
+athf/__version__.py,sha256=p9cAuZ-dTEMpo-qoeYkFo2166r8LvKpa5qHBZihGq3w,59
+athf/cli.py,sha256=XLNRXEs9kHPH6utJ7_SnzLFcldbGAnACPMTe0xMOkhQ,4492
+athf/commands/__init__.py,sha256=uDyr0bz-agpGO8fraXQl24wuQCxqbeCevZsJ2bDK29s,25
+athf/commands/context.py,sha256=XpMtTf9Pq6NxMhawp6f1NYnTKYt1IuGx9CNDIY8K8Do,11956
+athf/commands/env.py,sha256=AisRllJXbyCjK_2ii21qBBmCz9raxhBUemwM7BxqIYg,11859
+athf/commands/hunt.py,sha256=2KORNWAqEvLY-Wc1q-a894g8kOpcqw_iJfnenKJeTDI,23019
+athf/commands/init.py,sha256=L_29fvZF8SZ1BKh2D6NyDuacCC5JXOTezIxdBnnK88E,10941
+athf/commands/investigate.py,sha256=mK_id5vjfN_ukqB_-fyia0FNa0pBmtn0Xv6CKHQI1Qo,24663
+athf/commands/similar.py,sha256=ROoMs4NP1otCaXwM1XzpLWxmANknoeASlBT7zuMDqas,11793
+athf/core/__init__.py,sha256=yG7C8ljx3UW4QZoYvDjUxsWHlbS8M-GLGB7Je7rRfqo,31
+athf/core/attack_matrix.py,sha256=QZKKmxckQ6-U7lqVdGUJoj2jEAhP3Juvr3sqaNx2oTw,3238
+athf/core/hunt_manager.py,sha256=6DC3wmreJ5IBiC7vi9xB9DP_WDXOetmGceFPTqjYVRU,11366
+athf/core/hunt_parser.py,sha256=FUj0yyBIcZnaS9aItMImeBDhegQwpkewIwUMNXW_ZWU,5122
+athf/core/investigation_parser.py,sha256=wbfjnq4gFgIc0a4bHIAnidVNPhbHDpIXWY1SGLk0Xls,6804
+athf/core/template_engine.py,sha256=vNTVhlxIXZpxU7VmQyrqCSt6ORS0IVjAV54TOmUDMTE,5636
+athf/utils/__init__.py,sha256=aEAPI1xnAsowOtc036cCb9ZOek5nrrfevu8PElhbNgk,30
+agentic_threat_hunting_framework-0.2.2.dist-info/METADATA,sha256=zFr9-YmLEz0jqC0rmqEUmOmMhl-yMUr20U9IrqUrfcI,15472
+agentic_threat_hunting_framework-0.2.2.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+agentic_threat_hunting_framework-0.2.2.dist-info/entry_points.txt,sha256=GopR2iTiBs-yNMWiUZ2DaFIFglXxWJx1XPjTa3ePtfE,39
+agentic_threat_hunting_framework-0.2.2.dist-info/top_level.txt,sha256=Cxxg6SMLfawDJWBITsciRzq27XV8fiaAor23o9Byoes,5
+agentic_threat_hunting_framework-0.2.2.dist-info/RECORD,,

athf/__version__.py

@@ -1,3 +1,3 @@
 """Version information for ATHF."""
 
-__version__ = "0.2.0"
+__version__ = "0.2.2"

athf/commands/context.py

@@ -197,7 +197,7 @@ def _build_context(
 
 def _read_and_optimize(file_path: Path) -> str:
     """Read file and optimize for token efficiency."""
-    content = file_path.read_text()
+    content = file_path.read_text(encoding='utf-8')
 
     # First pass: Remove all control characters except tabs and newlines
     # Control characters are U+0000 through U+001F (0-31), except tab (9), LF (10), CR (13)
@@ -234,7 +234,7 @@ def _find_hunts_by_tactic(tactic: str) -> List[Path]:
     normalized_tactic = tactic.replace("-", " ").lower()
 
     for hunt_file in hunts_dir.glob("H-*.md"):
-        content = hunt_file.read_text()
+        content = hunt_file.read_text(encoding='utf-8')
 
         # Check YAML frontmatter for tactics field
         if content.startswith("---"):
@@ -263,7 +263,7 @@ def _find_hunts_by_platform(platform: str) -> List[Path]:
     normalized_platform = platform.lower()
 
     for hunt_file in hunts_dir.glob("H-*.md"):
-        content = hunt_file.read_text()
+        content = hunt_file.read_text(encoding='utf-8')
 
         # Check YAML frontmatter for platform field
         if content.startswith("---"):

athf/commands/env.py

@@ -3,6 +3,7 @@
 import subprocess  # nosec B404
 import sys
 from pathlib import Path
+from typing import Union
 
 import click
 from rich.console import Console
@@ -280,7 +281,7 @@ def info() -> None:
 
     # Get installed packages count
     pip_path = python_path.parent / "pip"
-    package_count: int | str
+    package_count: Union[int, str]
     try:
         result = subprocess.run(
             [str(pip_path), "list", "--format", "freeze"],

athf/commands/investigate.py

@@ -3,7 +3,7 @@
 import json
 from datetime import datetime
 from pathlib import Path
-from typing import Optional
+from typing import List, Optional, Tuple
 
 import click
 import yaml
@@ -82,8 +82,8 @@ def new(
     title: Optional[str],
     investigation_type: Optional[str],
     tags: Optional[str],
-    data_source: tuple[str, ...],
-    related_hunt: tuple[str, ...],
+    data_source: Tuple[str, ...],
+    related_hunt: Tuple[str, ...],
     investigator: Optional[str],
     non_interactive: bool,
 ) -> None:
@@ -200,9 +200,9 @@ def _render_investigation_template(
     title: str,
     investigator: str,
     investigation_type: str,
-    tags: list[str],
-    data_sources: list[str],
-    related_hunts: list[str],
+    tags: List[str],
+    data_sources: List[str],
+    related_hunts: List[str],
 ) -> str:
     """Render investigation template with provided values.
 
@@ -569,8 +569,8 @@ def validate(investigation_id: str) -> None:
 def promote(
     investigation_id: str,
     technique: Optional[str],
-    tactic: tuple[str, ...],
-    platform: tuple[str, ...],
+    tactic: Tuple[str, ...],
+    platform: Tuple[str, ...],
     status: str,
     non_interactive: bool,
 ) -> None:

athf/commands/similar.py

@@ -121,7 +121,7 @@ def _get_hunt_text(hunt_id: str) -> Optional[str]:
     hunt_file = Path(f"hunts/{hunt_id}.md")
     if not hunt_file.exists():
         return None
-    return hunt_file.read_text()
+    return hunt_file.read_text(encoding='utf-8')
 
 
 def _find_similar_hunts(
@@ -132,8 +132,8 @@ def _find_similar_hunts(
 ) -> List[Dict[str, Any]]:
     """Find similar hunts using TF-IDF similarity."""
     try:
-        from sklearn.feature_extraction.text import TfidfVectorizer  # type: ignore
-        from sklearn.metrics.pairwise import cosine_similarity  # type: ignore
+        from sklearn.feature_extraction.text import TfidfVectorizer
+        from sklearn.metrics.pairwise import cosine_similarity
     except ImportError:
         console.print("[red]Error: scikit-learn not installed[/red]")
         console.print("[dim]Install with: pip install scikit-learn[/dim]")
@@ -156,7 +156,7 @@ def _find_similar_hunts(
         if exclude_hunt and hunt_id == exclude_hunt:
             continue
 
-        content = hunt_file.read_text()
+        content = hunt_file.read_text(encoding='utf-8')
         metadata = _extract_hunt_metadata(content)
 
         # Extract searchable text (weighted semantic sections)

athf/core/attack_matrix.py

@@ -4,9 +4,20 @@ This module contains reference data for the MITRE ATT&CK Enterprise matrix,
 including tactic ordering and technique counts.
 """
 
+from typing import Dict, List, TypedDict
+
+
+class TacticInfo(TypedDict):
+    """Type definition for tactic information."""
+
+    name: str
+    technique_count: int
+    order: int
+
+
 # MITRE ATT&CK Enterprise Matrix v14 (January 2024)
 # Approximate technique counts per tactic (includes sub-techniques)
-ATTACK_TACTICS = {
+ATTACK_TACTICS: Dict[str, TacticInfo] = {
     "reconnaissance": {
         "name": "Reconnaissance",
         "technique_count": 10,
@@ -92,7 +103,9 @@ def get_tactic_display_name(tactic_key: str) -> str:
     Returns:
         Display name (e.g., "Credential Access")
     """
-    return ATTACK_TACTICS.get(tactic_key, {}).get("name", tactic_key.replace("-", " ").title())
+    if tactic_key in ATTACK_TACTICS:
+        return ATTACK_TACTICS[tactic_key]["name"]
+    return tactic_key.replace("-", " ").title()
 
 
 def get_tactic_technique_count(tactic_key: str) -> int:
@@ -104,10 +117,12 @@ def get_tactic_technique_count(tactic_key: str) -> int:
     Returns:
         Total technique count for the tactic
     """
-    return ATTACK_TACTICS.get(tactic_key, {}).get("technique_count", 0)
+    if tactic_key in ATTACK_TACTICS:
+        return ATTACK_TACTICS[tactic_key]["technique_count"]
+    return 0
 
 
-def get_sorted_tactics() -> list[str]:
+def get_sorted_tactics() -> List[str]:
     """Get all tactic keys sorted by ATT&CK matrix order.
 
     Returns:

athf/core/hunt_manager.py

@@ -2,7 +2,7 @@
 
 import re
 from pathlib import Path
-from typing import Any, Dict, List, Optional
+from typing import Any, Dict, List, Optional, Set
 
 from athf.core.attack_matrix import ATTACK_TACTICS, TOTAL_TECHNIQUES, get_sorted_tactics
 from athf.core.hunt_parser import parse_hunt_file
@@ -261,7 +261,7 @@ class HuntManager:
                 "total_techniques": ATTACK_TACTICS[tactic_key]["technique_count"],
             }
 
-        all_unique_techniques: set[str] = set()
+        all_unique_techniques: Set[str] = set()
 
         for hunt in hunts:
             hunt_id = hunt.get("hunt_id", "UNKNOWN")

athf/core/investigation_parser.py

@@ -8,7 +8,7 @@ Investigation parser is simpler than hunt parser:
 
 import re
 from pathlib import Path
-from typing import Any, Dict, List
+from typing import Any, Dict, List, Tuple
 
 import yaml
 
@@ -85,7 +85,7 @@ class InvestigationParser:
 
         return content_without_fm.strip()
 
-    def validate(self) -> tuple[bool, List[str]]:
+    def validate(self) -> Tuple[bool, List[str]]:
         """Validate investigation structure.
 
         Lightweight validation - only checks minimal required fields.
@@ -140,7 +140,7 @@ def parse_investigation_file(file_path: Path) -> Dict[str, Any]:
     return parser.parse()
 
 
-def validate_investigation_file(file_path: Path) -> tuple[bool, List[str]]:
+def validate_investigation_file(file_path: Path) -> Tuple[bool, List[str]]:
     """Convenience function to validate an investigation file.
 
     Args:

agentic_threat_hunting_framework-0.2.0.dist-info/RECORD

@@ -1,23 +0,0 @@
-agentic_threat_hunting_framework-0.2.0.dist-info/licenses/LICENSE,sha256=_KObErRfiKoolznt-DF0nJnr3U9Rdh7Z4Ba7G5qqckk,1071
-athf/__init__.py,sha256=OrjZe8P97_BTEkscapnwSsqKSjwXNP9d8-HtGr19Ni0,241
-athf/__version__.py,sha256=qT3kQNuJrw6IXvX9OpVNABZ8axShk7vcwAcufNBLlls,59
-athf/cli.py,sha256=XLNRXEs9kHPH6utJ7_SnzLFcldbGAnACPMTe0xMOkhQ,4492
-athf/commands/__init__.py,sha256=uDyr0bz-agpGO8fraXQl24wuQCxqbeCevZsJ2bDK29s,25
-athf/commands/context.py,sha256=nWETwEqPMTxxkUdsfVwH-K3Td41_EKQkxutdPbbIwos,11908
-athf/commands/env.py,sha256=Y1UZXn5sStpkRYMJ0ZMjr_ox3ve4ZuhqGGJPBo6Ytko,11828
-athf/commands/hunt.py,sha256=2KORNWAqEvLY-Wc1q-a894g8kOpcqw_iJfnenKJeTDI,23019
-athf/commands/init.py,sha256=L_29fvZF8SZ1BKh2D6NyDuacCC5JXOTezIxdBnnK88E,10941
-athf/commands/investigate.py,sha256=WjwPtafs9bOSu09RC1QW4CVFYJjdn2C96wRa9M_o2PI,24650
-athf/commands/similar.py,sha256=d8AArbknc08qlyGw8kTzF35q9Dk-qBXN4SMP5n0z4-I,11793
-athf/core/__init__.py,sha256=yG7C8ljx3UW4QZoYvDjUxsWHlbS8M-GLGB7Je7rRfqo,31
-athf/core/attack_matrix.py,sha256=Tp-519BLjjov8NAQ84iRvIv7STegLBtF09E5vf7jO9s,2958
-athf/core/hunt_manager.py,sha256=5fxGXbtRGfUR8B0E2jb62peSQhwISmim71SZPRrJRr0,11361
-athf/core/hunt_parser.py,sha256=FUj0yyBIcZnaS9aItMImeBDhegQwpkewIwUMNXW_ZWU,5122
-athf/core/investigation_parser.py,sha256=tZnUqrFGLMUif9rayu7hgb6sKBWIvui46siUdDokAAA,6797
-athf/core/template_engine.py,sha256=vNTVhlxIXZpxU7VmQyrqCSt6ORS0IVjAV54TOmUDMTE,5636
-athf/utils/__init__.py,sha256=aEAPI1xnAsowOtc036cCb9ZOek5nrrfevu8PElhbNgk,30
-agentic_threat_hunting_framework-0.2.0.dist-info/METADATA,sha256=4XD3KtzPLvRcA4a4lfjmRhLAuA5AAkQBF1IdXFM7ZvQ,15472
-agentic_threat_hunting_framework-0.2.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-agentic_threat_hunting_framework-0.2.0.dist-info/entry_points.txt,sha256=GopR2iTiBs-yNMWiUZ2DaFIFglXxWJx1XPjTa3ePtfE,39
-agentic_threat_hunting_framework-0.2.0.dist-info/top_level.txt,sha256=Cxxg6SMLfawDJWBITsciRzq27XV8fiaAor23o9Byoes,5
-agentic_threat_hunting_framework-0.2.0.dist-info/RECORD,,