agentic-threat-hunting-framework 0.2.1__py3-none-any.whl → 0.2.3__py3-none-any.whl

{agentic_threat_hunting_framework-0.2.1.dist-info → agentic_threat_hunting_framework-0.2.3.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentic-threat-hunting-framework
-Version: 0.2.1
+Version: 0.2.3
 Summary: Agentic Threat Hunting Framework - Memory and AI for threat hunters
 Author-email: Sydney Marrone <athf@nebulock.io>
 Maintainer-email: Sydney Marrone <athf@nebulock.io>

agentic_threat_hunting_framework-0.2.3.dist-info/RECORD

@@ -0,0 +1,23 @@
+agentic_threat_hunting_framework-0.2.3.dist-info/licenses/LICENSE,sha256=_KObErRfiKoolznt-DF0nJnr3U9Rdh7Z4Ba7G5qqckk,1071
+athf/__init__.py,sha256=OrjZe8P97_BTEkscapnwSsqKSjwXNP9d8-HtGr19Ni0,241
+athf/__version__.py,sha256=p9cAuZ-dTEMpo-qoeYkFo2166r8LvKpa5qHBZihGq3w,59
+athf/cli.py,sha256=XLNRXEs9kHPH6utJ7_SnzLFcldbGAnACPMTe0xMOkhQ,4492
+athf/commands/__init__.py,sha256=uDyr0bz-agpGO8fraXQl24wuQCxqbeCevZsJ2bDK29s,25
+athf/commands/context.py,sha256=WvOf0OuttAsEk_h4QDtdfqYI4CulDg2UCtq_5r5iJAA,12686
+athf/commands/env.py,sha256=AisRllJXbyCjK_2ii21qBBmCz9raxhBUemwM7BxqIYg,11859
+athf/commands/hunt.py,sha256=2KORNWAqEvLY-Wc1q-a894g8kOpcqw_iJfnenKJeTDI,23019
+athf/commands/init.py,sha256=L_29fvZF8SZ1BKh2D6NyDuacCC5JXOTezIxdBnnK88E,10941
+athf/commands/investigate.py,sha256=mK_id5vjfN_ukqB_-fyia0FNa0pBmtn0Xv6CKHQI1Qo,24663
+athf/commands/similar.py,sha256=ROoMs4NP1otCaXwM1XzpLWxmANknoeASlBT7zuMDqas,11793
+athf/core/__init__.py,sha256=yG7C8ljx3UW4QZoYvDjUxsWHlbS8M-GLGB7Je7rRfqo,31
+athf/core/attack_matrix.py,sha256=QZKKmxckQ6-U7lqVdGUJoj2jEAhP3Juvr3sqaNx2oTw,3238
+athf/core/hunt_manager.py,sha256=PFsg8Ecg94NCpuFZpApo82lyORkgK5IfOIih-7-XsmM,11580
+athf/core/hunt_parser.py,sha256=FUj0yyBIcZnaS9aItMImeBDhegQwpkewIwUMNXW_ZWU,5122
+athf/core/investigation_parser.py,sha256=wbfjnq4gFgIc0a4bHIAnidVNPhbHDpIXWY1SGLk0Xls,6804
+athf/core/template_engine.py,sha256=vNTVhlxIXZpxU7VmQyrqCSt6ORS0IVjAV54TOmUDMTE,5636
+athf/utils/__init__.py,sha256=aEAPI1xnAsowOtc036cCb9ZOek5nrrfevu8PElhbNgk,30
+agentic_threat_hunting_framework-0.2.3.dist-info/METADATA,sha256=I3x8s2Rff1A7BjYz-lfy_M6I_qw0-nDBC2Ypc0DcxTA,15472
+agentic_threat_hunting_framework-0.2.3.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+agentic_threat_hunting_framework-0.2.3.dist-info/entry_points.txt,sha256=GopR2iTiBs-yNMWiUZ2DaFIFglXxWJx1XPjTa3ePtfE,39
+agentic_threat_hunting_framework-0.2.3.dist-info/top_level.txt,sha256=Cxxg6SMLfawDJWBITsciRzq27XV8fiaAor23o9Byoes,5
+agentic_threat_hunting_framework-0.2.3.dist-info/RECORD,,

athf/__version__.py

@@ -1,3 +1,3 @@
 """Version information for ATHF."""
 
-__version__ = "0.2.1"
+__version__ = "0.2.2"

athf/commands/context.py

@@ -22,6 +22,9 @@ Examples:
   # Export context for macOS platform hunts
   athf context --platform macos
 
+  # Combine filters: persistence hunts on Linux
+  athf context --tactic persistence --platform linux
+
   # Export full repository context (large output)
   athf context --full
 
@@ -86,18 +89,20 @@ def context(
     • With context: 1 command, ~1,000 tokens
     • Savings: ~2,000 tokens per hunt (~$0.03 per hunt)
     """
-    # Validate mutually exclusive options
-    exclusive_options = sum([bool(hunt), bool(tactic), bool(platform), full])
-    if exclusive_options == 0:
-        console.print("[red]Error: Must specify one of: --hunt, --tactic, --platform, or --full[/red]")
+    # Validate that at least one filter is provided
+    has_filter = any([hunt, tactic, platform, full])
+    if not has_filter:
+        console.print("[red]Error: Must specify at least one of: --hunt, --tactic, --platform, or --full[/red]")
         console.print("\n[dim]Examples:[/dim]")
         console.print("  athf context --hunt H-0013")
         console.print("  athf context --tactic credential-access")
         console.print("  athf context --platform macos")
+        console.print("  athf context --tactic persistence --platform linux")
         raise click.Abort()
 
-    if exclusive_options > 1:
-        console.print("[red]Error: Only one filter option allowed at a time[/red]")
+    # --full flag is mutually exclusive with other filters
+    if full and (hunt or tactic or platform):
+        console.print("[red]Error: --full cannot be combined with other filters[/red]")
         raise click.Abort()
 
     # Build context bundle
@@ -158,17 +163,26 @@ def _build_context(
     if index_path.exists():
         context["hunt_index"] = _read_and_optimize(index_path)
 
-    # Load hunts based on filter
-    if hunt:
-        hunt_files = [Path(f"hunts/{hunt}.md")]
-    elif tactic:
-        hunt_files = _find_hunts_by_tactic(tactic)
-    elif platform:
-        hunt_files = _find_hunts_by_platform(platform)
-    elif full:
+    # Load hunts based on filters (can be combined)
+    if full:
+        # Full export: include all hunts
         hunt_files = list(Path("hunts").glob("H-*.md"))
+    elif hunt:
+        # Specific hunt: only load that one
+        hunt_files = [Path(f"hunts/{hunt}.md")]
     else:
-        hunt_files = []
+        # Combine tactic and platform filters
+        if tactic and platform:
+            # Both filters: find hunts matching both criteria
+            tactic_hunts = set(_find_hunts_by_tactic(tactic))
+            platform_hunts = set(_find_hunts_by_platform(platform))
+            hunt_files = list(tactic_hunts & platform_hunts)  # Intersection
+        elif tactic:
+            hunt_files = _find_hunts_by_tactic(tactic)
+        elif platform:
+            hunt_files = _find_hunts_by_platform(platform)
+        else:
+            hunt_files = []
 
     # Load hunt content
     for hunt_file in hunt_files:
@@ -197,7 +211,7 @@ def _build_context(
 
 def _read_and_optimize(file_path: Path) -> str:
     """Read file and optimize for token efficiency."""
-    content = file_path.read_text()
+    content = file_path.read_text(encoding='utf-8')
 
     # First pass: Remove all control characters except tabs and newlines
     # Control characters are U+0000 through U+001F (0-31), except tab (9), LF (10), CR (13)
@@ -234,7 +248,7 @@ def _find_hunts_by_tactic(tactic: str) -> List[Path]:
     normalized_tactic = tactic.replace("-", " ").lower()
 
     for hunt_file in hunts_dir.glob("H-*.md"):
-        content = hunt_file.read_text()
+        content = hunt_file.read_text(encoding='utf-8')
 
         # Check YAML frontmatter for tactics field
         if content.startswith("---"):
@@ -263,7 +277,7 @@ def _find_hunts_by_platform(platform: str) -> List[Path]:
     normalized_platform = platform.lower()
 
     for hunt_file in hunts_dir.glob("H-*.md"):
-        content = hunt_file.read_text()
+        content = hunt_file.read_text(encoding='utf-8')
 
         # Check YAML frontmatter for platform field
         if content.startswith("---"):

athf/commands/investigate.py

@@ -3,7 +3,7 @@
 import json
 from datetime import datetime
 from pathlib import Path
-from typing import Optional
+from typing import List, Optional, Tuple
 
 import click
 import yaml
@@ -82,8 +82,8 @@ def new(
     title: Optional[str],
     investigation_type: Optional[str],
     tags: Optional[str],
-    data_source: tuple[str, ...],
-    related_hunt: tuple[str, ...],
+    data_source: Tuple[str, ...],
+    related_hunt: Tuple[str, ...],
     investigator: Optional[str],
     non_interactive: bool,
 ) -> None:
@@ -200,9 +200,9 @@ def _render_investigation_template(
     title: str,
     investigator: str,
     investigation_type: str,
-    tags: list[str],
-    data_sources: list[str],
-    related_hunts: list[str],
+    tags: List[str],
+    data_sources: List[str],
+    related_hunts: List[str],
 ) -> str:
     """Render investigation template with provided values.
 
@@ -569,8 +569,8 @@ def validate(investigation_id: str) -> None:
 def promote(
     investigation_id: str,
     technique: Optional[str],
-    tactic: tuple[str, ...],
-    platform: tuple[str, ...],
+    tactic: Tuple[str, ...],
+    platform: Tuple[str, ...],
     status: str,
     non_interactive: bool,
 ) -> None:

athf/commands/similar.py

@@ -121,7 +121,7 @@ def _get_hunt_text(hunt_id: str) -> Optional[str]:
     hunt_file = Path(f"hunts/{hunt_id}.md")
     if not hunt_file.exists():
         return None
-    return hunt_file.read_text()
+    return hunt_file.read_text(encoding='utf-8')
 
 
 def _find_similar_hunts(
@@ -156,7 +156,7 @@ def _find_similar_hunts(
         if exclude_hunt and hunt_id == exclude_hunt:
             continue
 
-        content = hunt_file.read_text()
+        content = hunt_file.read_text(encoding='utf-8')
         metadata = _extract_hunt_metadata(content)
 
         # Extract searchable text (weighted semantic sections)

athf/core/attack_matrix.py

@@ -4,7 +4,7 @@ This module contains reference data for the MITRE ATT&CK Enterprise matrix,
 including tactic ordering and technique counts.
 """
 
-from typing import Dict, TypedDict
+from typing import Dict, List, TypedDict
 
 
 class TacticInfo(TypedDict):
@@ -122,7 +122,7 @@ def get_tactic_technique_count(tactic_key: str) -> int:
     return 0
 
 
-def get_sorted_tactics() -> list[str]:
+def get_sorted_tactics() -> List[str]:
     """Get all tactic keys sorted by ATT&CK matrix order.
 
     Returns:

athf/core/hunt_manager.py

@@ -2,7 +2,7 @@
 
 import re
 from pathlib import Path
-from typing import Any, Dict, List, Optional
+from typing import Any, Dict, List, Optional, Set
 
 from athf.core.attack_matrix import ATTACK_TACTICS, TOTAL_TECHNIQUES, get_sorted_tactics
 from athf.core.hunt_parser import parse_hunt_file
@@ -154,7 +154,14 @@ class HuntManager:
         results = []
         query_lower = query.lower()
 
+        # Exclude documentation files
+        exclude_files = {"README.md", "FORMAT_GUIDELINES.md"}
+
         for hunt_file in self.hunts_dir.glob("*.md"):
+            # Skip documentation files
+            if hunt_file.name in exclude_files:
+                continue
+
             try:
                 with open(hunt_file, "r", encoding="utf-8") as f:
                     content = f.read()
@@ -261,7 +268,7 @@ class HuntManager:
                 "total_techniques": ATTACK_TACTICS[tactic_key]["technique_count"],
             }
 
-        all_unique_techniques: set[str] = set()
+        all_unique_techniques: Set[str] = set()
 
         for hunt in hunts:
             hunt_id = hunt.get("hunt_id", "UNKNOWN")

athf/core/investigation_parser.py

@@ -8,7 +8,7 @@ Investigation parser is simpler than hunt parser:
 
 import re
 from pathlib import Path
-from typing import Any, Dict, List
+from typing import Any, Dict, List, Tuple
 
 import yaml
 
@@ -85,7 +85,7 @@ class InvestigationParser:
 
         return content_without_fm.strip()
 
-    def validate(self) -> tuple[bool, List[str]]:
+    def validate(self) -> Tuple[bool, List[str]]:
         """Validate investigation structure.
 
         Lightweight validation - only checks minimal required fields.
@@ -140,7 +140,7 @@ def parse_investigation_file(file_path: Path) -> Dict[str, Any]:
     return parser.parse()
 
 
-def validate_investigation_file(file_path: Path) -> tuple[bool, List[str]]:
+def validate_investigation_file(file_path: Path) -> Tuple[bool, List[str]]:
     """Convenience function to validate an investigation file.
 
     Args:

agentic_threat_hunting_framework-0.2.1.dist-info/RECORD

@@ -1,23 +0,0 @@
-agentic_threat_hunting_framework-0.2.1.dist-info/licenses/LICENSE,sha256=_KObErRfiKoolznt-DF0nJnr3U9Rdh7Z4Ba7G5qqckk,1071
-athf/__init__.py,sha256=OrjZe8P97_BTEkscapnwSsqKSjwXNP9d8-HtGr19Ni0,241
-athf/__version__.py,sha256=JMSRfysx6Kj8rOPSF3-d9x_3-QAfDP47yKOeqdgkH1M,59
-athf/cli.py,sha256=XLNRXEs9kHPH6utJ7_SnzLFcldbGAnACPMTe0xMOkhQ,4492
-athf/commands/__init__.py,sha256=uDyr0bz-agpGO8fraXQl24wuQCxqbeCevZsJ2bDK29s,25
-athf/commands/context.py,sha256=nWETwEqPMTxxkUdsfVwH-K3Td41_EKQkxutdPbbIwos,11908
-athf/commands/env.py,sha256=AisRllJXbyCjK_2ii21qBBmCz9raxhBUemwM7BxqIYg,11859
-athf/commands/hunt.py,sha256=2KORNWAqEvLY-Wc1q-a894g8kOpcqw_iJfnenKJeTDI,23019
-athf/commands/init.py,sha256=L_29fvZF8SZ1BKh2D6NyDuacCC5JXOTezIxdBnnK88E,10941
-athf/commands/investigate.py,sha256=WjwPtafs9bOSu09RC1QW4CVFYJjdn2C96wRa9M_o2PI,24650
-athf/commands/similar.py,sha256=sgCNwI1Ru0lbavNm_3fjOdcJjeRPVD827vGdMF2LMBM,11761
-athf/core/__init__.py,sha256=yG7C8ljx3UW4QZoYvDjUxsWHlbS8M-GLGB7Je7rRfqo,31
-athf/core/attack_matrix.py,sha256=ayr9StkOskgFTsNum8MwTuCd4Z7Rhy5NNCNx1ncLYKs,3232
-athf/core/hunt_manager.py,sha256=5fxGXbtRGfUR8B0E2jb62peSQhwISmim71SZPRrJRr0,11361
-athf/core/hunt_parser.py,sha256=FUj0yyBIcZnaS9aItMImeBDhegQwpkewIwUMNXW_ZWU,5122
-athf/core/investigation_parser.py,sha256=tZnUqrFGLMUif9rayu7hgb6sKBWIvui46siUdDokAAA,6797
-athf/core/template_engine.py,sha256=vNTVhlxIXZpxU7VmQyrqCSt6ORS0IVjAV54TOmUDMTE,5636
-athf/utils/__init__.py,sha256=aEAPI1xnAsowOtc036cCb9ZOek5nrrfevu8PElhbNgk,30
-agentic_threat_hunting_framework-0.2.1.dist-info/METADATA,sha256=WMcuK9M13SlUPyRtud9frS8t4_7lFeRXiwevmicJMgk,15472
-agentic_threat_hunting_framework-0.2.1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-agentic_threat_hunting_framework-0.2.1.dist-info/entry_points.txt,sha256=GopR2iTiBs-yNMWiUZ2DaFIFglXxWJx1XPjTa3ePtfE,39
-agentic_threat_hunting_framework-0.2.1.dist-info/top_level.txt,sha256=Cxxg6SMLfawDJWBITsciRzq27XV8fiaAor23o9Byoes,5
-agentic_threat_hunting_framework-0.2.1.dist-info/RECORD,,