agentic-threat-hunting-framework 0.3.0__tar.gz → 0.4.0__tar.gz

{agentic_threat_hunting_framework-0.3.0/agentic_threat_hunting_framework.egg-info → agentic_threat_hunting_framework-0.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentic-threat-hunting-framework
-Version: 0.3.0
+Version: 0.4.0
 Summary: Agentic Threat Hunting Framework - Memory and AI for threat hunters
 Author-email: Sydney Marrone <athf@nebulock.io>
 Maintainer-email: Sydney Marrone <athf@nebulock.io>
@@ -33,6 +33,7 @@ Requires-Dist: click>=8.0.0
 Requires-Dist: pyyaml>=6.0
 Requires-Dist: rich>=10.0.0
 Requires-Dist: jinja2>=3.0.0
+Requires-Dist: python-dotenv>=0.19.0
 Requires-Dist: importlib_resources>=5.0.0; python_version < "3.9"
 Provides-Extra: dev
 Requires-Dist: pytest>=7.0.0; extra == "dev"
@@ -49,6 +50,8 @@ Requires-Dist: mkdocs>=1.5.0; extra == "docs"
 Requires-Dist: mkdocs-material>=9.0.0; extra == "docs"
 Provides-Extra: similarity
 Requires-Dist: scikit-learn>=1.0.0; extra == "similarity"
+Provides-Extra: splunk
+Requires-Dist: requests>=2.25.0; extra == "splunk"
 Dynamic: license-file
 
 # Agentic Threat Hunting Framework (ATHF)

{agentic_threat_hunting_framework-0.3.0 → agentic_threat_hunting_framework-0.4.0/agentic_threat_hunting_framework.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentic-threat-hunting-framework
-Version: 0.3.0
+Version: 0.4.0
 Summary: Agentic Threat Hunting Framework - Memory and AI for threat hunters
 Author-email: Sydney Marrone <athf@nebulock.io>
 Maintainer-email: Sydney Marrone <athf@nebulock.io>
@@ -33,6 +33,7 @@ Requires-Dist: click>=8.0.0
 Requires-Dist: pyyaml>=6.0
 Requires-Dist: rich>=10.0.0
 Requires-Dist: jinja2>=3.0.0
+Requires-Dist: python-dotenv>=0.19.0
 Requires-Dist: importlib_resources>=5.0.0; python_version < "3.9"
 Provides-Extra: dev
 Requires-Dist: pytest>=7.0.0; extra == "dev"
@@ -49,6 +50,8 @@ Requires-Dist: mkdocs>=1.5.0; extra == "docs"
 Requires-Dist: mkdocs-material>=9.0.0; extra == "docs"
 Provides-Extra: similarity
 Requires-Dist: scikit-learn>=1.0.0; extra == "similarity"
+Provides-Extra: splunk
+Requires-Dist: requests>=2.25.0; extra == "splunk"
 Dynamic: license-file
 
 # Agentic Threat Hunting Framework (ATHF)

{agentic_threat_hunting_framework-0.3.0 → agentic_threat_hunting_framework-0.4.0}/agentic_threat_hunting_framework.egg-info/SOURCES.txt

@@ -23,6 +23,11 @@ assets/athf_manual_v_ai.png
 athf/__init__.py
 athf/__version__.py
 athf/cli.py
+athf/agents/__init__.py
+athf/agents/base.py
+athf/agents/llm/__init__.py
+athf/agents/llm/hunt_researcher.py
+athf/agents/llm/hypothesis_generator.py
 athf/commands/__init__.py
 athf/commands/agent.py
 athf/commands/context.py
@@ -32,12 +37,14 @@ athf/commands/init.py
 athf/commands/investigate.py
 athf/commands/research.py
 athf/commands/similar.py
+athf/commands/splunk.py
 athf/core/__init__.py
 athf/core/attack_matrix.py
 athf/core/hunt_manager.py
 athf/core/hunt_parser.py
 athf/core/investigation_parser.py
 athf/core/research_manager.py
+athf/core/splunk_client.py
 athf/core/template_engine.py
 athf/core/web_search.py
 athf/data/__init__.py

{agentic_threat_hunting_framework-0.3.0 → agentic_threat_hunting_framework-0.4.0}/agentic_threat_hunting_framework.egg-info/requires.txt

@@ -2,6 +2,7 @@ click>=8.0.0
 pyyaml>=6.0
 rich>=10.0.0
 jinja2>=3.0.0
+python-dotenv>=0.19.0
 
 [:python_version < "3.9"]
 importlib_resources>=5.0.0
@@ -23,3 +24,6 @@ mkdocs-material>=9.0.0
 
 [similarity]
 scikit-learn>=1.0.0
+
+[splunk]
+requests>=2.25.0

{agentic_threat_hunting_framework-0.3.0 → agentic_threat_hunting_framework-0.4.0}/athf/__version__.py

@@ -1,3 +1,3 @@
 """Version information for ATHF."""
 
-__version__ = "0.3.0"
+__version__ = "0.4.0"

agentic_threat_hunting_framework-0.4.0/athf/agents/__init__.py

@@ -0,0 +1,14 @@
+"""ATHF Agent Framework.
+
+This module provides base classes and implementations for ATHF agents.
+Agents can be deterministic (Python-only) or LLM-powered (using Claude API).
+"""
+
+from athf.agents.base import Agent, AgentResult, DeterministicAgent, LLMAgent
+
+__all__ = [
+    "Agent",
+    "AgentResult",
+    "DeterministicAgent",
+    "LLMAgent",
+]

agentic_threat_hunting_framework-0.4.0/athf/agents/base.py

@@ -0,0 +1,141 @@
+"""Base classes for hunt-vault agents."""
+
+import os
+from abc import ABC, abstractmethod
+from dataclasses import dataclass, field
+from typing import Any, Dict, Generic, List, Optional, TypeVar
+
+# Type variables for input/output
+InputT = TypeVar("InputT")
+OutputT = TypeVar("OutputT")
+
+
+@dataclass
+class AgentResult(Generic[OutputT]):
+    """Standard result format for all agents."""
+
+    success: bool
+    data: Optional[OutputT]
+    error: Optional[str] = None
+    warnings: List[str] = field(default_factory=list)
+    metadata: Dict[str, Any] = field(default_factory=dict)
+
+    @property
+    def is_success(self) -> bool:
+        """Check if the agent execution was successful."""
+        return self.success and self.error is None
+
+
+class Agent(ABC, Generic[InputT, OutputT]):
+    """Base class for all agents."""
+
+    def __init__(self, config: Optional[Dict[str, Any]] = None):
+        """Initialize agent with optional configuration.
+
+        Args:
+            config: Optional configuration dictionary
+        """
+        self.config = config or {}
+        self._setup()
+
+    def _setup(self) -> None:
+        """Optional setup method for subclasses."""
+        pass
+
+    @abstractmethod
+    def execute(self, input_data: InputT) -> AgentResult[OutputT]:
+        """Execute agent logic.
+
+        Args:
+            input_data: Input for the agent
+
+        Returns:
+            AgentResult with output data or error
+        """
+        pass
+
+    def __call__(self, input_data: InputT) -> AgentResult[OutputT]:
+        """Allow calling agent as a function."""
+        return self.execute(input_data)
+
+
+class DeterministicAgent(Agent[InputT, OutputT]):
+    """Base class for deterministic Python agents (no LLM)."""
+
+    pass
+
+
+class LLMAgent(Agent[InputT, OutputT]):
+    """Base class for LLM-powered agents."""
+
+    def __init__(self, config: Optional[Dict[str, Any]] = None, llm_enabled: bool = True):
+        """Initialize LLM agent.
+
+        Args:
+            config: Optional configuration dictionary
+            llm_enabled: Whether to enable LLM functionality
+        """
+        self.llm_enabled = llm_enabled
+        super().__init__(config)
+
+    def _log_llm_metrics(
+        self,
+        agent_name: str,
+        model_id: str,
+        input_tokens: int,
+        output_tokens: int,
+        cost_usd: float,
+        duration_ms: int,
+    ) -> None:
+        """Log LLM call metrics to centralized tracker.
+
+        Args:
+            agent_name: Name of the agent (e.g., "hypothesis-generator")
+            model_id: Bedrock model ID
+            input_tokens: Number of input tokens
+            output_tokens: Number of output tokens
+            cost_usd: Estimated cost in USD
+            duration_ms: Call duration in milliseconds
+        """
+        try:
+            from athf.core.metrics_tracker import MetricsTracker  # type: ignore[import-not-found]
+
+            MetricsTracker.get_instance().log_bedrock_call(
+                agent=agent_name,
+                model_id=model_id,
+                input_tokens=input_tokens,
+                output_tokens=output_tokens,
+                cost_usd=cost_usd,
+                duration_ms=duration_ms,
+            )
+        except Exception:
+            pass  # Never fail agent execution due to metrics logging
+
+    def _get_llm_client(self) -> Any:
+        """Get AWS Bedrock runtime client for Claude models.
+
+        Returns:
+            Bedrock runtime client instance or None if LLM is disabled
+
+        Raises:
+            ValueError: If AWS credentials are not configured
+            ImportError: If boto3 package is not installed
+        """
+        if not self.llm_enabled:
+            return None
+
+        try:
+            import boto3  # type: ignore[import-untyped]
+
+            # Get AWS region from environment or use default
+            region = os.getenv("AWS_REGION", os.getenv("AWS_DEFAULT_REGION", "us-east-1"))
+
+            # Create Bedrock runtime client
+            # Uses AWS credentials from environment, ~/.aws/credentials, or IAM role
+            client = boto3.client(service_name="bedrock-runtime", region_name=region)
+
+            return client
+        except ImportError:
+            raise ImportError("boto3 package not installed. Run: pip install boto3")
+        except Exception as e:
+            raise ValueError(f"Failed to create Bedrock client: {e}")

agentic_threat_hunting_framework-0.4.0/athf/agents/llm/__init__.py

@@ -0,0 +1,27 @@
+"""LLM-powered agents for ATHF.
+
+These agents use Claude API for creative and analytical tasks.
+All LLM agents have fallback to deterministic methods when LLM is disabled.
+"""
+
+from athf.agents.llm.hunt_researcher import (
+    HuntResearcherAgent,
+    ResearchInput,
+    ResearchOutput,
+    ResearchSkillOutput,
+)
+from athf.agents.llm.hypothesis_generator import (
+    HypothesisGenerationInput,
+    HypothesisGenerationOutput,
+    HypothesisGeneratorAgent,
+)
+
+__all__ = [
+    "HypothesisGeneratorAgent",
+    "HypothesisGenerationInput",
+    "HypothesisGenerationOutput",
+    "HuntResearcherAgent",
+    "ResearchInput",
+    "ResearchOutput",
+    "ResearchSkillOutput",
+]