txt2detection 1.0.11__tar.gz → 1.0.12__tar.gz

{txt2detection-1.0.11 → txt2detection-1.0.12}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2detection
-Version: 1.0.11
+Version: 1.0.12
 Summary: A command line tool that takes a txt file containing threat intelligence and turns it into a detection rule.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2detection
 Project-URL: Issues, https://github.com/muchdogesec/txt2detection/issues
@@ -162,8 +162,7 @@ Use this mode to generate a set of rules from an input text file;
     * Provider (env var required `ANTHROPIC_API_KEY`): `anthropic:`, models e.g.: `claude-3-5-sonnet-latest`, `claude-3-5-haiku-latest`, `claude-3-opus-latest` ([More here](https://docs.anthropic.com/en/docs/about-claude/models))
     * Provider (env var required `GOOGLE_API_KEY`): `gemini:models/`, models: `gemini-1.5-pro-latest`, `gemini-1.5-flash-latest` ([More here](https://ai.google.dev/gemini-api/docs/models/gemini))
     * Provider (env var required `DEEPSEEK_API_KEY`): `deepseek:`, models `deepseek-chat` ([More here](https://api-docs.deepseek.com/quick_start/pricing))
-* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
-* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
+* `--create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only.
 
 Note, in this mode, the following values will be automatically assigned to the rule
 
@@ -190,8 +189,7 @@ Note, in this mode you should be aware of a few things;
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
 * `status` (optional): either `stable`, `test`, `experimental`, `deprecated`, `unsupported`. If passed, will overwrite any existing `status` recorded in the rule
 * `level` (optional): either `informational`, `low`, `medium`, `high`, `critical`. If passed, will overwrite any existing `level` recorded in the rule
-* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
-* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
+* `--create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags.
 
 ### A note on observable extraction
 

{txt2detection-1.0.11 → txt2detection-1.0.12}/README.md

@@ -121,8 +121,7 @@ Use this mode to generate a set of rules from an input text file;
     * Provider (env var required `ANTHROPIC_API_KEY`): `anthropic:`, models e.g.: `claude-3-5-sonnet-latest`, `claude-3-5-haiku-latest`, `claude-3-opus-latest` ([More here](https://docs.anthropic.com/en/docs/about-claude/models))
     * Provider (env var required `GOOGLE_API_KEY`): `gemini:models/`, models: `gemini-1.5-pro-latest`, `gemini-1.5-flash-latest` ([More here](https://ai.google.dev/gemini-api/docs/models/gemini))
     * Provider (env var required `DEEPSEEK_API_KEY`): `deepseek:`, models `deepseek-chat` ([More here](https://api-docs.deepseek.com/quick_start/pricing))
-* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
-* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
+* `--create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only.
 
 Note, in this mode, the following values will be automatically assigned to the rule
 
@@ -149,8 +148,7 @@ Note, in this mode you should be aware of a few things;
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
 * `status` (optional): either `stable`, `test`, `experimental`, `deprecated`, `unsupported`. If passed, will overwrite any existing `status` recorded in the rule
 * `level` (optional): either `informational`, `low`, `medium`, `high`, `critical`. If passed, will overwrite any existing `level` recorded in the rule
-* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
-* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
+* `--create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags.
 
 ### A note on observable extraction
 

{txt2detection-1.0.11 → txt2detection-1.0.12}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "txt2detection"
-version = "1.0.11"
+version = "1.0.12"
 authors = [
   { name = "dogesec" }
 ]

{txt2detection-1.0.11 → txt2detection-1.0.12}/tests/files/sigma-rule-attack-enterprise.yml

@@ -13,6 +13,7 @@ tags:
     - attack.t1671
     - attack.t1025
     - attack.command-and-control
+    - attack.credential_access # not sigma spec format, but still supported
     - attack.t1661 # will fail is mobile
 logsource:
     product: okta

{txt2detection-1.0.11 → txt2detection-1.0.12}/tests/files/sigma-rule-master.yml

@@ -1,21 +1,32 @@
 title: Okta Policy Modified or Deleted
+name: Always optional
 id: 1667a172-ed4c-463c-9969-efd92195319a
-status: test
+related:
+  - id: 08fbc97d-0a2f-491c-ae21-8ffcfd3174e9
+    type: derived
+  - id: 929a690e-bef0-4204-a928-ef5e620d6fcc
+    type: obsolete
 description: Detects when an Okta policy is modified or deleted.
 references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
-author: Austin Songer @austinsonger
-date: 2021-09-12
-modified: 2022-10-09
+author: dogesec tests
+date: 2020-01-01
+modified: 2023-12-25
 tags:
-    - tlp.red
+    - tlp.clear
     - attack.t1547
+    - attack.t1671
+    - attack.t1025
     - attack.command-and-control
-    - cve.2024-56520
+    - attack.credential_access # not sigma spec format, but still supported
+    - attack.t1661 # will fail is mobile
+    - custom.tag
 logsource:
     product: okta
     service: okta
+    category: login
+    definition: Logging must be enabled.
 detection:
     selection:
         eventtype:
@@ -26,5 +37,11 @@ falsepositives:
     - Okta Policies being modified or deleted may be performed by a system administrator.
     - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
     - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+fields: 
+    - sourceIPAddress
+    - userIdentity.arn
+scope:
+    - server
+status: test
 level: low
 license: MIT

{txt2detection-1.0.11 → txt2detection-1.0.12}/tests/files/sigma-rule-no-title.yml

@@ -1,4 +1,5 @@
 id: 1667a172-ed4c-463c-9969-efd92195319a
+name: is always optional
 status: test
 description: Detects when an Okta policy is modified or deleted.
 references:

txt2detection-1.0.12/tests/manual-tests/README.md

@@ -0,0 +1 @@
+# Tests

txt2detection-1.0.12/tests/manual-tests/input-file-mode.md

@@ -0,0 +1,148 @@
+# File mode tests
+
+## Check TLP
+
+```shell
+python3 txt2detection.py file \
+  --input_file tests/files/CVE-2024-56520.txt \
+  --name "Check TLP" \
+  --ai_provider openai:gpt-4o \
+  --tlp_level red \
+  --report_id e91a49ba-f935-4844-8b37-0d5e963f0683
+```
+
+## Check labels
+
+Should fail because no namespace
+
+```shell
+python3 txt2detection.py file \
+  --input_file tests/files/CVE-2024-56520.txt \
+  --name "Check bad labels" \
+  --ai_provider openai:gpt-4o \
+  --labels "label1","label_2" \
+  --report_id 139d8b41-c5c8-48fa-aa25-39a54dfa1227
+```
+
+Should pass
+
+```shell
+python3 txt2detection.py file \
+  --input_file tests/files/CVE-2024-56520.txt \
+  --name "Check labels" \
+  --ai_provider openai:gpt-4o \
+  --labels "namespace.label1" "namespace.label_2" \
+  --report_id a3731edf-e834-43d2-95b8-e03f37bde9ba
+```
+
+## Check special labels
+
+Should fail because disallowed tag
+
+```shell
+python3 txt2detection.py file \
+  --input_file tests/files/CVE-2024-56520.txt \
+  --name "Disallowed tag" \
+  --ai_provider openai:gpt-4o \
+  --labels "tlp.red" \
+  --report_id a6f2aaff-4e33-4280-bb01-ab1bd3b95362
+```
+
+Should have cve tag and matching vulnerability object
+
+```shell
+python3 txt2detection.py file \
+  --input_file tests/files/CVE-2024-56520.txt \
+  --name "CVE tags" \
+  --ai_provider openai:gpt-4o \
+  --labels "cve.2025-3593" \
+  --report_id fab3707e-00fc-4f35-9d6d-e72dc0b6ba08
+```
+
+Should have attack tags and matching attack pattern and x-mitre-tactic objects
+
+```shell
+python3 txt2detection.py file \
+  --input_file tests/files/CVE-2024-56520.txt \
+  --name "ATT&CK tags tag" \
+  --ai_provider openai:gpt-4o \
+  --labels "attack.t1071.001" "attack.command-and-control" \
+  --report_id 940e8807-381e-41df-a27e-08914bafd93c
+```
+
+## Check custom identity
+
+```shell
+python3 txt2detection.py file \
+  --input_file tests/files/CVE-2024-56520.txt \
+  --name "Check custom identity" \
+  --ai_provider openai:gpt-4o \
+  --use_identity '{"type":"identity","spec_version":"2.1","id":"identity--8ef05850-cb0d-51f7-80be-50e4376dbe63","created_by_ref":"identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5","created":"2020-01-01T00:00:00.000Z","modified":"2020-01-01T00:00:00.000Z","name":"siemrules","description":"https://github.com/muchdogesec/siemrules","identity_class":"system","sectors":["technology"],"contact_information":"https://www.dogesec.com/contact/","object_marking_refs":["marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487","marking-definition--97ba4e8b-04f6-57e8-8f6e-3a0f0a7dc0fb"]}' \
+  --report_id f6f5bcb9-095f-47fb-b286-92b6a2aee221
+```
+
+## Check created by time
+
+```shell
+python3 txt2detection.py file \
+  --input_file tests/files/CVE-2024-56520.txt \
+  --name "Check created by time" \
+  --ai_provider openai:gpt-4o \
+  --created 2010-01-01T00:00:00 \
+  --report_id 17ea21d3-a73d-44ec-bb12-eb1d34890027
+```
+
+## External references
+
+```shell
+python3 txt2detection.py file \
+  --input_file tests/files/CVE-2024-56520.txt \
+  --name "External references" \
+  --external_refs txt2stix=demo1 source=id \
+  --ai_provider openai:gpt-4o \
+  --report_id 79be13c7-15dd-4b66-a29a-8161fca77877
+```
+
+## Reference URLs
+
+```shell
+python3 txt2detection.py file \
+  --input_file tests/files/CVE-2024-56520.txt \
+  --name "Reference URLs" \
+  --reference_urls "https://www.google.com/" "https://www.facebook.com/" \
+  --ai_provider openai:gpt-4o \
+  --report_id a9928bf1-b0ab-4748-8ab8-47eb7a34ca80
+```
+
+## Check Vulmatch / CTI Butler
+
+```shell
+python3 txt2detection.py file \
+  --input_file tests/files/CVE-2024-56520.txt \
+  --name "Check Vulmatch / CTI Butler" \
+  --ai_provider openai:gpt-4o \
+  --report_id 9c78f6e4-4955-4c48-91f0-c669f744b44e
+```
+
+
+
+## Check license
+
+```shell
+python3 txt2detection.py file \
+  --input_file tests/files/CVE-2024-56520.txt \
+  --name "Check license" \
+  --ai_provider openai:gpt-4o \
+  --license MIT \
+  --report_id e37506ca-b3e4-45b8-8205-77b815b88d7f
+```
+
+## Check observable extraction
+
+```shell
+python3 txt2detection.py file \
+  --input_file tests/files/observables.txt \
+  --name "Check observables" \
+  --ai_provider openai:gpt-4o \
+  --report_id 4aa5924b-2081-42ed-9934-ebf200427302
+```

txt2detection-1.0.11/tests/manual-tests/README.md → txt2detection-1.0.12/tests/manual-tests/input-sigma-mode.md

@@ -1,165 +1,57 @@
-# AI Rule Gen Tests
+# Sigma Mode
 
-## Check TLP
+## Good test cases
 
-```shell
-python3 txt2detection.py file \
-  --input_file tests/files/CVE-2024-56520.txt \
-  --name "Check TLP" \
-  --ai_provider openai:gpt-4o \
-  --tlp_level red \
-  --report_id e91a49ba-f935-4844-8b37-0d5e963f0683
-```
-
-## Check labels
-
-Should fail because no namespace
-
-```shell
-python3 txt2detection.py file \
-  --input_file tests/files/CVE-2024-56520.txt \
-  --name "Check bad labels" \
-  --ai_provider openai:gpt-4o \
-  --labels "label1","label_2" \
-  --report_id 139d8b41-c5c8-48fa-aa25-39a54dfa1227
-```
-
-Should pass
-
-```shell
-python3 txt2detection.py file \
-  --input_file tests/files/CVE-2024-56520.txt \
-  --name "Check labels" \
-  --ai_provider openai:gpt-4o \
-  --labels "namespace.label1" "namespace.label_2" \
-  --report_id a3731edf-e834-43d2-95b8-e03f37bde9ba
-```
-
-## Check special labels
-
-Should fail because disallowed tag
-
-```shell
-python3 txt2detection.py file \
-  --input_file tests/files/CVE-2024-56520.txt \
-  --name "Disallowed tag" \
-  --ai_provider openai:gpt-4o \
-  --labels "tlp.red" \
-  --report_id a6f2aaff-4e33-4280-bb01-ab1bd3b95362
-```
-
-Should have cve tag and matching vulnerability object
-
-```shell
-python3 txt2detection.py file \
-  --input_file tests/files/CVE-2024-56520.txt \
-  --name "CVE tags" \
-  --ai_provider openai:gpt-4o \
-  --labels "cve.2025-3593" \
-  --report_id fab3707e-00fc-4f35-9d6d-e72dc0b6ba08
-```
-
-Should have attack tags and matching attack pattern and x-mitre-tactic objects
+### A rule with all properties
 
 ```shell
-python3 txt2detection.py file \
-  --input_file tests/files/CVE-2024-56520.txt \
-  --name "ATT&CK tags tag" \
-  --ai_provider openai:gpt-4o \
-  --labels "attack.t1071.001" "attack.command-and-control" \
-  --report_id 940e8807-381e-41df-a27e-08914bafd93c
-```
-
-## Check custom identity
-
-```shell
-python3 txt2detection.py file \
-  --input_file tests/files/CVE-2024-56520.txt \
-  --name "Check custom identity" \
-  --ai_provider openai:gpt-4o \
-  --use_identity '{"type":"identity","spec_version":"2.1","id":"identity--8ef05850-cb0d-51f7-80be-50e4376dbe63","created_by_ref":"identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5","created":"2020-01-01T00:00:00.000Z","modified":"2020-01-01T00:00:00.000Z","name":"siemrules","description":"https://github.com/muchdogesec/siemrules","identity_class":"system","sectors":["technology"],"contact_information":"https://www.dogesec.com/contact/","object_marking_refs":["marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487","marking-definition--97ba4e8b-04f6-57e8-8f6e-3a0f0a7dc0fb"]}' \
-  --report_id f6f5bcb9-095f-47fb-b286-92b6a2aee221
+python3 txt2detection.py sigma \
+  --sigma_file tests/files/sigma-rule-master.yml \
+  --name "Complete Sigma Rule" \
+  --create_attack_navigator_layer \
+  --ai_provider openai:gpt-5 \
+  --report_id a18e76d1-f152-4b87-a552-d46f41afd637
 ```
 
-## Check created by time
-
-```shell
-python3 txt2detection.py file \
-  --input_file tests/files/CVE-2024-56520.txt \
-  --name "Check created by time" \
-  --ai_provider openai:gpt-4o \
-  --created 2010-01-01T00:00:00 \
-  --report_id 17ea21d3-a73d-44ec-bb12-eb1d34890027
-```
+Check that derived is created (original rule id is 1667a172-ed4c-463c-9969-efd92195319a) and rule id matches the report it
 
-## External references
+### Test with no report ID passed
 
 ```shell
-python3 txt2detection.py file \
-  --input_file tests/files/CVE-2024-56520.txt \
-  --name "External references" \
-  --external_refs txt2stix=demo1 source=id \
-  --ai_provider openai:gpt-4o \
-  --report_id 79be13c7-15dd-4b66-a29a-8161fca77877
-```
-
-## Reference URLs
-
-```shell
-python3 txt2detection.py file \
-  --input_file tests/files/CVE-2024-56520.txt \
-  --name "Reference URLs" \
-  --reference_urls "https://www.google.com/" "https://www.facebook.com/" \
-  --ai_provider openai:gpt-4o \
-  --report_id a9928bf1-b0ab-4748-8ab8-47eb7a34ca80
+python3 txt2detection.py sigma \
+  --sigma_file tests/files/sigma-rule-master.yml \
+  --name "Complete Sigma Rule" \
+  --create_attack_navigator_layer \
+  --ai_provider openai:gpt-5
 ```
 
-## Check Vulmatch / CTI Butler
+Check that derived is created (original rule id is 1667a172-ed4c-463c-9969-efd92195319a). Rule id generation (and report) is random. This happens because we can't be sure all id's in Rules uploaded will conform to UUIDv4 RFC.
 
-```shell
-python3 txt2detection.py file \
-  --input_file tests/files/CVE-2024-56520.txt \
-  --name "Check Vulmatch / CTI Butler" \
-  --ai_provider openai:gpt-4o \
-  --report_id 9c78f6e4-4955-4c48-91f0-c669f744b44e
-```
-
-## Testing input txt
+### Check required properties CLI overide
 
 ```shell
-python3 txt2detection.py text \
-  --input_text "a rule detecting suspicious logins on windows systems" \
-  --name "Testing input txt" \
-  --ai_provider openai:gpt-4o \
-  --report_id ca20d4a1-e40d-47a9-a454-1324beff4727
+python3 txt2detection.py sigma \
+  --sigma_file tests/files/sigma-rule-no-title.yml \
+  --name "A new title" \
+  --report_id 272daf95-2790-4fd5-9ca6-ee8cef08315d
 ```
 
-## Check license
+Here rule contains no name, but is passed in the request to ensure compliance so script will generate a rule.
 
-```shell
-python3 txt2detection.py file \
-  --input_file tests/files/CVE-2024-56520.txt \
-  --name "Check license" \
-  --ai_provider openai:gpt-4o \
-  --license MIT \
-  --report_id e37506ca-b3e4-45b8-8205-77b815b88d7f
-```
+### Append related
 
-## Check observable extraction
+`related` property exist, check append of new related property for this run is correct
 
 ```shell
-python3 txt2detection.py file \
-  --input_file tests/files/observables.txt \
-  --name "Check observables" \
-  --ai_provider openai:gpt-4o \
-  --report_id 4aa5924b-2081-42ed-9934-ebf200427302
+python3 txt2detection.py sigma \
+  --sigma_file tests/files/sigma-rule-existing-related.yml \
+  --name "Append related" \
+  --report_id 655f0689-5209-4ad5-a6de-3f198c696060
 ```
 
-# Manual Rule Gen
+## Bad test cases
 
-## Title
-
-Should fail
+### No title
 
 ```shell
 python3 txt2detection.py sigma \
@@ -169,49 +61,10 @@ python3 txt2detection.py sigma \
 
 Title, but report name is override by CLI input
 
-```shell
-python3 txt2detection.py sigma \
-  --sigma_file tests/files/sigma-rule-master.yml \
-  --name "A new title" \
-  --report_id 272daf95-2790-4fd5-9ca6-ee8cef08315d
-```
 
-## No description
 
-```shell
-python3 txt2detection.py sigma \
-  --sigma_file tests/files/sigma-rule-no-description.yml \
-  --name "No description" \
-  --report_id fd38cd23-93af-41ad-ab43-a6fa0ca69bf5
-```
 
-## Check that derived-from is created
 
-```shell
-python3 txt2detection.py sigma \
-  --sigma_file tests/files/sigma-rule-master.yml \
-  --name "Manual Rule Gen" \
-  --report_id 80fc4d1c-f02c-4bff-80bf-d97490a04542
-```
-
-## Random ID
-
-```shell
-python3 txt2detection.py sigma \
-  --sigma_file tests/files/sigma-rule-master.yml \
-  --name "Random ID"
-```
-
-## Append related
-
-`related` property exist, check append is correct
-
-```shell
-python3 txt2detection.py sigma \
-  --sigma_file tests/files/sigma-rule-existing-related.yml \
-  --name "Append related" \
-  --report_id 655f0689-5209-4ad5-a6de-3f198c696060
-```
 
 ## Check dates
 
@@ -448,16 +301,6 @@ python3 txt2detection.py sigma \
 ```
 
 
-## Attack Flow
-
-```shell
-python3 txt2detection.py sigma \
-  --sigma_file tests/files/sigma-rule-attack-flow.yml \
-  --name "Create ATT&CK Flow" \
-  --report_id 330e2030-1dc2-45e6-be13-9342b102621b \
-  --ai_provider openai:gpt-5 \
-  --ai_create_attack_flow
-```
 
 ## Attack Navigator
 
@@ -468,10 +311,9 @@ python3 txt2detection.py sigma \
   --sigma_file tests/files/sigma-rule-attack-enterprise.yml \
   --name "Attack Navigator Enterprise" \
   --report_id a18e76d1-f152-4b87-a552-d46f41afd637 \
+  --create_attack_navigator_layer \
   --ai_provider openai:gpt-5 \
-  --ai_create_attack_navigator_layer
+  
 ```
 
-### Mobile / ICS
-
-Not currently supported by Sigma.
+### Mobile / ICS

txt2detection-1.0.12/tests/manual-tests/input-text-mode.md

@@ -0,0 +1,23 @@
+## Testing input txt
+
+Basic input
+
+```shell
+python3 txt2detection.py text \
+  --input_text "a rule detecting suspicious logins on windows systems" \
+  --name "Testing input txt" \
+  --ai_provider openai:gpt-5 \
+  --report_id ca20d4a1-e40d-47a9-a454-1324beff4727
+```
+
+
+## Write multiple rules
+
+```shell
+python3 txt2detection.py text \
+  --input_text "Write rule to detect 1.1.1.1.\n Write a second rule to detect google.com" \
+  --name "Multi rule" \
+  --ai_provider openai:gpt-5 \
+  --create_attack_navigator_layer \
+  --report_id 3daabf35-a632-43be-a2b0-1c35a93069b1
+```

txt2detection-1.0.12/tests/src/test_attack_flow.py

@@ -0,0 +1,7 @@
+from unittest.mock import MagicMock
+
+def make_fake_tactics(*tactic_name):
+    return {k: dict(external_references=dict(external_id=tactic_name)) for k in tactic_name}
+def test_map_technique_tactic():
+    global_tactics = make_fake_tactics('initial-access', 'defense-evasion')
+    rule_tactics = make_fake_tactics('defense-evasion', 'exfiltration')