PyPI - txt2detection - Versions diffs - 1.0.14__tar.gz → 1.1.0__tar.gz - Mend

txt2detection 1.0.14tar.gz → 1.1.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of txt2detection might be problematic. Click here for more details.

Files changed (64) hide show

{txt2detection-1.0.14 → txt2detection-1.1.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2detection
-Version: 1.0.14
+Version: 1.1.0
 Summary: A command line tool that takes a txt file containing threat intelligence and turns it into a detection rule.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2detection
 Project-URL: Issues, https://github.com/muchdogesec/txt2detection/issues

{txt2detection-1.0.14 → txt2detection-1.1.0}/docs/README.md RENAMED Viewed

@@ -8,6 +8,12 @@ The following marking defintion ID is added to all `object_marking_refs` of STIX
 https://raw.githubusercontent.com/muchdogesec/stix4doge/refs/heads/main/objects/marking-definition/txt2detection.json
+### Sigma Extension Definition
+Because we use custom properties in the Indicator object, we also import an Extension Definition object into all bundles
+https://raw.githubusercontent.com/muchdogesec/stix2extensions/refs/heads/main/extension-definitions/properties/indicator-sigma_rule.json
 ### AI creation mode
 #### Report SDO (`report`)
@@ -68,6 +74,19 @@ For each detection rule produced by the AI (there could be more than one) an Ind
     "description": "<AI DESCRIPTION>",
     "pattern_type": "sigma",
     "pattern": "<DETECTION_RULE>",
+    "x_sigma_type": "base",
+    "x_sigma_level": "<LEVEL>",
+    "x_sigma_status": "<STATUS>",
+    "x_sigma_license": "<LICENSE>",
+    "x_sigma_fields": [
+        "<FIELD>"
+    ],
+    "x_sigma_falsepositives": [
+        "<FALSE POSITIVE>"
+    ],
+    "x_sigma_scope": [
+        "<SCOPE>"
+    ],
     "labels": [
         "<LABELS ADDED BY USER VIA CLI, EXCEPT SPECIAL LABELS ATTACK / CVE>"
     ],
@@ -79,18 +98,6 @@ For each detection rule produced by the AI (there could be more than one) an Ind
             "description": "rule_md5_hash",
             "external_id": "<MD5 HASH OF PATTERN FIELD>"
         },
-        {
-            "source_name": "sigma-level",
-            "description": "<LEVEL>"
-        },
-        {
-            "source_name": "sigma-status",
-            "description": "<STATUS>"
-        },
-        {
-            "source_name": "sigma-license",
-            "description": "<LICENSE, IF DOES NOT EXIST IS OMITTED>"
-        },
         {
             "source_name": "mitre-attack",
             "url": "https://attack.mitre.org/techniques/<ID, IF DOES NOT EXIST IS OMITTED>",
@@ -111,7 +118,12 @@ For each detection rule produced by the AI (there could be more than one) an Ind
     "object_marking_refs": [
         "marking-definition--<TLP LEVEL SET AT CLI>",
         "marking-definition--a4d70b75-6f4a-5d19-9137-da863edd33d7"
-    ]
+    ],
+    "extensions": {
+        "extension-definition--c16c84c5-9cfd-50a2-970d-09c0ff2700f7": {
+            "extension_type": "toplevel-property-extension"
+        }
+    }
 }
 ```
@@ -466,6 +478,19 @@ For the detection rule produced an Indicator object is created as follows;
     "description": "<DESCRIPTION OF RULE, IF DOES NOT EXIST IS OMITTED>",
     "pattern_type": "sigma",
     "pattern": "<DETECTION_RULE>",
+    "x_sigma_type": "base",
+    "x_sigma_level": "<LEVEL>",
+    "x_sigma_status": "<STATUS>",
+    "x_sigma_license": "<LICENSE>",
+    "x_sigma_fields": [
+        "<FIELD>"
+    ],
+    "x_sigma_falsepositives": [
+        "<FALSE POSITIVE>"
+    ],
+    "x_sigma_scope": [
+        "<SCOPE>"
+    ],
     "labels": [
         "<LABELS ADDED BY USER AT CLI, EXCEPT SPECIAL LABELS ATTACK / CVE>"
         "<TAGS FROM RULE EXCLUDING CVE,ATTACK,TLP>"
@@ -482,18 +507,6 @@ For the detection rule produced an Indicator object is created as follows;
             "source_name": "sigma-old-id",
             "description": "<SIGMA ID REPLACED, ELSE BLANK>"
         },
-        {
-            "source_name": "sigma-level",
-            "description": "<LEVEL, IF DOES NOT EXIST IS OMITTED>"
-        },
-        {
-            "source_name": "sigma-status",
-            "description": "<STATUS, IF DOES NOT EXIST IS OMITTED>"
-        },
-        {
-            "source_name": "sigma-license",
-            "description": "<LICENSE, IF DOES NOT EXIST IS OMITTED>"
-        },
         {
             "source_name": "mitre-attack",
             "url": "https://attack.mitre.org/techniques/<ID, IF DOES NOT EXIST IS OMITTED>",

{txt2detection-1.0.14 → txt2detection-1.1.0}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "txt2detection"
-version = "1.0.14"
+version = "1.1.0"
 authors = [{ name = "dogesec" }]
 maintainers = [{ name = "dogesec" }]
 description = "A command line tool that takes a txt file containing threat intelligence and turns it into a detection rule."

{txt2detection-1.0.14 → txt2detection-1.1.0}/tests/manual-tests/input-text-mode.md RENAMED Viewed

@@ -4,9 +4,10 @@ Basic input
 ```shell
 python3 txt2detection.py text \
-  --input_text "a rule detecting suspicious logins on windows systems" \
+  --input_text "a rule detecting suspicious logins on windows systems and another deteting suspicious logins on unix systems" \
   --name "Testing input txt" \
   --ai_provider openai:gpt-5 \
+  --create_attack_navigator_layer \
   --report_id ca20d4a1-e40d-47a9-a454-1324beff4727
 ```
@@ -15,7 +16,7 @@ python3 txt2detection.py text \
 ```shell
 python3 txt2detection.py text \
-  --input_text "Write rule to detect 1.1.1.1.\n Write a second rule to detect google.com" \
+  --input_text "Write rule to detect 1.1.1.1.\n Write a second rule to detect google.com." \
   --name "Multi rule" \
   --ai_provider openai:gpt-5 \
   --create_attack_navigator_layer \

{txt2detection-1.0.14 → txt2detection-1.1.0}/tests/src/test_bundler.py RENAMED Viewed

@@ -376,6 +376,7 @@ def test_generate_navigators(bundler_instance, dummy_detection):
     ] == {
         "name": "Test Detection",
         "domain": "enterprise-attack",
+        "description": "Detects something suspicious.",
         "versions": {
             "layer": "4.5",
             "attack": bundler_instance.mitre_version,

{txt2detection-1.0.14 → txt2detection-1.1.0}/txt2detection/attack_navigator.py RENAMED Viewed

@@ -38,9 +38,11 @@ def create_navigator_layer(report, indicator, technique_mapping, mitre_version):
         if tactic:
             technique_item["tactic"] = tactic
         techniques.append(technique_item)
     return {
         "name": indicator["name"],
         "domain": "enterprise-attack",
+        "description": indicator["description"],
         "versions": {
             "layer": "4.5",
             "attack": mitre_version,