txt2detection 1.0.15__tar.gz → 1.1.1__tar.gz

{txt2detection-1.0.15 → txt2detection-1.1.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2detection
-Version: 1.0.15
+Version: 1.1.1
 Summary: A command line tool that takes a txt file containing threat intelligence and turns it into a detection rule.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2detection
 Project-URL: Issues, https://github.com/muchdogesec/txt2detection/issues

{txt2detection-1.0.15 → txt2detection-1.1.1}/docs/README.md

@@ -8,6 +8,12 @@ The following marking defintion ID is added to all `object_marking_refs` of STIX
 
 https://raw.githubusercontent.com/muchdogesec/stix4doge/refs/heads/main/objects/marking-definition/txt2detection.json
 
+### Sigma Extension Definition
+
+Because we use custom properties in the Indicator object, we also import an Extension Definition object into all bundles
+
+https://raw.githubusercontent.com/muchdogesec/stix2extensions/refs/heads/main/extension-definitions/properties/indicator-sigma_rule.json
+
 ### AI creation mode
 
 #### Report SDO (`report`)
@@ -68,6 +74,19 @@ For each detection rule produced by the AI (there could be more than one) an Ind
     "description": "<AI DESCRIPTION>",
     "pattern_type": "sigma",
     "pattern": "<DETECTION_RULE>",
+    "x_sigma_type": "base",
+    "x_sigma_level": "<LEVEL>",
+    "x_sigma_status": "<STATUS>",
+    "x_sigma_license": "<LICENSE>",
+    "x_sigma_fields": [
+        "<FIELD>"
+    ],
+    "x_sigma_falsepositives": [
+        "<FALSE POSITIVE>"
+    ],
+    "x_sigma_scope": [
+        "<SCOPE>"
+    ],
     "labels": [
         "<LABELS ADDED BY USER VIA CLI, EXCEPT SPECIAL LABELS ATTACK / CVE>"
     ],
@@ -79,18 +98,6 @@ For each detection rule produced by the AI (there could be more than one) an Ind
             "description": "rule_md5_hash",
             "external_id": "<MD5 HASH OF PATTERN FIELD>"
         },
-        {
-            "source_name": "sigma-level",
-            "description": "<LEVEL>"
-        },
-        {
-            "source_name": "sigma-status",
-            "description": "<STATUS>"
-        },
-        {
-            "source_name": "sigma-license",
-            "description": "<LICENSE, IF DOES NOT EXIST IS OMITTED>"
-        },
         {
             "source_name": "mitre-attack",
             "url": "https://attack.mitre.org/techniques/<ID, IF DOES NOT EXIST IS OMITTED>",
@@ -111,7 +118,12 @@ For each detection rule produced by the AI (there could be more than one) an Ind
     "object_marking_refs": [
         "marking-definition--<TLP LEVEL SET AT CLI>",
         "marking-definition--a4d70b75-6f4a-5d19-9137-da863edd33d7"
-    ]
+    ],
+    "extensions": {
+        "extension-definition--c16c84c5-9cfd-50a2-970d-09c0ff2700f7": {
+            "extension_type": "toplevel-property-extension"
+        }
+    }
 }
 ```
 
@@ -466,6 +478,19 @@ For the detection rule produced an Indicator object is created as follows;
     "description": "<DESCRIPTION OF RULE, IF DOES NOT EXIST IS OMITTED>",
     "pattern_type": "sigma",
     "pattern": "<DETECTION_RULE>",
+    "x_sigma_type": "base",
+    "x_sigma_level": "<LEVEL>",
+    "x_sigma_status": "<STATUS>",
+    "x_sigma_license": "<LICENSE>",
+    "x_sigma_fields": [
+        "<FIELD>"
+    ],
+    "x_sigma_falsepositives": [
+        "<FALSE POSITIVE>"
+    ],
+    "x_sigma_scope": [
+        "<SCOPE>"
+    ],
     "labels": [
         "<LABELS ADDED BY USER AT CLI, EXCEPT SPECIAL LABELS ATTACK / CVE>"
         "<TAGS FROM RULE EXCLUDING CVE,ATTACK,TLP>"
@@ -482,18 +507,6 @@ For the detection rule produced an Indicator object is created as follows;
             "source_name": "sigma-old-id",
             "description": "<SIGMA ID REPLACED, ELSE BLANK>"
         },
-        {
-            "source_name": "sigma-level",
-            "description": "<LEVEL, IF DOES NOT EXIST IS OMITTED>"
-        },
-        {
-            "source_name": "sigma-status",
-            "description": "<STATUS, IF DOES NOT EXIST IS OMITTED>"
-        },
-        {
-            "source_name": "sigma-license",
-            "description": "<LICENSE, IF DOES NOT EXIST IS OMITTED>"
-        },
         {
             "source_name": "mitre-attack",
             "url": "https://attack.mitre.org/techniques/<ID, IF DOES NOT EXIST IS OMITTED>",

{txt2detection-1.0.15 → txt2detection-1.1.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "txt2detection"
-version = "1.0.15"
+version = "1.1.1"
 authors = [{ name = "dogesec" }]
 maintainers = [{ name = "dogesec" }]
 description = "A command line tool that takes a txt file containing threat intelligence and turns it into a detection rule."

{txt2detection-1.0.15 → txt2detection-1.1.1}/tests/manual-tests/input-text-mode.md

@@ -4,9 +4,10 @@ Basic input
 
 ```shell
 python3 txt2detection.py text \
-  --input_text "a rule detecting suspicious logins on windows systems" \
+  --input_text "a rule detecting suspicious logins on windows systems and another deteting suspicious logins on unix systems" \
   --name "Testing input txt" \
   --ai_provider openai:gpt-5 \
+  --create_attack_navigator_layer \
   --report_id ca20d4a1-e40d-47a9-a454-1324beff4727
 ```
 
@@ -15,7 +16,7 @@ python3 txt2detection.py text \
 
 ```shell
 python3 txt2detection.py text \
-  --input_text "Write rule to detect 1.1.1.1.\n Write a second rule to detect google.com" \
+  --input_text "Write rule to detect 1.1.1.1.\n Write a second rule to detect google.com." \
   --name "Multi rule" \
   --ai_provider openai:gpt-5 \
   --create_attack_navigator_layer \

{txt2detection-1.0.15 → txt2detection-1.1.1}/txt2detection/bundler.py

@@ -401,7 +401,7 @@ class Bundler:
             indicator = [
                 f
                 for f in self.bundle.objects
-                if str(f["id"]).endswith(detection_id) and f["type"] == "indicator"
+                if str(f["id"]).endswith(str(detection_id)) and f["type"] == "indicator"
             ][0]
             self.data.navigator_layer[detection_id] = (
                 attack_navigator.create_navigator_layer(