txt2detection 1.0.7__tar.gz → 1.0.9__tar.gz

{txt2detection-1.0.7 → txt2detection-1.0.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2detection
-Version: 1.0.7
+Version: 1.0.9
 Summary: A command line tool that takes a txt file containing threat intelligence and turns it into a detection rule.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2detection
 Project-URL: Issues, https://github.com/muchdogesec/txt2detection/issues
@@ -21,6 +21,7 @@ Requires-Dist: python-slugify
 Requires-Dist: pyyaml
 Requires-Dist: requests>=2.31.0; python_version >= '3.7'
 Requires-Dist: stix2
+Requires-Dist: stix2extensions
 Requires-Dist: tqdm>=4.66.4; python_version >= '3.7'
 Requires-Dist: validators>=0.34.0
 Provides-Extra: anthropic
@@ -71,12 +72,6 @@ txt2detection allows a user to enter some threat intelligence as a file to consi
 2. Based on the user input, AI prompts structured and sent to produce an intelligence rule
 3. Rules converted into STIX objects
 
-## tl;dr
-
-[![txt2detection](https://img.youtube.com/vi/uJWXYKyu3Xg/0.jpg)](https://www.youtube.com/watch?v=uJWXYKyu3Xg)
-
-[Watch the demo](https://www.youtube.com/watch?v=uJWXYKyu3Xg).
-
 ## Usage
 
 ### Setup
@@ -161,12 +156,14 @@ Use this mode to generate a set of rules from an input text file;
 * `--license` (optional): [License of the rule according the SPDX ID specification](https://spdx.org/licenses/). Will be added to the rule.
 * `--reference_urls` (optional): A list of URLs to be added as `references` in the Sigma Rule property and in the `external_references` property of the Indicator and Report STIX object created. e.g `"https://www.google.com/" "https://www.facebook.com/"`
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
-* `ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
+* `--ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
     * Provider (env var required `OPENROUTER_API_KEY`): `openrouter:`, providers/models `openai/gpt-4o`, `deepseek/deepseek-chat` ([More here](https://openrouter.ai/models))
     * Provider (env var required `OPENAI_API_KEY`): `openai:`, models e.g.: `gpt-4o`, `gpt-4o-mini`, `gpt-4-turbo`, `gpt-4` ([More here](https://platform.openai.com/docs/models))
     * Provider (env var required `ANTHROPIC_API_KEY`): `anthropic:`, models e.g.: `claude-3-5-sonnet-latest`, `claude-3-5-haiku-latest`, `claude-3-opus-latest` ([More here](https://docs.anthropic.com/en/docs/about-claude/models))
     * Provider (env var required `GOOGLE_API_KEY`): `gemini:models/`, models: `gemini-1.5-pro-latest`, `gemini-1.5-flash-latest` ([More here](https://ai.google.dev/gemini-api/docs/models/gemini))
     * Provider (env var required `DEEPSEEK_API_KEY`): `deepseek:`, models `deepseek-chat` ([More here](https://api-docs.deepseek.com/quick_start/pricing))
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 
 Note, in this mode, the following values will be automatically assigned to the rule
 
@@ -193,6 +190,8 @@ Note, in this mode you should be aware of a few things;
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
 * `status` (optional): either `stable`, `test`, `experimental`, `deprecated`, `unsupported`. If passed, will overwrite any existing `status` recorded in the rule
 * `level` (optional): either `informational`, `low`, `medium`, `high`, `critical`. If passed, will overwrite any existing `level` recorded in the rule
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 
 ### A note on observable extraction
 

{txt2detection-1.0.7 → txt2detection-1.0.9}/README.md

@@ -31,12 +31,6 @@ txt2detection allows a user to enter some threat intelligence as a file to consi
 2. Based on the user input, AI prompts structured and sent to produce an intelligence rule
 3. Rules converted into STIX objects
 
-## tl;dr
-
-[![txt2detection](https://img.youtube.com/vi/uJWXYKyu3Xg/0.jpg)](https://www.youtube.com/watch?v=uJWXYKyu3Xg)
-
-[Watch the demo](https://www.youtube.com/watch?v=uJWXYKyu3Xg).
-
 ## Usage
 
 ### Setup
@@ -121,12 +115,14 @@ Use this mode to generate a set of rules from an input text file;
 * `--license` (optional): [License of the rule according the SPDX ID specification](https://spdx.org/licenses/). Will be added to the rule.
 * `--reference_urls` (optional): A list of URLs to be added as `references` in the Sigma Rule property and in the `external_references` property of the Indicator and Report STIX object created. e.g `"https://www.google.com/" "https://www.facebook.com/"`
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
-* `ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
+* `--ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
     * Provider (env var required `OPENROUTER_API_KEY`): `openrouter:`, providers/models `openai/gpt-4o`, `deepseek/deepseek-chat` ([More here](https://openrouter.ai/models))
     * Provider (env var required `OPENAI_API_KEY`): `openai:`, models e.g.: `gpt-4o`, `gpt-4o-mini`, `gpt-4-turbo`, `gpt-4` ([More here](https://platform.openai.com/docs/models))
     * Provider (env var required `ANTHROPIC_API_KEY`): `anthropic:`, models e.g.: `claude-3-5-sonnet-latest`, `claude-3-5-haiku-latest`, `claude-3-opus-latest` ([More here](https://docs.anthropic.com/en/docs/about-claude/models))
     * Provider (env var required `GOOGLE_API_KEY`): `gemini:models/`, models: `gemini-1.5-pro-latest`, `gemini-1.5-flash-latest` ([More here](https://ai.google.dev/gemini-api/docs/models/gemini))
     * Provider (env var required `DEEPSEEK_API_KEY`): `deepseek:`, models `deepseek-chat` ([More here](https://api-docs.deepseek.com/quick_start/pricing))
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 
 Note, in this mode, the following values will be automatically assigned to the rule
 
@@ -153,6 +149,8 @@ Note, in this mode you should be aware of a few things;
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
 * `status` (optional): either `stable`, `test`, `experimental`, `deprecated`, `unsupported`. If passed, will overwrite any existing `status` recorded in the rule
 * `level` (optional): either `informational`, `low`, `medium`, `high`, `critical`. If passed, will overwrite any existing `level` recorded in the rule
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 
 ### A note on observable extraction
 

{txt2detection-1.0.7 → txt2detection-1.0.9}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "txt2detection"
-version = "1.0.7"
+version = "1.0.9"
 authors = [
   { name = "dogesec" }
 ]
@@ -31,6 +31,7 @@ dependencies = [
     "validators>=0.34.0",
     "llama-index-core>=0.12.42",
     'llama-index-llms-openai>=0.4.5',
+    'stix2extensions',
   ]
 [project.urls]
 Homepage = "https://github.com/muchdogesec/txt2detection"

txt2detection-1.0.9/tests/files/sigma-rule-attack-enterprise.yml

@@ -0,0 +1,27 @@
+title: Attack Navigator Enterprise
+id: a18e76d1-f152-4b87-a552-d46f41afd637
+status: test
+description: Build an Attack Enterprise Navigator layer
+references:
+    - https://www.dogesec.com
+author: dogesec
+date: 2020-01-01
+modified: 2020-01-02
+tags:
+    - tlp.clear
+    - attack.t1547
+    - attack.t1671
+    - attack.t1025
+    - attack.command-and-control
+    - attack.t1661 # will fail is mobile
+logsource:
+    product: okta
+    service: okta
+detection:
+    selection:
+        eventtype:
+            - policy.lifecycle.update
+            - policy.lifecycle.delete
+    condition: selection
+level: low
+license: MIT

txt2detection-1.0.9/tests/files/sigma-rule-attack-flow.yml

@@ -0,0 +1,25 @@
+title: Attack Flow demo
+id: 7894eba6-b0e5-48d9-be52-26bf5a556e45
+status: test
+description: Build an Attack Flow from a Sigma Rule
+references:
+    - https://www.dogesec.com
+author: dogesec
+date: 2020-01-01
+modified: 2020-01-02
+tags:
+    - tlp.clear
+    - attack.t1547
+    - attack.t1671
+    - attack.t1025
+logsource:
+    product: okta
+    service: okta
+detection:
+    selection:
+        eventtype:
+            - policy.lifecycle.update
+            - policy.lifecycle.delete
+    condition: selection
+level: low
+license: MIT

{txt2detection-1.0.7 → txt2detection-1.0.9}/tests/files/sigma-rule-custom-tags.yml

@@ -11,7 +11,7 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
+    - attack.command-and-control
     - cve.2024-56520
     - detection.xyz
 logsource:

{txt2detection-1.0.7 → txt2detection-1.0.9}/tests/files/sigma-rule-master.yml

@@ -11,7 +11,7 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
+    - attack.command-and-control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.7 → txt2detection-1.0.9}/tests/files/sigma-rule-no-description.yml

@@ -10,7 +10,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.7 → txt2detection-1.0.9}/tests/files/sigma-rule-no-level.yml

@@ -11,7 +11,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.7 → txt2detection-1.0.9}/tests/files/sigma-rule-no-license.yml

@@ -11,7 +11,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.7 → txt2detection-1.0.9}/tests/files/sigma-rule-no-status.yml

@@ -10,7 +10,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.7 → txt2detection-1.0.9}/tests/files/sigma-rule-observables.yml

@@ -11,7 +11,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.7 → txt2detection-1.0.9}/tests/manual-tests/README.md

@@ -445,4 +445,33 @@ python3 txt2detection.py sigma \
   --name "Overwrite status" \
   --status unsupported \
   --report_id d2d01afa-dc55-4a80-8d62-15d154450112
-```
+```
+
+
+## Attack Flow
+
+```shell
+python3 txt2detection.py sigma \
+  --sigma_file tests/files/sigma-rule-attack-flow.yml \
+  --name "Create ATT&CK Flow" \
+  --report_id 330e2030-1dc2-45e6-be13-9342b102621b \
+  --ai_provider openai:gpt-5 \
+  --ai_create_attack_flow
+```
+
+## Attack Navigator
+
+### Enterprise
+
+```shell
+python3 txt2detection.py sigma \
+  --sigma_file tests/files/sigma-rule-attack-enterprise.yml \
+  --name "Attack Navigator Enterprise" \
+  --report_id a18e76d1-f152-4b87-a552-d46f41afd637 \
+  --ai_provider openai:gpt-5 \
+  --ai_create_attack_navigator_layer
+```
+
+### Mobile / ICS
+
+Not currently supported by Sigma.

{txt2detection-1.0.7 → txt2detection-1.0.9}/tests/src/test_bundler.py

@@ -16,9 +16,9 @@ def dummy_detection():
     detection = SigmaRuleDetection(
         title="Test Detection",
         description="Detects something suspicious.",
-        detection=dict(condition="selection1", selection1=dict(ip='1.1.1.1')),
+        detection=dict(condition="selection1", selection1=dict(ip="1.1.1.1")),
         tags=["tlp.red", "sigma.execution"],
-        id=str(uuid.uuid4()),
+        id="cd7ff0b1-fbf3-4c2d-ba70-5d127eb8b4be",
         external_references=[],
         logsource=dict(
             category="network-connection",
@@ -28,15 +28,6 @@ def dummy_detection():
     return detection
 
 
-@pytest.fixture
-def bundler_instance():
-    return Bundler(
-        name="Test Report",
-        identity=None,
-        tlp_level="red",
-        description="This is a test report.",
-        labels=["tlp.red", "test.test-var"],
-    )
 
 
 def test_bundler_initialization(bundler_instance):
@@ -229,7 +220,7 @@ def test_bundler_generates_valid_bundle(dummy_detection):
 
 def test_bundle_detections(dummy_detection, bundler_instance):
     container = DetectionContainer(success=False, detections=[])
-    with patch.object(Bundler, 'add_rule_indicator') as mock_add_rule_indicator:
+    with patch.object(Bundler, "add_rule_indicator") as mock_add_rule_indicator:
         bundler_instance.bundle_detections(container)
         mock_add_rule_indicator.assert_not_called()
         mock_add_rule_indicator.reset_mock()
@@ -238,3 +229,57 @@ def test_bundle_detections(dummy_detection, bundler_instance):
         container.success = True
         bundler_instance.bundle_detections(container)
         mock_add_rule_indicator.assert_called_once_with(detection)
+
+
+def test_bundle_detections__creates_log_source(dummy_detection, bundler_instance):
+    dummy_detection.detection_id = "d73e1632-c541-4b09-8281-95dc7f9c5782"
+    bundler_instance.add_rule_indicator(dummy_detection)
+    objects = [
+        obj
+        for obj in bundler_instance.bundle_dict["objects"]
+        if obj["id"]
+        in (
+            "data-source--f078a18f-0f04-5fde-b6cd-a5af90b6346b",
+            "relationship--fe0a3715-6a21-5472-840f-39ea9c61ee83",
+        )
+    ]
+    assert objects == [
+        {
+            "type": "data-source",
+            "spec_version": "2.1",
+            "id": "data-source--f078a18f-0f04-5fde-b6cd-a5af90b6346b",
+            "category": "network-connection",
+            "product": "firewall",
+            "extensions": {
+                "extension-definition--afeeb724-bce2-575e-af3d-d705842ea84b": {
+                    "extension_type": "new-sco"
+                }
+            },
+        },
+        {
+            "type": "relationship",
+            "spec_version": "2.1",
+            "id": "relationship--fe0a3715-6a21-5472-840f-39ea9c61ee83",
+            "created_by_ref": "identity--a4d70b75-6f4a-5d19-9137-da863edd33d7",
+            "created": "2025-01-01T00:00:00.000Z",
+            "modified": "2025-01-01T00:00:00.000Z",
+            "relationship_type": "related-to",
+            "description": "Test Detection is created from log-source {category=network-connection, product=firewall}",
+            "source_ref": "indicator--d73e1632-c541-4b09-8281-95dc7f9c5782",
+            "target_ref": "data-source--f078a18f-0f04-5fde-b6cd-a5af90b6346b",
+            "object_marking_refs": [
+                "marking-definition--e828b379-4e03-4974-9ac4-e53a884c97c1",
+                "marking-definition--a4d70b75-6f4a-5d19-9137-da863edd33d7",
+            ],
+        },
+    ]
+
+def test_get_attack_objects(bundler_instance):
+    retval = bundler_instance.get_attack_objects(['T1190', 'T1547'])
+    print({r['id'] for r in retval})
+    assert {r['id'] for r in retval} == {'attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf', 'attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c'}
+
+def test_get_cve_objects(bundler_instance):
+    cves = ['CVE-2025-1234', 'CVE-2024-1234']
+    retval = bundler_instance.get_cve_objects(cves)
+    assert {r['name'] for r in retval} == set(cves)