txt2detection 1.0.8__py3-none-any.whl → 1.0.9__py3-none-any.whl

txt2detection/bundler.py

@@ -15,8 +15,15 @@ from stix2 import (
 from stix2.serialization import serialize
 import hashlib
 
-from txt2detection import observables
-from txt2detection.models import AIDetection, BaseDetection, DetectionContainer, UUID_NAMESPACE, SigmaRuleDetection
+from txt2detection import attack_flow, observables
+from txt2detection.models import (
+    AIDetection,
+    BaseDetection,
+    DataContainer,
+    DetectionContainer,
+    UUID_NAMESPACE,
+    SigmaRuleDetection,
+)
 
 from datetime import UTC, datetime as dt
 import uuid
@@ -28,56 +35,57 @@ from txt2detection.utils import STATUSES, remove_rule_specific_tags
 
 logger = logging.getLogger("txt2detection.bundler")
 
+
 class Bundler:
     identity = None
     object_marking_refs = []
     uuid = None
     id_map = dict()
-    detections: DetectionContainer
+    data: DataContainer
     # https://raw.githubusercontent.com/muchdogesec/stix4doge/refs/heads/main/objects/identity/txt2detection.json
-    default_identity = Identity(**{
-        "type": "identity",
-        "spec_version": "2.1",
-        "id": "identity--a4d70b75-6f4a-5d19-9137-da863edd33d7",
-        "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
-        "created": "2020-01-01T00:00:00.000Z",
-        "modified": "2020-01-01T00:00:00.000Z",
-        "name": "txt2detection",
-        "description": "https://github.com/muchdogesec/txt2detection",
-        "identity_class": "system",
-        "sectors": [
-            "technology"
-        ],
-        "contact_information": "https://www.dogesec.com/contact/",
-        "object_marking_refs": [
-            "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
-            "marking-definition--97ba4e8b-04f6-57e8-8f6e-3a0f0a7dc0fb"
-        ]
-    })
+    default_identity = Identity(
+        **{
+            "type": "identity",
+            "spec_version": "2.1",
+            "id": "identity--a4d70b75-6f4a-5d19-9137-da863edd33d7",
+            "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
+            "created": "2020-01-01T00:00:00.000Z",
+            "modified": "2020-01-01T00:00:00.000Z",
+            "name": "txt2detection",
+            "description": "https://github.com/muchdogesec/txt2detection",
+            "identity_class": "system",
+            "sectors": ["technology"],
+            "contact_information": "https://www.dogesec.com/contact/",
+            "object_marking_refs": [
+                "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
+                "marking-definition--97ba4e8b-04f6-57e8-8f6e-3a0f0a7dc0fb",
+            ],
+        }
+    )
     # https://raw.githubusercontent.com/muchdogesec/stix4doge/refs/heads/main/objects/marking-definition/txt2detection.json
-    default_marking = MarkingDefinition(**{
-        "type": "marking-definition",
-        "spec_version": "2.1",
-        "id": "marking-definition--a4d70b75-6f4a-5d19-9137-da863edd33d7",
-        "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
-        "created": "2020-01-01T00:00:00.000Z",
-        "definition_type": "statement",
-        "definition": {
-            "statement": "This object was created using: https://github.com/muchdogesec/txt2detection"
-        },
-        "object_marking_refs": [
-            "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
-            "marking-definition--97ba4e8b-04f6-57e8-8f6e-3a0f0a7dc0fb"
-        ]
-    })
+    default_marking = MarkingDefinition(
+        **{
+            "type": "marking-definition",
+            "spec_version": "2.1",
+            "id": "marking-definition--a4d70b75-6f4a-5d19-9137-da863edd33d7",
+            "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
+            "created": "2020-01-01T00:00:00.000Z",
+            "definition_type": "statement",
+            "definition": {
+                "statement": "This object was created using: https://github.com/muchdogesec/txt2detection"
+            },
+            "object_marking_refs": [
+                "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
+                "marking-definition--97ba4e8b-04f6-57e8-8f6e-3a0f0a7dc0fb",
+            ],
+        }
+    )
 
     @classmethod
     def generate_report_id(cls, created_by_ref, created, name):
         if not created_by_ref:
-            created_by_ref = cls.default_identity['id']
-        return str(
-            uuid.uuid5(UUID_NAMESPACE, f"{created_by_ref}+{created}+{name}")
-        )
+            created_by_ref = cls.default_identity["id"]
+        return str(uuid.uuid5(UUID_NAMESPACE, f"{created_by_ref}+{created}+{name}"))
 
     def __init__(
         self,
@@ -89,7 +97,7 @@ class Bundler:
         created=None,
         modified=None,
         report_id=None,
-        external_refs: list=None,
+        external_refs: list = None,
         reference_urls=None,
         license=None,
         **kwargs,
@@ -97,14 +105,24 @@ class Bundler:
         self.created = created or dt.now(UTC)
         self.modified = modified or self.created
         self.identity = identity or self.default_identity
-        self.tlp_level = TLP_LEVEL.get(tlp_level or 'clear')
-        self.uuid = report_id or self.generate_report_id(self.identity.id, self.created, name)
+        self.tlp_level = TLP_LEVEL.get(tlp_level or "clear")
+        self.uuid = report_id or self.generate_report_id(
+            self.identity.id, self.created, name
+        )
         self.reference_urls = reference_urls or []
         self.labels = labels or []
         self.license = license
 
         self.job_id = f"report--{self.uuid}"
-        self.external_refs = (external_refs or []) + [dict(source_name='txt2detection', url=url, description='txt2detection-reference') for url in self.reference_urls]
+        self.external_refs = (external_refs or []) + [
+            dict(
+                source_name="txt2detection",
+                url=url,
+                description="txt2detection-reference",
+            )
+            for url in self.reference_urls
+        ]
+        self.data = DataContainer.model_construct()
 
         self.report = Report(
             created_by_ref=self.identity.id,
@@ -124,7 +142,8 @@ class Bundler:
                     source_name="description_md5_hash",
                     external_id=hashlib.md5((description or "").encode()).hexdigest(),
                 )
-            ] + self.external_refs,
+            ]
+            + self.external_refs,
         )
         self.report.object_refs.clear()  # clear object refs
         self.set_defaults()
@@ -150,13 +169,15 @@ class Bundler:
         self.all_objects.add(sdo_id)
 
     def add_rule_indicator(self, detection: SigmaRuleDetection):
-        indicator_types = getattr(detection, 'indicator_types', None)
+        indicator_types = getattr(detection, "indicator_types", None)
         if isinstance(detection, AIDetection):
             detection = detection.to_sigma_rule_detection(self)
-        assert isinstance(detection, SigmaRuleDetection), f"detection of type {type(detection)} not supported"
+        assert isinstance(
+            detection, SigmaRuleDetection
+        ), f"detection of type {type(detection)} not supported"
         indicator = {
             "type": "indicator",
-            "id": "indicator--"+str(detection.detection_id),
+            "id": "indicator--" + str(detection.detection_id),
             "spec_version": "2.1",
             "created_by_ref": self.report.created_by_ref,
             "created": self.report.created,
@@ -165,66 +186,87 @@ class Bundler:
             "name": detection.title,
             "description": detection.description,
             "labels": remove_rule_specific_tags(self.labels),
-            "pattern_type": 'sigma',
+            "pattern_type": "sigma",
             "pattern": detection.make_rule(self),
             "valid_from": self.report.created,
             "object_marking_refs": self.report.object_marking_refs,
             "external_references": self.external_refs + detection.external_references,
         }
-        indicator['external_references'].append(
+        indicator["external_references"].append(
             {
-            "source_name": "rule_md5_hash",
-            "external_id": hashlib.md5(indicator['pattern'].encode()).hexdigest()
+                "source_name": "rule_md5_hash",
+                "external_id": hashlib.md5(indicator["pattern"].encode()).hexdigest(),
             }
         )
         logsource = detection.make_data_source()
 
         logger.debug(f"===== rule {detection.detection_id} =====")
-        logger.debug("```yaml\n"+indicator['pattern']+"\n```")
+        logger.debug("```yaml\n" + indicator["pattern"] + "\n```")
         logger.debug(f" =================== end of rule =================== ")
 
+        self.data.attacks = dict.fromkeys(detection.mitre_attack_ids, "Not found")
         for obj in self.get_attack_objects(detection.mitre_attack_ids):
             self.add_ref(obj)
             self.add_relation(indicator, obj)
+            self.data.attacks[obj["external_references"][0]["external_id"]] = obj["id"]
 
+        self.data.cves = dict.fromkeys(detection.cve_ids, "Not found")
         for obj in self.get_cve_objects(detection.cve_ids):
             self.add_ref(obj)
             self.add_relation(indicator, obj)
+            self.data.cves[obj["name"]] = obj["id"]
 
         self.add_ref(parse_stix(indicator, allow_custom=True), append_report=True)
-        print('everywhere')
         self.add_ref(logsource, append_report=True)
-        print('here')
-        self.add_relation(indicator, logsource, description=f'{indicator["name"]} is created from {make_logsouce_string(logsource)}')
-        print('there')
+        self.add_relation(
+            indicator,
+            logsource,
+            description=f'{indicator["name"]} is created from {make_logsouce_string(logsource)}',
+        )
 
-        for ob_type, ob_value in set(observables.find_stix_observables(detection.detection)):
+        self.data.observables = []
+        for ob_type, ob_value in set(
+            observables.find_stix_observables(detection.detection)
+        ):
+            self.data.observables.append(dict(type=ob_type, value=ob_value))
             try:
                 obj = observables.to_stix_object(ob_type, ob_value)
                 self.add_ref(obj)
-                self.add_relation(indicator, obj, 'related-to', target_name=ob_value)
-            except:
+                self.add_relation(indicator, obj, "related-to", target_name=ob_value)
+            except Exception as e:
+                self.data.observables[-1]["error"] = str(e)
                 logger.exception(f"failed to process observable {ob_type}/{ob_value}")
 
-    def add_relation(self, indicator, target_object, relationship_type='related-to', target_name=None, description=None):
+    def add_relation(
+        self,
+        indicator,
+        target_object,
+        relationship_type="related-to",
+        target_name=None,
+        description=None,
+    ):
         ext_refs = []
 
         with contextlib.suppress(Exception):
-            indicator['external_references'].append(target_object['external_references'][0])
-            ext_refs = [target_object['external_references'][0]]
+            indicator["external_references"].append(
+                target_object["external_references"][0]
+            )
+            ext_refs = [target_object["external_references"][0]]
 
         if not description:
-            target_name = target_name or f"{target_object['external_references'][0]['external_id']} ({target_object['name']})"
+            target_name = (
+                target_name
+                or f"{target_object['external_references'][0]['external_id']} ({target_object['name']})"
+            )
             description = f"{indicator['name']} {relationship_type} {target_name}"
 
-        rel =  Relationship(
-            id="relationship--" + str(
-                uuid.uuid5(
-                    UUID_NAMESPACE, f"{indicator['id']}+{target_object['id']}"
-                )
+        rel = Relationship(
+            id="relationship--"
+            + str(
+                uuid.uuid5(UUID_NAMESPACE, f"{indicator['id']}+{target_object['id']}")
             ),
-            source_ref=indicator['id'],
-            target_ref=target_object['id'],
+            source_ref=indicator["id"],
+            target_ref=target_object["id"],
             relationship_type=relationship_type,
             created_by_ref=self.report.created_by_ref,
             description=description,
@@ -247,50 +289,82 @@ class Bundler:
         if not attack_ids:
             return []
         logger.debug(f"retrieving attack objects: {attack_ids}")
-        endpoint = urljoin(os.environ['CTIBUTLER_BASE_URL'] + '/', f"v1/attack-enterprise/objects/?attack_id="+','.join(attack_ids))
+        endpoint = urljoin(
+            os.environ["CTIBUTLER_BASE_URL"] + "/",
+            f"v1/attack-enterprise/objects/?attack_id=" + ",".join(attack_ids),
+        )
 
         headers = {}
-        if api_key := os.environ.get('CTIBUTLER_API_KEY'):
-            headers['API-KEY'] = api_key
+        if api_key := os.environ.get("CTIBUTLER_API_KEY"):
+            headers["API-KEY"] = api_key
 
         return self._get_objects(endpoint, headers)
 
-    def get_cve_objects(self, cve_ids):
+    @classmethod
+    def get_attack_tactics(cls):
+        headers = {}
+        api_root = os.environ["CTIBUTLER_BASE_URL"] + "/"
+        if api_key := os.environ.get("CTIBUTLER_API_KEY"):
+            headers["API-KEY"] = api_key
+
+        endpoint = urljoin(
+            api_root, f"v1/attack-enterprise/objects/?attack_type=Tactic"
+        )
+        version_url = urljoin(api_root, f"v1/attack-enterprise/versions/installed/")
+        tactics = cls._get_objects(endpoint, headers=headers)
+        retval = dict(
+            version=requests.get(version_url, headers=headers).json()["latest"]
+        )
+        for tac in tactics:
+            retval[tac["x_mitre_shortname"]] = tac
+            retval[tac["external_references"][0]["external_id"]] = tac
+        return retval
+
+    @classmethod
+    def get_cve_objects(cls, cve_ids):
         if not cve_ids:
             return []
         logger.debug(f"retrieving cve objects: {cve_ids}")
-        endpoint = urljoin(os.environ['VULMATCH_BASE_URL'] + '/', f"v1/cve/objects/?cve_id="+','.join(cve_ids))
+        endpoint = urljoin(
+            os.environ["VULMATCH_BASE_URL"] + "/",
+            f"v1/cve/objects/?cve_id=" + ",".join(cve_ids),
+        )
         headers = {}
-        if api_key := os.environ.get('VULMATCH_API_KEY'):
-            headers['API-KEY'] = api_key
+        if api_key := os.environ.get("VULMATCH_API_KEY"):
+            headers["API-KEY"] = api_key
 
-        return self._get_objects(endpoint, headers)
+        return cls._get_objects(endpoint, headers)
 
-    def _get_objects(self, endpoint, headers):
+    @classmethod
+    def _get_objects(cls, endpoint, headers):
         data = []
         page = 1
         while True:
-            resp = requests.get(endpoint, params=dict(page=page, page_size=1000), headers=headers)
+            resp = requests.get(
+                endpoint, params=dict(page=page, page_size=1000), headers=headers
+            )
             if resp.status_code != 200:
                 break
             d = resp.json()
-            if len(d['objects']) == 0:
+            if len(d["objects"]) == 0:
                 break
-            data.extend(d['objects'])
-            page+=1
-            if d['page_results_count'] < d['page_size']:
+            data.extend(d["objects"])
+            page += 1
+            if d["page_results_count"] < d["page_size"]:
                 break
         return data
 
     def bundle_detections(self, container: DetectionContainer):
-        self.detections = container
+        self.data = DataContainer(detections=container)
         if not container.success:
             return
         for d in container.detections:
             self.add_rule_indicator(d)
 
+
 def make_logsouce_string(source: dict):
-    d = [f'{k}={v}' for k, v in source.items()
-        if k in ['product', 'service', 'category']]
-    d_str = ', '.join(d)
-    return 'log-source {'+d_str+'}'
+    d = [
+        f"{k}={v}" for k, v in source.items() if k in ["product", "service", "category"]
+    ]
+    d_str = ", ".join(d)
+    return "log-source {" + d_str + "}"

txt2detection/credential_checker.py

@@ -5,7 +5,6 @@ from urllib.parse import urljoin
 import requests
 
 
-
 def check_llms():
     from txt2detection.__main__ import parse_model
 
@@ -23,14 +22,17 @@ def check_llms():
 
 def check_ctibutler_vulmatch(service):
     session = requests.Session()
-    if service == 'vulmatch':
-        base_url = os.getenv('VULMATCH_BASE_URL')
-        url = urljoin(base_url, 'v1/cve/objects/vulnerability--f552f6f4-39da-48dc-8717-323772c99588/')
-        session.headers['API-KEY'] = os.environ.get('VULMATCH_API_KEY')
-    elif service == 'ctibutler':
-        base_url = os.getenv('CTIBUTLER_BASE_URL')
-        url = urljoin(base_url, 'v1/location/versions/available/')
-        session.headers['API-KEY'] = os.environ.get('CTIBUTLER_API_KEY')
+    if service == "vulmatch":
+        base_url = os.getenv("VULMATCH_BASE_URL")
+        url = urljoin(
+            base_url,
+            "v1/cve/objects/vulnerability--f552f6f4-39da-48dc-8717-323772c99588/",
+        )
+        session.headers["API-KEY"] = os.environ.get("VULMATCH_API_KEY")
+    elif service == "ctibutler":
+        base_url = os.getenv("CTIBUTLER_BASE_URL")
+        url = urljoin(base_url, "v1/location/versions/available/")
+        session.headers["API-KEY"] = os.environ.get("CTIBUTLER_API_KEY")
 
     try:
         resp = session.get(url)

txt2detection/models.py

@@ -19,6 +19,8 @@ from stix2 import (
     MarkingDefinition,
 )
 
+from txt2detection.ai_extractor.models import AttackFlowList
+
 if typing.TYPE_CHECKING:
     from txt2detection.bundler import Bundler
 
@@ -398,6 +400,15 @@ class DetectionContainer(BaseModel):
     detections: list[Union[BaseDetection, AIDetection, SigmaRuleDetection]]
 
 
+class DataContainer(BaseModel):
+    detections: DetectionContainer
+    attack_flow: AttackFlowList = Field(default=None)
+    navigator_layer: list = Field(default=None)
+    observables: list[dict] = Field(default=None)
+    cves: dict[str, str] = Field(default=None)
+    attacks: dict[str, str] = Field(default=None)
+
+
 def tlp_from_tags(tags: list[SigmaTag]):
     for tag in tags:
         ns, _, level = tag.partition(".")

txt2detection/observables.py

@@ -183,4 +183,3 @@ def to_stix_object(observable_type: str, value):
 
 # for a, b in observables:
 #     print(to_stix_object(a, b))
-

txt2detection/utils.py

@@ -17,11 +17,14 @@ from .models import UUID_NAMESPACE
 class DetectionLanguage(SimpleNamespace):
     pass
 
+
 def parse_model(value: str):
-    splits = value.split(':', 1)
+    splits = value.split(":", 1)
     provider = splits[0]
     if provider not in ALL_AI_EXTRACTORS:
-        raise NotImplementedError(f"invalid AI provider in `{value}`, must be one of {list(ALL_AI_EXTRACTORS)}")
+        raise NotImplementedError(
+            f"invalid AI provider in `{value}`, must be one of {list(ALL_AI_EXTRACTORS)}"
+        )
     provider = ALL_AI_EXTRACTORS[provider]
     try:
         if len(splits) == 2:
@@ -30,8 +33,10 @@ def parse_model(value: str):
     except Exception as e:
         raise ModelError(f"Unable to initialize model `{value}`") from e
 
+
 def make_identity(name, namespace=None, created_by_ref=None, object_marking_refs=None):
     from .bundler import Bundler
+
     if isinstance(namespace, str):
         namespace = uuid.UUID(namespace)
     namespace = namespace or UUID_NAMESPACE
@@ -41,25 +46,31 @@ def make_identity(name, namespace=None, created_by_ref=None, object_marking_refs
         created_by_ref=created_by_ref or Bundler.default_identity.id,
         created=datetime(2020, 1, 1),
         modified=datetime(2020, 1, 1),
-        object_marking_refs=object_marking_refs or [
+        object_marking_refs=object_marking_refs
+        or [
             "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
-            "marking-definition--a4d70b75-6f4a-5d19-9137-da863edd33d7"
+            "marking-definition--a4d70b75-6f4a-5d19-9137-da863edd33d7",
         ],
     )
 
 
 def validate_token_count(max_tokens, input, extractor: BaseAIExtractor):
-    logging.info('INPUT_TOKEN_LIMIT = %d', max_tokens)
+    logging.info("INPUT_TOKEN_LIMIT = %d", max_tokens)
     token_count = extractor.count_tokens(input)
-    logging.info('TOKEN COUNT FOR %s: %d', extractor.extractor_name, token_count)
-    if  token_count > max_tokens:
-        raise Exception(f"{extractor.extractor_name}: input_file token count ({token_count}) exceeds INPUT_TOKEN_LIMIT ({max_tokens})")
+    logging.info("TOKEN COUNT FOR %s: %d", extractor.extractor_name, token_count)
+    if token_count > max_tokens:
+        raise Exception(
+            f"{extractor.extractor_name}: input_file token count ({token_count}) exceeds INPUT_TOKEN_LIMIT ({max_tokens})"
+        )
 
 
 @lru_cache(maxsize=5)
 def get_licenses(date):
-    resp = requests.get("https://github.com/spdx/license-list-data/raw/refs/heads/main/json/licenses.json")
-    return {l['licenseId']: l['name'] for l in resp.json()['licenses']}
+    resp = requests.get(
+        "https://github.com/spdx/license-list-data/raw/refs/heads/main/json/licenses.json"
+    )
+    return {l["licenseId"]: l["name"] for l in resp.json()["licenses"]}
+
 
 def valid_licenses():
     return get_licenses(datetime.now().date().isoformat())
@@ -75,9 +86,10 @@ def remove_rule_specific_tags(tags):
     return labels
 
 
-def as_date(d: 'date|datetime'):
+def as_date(d: "date|datetime"):
     if isinstance(d, datetime):
         return d.date()
     return d
 
-STATUSES = ['stable', 'test', 'experimental', 'deprecated', 'unsupported']
+
+STATUSES = ["stable", "test", "experimental", "deprecated", "unsupported"]

{txt2detection-1.0.8.dist-info → txt2detection-1.0.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2detection
-Version: 1.0.8
+Version: 1.0.9
 Summary: A command line tool that takes a txt file containing threat intelligence and turns it into a detection rule.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2detection
 Project-URL: Issues, https://github.com/muchdogesec/txt2detection/issues
@@ -72,12 +72,6 @@ txt2detection allows a user to enter some threat intelligence as a file to consi
 2. Based on the user input, AI prompts structured and sent to produce an intelligence rule
 3. Rules converted into STIX objects
 
-## tl;dr
-
-[![txt2detection](https://img.youtube.com/vi/uJWXYKyu3Xg/0.jpg)](https://www.youtube.com/watch?v=uJWXYKyu3Xg)
-
-[Watch the demo](https://www.youtube.com/watch?v=uJWXYKyu3Xg).
-
 ## Usage
 
 ### Setup
@@ -162,12 +156,14 @@ Use this mode to generate a set of rules from an input text file;
 * `--license` (optional): [License of the rule according the SPDX ID specification](https://spdx.org/licenses/). Will be added to the rule.
 * `--reference_urls` (optional): A list of URLs to be added as `references` in the Sigma Rule property and in the `external_references` property of the Indicator and Report STIX object created. e.g `"https://www.google.com/" "https://www.facebook.com/"`
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
-* `ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
+* `--ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
     * Provider (env var required `OPENROUTER_API_KEY`): `openrouter:`, providers/models `openai/gpt-4o`, `deepseek/deepseek-chat` ([More here](https://openrouter.ai/models))
     * Provider (env var required `OPENAI_API_KEY`): `openai:`, models e.g.: `gpt-4o`, `gpt-4o-mini`, `gpt-4-turbo`, `gpt-4` ([More here](https://platform.openai.com/docs/models))
     * Provider (env var required `ANTHROPIC_API_KEY`): `anthropic:`, models e.g.: `claude-3-5-sonnet-latest`, `claude-3-5-haiku-latest`, `claude-3-opus-latest` ([More here](https://docs.anthropic.com/en/docs/about-claude/models))
     * Provider (env var required `GOOGLE_API_KEY`): `gemini:models/`, models: `gemini-1.5-pro-latest`, `gemini-1.5-flash-latest` ([More here](https://ai.google.dev/gemini-api/docs/models/gemini))
     * Provider (env var required `DEEPSEEK_API_KEY`): `deepseek:`, models `deepseek-chat` ([More here](https://api-docs.deepseek.com/quick_start/pricing))
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 
 Note, in this mode, the following values will be automatically assigned to the rule
 
@@ -194,6 +190,8 @@ Note, in this mode you should be aware of a few things;
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
 * `status` (optional): either `stable`, `test`, `experimental`, `deprecated`, `unsupported`. If passed, will overwrite any existing `status` recorded in the rule
 * `level` (optional): either `informational`, `low`, `medium`, `high`, `critical`. If passed, will overwrite any existing `level` recorded in the rule
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 
 ### A note on observable extraction
 

txt2detection-1.0.9.dist-info/RECORD

@@ -0,0 +1,24 @@
+txt2detection/__init__.py,sha256=Fc460P0q_eb2u3Xc89z-fwl-4ai3jrPqPNVwJQYNkNQ,89
+txt2detection/__main__.py,sha256=s5XcIctE59ALjys6Y8lRIqS_pQWi1mlNo2gyG8_XS5s,11622
+txt2detection/attack_flow.py,sha256=1Ns98ZEoiN8kH-iSo7d6zYtplm11QkhPQAvSZsW4WXQ,8853
+txt2detection/bundler.py,sha256=eHyr6jlnd4ZvynHkyy5Hposkp_XqEAxEwGzlViSq1xU,13319
+txt2detection/credential_checker.py,sha256=NuKk7WlDshtdpGecxY1exoi4fUHCygunPH2lZ20oEA8,2598
+txt2detection/models.py,sha256=_-sR03FEWI46OUZdL7U0tibNn909B0NU9LWNzopBtiY,12888
+txt2detection/observables.py,sha256=RxgJchvk6_Z2pBxJ6MAGsx00gj8TyRt9W2BTQTb1F9o,6762
+txt2detection/utils.py,sha256=EJ5lMhnghUgW0JbcRmeiDXYwm5GaB6XrG4cUjru-52g,2812
+txt2detection/ai_extractor/__init__.py,sha256=itcwTF0-S80mx-SuSvfrKazvcwsojR-QsBN-UvnSDwE,418
+txt2detection/ai_extractor/anthropic.py,sha256=YOi2rHUeeoRMS4CFG6mX7xUU4q4rw9qNl72R74UN6ZM,420
+txt2detection/ai_extractor/base.py,sha256=2C3d4BoH7I4fnvp6cLxbtjiFVPm4WJLFwnS_lAppHr8,3210
+txt2detection/ai_extractor/deepseek.py,sha256=2XehIYbWXG6Odq68nQX4CNtl5GdmBlAmjLP_lG2eEFo,660
+txt2detection/ai_extractor/gemini.py,sha256=hlcKkiHGzQJ0dQECfIhjx2LfdhZoquAF9POwz61RAhw,557
+txt2detection/ai_extractor/models.py,sha256=xMTvUHoxIflbBA4mkGLTjwf657DVEOxd6gqLpEUciQ4,963
+txt2detection/ai_extractor/openai.py,sha256=ggonpHtckNz9GEJIR0ADMzZWDKi6EWuicP0fsxvkP3A,616
+txt2detection/ai_extractor/openrouter.py,sha256=rL-SnzRhzrCnPJGLxbTlRyxU0NAw42RmSq3ouuo3Iag,658
+txt2detection/ai_extractor/prompts.py,sha256=xI82PelsTidnRzi5wnNbEC4lmkio92YUDd8SZu4CQiE,10961
+txt2detection/ai_extractor/utils.py,sha256=SUxyPhkGp5yDbX_H_E018i93R8IbyLsQ00PIBDecfuc,540
+txt2detection/config/detection_languages.yaml,sha256=dgQUJPxhDRJ_IiFEFOiH0yhEer3SkFSIhY4pS3BsX2c,287
+txt2detection-1.0.9.dist-info/METADATA,sha256=UHkUnaL9wEt78RNw0EmQenodg2qxZ3gsTDkmVC2W7IE,15869
+txt2detection-1.0.9.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+txt2detection-1.0.9.dist-info/entry_points.txt,sha256=ep_rLlS2r1-kKE7S3iKf3SVwbCU9-FZhU9zUebitw7A,62
+txt2detection-1.0.9.dist-info/licenses/LICENSE,sha256=BK8Ppqlc4pdgnNzIxnxde0taoQ1BgicdyqmBvMiNYgY,11364
+txt2detection-1.0.9.dist-info/RECORD,,

txt2detection-1.0.8.dist-info/RECORD

@@ -1,22 +0,0 @@
-txt2detection/__init__.py,sha256=Fc460P0q_eb2u3Xc89z-fwl-4ai3jrPqPNVwJQYNkNQ,89
-txt2detection/__main__.py,sha256=R9TgWWGzA8rxF39rZr2MNOrQubhItdRAgP2nd8Tfb78,9337
-txt2detection/bundler.py,sha256=VaU7pv4NYR2gQD2anzMw2CnOWHphWVJaeD8nrkHBFPg,11416
-txt2detection/credential_checker.py,sha256=YoOe1ABjNfAJIcNE6PRAZtvznTybUKHNBB57DPQhZsU,2564
-txt2detection/models.py,sha256=uOWRShMnVUOEPtKusAdthk3bFnh5T6HJkuBEEkedDHo,12508
-txt2detection/observables.py,sha256=NNnwF_gOsPmAbfgk5fj1rcluMsShZOHssAGy2VJgvmo,6763
-txt2detection/utils.py,sha256=rLBFzpSepksXkONnqWkRqiMr8R4LTp4j8OrashFVUPc,2741
-txt2detection/ai_extractor/__init__.py,sha256=itcwTF0-S80mx-SuSvfrKazvcwsojR-QsBN-UvnSDwE,418
-txt2detection/ai_extractor/anthropic.py,sha256=YOi2rHUeeoRMS4CFG6mX7xUU4q4rw9qNl72R74UN6ZM,420
-txt2detection/ai_extractor/base.py,sha256=urZe_kpYu3BwXyKJsQ0GQIEtTasUQYp4dFzuz34Hai8,2336
-txt2detection/ai_extractor/deepseek.py,sha256=2XehIYbWXG6Odq68nQX4CNtl5GdmBlAmjLP_lG2eEFo,660
-txt2detection/ai_extractor/gemini.py,sha256=hlcKkiHGzQJ0dQECfIhjx2LfdhZoquAF9POwz61RAhw,557
-txt2detection/ai_extractor/openai.py,sha256=e5Of3i-T2CvUSx1T_v7wHOuewHK2IoImxZXfXeZc3Ds,625
-txt2detection/ai_extractor/openrouter.py,sha256=-KcdcyKPpaeiGfvqJB4L7vMmcXTDhml3Mr0T6kwANZA,645
-txt2detection/ai_extractor/prompts.py,sha256=ACYFWUafdHXHBXz7fq_RSooA4PJ-mBdaBzqsOOSFpVg,5918
-txt2detection/ai_extractor/utils.py,sha256=SUxyPhkGp5yDbX_H_E018i93R8IbyLsQ00PIBDecfuc,540
-txt2detection/config/detection_languages.yaml,sha256=dgQUJPxhDRJ_IiFEFOiH0yhEer3SkFSIhY4pS3BsX2c,287
-txt2detection-1.0.8.dist-info/METADATA,sha256=NVfK0XlFBnmwCZXSl5aGFNSuRW6plQSLr4hTK_gqqYA,14520
-txt2detection-1.0.8.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-txt2detection-1.0.8.dist-info/entry_points.txt,sha256=ep_rLlS2r1-kKE7S3iKf3SVwbCU9-FZhU9zUebitw7A,62
-txt2detection-1.0.8.dist-info/licenses/LICENSE,sha256=BK8Ppqlc4pdgnNzIxnxde0taoQ1BgicdyqmBvMiNYgY,11364
-txt2detection-1.0.8.dist-info/RECORD,,