PyPI - txt2detection - Versions diffs - 1.0.8__tar.gz → 1.0.10__tar.gz - Mend

txt2detection 1.0.8tar.gz → 1.0.10tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of txt2detection might be problematic. Click here for more details.

Files changed (63) hide show

{txt2detection-1.0.8 → txt2detection-1.0.10}/.github/workflows/run-tests.yml RENAMED Viewed

@@ -33,6 +33,10 @@ jobs:
         run: |
             echo > .env
             echo "INPUT_TOKEN_LIMIT=1000"  >> .env
+            echo "CTIBUTLER_BASE_URL=https://api.ctibutler.com/" >> .env
+            echo "CTIBUTLER_API_KEY=${{ secrets.CTIBUTLER_API_KEY }}" >> .env
+            echo "VULMATCH_BASE_URL=https://api.vulmatch.com/" >> .env
+            echo "VULMATCH_API_KEY=${{ secrets.VULMATCH_API_KEY }}" >> .env
       - name: Run Tests
         id: run_tests

{txt2detection-1.0.8 → txt2detection-1.0.10}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2detection
-Version: 1.0.8
+Version: 1.0.10
 Summary: A command line tool that takes a txt file containing threat intelligence and turns it into a detection rule.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2detection
 Project-URL: Issues, https://github.com/muchdogesec/txt2detection/issues
@@ -72,12 +72,6 @@ txt2detection allows a user to enter some threat intelligence as a file to consi
 2. Based on the user input, AI prompts structured and sent to produce an intelligence rule
 3. Rules converted into STIX objects
-## tl;dr
-[![txt2detection](https://img.youtube.com/vi/uJWXYKyu3Xg/0.jpg)](https://www.youtube.com/watch?v=uJWXYKyu3Xg)
-[Watch the demo](https://www.youtube.com/watch?v=uJWXYKyu3Xg).
 ## Usage
 ### Setup
@@ -162,12 +156,14 @@ Use this mode to generate a set of rules from an input text file;
 * `--license` (optional): [License of the rule according the SPDX ID specification](https://spdx.org/licenses/). Will be added to the rule.
 * `--reference_urls` (optional): A list of URLs to be added as `references` in the Sigma Rule property and in the `external_references` property of the Indicator and Report STIX object created. e.g `"https://www.google.com/" "https://www.facebook.com/"`
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
-* `ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
+* `--ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
     * Provider (env var required `OPENROUTER_API_KEY`): `openrouter:`, providers/models `openai/gpt-4o`, `deepseek/deepseek-chat` ([More here](https://openrouter.ai/models))
     * Provider (env var required `OPENAI_API_KEY`): `openai:`, models e.g.: `gpt-4o`, `gpt-4o-mini`, `gpt-4-turbo`, `gpt-4` ([More here](https://platform.openai.com/docs/models))
     * Provider (env var required `ANTHROPIC_API_KEY`): `anthropic:`, models e.g.: `claude-3-5-sonnet-latest`, `claude-3-5-haiku-latest`, `claude-3-opus-latest` ([More here](https://docs.anthropic.com/en/docs/about-claude/models))
     * Provider (env var required `GOOGLE_API_KEY`): `gemini:models/`, models: `gemini-1.5-pro-latest`, `gemini-1.5-flash-latest` ([More here](https://ai.google.dev/gemini-api/docs/models/gemini))
     * Provider (env var required `DEEPSEEK_API_KEY`): `deepseek:`, models `deepseek-chat` ([More here](https://api-docs.deepseek.com/quick_start/pricing))
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 Note, in this mode, the following values will be automatically assigned to the rule
@@ -194,6 +190,8 @@ Note, in this mode you should be aware of a few things;
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
 * `status` (optional): either `stable`, `test`, `experimental`, `deprecated`, `unsupported`. If passed, will overwrite any existing `status` recorded in the rule
 * `level` (optional): either `informational`, `low`, `medium`, `high`, `critical`. If passed, will overwrite any existing `level` recorded in the rule
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 ### A note on observable extraction

{txt2detection-1.0.8 → txt2detection-1.0.10}/README.md RENAMED Viewed

@@ -31,12 +31,6 @@ txt2detection allows a user to enter some threat intelligence as a file to consi
 2. Based on the user input, AI prompts structured and sent to produce an intelligence rule
 3. Rules converted into STIX objects
-## tl;dr
-[![txt2detection](https://img.youtube.com/vi/uJWXYKyu3Xg/0.jpg)](https://www.youtube.com/watch?v=uJWXYKyu3Xg)
-[Watch the demo](https://www.youtube.com/watch?v=uJWXYKyu3Xg).
 ## Usage
 ### Setup
@@ -121,12 +115,14 @@ Use this mode to generate a set of rules from an input text file;
 * `--license` (optional): [License of the rule according the SPDX ID specification](https://spdx.org/licenses/). Will be added to the rule.
 * `--reference_urls` (optional): A list of URLs to be added as `references` in the Sigma Rule property and in the `external_references` property of the Indicator and Report STIX object created. e.g `"https://www.google.com/" "https://www.facebook.com/"`
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
-* `ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
+* `--ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
     * Provider (env var required `OPENROUTER_API_KEY`): `openrouter:`, providers/models `openai/gpt-4o`, `deepseek/deepseek-chat` ([More here](https://openrouter.ai/models))
     * Provider (env var required `OPENAI_API_KEY`): `openai:`, models e.g.: `gpt-4o`, `gpt-4o-mini`, `gpt-4-turbo`, `gpt-4` ([More here](https://platform.openai.com/docs/models))
     * Provider (env var required `ANTHROPIC_API_KEY`): `anthropic:`, models e.g.: `claude-3-5-sonnet-latest`, `claude-3-5-haiku-latest`, `claude-3-opus-latest` ([More here](https://docs.anthropic.com/en/docs/about-claude/models))
     * Provider (env var required `GOOGLE_API_KEY`): `gemini:models/`, models: `gemini-1.5-pro-latest`, `gemini-1.5-flash-latest` ([More here](https://ai.google.dev/gemini-api/docs/models/gemini))
     * Provider (env var required `DEEPSEEK_API_KEY`): `deepseek:`, models `deepseek-chat` ([More here](https://api-docs.deepseek.com/quick_start/pricing))
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 Note, in this mode, the following values will be automatically assigned to the rule
@@ -153,6 +149,8 @@ Note, in this mode you should be aware of a few things;
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
 * `status` (optional): either `stable`, `test`, `experimental`, `deprecated`, `unsupported`. If passed, will overwrite any existing `status` recorded in the rule
 * `level` (optional): either `informational`, `low`, `medium`, `high`, `critical`. If passed, will overwrite any existing `level` recorded in the rule
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 ### A note on observable extraction

{txt2detection-1.0.8 → txt2detection-1.0.10}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "txt2detection"
-version = "1.0.8"
+version = "1.0.10"
 authors = [
   { name = "dogesec" }
 ]

txt2detection-1.0.10/tests/files/sigma-rule-attack-enterprise.yml ADDED Viewed

@@ -0,0 +1,27 @@
+title: Attack Navigator Enterprise
+id: a18e76d1-f152-4b87-a552-d46f41afd637
+status: test
+description: Build an Attack Enterprise Navigator layer
+references:
+    - https://www.dogesec.com
+author: dogesec
+date: 2020-01-01
+modified: 2020-01-02
+tags:
+    - tlp.clear
+    - attack.t1547
+    - attack.t1671
+    - attack.t1025
+    - attack.command-and-control
+    - attack.t1661 # will fail is mobile
+logsource:
+    product: okta
+    service: okta
+detection:
+    selection:
+        eventtype:
+            - policy.lifecycle.update
+            - policy.lifecycle.delete
+    condition: selection
+level: low
+license: MIT

txt2detection-1.0.10/tests/files/sigma-rule-attack-flow.yml ADDED Viewed

@@ -0,0 +1,25 @@
+title: Attack Flow demo
+id: 7894eba6-b0e5-48d9-be52-26bf5a556e45
+status: test
+description: Build an Attack Flow from a Sigma Rule
+references:
+    - https://www.dogesec.com
+author: dogesec
+date: 2020-01-01
+modified: 2020-01-02
+tags:
+    - tlp.clear
+    - attack.t1547
+    - attack.t1671
+    - attack.t1025
+logsource:
+    product: okta
+    service: okta
+detection:
+    selection:
+        eventtype:
+            - policy.lifecycle.update
+            - policy.lifecycle.delete
+    condition: selection
+level: low
+license: MIT

{txt2detection-1.0.8 → txt2detection-1.0.10}/tests/files/sigma-rule-custom-tags.yml RENAMED Viewed

@@ -11,7 +11,7 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
+    - attack.command-and-control
     - cve.2024-56520
     - detection.xyz
 logsource:

{txt2detection-1.0.8 → txt2detection-1.0.10}/tests/files/sigma-rule-master.yml RENAMED Viewed

@@ -11,7 +11,7 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
+    - attack.command-and-control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.8 → txt2detection-1.0.10}/tests/files/sigma-rule-no-description.yml RENAMED Viewed

@@ -10,7 +10,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.8 → txt2detection-1.0.10}/tests/files/sigma-rule-no-level.yml RENAMED Viewed

@@ -11,7 +11,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.8 → txt2detection-1.0.10}/tests/files/sigma-rule-no-license.yml RENAMED Viewed

@@ -11,7 +11,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.8 → txt2detection-1.0.10}/tests/files/sigma-rule-no-status.yml RENAMED Viewed

@@ -10,7 +10,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.8 → txt2detection-1.0.10}/tests/files/sigma-rule-observables.yml RENAMED Viewed

@@ -11,7 +11,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.8 → txt2detection-1.0.10}/tests/manual-tests/README.md RENAMED Viewed

@@ -445,4 +445,33 @@ python3 txt2detection.py sigma \
   --name "Overwrite status" \
   --status unsupported \
   --report_id d2d01afa-dc55-4a80-8d62-15d154450112
-```
+```
+## Attack Flow
+```shell
+python3 txt2detection.py sigma \
+  --sigma_file tests/files/sigma-rule-attack-flow.yml \
+  --name "Create ATT&CK Flow" \
+  --report_id 330e2030-1dc2-45e6-be13-9342b102621b \
+  --ai_provider openai:gpt-5 \
+  --ai_create_attack_flow
+```
+## Attack Navigator
+### Enterprise
+```shell
+python3 txt2detection.py sigma \
+  --sigma_file tests/files/sigma-rule-attack-enterprise.yml \
+  --name "Attack Navigator Enterprise" \
+  --report_id a18e76d1-f152-4b87-a552-d46f41afd637 \
+  --ai_provider openai:gpt-5 \
+  --ai_create_attack_navigator_layer
+```
+### Mobile / ICS
+Not currently supported by Sigma.

txt2detection-1.0.10/tests/src/conftest.py ADDED Viewed

@@ -0,0 +1,18 @@
+import pytest
+from txt2detection.bundler import Bundler
+from datetime import datetime
+@pytest.fixture
+def bundler_instance():
+    return Bundler(
+        name="Test Report",
+        identity=None,
+        tlp_level="red",
+        description="This is a test report.",
+        labels=["tlp.red", "test.test-var"],
+        created=datetime(2025, 1, 1),
+        report_id="74e36652-00f5-4dca-bf10-9f02fc996dcc",
+    )

txt2detection 1.0.8__tar.gz → 1.0.10__tar.gz

Potentially problematic release.

txt2detection 1.0.8tar.gz → 1.0.10tar.gz