txt2detection 1.0.8__tar.gz → 1.0.9__tar.gz

{txt2detection-1.0.8 → txt2detection-1.0.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2detection
-Version: 1.0.8
+Version: 1.0.9
 Summary: A command line tool that takes a txt file containing threat intelligence and turns it into a detection rule.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2detection
 Project-URL: Issues, https://github.com/muchdogesec/txt2detection/issues
@@ -72,12 +72,6 @@ txt2detection allows a user to enter some threat intelligence as a file to consi
 2. Based on the user input, AI prompts structured and sent to produce an intelligence rule
 3. Rules converted into STIX objects
 
-## tl;dr
-
-[![txt2detection](https://img.youtube.com/vi/uJWXYKyu3Xg/0.jpg)](https://www.youtube.com/watch?v=uJWXYKyu3Xg)
-
-[Watch the demo](https://www.youtube.com/watch?v=uJWXYKyu3Xg).
-
 ## Usage
 
 ### Setup
@@ -162,12 +156,14 @@ Use this mode to generate a set of rules from an input text file;
 * `--license` (optional): [License of the rule according the SPDX ID specification](https://spdx.org/licenses/). Will be added to the rule.
 * `--reference_urls` (optional): A list of URLs to be added as `references` in the Sigma Rule property and in the `external_references` property of the Indicator and Report STIX object created. e.g `"https://www.google.com/" "https://www.facebook.com/"`
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
-* `ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
+* `--ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
     * Provider (env var required `OPENROUTER_API_KEY`): `openrouter:`, providers/models `openai/gpt-4o`, `deepseek/deepseek-chat` ([More here](https://openrouter.ai/models))
     * Provider (env var required `OPENAI_API_KEY`): `openai:`, models e.g.: `gpt-4o`, `gpt-4o-mini`, `gpt-4-turbo`, `gpt-4` ([More here](https://platform.openai.com/docs/models))
     * Provider (env var required `ANTHROPIC_API_KEY`): `anthropic:`, models e.g.: `claude-3-5-sonnet-latest`, `claude-3-5-haiku-latest`, `claude-3-opus-latest` ([More here](https://docs.anthropic.com/en/docs/about-claude/models))
     * Provider (env var required `GOOGLE_API_KEY`): `gemini:models/`, models: `gemini-1.5-pro-latest`, `gemini-1.5-flash-latest` ([More here](https://ai.google.dev/gemini-api/docs/models/gemini))
     * Provider (env var required `DEEPSEEK_API_KEY`): `deepseek:`, models `deepseek-chat` ([More here](https://api-docs.deepseek.com/quick_start/pricing))
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 
 Note, in this mode, the following values will be automatically assigned to the rule
 
@@ -194,6 +190,8 @@ Note, in this mode you should be aware of a few things;
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
 * `status` (optional): either `stable`, `test`, `experimental`, `deprecated`, `unsupported`. If passed, will overwrite any existing `status` recorded in the rule
 * `level` (optional): either `informational`, `low`, `medium`, `high`, `critical`. If passed, will overwrite any existing `level` recorded in the rule
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 
 ### A note on observable extraction
 

{txt2detection-1.0.8 → txt2detection-1.0.9}/README.md

@@ -31,12 +31,6 @@ txt2detection allows a user to enter some threat intelligence as a file to consi
 2. Based on the user input, AI prompts structured and sent to produce an intelligence rule
 3. Rules converted into STIX objects
 
-## tl;dr
-
-[![txt2detection](https://img.youtube.com/vi/uJWXYKyu3Xg/0.jpg)](https://www.youtube.com/watch?v=uJWXYKyu3Xg)
-
-[Watch the demo](https://www.youtube.com/watch?v=uJWXYKyu3Xg).
-
 ## Usage
 
 ### Setup
@@ -121,12 +115,14 @@ Use this mode to generate a set of rules from an input text file;
 * `--license` (optional): [License of the rule according the SPDX ID specification](https://spdx.org/licenses/). Will be added to the rule.
 * `--reference_urls` (optional): A list of URLs to be added as `references` in the Sigma Rule property and in the `external_references` property of the Indicator and Report STIX object created. e.g `"https://www.google.com/" "https://www.facebook.com/"`
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
-* `ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
+* `--ai_provider` (required): defines the `provider:model` to be used to generate the rule. Select one option. Currently supports:
     * Provider (env var required `OPENROUTER_API_KEY`): `openrouter:`, providers/models `openai/gpt-4o`, `deepseek/deepseek-chat` ([More here](https://openrouter.ai/models))
     * Provider (env var required `OPENAI_API_KEY`): `openai:`, models e.g.: `gpt-4o`, `gpt-4o-mini`, `gpt-4-turbo`, `gpt-4` ([More here](https://platform.openai.com/docs/models))
     * Provider (env var required `ANTHROPIC_API_KEY`): `anthropic:`, models e.g.: `claude-3-5-sonnet-latest`, `claude-3-5-haiku-latest`, `claude-3-opus-latest` ([More here](https://docs.anthropic.com/en/docs/about-claude/models))
     * Provider (env var required `GOOGLE_API_KEY`): `gemini:models/`, models: `gemini-1.5-pro-latest`, `gemini-1.5-flash-latest` ([More here](https://ai.google.dev/gemini-api/docs/models/gemini))
     * Provider (env var required `DEEPSEEK_API_KEY`): `deepseek:`, models `deepseek-chat` ([More here](https://api-docs.deepseek.com/quick_start/pricing))
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 
 Note, in this mode, the following values will be automatically assigned to the rule
 
@@ -153,6 +149,8 @@ Note, in this mode you should be aware of a few things;
 * `--external_refs` (optional): txt2detection will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
 * `status` (optional): either `stable`, `test`, `experimental`, `deprecated`, `unsupported`. If passed, will overwrite any existing `status` recorded in the rule
 * `level` (optional): either `informational`, `low`, `medium`, `high`, `critical`. If passed, will overwrite any existing `level` recorded in the rule
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_provider`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK tags to define the logical order in which they are being described. Note, Sigma currently supports ATT&CK Enterprise only.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate a [MITRE ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK tags. Note, Sigma currently supports ATT&CK Enterprise only. You don't need to pass this if `--ai_create_attack_flow` is set to `true` (as this mode relies on this setting being true)
 
 ### A note on observable extraction
 

{txt2detection-1.0.8 → txt2detection-1.0.9}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "txt2detection"
-version = "1.0.8"
+version = "1.0.9"
 authors = [
   { name = "dogesec" }
 ]

txt2detection-1.0.9/tests/files/sigma-rule-attack-enterprise.yml

@@ -0,0 +1,27 @@
+title: Attack Navigator Enterprise
+id: a18e76d1-f152-4b87-a552-d46f41afd637
+status: test
+description: Build an Attack Enterprise Navigator layer
+references:
+    - https://www.dogesec.com
+author: dogesec
+date: 2020-01-01
+modified: 2020-01-02
+tags:
+    - tlp.clear
+    - attack.t1547
+    - attack.t1671
+    - attack.t1025
+    - attack.command-and-control
+    - attack.t1661 # will fail is mobile
+logsource:
+    product: okta
+    service: okta
+detection:
+    selection:
+        eventtype:
+            - policy.lifecycle.update
+            - policy.lifecycle.delete
+    condition: selection
+level: low
+license: MIT

txt2detection-1.0.9/tests/files/sigma-rule-attack-flow.yml

@@ -0,0 +1,25 @@
+title: Attack Flow demo
+id: 7894eba6-b0e5-48d9-be52-26bf5a556e45
+status: test
+description: Build an Attack Flow from a Sigma Rule
+references:
+    - https://www.dogesec.com
+author: dogesec
+date: 2020-01-01
+modified: 2020-01-02
+tags:
+    - tlp.clear
+    - attack.t1547
+    - attack.t1671
+    - attack.t1025
+logsource:
+    product: okta
+    service: okta
+detection:
+    selection:
+        eventtype:
+            - policy.lifecycle.update
+            - policy.lifecycle.delete
+    condition: selection
+level: low
+license: MIT

{txt2detection-1.0.8 → txt2detection-1.0.9}/tests/files/sigma-rule-custom-tags.yml

@@ -11,7 +11,7 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
+    - attack.command-and-control
     - cve.2024-56520
     - detection.xyz
 logsource:

{txt2detection-1.0.8 → txt2detection-1.0.9}/tests/files/sigma-rule-master.yml

@@ -11,7 +11,7 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
+    - attack.command-and-control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.8 → txt2detection-1.0.9}/tests/files/sigma-rule-no-description.yml

@@ -10,7 +10,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.8 → txt2detection-1.0.9}/tests/files/sigma-rule-no-level.yml

@@ -11,7 +11,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.8 → txt2detection-1.0.9}/tests/files/sigma-rule-no-license.yml

@@ -11,7 +11,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.8 → txt2detection-1.0.9}/tests/files/sigma-rule-no-status.yml

@@ -10,7 +10,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.8 → txt2detection-1.0.9}/tests/files/sigma-rule-observables.yml

@@ -11,7 +11,6 @@ modified: 2022-10-09
 tags:
     - tlp.red
     - attack.t1547
-    - attack.command_and_control
     - cve.2024-56520
 logsource:
     product: okta

{txt2detection-1.0.8 → txt2detection-1.0.9}/tests/manual-tests/README.md

@@ -445,4 +445,33 @@ python3 txt2detection.py sigma \
   --name "Overwrite status" \
   --status unsupported \
   --report_id d2d01afa-dc55-4a80-8d62-15d154450112
-```
+```
+
+
+## Attack Flow
+
+```shell
+python3 txt2detection.py sigma \
+  --sigma_file tests/files/sigma-rule-attack-flow.yml \
+  --name "Create ATT&CK Flow" \
+  --report_id 330e2030-1dc2-45e6-be13-9342b102621b \
+  --ai_provider openai:gpt-5 \
+  --ai_create_attack_flow
+```
+
+## Attack Navigator
+
+### Enterprise
+
+```shell
+python3 txt2detection.py sigma \
+  --sigma_file tests/files/sigma-rule-attack-enterprise.yml \
+  --name "Attack Navigator Enterprise" \
+  --report_id a18e76d1-f152-4b87-a552-d46f41afd637 \
+  --ai_provider openai:gpt-5 \
+  --ai_create_attack_navigator_layer
+```
+
+### Mobile / ICS
+
+Not currently supported by Sigma.

{txt2detection-1.0.8 → txt2detection-1.0.9}/tests/src/test_bundler.py

@@ -28,17 +28,6 @@ def dummy_detection():
     return detection
 
 
-@pytest.fixture
-def bundler_instance():
-    return Bundler(
-        name="Test Report",
-        identity=None,
-        tlp_level="red",
-        description="This is a test report.",
-        labels=["tlp.red", "test.test-var"],
-        created=datetime(2025, 1, 1),
-        report_id="74e36652-00f5-4dca-bf10-9f02fc996dcc",
-    )
 
 
 def test_bundler_initialization(bundler_instance):
@@ -284,3 +273,13 @@ def test_bundle_detections__creates_log_source(dummy_detection, bundler_instance
             ],
         },
     ]
+
+def test_get_attack_objects(bundler_instance):
+    retval = bundler_instance.get_attack_objects(['T1190', 'T1547'])
+    print({r['id'] for r in retval})
+    assert {r['id'] for r in retval} == {'attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf', 'attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c'}
+
+def test_get_cve_objects(bundler_instance):
+    cves = ['CVE-2025-1234', 'CVE-2024-1234']
+    retval = bundler_instance.get_cve_objects(cves)
+    assert {r['name'] for r in retval} == set(cves)

txt2detection-1.0.9/txt2detection/__main__.py

@@ -0,0 +1,347 @@
+import argparse
+from datetime import UTC, datetime
+
+from dataclasses import dataclass
+import io
+import json
+import os
+from pathlib import Path
+import logging
+import re
+import sys
+import uuid
+from stix2 import Identity
+import yaml
+
+from txt2detection import attack_flow, credential_checker
+from txt2detection.ai_extractor.base import BaseAIExtractor
+from txt2detection.models import (
+    TAG_PATTERN,
+    DetectionContainer,
+    Level,
+    SigmaRuleDetection,
+)
+from txt2detection.utils import validate_token_count
+
+
+def configureLogging():
+    # Configure logging
+    stream_handler = logging.StreamHandler()  # Log to stdout and stderr
+    stream_handler.setLevel(logging.INFO)
+    logging.basicConfig(
+        level=logging.DEBUG,  # Set the desired logging level
+        format=f"%(asctime)s [%(levelname)s] %(message)s",
+        handlers=[stream_handler],
+        datefmt="%d-%b-%y %H:%M:%S",
+    )
+
+    return logging.root
+
+
+configureLogging()
+
+
+def setLogFile(logger, file: Path):
+    file.parent.mkdir(parents=True, exist_ok=True)
+    logger.info(f"Saving log to `{file.absolute()}`")
+    handler = logging.FileHandler(file, "w")
+    handler.formatter = logging.Formatter(
+        fmt="%(levelname)s %(asctime)s - %(message)s", datefmt="%d-%b-%y %H:%M:%S"
+    )
+    handler.setLevel(logging.DEBUG)
+    logger.addHandler(handler)
+    logger.info("=====================txt2detection======================")
+
+
+from .bundler import Bundler
+import shutil
+
+
+from .utils import STATUSES, as_date, make_identity, valid_licenses, parse_model
+
+
+def parse_identity(str):
+    return Identity(**json.loads(str))
+
+
+@dataclass
+class Args:
+    input_file: str
+    input_text: str
+    name: str
+    tlp_level: str
+    labels: list[str]
+    created: datetime
+    use_identity: Identity
+    ai_provider: BaseAIExtractor
+    report_id: uuid.UUID
+    external_refs: dict[str, str]
+    reference_urls: list[str]
+
+
+def parse_created(value):
+    """Convert the created timestamp to a datetime object."""
+    try:
+        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=UTC)
+    except ValueError:
+        raise argparse.ArgumentTypeError(
+            "Invalid date format. Use YYYY-MM-DDTHH:MM:SS."
+        )
+
+
+def parse_ref(value):
+    m = re.compile(r"(.+?)=(.+)").match(value)
+    if not m:
+        raise argparse.ArgumentTypeError("must be in format key=value")
+    return dict(source_name=m.group(1), external_id=m.group(2))
+
+
+def parse_label(label: str):
+    if not TAG_PATTERN.match(label):
+        raise argparse.ArgumentTypeError(
+            "Invalid label format. Must follow sigma tag format {namespace}.{label}"
+        )
+    namespace, _, _ = label.partition(".")
+    if namespace in ["tlp"]:
+        raise argparse.ArgumentTypeError(f"Unsupported tag namespace `{namespace}`")
+    return label
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(
+        description="Convert text file to detection format."
+    )
+    mode = parser.add_subparsers(
+        title="process-mode", dest="mode", description="mode to use"
+    )
+    file = mode.add_parser("file", help="process a file input using ai")
+    text = mode.add_parser("text", help="process a text argument using ai")
+    sigma = mode.add_parser("sigma", help="process a sigma file without ai")
+    check_credentials = mode.add_parser(
+        "check-credentials",
+        help="show status of external services with respect to credentials",
+    )
+
+    for mode_parser in [file, text, sigma]:
+        mode_parser.add_argument(
+            "--report_id", type=uuid.UUID, help="report_id to use for generated report"
+        )
+        mode_parser.add_argument(
+            "--name",
+            required=True,
+            help="Name of file, max 72 chars. Will be used in the STIX Report Object created.",
+        )
+        mode_parser.add_argument(
+            "--tlp_level",
+            choices=["clear", "green", "amber", "amber_strict", "red"],
+            help="Options are clear, green, amber, amber_strict, red. Default is clear if not passed.",
+        )
+        mode_parser.add_argument(
+            "--labels",
+            type=parse_label,
+            action="extend",
+            nargs="+",
+            help="Comma-separated list of labels. Case-insensitive (will be converted to lower-case). Allowed a-z, 0-9.",
+        )
+        mode_parser.add_argument(
+            "--created",
+            type=parse_created,
+            help="Explicitly set created time in format YYYY-MM-DDTHH:MM:SS.sssZ. Default is current time.",
+        )
+        mode_parser.add_argument(
+            "--use_identity",
+            type=parse_identity,
+            help="Pass a full STIX 2.1 identity object (properly escaped). Validated by the STIX2 library. Default is SIEM Rules identity.",
+        )
+        mode_parser.add_argument(
+            "--ai_provider",
+            required=False,
+            type=parse_model,
+            help="(required): defines the `provider:model` to be used. Select one option.",
+            metavar="provider[:model]",
+        )
+        mode_parser.add_argument(
+            "--external_refs",
+            type=parse_ref,
+            help="pass additional `external_references` entry (or entries) to the report object created. e.g --external_ref author=dogesec link=https://dkjjadhdaj.net",
+            default=[],
+            metavar="{source_name}={external_id}",
+            action="extend",
+            nargs="+",
+        )
+        mode_parser.add_argument(
+            "--reference_urls",
+            help="pass additional `external_references` url entry (or entries) to the report object created.",
+            default=[],
+            metavar="{url}",
+            action="extend",
+            nargs="+",
+        )
+        mode_parser.add_argument(
+            "--license",
+            help="Valid SPDX license for the rule",
+            default=None,
+            metavar="[LICENSE]",
+            choices=valid_licenses(),
+        )
+        mode_parser.add_argument(
+            "--ai_create_attack_navigator_layer",
+            help="Create navigator layer",
+            action="store_true",
+            default=False,
+        )
+        mode_parser.add_argument(
+            "--ai_create_attack_flow",
+            help="Create attack flow",
+            action="store_true",
+            default=False,
+        )
+
+    file.add_argument(
+        "--input_file",
+        help="The file to be converted. Must be .txt",
+        type=lambda x: Path(x).read_text(),
+    )
+    text.add_argument("--input_text", help="The text to be converted")
+    sigma.add_argument(
+        "--sigma_file",
+        help="The sigma file to be converted. Must be .yml",
+        type=lambda x: Path(x).read_text(),
+    )
+    sigma.add_argument(
+        "--status",
+        help="If passed, will overwrite any existing `status` recorded in the rule",
+        choices=STATUSES,
+    )
+    sigma.add_argument(
+        "--level",
+        help="If passed, will overwrite any existing `level` recorded in the rule",
+        choices=Level._member_names_,
+    )
+
+    args: Args = parser.parse_args()
+    if args.mode == "check-credentials":
+        statuses = credential_checker.check_statuses(test_llms=True)
+        credential_checker.format_statuses(statuses)
+        sys.exit(0)
+
+    if args.mode != "sigma":
+        assert args.ai_provider, "--ai_provider is required in file or txt mode"
+
+    if args.ai_create_attack_navigator_layer or args.ai_create_attack_flow:
+        assert (
+            args.ai_provider
+        ), "--ai_provider is required when --ai_create_attack_navigator_layer/--ai_create_attack_flow is passed"
+
+    if args.mode == "file":
+        args.input_text = args.input_file
+
+    args.input_text = getattr(args, "input_text", "")
+    if not args.report_id:
+        args.report_id = Bundler.generate_report_id(
+            args.use_identity.id if args.use_identity else None, args.created, args.name
+        )
+
+    return args
+
+
+def run_txt2detection(
+    name,
+    identity,
+    tlp_level,
+    input_text: str,
+    labels: list[str],
+    report_id: str | uuid.UUID,
+    ai_provider: BaseAIExtractor,
+    ai_create_attack_flow=False,
+    ai_create_attack_navigator_layer=False,
+    **kwargs,
+) -> Bundler:
+    if (
+        kwargs.get("sigma_file") != "sigma_file"
+        or ai_create_attack_flow
+        or ai_create_attack_navigator_layer
+    ):
+        validate_token_count(
+            int(os.getenv("INPUT_TOKEN_LIMIT", 0)), input_text, ai_provider
+        )
+
+    if sigma := kwargs.get("sigma_file"):
+        detection = get_sigma_detections(sigma)
+        if not identity and detection.author:
+            identity = make_identity(detection.author)
+        kwargs.update(
+            reference_urls=kwargs.setdefault("reference_urls", [])
+            + detection.references
+        )
+        if not kwargs.get("created"):
+            # only consider rule.date and rule.modified if user does not pass --created
+            kwargs.update(
+                created=detection.date,
+                modified=detection.modified,
+            )
+        detection.level = kwargs.get("level", detection.level)
+        detection.status = kwargs.get("status", detection.status)
+        detection.date = as_date(kwargs.get("created"))
+        detection.modified = as_date(kwargs.get("modified"))
+        detection.references = kwargs["reference_urls"]
+        detection.detection_id = str(report_id).removeprefix("report--")
+        bundler = Bundler(
+            name or detection.title,
+            identity,
+            tlp_level or detection.tlp_level or "clear",
+            detection.description,
+            (labels or []) + detection.tags,
+            report_id=report_id,
+            **kwargs,
+        )
+        detections = DetectionContainer(success=True, detections=[])
+        detections.detections.append(detection)
+    else:
+        bundler = Bundler(
+            name, identity, tlp_level, input_text, labels, report_id=report_id, **kwargs
+        )
+        detections = ai_provider.get_detections(input_text)
+    bundler.bundle_detections(detections)
+
+    if ai_create_attack_flow or ai_create_attack_navigator_layer:
+        bundler.data.attack_flow, bundler.data.navigator_layer = (
+            attack_flow.extract_attack_flow_and_navigator(
+                bundler,
+                bundler.report.description,
+                ai_create_attack_flow,
+                ai_create_attack_navigator_layer,
+                ai_provider,
+            )
+        )
+    return bundler
+
+
+def get_sigma_detections(sigma: str) -> SigmaRuleDetection:
+    obj = yaml.safe_load(io.StringIO(sigma))
+    return SigmaRuleDetection.model_validate(obj)
+
+
+def main(args: Args):
+
+    setLogFile(logging.root, Path(f"logs/log-{args.report_id}.log"))
+    logging.info(f"starting argument: {json.dumps(sys.argv[1:])}")
+    kwargs = args.__dict__
+    kwargs["identity"] = args.use_identity
+    bundler = run_txt2detection(**kwargs)
+
+    output_dir = Path("./output") / str(bundler.bundle.id)
+    shutil.rmtree(output_dir, ignore_errors=True)
+    rules_dir = output_dir / "rules"
+    rules_dir.mkdir(exist_ok=True, parents=True)
+
+    output_path = output_dir / "bundle.json"
+    data_path = output_dir / f"data.json"
+    output_path.write_text(bundler.to_json())
+    data_path.write_text(bundler.data.model_dump_json(indent=4))
+    for obj in bundler.bundle["objects"]:
+        if obj["type"] != "indicator" or obj["pattern_type"] != "sigma":
+            continue
+        name = obj["id"].replace("indicator", "rule") + ".yml"
+        (rules_dir / name).write_text(obj["pattern"])
+    logging.info(f"Writing bundle output to `{output_path}`")