txt2stix 1.0.1.post1__py3-none-any.whl → 1.0.2__py3-none-any.whl

txt2stix/ai_extractor/__init__.py

@@ -1,4 +1,5 @@
 import logging
+import warnings
 
 import dotenv
 
@@ -12,4 +13,4 @@ for path in ["openai", "anthropic", "gemini", "deepseek", "openrouter"]:
     try:
         __import__(__package__ + "." + path)
     except Exception as e:
-        logging.warning("%s not supported, please install missing modules", path, exc_info=True)
+        pass

txt2stix/ai_extractor/base.py

@@ -14,7 +14,7 @@ from llama_index.core.utils import get_tokenizer
 _ai_extractor_registry: dict[str, 'Type[BaseAIExtractor]'] = {}
 class BaseAIExtractor():
     system_prompt = DEFAULT_SYSTEM_PROMPT
-    
+
     extraction_template = DEFAULT_EXTRACTION_TEMPL
 
     relationship_template = DEFAULT_RELATIONSHIP_TEMPL
@@ -28,7 +28,7 @@ class BaseAIExtractor():
             verbose=True,
             llm=self.llm,
         )
-    
+
     def _get_relationship_program(self):
         return LLMTextCompletionProgram.from_defaults(
             output_parser=ParserWithLogging(RelationshipList),
@@ -36,7 +36,7 @@ class BaseAIExtractor():
             verbose=True,
             llm=self.llm,
         )
-    
+
     def _get_content_checker_program(self):
         return LLMTextCompletionProgram.from_defaults(
             output_parser=ParserWithLogging(DescribesIncident),
@@ -44,10 +44,10 @@ class BaseAIExtractor():
             verbose=True,
             llm=self.llm,
         )
-    
+
     def check_content(self, text) -> DescribesIncident:
         return self._get_content_checker_program()(context_str=text)
-    
+
     def _get_attack_flow_program(self):
         return LLMTextCompletionProgram.from_defaults(
             output_parser=ParserWithLogging(AttackFlowList),
@@ -55,24 +55,29 @@ class BaseAIExtractor():
             verbose=True,
             llm=self.llm,
         )
-    
-    def extract_attack_flow(self, input_text, extractions, relationships) -> AttackFlowList:
-        return self._get_attack_flow_program()(document=input_text, extractions=extractions, relationships=relationships)
+
+    def extract_attack_flow(self, input_text, techniques) -> AttackFlowList:
+        extracted_techniques = []
+        for t in techniques.values():
+            extracted_techniques.append(
+                dict(id=t['id'], name=t['name'], possible_tactics=list(t['possible_tactics'].keys()))
+            )
+        return self._get_attack_flow_program()(document=input_text, extracted_techniques=extracted_techniques)
 
     def extract_relationships(self, input_text, extractions, relationship_types: list[str]) -> RelationshipList:
         return self._get_relationship_program()(relationship_types=relationship_types, input_file=input_text, extractions=extractions)
-    
+
     def extract_objects(self, input_text, extractors) -> ExtractionList:
         extraction_list = self._get_extraction_program()(extractors=get_extractors_str(extractors), input_file=input_text)
         return extraction_list.model_dump().get('extractions', [])
-    
+
     def __init__(self, *args, **kwargs) -> None:
         pass
 
     def count_tokens(self, input_text):
         logging.info("unsupported model `%s`, estimating using llama-index's default tokenizer", self.extractor_name)
         return len(get_tokenizer()(input_text))
-    
+
     def __init_subclass__(cls, /, provider, register=True, **kwargs):
         super().__init_subclass__(**kwargs)
         if register:
@@ -82,7 +87,6 @@ class BaseAIExtractor():
     @property
     def extractor_name(self):
         return f"{self.provider}:{self.llm.model}"
-    
 
     def __hash__(self):
-        return hash(self.extractor_name)
+        return hash(self.extractor_name)

txt2stix/ai_extractor/prompts.py

@@ -128,43 +128,111 @@ DEFAULT_CONTENT_CHECKER_WITH_SUMMARY_TEMPL = PromptTemplate("""
 </summary>
 """)
 
+
+
 ATTACK_FLOW_PROMPT_TEMPL = ChatPromptTemplate([
-    ChatMessage.from_str("""You are a cyber security threat intelligence analyst.
-Your job is to review report that describe a cyber security incidents.
-Examples include malware analysis, APT group reports, data breaches and vulnerabilities.""", MessageRole.SYSTEM),
-    ChatMessage.from_str("Hi, What <document> would you like me to process for you? the message below must contain the document and the document only", MessageRole.ASSISTANT),
+    ChatMessage.from_str("""You are a cybersecurity threat intelligence analyst.
+
+Your task is to analyze structured cybersecurity incident reports (e.g., malware analysis, APTs, data breaches, vulnerabilities) and extract and organize MITRE ATT&CK techniques as part of an attack flow analysis. This analysis helps defenders understand adversary behavior using the MITRE Attack Flow model maintained by the MITRE Center for Threat-Informed Defense.""", MessageRole.SYSTEM),
+
+    ChatMessage.from_str("Hello. Please provide the document for analysis. Only include the full document text in your response.", MessageRole.ASSISTANT),
+
     ChatMessage.from_str("{document}", MessageRole.USER),
-    ChatMessage.from_str("What are the objects that have been extracted (<extractions>) from the document above?", MessageRole.ASSISTANT),
-    ChatMessage.from_str("{extractions}", MessageRole.USER),
-    ChatMessage.from_str("What are the relationships that have been extracted (<relationships>) between the documents?", MessageRole.USER),
-    ChatMessage.from_str("{relationships}", MessageRole.USER),
-    ChatMessage.from_str("What should I do with all the data that have been provided?", MessageRole.ASSISTANT),
-    ChatMessage.from_str("""Consider all the MITRE ATT&CK Objects extracted from the report and the relationships they have to other objects.
 
-Now I need you to logically define the order of ATT&CK Tactics/Techniques as they are executed in the incident described in the report.
+    ChatMessage.from_str("What ATT&CK techniques and related metadata were extracted from this document?", MessageRole.ASSISTANT),
 
-It is possible that the Techniques extracted are not linked to the relevant MITRE ATT&CK Tactic. You should also assign the correct Tactic to a Technique where a Technique belongs to many ATT&CK Tactics in the ATT&CK Matrix if that can correctly be inferred.
+    ChatMessage.from_str("<extracted_techniques>\n\n{extracted_techniques}\n\n</extracted_techniques>", MessageRole.USER),
 
-You should also provide a short overview about how this technique is described in the report as the name, and a longer version in description.
+    ChatMessage.from_str("Let's begin with tactic selection. What should I do with the techniques and possible tactics?", MessageRole.ASSISTANT),
 
-IMPORTANT: only include the ATT&CK IDs extracted already, do not add any new extractions.
+    # PART 1: Tactic Selection Phase
+    ChatMessage.from_str("""
+PART 1: TACTIC SELECTION
 
-You should deliver a response in JSON as follows
+For each of the technique in `<extracted_techniques>`, return [technique_id, tactic_name], where
+- technique id = `technique.id`
+- tactic_name = choice from `technique.possible_tactics`, where choice is selected based on the **most contextually appropriate** tactic name for each technique based on how it's used in the document.
 
-[
+📌 Output only the tactic assignments in this format:
+<code>
 {
-   "position": "<ORDER OF OBJECTS STARTING AT 0",
-   "attack_tactic_id": "<ID>",
-   "attack_technique_id": "<ID>",
-   "name": "<NAME>",
-   "description": "<DESC>"
-},
+  "tactic_selection": [
+    ["Txxxx", "impact"],
+    ["Tyyyy", "discovery"],
+    ...
+  ]
+}
+</code>
+
+⚠️ Constraints:
+- Use **only** the `possible_tactics` provided with each technique.
+- Do **not** invent or infer any technique or tactic name beyond what’s given in <extracted_techniques>.
+- Ensure **every** technique in `<extracted_techniques>` appears in `tactic_selection`, even if uncertain — choose the best fit.
+- Technique IDs in `tactic_selection` must match exactly from <extracted_techniques> (e.g., `T1059` must match `T1059` and not `T1059.005`, `T1001.001` must match `T1001.001` and not `T1001`).
+- Must include every technique in `<extracted_techniques>`
+""", MessageRole.USER),
+
+    ChatMessage.from_str("Thanks. Now let's continue with the attack flow. How should I proceed?", MessageRole.ASSISTANT),
+
+    # PART 2: Attack Flow Construction Phase
+    ChatMessage.from_str("""
+PART 2: ATTACK FLOW CONSTRUCTION
+
+Using the `<extracted_techniques>` and the incident details in the document, construct a sequence of MITRE ATT&CK techniques that represent the adversary’s logical progression through the attack.
+
+For each technique:
+- Use the `technique.id` exactly as provided
+- Assign:
+  - `name`: a short, context-based phrase describing how the technique is used
+  - `description`: a longer explanation of how the technique operates in this specific incident, based only on the document
+  - `position`: the step in the logical or chronological attack sequence (starting at 0)
+
+⚠️ Constraints:
+- Use **only** technique IDs provided in `<extracted_techniques>` — do **not** invent or infer new ones
+- Ensure all included technique IDs exactly match `technique.id` from `<extracted_techniques>` (e.g., `T1059` must match `T1059` and not `T1059.005`, `T1001.001` must match `T1001.001` and not `T1001`).
+
+📤 Output Format:
+<code>
 {
-   "position": "<ORDER OF OBJECTS STARTING AT 0",
-   "attack_tactic_id": "<ID>",
-   "attack_technique_id": "<ID>",
-   "name": "<NAME>",
-   "description": "<DESC>"
+  "items": [
+    {
+      "position": 0,
+      "attack_technique_id": "Txxxx",
+      "name": "Short contextual name",
+      "description": "Detailed contextual explanation"
+    },
+    ...
+  ],
+  "success": true
 }
-]""", MessageRole.USER)
-])
+</code>
+
+Your goal is to tell the story of how the adversary moved through the attack using the extracted ATT&CK techniques, in the correct sequence, with clear context for defenders.
+""", MessageRole.USER),
+    # PART 3: Combination phase
+    ChatMessage.from_str("""
+📤 Final Output Format:
+<code>
+{
+  "tactic_selection": [...],  // Use your previous output
+  "items": [
+    {
+      "position": 0,
+      "attack_technique_id": "Txxxx",
+      "name": "Short contextual name",
+      "description": "Detailed contextual explanation"
+    },
+    ...
+  ],
+  "success": true
+}
+</code>
+
+⚠️ Constraints:
+- All `attack_technique_id` values in `items` must come from `<extracted_techniques>`
+- The `position` field should reflect the **chronological or logical** execution order of the attack
+- Do **not** introduce new technique IDs
+
+✅ Your goal is to build a realistic, document-based attack flow using MITRE ATT&CK technique–tactic pairs.
+""", MessageRole.USER)
+])

txt2stix/ai_extractor/utils.py

@@ -38,16 +38,23 @@ class DescribesIncident(BaseModel):
 
 class AttackFlowItem(BaseModel):
     position : int = Field(description="order of object starting at 0")
-    attack_tactic_id : str
     attack_technique_id : str
     name: str
     description: str
 
 class AttackFlowList(BaseModel):
-    matrix : str = Field(description="one of ics, mobile and enterprise")
+    tactic_selection: list[tuple[str, str]] = Field(description="attack technique id to attack tactic id mapping using possible_tactics")
+    # additional_tactic_mapping: list[tuple[str, str]] = Field(description="the rest of tactic_mapping")
     items : list[AttackFlowItem]
     success: bool = Field(description="determines if there's any valid flow in <extractions>")
 
+    def model_post_init(self, context):
+        return super().model_post_init(context)
+    
+    @property
+    def tactic_mapping(self):
+        return dict(self.tactic_selection)
+
 class ParserWithLogging(PydanticOutputParser):
     def parse(self, text: str):
         f = io.StringIO()

txt2stix/attack_flow.py

@@ -1,7 +1,10 @@
+import json
 import logging
 import uuid
 from stix2 import Relationship
+from txt2stix import txt2stixBundler
 
+from txt2stix.ai_extractor.base import BaseAIExtractor
 from txt2stix.common import UUID_NAMESPACE
 from txt2stix.retriever import STIXObjectRetriever
 from stix2extensions.attack_action import AttackAction, AttackFlow
@@ -9,33 +12,27 @@ from stix2extensions._extensions import attack_flow_ExtensionDefinitionSMO
 from .utils import AttackFlowList
 
 
-def parse_flow(report, flow: AttackFlowList):
+def parse_flow(report, flow: AttackFlowList, techniques, tactics):
     logging.info(f"flow.success = {flow.success}")
     if not flow.success:
         return []
-    attack_objects = STIXObjectRetriever().get_attack_objects(
-        flow.matrix,
-        [item.attack_tactic_id for item in flow.items]
-        + [item.attack_technique_id for item in flow.items],
-    )
-    attack_objects = {
-        obj["external_references"][0]["external_id"]: obj for obj in attack_objects
-    }
     flow_objects = [report, attack_flow_ExtensionDefinitionSMO]
     last_action = None
     for i, item in enumerate(flow.items):
         try:
-            tactic_obj = attack_objects[item.attack_tactic_id]
-            technique_obj = attack_objects[item.attack_technique_id]
+            technique = techniques[item.attack_technique_id]
+            tactic_id = technique['possible_tactics'][flow.tactic_mapping[item.attack_technique_id]]
+            technique_obj = technique["stix_obj"]
+            tactic_obj = tactics[technique["domain"]][tactic_id]
             action_obj = AttackAction(
                 **{
                     "id": flow_id(
-                        report["id"], item.attack_technique_id, item.attack_tactic_id
+                        report["id"], item.attack_technique_id, tactic_id
                     ),
                     "effect_refs": [f"attack-action--{str(uuid.uuid4())}"],
                     "technique_id": item.attack_technique_id,
                     "technique_ref": technique_obj["id"],
-                    "tactic_id": item.attack_tactic_id,
+                    "tactic_id": tactic_id,
                     "tactic_ref": tactic_obj["id"],
                     "name": item.name,
                     "description": item.description,
@@ -99,3 +96,113 @@ def flow_id(report_id, technique_id, tactic_id):
             f"{report_id}+{technique_id}+{tactic_id}",
         )
     )
+
+
+def get_all_tactics():
+    tactics = {
+        "enterprise-attack": None,
+        "mobile-attack": None,
+        "ics-attack": None,
+    }
+    for k in tactics.keys():
+        matrix = k.replace("attack", "").strip("-")
+        all_tactics = STIXObjectRetriever().get_attack_tactics(matrix)
+        tactics[k] = all_tactics
+    return tactics
+
+
+def get_techniques_from_extracted_objects(objects: dict, tactics: dict):
+    techniques = {}
+    for obj in objects:
+        if (
+            obj["type"] == "attack-pattern"
+            and obj.get("external_references", [{"source_name": None}])[0][
+                "source_name"
+            ]
+            == "mitre-attack"
+        ):
+            domain = obj["x_mitre_domains"][0]
+            technique = dict(
+                domain=domain,
+                name=obj["name"],
+                possible_tactics={},
+                id=obj["external_references"][0]["external_id"],
+                platforms=[
+                    platform
+                    for platform in obj["x_mitre_platforms"]
+                    if platform != "None"
+                ],
+                stix_obj=obj,
+            )
+            for phase in obj["kill_chain_phases"]:
+                if not set(phase["kill_chain_name"].split("-")).issuperset(
+                    ["mitre", "attack"]
+                ):
+                    continue
+                tactic_name = phase["phase_name"]
+                tactic_obj = tactics[domain][tactic_name]
+                tactic_id = tactic_obj["external_references"][0]["external_id"]
+                technique["possible_tactics"][tactic_name] = tactic_id
+            techniques[technique["id"]] = technique
+    return techniques
+
+
+def create_navigator_layer(report, summary, flow: AttackFlowList, techniques):
+    domains = {}
+    for technique in techniques.values():
+        domain_techniques = domains.setdefault(technique["domain"], [])
+        technique_id = technique["id"]
+        if technique_id not in flow.tactic_mapping:
+            continue
+        domain_techniques.append(
+            dict(techniqueID=technique_id, tactic=flow.tactic_mapping[technique_id])
+        )
+
+    retval = []
+
+    for domain, domain_techniques in domains.items():
+        retval.append(
+            {
+                "version": "4.5",
+                "name": report.name,
+                "domain": domain,
+                "description": summary,
+                "techniques": domain_techniques,
+                "gradient": {
+                    "colors": ["#ffffff", "#ff6666"],
+                    "minValue": 0,
+                    "maxValue": 100,
+                },
+                "legendItems": [],
+                "metadata": [],
+                "layout": {"layout": "side"},
+            }
+        )
+    return retval
+
+
+def extract_attack_flow_and_navigator(
+    bundler: txt2stixBundler,
+    preprocessed_text,
+    ai_create_attack_flow,
+    ai_create_attack_navigator_layer,
+    ai_settings_relationships,
+):
+    ex: BaseAIExtractor = ai_settings_relationships
+    tactics = get_all_tactics()
+    techniques = get_techniques_from_extracted_objects(bundler.bundle.objects, tactics)
+    logged_techniques = [
+            {k: v for k, v in t.items() if k != "stix_obj"}
+            for t in techniques.values()
+        ]
+    logging.debug(f"parsed techniques: {json.dumps(logged_techniques, indent=4)}")
+
+    flow = ex.extract_attack_flow(preprocessed_text, techniques)
+    navigator = None
+    if ai_create_attack_flow:
+        logging.info("creating attack-flow bundle")
+        bundler.flow_objects = parse_flow(bundler.report, flow, techniques, tactics)
+
+    if ai_create_attack_navigator_layer:
+        navigator = create_navigator_layer(bundler.report, bundler.summary, flow, techniques)
+    return flow, navigator

txt2stix/bundler.py

@@ -194,6 +194,7 @@ class txt2stixBundler:
         self.all_extractors = extractors
         self.identity = identity or self.default_identity
         self.tlp_level = TLP_LEVEL.get(tlp_level)
+        self.summary = ""
         if report_id:
             self.uuid = report_id
         else:
@@ -415,6 +416,7 @@ class txt2stixBundler:
         )
 
     def add_summary(self, summary, ai_summary_provider):
+        self.summary = summary
         summary_note_obj = Note(
             type="note",
             spec_version="2.1",

txt2stix/extractions.py

@@ -31,8 +31,9 @@ class Extractor(NamedDict):
         self.extraction_key = key
         self.slug = key
         test_cases = test_cases or dict()
-        self.prompt_negative_examples = test_cases.get('test_negative_examples') or []
-        self.prompt_positive_examples = test_cases.get('test_positive_examples') or []
+        
+        self.prompt_negative_examples = remove_empty(test_cases.get('test_negative_examples') or [])
+        self.prompt_positive_examples = remove_empty(test_cases.get('test_positive_examples') or [])
         if self.file and not Path(self.file).is_absolute() and include_path:
             self.file = Path(include_path) / self.file
 
@@ -44,6 +45,9 @@ class Extractor(NamedDict):
             for line in file.read_text().splitlines():
                 self.lookups.add(line.strip())
 
+def remove_empty(iterable: list):
+    return [it for it in iterable if it]
+
 def parse_extraction_config(include_path: Path):
     config = {}
     test_cases = load_test_cases_config(include_path)

txt2stix/includes/lookups/_generate_lookups.py

@@ -1,3 +1,5 @@
+## IMPORTANT: if using CTI Butler database locally in arangodb (i.e is not app.ctibutler.com in .env) you need to follow these steps to import the data needed to populate these lookups: https://github.com/muchdogesec/stix2arango/blob/main/utilities/arango_cti_processor/README.md (use `--database ctibutler_database` in the s2a script or change it in this script)
+
 import os
 from arango import ArangoClient
 

txt2stix/retriever.py

@@ -22,6 +22,15 @@ class STIXObjectRetriever:
         endpoint = urljoin(self.api_root, f"v1/attack-{matrix}/objects/{attack_id}/")
         return self._retrieve_objects(endpoint)
     
+    def get_attack_tactics(self, matrix):
+        endpoint = urljoin(self.api_root, f"v1/attack-{matrix}/objects/?attack_type=Tactic")
+        tactics = self._retrieve_objects(endpoint)
+        retval = {}
+        for tac in tactics:
+            retval[tac['x_mitre_shortname']] = tac
+            retval[tac['external_references'][0]['external_id']] = tac
+        return retval
+    
     def get_attack_objects(self, matrix, attack_ids):
         endpoint = urljoin(self.api_root, f"v1/attack-{matrix}/objects/?attack_id={','.join(attack_ids)}")
         return self._retrieve_objects(endpoint)

txt2stix/txt2stix.py

@@ -1,4 +1,6 @@
 import argparse, dotenv
+import contextlib
+import shutil
 from datetime import datetime
 import glob
 import uuid
@@ -11,7 +13,7 @@ import sys, os
 from pydantic import BaseModel
 
 from txt2stix.ai_extractor.utils import DescribesIncident
-from txt2stix.attack_flow import parse_flow
+from txt2stix import attack_flow
 
 
 from .utils import RELATIONSHIP_TYPES, Txt2StixData, remove_links
@@ -38,7 +40,7 @@ def newLogger(name: str) -> logging.Logger:
         level=logging.DEBUG,  # Set the desired logging level
         format=f"%(asctime)s [{name}] [%(levelname)s] %(message)s",
         handlers=[stream_handler],
-        datefmt='%d-%b-%y %H:%M:%S'
+        datefmt='%d-%b-%y %H:%M:%S',
     )
 
     return logging.root
@@ -127,31 +129,130 @@ def parse_bool(value: str):
     value = value.lower()
     return value in ["yes", "y", "true", "1"]
 
+
 def parse_args():
-    EXTRACTORS_PATH = INCLUDES_PATH/"extractions"
+    EXTRACTORS_PATH = INCLUDES_PATH / "extractions"
     all_extractors = extractions.parse_extraction_config(INCLUDES_PATH)
-    
+
     parser = argparse.ArgumentParser(description="File Conversion Tool")
 
-    inf_arg  = parser.add_argument("--input_file", "--input-file", required=True, help="The file to be converted. Must be .txt", type=Path)
-    parser.add_argument("--ai_content_check_provider", required=False, type=parse_model, help="Use an AI model to check wether the content of the file contains threat intelligence. Paticularly useful to weed out vendor marketing.")
-    parser.add_argument("--always_extract", default=True, type=parse_bool, help="Whether to always extract or not depending on output of ai_content_check_provider. Default, extracts even when content_check returns describes_incident=False")
-    name_arg = parser.add_argument("--name", required=True, help="Name of the file, max 124 chars", default="stix-out")
-    parser.add_argument("--created", required=False, default=datetime.now(), help="Allow user to optionally pass --created time in input, which will hardcode the time used in created times")
-    parser.add_argument("--ai_settings_extractions", required=False, type=parse_model, help="(required if AI extraction enabled): passed in format provider:model e.g. openai:gpt4o. Can pass more than one value to get extractions from multiple providers.", metavar="provider[:model]", nargs='+')
-    parser.add_argument("--ai_settings_relationships", required=False, type=parse_model, help="(required if AI relationship enabled): passed in format `provider:model`. Can only pass one model at this time.", metavar="provider[:model]")
+    inf_arg = parser.add_argument(
+        "--input_file",
+        "--input-file",
+        required=True,
+        help="The file to be converted. Must be .txt",
+        type=Path,
+    )
+    parser.add_argument(
+        "--ai_content_check_provider",
+        required=False,
+        type=parse_model,
+        help="Use an AI model to check wether the content of the file contains threat intelligence. Paticularly useful to weed out vendor marketing.",
+    )
+    parser.add_argument(
+        "--ai_extract_if_no_incidence",
+        default=True,
+        type=parse_bool,
+        help="if content check decides the report is not related to cyber security intelligence (e.g. vendor marketing), then you can use this setting to decide wether or not script should proceed. Setting to `false` will stop processing. It is designed to save AI tokens processing unknown content at scale in an automated way.",
+    )
+    name_arg = parser.add_argument(
+        "--name",
+        required=True,
+        help="Name of the file, max 124 chars",
+        default="stix-out",
+    )
+    parser.add_argument(
+        "--created",
+        required=False,
+        default=datetime.now(),
+        help="Allow user to optionally pass --created time in input, which will hardcode the time used in created times",
+    )
+    parser.add_argument(
+        "--ai_settings_extractions",
+        required=False,
+        type=parse_model,
+        help="(required if AI extraction enabled): passed in format provider:model e.g. openai:gpt4o. Can pass more than one value to get extractions from multiple providers.",
+        metavar="provider[:model]",
+        nargs="+",
+    )
+    parser.add_argument(
+        "--ai_settings_relationships",
+        required=False,
+        type=parse_model,
+        help="(required if AI relationship enabled): passed in format `provider:model`. Can only pass one model at this time.",
+        metavar="provider[:model]",
+    )
     parser.add_argument("--labels", type=parse_labels)
-    rmode_arg = parser.add_argument("--relationship_mode", choices=["ai", "standard"], required=True)
-    parser.add_argument("--report_id", type=uuid.UUID, required=False, help="id to use instead of automatically generated `{name}+{created}`", metavar="VALID_UUID")
-    parser.add_argument("--confidence", type=range_type(0,100), default=None, help="value between 0-100. Default if not passed is null.", metavar="[0-100]")
-    parser.add_argument("--tlp_level", "--tlp-level", choices=TLP_LEVEL.levels().keys(), default="clear", help="TLP level, default is clear")
-    extractions_arg = parser.add_argument("--use_extractions", "--use-extractions", default={}, type=functools.partial(parse_extractors_globbed, "extractor", all_extractors),  help="Specify extraction types from the default/local extractions .yaml file", metavar="EXTRACTION1,EXTRACTION2")
-    parser.add_argument("--use_identity", "--use-identity", help="Specify an identity file id (e.g., {\"type\":\"identity\",\"name\":\"demo\",\"identity_class\":\"system\"})", metavar="[stix2 identity json]", type=parse_stix)
-    parser.add_argument("--external_refs", type=parse_ref, help="pass additional `external_references` entry (or entries) to the report object created. e.g --external_ref author=dogesec link=https://dkjjadhdaj.net", default=[], metavar="{source_name}={external_id}", action="extend", nargs='+')
-    parser.add_argument('--ignore_image_refs', default=True, type=parse_bool)
-    parser.add_argument('--ignore_link_refs', default=True, type=parse_bool)
-    parser.add_argument("--ignore_extraction_boundary", default=False, type=parse_bool, help="default if not passed is `false`, but if set to `true` will ignore boundary capture logic for extractions")
-    aflow_arg = parser.add_argument('--ai_create_attack_flow', default=False, action='store_true', help="create attack flow for attack objects in report/bundle")
+    rmode_arg = parser.add_argument(
+        "--relationship_mode", choices=["ai", "standard"], required=True
+    )
+    parser.add_argument(
+        "--report_id",
+        type=uuid.UUID,
+        required=False,
+        help="id to use instead of automatically generated `{name}+{created}`",
+        metavar="VALID_UUID",
+    )
+    parser.add_argument(
+        "--confidence",
+        type=range_type(0, 100),
+        default=None,
+        help="value between 0-100. Default if not passed is null.",
+        metavar="[0-100]",
+    )
+    parser.add_argument(
+        "--tlp_level",
+        "--tlp-level",
+        choices=TLP_LEVEL.levels().keys(),
+        default="clear",
+        help="TLP level, default is clear",
+    )
+    extractions_arg = parser.add_argument(
+        "--use_extractions",
+        "--use-extractions",
+        default={},
+        type=functools.partial(parse_extractors_globbed, "extractor", all_extractors),
+        help="Specify extraction types from the default/local extractions .yaml file",
+        metavar="EXTRACTION1,EXTRACTION2",
+    )
+    parser.add_argument(
+        "--use_identity",
+        "--use-identity",
+        help='Specify an identity file id (e.g., {"type":"identity","name":"demo","identity_class":"system"})',
+        metavar="[stix2 identity json]",
+        type=parse_stix,
+    )
+    parser.add_argument(
+        "--external_refs",
+        type=parse_ref,
+        help="pass additional `external_references` entry (or entries) to the report object created. e.g --external_ref author=dogesec link=https://dkjjadhdaj.net",
+        default=[],
+        metavar="{source_name}={external_id}",
+        action="extend",
+        nargs="+",
+    )
+    parser.add_argument("--ignore_image_refs", default=True, type=parse_bool)
+    parser.add_argument("--ignore_link_refs", default=True, type=parse_bool)
+    parser.add_argument(
+        "--ignore_extraction_boundary",
+        default=False,
+        type=parse_bool,
+        help="default if not passed is `false`, but if set to `true` will ignore boundary capture logic for extractions",
+    )
+    aflow_arg = parser.add_argument(
+        "--ai_create_attack_flow",
+        default=False,
+        action="store_true",
+        help="create attack flow for attack objects in report/bundle",
+    )
+
+    anav_arg = parser.add_argument(
+        "--ai_create_attack_navigator_layer",
+        default=False,
+        action="store_true",
+        help="create attack flow for attack objects in report/bundle",
+    )
+
 
     args = parser.parse_args()
     if not args.input_file.exists():
@@ -159,18 +260,31 @@ def parse_args():
     if len(args.name) > 124:
         raise argparse.ArgumentError(name_arg, "max 124 characters")
 
-    if args.relationship_mode == 'ai' and not args.ai_settings_relationships:
-        raise argparse.ArgumentError(rmode_arg, "relationship_mode is set to AI, --ai_settings_relationships is required")
+    if args.relationship_mode == "ai" and not args.ai_settings_relationships:
+        raise argparse.ArgumentError(
+            rmode_arg,
+            "relationship_mode is set to AI, --ai_settings_relationships is required",
+        )
 
     if args.ai_create_attack_flow and not args.ai_settings_relationships:
-        raise argparse.ArgumentError(aflow_arg, "--ai_create_attack_flow requires --ai_settings_relationships")
-    #### process --use-extractions 
-    if args.use_extractions.get('ai') and not args.ai_settings_extractions:
-        raise argparse.ArgumentError(extractions_arg, "ai based extractors are passed, --ai_settings_extractions is required")
+        raise argparse.ArgumentError(
+            aflow_arg, "--ai_settings_relationships must be set"
+        )
+    if args.ai_create_attack_navigator_layer and not args.ai_settings_relationships:
+        raise argparse.ArgumentError(
+            anav_arg, "--ai_settings_relationships must be set"
+        )
+    #### process --use-extractions
+    if args.use_extractions.get("ai") and not args.ai_settings_extractions:
+        raise argparse.ArgumentError(
+            extractions_arg,
+            "ai based extractors are passed, --ai_settings_extractions is required",
+        )
 
-    args.all_extractors  = all_extractors
+    args.all_extractors = all_extractors
     return args
 
+
 REQUIRED_ENV_VARIABLES = [
     "INPUT_TOKEN_LIMIT",
     "CTIBUTLER_BASE_URL",
@@ -243,21 +357,22 @@ def validate_token_count(max_tokens, input, extractors: list[BaseAIExtractor]):
         token_count = _count_token(extractor, input)
         if  token_count > max_tokens:
             raise FatalException(f"{extractor.extractor_name}: input_file token count ({token_count}) exceeds INPUT_TOKEN_LIMIT ({max_tokens})")
-    
+
 
 @functools.lru_cache
 def _count_token(extractor: BaseAIExtractor, input: str):
     return extractor.count_tokens(input)
-        
+
 def run_txt2stix(bundler: txt2stixBundler, preprocessed_text: str, extractors_map: dict,
                 ai_content_check_provider=None,
                 ai_create_attack_flow=None,
+                ai_create_attack_navigator_layer=None,
                 input_token_limit=10,
                 ai_settings_extractions=None,
                 ai_settings_relationships=None,
                 relationship_mode="standard",
                 ignore_extraction_boundary=False,
-                always_extract=False, # continue even if ai_content_check fails
+                ai_extract_if_no_incidence=True, # continue even if ai_content_check fails
 
                 **kwargs
         ) -> Txt2StixData:
@@ -276,7 +391,7 @@ def run_txt2stix(bundler: txt2stixBundler, preprocessed_text: str, extractors_ma
             bundler.report.labels.append(f'txt2stix:{classification}'.lower())
         bundler.add_summary(retval.content_check.summary, model.extractor_name)
 
-    if should_extract or always_extract:
+    if should_extract or ai_extract_if_no_incidence:
         if extractors_map.get("ai"):
             validate_token_count(input_token_limit, preprocessed_text, ai_settings_extractions)
         if relationship_mode == "ai":
@@ -285,15 +400,13 @@ def run_txt2stix(bundler: txt2stixBundler, preprocessed_text: str, extractors_ma
         retval.extractions = extract_all(bundler, extractors_map, preprocessed_text, ai_extractors=ai_settings_extractions, ignore_extraction_boundary=ignore_extraction_boundary)
         if relationship_mode == "ai" and sum(map(lambda x: len(x), retval.extractions.values())):
             retval.relationships = extract_relationships_with_ai(bundler, preprocessed_text, retval.extractions, ai_settings_relationships)
-            
-        if ai_create_attack_flow:
-            logging.info("creating attack-flow bundle")
-            ex: BaseAIExtractor = ai_settings_relationships
-            retval.attack_flow = ex.extract_attack_flow(preprocessed_text, retval.extractions, retval.relationships)
-            bundler.flow_objects = parse_flow(bundler.report, retval.attack_flow)
-
+        
+        if ai_create_attack_flow or ai_create_attack_navigator_layer:
+            retval.attack_flow, retval.navigator_layer = attack_flow.extract_attack_flow_and_navigator(bundler, preprocessed_text, ai_create_attack_flow, ai_create_attack_navigator_layer, ai_settings_relationships)
     return retval
 
+
+
 def main():
     dotenv.load_dotenv()
     logger = newLogger("txt2stix")
@@ -320,13 +433,20 @@ def main():
 
         ## write outputs
         out = bundler.to_json()
-        output_path = Path("./output")/f"{bundler.bundle.id}.json"
-        output_path.parent.mkdir(exist_ok=True)
+        output_dir = Path("./output")/str(job_id)
+        with contextlib.suppress(BaseException):
+            shutil.rmtree(output_dir)
+        output_dir.mkdir(exist_ok=True, parents=True)
+        output_path = output_dir/f"{bundler.bundle.id}.json"
         output_path.write_text(out)
         logger.info(f"Wrote bundle output to `{output_path}`")
-        data_path = Path(str(output_path).replace('bundle--', 'data--'))
+        data_path = output_dir/"data.json"
         data_path.write_text(data.model_dump_json(indent=4))
         logger.info(f"Wrote data output to `{data_path}`")
+        for nav_layer in data.navigator_layer or []:
+            nav_path = output_dir/f"navigator-{nav_layer['domain']}.json"
+            nav_path.write_text(json.dumps(nav_layer, indent=4))
+            logger.info(f"Wrote navigator output to `{nav_path}`")
     except argparse.ArgumentError as e:
         logger.exception(e, exc_info=True)
     except:

txt2stix/utils.py

@@ -51,6 +51,7 @@ class Txt2StixData(BaseModel):
     extractions: dict = Field(default=None)
     relationships: list[dict] = Field(default_factory=list)
     attack_flow: AttackFlowList = Field(default=None)
+    navigator_layer: list = Field(default=None)
 
 
 def remove_links(input_text: str, remove_images: bool, remove_anchors: bool):

{txt2stix-1.0.1.post1.dist-info → txt2stix-1.0.2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2stix
-Version: 1.0.1.post1
+Version: 1.0.2
 Summary: txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2stix
 Project-URL: Issues, https://github.com/muchdogesec/txt2stix/issues
@@ -26,15 +26,19 @@ Requires-Dist: stix2extensions
 Requires-Dist: tld>=0.13
 Requires-Dist: tldextract>=5.1.2
 Requires-Dist: validators>=0.28.3
-Provides-Extra: full
-Requires-Dist: llama-index-llms-anthropic>=0.7.2; extra == 'full'
-Requires-Dist: llama-index-llms-deepseek>=0.1.2; extra == 'full'
-Requires-Dist: llama-index-llms-gemini>=0.5.0; extra == 'full'
-Requires-Dist: llama-index-llms-openrouter>=0.3.2; extra == 'full'
+Provides-Extra: anthropic
+Requires-Dist: llama-index-llms-anthropic>=0.7.2; extra == 'anthropic'
+Provides-Extra: deepseek
+Requires-Dist: llama-index-llms-deepseek>=0.1.2; extra == 'deepseek'
+Provides-Extra: gemini
+Requires-Dist: llama-index-llms-gemini>=0.5.0; extra == 'gemini'
+Provides-Extra: openrouter
+Requires-Dist: llama-index-llms-openrouter>=0.3.2; extra == 'openrouter'
 Provides-Extra: tests
 Requires-Dist: pytest; extra == 'tests'
 Requires-Dist: pytest-cov; extra == 'tests'
 Requires-Dist: pytest-subtests; extra == 'tests'
+Requires-Dist: python-dateutil; extra == 'tests'
 Requires-Dist: requests; extra == 'tests'
 Description-Content-Type: text/markdown
 
@@ -86,7 +90,13 @@ cd txt2stix
 python3 -m venv txt2stix-venv
 source txt2stix-venv/bin/activate
 # install requirements
-pip3 install .
+pip3 install txt2stix
+```
+
+Note, by default txt2stix will install OpenAI to use as the AI provider. You can also use Anthropic, Gemini, OpenRouter or Deepseek. You need to install these manually if you plan to use them as follows (remove those that don't apply)
+
+```shell
+pip3 install txt2stix[deepseek,gemini,anthropic,openrouter]
 ```
 
 ### Set variables
@@ -114,39 +124,39 @@ The following arguments are available:
 
 #### Input settings
 
-* `--input_file` (REQUIRED): the file to be converted. Must be `.txt`
+* `--input_file` (`path/to/file.txt`, required): the file to be converted. Must be `.txt`
 
 #### STIX Report generation settings
 
 
-* `--name` (REQUIRED): name of file, max 72 chars. Will be used in the STIX Report Object created.
-* `--report_id` (OPTIONAL): Sometimes it is required to control the id of the `report` object generated. You can therefore pass a valid UUIDv4 in this field to be assigned to the report. e.g. passing `2611965-930e-43db-8b95-30a1e119d7e2` would create a STIX object id `report--2611965-930e-43db-8b95-30a1e119d7e2`. If this argument is not passed, the UUID will be randomly generated.
-* `--tlp_level` (OPTIONAL): Options are `clear`, `green`, `amber`, `amber_strict`, `red`. Default if not passed, is `clear`.
-* `--confidence` (OPTIONAL): value between 0-100. Default if not passed is null.
+* `--name` (text, required): name of file, max 72 chars. Will be used in the STIX Report Object created.
+* `--report_id` (UUIDv4, default is random UUIDv4): Sometimes it is required to control the id of the `report` object generated. You can therefore pass a valid UUIDv4 in this field to be assigned to the report. e.g. passing `2611965-930e-43db-8b95-30a1e119d7e2` would create a STIX object id `report--2611965-930e-43db-8b95-30a1e119d7e2`. If this argument is not passed, the UUID will be randomly generated.
+* `--tlp_level` (dictionary, default, `clear`): Options are `clear`, `green`, `amber`, `amber_strict`, `red`.
+* `--confidence` (value between 0-100): If not passed, report will be assigned no confidence score value
 * `--labels` (OPTIONAL): comma seperated list of labels. Case-insensitive (will all be converted to lower-case). Allowed `a-z`, `0-9`. e.g.`label1,label2` would create 2 labels.
-* `--created` (OPTIONAL): by default all object `created` times will take the time the script was run. If you want to explicitly set these times you can do so using this flag. Pass the value in the format `YYYY-MM-DDTHH:MM:SS.sssZ` e.g. `2020-01-01T00:00:00.000Z`
-* `--use_identity` (OPTIONAL): can pass a full STIX 2.1 identity object (make sure to properly escape). Will be validated by the STIX2 library.
+* `--created` (datetime, optional): by default all object `created` times will take the time the script was run. If you want to explicitly set these times you can do so using this flag. Pass the value in the format `YYYY-MM-DDTHH:MM:SS.sssZ` e.g. `2020-01-01T00:00:00.000Z`
+* `--use_identity` (stix identity, optional, default txt2stix identity): can pass a full STIX 2.1 identity object (make sure to properly escape). Will be validated by the STIX2 library.
 * `--external_refs` (OPTIONAL): txt2stix will automatically populate the `external_references` of the report object it creates for the input. You can use this value to add additional objects to `external_references`. Note, you can only add `source_name` and `external_id` values currently. Pass as `source_name=external_id`. e.g. `--external_refs txt2stix=demo1 source=id` would create the following objects under the `external_references` property: `{"source_name":"txt2stix","external_id":"demo1"},{"source_name":"source","external_id":"id"}`
 
 #### Output settings
 
 How the extractions are performed
 
-* `--use_extractions` (REQUIRED): if you only want to use certain extraction types, you can pass their slug found in either `includes/ai/config.yaml`, `includes/lookup/config.yaml` `includes/pattern/config.yaml` (e.g. `pattern_ipv4_address_only`). Default if not passed, no extractions applied. You can also pass a catch all wildcard `*` which will match all extraction paths (e.g. `'pattern_*'` would run all extractions starting with `pattern_` -- make sure to use quotes when using a wildcard)
+* `--use_extractions` (dictionary, required): if you only want to use certain extraction types, you can pass their slug found in either `includes/ai/config.yaml`, `includes/lookup/config.yaml` `includes/pattern/config.yaml` (e.g. `pattern_ipv4_address_only`). Default if not passed, no extractions applied. You can also pass a catch all wildcard `*` which will match all extraction paths (e.g. `'pattern_*'` would run all extractions starting with `pattern_` -- make sure to use quotes when using a wildcard)
 	* Important: if using any AI extractions (`ai_*`), you must set an AI API key in your `.env` file
 	* Important: if you are using any MITRE ATT&CK, CAPEC, CWE, ATLAS or Location extractions you must set `CTIBUTLER` or NVD CPE or CVE extractions you must set `VULMATCH` settings in your `.env` file
-* `--relationship_mode` (REQUIRED): either.
+* `--relationship_mode` (dictionary, required): either.
 	* `ai`: AI provider must be enabled. extractions performed by either regex or AI for extractions user selected. Rich relationships created from AI provider from extractions.
 	* `standard`: extractions performed by either regex or AI (AI provider must be enabled) for extractions user selected. Basic relationships created from extractions back to master Report object generated.
-* `--ignore_extraction_boundary` (OPTIONAL, default `false`, not compatible with AI extractions): in some cases the same string will create multiple extractions depending on extractions set (e.g. `https://www.google.com/file.txt` could create a url, url with file, domain, subdomain, and file). The default behaviour is for txt2stix to take the longest extraction and ignore everything else (e.g. only extract url with file, and ignore url, file, domain, subdomain, and file). If you want to override this behaviour and get all extractions in the output, set this flag to `true`.
-* `--ignore_image_refs` (default `true`): images references in documents don't usually need extracting. e.g. `<img src="https://example.com/image.png" alt="something">` you would not want domain or file extractions extracting `example.com` and `image.png`. Hence these are ignored by default (they are removed from text sent to extraction). Note, only the `img src` is ignored, all other values e.g. `alt` are considered. If you want extractions to consider this data, set it to `false`
-* `--ignore_link_refs` (default `true`): link references in documents don't usually need extracting e.g. `<a href="https://example.com/link.html" title="something">Bad Actor</a>` you would only want `Bad actor` to be considered for extraction. Hence these part of the link are ignored by default (they are removed from text sent to extraction). Note, only the `a href` is ignored, all other values e.g. `title` are considered. Setting this to `false` will also include everything inside the link tag (e.g. `example.com` would extract as a domain)
+* `--ignore_extraction_boundary` (boolean, default `false`, not compatible with AI extractions): in some cases the same string will create multiple extractions depending on extractions set (e.g. `https://www.google.com/file.txt` could create a url, url with file, domain, subdomain, and file). The default behaviour is for txt2stix to take the longest extraction and ignore everything else (e.g. only extract url with file, and ignore url, file, domain, subdomain, and file). If you want to override this behaviour and get all extractions in the output, set this flag to `true`.
+* `--ignore_image_refs` (boolean, default `true`): images references in documents don't usually need extracting. e.g. `<img src="https://example.com/image.png" alt="something">` you would not want domain or file extractions extracting `example.com` and `image.png`. Hence these are ignored by default (they are removed from text sent to extraction). Note, only the `img src` is ignored, all other values e.g. `alt` are considered. If you want extractions to consider this data, set it to `false`
+* `--ignore_link_refs` (boolean, default `true`): link references in documents don't usually need extracting e.g. `<a href="https://example.com/link.html" title="something">Bad Actor</a>` you would only want `Bad actor` to be considered for extraction. Hence these part of the link are ignored by default (they are removed from text sent to extraction). Note, only the `a href` is ignored, all other values e.g. `title` are considered. Setting this to `false` will also include everything inside the link tag (e.g. `example.com` would extract as a domain)
 
 #### AI settings
 
 If any AI extractions, or AI relationship mode is set, you must set the following accordingly
 
-* `--ai_settings_extractions`:
+* `--ai_settings_extractions` (`model:provider`, required if one or more AI extractions set):
 	* defines the `provider:model` to be used for extractions. You can supply more than one provider. Seperate with a space (e.g. `openrouter:openai/gpt-4o` `openrouter:deepseek/deepseek-chat`) If more than one provider passed, txt2stix will take extractions from all models, de-dupelicate them, and them package them in the output. Currently supports:
 		* Provider (env var required `OPENROUTER_API_KEY`): `openrouter:`, providers/models `openai/gpt-4o`, `deepseek/deepseek-chat` ([More here](https://openrouter.ai/models))
 		* Provider (env var required `OPENAI_API_KEY`): `openai:`, models e.g.: `gpt-4o`, `gpt-4o-mini`, `gpt-4-turbo`, `gpt-4` ([More here](https://platform.openai.com/docs/models))
@@ -154,11 +164,16 @@ If any AI extractions, or AI relationship mode is set, you must set the followin
 		* Provider (env var required `GOOGLE_API_KEY`): `gemini:models/`, models: `gemini-1.5-pro-latest`, `gemini-1.5-flash-latest` ([More here](https://ai.google.dev/gemini-api/docs/models/gemini))
 		* Provider (env var required `DEEPSEEK_API_KEY`): `deepseek:`, models `deepseek-chat` ([More here](https://api-docs.deepseek.com/quick_start/pricing))
 	* See `tests/manual-tests/cases-ai-extraction-type.md` for some examples
-* `--ai_settings_relationships`:
+* `--ai_settings_relationships` (`model:provider`, required if AI relationship mode set):
 	* similar to `ai_settings_extractions` but defines the model used to generate relationships. Only one model can be provided. Passed in same format as `ai_settings_extractions`
 	* See `tests/manual-tests/cases-ai-relationships.md` for some examples
-* `--ai_content_check_provider`: Passing this flag will get the AI to try and classify the text in the input to 1) determine if it is talking about threat intelligence, and 2) what type of threat intelligence it is talking about. For context, we use this to filter out non-threat intel posts in Obstracts and Stixify. You pass `provider:model` with this flag to determine the AI model you wish to use to perform the check.
-* `--ai_create_attack_flow`: passing this flag will also prompt the AI model (the same entered for `--ai_settings_relationships`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK extractions to define the logical order in which they are being described. You must pass `--ai_settings_relationships` for this to work.
+
+#### Other AI related settings
+
+* `--ai_content_check_provider` (`model:provider`, required if passed): Passing this flag will get the AI to try and classify the text in the input to 1) determine if it is talking about threat intelligence, and 2) what type of threat intelligence it is talking about. For context, we use this to filter out non-threat intel posts in Obstracts and Stixify. You pass `provider:model` with this flag to determine the AI model you wish to use to perform the check. It will also create a summary of the content passed (and store this into a STIX Note).
+* `--ai_extract_if_no_incidence` (boolean, default `true`, will only work if `ai_content_check_provider` set) if content check decides the report is not related to cyber security intelligence (e.g. vendor marketing), then you can use this setting to decide wether or not script should proceed. Setting to `false` will stop processing. It is designed to save AI tokens processing unknown content at scale in an automated way.
+* `--ai_create_attack_flow` (boolean): passing this flag will also prompt the AI model (the same entered for `--ai_settings_relationships`, default `false`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK extractions to define the logical order in which they are being described. You must pass `--ai_settings_relationships` for this to work.
+* `--ai_create_attack_navigator_layer` (boolean, default `false`): passing this flag will generate [MITRE ATT&CK Navigator layers](https://mitre-attack.github.io/attack-navigator/) for MITRE ATT&CK extractions. For each ATT&CK domain (Enterprise, ICS, Mobile) txt2stix will generate a layer. You must pass `--ai_settings_relationships` for this to work because the AI is tasked with linking extracted Techniques to the correct Tactic. Known issues with `openai:gpt-3.5` (avoid using this model if possible when using ATT&CK Navigator).
 
 ## Adding new extractions
 

{txt2stix-1.0.1.post1.dist-info → txt2stix-1.0.2.dist-info}/RECORD

@@ -1,23 +1,23 @@
 txt2stix/__init__.py,sha256=Sm_VT913IFuAZ6dJEdVz3baPwC5VYtHySVfBAOUG92w,803
-txt2stix/attack_flow.py,sha256=WWlukuQYrGW1SJ1DnhfROYC5Ck4WYqNifgmtiuyDg7E,4177
-txt2stix/bundler.py,sha256=EVTcVgZyVMwb6XjNQ3Gyj7zm44UErXo9wbVr2JGsjQQ,16797
+txt2stix/attack_flow.py,sha256=DLDaNXB_gxuqdEb_A1VQO_nu69MG23nolTx7-JESrKI,7889
+txt2stix/bundler.py,sha256=kqUNW9_jktuMyWSkoAa-ydZY-L5gzSSkthb7OdhUiKo,16854
 txt2stix/common.py,sha256=ISnGNKqJPE1EcfhL-x_4G18mcwt1urmorkW-ru9kV-0,585
-txt2stix/extractions.py,sha256=ExynKWSeuWOC0q6i4SuU1NkeNw7uoOm6xu0YtJRVaiE,2058
+txt2stix/extractions.py,sha256=_tlsqYHhfAoV-PJzxRHysrX47uxCsMlSg7PQWxww1u0,2171
 txt2stix/indicator.py,sha256=c6S0xx0K8JM-PT_Qd1PlN_ZlDXdnEwiRS8529iUp3yg,30774
 txt2stix/lookups.py,sha256=h42YVtYUkWZm6ZPv2h5hHDHDzDs3yBqrT_T7pj2MDZI,2301
-txt2stix/retriever.py,sha256=zU8L00RSh9N5J0NpAo3CM3IHsuZsNVjJGohRisXcMRs,5167
+txt2stix/retriever.py,sha256=auKlk6JlRE9en-oiQ5KICMW0IwmU8R558o0K5UmEQZc,5550
 txt2stix/stix.py,sha256=9nXD9a2dCY4uaatl-mlIA1k3srwQBhGW-tUSho3iYe0,30
-txt2stix/txt2stix.py,sha256=Vt9CUsSEO1bw5SS7vlsVxktFz1nW8M_G4-RN6idOTA0,16444
-txt2stix/utils.py,sha256=P66yq-SphsQu2S9At6BfYpavfghXsZqh4h6W13HUEoI,3256
-txt2stix/ai_extractor/__init__.py,sha256=RcXh30ZcIA3Fva2bOPH4EtWq6ffWhGE39C_II8ElAx0,417
+txt2stix/txt2stix.py,sha256=HYXN9dKzakoqdqJ4wSthwGdFIxOm6KTegiQlVmfp0eQ,18169
+txt2stix/utils.py,sha256=n6mh4t9ZRJ7iT4Jvp9ai_dfCXjgXNcRtF_zXO7nkpnk,3304
+txt2stix/ai_extractor/__init__.py,sha256=5Tf6Co9THzytBdFEVhD-7vvT05TT3nSpltnAV1sfdoM,349
 txt2stix/ai_extractor/anthropic.py,sha256=mdz-8CB-BSCEqnK5l35DRZURVPUf508ef2b48XMxmuk,441
-txt2stix/ai_extractor/base.py,sha256=MAtnKvWUmWZgnzwDM0i2n-WrRWq69du4KVcapNMIsEg,3523
+txt2stix/ai_extractor/base.py,sha256=mHu6xtWu78aDHnb2ePXR0UCBbROS-jH0kPRgQxfIwhI,3685
 txt2stix/ai_extractor/deepseek.py,sha256=2XehIYbWXG6Odq68nQX4CNtl5GdmBlAmjLP_lG2eEFo,660
 txt2stix/ai_extractor/gemini.py,sha256=yJC7knYzl-TScyCBd-MTpUf-NT6znC25E7vXxNMqjLU,578
 txt2stix/ai_extractor/openai.py,sha256=DtllzeVhZw1231hj35vn1U8V2MMzm8wM7mqKLBkxazQ,489
 txt2stix/ai_extractor/openrouter.py,sha256=hAA6mTOMcpA28XYsOCvuJH7WMJqXCxfqZGJf_VrDsIk,628
-txt2stix/ai_extractor/prompts.py,sha256=3PewwmNptHEvsG1r1Yk5rs3oaEX5Jf3BRFyGaHru6r0,8137
-txt2stix/ai_extractor/utils.py,sha256=mnGIDiDa8ecwyRqDuYcKBIOiXfeQsivKxe93CfGW660,4440
+txt2stix/ai_extractor/prompts.py,sha256=NtqtVyPPtShPlVZ5SrFmo-LCkfpANIIi4H9rjqaxqDo,10559
+txt2stix/ai_extractor/utils.py,sha256=xPVtp_lI7254MvkXPt9YY_Vter0uiPLKMGcv5poXVKs,4763
 txt2stix/pattern/__init__.py,sha256=K9ofaP2AOikvzb48VSBpJZijckdqufZxSzr_kbRypLY,491
 txt2stix/pattern/extractors/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 txt2stix/pattern/extractors/base_extractor.py,sha256=ly80rp-L40g7DbhrGiCvhPWI95-ZFMtAQUEC-fH6Y-o,6130
@@ -81,7 +81,7 @@ txt2stix/includes/helpers/stix_relationship_types.txt,sha256=PQytANVSrWepdK_SLEZ
 txt2stix/includes/helpers/tlds.txt,sha256=Va_awj-FQiKgs5ace6C0kC5xxAHIl9yAIBhvT08Q7Q0,9551
 txt2stix/includes/helpers/windows_registry_key_prefix.txt,sha256=J5gU4FsqmOVYt6cVRgwCG7odYEWk-UPLpuCiDwpzBfg,145
 txt2stix/includes/lookups/_README.md,sha256=OGkyqCcqAOPI-JLE81zAmyg4sHW5apJNhDFcvHUW1nc,338
-txt2stix/includes/lookups/_generate_lookups.py,sha256=MEVIy1Xb67bdBOoTJ3BKBf8xpQHYHSOGyQOKH0Ru0bU,9025
+txt2stix/includes/lookups/_generate_lookups.py,sha256=ex12zxiFnKYHgsXfcDX4OL-KyrjAXSlvzeYVUzUD2lE,9390
 txt2stix/includes/lookups/attack_pattern.txt,sha256=4ARDLG-cwUqk6_TO_JAY6hNJg6KRbAaIr-Or5nML6io,15
 txt2stix/includes/lookups/campaign.txt,sha256=N66XO0H3Rx-3Tvo7wwHDouckIT0tGlGVyCDKxDs1KnM,11
 txt2stix/includes/lookups/country_iso3166_alpha2.txt,sha256=LMM7j50NoBv7BlK64mpmE3Dbef9_tNBUNbuTXOEIvCo,746
@@ -112,8 +112,8 @@ txt2stix/includes/lookups/threat_actor.txt,sha256=QfDO9maQuqKBgW_Sdd7VGv1SHZ9Ra-
 txt2stix/includes/lookups/tld.txt,sha256=-MEgJea2NMG_KDsnc4BVvI8eRk5Dm93L-t8SGYx5wMo,8598
 txt2stix/includes/lookups/tool.txt,sha256=HGKG6JpUE26w6ezzSxOjBkp15UpSaB7N-mZ_NU_3G7A,6
 txt2stix/includes/tests/test_cases.yaml,sha256=QD1FdIunpPkOpsn6wJRqs2vil_hv8OSVaqUp4a96aZg,22247
-txt2stix-1.0.1.post1.dist-info/METADATA,sha256=6Ur9HhKpq_CevkNsxiXoyLYego6_X1xXf0aAv5He3tM,13011
-txt2stix-1.0.1.post1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-txt2stix-1.0.1.post1.dist-info/entry_points.txt,sha256=x6QPtt65hWeomw4IpJ_wQUesBl1M4WOLODbhOKyWMFg,55
-txt2stix-1.0.1.post1.dist-info/licenses/LICENSE,sha256=BK8Ppqlc4pdgnNzIxnxde0taoQ1BgicdyqmBvMiNYgY,11364
-txt2stix-1.0.1.post1.dist-info/RECORD,,
+txt2stix-1.0.2.dist-info/METADATA,sha256=-qdpBMRkkfhkAvFlAK8ya9Dj8ZYnXH0rt-NJSH8bqnw,14887
+txt2stix-1.0.2.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+txt2stix-1.0.2.dist-info/entry_points.txt,sha256=x6QPtt65hWeomw4IpJ_wQUesBl1M4WOLODbhOKyWMFg,55
+txt2stix-1.0.2.dist-info/licenses/LICENSE,sha256=BK8Ppqlc4pdgnNzIxnxde0taoQ1BgicdyqmBvMiNYgY,11364
+txt2stix-1.0.2.dist-info/RECORD,,