txt2stix 1.1.15__py3-none-any.whl → 1.2.1__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. txt2stix/includes/extractions/ai/config.yaml +17 -1
  2. txt2stix/includes/extractions/lookup/config.yaml +17 -2
  3. txt2stix/indicator.py +32 -28
  4. txt2stix/retriever.py +8 -2
  5. {txt2stix-1.1.15.dist-info → txt2stix-1.2.1.dist-info}/METADATA +1 -1
  6. {txt2stix-1.1.15.dist-info → txt2stix-1.2.1.dist-info}/RECORD +9 -9
  7. {txt2stix-1.1.15.dist-info → txt2stix-1.2.1.dist-info}/WHEEL +0 -0
  8. {txt2stix-1.1.15.dist-info → txt2stix-1.2.1.dist-info}/entry_points.txt +0 -0
  9. {txt2stix-1.1.15.dist-info → txt2stix-1.2.1.dist-info}/licenses/LICENSE +0 -0
txt2stix/includes/extractions/ai/config.yaml CHANGED
@@ -778,7 +778,23 @@ ai_country:
778
778
  type: ai
779
779
  dogesec_web: true
780
780
  name: 'Country'
781
- description: 'Will extract countries, turn into two digit country codes, and import location object from CTI Butler.'
781
+ description: 'Will extract countries, turn into two digit country codes, and import location (and all related regions and subregions) object from CTI Butler.'
782
+ notes: 'lookup_country_alpha2 legacy extraction also exists if you cannot use AI'
783
+ created: 2020-01-01
784
+ modified: 2020-01-01
785
+ created_by: dogesec
786
+ version: 1.0.0
787
+ prompt_base: 'Extract all countries described in the text, including countries printed as IS0-3166 Alpha2 and Alpha3 codes.'
788
+ prompt_helper: 'If you are unsure, you can read more about the standard here: https://www.iso.org/iso-3166-country-codes.html'
789
+ prompt_conversion: 'Convert all country extractions to their corresponding IS0-3166 Alpha2 codes.'
790
+ test_cases: ai_country
791
+ stix_mapping: ctibutler-location-with-regions
792
+
793
+ ai_country_only:
794
+ type: ai
795
+ dogesec_web: true
796
+ name: 'Country only'
797
+ description: 'Will extract countries, turn into two digit country codes, and import location (without regions and subregions) object from CTI Butler.'
782
798
  notes: 'lookup_country_alpha2 legacy extraction also exists if you cannot use AI'
783
799
  created: 2020-01-01
784
800
  modified: 2020-01-01
txt2stix/includes/extractions/lookup/config.yaml CHANGED
@@ -5,8 +5,23 @@
5
5
  lookup_country_alpha2:
6
6
  type: lookup
7
7
  dogesec_web: false
8
- name: 'Country Alpha2'
9
- description: 'Extracts countries using ISO 3166-1 alpha2 codes'
8
+ name: 'Country Alpha2 (with regions)'
9
+ description: 'Extracts countries using ISO 3166-1 alpha2 codes (will create relationships to regions and subregions).'
10
+ notes: 'RECOMMENDED FOR BETTER ACCURACY: Use ai_country. This extractor is very dumb e.g the words `is` and `in` will result in extractions for Iceland and India'
11
+ file: 'lookups/country_iso3166_alpha2.txt'
12
+ created: 2020-01-01
13
+ modified: 2020-01-01
14
+ created_by: dogesec
15
+ version: 1.0.0
16
+ test_cases: generic_country_alpha2
17
+ stix_mapping: ctibutler-location-with-regions
18
+
19
+
20
+ lookup_country_alpha2_country_only:
21
+ type: lookup
22
+ dogesec_web: false
23
+ name: 'Country Alpha2 (without regions)'
24
+ description: 'Extracts countries using ISO 3166-1 alpha2 codes (will not create relationships).'
10
25
  notes: 'RECOMMENDED FOR BETTER ACCURACY: Use ai_country. This extractor is very dumb e.g the words `is` and `in` will result in extractions for Iceland and India'
11
26
  file: 'lookups/country_iso3166_alpha2.txt'
12
27
  created: 2020-01-01
txt2stix/indicator.py CHANGED
@@ -106,7 +106,10 @@ def _build_observables(
106
106
  ):
107
107
  retrieved_objects = retrieve_stix_objects(stix_mapping, extracted_value)
108
108
  if retrieved_objects:
109
- return retrieved_objects, [sdo["id"] for sdo in retrieved_objects]
109
+ relatable = [sdo["id"] for sdo in retrieved_objects]
110
+ if 'location' in stix_mapping:
111
+ relatable = [retrieved_objects[0]['id']]
112
+ return retrieved_objects, relatable
110
113
  if retrieved_objects == []:
111
114
  logger.warning(
112
115
  f"could not find `{stix_mapping}` with id=`{extracted_value}` in remote"
@@ -623,7 +626,7 @@ def _build_observables(
623
626
  extracted_value = extracted_value.replace("-", "").replace(" ", "")
624
627
 
625
628
  country_code, bank_code = get_iban_details(extracted_value)
626
- location = retrieve_stix_objects("location", country_code)[0]
629
+ location = retrieve_stix_objects("ctibutler-location", country_code)[0]
627
630
  stix_objects.append(location)
628
631
 
629
632
  bank_acc = dict_to_stix2(
@@ -683,17 +686,18 @@ def _build_observables(
683
686
  f"txt2stix+{extracted_value}",
684
687
  )
685
688
  )
689
+ _date = datetime(2020, 1, 1, tzinfo=UTC)
686
690
 
687
691
  if stix_mapping == "attack-pattern":
688
692
  stix_objects = [
689
693
  dict_to_stix2(
690
694
  {
691
695
  "type": "attack-pattern",
692
- # "id": stix_mapping + "--" + _id_part,
696
+ "id": stix_mapping + "--" + _id_part,
693
697
  "spec_version": "2.1",
694
698
  "created_by_ref": indicator["created_by_ref"],
695
- "created": indicator["created"],
696
- "modified": indicator["modified"],
699
+ "created": _date,
700
+ "modified": _date,
697
701
  "name": extracted_value,
698
702
  "external_references": indicator["external_references"],
699
703
  }
@@ -705,11 +709,11 @@ def _build_observables(
705
709
  dict_to_stix2(
706
710
  {
707
711
  "type": "campaign",
708
- # "id": stix_mapping + "--" + _id_part,
712
+ "id": stix_mapping + "--" + _id_part,
709
713
  "spec_version": "2.1",
710
714
  "created_by_ref": indicator["created_by_ref"],
711
- "created": indicator["created"],
712
- "modified": indicator["modified"],
715
+ "created": _date,
716
+ "modified": _date,
713
717
  "name": extracted_value,
714
718
  "object_marking_refs": indicator["object_marking_refs"],
715
719
  "external_references": indicator["external_references"],
@@ -722,11 +726,11 @@ def _build_observables(
722
726
  dict_to_stix2(
723
727
  {
724
728
  "type": "course-of-action",
725
- # "id": stix_mapping + "--" + _id_part,
729
+ "id": stix_mapping + "--" + _id_part,
726
730
  "spec_version": "2.1",
727
731
  "created_by_ref": indicator["created_by_ref"],
728
- "created": indicator["created"],
729
- "modified": indicator["modified"],
732
+ "created": _date,
733
+ "modified": _date,
730
734
  "name": extracted_value,
731
735
  "object_marking_refs": indicator["object_marking_refs"],
732
736
  "external_references": indicator["external_references"],
@@ -739,11 +743,11 @@ def _build_observables(
739
743
  dict_to_stix2(
740
744
  {
741
745
  "type": "infrastructure",
742
- # "id": stix_mapping + "--" + _id_part,
746
+ "id": stix_mapping + "--" + _id_part,
743
747
  "spec_version": "2.1",
744
748
  "created_by_ref": indicator["created_by_ref"],
745
- "created": indicator["created"],
746
- "modified": indicator["modified"],
749
+ "created": _date,
750
+ "modified": _date,
747
751
  "name": extracted_value,
748
752
  "infrastructure_types": ["unknown"],
749
753
  "object_marking_refs": indicator["object_marking_refs"],
@@ -757,11 +761,11 @@ def _build_observables(
757
761
  dict_to_stix2(
758
762
  {
759
763
  "type": "intrusion-set",
760
- # "id": stix_mapping + "--" + _id_part,
764
+ "id": stix_mapping + "--" + _id_part,
761
765
  "spec_version": "2.1",
762
766
  "created_by_ref": indicator["created_by_ref"],
763
- "created": indicator["created"],
764
- "modified": indicator["modified"],
767
+ "created": _date,
768
+ "modified": _date,
765
769
  "name": extracted_value,
766
770
  "object_marking_refs": indicator["object_marking_refs"],
767
771
  "external_references": indicator["external_references"],
@@ -774,11 +778,11 @@ def _build_observables(
774
778
  dict_to_stix2(
775
779
  {
776
780
  "type": "malware",
777
- # "id": stix_mapping + "--" + _id_part,
781
+ "id": stix_mapping + "--" + _id_part,
778
782
  "spec_version": "2.1",
779
783
  "created_by_ref": indicator["created_by_ref"],
780
- "created": indicator["created"],
781
- "modified": indicator["modified"],
784
+ "created": _date,
785
+ "modified": _date,
782
786
  "name": extracted_value,
783
787
  "malware_types": ["unknown"],
784
788
  "is_family": True,
@@ -793,11 +797,11 @@ def _build_observables(
793
797
  dict_to_stix2(
794
798
  {
795
799
  "type": "threat-actor",
796
- # "id": stix_mapping + "--" + _id_part,
800
+ "id": stix_mapping + "--" + _id_part,
797
801
  "spec_version": "2.1",
798
802
  "created_by_ref": indicator["created_by_ref"],
799
- "created": indicator["created"],
800
- "modified": indicator["modified"],
803
+ "created": _date,
804
+ "modified": _date,
801
805
  "name": extracted_value,
802
806
  "threat_actor_types": "unknown",
803
807
  "object_marking_refs": indicator["object_marking_refs"],
@@ -811,11 +815,11 @@ def _build_observables(
811
815
  dict_to_stix2(
812
816
  {
813
817
  "type": "tool",
814
- # "id": stix_mapping + "--" + _id_part,
818
+ "id": stix_mapping + "--" + _id_part,
815
819
  "spec_version": "2.1",
816
820
  "created_by_ref": indicator["created_by_ref"],
817
- "created": indicator["created"],
818
- "modified": indicator["modified"],
821
+ "created": _date,
822
+ "modified": _date,
819
823
  "name": extracted_value,
820
824
  "tool_types": "unknown",
821
825
  "object_marking_refs": indicator["object_marking_refs"],
@@ -831,8 +835,8 @@ def _build_observables(
831
835
  "type": "identity",
832
836
  "spec_version": "2.1",
833
837
  "created_by_ref": indicator["created_by_ref"],
834
- "created": datetime(2020, 1, 1, tzinfo=UTC),
835
- "modified": datetime(2020, 1, 1, tzinfo=UTC),
838
+ "created": _date,
839
+ "modified": _date,
836
840
  "id": "identity--" + _id_part,
837
841
  "name": extracted_value,
838
842
  "identity_class": "unspecified",
txt2stix/retriever.py CHANGED
@@ -69,6 +69,10 @@ class STIXObjectRetriever:
69
69
  return self._retrieve_objects(
70
70
  urljoin(self.api_root, f"v1/location/objects/?alpha2_code={id}")
71
71
  )
72
+
73
+ def get_location_bundle(self, id):
74
+ endpoint = urljoin(self.api_root, f"v1/location/objects/{id}/bundle/?types=location,relationship")
75
+ return self._retrieve_objects(endpoint, key="objects")
72
76
 
73
77
  def get_objects_by_name(self, name, type):
74
78
  return self._retrieve_objects(
@@ -122,6 +126,10 @@ def _retrieve_stix_objects(host, knowledge_base, filter_value):
122
126
  return retreiver.retrieve_object_by_id(filter_value, "cpe")
123
127
  case "location":
124
128
  return retreiver.get_location_objects(filter_value)
129
+ case "location-with-regions":
130
+ locations = retreiver.get_location_bundle(filter_value)
131
+ locations.sort(key=lambda x: int(x.get('country') == filter_value), reverse=True)
132
+ return locations
125
133
 
126
134
  ### ATT&CK by Name
127
135
  case "mitre-attack-enterprise-name":
@@ -162,8 +170,6 @@ def _retrieve_stix_objects(host, knowledge_base, filter_value):
162
170
 
163
171
  def retrieve_stix_objects(stix_mapping: str, filter_value, host=None):
164
172
  knowledge_base = stix_mapping
165
- if stix_mapping in ["location"]:
166
- host = "ctibutler"
167
173
  if not host:
168
174
  host, _, knowledge_base = stix_mapping.partition("-")
169
175
  try:
{txt2stix-1.1.15.dist-info → txt2stix-1.2.1.dist-info}/METADATA RENAMED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: txt2stix
3
- Version: 1.1.15
3
+ Version: 1.2.1
4
4
  Summary: txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle.
5
5
  Project-URL: Homepage, https://github.com/muchdogesec/txt2stix
6
6
  Project-URL: Issues, https://github.com/muchdogesec/txt2stix/issues
{txt2stix-1.1.15.dist-info → txt2stix-1.2.1.dist-info}/RECORD RENAMED
@@ -4,9 +4,9 @@ txt2stix/bundler.py,sha256=GmpWW9ek4iFZdEIyjVSpd9RnmyeNsZJOpnax5Tt0uT0,16748
4
4
  txt2stix/common.py,sha256=ISnGNKqJPE1EcfhL-x_4G18mcwt1urmorkW-ru9kV-0,585
5
5
  txt2stix/credential_checker.py,sha256=eWDP-jY3-jm8zI0JMoUcyoQZ_JqPNfCIr_HAO8nVYz0,3044
6
6
  txt2stix/extractions.py,sha256=_tlsqYHhfAoV-PJzxRHysrX47uxCsMlSg7PQWxww1u0,2171
7
- txt2stix/indicator.py,sha256=EYh3mmgdq-8_5uQrHX5OkQG1sgiO1jQjRCqJaHqyF8k,30770
7
+ txt2stix/indicator.py,sha256=WTj5YIcq37XrjVregfGXvIm2mDuI20gc6IT1-0WcOn8,30629
8
8
  txt2stix/lookups.py,sha256=h42YVtYUkWZm6ZPv2h5hHDHDzDs3yBqrT_T7pj2MDZI,2301
9
- txt2stix/retriever.py,sha256=sMNhnEYk3l5W44qZsWaDQtJYoHXA1oYIPM6wDqiUHSg,6642
9
+ txt2stix/retriever.py,sha256=CwcCVER1sAPHeMojcIgdWMEJ5596tyYDf5HAJXiBdOM,7021
10
10
  txt2stix/stix.py,sha256=9nXD9a2dCY4uaatl-mlIA1k3srwQBhGW-tUSho3iYe0,30
11
11
  txt2stix/txt2stix.py,sha256=eUL0pynQXruJRDvqs-LQ-dspDITx5tFDnTPEgCRQApk,23348
12
12
  txt2stix/utils.py,sha256=Le0VYx8n8UNpcjqwpx7Avb06qIS9_hId8yP8_PquBUs,3333
@@ -74,8 +74,8 @@ txt2stix/pattern/extractors/url/url_extractor.py,sha256=-SH1WvxbViaRZ1on8lRlzNAc
74
74
  txt2stix/pattern/extractors/url/url_file_extractor.py,sha256=_VDu_BX3Ys9SKhZlscZPp9xSOKCxNKKvJ2gbe7Nvuv0,881
75
75
  txt2stix/pattern/extractors/url/url_path_extractor.py,sha256=FNKcMZRnJpcZZF44T8DHsDWzhBqPq5a23h7T7l2osac,2459
76
76
  txt2stix/includes/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
77
- txt2stix/includes/extractions/ai/config.yaml,sha256=wvuezRfzG7tVfEIPgU1mxm4d_a4D7FW5E6ldn0Ci4G8,43734
78
- txt2stix/includes/extractions/lookup/config.yaml,sha256=m97Rzst-Fq3sMI7KV0mEuOqlbI1-0fU6UoicqDY1vng,12494
77
+ txt2stix/includes/extractions/ai/config.yaml,sha256=G2tYApzY8sXNazXEQ5Iz4-ttlLuZpq2Cogh_M6JMGC4,44598
78
+ txt2stix/includes/extractions/lookup/config.yaml,sha256=STMOoFhaBFq5Od6SwM8w1MTbJTGv57A2ola6IrFVlEk,13160
79
79
  txt2stix/includes/extractions/pattern/config.yaml,sha256=92buge3fYegXIN1TSjLKq4PdIbKAGvDAc4CoQpR38sA,20196
80
80
  txt2stix/includes/helpers/mimetype_filename_extension_list.csv,sha256=kgozjMyp7y87CqRcoedfDwNXSLKrDgC9r9YKDYK0EbY,27593
81
81
  txt2stix/includes/helpers/stix_relationship_types.txt,sha256=PQytANVSrWepdK_SLEZtfiTe1eoxj6YMGUZslO_C1oc,505
@@ -114,8 +114,8 @@ txt2stix/includes/lookups/threat_actor.txt,sha256=QfDO9maQuqKBgW_Sdd7VGv1SHZ9Ra-
114
114
  txt2stix/includes/lookups/tld.txt,sha256=-MEgJea2NMG_KDsnc4BVvI8eRk5Dm93L-t8SGYx5wMo,8598
115
115
  txt2stix/includes/lookups/tool.txt,sha256=HGKG6JpUE26w6ezzSxOjBkp15UpSaB7N-mZ_NU_3G7A,6
116
116
  txt2stix/includes/tests/test_cases.yaml,sha256=vErA3c5fySeWvJ5yJ8dCTEo3ufRATASAjaF4gj4Az1M,22424
117
- txt2stix-1.1.15.dist-info/METADATA,sha256=T0fs62OPjEKhNiV4qpfZMArmA66PlYQHQh21t0QeW78,15032
118
- txt2stix-1.1.15.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
119
- txt2stix-1.1.15.dist-info/entry_points.txt,sha256=x6QPtt65hWeomw4IpJ_wQUesBl1M4WOLODbhOKyWMFg,55
120
- txt2stix-1.1.15.dist-info/licenses/LICENSE,sha256=BK8Ppqlc4pdgnNzIxnxde0taoQ1BgicdyqmBvMiNYgY,11364
121
- txt2stix-1.1.15.dist-info/RECORD,,
117
+ txt2stix-1.2.1.dist-info/METADATA,sha256=VVAo2wu_82WMorGzQ9GunxNn1jksDMyL3zarumW8L_M,15031
118
+ txt2stix-1.2.1.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
119
+ txt2stix-1.2.1.dist-info/entry_points.txt,sha256=x6QPtt65hWeomw4IpJ_wQUesBl1M4WOLODbhOKyWMFg,55
120
+ txt2stix-1.2.1.dist-info/licenses/LICENSE,sha256=BK8Ppqlc4pdgnNzIxnxde0taoQ1BgicdyqmBvMiNYgY,11364
121
+ txt2stix-1.2.1.dist-info/RECORD,,