txt2stix 1.1.15__tar.gz → 1.2.0__tar.gz

{txt2stix-1.1.15 → txt2stix-1.2.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2stix
-Version: 1.1.15
+Version: 1.2.0
 Summary: txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2stix
 Project-URL: Issues, https://github.com/muchdogesec/txt2stix/issues

{txt2stix-1.1.15 → txt2stix-1.2.0}/includes/extractions/ai/config.yaml

@@ -778,7 +778,23 @@ ai_country:
   type: ai
   dogesec_web: true
   name: 'Country'
-  description: 'Will extract countries, turn into two digit country codes, and import location object from CTI Butler.'
+  description: 'Will extract countries, turn into two digit country codes, and import location (and all related regions and subregions) object from CTI Butler.'
+  notes: 'lookup_country_alpha2 legacy extraction also exists if you cannot use AI'
+  created: 2020-01-01
+  modified: 2020-01-01
+  created_by: dogesec
+  version: 1.0.0
+  prompt_base: 'Extract all countries described in the text, including countries printed as IS0-3166 Alpha2 and Alpha3 codes.'
+  prompt_helper: 'If you are unsure, you can read more about the standard here: https://www.iso.org/iso-3166-country-codes.html'
+  prompt_conversion: 'Convert all country extractions to their corresponding IS0-3166 Alpha2 codes.'
+  test_cases: ai_country
+  stix_mapping: ctibutler-location-with-regions
+
+ai_country_only:
+  type: ai
+  dogesec_web: true
+  name: 'Country only'
+  description: 'Will extract countries, turn into two digit country codes, and import location (without regions and subregions) object from CTI Butler.'
   notes: 'lookup_country_alpha2 legacy extraction also exists if you cannot use AI'
   created: 2020-01-01
   modified: 2020-01-01

{txt2stix-1.1.15 → txt2stix-1.2.0}/includes/extractions/lookup/config.yaml

@@ -5,8 +5,23 @@
 lookup_country_alpha2:
   type: lookup
   dogesec_web: false
-  name: 'Country Alpha2'
-  description: 'Extracts countries using ISO 3166-1 alpha2 codes'
+  name: 'Country Alpha2 (with regions)'
+  description: 'Extracts countries using ISO 3166-1 alpha2 codes (will create relationships to regions and subregions).'
+  notes: 'RECOMMENDED FOR BETTER ACCURACY: Use ai_country. This extractor is very dumb e.g the words `is` and `in` will result in extractions for Iceland and India'
+  file: 'lookups/country_iso3166_alpha2.txt'
+  created: 2020-01-01
+  modified:  2020-01-01
+  created_by: dogesec
+  version: 1.0.0
+  test_cases: generic_country_alpha2
+  stix_mapping: ctibutler-location-with-regions
+
+
+lookup_country_alpha2_country_only:
+  type: lookup
+  dogesec_web: false
+  name: 'Country Alpha2 (without regions)'
+  description: 'Extracts countries using ISO 3166-1 alpha2 codes (will not create relationships).'
   notes: 'RECOMMENDED FOR BETTER ACCURACY: Use ai_country. This extractor is very dumb e.g the words `is` and `in` will result in extractions for Iceland and India'
   file: 'lookups/country_iso3166_alpha2.txt'
   created: 2020-01-01

{txt2stix-1.1.15 → txt2stix-1.2.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "txt2stix"
-version = "1.1.15"
+version = "1.2.0"
 authors = [{ name = "dogesec" }]
 maintainers = [{ name = "dogesec" }]
 description = "txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle."

{txt2stix-1.1.15 → txt2stix-1.2.0}/requirements.txt

@@ -6,7 +6,7 @@
 #
 aiohappyeyeballs==2.6.1
     # via aiohttp
-aiohttp==3.12.15
+aiohttp==3.13.3
     # via llama-index-core
 aiosignal==1.4.0
     # via aiohttp
@@ -121,7 +121,7 @@ llama-index-workflows==1.3.0
     # via llama-index-core
 markupsafe==3.0.2
     # via jinja2
-marshmallow==3.26.1
+marshmallow==3.26.2
     # via dataclasses-json
 mistune==3.1.3
     # via txt2stix (pyproject.toml)
@@ -274,7 +274,7 @@ tzdata==2025.2
     # via arrow
 uri-template==1.3.0
     # via jsonschema
-urllib3==2.6.0
+urllib3==2.6.3
     # via requests
 validators==0.35.0
     # via txt2stix (pyproject.toml)

{txt2stix-1.1.15 → txt2stix-1.2.0}/tests/manual-tests/cases-extraction-type-ai.md

@@ -738,7 +738,7 @@ python3 txt2stix.py \
 python3 txt2stix.py \
 	--relationship_mode standard \
 	--input_file tests/data/extraction_types/ai_country.txt \
-	--name 'ai_country_alpha2' \
+	--name 'ai_country' \
 	--tlp_level clear \
 	--confidence 100 \
 	--use_extractions ai_country \
@@ -746,6 +746,22 @@ python3 txt2stix.py \
 	--report_id 256f89fe-ad21-4604-9d6d-b8b5335f4657
 ```
 
+Check regions are imported.
+
+#### ai_country_only
+
+```shell
+python3 txt2stix.py \
+	--relationship_mode standard \
+	--input_file tests/data/extraction_types/ai_country.txt \
+	--name 'ai_country_only' \
+	--tlp_level clear \
+	--confidence 100 \
+	--use_extractions ai_country_only \
+	--ai_settings_extractions openai:gpt-5 \
+	--report_id 7adbbed0-0d22-43e0-9894-1adb6a708461
+```
+
 #### ai_mitre_attack_enterprise
 
 ```shell

{txt2stix-1.1.15 → txt2stix-1.2.0}/tests/src/test_retriever.py

@@ -89,6 +89,19 @@ def f():
             "NG",
             ("location--6dbe266a-c149-5ba3-8b39-74f1b5063312",),
         ),
+        (
+            "ctibutler-location-with-regions",
+            "NG",
+            [
+                "location--6dbe266a-c149-5ba3-8b39-74f1b5063312",
+                "location--097ca10f-e203-53c0-8f9d-2634ac58bc1b",
+                "location--48451447-0bc6-517a-aff5-a779d3a24a21",
+                "location--ccb963ba-9370-5eeb-80e3-c8d8738275ed",
+                "relationship--28b54976-c9a6-586c-9378-18556f917d3c",
+                "relationship--3cb6677e-c141-56c0-ba3e-6f9d03fa8487",
+                "relationship--769ac179-c26b-5ca0-abde-d61667962b82",
+            ],
+        ),
         (
             "ctibutler-mitre-atlas-id",
             "AML.T0050",
@@ -134,5 +147,5 @@ def f():
 def test_retrieve_objects(stix_mapping, kb_id, expected_ids, f):
     objects = retrieve_stix_objects(stix_mapping, kb_id)
     assert objects != None
-    object_ids = {obj["id"] for obj in objects}
+    object_ids = {x['id'] for x in objects}
     assert object_ids == set(expected_ids)

{txt2stix-1.1.15 → txt2stix-1.2.0}/txt2stix/indicator.py

@@ -106,7 +106,10 @@ def _build_observables(
 ):
     retrieved_objects = retrieve_stix_objects(stix_mapping, extracted_value)
     if retrieved_objects:
-        return retrieved_objects, [sdo["id"] for sdo in retrieved_objects]
+        relatable = [sdo["id"] for sdo in retrieved_objects]
+        if 'location' in stix_mapping:
+            relatable = [retrieved_objects[0]['id']]
+        return retrieved_objects, relatable
     if retrieved_objects == []:
         logger.warning(
             f"could not find `{stix_mapping}` with id=`{extracted_value}` in remote"
@@ -623,7 +626,7 @@ def _build_observables(
         extracted_value = extracted_value.replace("-", "").replace(" ", "")
 
         country_code, bank_code = get_iban_details(extracted_value)
-        location = retrieve_stix_objects("location", country_code)[0]
+        location = retrieve_stix_objects("ctibutler-location", country_code)[0]
         stix_objects.append(location)
 
         bank_acc = dict_to_stix2(

{txt2stix-1.1.15 → txt2stix-1.2.0}/txt2stix/retriever.py

@@ -69,6 +69,10 @@ class STIXObjectRetriever:
         return self._retrieve_objects(
             urljoin(self.api_root, f"v1/location/objects/?alpha2_code={id}")
         )
+    
+    def get_location_bundle(self, id):
+        endpoint = urljoin(self.api_root, f"v1/location/objects/{id}/bundle/?types=location,relationship")
+        return self._retrieve_objects(endpoint, key="objects")
 
     def get_objects_by_name(self, name, type):
         return self._retrieve_objects(
@@ -122,6 +126,10 @@ def _retrieve_stix_objects(host, knowledge_base, filter_value):
             return retreiver.retrieve_object_by_id(filter_value, "cpe")
         case "location":
             return retreiver.get_location_objects(filter_value)
+        case "location-with-regions":
+            locations = retreiver.get_location_bundle(filter_value)
+            locations.sort(key=lambda x: int(x.get('country') == filter_value), reverse=True)
+            return locations
 
         ### ATT&CK by Name
         case "mitre-attack-enterprise-name":
@@ -162,8 +170,6 @@ def _retrieve_stix_objects(host, knowledge_base, filter_value):
 
 def retrieve_stix_objects(stix_mapping: str, filter_value, host=None):
     knowledge_base = stix_mapping
-    if stix_mapping in ["location"]:
-        host = "ctibutler"
     if not host:
         host, _, knowledge_base = stix_mapping.partition("-")
     try: