txt2stix 1.1.15__tar.gz → 1.2.1__tar.gz

{txt2stix-1.1.15 → txt2stix-1.2.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2stix
-Version: 1.1.15
+Version: 1.2.1
 Summary: txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2stix
 Project-URL: Issues, https://github.com/muchdogesec/txt2stix/issues

{txt2stix-1.1.15 → txt2stix-1.2.1}/docs/stix-mapping.md

@@ -1251,10 +1251,10 @@ Objects created:
 {
     "type": "attack-pattern",
     "spec_version": "2.1",
-    "id": "campaign--<GENERATED BY STIX2 LIBRARY>",
+    "id": "campaign--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "object_marking_refs": [
         "marking-definition--<TLP LEVEL SET>",
@@ -1273,6 +1273,8 @@ Objects created:
 }
 ```
 
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
+
 ### stix-mapping: `campaign`
 
 Objects created:
@@ -1283,10 +1285,10 @@ Objects created:
 {
     "type": "campaign",
     "spec_version": "2.1",
-    "id": "campaign--<GENERATED BY STIX2 LIBRARY>",
+    "id": "campaign--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "object_marking_refs": [
         "marking-definition--<TLP LEVEL SET>",
@@ -1305,6 +1307,8 @@ Objects created:
 }
 ```
 
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
+
 ### stix-mapping: `course-of-action`
 
 Objects created:
@@ -1315,10 +1319,10 @@ Objects created:
 {
     "type": "course-of-action",
     "spec_version": "2.1",
-    "id": "course-of-action--<GENERATED BY STIX2 LIBRARY>",
+    "id": "course-of-action--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "object_marking_refs": [
         "marking-definition--<TLP LEVEL SET>",
@@ -1337,6 +1341,8 @@ Objects created:
 }
 ```
 
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
+
 ### stix-mapping: `infrastructure`
 
 Objects created:
@@ -1347,10 +1353,10 @@ Objects created:
 {
     "type":"infrastructure",
     "spec_version": "2.1",
-    "id":"infrastructure--<GENERATED BY STIX2 LIBRARY>",
+    "id":"infrastructure--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "infrastructure_types": ["unknown"],
     "object_marking_refs": [
@@ -1370,6 +1376,8 @@ Objects created:
 }
 ```
 
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
+
 ### stix-mapping: `intrusion-set`
 
 Objects created:
@@ -1380,10 +1388,10 @@ Objects created:
 {
     "type": "intrusion-set",
     "spec_version": "2.1",
-    "id": "intrusion-set--<GENERATED BY STIX2 LIBRARY>",
+    "id": "intrusion-set--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "object_marking_refs": [
         "marking-definition--<TLP LEVEL SET>",
@@ -1402,6 +1410,8 @@ Objects created:
 }
 ```
 
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
+
 ### stix-mapping: `malware`
 
 Objects created:
@@ -1412,10 +1422,10 @@ Objects created:
 {
     "type": "malware",
     "spec_version": "2.1",
-    "id": "malware--<GENERATED BY STIX2 LIBRARY>",
+    "id": "malware--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "malware_types": ["unknown"],
     "is_family": true,
@@ -1436,6 +1446,8 @@ Objects created:
 }
 ```
 
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
+
 ### stix-mapping: `threat-actor`
 
 Objects created:
@@ -1446,10 +1458,10 @@ Objects created:
 {
     "type": "threat-actor",
     "spec_version": "2.1",
-    "id": "threat-actor--<GENERATED BY STIX2 LIBRARY>",
+    "id": "threat-actor--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "threat_actor_types": "unknown",
     "object_marking_refs": [
@@ -1469,6 +1481,8 @@ Objects created:
 }
 ```
 
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
+
 ### stix-mapping: `tool`
 
 Objects created:
@@ -1479,10 +1493,10 @@ Objects created:
 {
     "type": "tool",
     "spec_version": "2.1",
-    "id": "tool--<GENERATED BY STIX2 LIBRARY>",
+    "id": "tool--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "tool_types": "unknown",
     "object_marking_refs": [
@@ -1502,6 +1516,8 @@ Objects created:
 }
 ```
 
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
+
 ### stix-mapping: `identity`
 
 Objects created:
@@ -1512,10 +1528,10 @@ Objects created:
 {
     "type": "identity",
     "spec_version": "2.1",
-    "id": "identity--<GENERATED BY STIX2 LIBRARY>",
+    "id": "identity--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "identity_class": "unspecified",
     "object_marking_refs": [
@@ -1535,6 +1551,8 @@ Objects created:
 }
 ```
 
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
+
 ## STIX Mapping (remotely created objects)
 
 Some objects created for extractions do not need to be generated by txt2stix, they can be looked up from an external databases.

{txt2stix-1.1.15 → txt2stix-1.2.1}/includes/extractions/ai/config.yaml

@@ -778,7 +778,23 @@ ai_country:
   type: ai
   dogesec_web: true
   name: 'Country'
-  description: 'Will extract countries, turn into two digit country codes, and import location object from CTI Butler.'
+  description: 'Will extract countries, turn into two digit country codes, and import location (and all related regions and subregions) object from CTI Butler.'
+  notes: 'lookup_country_alpha2 legacy extraction also exists if you cannot use AI'
+  created: 2020-01-01
+  modified: 2020-01-01
+  created_by: dogesec
+  version: 1.0.0
+  prompt_base: 'Extract all countries described in the text, including countries printed as IS0-3166 Alpha2 and Alpha3 codes.'
+  prompt_helper: 'If you are unsure, you can read more about the standard here: https://www.iso.org/iso-3166-country-codes.html'
+  prompt_conversion: 'Convert all country extractions to their corresponding IS0-3166 Alpha2 codes.'
+  test_cases: ai_country
+  stix_mapping: ctibutler-location-with-regions
+
+ai_country_only:
+  type: ai
+  dogesec_web: true
+  name: 'Country only'
+  description: 'Will extract countries, turn into two digit country codes, and import location (without regions and subregions) object from CTI Butler.'
   notes: 'lookup_country_alpha2 legacy extraction also exists if you cannot use AI'
   created: 2020-01-01
   modified: 2020-01-01

{txt2stix-1.1.15 → txt2stix-1.2.1}/includes/extractions/lookup/config.yaml

@@ -5,8 +5,23 @@
 lookup_country_alpha2:
   type: lookup
   dogesec_web: false
-  name: 'Country Alpha2'
-  description: 'Extracts countries using ISO 3166-1 alpha2 codes'
+  name: 'Country Alpha2 (with regions)'
+  description: 'Extracts countries using ISO 3166-1 alpha2 codes (will create relationships to regions and subregions).'
+  notes: 'RECOMMENDED FOR BETTER ACCURACY: Use ai_country. This extractor is very dumb e.g the words `is` and `in` will result in extractions for Iceland and India'
+  file: 'lookups/country_iso3166_alpha2.txt'
+  created: 2020-01-01
+  modified:  2020-01-01
+  created_by: dogesec
+  version: 1.0.0
+  test_cases: generic_country_alpha2
+  stix_mapping: ctibutler-location-with-regions
+
+
+lookup_country_alpha2_country_only:
+  type: lookup
+  dogesec_web: false
+  name: 'Country Alpha2 (without regions)'
+  description: 'Extracts countries using ISO 3166-1 alpha2 codes (will not create relationships).'
   notes: 'RECOMMENDED FOR BETTER ACCURACY: Use ai_country. This extractor is very dumb e.g the words `is` and `in` will result in extractions for Iceland and India'
   file: 'lookups/country_iso3166_alpha2.txt'
   created: 2020-01-01

{txt2stix-1.1.15 → txt2stix-1.2.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "txt2stix"
-version = "1.1.15"
+version = "1.2.1"
 authors = [{ name = "dogesec" }]
 maintainers = [{ name = "dogesec" }]
 description = "txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle."

{txt2stix-1.1.15 → txt2stix-1.2.1}/requirements.txt

@@ -6,7 +6,7 @@
 #
 aiohappyeyeballs==2.6.1
     # via aiohttp
-aiohttp==3.12.15
+aiohttp==3.13.3
     # via llama-index-core
 aiosignal==1.4.0
     # via aiohttp
@@ -121,7 +121,7 @@ llama-index-workflows==1.3.0
     # via llama-index-core
 markupsafe==3.0.2
     # via jinja2
-marshmallow==3.26.1
+marshmallow==3.26.2
     # via dataclasses-json
 mistune==3.1.3
     # via txt2stix (pyproject.toml)
@@ -274,7 +274,7 @@ tzdata==2025.2
     # via arrow
 uri-template==1.3.0
     # via jsonschema
-urllib3==2.6.0
+urllib3==2.6.3
     # via requests
 validators==0.35.0
     # via txt2stix (pyproject.toml)

{txt2stix-1.1.15 → txt2stix-1.2.1}/tests/manual-tests/cases-extraction-type-ai.md

@@ -738,7 +738,7 @@ python3 txt2stix.py \
 python3 txt2stix.py \
 	--relationship_mode standard \
 	--input_file tests/data/extraction_types/ai_country.txt \
-	--name 'ai_country_alpha2' \
+	--name 'ai_country' \
 	--tlp_level clear \
 	--confidence 100 \
 	--use_extractions ai_country \
@@ -746,6 +746,22 @@ python3 txt2stix.py \
 	--report_id 256f89fe-ad21-4604-9d6d-b8b5335f4657
 ```
 
+Check regions are imported.
+
+#### ai_country_only
+
+```shell
+python3 txt2stix.py \
+	--relationship_mode standard \
+	--input_file tests/data/extraction_types/ai_country.txt \
+	--name 'ai_country_only' \
+	--tlp_level clear \
+	--confidence 100 \
+	--use_extractions ai_country_only \
+	--ai_settings_extractions openai:gpt-5 \
+	--report_id 7adbbed0-0d22-43e0-9894-1adb6a708461
+```
+
 #### ai_mitre_attack_enterprise
 
 ```shell

{txt2stix-1.1.15 → txt2stix-1.2.1}/tests/src/test_indicator.py

@@ -396,6 +396,27 @@ all_extractors = get_all_extractors()
             {"identity--2e0aadad-9b58-5c8c-bef6-4c258b35f319"},
             id="identity-ii",
         ),
+
+        ## generic sdo extracts (course-of-action, threat-actor, tool)
+        pytest.param(
+            "EvilTool v2.0",
+            "lookup_tool",
+            {
+                "tool--1b13ef4f-7bd5-563a-9ca1-00ebdb7071a8",
+            },
+            {"tool--1b13ef4f-7bd5-563a-9ca1-00ebdb7071a8"},
+            id="generic tool",
+        ),
+
+        pytest.param(
+            "EvilActor",
+            "lookup_threat_actor",
+            {
+                "threat-actor--4c4be570-b34e-556e-a8e0-5cb290668770",
+            },
+            {"threat-actor--4c4be570-b34e-556e-a8e0-5cb290668770"},
+            id="generic threat-actor",
+        ),
     ],
 )
 def test_build_observables(value, extractor_name, expected_objects, expected_rels):

{txt2stix-1.1.15 → txt2stix-1.2.1}/tests/src/test_retriever.py

@@ -89,6 +89,19 @@ def f():
             "NG",
             ("location--6dbe266a-c149-5ba3-8b39-74f1b5063312",),
         ),
+        (
+            "ctibutler-location-with-regions",
+            "NG",
+            [
+                "location--6dbe266a-c149-5ba3-8b39-74f1b5063312",
+                "location--097ca10f-e203-53c0-8f9d-2634ac58bc1b",
+                "location--48451447-0bc6-517a-aff5-a779d3a24a21",
+                "location--ccb963ba-9370-5eeb-80e3-c8d8738275ed",
+                "relationship--28b54976-c9a6-586c-9378-18556f917d3c",
+                "relationship--3cb6677e-c141-56c0-ba3e-6f9d03fa8487",
+                "relationship--769ac179-c26b-5ca0-abde-d61667962b82",
+            ],
+        ),
         (
             "ctibutler-mitre-atlas-id",
             "AML.T0050",
@@ -134,5 +147,5 @@ def f():
 def test_retrieve_objects(stix_mapping, kb_id, expected_ids, f):
     objects = retrieve_stix_objects(stix_mapping, kb_id)
     assert objects != None
-    object_ids = {obj["id"] for obj in objects}
+    object_ids = {x['id'] for x in objects}
     assert object_ids == set(expected_ids)

{txt2stix-1.1.15 → txt2stix-1.2.1}/txt2stix/indicator.py

@@ -106,7 +106,10 @@ def _build_observables(
 ):
     retrieved_objects = retrieve_stix_objects(stix_mapping, extracted_value)
     if retrieved_objects:
-        return retrieved_objects, [sdo["id"] for sdo in retrieved_objects]
+        relatable = [sdo["id"] for sdo in retrieved_objects]
+        if 'location' in stix_mapping:
+            relatable = [retrieved_objects[0]['id']]
+        return retrieved_objects, relatable
     if retrieved_objects == []:
         logger.warning(
             f"could not find `{stix_mapping}` with id=`{extracted_value}` in remote"
@@ -623,7 +626,7 @@ def _build_observables(
         extracted_value = extracted_value.replace("-", "").replace(" ", "")
 
         country_code, bank_code = get_iban_details(extracted_value)
-        location = retrieve_stix_objects("location", country_code)[0]
+        location = retrieve_stix_objects("ctibutler-location", country_code)[0]
         stix_objects.append(location)
 
         bank_acc = dict_to_stix2(
@@ -683,17 +686,18 @@ def _build_observables(
             f"txt2stix+{extracted_value}",
         )
     )
+    _date = datetime(2020, 1, 1, tzinfo=UTC)
 
     if stix_mapping == "attack-pattern":
         stix_objects = [
             dict_to_stix2(
                 {
                     "type": "attack-pattern",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "external_references": indicator["external_references"],
                 }
@@ -705,11 +709,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "campaign",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "object_marking_refs": indicator["object_marking_refs"],
                     "external_references": indicator["external_references"],
@@ -722,11 +726,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "course-of-action",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "object_marking_refs": indicator["object_marking_refs"],
                     "external_references": indicator["external_references"],
@@ -739,11 +743,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "infrastructure",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "infrastructure_types": ["unknown"],
                     "object_marking_refs": indicator["object_marking_refs"],
@@ -757,11 +761,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "intrusion-set",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "object_marking_refs": indicator["object_marking_refs"],
                     "external_references": indicator["external_references"],
@@ -774,11 +778,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "malware",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "malware_types": ["unknown"],
                     "is_family": True,
@@ -793,11 +797,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "threat-actor",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "threat_actor_types": "unknown",
                     "object_marking_refs": indicator["object_marking_refs"],
@@ -811,11 +815,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "tool",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "tool_types": "unknown",
                     "object_marking_refs": indicator["object_marking_refs"],
@@ -831,8 +835,8 @@ def _build_observables(
                     "type": "identity",
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": datetime(2020, 1, 1, tzinfo=UTC),
-                    "modified": datetime(2020, 1, 1, tzinfo=UTC),
+                    "created": _date,
+                    "modified": _date,
                     "id": "identity--" + _id_part,
                     "name": extracted_value,
                     "identity_class": "unspecified",

{txt2stix-1.1.15 → txt2stix-1.2.1}/txt2stix/retriever.py

@@ -69,6 +69,10 @@ class STIXObjectRetriever:
         return self._retrieve_objects(
             urljoin(self.api_root, f"v1/location/objects/?alpha2_code={id}")
         )
+    
+    def get_location_bundle(self, id):
+        endpoint = urljoin(self.api_root, f"v1/location/objects/{id}/bundle/?types=location,relationship")
+        return self._retrieve_objects(endpoint, key="objects")
 
     def get_objects_by_name(self, name, type):
         return self._retrieve_objects(
@@ -122,6 +126,10 @@ def _retrieve_stix_objects(host, knowledge_base, filter_value):
             return retreiver.retrieve_object_by_id(filter_value, "cpe")
         case "location":
             return retreiver.get_location_objects(filter_value)
+        case "location-with-regions":
+            locations = retreiver.get_location_bundle(filter_value)
+            locations.sort(key=lambda x: int(x.get('country') == filter_value), reverse=True)
+            return locations
 
         ### ATT&CK by Name
         case "mitre-attack-enterprise-name":
@@ -162,8 +170,6 @@ def _retrieve_stix_objects(host, knowledge_base, filter_value):
 
 def retrieve_stix_objects(stix_mapping: str, filter_value, host=None):
     knowledge_base = stix_mapping
-    if stix_mapping in ["location"]:
-        host = "ctibutler"
     if not host:
         host, _, knowledge_base = stix_mapping.partition("-")
     try: