PyPI - txt2stix - Versions diffs - 1.2.0__tar.gz → 1.2.2__tar.gz - Mend

txt2stix 1.2.0tar.gz → 1.2.2tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (264) hide show

{txt2stix-1.2.0 → txt2stix-1.2.2}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: txt2stix
-Version: 1.2.0
+Version: 1.2.2
 Summary: txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle.
 Project-URL: Homepage, https://github.com/muchdogesec/txt2stix
 Project-URL: Issues, https://github.com/muchdogesec/txt2stix/issues

{txt2stix-1.2.0 → txt2stix-1.2.2}/docs/stix-mapping.md RENAMED Viewed

@@ -1251,10 +1251,10 @@ Objects created:
 {
     "type": "attack-pattern",
     "spec_version": "2.1",
-    "id": "campaign--<GENERATED BY STIX2 LIBRARY>",
+    "id": "campaign--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "object_marking_refs": [
         "marking-definition--<TLP LEVEL SET>",
@@ -1273,6 +1273,8 @@ Objects created:
 }
 ```
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
 ### stix-mapping: `campaign`
 Objects created:
@@ -1283,10 +1285,10 @@ Objects created:
 {
     "type": "campaign",
     "spec_version": "2.1",
-    "id": "campaign--<GENERATED BY STIX2 LIBRARY>",
+    "id": "campaign--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "object_marking_refs": [
         "marking-definition--<TLP LEVEL SET>",
@@ -1305,6 +1307,8 @@ Objects created:
 }
 ```
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
 ### stix-mapping: `course-of-action`
 Objects created:
@@ -1315,10 +1319,10 @@ Objects created:
 {
     "type": "course-of-action",
     "spec_version": "2.1",
-    "id": "course-of-action--<GENERATED BY STIX2 LIBRARY>",
+    "id": "course-of-action--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "object_marking_refs": [
         "marking-definition--<TLP LEVEL SET>",
@@ -1337,6 +1341,8 @@ Objects created:
 }
 ```
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
 ### stix-mapping: `infrastructure`
 Objects created:
@@ -1347,10 +1353,10 @@ Objects created:
 {
     "type":"infrastructure",
     "spec_version": "2.1",
-    "id":"infrastructure--<GENERATED BY STIX2 LIBRARY>",
+    "id":"infrastructure--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "infrastructure_types": ["unknown"],
     "object_marking_refs": [
@@ -1370,6 +1376,8 @@ Objects created:
 }
 ```
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
 ### stix-mapping: `intrusion-set`
 Objects created:
@@ -1380,10 +1388,10 @@ Objects created:
 {
     "type": "intrusion-set",
     "spec_version": "2.1",
-    "id": "intrusion-set--<GENERATED BY STIX2 LIBRARY>",
+    "id": "intrusion-set--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "object_marking_refs": [
         "marking-definition--<TLP LEVEL SET>",
@@ -1402,6 +1410,8 @@ Objects created:
 }
 ```
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
 ### stix-mapping: `malware`
 Objects created:
@@ -1412,10 +1422,10 @@ Objects created:
 {
     "type": "malware",
     "spec_version": "2.1",
-    "id": "malware--<GENERATED BY STIX2 LIBRARY>",
+    "id": "malware--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "malware_types": ["unknown"],
     "is_family": true,
@@ -1436,6 +1446,8 @@ Objects created:
 }
 ```
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
 ### stix-mapping: `threat-actor`
 Objects created:
@@ -1446,10 +1458,10 @@ Objects created:
 {
     "type": "threat-actor",
     "spec_version": "2.1",
-    "id": "threat-actor--<GENERATED BY STIX2 LIBRARY>",
+    "id": "threat-actor--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "threat_actor_types": "unknown",
     "object_marking_refs": [
@@ -1469,6 +1481,8 @@ Objects created:
 }
 ```
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
 ### stix-mapping: `tool`
 Objects created:
@@ -1479,10 +1493,10 @@ Objects created:
 {
     "type": "tool",
     "spec_version": "2.1",
-    "id": "tool--<GENERATED BY STIX2 LIBRARY>",
+    "id": "tool--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "tool_types": "unknown",
     "object_marking_refs": [
@@ -1502,6 +1516,8 @@ Objects created:
 }
 ```
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
 ### stix-mapping: `identity`
 Objects created:
@@ -1512,10 +1528,10 @@ Objects created:
 {
     "type": "identity",
     "spec_version": "2.1",
-    "id": "identity--<GENERATED BY STIX2 LIBRARY>",
+    "id": "identity--<UUIDV5>",
     "created_by_ref": "identity--<DEFAULT OR CUSTOM IDENTITY OBJECT ID>",
-    "created": "<REPORT CREATED PROPERTY VALUE>",
-    "modified": "<REPORT MODIFIED PROPERTY VALUE>",
+    "created": "2020-01-01T00:00:00.000Z",
+    "modified": "2020-01-01T00:00:00.000Z",
     "name": "<EXTRACTED VALUE>",
     "identity_class": "unspecified",
     "object_marking_refs": [
@@ -1535,6 +1551,8 @@ Objects created:
 }
 ```
+UUIDv5 is generated using namespace `f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5` and `txt2stix+<extracted_value>`
 ## STIX Mapping (remotely created objects)
 Some objects created for extractions do not need to be generated by txt2stix, they can be looked up from an external databases.

{txt2stix-1.2.0 → txt2stix-1.2.2}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "txt2stix"
-version = "1.2.0"
+version = "1.2.2"
 authors = [{ name = "dogesec" }]
 maintainers = [{ name = "dogesec" }]
 description = "txt2stix is a Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle."

{txt2stix-1.2.0 → txt2stix-1.2.2}/tests/src/test_indicator.py RENAMED Viewed

@@ -396,6 +396,27 @@ all_extractors = get_all_extractors()
             {"identity--2e0aadad-9b58-5c8c-bef6-4c258b35f319"},
             id="identity-ii",
         ),
+        ## generic sdo extracts (course-of-action, threat-actor, tool)
+        pytest.param(
+            "EvilTool v2.0",
+            "lookup_tool",
+            {
+                "tool--1b13ef4f-7bd5-563a-9ca1-00ebdb7071a8",
+            },
+            {"tool--1b13ef4f-7bd5-563a-9ca1-00ebdb7071a8"},
+            id="generic tool",
+        ),
+        pytest.param(
+            "EvilActor",
+            "lookup_threat_actor",
+            {
+                "threat-actor--4c4be570-b34e-556e-a8e0-5cb290668770",
+            },
+            {"threat-actor--4c4be570-b34e-556e-a8e0-5cb290668770"},
+            id="generic threat-actor",
+        ),
     ],
 )
 def test_build_observables(value, extractor_name, expected_objects, expected_rels):

{txt2stix-1.2.0 → txt2stix-1.2.2}/txt2stix/indicator.py RENAMED Viewed

@@ -686,17 +686,18 @@ def _build_observables(
             f"txt2stix+{extracted_value}",
         )
     )
+    _date = datetime(2020, 1, 1, tzinfo=UTC)
     if stix_mapping == "attack-pattern":
         stix_objects = [
             dict_to_stix2(
                 {
                     "type": "attack-pattern",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "external_references": indicator["external_references"],
                 }
@@ -708,11 +709,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "campaign",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "object_marking_refs": indicator["object_marking_refs"],
                     "external_references": indicator["external_references"],
@@ -725,11 +726,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "course-of-action",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "object_marking_refs": indicator["object_marking_refs"],
                     "external_references": indicator["external_references"],
@@ -742,11 +743,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "infrastructure",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "infrastructure_types": ["unknown"],
                     "object_marking_refs": indicator["object_marking_refs"],
@@ -760,11 +761,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "intrusion-set",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "object_marking_refs": indicator["object_marking_refs"],
                     "external_references": indicator["external_references"],
@@ -777,11 +778,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "malware",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "malware_types": ["unknown"],
                     "is_family": True,
@@ -796,11 +797,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "threat-actor",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "threat_actor_types": "unknown",
                     "object_marking_refs": indicator["object_marking_refs"],
@@ -814,11 +815,11 @@ def _build_observables(
             dict_to_stix2(
                 {
                     "type": "tool",
-                    # "id": stix_mapping + "--" + _id_part,
+                    "id": stix_mapping + "--" + _id_part,
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": indicator["created"],
-                    "modified": indicator["modified"],
+                    "created": _date,
+                    "modified": _date,
                     "name": extracted_value,
                     "tool_types": "unknown",
                     "object_marking_refs": indicator["object_marking_refs"],
@@ -834,8 +835,8 @@ def _build_observables(
                     "type": "identity",
                     "spec_version": "2.1",
                     "created_by_ref": indicator["created_by_ref"],
-                    "created": datetime(2020, 1, 1, tzinfo=UTC),
-                    "modified": datetime(2020, 1, 1, tzinfo=UTC),
+                    "created": _date,
+                    "modified": _date,
                     "id": "identity--" + _id_part,
                     "name": extracted_value,
                     "identity_class": "unspecified",

{txt2stix-1.2.0 → txt2stix-1.2.2}/txt2stix/txt2stix.py RENAMED Viewed

@@ -461,17 +461,21 @@ def run_txt2stix(
     # First, perform extraction-phase (LLM and extractor calls). This does not
     # modify the provided bundler so the results can be saved and replayed.
     # skip extraction phase if txt2stix_data is passed
-    txt2stix_data = txt2stix_data or extraction_phase(
-        preprocessed_text,
-        extractors_map,
-        ai_content_check_provider=ai_content_check_provider,
-        input_token_limit=input_token_limit,
-        ai_settings_extractions=ai_settings_extractions,
-        ai_settings_relationships=ai_settings_relationships,
-        relationship_mode=relationship_mode,
-        ignore_extraction_boundary=ignore_extraction_boundary,
-        ai_extract_if_no_incidence=ai_extract_if_no_incidence,
-    )
+    if not txt2stix_data:
+        logging.info("=== Extraction Phase ===")
+        txt2stix_data = extraction_phase(
+            preprocessed_text,
+            extractors_map,
+            ai_content_check_provider=ai_content_check_provider,
+            input_token_limit=input_token_limit,
+            ai_settings_extractions=ai_settings_extractions,
+            ai_settings_relationships=ai_settings_relationships,
+            relationship_mode=relationship_mode,
+            ignore_extraction_boundary=ignore_extraction_boundary,
+            ai_extract_if_no_incidence=ai_extract_if_no_incidence,
+        )
+    else:
+        logging.info("=== Skipping Extraction Phase (replaying saved data) ===")
     # Then, process the extracted data into the bundler (no LLM calls).
     processing_phase(