adding better demos

muchdogesec · Feb 13, 2025 · bae34c3 · bae34c3
1 parent 5e0bd0b
commit bae34c3
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -115,7 +115,8 @@ If any AI extractions, or AI relationship mode is set, you must set the followin
 * `--ai_settings_relationships`:
 	* similar to `ai_settings_extractions` but defines the model used to generate relationships. Only one model can be provided. Passed in same format as `ai_settings_extractions`
 	* See `tests/manual-tests/cases-ai-relationships.md` for some examples
-* `--ai_check_content`: Passing this flag will get the AI to try and classify the text in the input to 1) determine if it is talking about threat intelligence, and 2) what type of threat intelligence it is talking about. For context, we use this to filter out non-threat intel posts in Obstracts and Stixify.
+* `--ai_check_content`: Passing this flag will get the AI to try and classify the text in the input to 1) determine if it is talking about threat intelligence, and 2) what type of threat intelligence it is talking about. For context, we use this to filter out non-threat intel posts in Obstracts and Stixify. You pass `provider:model` with this flag to determine the AI model you wish to use to perform the check.
+* `--create_attack_flow`: passing this flag will also prompt the AI model (the same entered for `--ai_settings_relationships`) to generate an [Attack Flow](https://center-for-threat-informed-defense.github.io/attack-flow/) for the MITRE ATT&CK extractions to define the logical order in which they are being described. You must pass `--ai_settings_relationships` for this to work.
 
 ## Adding new extractions
 

diff --git a/tests/data/manually_generated_reports/attack_flow_demo.txt b/tests/data/manually_generated_reports/attack_flow_demo.txt
@@ -0,0 +1,7 @@
+Victims receive spear phishing emails with  malicious zip files attached.
+
+Due to password protection, the zip files are able to bypass some AV detections.
+
+The zip files are extracted and usually contain a malicious document, such as a .doc, .pdf, or .xls.
+
+The extracted files contain malicious macros.
diff --git a/tests/manual-tests/cases-standard-tests.md b/tests/manual-tests/cases-standard-tests.md
@@ -378,4 +378,17 @@ python3 txt2stix.py \
     --report_id 4fa18f2d-278b-4fd4-8470-62a8807d35ad
 ```
 
+### attack flow demo
 
+```shell
+python3 txt2stix.py \
+    --relationship_mode standard \
+    --ai_settings_relationships openai:gpt-4o \
+    --input_file tests/data/manually_generated_reports/mitre_attack_enterprise_ai_demo.txt \
+    --name 'Test MITRE ATT&CK Flow demo' \
+    --tlp_level clear \
+    --confidence 100 \
+    --use_extractions 'ai_mitre_attack_enterprise' \
+    --create_attack_flow \
+    --report_id c0fef67c-720b-4184-a62e-ea465b4d89b5
+```