🧪Use
Start analyzing reports!
Before running trs
, you must set your OpenAI API key via environment variable:
export OPENAI_API_KEY="sk-...."
Start the application
$ python main.py --chat
2023-10-14 16:24:00.645 | INFO | trs.vectordb:get_or_create_collection:36 - Using collection: trs
2023-10-14 16:24:00.649 | SUCCESS | trs.vectordb:__init__:33 - Loaded database
commands:
* !summ <url> - summarize a threat report
* !detect <url> - identify detections in threat report
* !custom <name> <url> - run custom prompt against URL
* !exit|!quit - exit application
ready to chat!
💀 >> _
Commands
!summ
Generate summary of URL, extract MITRE ATT&CK TTPs, and generate Mermaid.js mindmap
URL
!detect
Identify threat detection opportunities within URL content
URL
!custom
Process URL content with custom prompt
prompt_name, URL
Workflow
URLs provided to the !command
go through the following workflow:
Retrieve URL and parse to text content
Split the full text into smaller chunks
Store chunked text and their embeddings in vector database with source URL metadata
Send full text content with specified prompt template (the command) to OpenAI and return response
Custom Prompts
Custom prompt templates can be saved to the prompts/
directory as text files with the .txt
extension. The !custom
command will look for prompts by file basename in that directory, add the URL's text content to the template, and send it to the LLM for processing.
Custom prompts must include the format string {document}
so the URL text content can be added.
Retrieval-Augmented-Generation
Before you can use the RAG chat functionality, you first must process a URL with one of the commands above so the vector database has some context to use for your questions.
Any input that is not a !command
will be processed for RAG/QnA over the data stored in the vector database.
You currently can't ask the LLM questions outside of your context. If the answer is not available in the context, you won't get an answer.
**example
💀 >> Summarize the LemurLoot malware functionality
2023-10-14 14:51:51.140 | INFO | trs.vectordb:query:84 - Querying database for: Summarize the LemurLoot malware functionality
2023-10-14 14:51:51.840 | INFO | trs.vectordb:query:90 - Found 3 results
2023-10-14 14:51:51.841 | INFO | trs.llm:qna:98 - sending qna prompt
2023-10-14 14:51:51.841 | INFO | trs.llm:_call_openai:41 - Calling OpenAI
2023-10-14 14:51:51.854 | INFO | trs.llm:_call_openai:59 - token count: 2443
🤖 >>
The LemurLoot malware has several functionalities. It uses the header field “X-siLock-Step1’ to receive commands from the operator, with two well-defined commands: -1 and -2.
Command “-1” retrieves Azure system settings from MOVEit Transfer and performs SQL queries to retrieve files. Command “-2” deletes a user account with the LoginName and
RealName set to "Health Check Service". If any other values are received, the web shell opens a specified file and retrieves it. If no values are specified, it creates the
“Health Check Service” admin user and creates an active session.
Last updated