Upload 32 files

.gitattributes

@@ -33,3 +33,5 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+data/chroma.sqlite3 filter=lfs diff=lfs merge=lfs -text
+docs/EngageHandbook-v1.0.pdf filter=lfs diff=lfs merge=lfs -text

Home.py

@@ -0,0 +1,12 @@
+import streamlit as st
+
+st.set_page_config(
+    page_title="Adversary Engagement Ontology",
+    page_icon='🕷',
+    layout='wide'
+)
+st.header("Adversary Engagement Ontology")
+
+st.write("Adversary Engagement Ontology (AEO) is a candidate ontology to the Unified Cyber Ontology (UCO), a community effort for the ontological standardization of cyber domain concepts and objects under a unifying framework, and is part of the Cyber Domain Ontology (CDO). Community efforts and development has always been manual labor intensive in regards to ontology changes, ontology example generation for adopters, documentation generation. Large Language Models (LLMs) have been shown to be capable of automating many tasks or aiding in human expert decision-making. We demonstrate how foundational LLMs such as ChatGPT and GPT4 can assist in ontology example generation, ontology development, and overall be used in automation tooling for structured but tedious tasks. This space can be used to create an example of how to setup the AEO instance. It uses the power of OpenAI's ChatGPT. The generator currently uses strictly prewritten rules of AEO, discussion on an automation process is still early . he generator currently is bounded by prompt size limits.")
+
+st.write("There are different pages in this space which you can use to generate examples, personas, honey tokens, and also create an auto engagement strategy")

aeo_ex_generator/aeo_example_generator.py

@@ -0,0 +1,417 @@
+import os
+import openai
+import json
+import rdflib
+
+
+class ExampleGenerator:
+    def __init__(self):
+        self.ontologies = {}
+        self.ontology_files = []
+        self.rules = {}
+        self.description = None
+    def add_ontology(self, onto):
+        if onto in self.ontology_files:
+            raise ValueError("Ontology file already exists.")
+        else:
+            onto_data = self.get_ontology_file(onto)
+            if onto_data:
+                self.ontology_files.append(onto)
+                self.ontologies[onto] = self.get_ontology_file(onto)
+                self.rules[onto] = self.generate_rules(onto)
+            else:
+                raise ValueError("Ontology file error.")
+    def get_ontology_file(self,filename):
+        text = ""
+        if os.path.isfile(filename):
+            with open(filename,'r') as f:
+                text = f.read()
+            f.close()
+            return text
+        else:
+            raise ValueError("Invalid filename.")
+    def ChatGPTTextSplitter(self,text):
+        """Splits text in smaller subblocks to feed to the LLM"""
+        prompt = f"""The total length of content that I want to send you is too large to send in only one piece.
+
+    For sending you that content, I will follow this rule:
+
+    [START PART 1/10]
+    this is the content of the part 1 out of 10 in total
+    [END PART 1/10]
+
+    Then you just answer: "Instructions Sent."
+
+    And when I tell you "ALL PARTS SENT", then you can continue processing the data and answering my requests.
+        """
+        if type(text) == str:
+            textsize = 12000
+            blocksize = int(len(text) / textsize)
+            if blocksize > 0:
+                yield prompt
+
+                for b in range(1,blocksize+1):
+                    if b < blocksize+1:
+                        prompt = f"""Do not answer yet. This is just another part of the text I want to send you. Just receive and acknowledge as "Part {b}/{blocksize} received" and wait for the next part.
+                [START PART {b}/{blocksize}]
+                {text[(b-1)*textsize:b*textsize]}
+                [END PART {b}/{blocksize}]
+                Remember not answering yet. Just acknowledge you received this part with the message "Part {b}/{blocksize} received" and wait for the next part.
+                        """
+                        yield prompt
+                    else:
+                        prompt = f"""
+                [START PART {b}/{blocksize}]
+                {text[(b-1)*textsize:b*textsize]}
+                [END PART {b}/{blocksize}]
+                ALL PARTS SENT. Now you can continue processing the request.
+                        """
+                        yield prompt
+            else:
+                yield text
+        elif type(text) == list:
+            yield prompt
+
+            for n,block in enumerate(text):
+                if n+1 < len(text):
+                    prompt = f"""Do not answer yet. This is just another part of the text I want to send you. Just receive and acknowledge as "Part {n+1}/{len(text)} received" and wait for the next part.
+            [START PART {n+1}/{len(text)}]
+            {text[n]}
+            [END PART {n+1}/{len(text)}]
+            Remember not answering yet. Just acknowledge you received this part with the message "Part {n+1}/{len(text)} received" and wait for the next part.
+                    """
+                    yield prompt
+                else:
+                    prompt = f"""
+            [START PART {n+1}/{len(text)}]
+            {text[n]}
+            [END PART {n+1}/{len(text)}]
+            ALL PARTS SENT. Now you can continue processing the request.
+                    """
+                yield prompt
+
+    def send_ontology(self):
+        ontology = ""
+        if len(self.ontologies) > 0:
+            for k,v in self.ontologies.items():
+                ontology+=v+"\n"
+            print("Sending Ontology in Parts")
+            for i in self.ChatGPTTextSplitter(ontology):
+                print(self.llm_api(i))
+        else:
+            raise ValueError("No loaded ontology to send.")
+    def llm_api(self,prompt,model="gpt-3.5-turbo"):
+        messages = [{
+            "role":"user",
+            "content":prompt
+        }]
+        res = openai.ChatCompletion.create(model=model,messages=messages,temperature=0)
+        return res.choices[0].message['content']
+    
+    def generate_rule(self,onto=None):
+        """Raw rule string of AEO."""
+        v = """These are the components that construct the plan: 
+Fake personas - first and last name
+People can have one of the following DeceptionRoles:
+        adversary
+        defender
+Identities can take one of the following DeceptionActions:
+        engagement:Access - subject is an identity, predicate is an object
+        engagement:Alert - subject is an identity, predicate is a human identity
+        engagement:Beacon - subject is non-human identities, services, or tools, predicate can be a server, service, tool or an identity
+        engagement:Deploy - subject is human or agent, the predicate must be a DeceptionObject
+        engagement:Obfuscate
+        engagement:Respond
+There can be one or more DeceptionObjects:
+        engagement:Honeypot
+        engagement:Honeytoken
+        engagement:Breadcrumb
+        engagement:BreadcrumbTrail - this is a set of breadcrumbs
+        engagement:LureObject
+        engagement:HoneyObject
+        engagement:Decoy
+        engagement:DataSource
+A defender that performs an a DeceptionAction has at least one of the following DefenderObjectives
+            objective:Reconnaissance
+            objective:Affect
+            objective:Collect
+            objective:Detect
+            objective:Direct
+            objective:Disrupt
+            objective:Elicit
+            objective:Expose
+            objective:Motivate
+            objective:Plan
+            objective:Prepare
+            objective:Prevent
+            objective:Reassure
+            objective:Analyze
+            objective:Deny
+            objective:ElicitBehavior
+            objective:Lure
+            objective:TimeSink
+            objective:Track
+            objective:Trap
+An adversary that performs an a DeceptionAction has at least one of the following AdversaryObjectives
+            objective:CommandAndControl
+            objective:CredentialAccess
+            objective:DevelopResource
+            objective:Discover
+            objective:EscalatePrivilege
+            objective:Evade
+            objective:Execute
+            objective:Exfilitrate
+            objective:GainInitialAccess
+            objective:Impact
+            objective:MoveLaterally
+            objective:Persist
+            objective:Reconnaissance
+Generate the plan in the following structure:
+print "Use one engagement:Narrative"
+print "Use one engagement:Storyline"
+print "Use the following people:"
+    Enumerate each person's name and DeceptionRole
+    
+Each planned event is centered around a DeceptionAction taken by some identity or person with a DeceptionRole onto a DeceptionObject or Object. Enumerate each planned events where each planned event has a short description and number starting with "Planned Event 1". Describe which person deploys a DeceptionObject, what DeceptionAction they used and what the DefenderObjective or AdversaryObjective of the action or deployed DeceptionObject. The last planned event should conclude that an defender has been alerted that the DeceptionObject was accessed by the adversary.
+
+Remember to use only given DefenderObjectives, AdversaryObjectives, DeceptionObjects, DeceptionActions, and DeceptionRoles. Do not use any other objectives, objects, actions, or roles other than what is provided. If a person uses an action not from DeceptionActions, then the action is "uco-core:Action" with the name of action.
+        """
+        return v
+    def generate_json_rule(self,onto=None):
+        """Raw rule string of AEO."""
+        v = """Remember make a json-ld format example that only uses classes and properties terms from Adversary Engagement Ontology, Unified Cyber Ontology. 
+
+Each engagement:Narrative has property:
+    engagement:hasStoryline connects to an engagement:Storyline
+Each engagement:Storyline has property:
+    engagement:hasEvent connects to a uco-types:Thread
+Each uco-types:Thread has properties:
+    co:element contains all engagement:PlannedEvents
+    co:item contains all uco-types:ThreadItem one each for each engagement:PlannedEvent.
+    co:size
+    uco-types:threadOriginItem is the uco-types:ThreadItem for the first engagement:PlannedEvent
+    uco-types:threadTerminalItem is the uco-types:ThreadItem for the last engagement:PlannedEvent
+Each co:size has properties:
+    @type as xsd:nonNegativeInteger
+    @value which is the number of uco-types:ThreadItem
+Each uco-types:ThreadItem has property:
+    co:itemContent is the engagement:PlannedEvent
+    optional uco-types:threadNextItem is the next uco-types:ThreadItem for the next engagement:PlannedEvent if there is one,
+    optional uco-types:threadPreviousItem is the previous uco-types:ThreadItem for the previous engagement:PlannedEvent if there is one
+Each engagement:PlannedEvent has property:
+    engagement:eventContext connects to one engagement action has property @type one of the following:
+        engagement:Access
+        engagement:Alert
+        engagement:Beacon
+        engagement:Deploy
+        engagement:Obfuscate
+        engagement:Respond
+Each engagement action has properties:
+    @type is the action
+    uco-core:performer
+    uco-core:object connects to one of the following engagement deception object denoted as "EDO" objects:
+        engagement:Honeypot
+        engagement:Honeytoken
+        engagement:Breadcrumb
+        engagement:BreadcrumbTrail
+        engagement:LureObject
+        engagement:HoneyObject
+        engagement:Decoy
+        engagement:DataSource
+Each "EDO" object has properties:
+    engagement:hasCharacterization connects to a uco-core:UcoObject
+    objective:hasObjective with @type objective:Objective and @id with one of the following instances:
+            objective:CommandAndControl
+            objective:CredentialAccess
+            objective:DevelopResource
+            objective:Discover
+            objective:EscalatePrivilege
+            objective:Evade
+            objective:Execute
+            objective:Exfilitrate
+            objective:GainInitialAccess
+            objective:Impact
+            objective:MoveLaterally
+            objective:Persist
+            objective:Reconnaissance
+            objective:Affect
+            objective:Collect
+            objective:Detect
+            objective:Direct
+            objective:Disrupt
+            objective:Elicit
+            objective:Expose
+            objective:Motivate
+            objective:Plan
+            objective:Prepare
+            objective:Prevent
+            objective:Reassure
+            objective:Analyze
+            objective:Deny
+            objective:ElicitBehavior
+            objective:Lure
+            objective:TimeSink
+            objective:Track
+            objective:Trap
+        uco-core:name is the objective
+All people have property:
+    @type is uco-identity:Person
+    uco-core:hasFacet that connects to one of the following: 
+        uco-identity:SimpleNameFacet which has the property:
+            uco-identity:familyName
+            uco-identity:givenName
+Each uco-core:Role has properties:
+        @id is the role
+        uco-core:name is the role
+Each uco-core:Role there is a uco-core:Relationship with properties:
+    uco-core:kindofRelationship is "has_Role"
+    uco-core:source connects to the person who has the role
+    uco-core:target connects to uco-core:Role
+Each engagement:BreadcrumbTrail has property:
+    engagement:hasBreadcrumb connects to uco-types:Thread
+        This uco-types:Thread has property:
+            co:element contains all engagement:Breadcrumb that belong to this engagement:BreadcrumbTrail
+            co:item contains all uco-types:ThreadItem one each for each engagement:Breadcrumb
+            co:size
+            uco-types:threadOriginItem is the uco-types:ThreadItem for the first engagement:Breadcrumb belonging to this engagement:BreadcrumbTrail
+            uco-types:threadTerminalItem is the uco-types:ThreadItem for the last engagement:Breadcrumb belonging to this engagement:BreadcrumbTrail
+Each engagement:Breadcrumb has the properties:
+    engagement:hasCharacterization which connects to a uco-core:UcoObject with the property:
+        uco-core:description which describes the object characterizing the breadcrumb
+All classes must include property:
+    @type is the class
+    @id is a unique identifier
+    
+If namespace "engagement" prefix is used then https://ontology.adversaryengagement.org/ae/engagement#
+If namespace "objective" prefix is used then https://ontology.adversaryengagement.org/ae/objective#
+If namespace "role" prefix is used then https://ontology.adversaryengagement.org/ae/role#
+If namespace "identity" prefix is used then https://ontology.adversaryengagement.org/ae/identity#
+If namespace "uco-core" prefix is used then https://ontology.unifiedcyberontology.org/uco/core#
+If namespace "uco-types" prefix is used then https://ontology.unifiedcyberontology.org/uco/types#
+If namespace "uco-role" prefix is used then https://ontology.unifiedcyberontology.org/uco/role#
+        """
+        return v
+    
+    def generate_continue(self):
+        v = """
+        continue
+        """
+        return v
+    
+    def raw_prompt(self,description,jsn=True):
+        def run(val,jsn):
+            if jsn:
+                prompt = f"""Give me a full json-ld format example for the following scenario:
+                {description}
+
+                {"".join(val)}
+                """
+            else:
+                prompt = f"""
+                {"".join(val)}
+                {description}
+                """
+            for i in self.ChatGPTTextSplitter(prompt):
+                res = self.llm_api(i)
+            return res
+        
+        if not jsn:
+            res_val =  run(self.generate_rule(),jsn)
+            return res_val
+        else:
+            res_val =  run(self.generate_json_rule(),jsn)
+            try:
+                val = json.loads(res_val)
+                return val
+            except:
+                #the response was cut off, prompt for the continuation.
+                data = []
+                data.append(res_val)
+                while True:
+                    res = self.llm_api(self.generate_continue())
+                    data.append(res)
+                    try:
+                        full = "".join(data)
+                        return json.loads(full)
+                    except:
+                        pass
+
+            return None
+    
+    def get_ns(self,string):
+        return string.split(":")[0]
+    
+    
+    def auto_generate(self,planSize:int=3,keywords:str="",nkeywords:str=""):
+        p = f"Generate a deception plan with {planSize} PlannedEvents."
+        if keywords:
+            p+= f"The plan must include specifically {keywords}."
+        if nkeywords:
+            p+= f"Do not include {nkeywords}."
+        #deception plan description
+        e = self.prompt(p,jsn=False)
+        self.description = e
+        #deception plan converted into json
+        w = self.prompt(e,jsn=True)
+        self.json = w
+        return self.json
+    
+    def generate_personas(self):
+        if not self.description:
+            raise ValueError("Run auto_generate() or prompt() before attempting to generate persona profiles.")
+        description =f"""{self.description}
+        Generate a believable, detailed, and professional description of each person as if they had a LinkedIn profile with the following configurations:
+            Name
+            Occupation and occupation job title
+            Gender
+            Random configuration from the big five personality traits that fits their occupation and 1 of the 16 Myer-Briggs personality classifications. Do not disclose their configuration or their personality type, write as if they wrote an introduction about themselves and their accomplishments.
+            Education history including graduation year, school, degree
+            Job history with at least 10 active years
+            Rewards that highlight the factitious character's strength
+            A schedule of their activities and active behaviors at work
+
+"""
+        w = self.prompt(description,jsn=False)
+        self.persona_descriptions = w
+        return w
+
+    
+    def prompt(self,description,jsn=True):
+        if not self.description:
+            self.description = description
+        if not jsn:
+            res = self.raw_prompt(description,jsn=jsn)
+        else:
+            res = self.raw_prompt(description)
+
+            #include only relevent namespaces
+            prefixes = []
+
+            def is_nested(LIST):
+                if type(LIST) == list:
+                    for JSON in LIST:
+                        for key in JSON.keys():
+                            if type(JSON[key]) == dict:
+                                is_nested(JSON[key])
+                        if '@type' in JSON.keys():
+                            prefixes.append(self.get_ns(JSON['@type']))
+                else:
+                    JSON = LIST
+                    for key in JSON.keys():
+                        if type(JSON[key]) == dict:
+                            is_nested(JSON[key])
+                    if '@type' in JSON.keys():
+                        prefixes.append(self.get_ns(JSON['@type']))
+
+
+            is_nested(res['@graph'])
+            prefixes = set(prefixes)
+
+            new_prefixes = {}
+            for prefix in prefixes:
+                if prefix in res['@context']:
+                    new_prefixes[prefix] = res['@context'][prefix]
+
+            res['@context'] = new_prefixes
+
+        return res

aeo_example_generator.py

@@ -0,0 +1,417 @@
+import os
+import openai
+import json
+import rdflib
+
+
+class ExampleGenerator:
+    def __init__(self):
+        self.ontologies = {}
+        self.ontology_files = []
+        self.rules = {}
+        self.description = None
+    def add_ontology(self, onto):
+        if onto in self.ontology_files:
+            raise ValueError("Ontology file already exists.")
+        else:
+            onto_data = self.get_ontology_file(onto)
+            if onto_data:
+                self.ontology_files.append(onto)
+                self.ontologies[onto] = self.get_ontology_file(onto)
+                self.rules[onto] = self.generate_rules(onto)
+            else:
+                raise ValueError("Ontology file error.")
+    def get_ontology_file(self,filename):
+        text = ""
+        if os.path.isfile(filename):
+            with open(filename,'r') as f:
+                text = f.read()
+            f.close()
+            return text
+        else:
+            raise ValueError("Invalid filename.")
+    def ChatGPTTextSplitter(self,text):
+        """Splits text in smaller subblocks to feed to the LLM"""
+        prompt = f"""The total length of content that I want to send you is too large to send in only one piece.
+
+    For sending you that content, I will follow this rule:
+
+    [START PART 1/10]
+    this is the content of the part 1 out of 10 in total
+    [END PART 1/10]
+
+    Then you just answer: "Instructions Sent."
+
+    And when I tell you "ALL PARTS SENT", then you can continue processing the data and answering my requests.
+        """
+        if type(text) == str:
+            textsize = 12000
+            blocksize = int(len(text) / textsize)
+            if blocksize > 0:
+                yield prompt
+
+                for b in range(1,blocksize+1):
+                    if b < blocksize+1:
+                        prompt = f"""Do not answer yet. This is just another part of the text I want to send you. Just receive and acknowledge as "Part {b}/{blocksize} received" and wait for the next part.
+                [START PART {b}/{blocksize}]
+                {text[(b-1)*textsize:b*textsize]}
+                [END PART {b}/{blocksize}]
+                Remember not answering yet. Just acknowledge you received this part with the message "Part {b}/{blocksize} received" and wait for the next part.
+                        """
+                        yield prompt
+                    else:
+                        prompt = f"""
+                [START PART {b}/{blocksize}]
+                {text[(b-1)*textsize:b*textsize]}
+                [END PART {b}/{blocksize}]
+                ALL PARTS SENT. Now you can continue processing the request.
+                        """
+                        yield prompt
+            else:
+                yield text
+        elif type(text) == list:
+            yield prompt
+
+            for n,block in enumerate(text):
+                if n+1 < len(text):
+                    prompt = f"""Do not answer yet. This is just another part of the text I want to send you. Just receive and acknowledge as "Part {n+1}/{len(text)} received" and wait for the next part.
+            [START PART {n+1}/{len(text)}]
+            {text[n]}
+            [END PART {n+1}/{len(text)}]
+            Remember not answering yet. Just acknowledge you received this part with the message "Part {n+1}/{len(text)} received" and wait for the next part.
+                    """
+                    yield prompt
+                else:
+                    prompt = f"""
+            [START PART {n+1}/{len(text)}]
+            {text[n]}
+            [END PART {n+1}/{len(text)}]
+            ALL PARTS SENT. Now you can continue processing the request.
+                    """
+                yield prompt
+
+    def send_ontology(self):
+        ontology = ""
+        if len(self.ontologies) > 0:
+            for k,v in self.ontologies.items():
+                ontology+=v+"\n"
+            print("Sending Ontology in Parts")
+            for i in self.ChatGPTTextSplitter(ontology):
+                print(self.llm_api(i))
+        else:
+            raise ValueError("No loaded ontology to send.")
+    def llm_api(self,prompt,model="gpt-3.5-turbo"):
+        messages = [{
+            "role":"user",
+            "content":prompt
+        }]
+        res = openai.ChatCompletion.create(model=model,messages=messages,temperature=0)
+        return res.choices[0].message['content']
+    
+    def generate_rule(self,onto=None):
+        """Raw rule string of AEO."""
+        v = """These are the components that construct the plan: 
+Fake personas - first and last name
+People can have one of the following DeceptionRoles:
+        adversary
+        defender
+Identities can take one of the following DeceptionActions:
+        engagement:Access - subject is an identity, predicate is an object
+        engagement:Alert - subject is an identity, predicate is a human identity
+        engagement:Beacon - subject is non-human identities, services, or tools, predicate can be a server, service, tool or an identity
+        engagement:Deploy - subject is human or agent, the predicate must be a DeceptionObject
+        engagement:Obfuscate
+        engagement:Respond
+There can be one or more DeceptionObjects:
+        engagement:Honeypot
+        engagement:Honeytoken
+        engagement:Breadcrumb
+        engagement:BreadcrumbTrail - this is a set of breadcrumbs
+        engagement:LureObject
+        engagement:HoneyObject
+        engagement:Decoy
+        engagement:DataSource
+A defender that performs an a DeceptionAction has at least one of the following DefenderObjectives
+            objective:Reconnaissance
+            objective:Affect
+            objective:Collect
+            objective:Detect
+            objective:Direct
+            objective:Disrupt
+            objective:Elicit
+            objective:Expose
+            objective:Motivate
+            objective:Plan
+            objective:Prepare
+            objective:Prevent
+            objective:Reassure
+            objective:Analyze
+            objective:Deny
+            objective:ElicitBehavior
+            objective:Lure
+            objective:TimeSink
+            objective:Track
+            objective:Trap
+An adversary that performs an a DeceptionAction has at least one of the following AdversaryObjectives
+            objective:CommandAndControl
+            objective:CredentialAccess
+            objective:DevelopResource
+            objective:Discover
+            objective:EscalatePrivilege
+            objective:Evade
+            objective:Execute
+            objective:Exfilitrate
+            objective:GainInitialAccess
+            objective:Impact
+            objective:MoveLaterally
+            objective:Persist
+            objective:Reconnaissance
+Generate the plan in the following structure:
+print "Use one engagement:Narrative"
+print "Use one engagement:Storyline"
+print "Use the following people:"
+    Enumerate each person's name and DeceptionRole
+    
+Each planned event is centered around a DeceptionAction taken by some identity or person with a DeceptionRole onto a DeceptionObject or Object. Enumerate each planned events where each planned event has a short description and number starting with "Planned Event 1". Describe which person deploys a DeceptionObject, what DeceptionAction they used and what the DefenderObjective or AdversaryObjective of the action or deployed DeceptionObject. The last planned event should conclude that an defender has been alerted that the DeceptionObject was accessed by the adversary.
+
+Remember to use only given DefenderObjectives, AdversaryObjectives, DeceptionObjects, DeceptionActions, and DeceptionRoles. Do not use any other objectives, objects, actions, or roles other than what is provided. If a person uses an action not from DeceptionActions, then the action is "uco-core:Action" with the name of action.
+        """
+        return v
+    def generate_json_rule(self,onto=None):
+        """Raw rule string of AEO."""
+        v = """Remember make a json-ld format example that only uses classes and properties terms from Adversary Engagement Ontology, Unified Cyber Ontology. 
+
+Each engagement:Narrative has property:
+    engagement:hasStoryline connects to an engagement:Storyline
+Each engagement:Storyline has property:
+    engagement:hasEvent connects to a uco-types:Thread
+Each uco-types:Thread has properties:
+    co:element contains all engagement:PlannedEvents
+    co:item contains all uco-types:ThreadItem one each for each engagement:PlannedEvent.
+    co:size
+    uco-types:threadOriginItem is the uco-types:ThreadItem for the first engagement:PlannedEvent
+    uco-types:threadTerminalItem is the uco-types:ThreadItem for the last engagement:PlannedEvent
+Each co:size has properties:
+    @type as xsd:nonNegativeInteger
+    @value which is the number of uco-types:ThreadItem
+Each uco-types:ThreadItem has property:
+    co:itemContent is the engagement:PlannedEvent
+    optional uco-types:threadNextItem is the next uco-types:ThreadItem for the next engagement:PlannedEvent if there is one,
+    optional uco-types:threadPreviousItem is the previous uco-types:ThreadItem for the previous engagement:PlannedEvent if there is one
+Each engagement:PlannedEvent has property:
+    engagement:eventContext connects to one engagement action has property @type one of the following:
+        engagement:Access
+        engagement:Alert
+        engagement:Beacon
+        engagement:Deploy
+        engagement:Obfuscate
+        engagement:Respond
+Each engagement action has properties:
+    @type is the action
+    uco-core:performer
+    uco-core:object connects to one of the following engagement deception object denoted as "EDO" objects:
+        engagement:Honeypot
+        engagement:Honeytoken
+        engagement:Breadcrumb
+        engagement:BreadcrumbTrail
+        engagement:LureObject
+        engagement:HoneyObject
+        engagement:Decoy
+        engagement:DataSource
+Each "EDO" object has properties:
+    engagement:hasCharacterization connects to a uco-core:UcoObject
+    objective:hasObjective with @type objective:Objective and @id with one of the following instances:
+            objective:CommandAndControl
+            objective:CredentialAccess
+            objective:DevelopResource
+            objective:Discover
+            objective:EscalatePrivilege
+            objective:Evade
+            objective:Execute
+            objective:Exfilitrate
+            objective:GainInitialAccess
+            objective:Impact
+            objective:MoveLaterally
+            objective:Persist
+            objective:Reconnaissance
+            objective:Affect
+            objective:Collect
+            objective:Detect
+            objective:Direct
+            objective:Disrupt
+            objective:Elicit
+            objective:Expose
+            objective:Motivate
+            objective:Plan
+            objective:Prepare
+            objective:Prevent
+            objective:Reassure
+            objective:Analyze
+            objective:Deny
+            objective:ElicitBehavior
+            objective:Lure
+            objective:TimeSink
+            objective:Track
+            objective:Trap
+        uco-core:name is the objective
+All people have property:
+    @type is uco-identity:Person
+    uco-core:hasFacet that connects to one of the following: 
+        uco-identity:SimpleNameFacet which has the property:
+            uco-identity:familyName
+            uco-identity:givenName
+Each uco-core:Role has properties:
+        @id is the role
+        uco-core:name is the role
+Each uco-core:Role there is a uco-core:Relationship with properties:
+    uco-core:kindofRelationship is "has_Role"
+    uco-core:source connects to the person who has the role
+    uco-core:target connects to uco-core:Role
+Each engagement:BreadcrumbTrail has property:
+    engagement:hasBreadcrumb connects to uco-types:Thread
+        This uco-types:Thread has property:
+            co:element contains all engagement:Breadcrumb that belong to this engagement:BreadcrumbTrail
+            co:item contains all uco-types:ThreadItem one each for each engagement:Breadcrumb
+            co:size
+            uco-types:threadOriginItem is the uco-types:ThreadItem for the first engagement:Breadcrumb belonging to this engagement:BreadcrumbTrail
+            uco-types:threadTerminalItem is the uco-types:ThreadItem for the last engagement:Breadcrumb belonging to this engagement:BreadcrumbTrail
+Each engagement:Breadcrumb has the properties:
+    engagement:hasCharacterization which connects to a uco-core:UcoObject with the property:
+        uco-core:description which describes the object characterizing the breadcrumb
+All classes must include property:
+    @type is the class
+    @id is a unique identifier
+    
+If namespace "engagement" prefix is used then https://ontology.adversaryengagement.org/ae/engagement#
+If namespace "objective" prefix is used then https://ontology.adversaryengagement.org/ae/objective#
+If namespace "role" prefix is used then https://ontology.adversaryengagement.org/ae/role#
+If namespace "identity" prefix is used then https://ontology.adversaryengagement.org/ae/identity#
+If namespace "uco-core" prefix is used then https://ontology.unifiedcyberontology.org/uco/core#
+If namespace "uco-types" prefix is used then https://ontology.unifiedcyberontology.org/uco/types#
+If namespace "uco-role" prefix is used then https://ontology.unifiedcyberontology.org/uco/role#
+        """
+        return v
+    
+    def generate_continue(self):
+        v = """
+        continue
+        """
+        return v
+    
+    def raw_prompt(self,description,jsn=True):
+        def run(val,jsn):
+            if jsn:
+                prompt = f"""Give me a full json-ld format example for the following scenario:
+                {description}
+
+                {"".join(val)}
+                """
+            else:
+                prompt = f"""
+                {"".join(val)}
+                {description}
+                """
+            for i in self.ChatGPTTextSplitter(prompt):
+                res = self.llm_api(i)
+            return res
+        
+        if not jsn:
+            res_val =  run(self.generate_rule(),jsn)
+            return res_val
+        else:
+            res_val =  run(self.generate_json_rule(),jsn)
+            try:
+                val = json.loads(res_val)
+                return val
+            except:
+                #the response was cut off, prompt for the continuation.
+                data = []
+                data.append(res_val)
+                while True:
+                    res = self.llm_api(self.generate_continue())
+                    data.append(res)
+                    try:
+                        full = "".join(data)
+                        return json.loads(full)
+                    except:
+                        pass
+
+            return None
+    
+    def get_ns(self,string):
+        return string.split(":")[0]
+    
+    
+    def auto_generate(self,planSize:int=3,keywords:str="",nkeywords:str=""):
+        p = f"Generate a deception plan with {planSize} PlannedEvents."
+        if keywords:
+            p+= f"The plan must include specifically {keywords}."
+        if nkeywords:
+            p+= f"Do not include {nkeywords}."
+        #deception plan description
+        e = self.prompt(p,jsn=False)
+        self.description = e
+        #deception plan converted into json
+        w = self.prompt(e,jsn=True)
+        self.json = w
+        return self.json
+    
+    def generate_personas(self):
+        if not self.description:
+            raise ValueError("Run auto_generate() or prompt() before attempting to generate persona profiles.")
+        description =f"""{self.description}
+        Generate a believable, detailed, and professional description of each person as if they had a LinkedIn profile with the following configurations:
+            Name
+            Occupation and occupation job title
+            Gender
+            Random configuration from the big five personality traits that fits their occupation and 1 of the 16 Myer-Briggs personality classifications. Do not disclose their configuration or their personality type, write as if they wrote an introduction about themselves and their accomplishments.
+            Education history including graduation year, school, degree
+            Job history with at least 10 active years
+            Rewards that highlight the factitious character's strength
+            A schedule of their activities and active behaviors at work
+
+"""
+        w = self.prompt(description,jsn=False)
+        self.persona_descriptions = w
+        return w
+
+    
+    def prompt(self,description,jsn=True):
+        if not self.description:
+            self.description = description
+        if not jsn:
+            res = self.raw_prompt(description,jsn=jsn)
+        else:
+            res = self.raw_prompt(description)
+
+            #include only relevent namespaces
+            prefixes = []
+
+            def is_nested(LIST):
+                if type(LIST) == list:
+                    for JSON in LIST:
+                        for key in JSON.keys():
+                            if type(JSON[key]) == dict:
+                                is_nested(JSON[key])
+                        if '@type' in JSON.keys():
+                            prefixes.append(self.get_ns(JSON['@type']))
+                else:
+                    JSON = LIST
+                    for key in JSON.keys():
+                        if type(JSON[key]) == dict:
+                            is_nested(JSON[key])
+                    if '@type' in JSON.keys():
+                        prefixes.append(self.get_ns(JSON['@type']))
+
+
+            is_nested(res['@graph'])
+            prefixes = set(prefixes)
+
+            new_prefixes = {}
+            for prefix in prefixes:
+                if prefix in res['@context']:
+                    new_prefixes[prefix] = res['@context'][prefix]
+
+            res['@context'] = new_prefixes
+
+        return res

data/chroma.sqlite3

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:81687fffb098ff3950a4143bb89be8c7d051bc24c4ba95a667ad3901ec6d66b5
+size 2187264

data/d1a96671-aee8-491c-a591-df54be606f81/data_level0.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f18abd8c514282db82706e52b0a33ed659cd534e925a6f149deb7af9ce34bd8e
+size 6284000

data/d1a96671-aee8-491c-a591-df54be606f81/header.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:effaa959ce2b30070fdafc2fe82096fc46e4ee7561b75920dd3ce43d09679b21
+size 100

data/d1a96671-aee8-491c-a591-df54be606f81/length.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f51030a50f6bee470c5fc6702c6e43fe48a4bb732a4ed0cd0752b6a994ef47d7
+size 4000

data/d1a96671-aee8-491c-a591-df54be606f81/link_lists.bin

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+size 0

docs/EngageHandbook-v1.0.pdf

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b48dfb9833d4b8152effe2bc39abcf73ad72ca02e1a72636e09c3d1d05b6857b
+size 1886870

docs/SmallBusinessExample.md

@@ -0,0 +1,1089 @@
+# Small Business Example
+
+
+```python
+# This software was produced for the U.S. Government under contract FA8702-23-C-0001,
+# and is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007)
+# ©2023 The MITRE Corporation. Published under the Linux Foundation’s Cyber Domain Ontology project’s Apache 2 license.
+# Released under MITRE PRS 18-4297.
+```
+
+After checking out the specific class instantiation tutorial examples such as `Honeypot`, `FluidDeception` and `Breadcrumb`, we believe enumerating through an application example can help our audience understand how AEO can represent and support a deception operation.
+
+# Premise
+
+- You are part of a small business called <b> MineralRUs Inc.</b>, which is a small, yet critical mining company in New Hampshire specializing in rare earth elements.
+- Your main clients are from particular sectors of technology and defense industries, and are considered to be critical infrastructure. Therefore, your business and its operation is essential to the integrity of supply chains enabling those critical infrastructure.
+- MineralRUs Inc. maintains paper-based record of their key intellectual property and operational procedures, which are stored in a physical safe. This fact is known by only a select few in the company.
+- Your business has a small, unorganized computer network with only generic security infrastructure, and the company does not have the resources to employ an in-house information security team. Instead, a very small team is tasked with maintaining Operational Technology (OT) systems on the network.
+
+Your company has recently received an advisory from federal authorities, warning businesses in your industry about the rapidly growing threat of cyber espionage by state-sponsored Advanced Persistent Threats (APTs). In response, your company decides to engage an external cybersecurity provider to assist with timely incident response and prevention. The external provider recommends the employment of active adversary engagement plans, and asks you to develop a high-level deception and denial strategy.
+
+## Preplanning & Indentifying Assets
+
+To get started with the planning of this adversary engagement operation, we begin with an existing tool, namely the <b> Fact&Fiction/(D&D) matrix </b>. The original matrix uses Deception & Denial (D&D) technique types as the row header (for more details, see [Heckman, K. E., et al. (2015), Denial and deception in cyber defense.](https://www.researchgate.net/publication/275270540_Denial_and_Deception_in_Cyber_Defense)
+
+The <b> row header </b> outlines two types of methods that concurrently facilitate adversary engagement: <b>misleading-type methods used to reveal specific information to an adversary and ambiguity-type methods for concealing or denying information from an adversary </b>. The ambiguity-type methods for denial can be used to safe-guard assets through confusion and obfuscation, thus impeding an adversary's efforts to obtain a clear view of relevant resources and access paths. On the other hand, the misleading-type methods aim to induce a desired (mis)perception of the cyber ecosystem through the controlled revelation of real or fabricated information to an adversary.
+
+
+The <b> column header </b> refers to the <b> value of information </b> an adversary gains from some revealed event. In this specific method, fact is used to describe the asset information and fiction specifically implies the intended (mis)perception of such information. 
+
+
+[remove?] Generally speaking, we do not specify actual values, but comparative concepts such as high-value, low-value or no-value in relationship with the deception operation and the expectation of value an adversary justifies for expending resources for. Extension to numerical values can be done, but is not within the scope of this example. 
+
+|| Deception Operation Mislead-type Methods (Revealing) | Denial Operation Ambiguity-type Methods (Concealing) |
+|---| --- | --- |
+|Fact | Network in New Hampshire, business runs a mine in New Hampshire | Business relationships with a specific strategic partner, types of minerals mined given to the strategic partner, process of mineral mining that is essential to the strategic partner, amounts of mined minerals for the strategic partner, company safe location, passcodes, locations of IP keys|
+|Fiction | low-value IP is stored on the network, contained within falsified, obfuscated files | Most important IP is located in <i> this </i> specific encrypted volume |
+
+1. The fiction under the Deception Operation column refers to presenting to an adversary that there is low-value intellectual property on the network such as referencing perhaps other types of non-confidential mineral mining processes and outdated contracts with public partners.
+
+2. The fact under Deception Operation refers to bits of factual but so called friendly information that can help bring realism to the deception operation and allow adversaries to validate some mutual information to minimize inconsistencies in the perception.
+
+3. The fiction under the Denial Operation refers to giving the adversary the perception that it is in the defender's interest for the network to conceal the location of the IP.
+
+4. The fact under the Denial Operation refers to the information or assets the strategic partner would like to conceal such as their business relationships and exact details about the mining process and contracted amounts of minerals provided by MineralRUs.
+
+By enumerating the assets of the business such as the intellectual property located in the safe and business operation details, we directly identify what information we would like to deny an adversary. Building on this analysis, we then decide on the appropriate adversary engagement tools and techniques for our deception and denial needs. 
+
+At this point, we would like to raise a reminder that the AE ontology specializes in the characterization of deception and denial operations, but asset evaluation and risk profiling are outside the scope of this work. Such concepts and processes fall within the purview of the soon-to-come UCO Risk and Cyber Threat Intelligence (CTI) subontologies.
+
+
+
+## From the Narrative to a Graph
+
+The Adversary Engagement Ontology provides the structure needed to transform your abstract deception operation plan into graph representation. The degree of how detailed your `Narrative` depends on how extensively refined do you want your preoperation planning to be. 
+
+
+### The Mapping Process
+
+- 1. Start with a basic more or less static structure. Outline the sequence of planned events for the deception operation. Then comes the following iterative process:
+    - 2.a Select deception techniques and objects according to the intended fiction (cf. Fact&Fiction matrix)
+    - 2.b Evaluate the refinements: Does it deliver your desired fiction in the most feasible, effective and efficient manner?
+    - 2.c If not, repeat 2.a and 2.b until satisfied.
+
+### Diagram representation
+
+![SmallBusinessNarrativeExample.drawio.png](SmallBusinessNarrativeExample.drawio.png)
+
+In this diagram, the `Narrative` has very little `PlannedEvent(s)` within the `Storyline`. That's okay! Not all deception operations need to consider adversaries with straightforward access to the contents and artifacts of a network. Deception operations typically use just a subset of all the deception tools and tricks, particularly since the employment of each additional component comes with additional cost in terms of resources, risk, and operational integrity. In our example scenario of a small business, extremely complex forms of deception are deemed infeasible within their scope of available resources and risk models. 
+
+- The class [`engagement:Honeypot`](https://aeontology.sail-lab.org/docs/class-engagementhoneypot.html) in this use case is used with the specific objective `objective:Direct` to lure an adversary away from the real assets of the network to this fictitious staged location. 
+
+- Staged files are instantiated under the general [`engagement:LureObject`](https://aeontology.sail-lab.org/docs/class-engagementlureobject.html) class, though these can be fully real, partially real or completely facticious files. Furthermore, these `LureObject(s)` are associated with the objective `objective:Exfiltrate` which implies that these files are intended to be taken by an adversary off the network. (More complex representations may include instances associated with attack patterns for an adversary with the same objective.)
+
+- The method which we plan to be notified whether these files were removed from the network is through a canary token, however one can have other `DataSource(s)` such as a network monitor.
+
+## Building the JSON-LD:
+
+1. As with all `Narrative(s)`, we start with instantiating an [`engagement:Narrative`](https://aeontology.sail-lab.org/docs/class-engagementnarrative.html) class which is often referred to as a deception campaign and is the collection of all storylines . We also specify a large-scale operational objective to the Narrative object. This instance of an [`engagement:Narrative`](https://aeontology.sail-lab.org/docs/class-engagementnarrative.html) only has one instance of a [`engagement:Storyline`](https://aeontology.sail-lab.org/docs/class-engagementstoryline.html) attached since we have only developed one plan so far. However, we can model this with multiple `Storyline(s)` if we wanted to separate each falsified file as its own `Storyline`.
+2. An objective can be attached to describe large-scale operational objectives. Explicit objectives are considered individual, so please remember that!
+
+
+```python
+{
+  "@id": "kb:narrative1",
+  "@type": "engagement:Narrative",
+  "engagement:hasStoryline": [
+    {
+      "@id": "kb:storyline1",
+      "@type": "engagement:Storyline",
+      "uco-core:name": "ProtectTheFilesNarrative"
+    }
+  ],
+  "objective:hasObjective": [
+    {
+      "@id": "kb:objective1",
+      "@type": "objective:Objective",
+      "uco-core:name": "ProtectTheFiles"
+    }
+  ],
+  "uco-core:description": "Grand objective is to lure adversaries or insiders on the network away from details of the mining operations, location and passcode of the safe containing intellectual property."
+}
+```
+
+
+
+
+    {'@id': 'kb:narrative1',
+     '@type': 'engagement:Narrative',
+     'engagement:hasStoryline': [{'@id': 'kb:storyline1',
+       '@type': 'engagement:Storyline',
+       'uco-core:name': 'ProtectTheFilesNarrative'}],
+     'objective:hasObjective': [{'@id': 'kb:objective1',
+       '@type': 'objective:Objective',
+       'uco-core:name': 'ProtectTheFiles'}],
+     'uco-core:description': 'Grand objective is to lure adversaries or insiders on the network away from details of the mining operations, location and passcode of the safe containing intellectual property.'}
+
+
+
+3. Next, to populate the sequence of `PlannedEvent(s)`for a our instance of [`engagement:Storyline`](https://aeontology.sail-lab.org/docs/class-engagementstoryline.html), we add an event, let's call it `kb:Event1`.
+4. Each instance of [`PlannedEvent`](https://aeontology.sail-lab.org/docs/class-engagementplannedevent.html) is designed to have an action class e.g. `engagement:Deploy` by the [`engagement:eventContext`](https://aeontology.sail-lab.org/docs/prop-engagementeventcontext.html) property. By design, action concepts like `Deploy` can support properties such as `performers`, `object`, `environment` etc because of its parent class `uco-action:Action`.
+5. In this explicit case, the `object` that is `Deploy`(ed) is an instance of a [`engagement:Honeypot`](https://aeontology.sail-lab.org/docs/class-engagementhoneypot.html) with the specific objective of `objective:Direct`, implying the honeypot is used to direct adversaries to or away from other assets on the network.
+
+
+```python
+{
+  "@id": "kb:Event1",
+  "@type": "engagement:PlannedEvent",
+  "engagement:eventContext": [
+    {
+      "@id": "kb:deploy1",
+      "@type": "engagement:Deploy",
+      "uco-action:object": [
+        {
+          "@id": "kb:honeypot1",
+          "@type": "engagement:Honeypot",
+          "uco-core:description": "Fake production server to contain the fabricated files.",
+          "objective:hasObjective": [
+            {
+              "@id": "objective:Direct"
+            } 
+            ]
+
+        }]
+}]
+}
+```
+
+
+
+
+    {'@id': 'kb:Event1',
+     '@type': 'engagement:PlannedEvent',
+     'engagement:eventContext': [{'@id': 'kb:deploy1',
+       '@type': 'engagement:Deploy',
+       'uco-action:object': [{'@id': 'kb:honeypot1',
+         '@type': 'engagement:Honeypot',
+         'uco-core:description': 'Fake production server to contain the fabricated files.',
+         'objective:hasObjective': [{'@id': 'objective:Direct'}]}]}]}
+
+
+
+6. Besides an instance of a [`engagement:Honeypot`](https://aeontology.sail-lab.org/docs/class-engagementhoneypot.html) and the CanaryTokenAlert `dataSource`, two deception objects namely the obfuscated, falsified files were deployed during the first `PlannedEvent`. Both files `kb:obffile1` and `kb:obffile2` are an instances of a [`engagement:LureObject`](https://aeontology.sail-lab.org/docs/class-engagementlureobject.html) with the explicit objective `objective:Exfiltrate` of being exfilitrated from the network by adversaries. The first file being false information on the mining procedures used by the business and the second file refers to false passcodes in case the adversary happens to be an insider.
+
+
+```python
+{
+  "@id": "kb:obffile1",
+  "@type": "engagement:LureObject",
+  "uco-core:name": "mining-procedure.pdf",
+  "uco-core:description": "Fake file of mining procedures.",
+  "objective:hasObjective": [
+    {
+      "@id": "objective:Exfilitrate"
+    } 
+    ]
+},
+{
+  "@id": "kb:obffile2",
+  "@type": "engagement:LureObject",
+  "uco-core:name": "backup-safe-passcode.pdf",
+  "uco-core:description": "Fake file of safe passcode and physical location of the safe.",
+  "objective:hasObjective": [
+    {
+      "@id": "objective:Exfiltrate"
+    } 
+    ]
+}
+```
+
+
+
+
+    {'@id': 'kb:obffile2',
+     '@type': 'engagement:LureObject',
+     'uco-core:name': 'backup-safe-passcode.pdf',
+     'uco-core:description': 'Fake file of safe passcode and physical location of the safe.',
+     'objective:hasObjective': [{'@id': 'objective:Exfiltrate'}]}
+
+
+
+7. We also know who is going to `Deploy` the deception objects so we should also include that through the `performer` property.
+8. We also attach an objective the `Deploy` action.
+
+
+```python
+{"uco-action:performer": [
+{
+  "@id": "kb:person1",
+  "@type": "uco-identity:Person",
+  "uco-core:hasFacet": [
+    {
+      "@id": "kb:RichardRocky",
+      "@type": "identity:SimpleNameFacet",
+      "uco-identity:familyName": "Richard",
+      "uco-identity:givenName": "Rocky"
+    }
+  ]
+}
+],
+"objective:hasObjective": [
+{
+  "@id": "objective:Deploy"
+}
+]
+}
+```
+
+
+
+
+    {'uco-action:performer': [{'@id': 'kb:person1',
+       '@type': 'uco-identity:Person',
+       'uco-core:hasFacet': [{'@id': 'kb:RichardRocky',
+         '@type': 'identity:SimpleNameFacet',
+         'uco-identity:familyName': 'Richard',
+         'uco-identity:givenName': 'Rocky'}]}],
+     'objective:hasObjective': [{'@id': 'objective:Deploy'}]}
+
+
+
+9. The first instance of [`PlannedEvent`](https://aeontology.sail-lab.org/docs/class-engagementplannedevent.html) describes the deployment of the deception objects onto the network. Now we continue to what we expect to happen in the next `PlannedEvent` called `kb:Event2`. We left the property [`eventContext`](https://aeontology.sail-lab.org/docs/prop-engagementeventcontext.html) with `...` because this needs to be expanded, but we will get to that in the next step. 
+
+
+```python
+{
+      "@id": "kb:Event2",
+      "@type": "engagement:PlannedEvent",
+      "engagement:eventContext": [...],
+      "uco-core:name": "adv-exfiltrates-Obfuscated-files"
+    }
+    
+```
+
+10. The first thing we expect is an action that is partially-observable, but not entirely. In this case, we do not actually know if a file is exfiltrated until we are alerted by our `dataSource` that it recieved a signal from the obfuscated file through the canarytoken. We include an instance of `Alert` to represent the relationship between the CanaryTokenAlert system and the obfuscated files which we are able to deduce.
+
+
+```python
+ {
+          "@id": "kb:alert0",
+          "@type": "engagement:Alert",
+          "uco-action:performer": [            
+                {
+                  "@id": "kb:obffile1"
+                },
+                {
+                  "@id": "kb:obffile2"
+                },
+                {
+                  "@id": "kb:file1",
+                  "@type": "uco-observable:File",
+                  "uco-core:name": "backup-safe-passcode.pdf",
+                  "uco-core:hasFacet": [
+                    {
+                      "@id": "kb:filefacet1",
+                      "@type": "uco-observable:FileFacet",
+                      "observable:filename": "backup-safe-passcode.pdf"
+                    }
+                  ]
+                },
+                {
+                  "@id": "kb:file2",
+                  "@type": "uco-observable:File",
+                  "uco-core:name": "mining-procedure.pdf",
+                  "uco-core:hasFacet": [
+                    {
+                      "@id": "kb:filefacet1",
+                      "@type": "uco-observable:FileFacet",
+                      "observable:filename": "mining-procedure.pdf"
+                    }
+                  ]
+                }
+          ],
+          "uco-action:object": [            
+            {
+              "@id": "kb:DataSource1",
+              "@type": "engagement:DataSource",
+              "uco-core:name": "CanaryTokenAlert"
+            }
+          ]
+ }
+```
+
+11. The second thing we expect is to be alerted by some data source. Then, the action class we will use to describe this is an instance of [`Alert`](https://aeontology.sail-lab.org/docs/class-engagementalert.html). The `performer` for this instance of [`Alert`](https://aeontology.sail-lab.org/docs/class-engagementalert.html) is not going to be a person or identity, but rather an [`engagement:DataSource`](https://aeontology.sail-lab.org/docs/class-engagementdatasource.html) we call CanaryTokenAlert.
+12. The `object` property of `Alert` would be an identity such as a person such as our deployer, Richard Rocky.
+13. The attached objective to this action is `objective:Detect` because the usage of an alert is to inform a defender or identity of an event.
+
+
+```python
+{
+  "@id": "kb:alert1",
+  "@type": "engagement:Alert",
+  "engagement:alertContext": [...],
+  "uco-action:object": [
+    {
+      "@id": "kb:person1"
+    }
+  ],
+  "uco-action:performer": [
+    {
+      "@id": "kb:DataSource1",
+      "@type": "engagement:DataSource",
+      "uco-core:name": "CanaryTokenAlert"
+    }
+  ]
+}
+
+```
+
+14. We now expand the property `alertContext` to describe what this explicit alert implies about an occurence. By design, we expect to see another action such as `Access` since the alert informed us that one of the falsified files were accessed. 
+15. Unified Cyber Ontology (UCO) explicitly has a class called `uco-observable:File` which we use to instantiate the UCO object itself with an attached facet `uco-observable:FileFacet`. We reference the `kb:obffile1` instance with the property `object`.
+
+`kb:obffile1`
+
+
+```python
+{
+"engagement:alertContext": [
+{
+  "@id": "kb:access1",
+  "@type": "engagement:Access",
+  "uco-action:object": [
+    {
+      "@id": "kb:obffile1",
+    },
+    {
+      "@id": "kb:file1",
+      "@type": "uco-observable:File",
+      "uco-core:name": "backup-safe-passcode.pdf",
+      "uco-core:hasFacet": [
+        {
+          "@id": "kb:filefacet1",
+          "@type": "uco-observable:FileFacet",
+          "observable:filename": "backup-safe-passcode.pdf"
+        }
+      ]
+    }
+  ],
+  "uco-action:performer": [...]
+}
+]
+}
+```
+
+16. We then repeat the process for `kb:obffile2`. Additionally, we expect the `performer` of the `Access` action to be a specific person, namely Mary Moroe. This is because she is the only other person that is aware of the physical safe and has a privilege user account that would have user account access to view this file.
+
+`kb:obffile2`
+
+
+```python
+{
+"engagement:alertContext": [
+{
+  "@id": "kb:access1",
+  "@type": "engagement:Access",
+  "uco-action:object": [
+    {
+      "@id": "kb:obffile2"
+    },
+    {
+      "@id": "kb:file2",
+      "@type": "uco-observable:File",
+      "uco-core:name": "mining-procedure.pdf",
+      "uco-core:hasFacet": [
+        {
+          "@id": "kb:filefacet1",
+          "@type": "uco-observable:FileFacet",
+          "observable:filename": "mining-procedure.pdf"
+        }
+      ]
+    }
+  ],
+  "uco-action:performer": [
+        {
+          "@id": "kb:person2",
+          "@type": "uco-identity:Person",
+          "uco-core:hasFacet": [
+            {
+              "@id": "kb:MaryMoroe",
+              "@type": "identity:SimpleNameFacet",
+              "uco-identity:familyName": "Mary",
+              "uco-identity:givenName": "Moroe"
+            }
+          ]
+        }
+  ]
+}
+]
+}
+```
+
+17. Now that the [`PlannedEvent`](https://aeontology.sail-lab.org/docs/class-engagementplannedevent.html) is complete, we now need to ensure that the `PlannedEvent(s)` can be used as a sequence of events tied to the [`engagement:Storyline`](https://aeontology.sail-lab.org/docs/class-engagementstoryline.html). To do this, UCO has a specific class called `uco-types:Thread` which has the structure for supporting the concepts of sequential relationships.
+
+18. Our explicit instance of [`engagement:Storyline`](https://aeontology.sail-lab.org/docs/class-engagementstoryline.html) uses a property called `hasEvent` to instantiate an instance of `uco-types:Thread`. The important properties of `uco-types:Thread` for our use case are: `co:element`, `co:item`, `co:size`, `uco-types:threadOriginItem`, `uco-types:threadTerminalItem`. We outline the necessary properties and will expand them separately.
+
+
+```python
+ {
+  "@id": "kb:storyline1",
+  "@type": "engagement:Storyline",
+      "engagement:hasEvent": [
+        {
+          "@id": "kb:eventthread1",
+          "@type": "uco-types:Thread",
+          "co:element": [...],
+          "co:item": [...],
+          "co:size": {...},
+          "uco-types:threadOriginItem": [...],
+          "uco-types:threadTerminalItem": [...]
+        }
+      ]
+ }
+```
+
+
+
+
+    {'@id': 'kb:storyline1',
+     '@type': 'engagement:Storyline',
+     'engagement:hasEvent': [Ellipsis]}
+
+
+
+`co:element` refers to the elements of the `Thread` so in our case, they reference our instantiated `PlannedEvent(s)`: `kb:Event1` and `kb:Event2`
+
+
+```python
+ {"co:element": [
+    {
+      "@id": "kb:Event1"
+    },
+    {
+      "@id": "kb:Event2"
+    }
+  ] }
+```
+
+
+
+
+    {'co:element': [{'@id': 'kb:Event1'}, {'@id': 'kb:Event2'}]}
+
+
+
+`co:item` refers to the event as a thread item itself.
+
+
+```python
+ {
+
+  "co:item": [
+    {
+      "@id": "kb:event-thread-item1"
+    },
+    {
+      "@id": "kb:event-thread-item2"
+    }
+  ]}
+```
+
+
+
+
+    {'co:item': [{'@id': 'kb:event-thread-item1'},
+      {'@id': 'kb:event-thread-item2'}]}
+
+
+
+`co:size` refers to the number of thread items in the thread.
+
+
+```python
+{  "co:size": {
+    "@type": "xsd:nonNegativeInteger",
+    "@value": "2"
+  }}
+```
+
+
+
+
+    {'co:size': {'@type': 'xsd:nonNegativeInteger', '@value': '2'}}
+
+
+
+`uco-types:threadOriginItem` refers to the first thread item or source thread item.
+
+
+```python
+{  "uco-types:threadOriginItem": [
+    {
+      "@id": "kb:event-thread-item1"
+    }
+  ]}
+```
+
+
+
+
+    {'uco-types:threadOriginItem': [{'@id': 'kb:event-thread-item1'}]}
+
+
+
+`uco-types:threadTerminalItem` refers to the last thread item which terminates the sequence of thread items.
+
+
+```python
+ {
+  "uco-types:threadTerminalItem": [
+    {
+      "@id": "kb:event-thread-item2"
+    }
+  ]
+    }
+```
+
+
+
+
+    {'uco-types:threadTerminalItem': [{'@id': 'kb:event-thread-item2'}]}
+
+
+
+19. Finally, in the home stretch, we need to use `uco-types:ThreadItem` to create the chain of threads using the `uco-types:threadNextItem` property and `uco-types:threadPreviousItem` property. `kb:Event1` only uses the `threadNextItem` and `kb:Event2` only uses the `threadPreviousItem`.
+
+`kb:Event1`
+
+
+```python
+{
+      "@id": "kb:event-thread-item1",
+      "@type": "uco-types:ThreadItem",
+      "co:itemContent": {
+        "@id": "kb:Event1"
+      },
+      "uco-types:threadNextItem": [
+        {
+          "@id": "kb:event-thread-item2"
+        }
+      ]
+    }
+```
+
+
+
+
+    {'@id': 'kb:event-thread-item1',
+     '@type': 'uco-types:ThreadItem',
+     'co:itemContent': {'@id': 'kb:Event1'},
+     'uco-types:threadNextItem': [{'@id': 'kb:event-thread-item2'}]}
+
+
+
+`kb:Event2`
+
+
+```python
+{
+  "@id": "kb:event-thread-item2",
+  "@type": "uco-types:ThreadItem",
+  "co:itemContent": {
+    "@id": "kb:Event2"
+  },
+  "uco-types:threadPreviousItem": [
+    {
+      "@id": "kb:event-thread-item1"
+    }
+  ]
+}
+
+```
+
+
+
+
+    {'@id': 'kb:event-thread-item2',
+     '@type': 'uco-types:ThreadItem',
+     'co:itemContent': {'@id': 'kb:Event2'},
+     'uco-types:threadPreviousItem': [{'@id': 'kb:event-thread-item1'}]}
+
+
+
+And voila! Your adversary engagement plan is now fully represented in a standardized knowledge graph using the AE ontology. 
+
+# Querying a Graph
+
+Now that we have a fully functional example which we can insert into a graph database, let's test some queries. We'll work with logistics for the narrative which can help in the development of more variance and variety of deception techniques used within the `Narrative`
+
+
+```python
+import rdflib
+g = rdflib.Graph()
+narrative_example = "SmallBusinessExample.jsonld"
+g.parse(narrative_example)
+```
+
+
+
+
+    <Graph identifier=N3f6735a044f846e19ecfecb90e0d2179 (<class 'rdflib.graph.Graph'>)>
+
+
+
+## [Q] How many deception objects were instantiated with the objective `engagement:Exfiltrate`?
+
+It may be useful to know how many deception objects were deployed with the objective to be exfiltrated. For our example, it is relatively easy to deploy more obfuscated files on a network than scale up the number of highly functional honeypots on a network, therefore perhaps in a revision of the deception plan, more falsified files are placed on the network for more visibility.
+
+
+```python
+query = """
+PREFIX co: <http://purl.org/co/>
+PREFIX kb: <http://example.org/kb/>
+PREFIX engagement: <https://ontology.adversaryengagement.org/ae/engagement/>
+PREFIX objective: <https://ontology.adversaryengagement.org/ae/objective/>
+
+
+SELECT (COUNT(DISTINCT ?s)  as ?count)
+
+WHERE {
+ ?s objective:hasObjective ?o .
+ ?s ?p objective:Exfiltrate .
+}
+"""
+for row in g.query(query):
+    print(row)
+```
+
+    (rdflib.term.Literal('2', datatype=rdflib.term.URIRef('http://www.w3.org/2001/XMLSchema#integer')),)
+    
+
+## [Q] What are the distinct objectives used during planned events that deployed objects?
+
+It may also be useful to know whether or not our deception operation uses a wide variety of techniques based on their objective. If we know specific characteristics of an adversary such as their attack pattern preferences, we may wish to diversify our plan or simulate a network environment that caters to their preferences for false sense of security.
+
+
+```python
+query = """
+PREFIX co: <http://purl.org/co/>
+PREFIX kb: <http://example.org/kb/>
+PREFIX engagement: <https://ontology.adversaryengagement.org/ae/engagement/>
+PREFIX objective: <https://ontology.adversaryengagement.org/ae/objective/>
+
+
+SELECT DISTINCT ?obj 
+
+WHERE {
+?allevents engagement:eventContext ?action .
+?action ?p engagement:Deploy .
+?event ?y ?action .
+?event engagement:eventContext ?action .
+?action ?has ?object .
+?object objective:hasObjective ?obj .
+}
+"""
+for row in g.query(query):
+    print(row)
+```
+
+    (rdflib.term.URIRef('https://ontology.adversaryengagement.org/ae/objective/Direct'),)
+    (rdflib.term.URIRef('https://ontology.adversaryengagement.org/ae/objective/Exfilitrate'),)
+    
+
+### Full JSON-LD Format
+
+
+```python
+{
+  "@context": {
+    "co": "http://purl.org/co/",
+    "engagement": "https://ontology.adversaryengagement.org/ae/engagement/",
+    "objective": "https://ontology.adversaryengagement.org/ae/objective/",
+    "role": "https://ontology.adversaryengagement.org/ae/role/",
+    "kb": "http://example.org/kb/",
+    "rdfs": "http://www.w3.org/2000/01/rdf-schema#",
+    "uco-action": "https://ontology.unifiedcyberontology.org/uco/action/",
+    "uco-core": "https://ontology.unifiedcyberontology.org/uco/core/",
+    "uco-identity": "https://ontology.unifiedcyberontology.org/uco/identity/",
+    "uco-observable": "https://ontology.unifiedcyberontology.org/uco/observable/",
+    "uco-types": "https://ontology.unifiedcyberontology.org/uco/types/",
+    "xsd": "http://www.w3.org/2001/XMLSchema#"
+  },
+  "@graph": [
+    {
+      "@id": "kb:narrative1",
+      "@type": "engagement:Narrative",
+      "engagement:hasStoryline": [
+        {
+          "@id": "kb:storyline1",
+          "@type": "engagement:Storyline",
+          "uco-core:name": "ProtectTheFilesNarrative"
+        }
+      ],
+      "objective:hasObjective": [
+        {
+          "@id": "kb:objective1",
+          "@type": "objective:Objective",
+          "uco-core:name": "ProtectTheFiles"
+        }
+      ],
+      "uco-core:description": "Grand objective is to lure adversaries or insiders on the network away from details of the mining operations, location and passcode of the safe containing intellectual property."
+    },
+    {
+      "@id": "kb:Event1",
+      "@type": "engagement:PlannedEvent",
+      "engagement:eventContext": [
+        {
+          "@id": "kb:deploy1",
+          "@type": "engagement:Deploy",
+          "uco-action:object": [
+            {
+              "@id": "kb:honeypot1",
+              "@type": "engagement:Honeypot",
+              "uco-core:description": "Fake production server to contain the fabricated files.",
+              "objective:hasObjective": [
+                {
+                  "@id": "objective:Direct"
+                } 
+                ]
+                
+            },
+            {
+              "@id": "kb:obffile1",
+              "@type": "engagement:LureObject",
+              "uco-core:name": "mining-procedure.pdf",
+              "uco-core:description": "ADO file of mining procedures.",
+              "objective:hasObjective": [
+                {
+                  "@id": "objective:Exfiltrate"
+                } 
+                ]
+            },
+            {
+              "@id": "kb:obffile2",
+              "@type": "engagement:LureObject",
+              "uco-core:name": "backup-safe-passcode.pdf",
+              "uco-core:description": "ADO file of safe passcode and physical location of the safe.",
+              "objective:hasObjective": [
+                {
+                  "@id": "objective:Exfiltrate"
+                } 
+                ]
+            }
+          ],
+          "uco-action:performer": [
+            {
+              "@id": "kb:person1",
+              "@type": "uco-identity:Person",
+              "uco-core:hasFacet": [
+                {
+                  "@id": "kb:RichardRocky",
+                  "@type": "identity:SimpleNameFacet",
+                  "uco-identity:familyName": "Richard",
+                  "uco-identity:givenName": "Rocky"
+                }
+              ]
+            }
+          ]
+        }
+      ],
+      "objective:hasObjective": [
+        {
+          "@id": "objective:Deploy"
+        }
+      ],
+      "uco-core:name": "def-deploy-deception-objects"
+    },
+    {
+      "@id": "kb:Event2",
+      "@type": "engagement:PlannedEvent",
+      "engagement:eventContext": [
+ {
+          "@id": "kb:alert0",
+          "@type": "engagement:Alert",
+          "uco-action:performer": [            
+                {
+                  "@id": "kb:obffile1"
+                },
+                {
+                  "@id": "kb:obffile2"
+                },
+                {
+                  "@id": "kb:file1",
+                  "@type": "uco-observable:File",
+                  "uco-core:name": "backup-safe-passcode.pdf",
+                  "uco-core:hasFacet": [
+                    {
+                      "@id": "kb:filefacet1",
+                      "@type": "uco-observable:FileFacet",
+                      "observable:filename": "backup-safe-passcode.pdf"
+                    }
+                  ]
+                },
+                {
+                  "@id": "kb:file2",
+                  "@type": "uco-observable:File",
+                  "uco-core:name": "mining-procedure.pdf",
+                  "uco-core:hasFacet": [
+                    {
+                      "@id": "kb:filefacet1",
+                      "@type": "uco-observable:FileFacet",
+                      "observable:filename": "mining-procedure.pdf"
+                    }
+                  ]
+                }
+          ],
+          "uco-action:object": [            
+            {
+              "@id": "kb:DataSource1",
+              "@type": "engagement:DataSource",
+              "uco-core:name": "CanaryTokenAlert"
+            }
+          ]
+ },
+          
+          
+        {
+          "@id": "kb:alert1",
+          "@type": "engagement:Alert",
+          "engagement:alertContext": [
+            {
+              "@id": "kb:access1",
+              "@type": "engagement:Access",
+              "uco-action:object": [
+                {
+                  "@id": "kb:obffile1"
+                },
+                {
+                  "@id": "kb:obffile2"
+                },
+                {
+                  "@id": "kb:file1",
+                  "@type": "uco-observable:File",
+                  "uco-core:name": "backup-safe-passcode.pdf",
+                  "uco-core:hasFacet": [
+                    {
+                      "@id": "kb:filefacet1",
+                      "@type": "uco-observable:FileFacet",
+                      "observable:filename": "backup-safe-passcode.pdf"
+                    }
+                  ]
+                },
+                {
+                  "@id": "kb:file2",
+                  "@type": "uco-observable:File",
+                  "uco-core:name": "mining-procedure.pdf",
+                  "uco-core:hasFacet": [
+                    {
+                      "@id": "kb:filefacet1",
+                      "@type": "uco-observable:FileFacet",
+                      "observable:filename": "mining-procedure.pdf"
+                    }
+                  ]
+                }
+              ],
+              "uco-action:performer": [
+                    {
+                      "@id": "kb:person2",
+                      "@type": "uco-identity:Person",
+                      "uco-core:hasFacet": [
+                        {
+                          "@id": "kb:MaryMoroe",
+                          "@type": "identity:SimpleNameFacet",
+                          "uco-identity:familyName": "Mary",
+                          "uco-identity:givenName": "Moroe"
+                        }
+                      ]
+                    }
+              ]
+            }
+          ],
+          "uco-action:object": [
+            {
+              "@id": "kb:person1"
+            }
+          ],
+          "uco-action:performer": [
+            {
+              "@id": "kb:DataSource1",
+              "@type": "engagement:DataSource",
+              "uco-core:name": "CanaryTokenAlert"
+            }
+          ]
+        }
+      ],
+      "objective:hasObjective": [
+        {
+          "@id": "objective:Detect"
+        }
+      ],
+      "uco-core:name": "adv-exfiltrates-Obfuscated-files"
+    },
+    
+    {
+      "@id": "kb:storyline1",
+      "@type": "engagement:Storyline",
+      "engagement:hasEvent": [
+        {
+          "@id": "kb:eventthread1",
+          "@type": "uco-types:Thread",
+          "co:element": [
+            {
+              "@id": "kb:Event1"
+            },
+            {
+              "@id": "kb:Event2"
+            }
+          ],
+          "co:item": [
+            {
+              "@id": "kb:event-thread-item1"
+            },
+            {
+              "@id": "kb:event-thread-item2"
+            }
+          ],
+          "co:size": {
+            "@type": "xsd:nonNegativeInteger",
+            "@value": "2"
+          },
+          "uco-types:threadOriginItem": [
+            {
+              "@id": "kb:event-thread-item1"
+            }
+          ],
+          "uco-types:threadTerminalItem": [
+            {
+              "@id": "kb:event-thread-item2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@id": "kb:event-thread-item1",
+      "@type": "uco-types:ThreadItem",
+      "co:itemContent": {
+        "@id": "kb:Event1"
+      },
+      "uco-types:threadNextItem": [
+        {
+          "@id": "kb:event-thread-item2"
+        }
+      ]
+    },
+    {
+      "@id": "kb:event-thread-item2",
+      "@type": "uco-types:ThreadItem",
+      "co:itemContent": {
+        "@id": "kb:Event2"
+      },
+      "uco-types:threadPreviousItem": [
+        {
+          "@id": "kb:event-thread-item1"
+        }
+      ]
+    }
+  ]
+}
+
+```
+
+
+
+
+    {'@context': {'co': 'http://purl.org/co/',
+      'engagement': 'https://ontology.adversaryengagement.org/ae/engagement/',
+      'objective': 'https://ontology.adversaryengagement.org/ae/objective/',
+      'role': 'https://ontology.adversaryengagement.org/ae/role/',
+      'kb': 'http://example.org/kb/',
+      'rdfs': 'http://www.w3.org/2000/01/rdf-schema#',
+      'uco-action': 'https://ontology.unifiedcyberontology.org/uco/action/',
+      'uco-core': 'https://ontology.unifiedcyberontology.org/uco/core/',
+      'uco-identity': 'https://ontology.unifiedcyberontology.org/uco/identity/',
+      'uco-observable': 'https://ontology.unifiedcyberontology.org/uco/observable/',
+      'uco-types': 'https://ontology.unifiedcyberontology.org/uco/types/',
+      'xsd': 'http://www.w3.org/2001/XMLSchema#'},
+     '@graph': [{'@id': 'kb:narrative1',
+       '@type': 'engagement:Narrative',
+       'engagement:hasStoryline': [{'@id': 'kb:storyline1',
+         '@type': 'engagement:Storyline',
+         'uco-core:name': 'ProtectTheFilesNarrative'}],
+       'objective:hasObjective': [{'@id': 'kb:objective1',
+         '@type': 'objective:Objective',
+         'uco-core:name': 'ProtectTheFiles'}],
+       'uco-core:description': 'Grand objective is to lure adversaries or insiders on the network away from details of the mining operations, location and passcode of the safe containing intellectual property.'},
+      {'@id': 'kb:Event1',
+       '@type': 'engagement:PlannedEvent',
+       'engagement:eventContext': [{'@id': 'kb:deploy1',
+         '@type': 'engagement:Deploy',
+         'uco-action:object': [{'@id': 'kb:honeypot1',
+           '@type': 'engagement:Honeypot',
+           'uco-core:description': 'Fake production server to contain the fabricated files.',
+           'objective:hasObjective': [{'@id': 'objective:Direct'}]},
+          {'@id': 'kb:obffile1',
+           '@type': 'engagement:LureObject',
+           'uco-core:name': 'mining-procedure.pdf',
+           'uco-core:description': 'ADO file of mining procedures.',
+           'objective:hasObjective': [{'@id': 'objective:exfiltrate'}]},
+          {'@id': 'kb:obffile2',
+           '@type': 'engagement:LureObject',
+           'uco-core:name': 'backup-safe-passcode.pdf',
+           'uco-core:description': 'ADO file of safe passcode and physical location of the safe.',
+           'objective:hasObjective': [{'@id': 'objective:exfiltrate'}]}],
+         'uco-action:performer': [{'@id': 'kb:person1',
+           '@type': 'uco-identity:Person',
+           'uco-core:hasFacet': [{'@id': 'kb:RichardRocky',
+             '@type': 'identity:SimpleNameFacet',
+             'uco-identity:familyName': 'Richard',
+             'uco-identity:givenName': 'Rocky'}]}]}],
+       'objective:hasObjective': [{'@id': 'objective:Deploy'}],
+       'uco-core:name': 'def-deploy-deception-objects'},
+      {'@id': 'kb:Event2',
+       '@type': 'engagement:PlannedEvent',
+       'engagement:eventContext': [{'@id': 'kb:alert1',
+         '@type': 'engagement:Alert',
+         'engagement:alertContext': [{'@id': 'kb:access1',
+           '@type': 'engagement:Access',
+           'uco-action:object': [{'@id': 'kb:obffile1'},
+            {'@id': 'kb:obffile2'},
+            {'@id': 'kb:file1',
+             '@type': 'uco-observable:File',
+             'uco-core:name': 'backup-safe-passcode.pdf',
+             'uco-core:hasFacet': [{'@id': 'kb:filefacet1',
+               '@type': 'uco-observable:FileFacet',
+               'observable:filename': 'backup-safe-passcode.pdf'}]},
+            {'@id': 'kb:file2',
+             '@type': 'uco-observable:File',
+             'uco-core:name': 'mining-procedure.pdf',
+             'uco-core:hasFacet': [{'@id': 'kb:filefacet1',
+               '@type': 'uco-observable:FileFacet',
+               'observable:filename': 'mining-procedure.pdf'}]}],
+           'uco-action:performer': [{'@id': 'kb:person2',
+             '@type': 'uco-identity:Person',
+             'uco-core:hasFacet': [{'@id': 'kb:MaryMoroe',
+               '@type': 'identity:SimpleNameFacet',
+               'uco-identity:familyName': 'Mary',
+               'uco-identity:givenName': 'Moroe'}]}]}],
+         'uco-action:object': [{'@id': 'kb:person1'}],
+         'uco-action:performer': [{'@id': 'kb:DataSource1',
+           '@type': 'engagement:DataSource',
+           'uco-core:name': 'CanaryTokenAlert'}]}],
+       'objective:hasObjective': [{'@id': 'objective:Detect'}],
+       'uco-core:name': 'adv-exfiltrates-Obfuscated-files'},
+      {'@id': 'kb:storyline1',
+       '@type': 'engagement:Storyline',
+       'engagement:hasEvent': [{'@id': 'kb:eventthread1',
+         '@type': 'uco-types:Thread',
+         'co:element': [{'@id': 'kb:Event1'}, {'@id': 'kb:Event2'}],
+         'co:item': [{'@id': 'kb:event-thread-item1'},
+          {'@id': 'kb:event-thread-item2'}],
+         'co:size': {'@type': 'xsd:nonNegativeInteger', '@value': '2'},
+         'uco-types:threadOriginItem': [{'@id': 'kb:event-thread-item1'}],
+         'uco-types:threadTerminalItem': [{'@id': 'kb:event-thread-item2'}]}]},
+      {'@id': 'kb:event-thread-item1',
+       '@type': 'uco-types:ThreadItem',
+       'co:itemContent': {'@id': 'kb:Event1'},
+       'uco-types:threadNextItem': [{'@id': 'kb:event-thread-item2'}]},
+      {'@id': 'kb:event-thread-item2',
+       '@type': 'uco-types:ThreadItem',
+       'co:itemContent': {'@id': 'kb:Event2'},
+       'uco-types:threadPreviousItem': [{'@id': 'kb:event-thread-item1'}]}]}
+
+
+
+Note: Objectives are considered individual and, as such, will not be found under any classes in the documentation. For more details on the AE Ontology Documentation, please [click here](https://aeontology.sail-lab.org/docs/index.html). The UCO Documentation can be accessed from this [link.](https://unifiedcyberontology.org/releases/0.7.0/docs/index.html)
+
+
+The aforementioned examples are based on the latest release of AE Ontology version 0.1.8. It should be noted that the AE Ontology will continue to incorporate additive improvements, which may involve the inclusion of new classes and the removal of old concepts, potentially affecting the existing examples. We recommend checking the [latest release](https://aeontology.sail-lab.org/release/) news on [AE ontology website](https://aeontology.sail-lab.org/) to ensure you have access to the most up-to-date information. Additionally, supplementary examples can be found in the GitHub [`examples`](https://github.com/UNHSAILLab/Adversary-Engagement-Ontology/tree/main/examples) directory. Lastly, if you have any inquiries, please do not hesitate to contact us through this [contact form](https://aeontology.sail-lab.org/contact/).
+

docs/aeo_example_generator.py

@@ -0,0 +1,300 @@
+import os
+import openai
+import json
+import rdflib
+
+
+class ExampleGenerator:
+    def __init__(self):
+        self.ontologies = {}
+        self.ontology_files = []
+        self.rules = {}
+    def add_ontology(self, onto):
+        if onto in self.ontology_files:
+            raise ValueError("Ontology file already exists.")
+        else:
+            onto_data = self.get_ontology_file(onto)
+            if onto_data:
+                self.ontology_files.append(onto)
+                self.ontologies[onto] = self.get_ontology_file(onto)
+                self.rules[onto] = self.generate_rules(onto)
+            else:
+                raise ValueError("Ontology file error.")
+    def get_ontology_file(self,filename):
+        text = ""
+        if os.path.isfile(filename):
+            with open(filename,'r') as f:
+                text = f.read()
+            f.close()
+            return text
+        else:
+            raise ValueError("Invalid filename.")
+    def ChatGPTTextSplitter(self,text):
+        """Splits text in smaller subblocks to feed to the LLM"""
+        prompt = f"""The total length of content that I want to send you is too large to send in only one piece.
+
+    For sending you that content, I will follow this rule:
+
+    [START PART 1/10]
+    this is the content of the part 1 out of 10 in total
+    [END PART 1/10]
+
+    Then you just answer: "Instructions Sent."
+
+    And when I tell you "ALL PARTS SENT", then you can continue processing the data and answering my requests.
+        """
+        if type(text) == str:
+            textsize = 12000
+            blocksize = int(len(text) / textsize)
+            if blocksize > 0:
+                yield prompt
+
+                for b in range(1,blocksize+1):
+                    if b < blocksize+1:
+                        prompt = f"""Do not answer yet. This is just another part of the text I want to send you. Just receive and acknowledge as "Part {b}/{blocksize} received" and wait for the next part.
+                [START PART {b}/{blocksize}]
+                {text[(b-1)*textsize:b*textsize]}
+                [END PART {b}/{blocksize}]
+                Remember not answering yet. Just acknowledge you received this part with the message "Part {b}/{blocksize} received" and wait for the next part.
+                        """
+                        yield prompt
+                    else:
+                        prompt = f"""
+                [START PART {b}/{blocksize}]
+                {text[(b-1)*textsize:b*textsize]}
+                [END PART {b}/{blocksize}]
+                ALL PARTS SENT. Now you can continue processing the request.
+                        """
+                        yield prompt
+            else:
+                yield text
+        elif type(text) == list:
+            yield prompt
+
+            for n,block in enumerate(text):
+                if n+1 < len(text):
+                    prompt = f"""Do not answer yet. This is just another part of the text I want to send you. Just receive and acknowledge as "Part {n+1}/{len(text)} received" and wait for the next part.
+            [START PART {n+1}/{len(text)}]
+            {text[n]}
+            [END PART {n+1}/{len(text)}]
+            Remember not answering yet. Just acknowledge you received this part with the message "Part {n+1}/{len(text)} received" and wait for the next part.
+                    """
+                    yield prompt
+                else:
+                    prompt = f"""
+            [START PART {n+1}/{len(text)}]
+            {text[n]}
+            [END PART {n+1}/{len(text)}]
+            ALL PARTS SENT. Now you can continue processing the request.
+                    """
+                yield prompt
+
+    def send_ontology(self):
+        ontology = ""
+        if len(self.ontologies) > 0:
+            for k,v in self.ontologies.items():
+                ontology+=v+"\n"
+            print("Sending Ontology in Parts")
+            for i in self.ChatGPTTextSplitter(ontology):
+                print(self.llm_api(i))
+        else:
+            raise ValueError("No loaded ontology to send.")
+    def llm_api(self,prompt,model="gpt-3.5-turbo"):
+        messages = [{
+            "role":"user",
+            "content":prompt
+        }]
+        res = openai.ChatCompletion.create(model=model,messages=messages,temperature=0)
+        return res.choices[0].message['content']
+    
+    def generate_rule(self,onto=None):
+        """Raw rule string of AEO."""
+        v = """Remember make a json-ld format example that only uses classes and properties terms from Adversary Engagement Ontology, Unified Cyber Ontology. 
+
+Each engagement:Narrative has property:
+    engagement:hasStoryline connects to an engagement:Storyline
+Each engagement:Storyline has property:
+    engagement:hasEvent connects to a uco-types:Thread
+Each uco-types:Thread has properties:
+    co:element contains all engagement:PlannedEvents
+    co:item contains all uco-types:ThreadItem one each for each engagement:PlannedEvent.
+    co:size
+    uco-types:threadOriginItem is the uco-types:ThreadItem for the first engagement:PlannedEvent
+    uco-types:threadTerminalItem is the uco-types:ThreadItem for the last engagement:PlannedEvent
+Each co:size has properties:
+    @type as xsd:nonNegativeInteger
+    @value which is the number of uco-types:ThreadItem
+Each uco-types:ThreadItem has property:
+    co:itemContent is the engagement:PlannedEvent
+    optional uco-types:threadNextItem is the next uco-types:ThreadItem for the next engagement:PlannedEvent if there is one,
+    optional uco-types:threadPreviousItem is the previous uco-types:ThreadItem for the previous engagement:PlannedEvent if there is one
+Each engagement:PlannedEvent has property:
+    engagement:eventContext connects to one engagement action has property @type one of the following:
+        engagement:Access
+        engagement:Alert
+        engagement:Beacon
+        engagement:Deploy
+        engagement:Obfuscate
+        engagement:Respond
+Each engagement action has properties:
+    @type is the action
+    uco-core:performer
+    uco-core:object connects to one of the following engagement deception object denoted as "EDO" objects:
+        engagement:Honeypot
+        engagement:Honeytoken
+        engagement:Breadcrumb
+        engagement:BreadcrumbTrail
+        engagement:LureObject
+        engagement:HoneyObject
+        engagement:Decoy
+        engagement:DataSource
+Each "EDO" object has properties:
+    engagement:hasCharacterization connects to a uco-core:UcoObject
+    objective:hasObjective with @type objective:Objective and @id with one of the following instances:
+            objective:CommandAndControl
+            objective:CredentialAccess
+            objective:DevelopResource
+            objective:Discover
+            objective:EscalatePrivilege
+            objective:Evade
+            objective:Execute
+            objective:Exfilitrate
+            objective:GainInitialAccess
+            objective:Impact
+            objective:MoveLaterally
+            objective:Persist
+            objective:Reconnaissance
+            objective:Affect
+            objective:Collect
+            objective:Detect
+            objective:Direct
+            objective:Disrupt
+            objective:Elicit
+            objective:Expose
+            objective:Motivate
+            objective:Plan
+            objective:Prepare
+            objective:Prevent
+            objective:Reassure
+            objective:Analyze
+            objective:Deny
+            objective:ElicitBehavior
+            objective:Lure
+            objective:TimeSink
+            objective:Track
+            objective:Trap
+        uco-core:name is the objective
+All people have property:
+    @type is uco-identity:Person
+    uco-core:hasFacet that connects to one of the following: 
+        uco-identity:SimpleNameFacet which has the property:
+            uco-identity:familyName
+            uco-identity:givenName
+Each uco-core:Role has properties:
+        @id is the role
+        uco-core:name is the role
+Each uco-core:Role there is a uco-core:Relationship with properties:
+    uco-core:kindofRelationship is "has_Role"
+    uco-core:source connects to the person who has the role
+    uco-core:target connects to uco-core:Role
+Each engagement:BreadcrumbTrail has property:
+    engagement:hasBreadcrumb connects to uco-types:Thread
+        This uco-types:Thread has property:
+            co:element contains all engagement:Breadcrumb that belong to this engagement:BreadcrumbTrail
+            co:item contains all uco-types:ThreadItem one each for each engagement:Breadcrumb
+            co:size
+            uco-types:threadOriginItem is the uco-types:ThreadItem for the first engagement:Breadcrumb belonging to this engagement:BreadcrumbTrail
+            uco-types:threadTerminalItem is the uco-types:ThreadItem for the last engagement:Breadcrumb belonging to this engagement:BreadcrumbTrail
+Each engagement:Breadcrumb has the properties:
+    engagement:hasCharacterization which connects to a uco-core:UcoObject with the property:
+        uco-core:description which describes the object characterizing the breadcrumb
+All classes must include property:
+    @type is the class
+    @id is a unique identifier
+    
+If namespace "engagement" prefix is used then https://ontology.adversaryengagement.org/ae/engagement#
+If namespace "objective" prefix is used then https://ontology.adversaryengagement.org/ae/objective#
+If namespace "role" prefix is used then https://ontology.adversaryengagement.org/ae/role#
+If namespace "identity" prefix is used then https://ontology.adversaryengagement.org/ae/identity#
+If namespace "uco-core" prefix is used then https://ontology.unifiedcyberontology.org/uco/core#
+If namespace "uco-types" prefix is used then https://ontology.unifiedcyberontology.org/uco/types#
+If namespace "uco-role" prefix is used then https://ontology.unifiedcyberontology.org/uco/role#
+        """
+        return v
+    
+    def generate_continue(self):
+        v = """
+        continue
+        """
+        return v
+    
+    def raw_prompt(self,description):
+        
+        def run(val):
+            prompt = f"""Give me a full json-ld format example for the following scenario:
+            {description}
+
+            {"".join(val)}
+            """
+            for i in self.ChatGPTTextSplitter(prompt):
+                res = self.llm_api(i)
+            return res
+#             return json.loads(res)
+        res_val =  run(self.generate_rule())
+        #res_val =  run(self.generate_rules())
+        try:
+            val = json.loads(res_val)
+            return val
+        except:
+            #the response was cut off, prompt for the continuation.
+            data = []
+            data.append(res_val)
+            while True:
+                res = self.llm_api(self.generate_continue())
+                data.append(res)
+                try:
+                    full = "".join(data)
+                    return json.loads(full)
+                except:
+                    pass
+                     
+        return None
+    
+    def get_ns(self,string):
+        return string.split(":")[0]
+
+    
+    def prompt(self,description):
+        res = self.raw_prompt(description)
+        
+        #include only relevent namespaces
+        prefixes = []
+
+        def is_nested(LIST):
+            if type(LIST) == list:
+                for JSON in LIST:
+                    for key in JSON.keys():
+                        if type(JSON[key]) == dict:
+                            is_nested(JSON[key])
+                    if '@type' in JSON.keys():
+                        prefixes.append(self.get_ns(JSON['@type']))
+            else:
+                JSON = LIST
+                for key in JSON.keys():
+                    if type(JSON[key]) == dict:
+                        is_nested(JSON[key])
+                if '@type' in JSON.keys():
+                    prefixes.append(self.get_ns(JSON['@type']))
+                    
+        
+        is_nested(res['@graph'])
+        prefixes = set(prefixes)
+        
+        new_prefixes = {}
+        for prefix in prefixes:
+            if prefix in res['@context']:
+                new_prefixes[prefix] = res['@context'][prefix]
+        
+        res['@context'] = new_prefixes
+ 
+        return res

lureGeneration/LureGenerator.py

@@ -0,0 +1,144 @@
+import os
+import openai
+import json
+import rdflib
+
+class LureObject:
+    def __init__(self):
+        self.lure_name = ""
+        self.type = "" #honeytoken, honeypot
+        self.content = ""
+        
+
+class LureGenerator:
+    def __init__(self):
+        self.lure = []
+
+    def ChatGPTTextSplitter(self,text):
+        """Splits text in smaller subblocks to feed to the LLM"""
+        prompt = f"""The total length of content that I want to send you is too large to send in only one piece.
+
+    For sending you that content, I will follow this rule:
+
+    [START PART 1/10]
+    this is the content of the part 1 out of 10 in total
+    [END PART 1/10]
+
+    Then you just answer: "Instructions Sent."
+
+    And when I tell you "ALL PARTS SENT", then you can continue processing the data and answering my requests.
+        """
+        if type(text) == str:
+            textsize = 12000
+            blocksize = int(len(text) / textsize)
+            if blocksize > 0:
+                yield prompt
+
+                for b in range(1,blocksize+1):
+                    if b < blocksize+1:
+                        prompt = f"""Do not answer yet. This is just another part of the text I want to send you. Just receive and acknowledge as "Part {b}/{blocksize} received" and wait for the next part.
+                [START PART {b}/{blocksize}]
+                {text[(b-1)*textsize:b*textsize]}
+                [END PART {b}/{blocksize}]
+                Remember not answering yet. Just acknowledge you received this part with the message "Part {b}/{blocksize} received" and wait for the next part.
+                        """
+                        yield prompt
+                    else:
+                        prompt = f"""
+                [START PART {b}/{blocksize}]
+                {text[(b-1)*textsize:b*textsize]}
+                [END PART {b}/{blocksize}]
+                ALL PARTS SENT. Now you can continue processing the request.
+                        """
+                        yield prompt
+            else:
+                yield text
+        elif type(text) == list:
+            yield prompt
+
+            for n,block in enumerate(text):
+                if n+1 < len(text):
+                    prompt = f"""Do not answer yet. This is just another part of the text I want to send you. Just receive and acknowledge as "Part {n+1}/{len(text)} received" and wait for the next part.
+            [START PART {n+1}/{len(text)}]
+            {text[n]}
+            [END PART {n+1}/{len(text)}]
+            Remember not answering yet. Just acknowledge you received this part with the message "Part {n+1}/{len(text)} received" and wait for the next part.
+                    """
+                    yield prompt
+                else:
+                    prompt = f"""
+            [START PART {n+1}/{len(text)}]
+            {text[n]}
+            [END PART {n+1}/{len(text)}]
+            ALL PARTS SENT. Now you can continue processing the request.
+                    """
+                yield prompt
+
+
+    def llm_api(self,prompt,model="gpt-3.5-turbo"):
+        messages = [{
+            "role":"user",
+            "content":prompt
+        }]
+        res = openai.ChatCompletion.create(model=model,messages=messages,temperature=0)
+        return res.choices[0].message['content']
+    
+    def generate_rule(self,deceptionObject,role):
+        v = f"""Generate examples of {deceptionObject} that would be perceived valuable by an adversary about a person who has the role {role} and lure them to a specific location on the network. Generate json-format objects from the examples and return a json-format object containing all json-format objects.
+        """
+        return v
+    def generate_rule2(self,deceptionObject,role,jsn):
+        v = f"""Generate the detailed contents of an example of what an adversary would see if they accessed this {deceptionObject}: {jsn}
+        """
+        return v
+    
+    def generate_continue(self):
+        v = """
+        continue
+        """
+        return v
+    
+    def raw_prompt(self,LureType,Role):
+        def run(val):
+            prompt = "".join(val)
+            for i in self.ChatGPTTextSplitter(prompt):
+                res = self.llm_api(i)
+            return res
+        res_val =  run(self.generate_rule(LureType,Role))
+        return res_val
+    def raw_content(self,LureType,Role,jsn):
+        def run(val):
+            prompt = "".join(val)
+            for i in self.ChatGPTTextSplitter(prompt):
+                res = self.llm_api(i)
+            return res
+        res_val =  run(self.generate_rule2(LureType,Role,jsn))
+        return res_val
+
+
+    
+    def generate(self,LureType,Role:str = ""):
+        
+        assert LureType in ['honeytoken','honeypot','honeyfile']
+        res = self.raw_prompt(LureType,Role)
+        
+        self.sketch = res
+        
+        try:
+            jsn = json.loads(res)
+        except:
+            raise ValueError("Failed to parse json-format.")
+            
+        key = list(jsn.keys())
+        if len(key) == 1:
+            for n,example in enumerate(list(jsn[key[0]])):
+                lure = LureObject()
+                lure.json = example
+                lure.lure_name = key[0]+"_"+str(n)
+                lure.content = self.raw_content(LureType,Role,example)
+                lure.type = LureType
+                lure.userRole = Role
+        
+                self.lure.append(lure)
+
+        return self.lure

pages/1_AEO_Example_Generator.py

@@ -0,0 +1,76 @@
+import streamlit as st
+import openai
+
+
+
+
+st.title('AEO Example Generator')
+
+about = ''' Adversary Engagement Ontology (AEO) is a candidate ontology to the Unified Cyber Ontology (UCO), a community effort for the ontological standardization of cyber domain concepts and objects under a unifying framework, and is part of the Cyber Domain Ontology (CDO). Community efforts and development has always been manual labor intensive in regards to ontology changes, ontology example generation for adopters, documentation generation. Large Language Models (LLMs) have been shown to be capable of automating many tasks or aiding in human expert decision-making. We demonstrate how foundational LLMs such as ChatGPT and GPT4 can assist in ontology example generation, ontology development, and overall be used in automation tooling for structured but tedious tasks.
+This space can be used to create an example of how to setup the AEO instance. It uses the power of OpenAI's ChatGPT. 
+The generator currently uses strictly prewritten rules of AEO, discussion on an automation process is still early .
+he generator currently is bounded by prompt size limits. 
+
+There are some known work arounds but none are functionally implemented yet.
+
+Official GitHub: https://github.com/UNHSAILLab/Adversary-Engagement-Ontology 
+'''
+st.markdown(about)
+
+openai_key = st.text_input("Enter your OpenAI key", type="password")
+openai.api_key =  openai_key 
+
+
+
+
+from aeo_ex_generator.aeo_example_generator import ExampleGenerator
+ex = ExampleGenerator() 
+
+
+
+# Prompt Examples
+st.subheader("Prompts Examples")
+with st.expander("Example-1"):
+    st.write("""
+Use one engagement:Narrative
+Use one engagement:Storyline
+Use the following people:
+    Bob Smith is a defender role
+    Mary Jane is an adversary role
+Use three planned events:
+    Planned Event one - Bob Smith deploys a honeyobject enviroment and a honeytoken file containing fake user credentials called "user-creds.dmp". The objective is to direct and elicit.  He also deploys a honeypot with the objective to detect and trap.
+    Planned Event two - The honeypot beacons to the dataTarget called CanaryTokenAlert, the performer is the honeypot, the object is the CanaryTokenAlert.
+    Planned Event three - CanaryTokenAlert dataSource alerts Bob Smith that the second honeypot was accessed. The performer is the CanaryTokenAlert, the object is Bob Smith
+    """)
+with st.expander("Example-2"):
+    st.write("""
+    Use one engagement:Narrative
+    Use one engagement:Storyline
+    Use the following people:
+        John White is a defender role
+    Use three planned events:
+        Planned Event one - John White deploys a breadcrumbtrail consisting of four breadcrumbs. The objective is to direct. He also deploys a honeypot with the objective to trap.
+        Planned Event two - The honeypot beacons to the dataTarget called CommandControlCenter, the performer is the honeypot, the object is the CommandControlCenter.
+        Planned Event three - CommandControlCenter dataSource alerts John White that the honeypot was accessed. The performer is the CommandControlCenter, the object is John White
+        """)
+    
+
+st.subheader("Write a prompt to generate the example.")
+user_input = st.text_area("Enter your description here ", "", height=200)
+
+# call your function
+# result = foo(user_input)
+if user_input:
+    e = ex.prompt(user_input, jsn=True)
+    result = e['@context']
+    # display result
+    st.subheader('Prefix namespaces mentioned in the example:')
+    st.text_area("", e['@context'], height=200)
+    #st.json(e['@context'])
+    st.subheader('Full example:')
+    try:
+        st.json(e)
+    except:
+        st.text_area("", e, height=400)
+    
+

pages/2_Auto_Generate_Plan_and_Personas.py

@@ -0,0 +1,43 @@
+from aeo_ex_generator.aeo_example_generator import ExampleGenerator
+
+import openai
+import os
+import streamlit as st
+
+import streamlit as st 
+
+st.subheader("This space will autognerate the plans and the personas")
+
+OpenAI_Key = st.text_input(" Please enter your OpenAI key here to continue")
+# only continue if the key is given
+if OpenAI_Key:
+    st.write("Please wait, it will take a while to generate. ")
+    os.environ['OPENAI_API_KEY'] = OpenAI_Key
+    openai.api_key =os.environ['OPENAI_API_KEY'] 
+
+    
+
+    ex = ExampleGenerator() #declare the instance
+    e = ex.auto_generate()
+    
+    st.write(ex.description) #the description is cached in this variable 
+ 
+    st.subheader('Prefix Namespaces')
+    st.write(e['@context']) #here are the prefix namespaces mentioned in the example
+
+
+
+    result = [i for i in e['@graph']]
+    st.subheader('Full example:')
+    try:
+        st.json(result)
+    except:
+        st.text_area("", result, height=400)
+
+    if result:
+        st.subheader("Auto generate specific plan")
+        keywords = st.text_area("Enter keywords to keep in the plan","breadcrumbtrail")
+        nkeywords= st.text_area("You can pass keywords to exclude from the example generation", "honeypot")
+        personas = ex.generate_personas() 
+        st.subheader("Person based on the existing description provided in the deception plan")
+        st.write( ex.persona_descriptions)

pages/3_Lure_Generation.py

@@ -0,0 +1,29 @@
+from lureGeneration.LureGenerator import LureGenerator
+import openai
+import os
+import streamlit as st
+
+import streamlit as st 
+
+st.subheader("In this example you can Lure based on AEO ")
+
+OpenAI_Key = st.text_input(" Please enter your OpenAI key here to continue")
+# only continue if the key is given
+if OpenAI_Key:
+    os.environ['OPENAI_API_KEY'] = OpenAI_Key
+    openai.api_key =os.environ['OPENAI_API_KEY'] 
+
+    # ['honeytoken','honeypot','honeyfile']
+    honey_type = st.text_area(" Please enter one of the type: ['honeytoken','honeypot','honeyfile'] ","honeyfile", height=50)
+    # Description
+    description = st.text_area("Please enter the description. ", "CEO of a critical mining company", height=50)
+    ex = LureGenerator() #declare the instance
+    e = ex.generate(honey_type,description)
+
+    response =  ex.lure[0].content 
+    json_ld = ex.lure[0].json 
+    st.subheader('Content')
+    st.write(response)
+
+    st.subheader('JSON-LD Description')
+    st.write(json_ld)

pages/4_AutoEngage.py

@@ -0,0 +1,77 @@
+import os
+import sys
+#from dotenv import load_dotenv
+from langchain.document_loaders import PyPDFLoader
+from langchain.document_loaders import UnstructuredMarkdownLoader
+from langchain.document_loaders import TextLoader
+from langchain.embeddings import OpenAIEmbeddings
+from langchain.vectorstores import Chroma
+from langchain.chat_models import ChatOpenAI
+from langchain.chains import ConversationalRetrievalChain
+from langchain.text_splitter import CharacterTextSplitter
+from langchain.agents.agent_toolkits import create_retriever_tool
+from langchain.agents.agent_toolkits import create_conversational_retrieval_agent
+from langchain.chat_models import ChatOpenAI
+
+import streamlit as st 
+
+st.write("""In this space you need to provide the description of the engagement 
+         and it will automatically generate the deception strategy and itemized 
+         action along with the JSON-LD description.""")
+
+
+OpenAI_Key = st.text_input(" Please enter your OpenAI key here to continue")
+# only continue if the key is given
+if OpenAI_Key:
+    os.environ['OPENAI_API_KEY'] = OpenAI_Key
+    vectordb = Chroma(persist_directory="./data", embedding_function=OpenAIEmbeddings())
+
+    retriever = vectordb.as_retriever()
+
+    tool = create_retriever_tool(
+        retriever,
+        "search_AEO",
+        "Searches and returns documents regarding adversary engagement."
+    )
+    tools = [tool]
+        
+
+    llm = ChatOpenAI(model_name="gpt-4", temperature = 0)
+    agent_executor = create_conversational_retrieval_agent(llm, tools, verbose=True)
+    # result = agent_executor({"input": "What is the point of the engagement matrix?"})
+
+    # Creating High Level Deception and denial strategy
+    example= """ You are part of a small business called MineralRUs Inc., which is a small, yet critical mining company in New Hampshire specializing in rare earth elements.
+		Your main clients are from particular sectors of technology and defense industries, and are considered to be critical infrastructure. Therefore, your business and its operation is essential to the integrity of supply chains enabling those critical infrastructure.
+		MineralRUs Inc. maintains paper-based record of their key intellectual property and operational procedures, which are stored in a physical safe. This fact is known by only a select few in the company.
+		Your business has a small, unorganized computer network with only generic security infrastructure, and the company does not have the resources to employ an in-house information security team. Instead, a very small team is tasked with maintaining Operational Technology (OT) systems on the network.
+        Your company has recently received an advisory from federal authorities, warning businesses in your industry about the rapidly growing threat of cyber espionage by state-sponsored Advanced Persistent Threats (APTs). In response, your company decides to engage an external cybersecurity provider to assist with timely incident response and prevention. The external provider recommends the employment of active adversary engagement plans, and asks you to develop a high-level deception and denial strategy.
+        """
+    user_input = st.text_area("Enter your engagement strategy: ", example, height=400)
+    prompt_1 = user_input + "### Instruction: You are an expert in Mitre's Attack Framework. Please create a high-level deception and denial strategy for the given scenario."
+    
+    st.subheader('High Level Deception and Denial Strategy ')
+    result = agent_executor({"input":prompt_1 })
+    
+    st.write(result['output'])
+
+    if result:
+        st.subheader('Itemized Action Plan')
+        prompt_2 = """### Instruction: I am giving you the high level deception and denial strategy. 
+        Please create a specific itemized action plan for the below strategy. ### Scenario""" + result['output']
+        result_2 = agent_executor({"input":prompt_2 })
+        
+        st.write(result_2['output'])
+
+        if result_2:
+            st.subheader('JSON-LD Description')
+            prompt_3 = """### Instruction: Please use AEO ontology to map the  plan given below to the JSON-LD description. ### Plan: """ + result_2['output']
+            result_3 = agent_executor({'input': prompt_3}) 
+            
+            st.write(result_3['output'])
+
+
+
+
+
+

requirements.txt

@@ -0,0 +1,10 @@
+rdflib==7.0.0
+openai==0.27.6
+tiktoken 
+chromadb 
+langchain 
+pypdf 
+streamlit 
+unstructured 
+marker
+rdflib