# RAG Pipeline - Security Knowledge Base

Notebook n√†y th·ª±c hi·ªán RAG pipeline ho√†n ch·ªânh v·ªõi th·ª© t·ª± ƒë√∫ng:
1. **LOAD** - Load documents (Sigma, MITRE ATT&CK, OWASP)
2. **SPLIT** - Text splitting
3. **EMBED** - Embedding v√† l∆∞u v√†o ChromaDB
4. **RETRIEVE** - Query v√† Retrieve

## üìã Th·ª© t·ª± ch·∫°y c√°c cells:

### Phase 1: Setup
- **Cell 1**: Imports
- **Cell 2**: Helper Functions

### Phase 2: LOAD Documents
- **Cell 3**: Load Sigma Rules
- **Cell 4**: Load MITRE ATT&CK
- **Cell 5**: Load OWASP Cheatsheets

### Phase 3: SPLIT Text
- **Cell 6**: Text Splitting v√† Combine All Documents
- **Cell 7**: Xem Chunks (Optional)

### Phase 4: EMBED
- **Cell 8**: Setup Embedding Model
- **Cell 9**: Embed v√† l∆∞u v√†o ChromaDB

### Phase 5: RETRIEVE
- **Cell 10**: Basic Retrieval (Balanced Query)
- **Cell 11**: Hybrid Retrieval Setup (BM25 + Reranker)
- **Cell 12**: Hybrid Retrieval + Reranking

**L∆∞u √Ω:** C·∫ßn c√†i ƒë·∫∑t:
- `pip install rank-bm25 flashrank sentence-transformers` cho hybrid retrieval v√† reranking


In [None]:
# ===================================================================
# Phase 1: IMPORTS
# ===================================================================

from langchain_community.document_loaders import DirectoryLoader, TextLoader
from langchain_community.document_loaders import WebBaseLoader, AsyncChromiumLoader
from langchain_core.documents import Document
from langchain_chroma import Chroma
from langchain_community.vectorstores.utils import filter_complex_metadata
from langchain_text_splitters import RecursiveCharacterTextSplitter
try:
    from langchain_huggingface import HuggingFaceEmbeddings
except ImportError:
    from langchain_community.embeddings import HuggingFaceEmbeddings

# Reranker v√† Hybrid Retrieval
try:
    from rank_bm25 import BM25Okapi
except ImportError:
    print("‚ö†Ô∏è rank_bm25 ch∆∞a ƒë∆∞·ª£c c√†i ƒë·∫∑t. Ch·∫°y: pip install rank-bm25")
    BM25Okapi = None

try:
    from sentence_transformers import CrossEncoder
    CROSS_ENCODER_AVAILABLE = True
except ImportError:
    CROSS_ENCODER_AVAILABLE = False
    print("‚ö†Ô∏è sentence-transformers ch∆∞a c√≥ CrossEncoder. S·∫Ω d√πng simple reranking.")
    CrossEncoder = None

try:
    from flashrank import Ranker, RerankRequest
    FLASHRANK_AVAILABLE = True
except ImportError:
    FLASHRANK_AVAILABLE = False


import os
import yaml
import json
import requests
import glob
from bs4 import BeautifulSoup
from urllib.parse import urljoin, urlparse
import time
import numpy as np
from typing import List, Tuple, Dict
from collections import Counter

print("‚úÖ Imports completed")


USER_AGENT environment variable not set, consider setting it to identify your requests.


‚úÖ Imports completed


In [None]:
# ===================================================================
# Phase 1: HELPER FUNCTIONS
# ===================================================================

def parse_chroma_metadata(doc: Document) -> dict:
    """Parse metadata t·ª´ ChromaDB, convert JSON strings v·ªÅ l·∫°i list/dict"""
    metadata = doc.metadata.copy()
    json_fields = ['tags', 'references', 'detection', 'logsource', 'detection_keywords', 'falsepositives']
    
    for field in json_fields:
        if field in metadata and isinstance(metadata[field], str):
            try:
                metadata[field] = json.loads(metadata[field])
            except (json.JSONDecodeError, TypeError):
                pass
    return metadata

def format_doc_for_llm(doc: Document, include_full_rule: bool = False) -> str:
    """Format document v·ªõi metadata ƒë·ªÉ LLM d·ªÖ ƒë·ªçc"""
    metadata = parse_chroma_metadata(doc)
    output = []
    output.append(f"Title: {metadata.get('title', 'N/A')}")
    output.append(f"ID: {metadata.get('id', 'N/A')}")
    output.append(f"Status: {metadata.get('status', 'N/A')}")
    output.append(f"Level: {metadata.get('level', 'N/A')}")
    output.append(f"Description: {metadata.get('description', 'N/A')}")
    if metadata.get('author'):
        output.append(f"Author: {metadata.get('author')}")
    if metadata.get('tags'):
        tags = metadata['tags'] if isinstance(metadata['tags'], list) else []
        output.append(f"Tags: {', '.join(str(t) for t in tags)}")
    if metadata.get('logsource'):
        logsource = metadata['logsource'] if isinstance(metadata['logsource'], dict) else {}
        output.append(f"Log Source: {json.dumps(logsource, ensure_ascii=False)}")
    if metadata.get('detection'):
        detection = metadata['detection'] if isinstance(metadata['detection'], dict) else {}
        if 'keywords' in detection and detection['keywords']:
            keywords = detection['keywords']
            keywords_preview = keywords[:5] if len(keywords) > 5 else keywords
            output.append(f"Detection Keywords: {', '.join(str(k) for k in keywords_preview)}")
            if len(keywords) > 5:
                output.append(f"  (+ {len(keywords)-5} more keywords)")
        if 'condition' in detection:
            output.append(f"Detection Condition: {detection['condition']}")
    if metadata.get('references'):
        refs = metadata['references'] if isinstance(metadata['references'], list) else []
        if refs:
            output.append(f"References: {len(refs)} reference(s)")
            for ref in refs[:3]:
                output.append(f"  - {ref}")
            if len(refs) > 3:
                output.append(f"  ... v√† {len(refs)-3} reference(s) kh√°c")
    output.append(f"\nContent:\n{doc.page_content}")
    if include_full_rule and metadata.get('full_rule'):
        output.append(f"\nFull Rule YAML:\n{metadata['full_rule']}")
    return "\n".join(output)

print("‚úÖ Helper functions defined")


‚úÖ Helper functions defined


## Phase 2: LOAD Documents

### 3.1. Load Sigma Rules


In [None]:
# ===================================================================
# Phase 2: LOAD - Sigma Rules
# ===================================================================

sigma_path = r"D:\MCPLLM\test\sigma\rules\web\webserver_generic"

# Ki·ªÉm tra th∆∞ m·ª•c c√≥ t·ªìn t·∫°i kh√¥ng
if not os.path.exists(sigma_path):
    print(f"Error: Th∆∞ m·ª•c kh√¥ng t·ªìn t·∫°i: {sigma_path}")
    sigma_raw_docs = []
else:
    try:
        sigma_loader = DirectoryLoader(
            path=sigma_path,
            glob="**/*.yml",
            loader_cls=TextLoader,
            loader_kwargs={'encoding': 'utf-8'}
        )
        sigma_raw_docs = sigma_loader.load()
        print(f"‚úÖ ƒê√£ load {len(sigma_raw_docs)} Sigma rule file(s)")
    except Exception as e:
        print(f"‚ùå L·ªói khi load: {e}")
        sigma_raw_docs = []

# Parse YAML v√† t·∫°o processed docs
sigma_docs_processed = []

if sigma_raw_docs:
    print("\nüìù X·ª≠ l√Ω v√† parse YAML...")
    for doc in sigma_raw_docs:
        try:
            parsed_yaml = yaml.safe_load(doc.page_content)
            if parsed_yaml:
                title = parsed_yaml.get('title', 'N/A')
                description = parsed_yaml.get('description', 'N/A')
                level = parsed_yaml.get('level', 'N/A')
                status = parsed_yaml.get('status', 'N/A')
                
                summary_content = f"Sigma Rule: {title}\nStatus: {status} | Level: {level}\nDescription: {description}"
                
                # Extract detection keywords
                detection = parsed_yaml.get('detection', {})
                keywords = detection.get('keywords', []) if isinstance(detection, dict) else []
                if keywords:
                    keywords_preview = keywords[:3] if len(keywords) > 3 else keywords
                    summary_content += f"\nKeywords: {', '.join(str(k) for k in keywords_preview)}"
                    if len(keywords) > 3:
                        summary_content += f" (+{len(keywords)-3} more)"
                
                new_doc = Document(
                    page_content=summary_content,
                    metadata={
                        "source": doc.metadata.get('source'),
                        "source_type": "sigma_rule",
                        "title": parsed_yaml.get('title'),
                        "id": parsed_yaml.get('id'),
                        "status": parsed_yaml.get('status'),
                        "level": parsed_yaml.get('level'),
                        "description": parsed_yaml.get('description'),
                        "author": parsed_yaml.get('author'),
                        "date": str(parsed_yaml.get('date', '')),
                        "modified": str(parsed_yaml.get('modified', '')),
                        "tags": parsed_yaml.get('tags', []),
                        "logsource": parsed_yaml.get('logsource', {}),
                        "detection": parsed_yaml.get('detection', {}),
                        "detection_keywords": keywords,
                        "detection_keywords_count": len(keywords),
                        "references": parsed_yaml.get('references', []),
                        "falsepositives": parsed_yaml.get('falsepositives', []),
                    }
                )
                sigma_docs_processed.append(new_doc)
        except Exception as e:
            print(f"L·ªói khi parse YAML: {e}")
    
    print(f"‚úÖ ƒê√£ x·ª≠ l√Ω {len(sigma_docs_processed)} Sigma document(s)")
else:
    print("‚ö†Ô∏è Kh√¥ng c√≥ Sigma documents n√†o ƒë·ªÉ x·ª≠ l√Ω.")


‚úÖ ƒê√£ load 13 Sigma rule file(s)

üìù X·ª≠ l√Ω v√† parse YAML...
‚úÖ ƒê√£ x·ª≠ l√Ω 13 Sigma document(s)


In [None]:
print(sigma_raw_docs[0])

page_content='title: F5 BIG-IP iControl Rest API Command Execution - Webserver
id: 85254a62-22be-4239-b79c-2ec17e566c37
related:
    - id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
      type: similar
status: test
description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
references:
    - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
    - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
    - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-11-08
tags:
    - attack.execution
    - attack.t1190
    - attack.initial-access
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|endswith: '/mgmt/tm/util/bash'
    condition: selection
falsepositives:
  

### 3.2. Load MITRE ATT&CK Techniques


In [None]:
# ===================================================================
# Phase 2: LOAD - MITRE ATT&CK Techniques
# ===================================================================

import requests
from bs4 import BeautifulSoup
import re
import time

def parse_mitre_techniques_from_enterprise_page(base_url="https://attack.mitre.org/techniques/enterprise/"):
    """
    Parse t·∫•t c·∫£ techniques t·ª´ trang enterprise c·ªßa MITRE ATT&CK
    Format: T-ID\nName\nDescription
    """
    mitre_docs = []
    
    try:
        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'}
        response = requests.get(base_url, headers=headers, timeout=30)
        response.raise_for_status()
        
        soup = BeautifulSoup(response.content, 'html.parser')
        
        # T√¨m t·∫•t c·∫£ technique links
        technique_rows = soup.find_all('tr')
        
        for row in technique_rows:
            cells = row.find_all('td')
            if len(cells) >= 2:
                # Cell ƒë·∫ßu ti√™n ch·ª©a ID v√† link
                first_cell = cells[0]
                link = first_cell.find('a', href=True)
                if link and '/techniques/T' in link['href']:
                    technique_id = link.get_text(strip=True)
                    # Cell th·ª© hai ch·ª©a t√™n
                    technique_name = cells[1].get_text(strip=True) if len(cells) > 1 else "Unknown"
                    
                    # Cell th·ª© ba c√≥ th·ªÉ ch·ª©a description ho·∫∑c l·∫•y t·ª´ tooltip
                    description = ""
                    if len(cells) > 2:
                        description = cells[2].get_text(strip=True)
                    
                    # N·∫øu kh√¥ng c√≥ description t·ª´ cell, l·∫•y t·ª´ tooltip
                    if not description or len(description) < 20:
                        tooltip = first_cell.get('title') or first_cell.get('data-bs-original-title', '')
                        if tooltip:
                            description = tooltip
                    
                    # Format: ID\nName\nDescription
                    if technique_id and technique_name:
                        content = f"{technique_id}\n{technique_name}\n{description}" if description else f"{technique_id}\n{technique_name}"
                        
                        doc = Document(
                            page_content=content,
                            metadata={
                                'source_type': 'mitre_attack',
                                'source_url': urljoin(base_url, link['href']),
                                'technique_id': technique_id,
                                'technique_name': technique_name,
                                'description_length': len(description) if description else 0
                            }
                        )
                        mitre_docs.append(doc)
        
        print(f"‚úÖ ƒê√£ parse {len(mitre_docs)} MITRE ATT&CK techniques t·ª´ trang enterprise")
        
    except Exception as e:
        print(f"‚ùå L·ªói khi parse MITRE techniques: {e}")
        import traceback
        traceback.print_exc()
    
    return mitre_docs

# Load MITRE techniques
print("üì• ƒêang load MITRE ATT&CK techniques...")
mitre_docs = parse_mitre_techniques_from_enterprise_page()

if mitre_docs:
    print(f"‚úÖ ƒê√£ load {len(mitre_docs)} MITRE ATT&CK techniques")
else:
    print("‚ö†Ô∏è Kh√¥ng c√≥ MITRE documents n√†o.")


üì• ƒêang load MITRE ATT&CK techniques...
‚úÖ ƒê√£ parse 216 MITRE ATT&CK techniques t·ª´ trang enterprise
‚úÖ ƒê√£ load 216 MITRE ATT&CK techniques


In [None]:
print(mitre_docs[0])

page_content='T1548
Abuse Elevation Control Mechanism
Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.' metadata={'source_type': 'mitre_attack', 'source_url': 'https://attack.mitre.org/techniques/T1548', 'technique_id': 'T1548', 'technique_name': 'Abuse Elevation Control Mechanism', 'description_length': 500}


In [None]:
### 3.3. Load OWASP Cheatsheets

In [None]:
# Load OWASP Cheatsheets t·ª´ th∆∞ m·ª•c local
# Read in documents using LangChain's loaders
# Take everything in all the sub-folders of our knowledgebase

import os, glob
from langchain_community.document_loaders import DirectoryLoader, TextLoader

# ƒê∆∞·ªùng d·∫´n t·ªõi th∆∞ m·ª•c cheatsheets
cheatsheets_path = r"D:\MCPLLM\test\cheatsheets"

# Ki·ªÉm tra th∆∞ m·ª•c c√≥ t·ªìn t·∫°i kh√¥ng
if not os.path.exists(cheatsheets_path):
    print(f"‚ö†Ô∏è  Th∆∞ m·ª•c kh√¥ng t·ªìn t·∫°i: {cheatsheets_path}")
    print(f"   T·∫°o th∆∞ m·ª•c ho·∫∑c ki·ªÉm tra ƒë∆∞·ªùng d·∫´n")
    owasp_docs = []
else:
    # D√πng raw string ƒë·ªÉ tr√°nh l·ªói escape
    folders = glob.glob(os.path.join(cheatsheets_path, "*"))
    
    # Thi·∫øt l·∫≠p text loader kwargs
    # Th·ª≠ d√πng autodetect n·∫øu c√≥ chardet, n·∫øu kh√¥ng th√¨ d√πng utf-8
    try:
        import chardet
        text_loader_kwargs = {'autodetect_encoding': True}
    except ImportError:
        print("  ‚ö†Ô∏è  Module 'chardet' ch∆∞a ƒë∆∞·ª£c c√†i ƒë·∫∑t. D√πng encoding='utf-8' thay th·∫ø.")
        print("  üí° ƒê·ªÉ c√†i: pip install chardet")
        text_loader_kwargs = {'encoding': 'utf-8'}
    
    owasp_docs = []
    print(f"üìÇ ƒêang load OWASP cheatsheets t·ª´: {cheatsheets_path}")
    
    for folder in folders:
        doc_type = os.path.basename(folder)
        
        try:
            if os.path.isdir(folder):
                loader = DirectoryLoader(
                    folder,
                    glob="**/*.md",  # ‚úÖ lu√¥n d√πng d·∫•u /
                    loader_cls=TextLoader,
                    loader_kwargs=text_loader_kwargs
                )
                folder_docs = loader.load()
                
            elif os.path.isfile(folder) and folder.endswith('.md'):
                loader = TextLoader(folder, **text_loader_kwargs)
                folder_docs = loader.load()
            else:
                continue  # B·ªè qua n·∫øu kh√¥ng ph·∫£i file .md
            
            for doc in folder_docs:
                doc.metadata["doc_type"] = doc_type
                doc.metadata["source_type"] = "owasp_cheatsheet"
                # Th√™m source path v√†o metadata
                if 'source' not in doc.metadata:
                    doc.metadata["source"] = folder
                owasp_docs.append(doc)
            
            if folder_docs:
                print(f"  ‚úÖ Loaded {len(folder_docs)} docs t·ª´: {doc_type}")
        
        except Exception as e:
            print(f"  ‚ö†Ô∏è  L·ªói khi load {folder}: {e}")
            continue
    
    print(f"\n‚úÖ Total OWASP cheatsheet documents loaded: {len(owasp_docs)}")
    
    # Hi·ªÉn th·ªã m·ªôt v√†i documents m·∫´u
    if owasp_docs:
        print(f"\nüìã M·ªôt v√†i documents m·∫´u:")
        for i, doc in enumerate(owasp_docs[:3]):
            doc_type = doc.metadata.get('doc_type', 'N/A')
            source = doc.metadata.get('source', 'N/A')
            if isinstance(source, str):
                source_name = os.path.basename(source)
            else:
                source_name = str(source)
            print(f"  [{i+1}] {doc_type} | {source_name} | {len(doc.page_content)} chars")


üìÇ ƒêang load OWASP cheatsheets t·ª´: D:\MCPLLM\test\cheatsheets
  ‚úÖ Loaded 1 docs t·ª´: Abuse_Case_Cheat_Sheet.md
  ‚úÖ Loaded 1 docs t·ª´: Access_Control_Cheat_Sheet.md
  ‚úÖ Loaded 1 docs t·ª´: AJAX_Security_Cheat_Sheet.md
  ‚úÖ Loaded 1 docs t·ª´: Attack_Surface_Analysis_Cheat_Sheet.md
  ‚úÖ Loaded 1 docs t·ª´: Authentication_Cheat_Sheet.md
  ‚úÖ Loaded 1 docs t·ª´: Authorization_Cheat_Sheet.md
  ‚úÖ Loaded 1 docs t·ª´: Authorization_Testing_Automation_Cheat_Sheet.md
  ‚úÖ Loaded 1 docs t·ª´: Automotive_Security.md
  ‚úÖ Loaded 1 docs t·ª´: Bean_Validation_Cheat_Sheet.md
  ‚úÖ Loaded 1 docs t·ª´: Browser_Extension_Vulnerabilities_Cheat_Sheet.md
  ‚úÖ Loaded 1 docs t·ª´: C-Based_Toolchain_Hardening_Cheat_Sheet.md
  ‚úÖ Loaded 1 docs t·ª´: Choosing_and_Using_Security_Questions_Cheat_Sheet.md
  ‚úÖ Loaded 1 docs t·ª´: CI_CD_Security_Cheat_Sheet.md
  ‚úÖ Loaded 1 docs t·ª´: Clickjacking_Defense_Cheat_Sheet.md
  ‚úÖ Loaded 1 docs t·ª´: Content_Security_Policy_Cheat_Sheet.md
  ‚úÖ Lo

In [None]:
print(owasp_docs[0])

page_content='# Abuse Case Cheat Sheet (Historical)

## Archive Statement

Reviewers have identified that abuse cases are rarely used in practice. Additionally, the material is presented as a "getting started tutorial" which isn't appropriate for the cheat sheet series.

## Introduction

Often when the security level of an application is mentioned in requirements, the following _expressions_ are met:

- _The application must be secure_.
- _The application must defend against all attacks targeting this category of application_.
- _The application must defend against attacks from the OWASP TOP 10_
- ...

These security requirements are too generic, and thus useless for a development team...

In order to build a secure application, from a pragmatic point of view, it is important to identify the attacks which the application must defend against, according to its business and technical context. Abuse cases were a frequently recommended _threat modeling_ technique, and reviewing the [threat 

In [None]:
# Text Splitting v√† Combine All Documents
# T·ªëi ∆∞u cho t·ª´ng lo·∫°i document: Sigma, MITRE, OWASP

# 1. Text splitter cho OWASP (Markdown files - c√≥ th·ªÉ r·∫•t d√†i)
# OWASP cheatsheets th∆∞·ªùng l√† markdown, c·∫ßn split ƒë·ªÉ qu·∫£n l√Ω
owasp_splitter = RecursiveCharacterTextSplitter(
    chunk_size=1000,  # Ph√π h·ª£p cho markdown content
    chunk_overlap=200,
    length_function=len,
    separators=["\n\n## ", "\n\n### ", "\n\n", "\n", ". ", " ", ""]  # ∆Øu ti√™n split theo markdown headers
)

# 2. Text splitter cho MITRE (Format: T1548\nName\nDescription)
# Gi·ªØ nguy√™n technique n·∫øu c√≥ th·ªÉ, ch·ªâ split n·∫øu qu√° d√†i
mitre_splitter = RecursiveCharacterTextSplitter(
    chunk_size=800,  # ƒê·ªß l·ªõn cho h·∫ßu h·∫øt techniques
    chunk_overlap=200,
    length_function=len,
    separators=["\n\n", "\n", ". "]  # ∆Øu ti√™n gi·ªØ nguy√™n format ID\nName\nDescription
)

# Combine t·∫•t c·∫£ documents
all_docs = []

# =================================================================
# 1. SIGMA RULES
# =================================================================
# Sigma rules ƒë√£ ƒë∆∞·ª£c processed, format ng·∫Øn g·ªçn, kh√¥ng c·∫ßn split
if 'sigma_docs_processed' in locals() and sigma_docs_processed:
    for doc in sigma_docs_processed:
        # ƒê·∫£m b·∫£o metadata c√≥ source_type
        if 'source_type' not in doc.metadata:
            doc.metadata['source_type'] = 'sigma_rule'
        all_docs.append(doc)
    print(f"‚úÖ Added {len(sigma_docs_processed)} Sigma rule documents (kh√¥ng split)")

# =================================================================
# 2. MITRE ATT&CK TECHNIQUES
# =================================================================
# Format: T1548\nName\nDescription
# M·ªói technique l√† m·ªôt document ri√™ng, ch·ªâ split n·∫øu description qu√° d√†i
if 'mitre_docs' in locals() and mitre_docs:
    mitre_split = []
    for doc in mitre_docs:
        # ƒê·∫£m b·∫£o metadata c√≥ source_type
        if 'source_type' not in doc.metadata:
            doc.metadata['source_type'] = 'mitre_attack'
        
        # N·∫øu description qu√° d√†i (>2000 chars), split theo paragraph
        if len(doc.page_content) > 2000:
            chunks = mitre_splitter.split_documents([doc])
            # Gi·ªØ metadata cho m·ªói chunk
            for chunk in chunks:
                chunk.metadata['source_type'] = 'mitre_attack'
            mitre_split.extend(chunks)
        else:
            # Gi·ªØ nguy√™n document - m·ªói technique l√† m·ªôt chunk
            mitre_split.append(doc)
    
    all_docs.extend(mitre_split)
    long_docs = sum(1 for doc in mitre_docs if len(doc.page_content) > 2000)
    print(f"‚úÖ Added {len(mitre_split)} MITRE ATT&CK documents (from {len(mitre_docs)} techniques)")
    if long_docs > 0:
        print(f"   - {long_docs} techniques ƒë√£ ƒë∆∞·ª£c split do description qu√° d√†i")

# =================================================================
# 3. OWASP CHEATSHEETS
# =================================================================
# OWASP cheatsheets l√† markdown files, c√≥ th·ªÉ r·∫•t d√†i, c·∫ßn split
if 'owasp_docs' in locals() and owasp_docs:
    owasp_split = []
    for doc in owasp_docs:
        # ƒê·∫£m b·∫£o metadata c√≥ source_type
        if 'source_type' not in doc.metadata:
            doc.metadata['source_type'] = 'owasp_cheatsheet'
        
        # Split OWASP documents (markdown c√≥ th·ªÉ r·∫•t d√†i)
        chunks = owasp_splitter.split_documents([doc])
        # Gi·ªØ metadata cho m·ªói chunk
        for chunk in chunks:
            chunk.metadata['source_type'] = 'owasp_cheatsheet'
            # Gi·ªØ nguy√™n doc_type v√† source t·ª´ document g·ªëc
            if 'doc_type' in doc.metadata:
                chunk.metadata['doc_type'] = doc.metadata['doc_type']
            if 'source' in doc.metadata:
                chunk.metadata['source'] = doc.metadata['source']
        owasp_split.extend(chunks)
    
    all_docs.extend(owasp_split)
    print(f"‚úÖ Added {len(owasp_split)} OWASP cheatsheet document chunks (from {len(owasp_docs)} docs)")

# =================================================================
# T·ªîNG K·∫æT
# =================================================================
print(f"\nüìä T·ªïng c·ªông: {len(all_docs)} documents ƒë·ªÉ embed v√† l∆∞u v√†o ChromaDB")
print(f"\nüí° Chi·∫øn l∆∞·ª£c splitting:")
print(f"   - Sigma rules: Gi·ªØ nguy√™n (kh√¥ng split)")
print(f"   - MITRE techniques: Gi·ªØ nguy√™n, ch·ªâ split n·∫øu >2000 chars")
print(f"   - OWASP cheatsheets: Split theo markdown headers v√† paragraphs")


‚úÖ Added 13 Sigma rule documents (kh√¥ng split)
‚úÖ Added 216 MITRE ATT&CK documents (from 216 techniques)
‚úÖ Added 3332 OWASP cheatsheet document chunks (from 107 docs)

üìä T·ªïng c·ªông: 3561 documents ƒë·ªÉ embed v√† l∆∞u v√†o ChromaDB

üí° Chi·∫øn l∆∞·ª£c splitting:
   - Sigma rules: Gi·ªØ nguy√™n (kh√¥ng split)
   - MITRE techniques: Gi·ªØ nguy√™n, ch·ªâ split n·∫øu >2000 chars
   - OWASP cheatsheets: Split theo markdown headers v√† paragraphs


In [None]:
# Kh·ªüi t·∫°o embedding model (d√πng HuggingFace local)
print("üì• ƒêang t·∫£i embedding model...")
embeddings = HuggingFaceEmbeddings(
    model_name="sentence-transformers/all-MiniLM-L6-v2",
    model_kwargs={'device': 'cpu'},
    encode_kwargs={'normalize_embeddings': True}
)
print("‚úÖ Embedding model ƒë√£ s·∫µn s√†ng")


üì• ƒêang t·∫£i embedding model...
‚úÖ Embedding model ƒë√£ s·∫µn s√†ng


In [None]:
# T·∫°o ƒë∆∞·ªùng d·∫´n l∆∞u ChromaDB
persist_directory = r"D:\MCPLLM\test\chroma_sec_db"
os.makedirs(persist_directory, exist_ok=True)

# Chu·∫©n b·ªã documents v·ªõi metadata t∆∞∆°ng th√≠ch ChromaDB
print(f"üíæ ƒêang t·∫°o/load ChromaDB t·∫°i: {persist_directory}")

# Ki·ªÉm tra all_docs ƒë√£ ƒë∆∞·ª£c t·∫°o ch∆∞a
if 'all_docs' not in locals() or not all_docs:
    print("‚ö†Ô∏è  Ch∆∞a c√≥ all_docs. H√£y ch·∫°y cell 'Text Splitting v√† Combine All Documents' tr∆∞·ªõc.")
    print("    ƒêang d√πng sigma_docs_processed t·∫°m th·ªùi...")
    docs_to_process = sigma_docs_processed if 'sigma_docs_processed' in locals() and sigma_docs_processed else []
else:
    docs_to_process = all_docs

if not docs_to_process:
    print("‚ùå Kh√¥ng c√≥ documents n√†o ƒë·ªÉ embed!")
    vectorstore = None
else:
    print(f"üìù ƒêang chu·∫©n b·ªã {len(docs_to_process)} documents ƒë·ªÉ embed...")
    
    # Convert list/dict trong metadata th√†nh string cho ChromaDB
    docs_for_chroma = []
    for doc in docs_to_process:
        new_metadata = {}
        for key, value in doc.metadata.items():
            if isinstance(value, (list, dict)):
                # Convert list/dict th√†nh JSON string
                new_metadata[key] = json.dumps(value, ensure_ascii=False)
            elif value is None:
                continue  # Skip None values
            else:
                new_metadata[key] = value
        
        # T·∫°o document m·ªõi v·ªõi metadata ƒë√£ x·ª≠ l√Ω
        new_doc = Document(
            page_content=doc.page_content,
            metadata=new_metadata
        )
        docs_for_chroma.append(new_doc)
    
    # Filter complex metadata m·ªôt l·∫ßn n·ªØa ƒë·ªÉ ch·∫Øc ch·∫Øn
    docs_for_chroma = filter_complex_metadata(docs_for_chroma)
    
    print(f"üìä Th·ªëng k√™ documents:")
    if 'all_docs' in locals() and all_docs:
        sigma_count = sum(1 for d in docs_for_chroma if d.metadata.get('source_type') == 'sigma_rule')
        mitre_count = sum(1 for d in docs_for_chroma if d.metadata.get('source_type') == 'mitre_attack')
        owasp_count = sum(1 for d in docs_for_chroma if d.metadata.get('source_type') == 'owasp_cheatsheet')
        print(f"   - Sigma rules: {sigma_count}")
        print(f"   - MITRE ATT&CK: {mitre_count}")
        print(f"   - OWASP cheatsheets: {owasp_count}")
    
    # T·∫°o ChromaDB vector store
    print(f"\nüîÑ ƒêang embed v√† l∆∞u v√†o ChromaDB...")
    vectorstore = Chroma.from_documents(
        documents=docs_for_chroma,
        embedding=embeddings,
        persist_directory=persist_directory,
        collection_name="security_knowledge_base"  # T√™n collection m·ªõi cho t·∫•t c·∫£
    )
    print(f"‚úÖ ƒê√£ l∆∞u {len(docs_for_chroma)} documents v√†o ChromaDB")


üíæ ƒêang t·∫°o/load ChromaDB t·∫°i: D:\MCPLLM\test\chroma_sec_db
üìù ƒêang chu·∫©n b·ªã 3561 documents ƒë·ªÉ embed...
üìä Th·ªëng k√™ documents:
   - Sigma rules: 13
   - MITRE ATT&CK: 216
   - OWASP cheatsheets: 3332

üîÑ ƒêang embed v√† l∆∞u v√†o ChromaDB...
‚úÖ ƒê√£ l∆∞u 3561 documents v√†o ChromaDB


In [None]:
# L·∫•y ra b·ªô s∆∞u t·∫≠p vector t·ª´ vectorstore
collection = vectorstore._collection

# L·∫•y 1 embedding t·ª´ database
sample_embedding = collection.get(limit=1, include=["embeddings"])["embeddings"][0]

# Ki·ªÉm tra s·ªë chi·ªÅu (s·ªë ph·∫ßn t·ª≠ trong vector)
dimensions = len(sample_embedding)
print(f"The vectors have {dimensions:,} dimensions")

NameError: name 'vectorstore' is not defined

In [None]:
# ‚úÖ Test query Chroma vectorstore (similarity / MMR / filter theo metadata)
import os, textwrap, json
from pprint import pprint

from langchain_community.vectorstores import Chroma

def ensure_vectorstore(persist_dir, embeddings, collection="security_knowledge_base"):
    # N·∫øu ƒë√£ c√≥ vectorstore trong RAM th√¨ d√πng l·∫°i
    if 'vectorstore' in globals() and vectorstore is not None:
        return vectorstore
    # Ng∆∞·ª£c l·∫°i, m·ªü t·ª´ ·ªï ƒëƒ©a
    vs = Chroma(
        persist_directory=persist_dir,
        collection_name=collection,
        embedding_function=embeddings
    )
    return vs

def pretty(doc, score=None, idx=None, width=110, preview=400):
    h = []
    if idx is not None:
        h.append(f"[{idx}]")
    if score is not None:
        h.append(f"Score: {score:.4f}")
    title = doc.metadata.get("title") or doc.metadata.get("cheatsheet_name") or doc.metadata.get("id") or "(no title)"
    src_type = doc.metadata.get("source_type")
    h.append(f"Title: {title}")
    if src_type:
        h.append(f"SourceType: {src_type}")
    print(" | ".join(h))
    # ngu·ªìn
    src = doc.metadata.get("source_url") or doc.metadata.get("source")
    if src:
        print("Source:", src)
    # tag/technique/tags t√≥m t·∫Øt
    for key in ("tags","technique_id","technique_name","level","yaml_path"):
        if key in doc.metadata and doc.metadata[key]:
            val = doc.metadata[key]
            if isinstance(val, (list, dict)):
                val = json.dumps(val, ensure_ascii=False)
            print(f"{key}:", val)
    # preview n·ªôi dung
    content = (doc.page_content or "").strip().replace("\r", "")
    preview_text = content[:preview] + ("..." if len(content) > preview else "")
    print(textwrap.fill(preview_text, width=width))
    print("-" * width)

# ====== RUN ======
if 'persist_directory' not in globals():
    persist_directory = r"D:\MCPLLM\test\chroma_sec_db"

if 'embeddings' not in globals():
    raise RuntimeError("Ch∆∞a c√≥ bi·∫øn `embeddings`. H√£y kh·ªüi t·∫°o OpenAI/HF embeddings tr∆∞·ªõc.")

vs = ensure_vectorstore(persist_directory, embeddings, collection="security_knowledge_base")
print("‚úÖ Vectorstore ready.")
print("üì¶ Collection size (approx):", vs._collection.count())  # s·ªë vector (x·∫•p x·ªâ)

# üëâ ƒê·∫∑t c√¢u query b·∫°n mu·ªën test
query = "Detected SQL injection"
k = 5

print("\nüîé Similarity search:")
hits = vs.similarity_search_with_score(query, k=k)
for i, (doc, score) in enumerate(hits, 1):
    pretty(doc, score=score, idx=i)

print("\nüß≠ MMR (ƒëa d·∫°ng ho√° k·∫øt qu·∫£):")
mmr_docs = vs.max_marginal_relevance_search(query, k=min(6, k+1), fetch_k=20, lambda_mult=0.3)
for i, doc in enumerate(mmr_docs, 1):
    pretty(doc, score=None, idx=i)

print("\nüéØ Filter theo metadata (v√≠ d·ª•: ch·ªâ Sigma rules):")
try:
    # Chroma h·ªó tr·ª£ 'where' filter tr√™n metadata
    filtered = vs.similarity_search_with_score(
        query, k=k, filter={"source_type": "sigma_rule"}
    )
    if not filtered:
        print("  (Kh√¥ng c√≥ k·∫øt qu·∫£ kh·ªõp filter {'source_type':'sigma_rule'})")
    else:
        for i, (doc, score) in enumerate(filtered, 1):
            pretty(doc, score=score, idx=i)
except TypeError:
    # M·ªôt s·ªë b·∫£n LangChain c≈© d√πng 'where' thay v√¨ 'filter'
    filtered = vs.similarity_search_with_score(
        query, k=k, where={"source_type": "sigma_rule"}
    )
    for i, (doc, score) in enumerate(filtered, 1):
        pretty(doc, score=score, idx=i)

# (Tu·ª≥ ch·ªçn) üîÅ Re-rank b·∫±ng FlashRank n·∫øu c√≥
try:
    from flashrank import Ranker, RerankRequest
    ranker = Ranker()  # m·∫∑c ƒë·ªãnh d√πng model nh·∫π
    # L·∫•y top 10 t·ª´ similarity ƒë·ªÉ rerank
    base_docs = vs.similarity_search(query, k=10)
    passages = [d.page_content[:1000] for d in base_docs]
    req = RerankRequest(query=query, passages=[{"id": str(i), "text": p} for i, p in enumerate(passages)])
    rr = ranker.rerank(req)
    print("\n‚ö° FlashRank top-5 (reranked):")
    for r in rr[:5]:
        d = base_docs[int(r.document["id"])]
        pretty(d, score=r.relevance_score, idx=r.index)
except Exception as e:
    print("\n(‚ÑπÔ∏è B·ªè qua rerank FlashRank ‚Äî ch∆∞a c√†i ho·∫∑c l·ªói nh·ªè:", e, ")")

print("\n‚úÖ Done. Thay ƒë·ªïi bi·∫øn `query` ƒë·ªÉ th·ª≠ th√™m.")


  vs = Chroma(


‚úÖ Vectorstore ready.
üì¶ Collection size (approx): 3561

üîé Similarity search:
[1] | Score: 0.6761 | Title: (no title) | SourceType: owasp_cheatsheet
Source: D:\MCPLLM\test\cheatsheets\Injection_Prevention_Cheat_Sheet.md
SQL Injection attacks can be divided into the following three classes:  - **Inband:**√Ç¬†data is extracted using
the same channel that is used to inject the SQL code. This is the most straightforward kind of attack, in
which the retrieved data is presented directly in the application web page. - **Out-of-band:**√Ç¬†data is
retrieved using a different channel (e.g., an email with the results of the que...
--------------------------------------------------------------------------------------------------------------
[2] | Score: 0.7689 | Title: (no title) | SourceType: owasp_cheatsheet
Source: D:\MCPLLM\test\cheatsheets\SQL_Injection_Prevention_Cheat_Sheet.md
## What Is a SQL Injection Attack?  Attackers can use SQL injection on an application if it has dynamic
datab

In [None]:
# Hybrid search = Dense (Chroma) + Sparse (BM25) combiner
import sys, subprocess, math
from typing import List, Tuple
from rank_bm25 import BM25Okapi

# N·∫øu rank_bm25 ch∆∞a c√†i th√¨ c√†i (cell s·∫Ω l·ªói n·∫øu kh√¥ng c√≥)
try:
    import rank_bm25  # noqa
except Exception:
    subprocess.check_call([sys.executable, "-m", "pip", "install", "rank-bm25"])
    from rank_bm25 import BM25Okapi  # noqa

# Ki·ªÉm tra ti·ªÅn ƒëi·ªÅu ki·ªán
if 'vs' not in globals() and 'vectorstore' not in globals():
    raise RuntimeError("Ch∆∞a c√≥ vectorstore (vs). H√£y load/kh·ªüi t·∫°o Chroma tr∆∞·ªõc.")

# prefer vs variable
_vs = vs if 'vs' in globals() else vectorstore

if 'docs_for_chroma' not in globals():
    raise RuntimeError("C·∫ßn bi·∫øn `docs_for_chroma` (list of Documents) ƒë·ªÉ x√¢y BM25. H√£y t·∫°o n√≥ khi build Chroma.")

# Chu·∫©n b·ªã corpus cho BM25 (ƒë∆°n gi·∫£n: page_content tokenized)
corpus_texts = [ (d.page_content or "").replace("\n"," ") for d in docs_for_chroma ]
# Tokenize: simple whitespace + lowercase; b·∫°n c√≥ th·ªÉ ƒë∆∞a tokenizer t·ªët h∆°n
tokenized_corpus = [ txt.lower().split() for txt in corpus_texts ]
bm25 = BM25Okapi(tokenized_corpus)

def normalize_scores(d: dict):
    """Min-max normalize in-place for dict key->score"""
    if not d:
        return {}
    vals = list(d.values())
    lo, hi = min(vals), max(vals)
    if lo == hi:
        # all equal -> give 1.0
        return {k: 1.0 for k in d}
    return {k: (v - lo) / (hi - lo) for k, v in d.items()}

def hybrid_search(
    query: str,
    k_dense: int = 10,
    k_sparse: int = 10,
    alpha: float = 0.6
) -> List[Tuple[object, float]]:
    """
    alpha: weight for dense score (0..1). final_score = alpha * dense_norm + (1-alpha) * sparse_norm
    returns list of (Document, combined_score) sorted desc
    """
    # 1) Dense (Chroma) top-k
    dense_hits = _vs.similarity_search_with_score(query, k=k_dense)
    # dense_hits: list of (Document, score). Depending on implementation score may be distance or similarity.
    # We'll assume larger score = more similar (as seen earlier). If you see scores like distances, invert them.
    dense_scores = {}
    for doc, s in dense_hits:
        key = id(doc)  # unique key
        dense_scores[key] = float(s)
    
    # 2) Sparse (BM25)
    qtok = query.lower().split()
    bm25_scores_arr = bm25.get_scores(qtok)  # length = len(corpus)
    sparse_scores = {}
    for idx, sc in enumerate(bm25_scores_arr):
        if sc <= 0:
            continue
        # key mapping must correspond to docs_for_chroma order
        key = id(docs_for_chroma[idx])
        sparse_scores[key] = float(sc)
    
    # 3) Normalize each score map
    dense_norm = normalize_scores(dense_scores)
    sparse_norm = normalize_scores(sparse_scores)
    
    # 4) Merge keys and compute combined score
    keys = set(dense_norm.keys()) | set(sparse_norm.keys())
    combined = {}
    for k in keys:
        dv = dense_norm.get(k, 0.0)
        sv = sparse_norm.get(k, 0.0)
        combined[k] = alpha * dv + (1 - alpha) * sv
    
    # 5) create list of (Document, score) and sort
    results = []
    # map id->doc for lookup
    id2doc = { id(docs_for_chroma[i]) : docs_for_chroma[i] for i in range(len(docs_for_chroma)) }
    for k, sc in sorted(combined.items(), key=lambda x: x[1], reverse=True):
        doc = id2doc.get(k)
        if doc:
            results.append((doc, sc))
    return results

# pretty printer (re-use earlier pretty if exists)
def pretty_result(doc, score, idx=None):
    title = doc.metadata.get("title") or doc.metadata.get("cheatsheet_name") or doc.metadata.get("id") or "(no title)"
    print(f"[{idx}] Score: {score:.4f} | Title: {title} | SourceType: {doc.metadata.get('source_type')}")
    print("  Preview:", (doc.page_content or "")[:300].replace("\n"," "))
    print("-" * 100)

# ===== Example usage =====
q = "Defense XSS Attack"
res = hybrid_search(q, k_dense=10, k_sparse=50, alpha=0.65)

print(f"Hybrid results for query: {q}\nTop {min(10,len(res))}:")
for i, (doc, sc) in enumerate(res[:10], 1):
    pretty_result(doc, sc, idx=i)

# Tweak alpha: alpha closer to 1 => favor dense; closer to 0 => favor BM25
print("\n(ƒêi·ªÅu ch·ªânh alpha ƒë·ªÉ ∆∞u ti√™n dense/sparse)")


Hybrid results for query: Defense XSS Attack
Top 10:
[1] Score: 0.3500 | Title: (no title) | SourceType: owasp_cheatsheet
  Preview: - Cookie Attributes - These change how JavaScript and browsers can interact with cookies. Cookie attributes try to limit the impact of an XSS attack but don‚Äôt prevent the execution of malicious content or address the root cause of the vulnerability. - Content Security Policy - An allowlist that prev
----------------------------------------------------------------------------------------------------
[2] Score: 0.2907 | Title: (no title) | SourceType: owasp_cheatsheet
  Preview: ### Summary  One final note: If deploying interceptors / filters as an XSS defense was a useful approach against XSS attacks, don't you think that it would be incorporated into all commercial Web Application Firewalls (WAFs) and be an approach that OWASP recommends in this cheat sheet?
------------------------------------------------------------------------------------------------

In [None]:
# --- Stable key builders (thay v√¨ d√πng id(doc)) ---
import hashlib, re
from rank_bm25 import BM25Okapi

def doc_key(d):
    """Kh√≥a ·ªïn ƒë·ªãnh t·ª´ metadata + hash 256 k√Ω t·ª± ƒë·∫ßu n·ªôi dung."""
    meta = d.metadata or {}
    src = meta.get("source_url") or meta.get("source") or ""
    title = meta.get("title") or meta.get("cheatsheet_name") or meta.get("id") or ""
    aux = meta.get("yaml_path") or meta.get("technique_id") or meta.get("technique_name") or ""
    head = (d.page_content or "")[:256]
    h = hashlib.md5(head.encode("utf-8","ignore")).hexdigest()[:8]
    return f"{src}|{title}|{aux}|{h}"

def payload_tokenize(text: str):
    text = (text or "").lower()
    return [t for t in re.findall(r"[a-z0-9_]+|[\$\{\}\|\&\;\=\.\:/\\'\"][\$\{\}\|\&\;\=\.\:/\\'\"0-9a-z_]*", text)
            if len(t) > 1 or t in ("'", '"', "/", "=", ".")]

def bm25_build_corpus(docs):
    corpus = []
    keys = []
    for d in docs:
        meta_bits = []
        for k in ("title","tags","yaml_path","technique_id","technique_name","cheatsheet_name"):
            v = d.metadata.get(k)
            if v is None: 
                continue
            if isinstance(v, list):
                v = " ".join(map(str, v))
            elif isinstance(v, dict):
                v = " ".join(f"{ik}:{iv}" for ik, iv in v.items())
            meta_bits.append(str(v))
        blob = " \n ".join([d.page_content or ""] + meta_bits)
        corpus.append(blob)
        keys.append(doc_key(d))
    return corpus, keys

# Build BM25 + key map m·ªôt l·∫ßn
corpus_texts, bm25_keys = bm25_build_corpus(docs_for_chroma)
bm25 = BM25Okapi([payload_tokenize(t) for t in corpus_texts])

# Map stable key -> Document g·ªëc (t·ª´ docs_for_chroma)
key2doc = { doc_key(d): d for d in docs_for_chroma }

def _minmax(d):
    if not d: return {}
    vals = list(d.values()); lo, hi = min(vals), max(vals)
    if hi == lo: return {k: 1.0 for k in d}  # t·∫•t c·∫£ b·∫±ng nhau
    return {k: (v - lo) / (hi - lo) for k, v in d.items()}

def hybrid_search(query: str, k_dense=10, k_sparse=80, alpha=0.60):
    # 1) Dense t·ª´ Chroma (d√πng stable key)
    dense_hits = vs.similarity_search_with_score(query, k=k_dense)
    # n·∫øu th·∫•y score l√† "kho·∫£ng c√°ch" (nh·ªè t·ªët), ƒë·∫£o d·∫•u: s = -float(score)
    dense_scores = {}
    for d, s in dense_hits:
        k = doc_key(d)
        dense_scores[k] = float(s)

    # 2) Sparse t·ª´ BM25 (map theo bm25_keys)
    qtok = payload_tokenize(query)
    sparse_arr = bm25.get_scores(qtok)  # ƒëi·ªÉm cho to√†n corpus
    sparse_scores = { bm25_keys[i]: float(sc) for i, sc in enumerate(sparse_arr) if sc > 0 }

    # 3) Chu·∫©n ho√° & tr·ªôn
    dn, sn = _minmax(dense_scores), _minmax(sparse_scores)
    keys = set(dn) | set(sn)
    combo = {k: alpha*dn.get(k,0.0) + (1-alpha)*sn.get(k,0.0) for k in keys}

    # 4) Tr·∫£ k·∫øt qu·∫£ (Document, score) b·∫±ng key2doc
    results = []
    for k, sc in sorted(combo.items(), key=lambda x: x[1], reverse=True):
        d = key2doc.get(k)
        if d:
            results.append((d, sc))
    return results

def show_results(title, results, top=10, width=110, preview=360):
    import textwrap
    print(f"\n=== {title} (top {top}) ===")
    for i, (doc, sc) in enumerate(results[:top], 1):
        met = doc.metadata
        name = met.get("title") or met.get("cheatsheet_name") or met.get("id") or "(no title)"
        src = met.get("source_url") or met.get("source") or met.get("doc_type")
        print(f"[{i}] score={sc:.4f} | {name} | {met.get('source_type')}")
        if src: print("    src:", src)
        snippet = (doc.page_content or "").replace("\n"," ")[:preview]
        print("    ", textwrap.shorten(snippet, width=width))
    print("-"*width)

# Th·ª≠ l·∫°i
query = "What is Rule Detection of SQL injection?"
dense_hits = vs.similarity_search_with_score(query, k=10)
show_results("Dense-only (Chroma)", dense_hits)

hyb_hits = hybrid_search(query, k_dense=10, k_sparse=80, alpha=0.60)
show_results("Hybrid (Dense+BM25, alpha=0.55)", hyb_hits)



=== Dense-only (Chroma) (top 10) ===
[1] score=0.6764 | (no title) | owasp_cheatsheet
    src: D:\MCPLLM\test\cheatsheets\Injection_Prevention_Cheat_Sheet.md
     ### Query languages The most famous form of injection is SQL Injection where an attacker can modify [...]
[2] score=0.6849 | (no title) | owasp_cheatsheet
    src: D:\MCPLLM\test\cheatsheets\Injection_Prevention_Cheat_Sheet.md
     SQL Injection attacks can be divided into the following three classes: - **Inband:**√Ç data is extracted [...]
[3] score=0.7527 | (no title) | owasp_cheatsheet
    src: D:\MCPLLM\test\cheatsheets\Injection_Prevention_Cheat_Sheet.md
     An SQL injection attack consists of insertion or "injection" of either a partial or complete SQL query [...]
[4] score=0.7770 | SQL Injection Strings In URI | sigma_rule
    src: D:\MCPLLM\test\sigma\rules\web\webserver_generic\web_sql_injection_in_access_logs.yml
     Sigma Rule: SQL Injection Strings In URI Status: test | Level: high Description: Detects potentia

In [None]:
# =============== LLM + RAG HYBRID cho LOG (LangChain + Groq) ===============
# - LLM: ChatGroq (GROQ_API_KEY t·ª´ bi·∫øn m√¥i tr∆∞·ªùng)
# - VectorDB: Chroma (dense) + BM25 (sparse) = Hybrid
# - Pipeline:
#   (1) LLM sinh gi·∫£ thuy·∫øt & c√¢u h·ªèi b·ªï sung
#   (2) T·ª± query retriever (hybrid) theo t·ª´ng c√¢u h·ªèi
#   (3) LLM "Judge" k·∫øt lu·∫≠n attack + MITRE + confidence + ngu·ªìn

import os, sys, subprocess, json, re, hashlib, textwrap

# -------- 0) C√ÄI / IMPORT G√ìI C·∫¶N THI·∫æT --------
def _pip_install(pkgs):
    try:
        subprocess.check_call([sys.executable, "-m", "pip", "install", "-q"] + pkgs)
    except Exception as e:
        print("‚ö†Ô∏è pip install error:", e)

# Th∆∞ vi·ªán LangChain c·∫ßn
try:
    from langchain_groq import ChatGroq
except Exception:
    _pip_install(["langchain-groq"])
    from langchain_groq import ChatGroq

try:
    from langchain_core.messages import SystemMessage, HumanMessage
    from langchain_core.runnables import RunnableLambda
except Exception:
    _pip_install(["langchain-core>=0.2.0"])
    from langchain_core.messages import SystemMessage, HumanMessage
    from langchain_core.runnables import RunnableLambda

try:
    from langchain_community.vectorstores import Chroma
except Exception:
    _pip_install(["langchain-community", "chromadb"])
    from langchain_community.vectorstores import Chroma

try:
    from langchain_huggingface import HuggingFaceEmbeddings
except Exception:
    _pip_install(["langchain-huggingface", "sentence-transformers"])
    from langchain_huggingface import HuggingFaceEmbeddings

# BM25 cho hybrid
try:
    from rank_bm25 import BM25Okapi
except Exception:
    _pip_install(["rank-bm25"])
    from rank_bm25 import BM25Okapi


# -------- 1) THI·∫æT L·∫¨P LLM GROQ --------
# ƒê·∫∑t key v√†o bi·∫øn m√¥i tr∆∞·ªùng tr∆∞·ªõc khi ch·∫°y: os.environ["GROQ_API_KEY"] = "..."
if "GROQ_API_KEY" not in os.environ:
    print("‚ö†Ô∏è  Thi·∫øu GROQ_API_KEY trong bi·∫øn m√¥i tr∆∞·ªùng. ƒê·∫∑t os.environ['GROQ_API_KEY']='<key>' tr∆∞·ªõc khi g·ªçi.")
# Model g·ª£i √Ω: "llama-3.3-70b-versatile" ho·∫∑c "mixtral-8x7b-32768"
llm = ChatGroq(model="llama-3.3-70b-versatile", temperature=0)

# -------- 2) M·ªû / KH·ªûI T·∫†O VECTORSTORE & EMBEDDINGS --------
# Embedding MiniLM (nh∆∞ b·∫°n d√πng)
embeddings = HuggingFaceEmbeddings(
    model_name="sentence-transformers/all-MiniLM-L6-v2",
    encode_kwargs={"normalize_embeddings": True}
)

# Th∆∞ m·ª•c Chroma ƒë√£ persist t·ª´ cell tr∆∞·ªõc c·ªßa b·∫°n
persist_directory = r"D:\MCPLLM\test\chroma_sec_db"

# M·ªü l·∫°i Chroma n·∫øu c√≥, ng∆∞·ª£c l·∫°i b√°o g·ª£i √Ω
try:
    vs = Chroma(
        persist_directory=persist_directory,
        collection_name="security_knowledge_base",
        embedding_function=embeddings
    )
    print("‚úÖ Chroma loaded:", persist_directory, "| Vectors ~", vs._collection.count())
except Exception as e:
    print("‚ö†Ô∏è Kh√¥ng m·ªü ƒë∆∞·ª£c Chroma:", e)
    vs = None

# -------- 3) HYBRID RETRIEVER (Dense Chroma + Sparse BM25) --------
# C·∫ßn danh s√°ch Document g·ªëc ƒë·ªÉ build BM25. N·∫øu b·∫°n v·∫´n gi·ªØ bi·∫øn docs_for_chroma th√¨ d√πng, c√≤n kh√¥ng s·∫Ω build sparse "lazy" t·ª´ DB.

def payload_tokenize(text: str):
    """Tokenizer gi·ªØ k√Ω t·ª± ƒë·∫∑c bi·ªát cho payload SOC."""
    text = (text or "").lower()
    tokens = re.findall(r"[a-z0-9_]+|[\$\{\}\|\&\;\=\.\:/\\'\"][\$\{\}\|\&\;\=\.\:/\\'\"0-9a-z_]*", text)
    return [t for t in tokens if len(t) > 1 or t in ("'", '"', "/", "=", ".")]

def doc_key(d):
    """Key ·ªïn ƒë·ªãnh cho mapping (metadata + hash)."""
    meta = getattr(d, "metadata", {}) or {}
    src = meta.get("source_url") or meta.get("source") or ""
    title = meta.get("title") or meta.get("cheatsheet_name") or meta.get("id") or ""
    aux = meta.get("yaml_path") or meta.get("technique_id") or meta.get("technique_name") or ""
    head = (getattr(d, "page_content", "") or "")[:256]
    h = hashlib.md5(head.encode("utf-8","ignore")).hexdigest()[:8]
    return f"{src}|{title}|{aux}|{h}"

def _minmax(d):
    if not d: return {}
    vals = list(d.values()); lo, hi = min(vals), max(vals)
    if hi == lo: return {k: 1.0 for k in d}
    return {k: (v - lo) / (hi - lo) for k, v in d.items()}

# Build BM25 corpus t·ª´ docs_for_chroma n·∫øu c√≥; n·∫øu kh√¥ng, l·∫•y N m·∫´u t·ª´ DB
if 'docs_for_chroma' in globals() and docs_for_chroma:
    # ƒë√£ c√≥ docs_for_chroma t·ª´ pipeline embed
    sparse_docs = docs_for_chroma
else:
    # fallback: l·∫•y ng·∫´u nhi√™n 2000 docs t·ª´ Chroma (n·∫øu driver h·ªó tr·ª£). N·∫øu kh√¥ng, l·∫•y b·∫±ng similarity v·ªõi v√†i anchor query.
    sparse_docs = []
    if vs is not None:
        try:
            # Chroma kh√¥ng c√≥ API "load all docs" ti√™u chu·∫©n qua LangChain;
            # d∆∞·ªõi ƒë√¢y l√† c√°ch kh·ªüi t·∫°o sparse t·ª´ m·ªôt s·ªë truy v·∫•n anchor ƒë·ªÉ c√≥ corpus ƒë·ªß t·ªët.
            anchors = [
                "sql injection OR 1=1", "xss tag breaking", "command injection ; | &&",
                "F5 iControl bash endpoint", "MITRE T1003 LSASS", "path traversal ../../etc/passwd",
                "confluence cve-2022-26134", "java payload ${@java}", "waf rule xss", "authentication brute force"
            ]
            captured = {}
            for a in anchors:
                for d in vs.similarity_search(a, k=100):
                    k = doc_key(d)
                    if k not in captured:
                        captured[k] = d
            sparse_docs = list(captured.values())
            print(f"‚ÑπÔ∏è BM25 corpus from anchors: {len(sparse_docs)} docs")
        except Exception as e:
            print("‚ö†Ô∏è Kh√¥ng th·ªÉ d·ª±ng corpus BM25 t·ª± ƒë·ªông:", e)
            sparse_docs = []

def bm25_build_corpus(docs):
    corpus, keys = [], []
    for d in docs:
        meta_bits = []
        for k in ("title","tags","yaml_path","technique_id","technique_name","cheatsheet_name","level"):
            v = (d.metadata or {}).get(k)
            if v is None: 
                continue
            if isinstance(v, list):
                v = " ".join(map(str, v))
            elif isinstance(v, dict):
                v = " ".join(f"{ik}:{iv}" for ik, iv in v.items())
            meta_bits.append(str(v))
        blob = " \n ".join([getattr(d, "page_content", "") or ""] + meta_bits)
        corpus.append(blob)
        keys.append(doc_key(d))
    return corpus, keys

bm25, bm25_keys, key2doc = None, [], {}
if sparse_docs:
    corpus_texts, bm25_keys = bm25_build_corpus(sparse_docs)
    bm25 = BM25Okapi([payload_tokenize(t) for t in corpus_texts])
    key2doc = { doc_key(d): d for d in sparse_docs }
    print("‚úÖ BM25 ready on", len(sparse_docs), "docs")
else:
    print("‚ö†Ô∏è BM25 ch∆∞a s·∫µn s√†ng (thi·∫øu corpus). Hybrid s·∫Ω r∆°i v·ªÅ dense-only.")

def hybrid_search(query: str, k_dense=10, k_sparse=80, alpha=0.60):
    """Tr·∫£ list[(Document, score)] theo ƒëi·ªÉm tr·ªôn hybrid. N·∫øu thi·∫øu BM25, tr·∫£ dense-only."""
    # Dense t·ª´ Chroma
    dense_hits = vs.similarity_search_with_score(query, k=k_dense) if vs is not None else []
    dense_scores = {}
    for d, s in dense_hits:
        # n·∫øu score l√† kho·∫£ng c√°ch (nh·ªè t·ªët), c√≥ th·ªÉ ƒë·∫£o d·∫•u: s = -float(s)
        dense_scores[doc_key(d)] = float(s)

    if bm25 is None:
        # Dense-only
        return [(d, s) for d, s in dense_hits]

    # Sparse t·ª´ BM25
    qtok = payload_tokenize(query)
    sparse_arr = bm25.get_scores(qtok)
    sparse_scores = { bm25_keys[i]: float(sc) for i, sc in enumerate(sparse_arr) if sc > 0 }

    # Normalize & tr·ªôn
    dn, sn = _minmax(dense_scores), _minmax(sparse_scores)
    keys = set(dn) | set(sn)
    combo = {k: alpha*dn.get(k,0.0) + (1-alpha)*sn.get(k,0.0) for k in keys}

    # Map key -> doc
    results = []
    # ∆∞u ti√™n l·∫•y doc t·ª´ vs (dense) n·∫øu c√≥, sau ƒë√≥ t·ª´ key2doc (sparse)
    dense_map = { doc_key(d): d for d, _ in dense_hits }
    for k, sc in sorted(combo.items(), key=lambda x: x[1], reverse=True):
        d = dense_map.get(k) or key2doc.get(k)
        if d:
            results.append((d, sc))
    return results


# -------- 4) CHU·ªñI LLM: SINH C√ÇU H·ªéI & JUDGE K·∫æT LU·∫¨N --------
SYSTEM_HYP = """B·∫°n l√† L2 SOC analyst. Nh·∫≠n EVENT (log th√¥) v√†:
1) Sinh t·ªëi ƒëa 5 gi·∫£ thuy·∫øt ki·ªÉu t·∫•n c√¥ng c√≥ th·ªÉ (vd: SQL Injection, XSS, LFI, Command Injection, Brute Force...)
2) V·ªõi m·ªói gi·∫£ thuy·∫øt, sinh 2‚Äì4 c√¢u h·ªèi ng·∫Øn ƒë·ªÉ truy KB nh·∫±m t√¨m b·∫±ng ch·ª©ng.
3) Tr·∫£ JSON: {"hypotheses":[{"name":"...", "mitre":"Txxxx", "questions":["...", "..."]}, ...]}.
Ch·ªâ tr·∫£ JSON h·ª£p l·ªá, kh√¥ng gi·∫£i th√≠ch th√™m.
"""

SYSTEM_JUDGE = """B·∫°n l√† b·ªô ch·∫•m ƒëi·ªÉm b·∫±ng ch·ª©ng. D·ª±a tr√™n CONTEXT (c√°c ƒëo·∫°n KB ƒë√£ truy h·ªìi) v√† EVENT (log th√¥):
- K·∫øt lu·∫≠n {"attack":"...", "mitre":"Txxxx", "confidence":0..1, "rationale":"...", "sources":[...]}
- Ch·ªâ ch·ªçn attack n·∫øu c√≥ b·∫±ng ch·ª©ng r√µ (pattern/rule/step kh·ªõp). N·∫øu kh√¥ng ƒë·ªß b·∫±ng ch·ª©ng, tr·∫£ {"attack":"Unknown", "mitre":"", "confidence":0.0, ...}
Ch·ªâ tr·∫£ JSON h·ª£p l·ªá.
"""

def llm_json(llm, system_prompt, user_content, max_retries=2):
    """G·ªçi LLM mong mu·ªën JSON thu·∫ßn."""
    for _ in range(max_retries+1):
        resp = llm.invoke([SystemMessage(content=system_prompt),
                           HumanMessage(content=user_content)])
        txt = (resp.content or "").strip()
        # T√¨m block JSON
        try:
            # N·∫øu c√≥ text r√°c, b·∫Øt c·∫∑p {} ƒë·∫ßu ti√™n
            start = txt.find("{")
            end = txt.rfind("}")
            if start >= 0 and end > start:
                return json.loads(txt[start:end+1])
        except Exception:
            continue
    raise ValueError("LLM kh√¥ng tr·∫£ JSON h·ª£p l·ªá:\n" + txt)

def retrieve_evidence_for_questions(questions, topk=5, alpha=0.60):
    """Hybrid retrieve cho list c√¢u h·ªèi, tr·∫£ danh s√°ch ƒëo·∫°n b·∫±ng ch·ª©ng (text + metadata)."""
    evid = []
    for q in questions:
        hits = hybrid_search(q, k_dense=topk, k_sparse=80, alpha=alpha)
        for d, sc in hits:
            evid.append({
                "text": d.page_content[:1500],
                "meta": d.metadata,
                "score": float(sc)
            })
    # l·ªçc tr√πng theo source_url + yaml_path
    seen = set(); uniq = []
    for e in evid:
        m = e["meta"] or {}
        sig = (m.get("source_url") or m.get("source") or "") + "|" + str(m.get("yaml_path") or "")
        if sig in seen: 
            continue
        seen.add(sig)
        uniq.append(e)
    return uniq[:20]

def analyze_log(event_text: str, alpha=0.60):
    """Pipeline: sinh c√¢u h·ªèi -> retrieve -> judge -> tr·∫£ k·∫øt qu·∫£ + evidence s·ª≠ d·ª•ng."""
    # 1) Sinh gi·∫£ thuy·∫øt + c√¢u h·ªèi
    hyp_json = llm_json(llm, SYSTEM_HYP, f"EVENT:\n{event_text}")
    hypotheses = hyp_json.get("hypotheses", [])[:5]

    # 2) V·ªõi m·ªói gi·∫£ thuy·∫øt: retrieve b·∫±ng ch·ª©ng
    hyp_results = []
    for hyp in hypotheses:
        qs = hyp.get("questions", [])[:4]
        evid = retrieve_evidence_for_questions(qs, topk=5, alpha=alpha)
        # So·∫°n context cho judge (r√∫t g·ªçn gi·ªØ ngu·ªìn)
        ctx_blocks = []
        for e in evid[:10]:
            meta = e["meta"] or {}
            src = meta.get("source_url") or meta.get("source") or ""
            head = (e["text"] or "")[:600]
            ctx_blocks.append(f"SOURCE: {src}\n{head}")
        ctx = "\n\n---\n\n".join(ctx_blocks)

        # 3) Judge k·∫øt lu·∫≠n
        judge_in = f"CONTEXT:\n{ctx}\n\nEVENT:\n{event_text}\n"
        judge_json = llm_json(llm, SYSTEM_JUDGE, judge_in)
        judge_json["hypothesis"] = hyp.get("name")
        judge_json["hyp_mitre"] = hyp.get("mitre","")
        judge_json["asked"] = qs
        # l∆∞u top ngu·ªìn
        judge_json["top_sources"] = [ (e["meta"].get("source_url") or e["meta"].get("source") or "") for e in evid[:5] ]
        hyp_results.append(judge_json)

    # 4) Ch·ªçn k·∫øt qu·∫£ t·ªët nh·∫•t theo confidence
    best = max(hyp_results, key=lambda x: x.get("confidence", 0.0), default={"attack":"Unknown","confidence":0.0})
    return {
        "event": event_text,
        "results": hyp_results,
        "best": best
    }

# ---------------- DEMO ----------------
demo_log = """What is SQL injection?"""

print("\nüîé Demo analyze_log()...")
try:
    out = analyze_log(demo_log, alpha=0.60)  # alpha: ∆∞u ti√™n dense ~60%, sparse ~40%
    print("\n=== K·∫æT LU·∫¨N ===")
    print(json.dumps(out["best"], ensure_ascii=False, indent=2))
    print("\n=== CHI TI·∫æT (M·ªñI GI·∫¢ THUY·∫æT) ===")
    for i, r in enumerate(out["results"], 1):
        print(f"\n[{i}] hyp={r.get('hypothesis')} -> attack={r.get('attack')} | conf={r.get('confidence')}")
        print("  asked:", r.get("asked"))
        print("  sources:", r.get("top_sources")[:3])
except Exception as e:
    print("‚ö†Ô∏è Demo l·ªói nh·ªè:", e)
    print("Ki·ªÉm tra: GROQ_API_KEY, Chroma persist_directory, v√† d·ªØ li·ªáu ƒë√£ embed.")


INFO:sentence_transformers.SentenceTransformer:Use pytorch device_name: cpu
INFO:sentence_transformers.SentenceTransformer:Load pretrained SentenceTransformer: sentence-transformers/all-MiniLM-L6-v2


‚úÖ Chroma loaded: D:\MCPLLM\test\chroma_sec_db | Vectors ~ 3561
‚ÑπÔ∏è BM25 corpus from anchors: 766 docs
‚úÖ BM25 ready on 766 docs

üîé Demo analyze_log()...


INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"



=== K·∫æT LU·∫¨N ===
{
  "attack": "Unknown",
  "mitre": "",
  "confidence": 0.0,
  "rationale": "Kh√¥ng c√≥ b·∫±ng ch·ª©ng r√µ r√†ng v·ªÅ t·∫•n c√¥ng",
  "sources": [],
  "hypothesis": "SQL Injection",
  "hyp_mitre": "T1190",
  "asked": [
    "C√≥ y√™u c·∫ßu HTTP n√†o ch·ª©a k√Ω t·ª± ƒë·∫∑c bi·ªát nh∆∞ ';', '--', ho·∫∑c 'UNION' kh√¥ng?",
    "Li·ªáu c√≥ th·ªÉ x·∫£y ra l·ªói c∆° s·ªü d·ªØ li·ªáu khi nh·∫≠p d·ªØ li·ªáu kh√¥ng?",
    "C√≥ d·∫•u hi·ªáu c·ªßa vi·ªác th·ª±c thi l·ªánh SQL kh√¥ng mong mu·ªën kh√¥ng?"
  ],
  "top_sources": [
    "D:\\MCPLLM\\test\\cheatsheets\\Session_Management_Cheat_Sheet.md",
    "D:\\MCPLLM\\test\\cheatsheets\\REST_Assessment_Cheat_Sheet.md",
    "D:\\MCPLLM\\test\\cheatsheets\\OS_Command_Injection_Defense_Cheat_Sheet.md",
    "D:\\MCPLLM\\test\\cheatsheets\\Cross_Site_Scripting_Prevention_Cheat_Sheet.md",
    "D:\\MCPLLM\\test\\cheatsheets\\Injection_Prevention_Cheat_Sheet.md"
  ]
}

=== CHI TI·∫æT (M·ªñI GI·∫¢ THUY·∫æT) ===

[1] hyp=SQL Injection -> at

In [None]:
# ================= FULL CELL: RAG-HYBRID QA + Log-Analysis (LangChain + Groq) =================
# Copy/paste to√†n b·ªô cell n√†y v√†o Jupyter. Ch·ªânh GROQ_API_KEY v√† persist_directory tr∆∞·ªõc khi ch·∫°y.
import os, sys, subprocess, json, re, hashlib, textwrap, random, time

# --------------------- helper: pip install khi c·∫ßn ---------------------
def _pip_install(pkgs):
    try:
        subprocess.check_call([sys.executable, "-m", "pip", "install", "-q"] + pkgs)
    except Exception as e:
        print("‚ö†Ô∏è pip install error:", e)

# C√°c import ch√≠nh (v·ªõi fallback c√†i ƒë·∫∑t)
try:
    from langchain_groq import ChatGroq
except Exception:
    _pip_install(["langchain-groq"])
    from langchain_groq import ChatGroq

try:
    from langchain_core.messages import SystemMessage, HumanMessage
    from langchain_core.runnables import RunnableLambda
except Exception:
    _pip_install(["langchain-core>=0.2.0"])
    from langchain_core.messages import SystemMessage, HumanMessage
    from langchain_core.runnables import RunnableLambda

try:
    from langchain_community.vectorstores import Chroma
except Exception:
    _pip_install(["langchain-community", "chromadb"])
    from langchain_community.vectorstores import Chroma

try:
    from langchain_huggingface import HuggingFaceEmbeddings
except Exception:
    _pip_install(["langchain-huggingface", "sentence-transformers"])
    from langchain_huggingface import HuggingFaceEmbeddings

try:
    from rank_bm25 import BM25Okapi
except Exception:
    _pip_install(["rank-bm25"])
    from rank_bm25 import BM25Okapi

# --------------------- C·∫•u h√¨nh: GROQ key & Chroma path ---------------------
# ƒê·∫∑t bi·∫øn m√¥i tr∆∞·ªùng tr∆∞·ªõc khi ch·∫°y (ho·∫∑c g√°n tr·ª±c ti·∫øp ·ªü ƒë√¢y)
# V√≠ d·ª•: os.environ["GROQ_API_KEY"] = "sk-...."
if "GROQ_API_KEY" not in os.environ:
    print("‚ö†Ô∏è Thi·∫øu GROQ_API_KEY trong bi·∫øn m√¥i tr∆∞·ªùng. H√£y ƒë·∫∑t: os.environ['GROQ_API_KEY']='<key>' tr∆∞·ªõc khi ch·∫°y.")
# Chroma persist directory (ch·ªânh theo m√¥i tr∆∞·ªùng c·ªßa b·∫°n)
persist_directory = r"D:\MCPLLM\test\chroma_sec_db"  # <-- ch·ªânh ƒë∆∞·ªùng d·∫´n n√†y

# --------------------- Kh·ªüi t·∫°o LLM ---------------------
# Model g·ª£i √Ω: "llama-3.3-70b-versatile" ho·∫∑c adapt theo key/model b·∫°n c√≥
try:
    llm = ChatGroq(model="llama-3.3-70b-versatile", temperature=0)
    print("‚úÖ ChatGroq client initialized.")
except Exception as e:
    print("‚ö†Ô∏è Kh√¥ng kh·ªüi t·∫°o ƒë∆∞·ª£c ChatGroq:", e)
    llm = None

# --------------------- Embeddings + Chroma ---------------------
embeddings = HuggingFaceEmbeddings(
    model_name="sentence-transformers/all-MiniLM-L6-v2",
    encode_kwargs={"normalize_embeddings": True}
)

vs = None
try:
    vs = Chroma(
        persist_directory=persist_directory,
        collection_name="security_knowledge_base",
        embedding_function=embeddings
    )
    # Tries to show approximate count if API exposes it
    try:
        count = vs._collection.count()
    except Exception:
        count = "unknown"
    print("‚úÖ Chroma loaded:", persist_directory, "| vectors:", count)
except Exception as e:
    print("‚ö†Ô∏è Kh√¥ng m·ªü ƒë∆∞·ª£c Chroma:", e)
    vs = None

# --------------------- BM25 corpus builder & tokenizer ---------------------
def payload_tokenize(text: str):
    text = (text or "").lower()
    tokens = re.findall(r"[a-z0-9_]+|[\$\{\}\|\&\;\=\.\:/\\'\"][\$\{\}\|\&\;\=\.\:/\\'\"0-9a-z_]*", text)
    return [t for t in tokens if len(t) > 1 or t in ("'", '"', "/", "=", ".")]

def doc_key(d):
    meta = getattr(d, "metadata", {}) or {}
    src = meta.get("source_url") or meta.get("source") or ""
    title = meta.get("title") or meta.get("cheatsheet_name") or meta.get("id") or ""
    aux = meta.get("yaml_path") or meta.get("technique_id") or meta.get("technique_name") or ""
    head = (getattr(d, "page_content", "") or "")[:256]
    h = hashlib.md5(head.encode("utf-8","ignore")).hexdigest()[:8]
    return f"{src}|{title}|{aux}|{h}"

def _minmax(d):
    if not d: return {}
    vals = list(d.values()); lo, hi = min(vals), max(vals)
    if hi == lo: return {k: 1.0 for k in d}
    return {k: (v - lo) / (hi - lo) for k, v in d.items()}

# Build sparse_docs from Chroma anchors if docs_for_chroma missing
sparse_docs = []
if 'docs_for_chroma' in globals() and docs_for_chroma:
    sparse_docs = docs_for_chroma
else:
    if vs is not None:
        try:
            anchors = [
                "sql injection OR 1=1", "xss tag breaking", "command injection ; | &&",
                "F5 iControl bash endpoint", "MITRE T1003 LSASS", "path traversal ../../etc/passwd",
                "confluence cve-2022-26134", "java payload ${@java}", "waf rule xss", "authentication brute force",
                "sigma rule example", "mitre t1059", "cve exploit example"
            ]
            captured = {}
            for a in anchors:
                try:
                    hits = vs.similarity_search(a, k=100)
                except Exception:
                    hits = []
                for d in hits:
                    k = doc_key(d)
                    if k not in captured:
                        captured[k] = d
            sparse_docs = list(captured.values())
            print(f"‚ÑπÔ∏è BM25 corpus from anchors: {len(sparse_docs)} docs")
        except Exception as e:
            print("‚ö†Ô∏è Kh√¥ng th·ªÉ d·ª±ng corpus BM25 t·ª± ƒë·ªông:", e)
            sparse_docs = []
    else:
        print("‚ö†Ô∏è Chroma kh√¥ng s·∫µn s√†ng, s·∫Ω ch·∫°y dense-only.")

def bm25_build_corpus(docs):
    corpus, keys = [], []
    for d in docs:
        meta_bits = []
        for k in ("title","tags","yaml_path","technique_id","technique_name","cheatsheet_name","level"):
            v = (d.metadata or {}).get(k)
            if v is None:
                continue
            if isinstance(v, list):
                v = " ".join(map(str, v))
            elif isinstance(v, dict):
                v = " ".join(f"{ik}:{iv}" for ik, iv in v.items())
            meta_bits.append(str(v))
        blob = " \n ".join([getattr(d, "page_content", "") or ""] + meta_bits)
        corpus.append(blob)
        keys.append(doc_key(d))
    return corpus, keys

bm25, bm25_keys, key2doc = None, [], {}
if sparse_docs:
    corpus_texts, bm25_keys = bm25_build_corpus(sparse_docs)
    bm25 = BM25Okapi([payload_tokenize(t) for t in corpus_texts])
    key2doc = { doc_key(d): d for d in sparse_docs }
    print("‚úÖ BM25 ready on", len(sparse_docs), "docs")
else:
    print("‚ö†Ô∏è BM25 ch∆∞a s·∫µn s√†ng (thi·∫øu corpus). Hybrid s·∫Ω r∆°i v·ªÅ dense-only.")

# --------------------- Hybrid search ---------------------
def hybrid_search(query: str, k_dense=10, k_sparse=80, alpha=0.60):
    dense_hits = []
    if vs is not None:
        try:
            dense_hits = vs.similarity_search_with_score(query, k=k_dense)
        except Exception as e:
            # fallback: empty
            dense_hits = []
    dense_scores = {}
    for d, s in dense_hits:
        # assume higher score = more relevant; adapt if driver gives distance
        dense_scores[doc_key(d)] = float(s)

    if bm25 is None:
        return [(d, s) for d, s in dense_hits]

    qtok = payload_tokenize(query)
    sparse_arr = bm25.get_scores(qtok)
    sparse_scores = { bm25_keys[i]: float(sc) for i, sc in enumerate(sparse_arr) if sc > 0 }

    dn, sn = _minmax(dense_scores), _minmax(sparse_scores)
    keys = set(dn) | set(sn)
    combo = {k: alpha*dn.get(k,0.0) + (1-alpha)*sn.get(k,0.0) for k in keys}

    results = []
    dense_map = { doc_key(d): d for d, _ in dense_hits }
    for k, sc in sorted(combo.items(), key=lambda x: x[1], reverse=True):
        d = dense_map.get(k) or key2doc.get(k)
        if d:
            results.append((d, sc))
    return results

# --------------------- LLM JSON helpers (gi·ªØ nguy√™n) ---------------------
SYSTEM_HYP = """B·∫°n l√† L2 SOC analyst. Nh·∫≠n EVENT (log th√¥) v√†:
1) Sinh t·ªëi ƒëa 5 gi·∫£ thuy·∫øt ki·ªÉu t·∫•n c√¥ng c√≥ th·ªÉ (vd: SQL Injection, XSS, LFI, Command Injection, Brute Force...)
2) V·ªõi m·ªói gi·∫£ thuy·∫øt, sinh 2‚Äì4 c√¢u h·ªèi ng·∫Øn ƒë·ªÉ truy KB nh·∫±m t√¨m b·∫±ng ch·ª©ng.
3) Tr·∫£ JSON: {"hypotheses":[{"name":"...", "mitre":"Txxxx", "questions":["...", "..."]}, ...]}.
Ch·ªâ tr·∫£ JSON h·ª£p l·ªá, kh√¥ng gi·∫£i th√≠ch th√™m.
"""

SYSTEM_JUDGE = """B·∫°n l√† b·ªô ch·∫•m ƒëi·ªÉm b·∫±ng ch·ª©ng. D·ª±a tr√™n CONTEXT (c√°c ƒëo·∫°n KB ƒë√£ truy h·ªìi) v√† EVENT (log th√¥):
- K·∫øt lu·∫≠n {"attack":"...", "mitre":"Txxxx", "confidence":0..1, "rationale":"...", "sources":[...]}.
- Ch·ªâ ch·ªçn attack n·∫øu c√≥ b·∫±ng ch·ª©ng r√µ (pattern/rule/step kh·ªõp). N·∫øu kh√¥ng ƒë·ªß b·∫±ng ch·ª©ng, tr·∫£ {"attack":"Unknown", "mitre":"", "confidence":0.0, ...}
Ch·ªâ tr·∫£ JSON h·ª£p l·ªá.
"""

def llm_json(llm, system_prompt, user_content, max_retries=2):
    if llm is None:
        raise ValueError("LLM ch∆∞a kh·ªüi t·∫°o.")
    for _ in range(max_retries+1):
        resp = llm.invoke([SystemMessage(content=system_prompt),
                           HumanMessage(content=user_content)])
        txt = (resp.content or "").strip()
        try:
            start = txt.find("{")
            end = txt.rfind("}")
            if start >= 0 and end > start:
                return json.loads(txt[start:end+1])
        except Exception:
            continue
    raise ValueError("LLM kh√¥ng tr·∫£ JSON h·ª£p l·ªá:\n" + txt)

def retrieve_evidence_for_questions(questions, topk=5, alpha=0.60):
    evid = []
    for q in questions:
        hits = hybrid_search(q, k_dense=topk, k_sparse=80, alpha=alpha)
        for d, sc in hits:
            evid.append({
                "text": d.page_content[:1500],
                "meta": d.metadata,
                "score": float(sc)
            })
    seen = set(); uniq = []
    for e in evid:
        m = e["meta"] or {}
        sig = (m.get("source_url") or m.get("source") or "") + "|" + str(m.get("yaml_path") or "")
        if sig in seen:
            continue
        seen.add(sig)
        uniq.append(e)
    return uniq[:20]

def analyze_log(event_text: str, alpha=0.60):
    hyp_json = llm_json(llm, SYSTEM_HYP, f"EVENT:\n{event_text}")
    hypotheses = hyp_json.get("hypotheses", [])[:5]
    hyp_results = []
    for hyp in hypotheses:
        qs = hyp.get("questions", [])[:4]
        evid = retrieve_evidence_for_questions(qs, topk=5, alpha=alpha)
        ctx_blocks = []
        for e in evid[:10]:
            meta = e["meta"] or {}
            src = meta.get("source_url") or meta.get("source") or ""
            head = (e["text"] or "")[:600]
            ctx_blocks.append(f"SOURCE: {src}\n{head}")
        ctx = "\n\n---\n\n".join(ctx_blocks)
        judge_in = f"CONTEXT:\n{ctx}\n\nEVENT:\n{event_text}\n"
        judge_json = llm_json(llm, SYSTEM_JUDGE, judge_in)
        judge_json["hypothesis"] = hyp.get("name")
        judge_json["hyp_mitre"] = hyp.get("mitre","")
        judge_json["asked"] = qs
        judge_json["top_sources"] = [ (e["meta"].get("source_url") or e["meta"].get("source") or "") for e in evid[:5] ]
        hyp_results.append(judge_json)
    best = max(hyp_results, key=lambda x: x.get("confidence", 0.0), default={"attack":"Unknown","confidence":0.0})
    return {
        "event": event_text,
        "results": hyp_results,
        "best": best
    }

# --------------------- RAG-QA prompts & function ---------------------
SYSTEM_PLAN = """B·∫°n l√† tr·ª£ l√Ω an to√†n th√¥ng tin. Nh·∫≠n C√ÇU H·ªéI c·ªßa ng∆∞·ªùi d√πng.
H√£y:
1) Ph√¢n r√£ t·ªëi ƒëa 5 c√¢u h·ªèi con c·∫ßn tra c·ª©u KB ƒë·ªÉ tr·∫£ l·ªùi.
2) Tr·∫£ JSON h·ª£p l·ªá:
{"subquestions": ["...", "...", "..."]}

Ch·ªâ tr·∫£ JSON, kh√¥ng gi·∫£i th√≠ch th√™m.
"""

SYSTEM_WRITE = """B·∫°n l√† tr·ª£ l√Ω an to√†n th√¥ng tin tr·∫£ l·ªùi NG·∫ÆN G·ªåN, CH√çNH X√ÅC v√† c√≥ d·∫´n ngu·ªìn.
D·ª±a tr√™n CONTEXT (c√°c ƒëo·∫°n KB ƒë√£ truy h·ªìi) v√† QUESTION (c√¢u h·ªèi ng∆∞·ªùi d√πng), h√£y:
- Tr·∫£ l·ªùi tr·ª±c ti·∫øp, s√∫c t√≠ch. N·∫øu c√≥ c·∫£nh b√°o/ngo·∫°i l·ªá, n√™u r√µ.
- Khi c√≥ th·ªÉ, n√™u th√™m MITRE ID li√™n quan ho·∫∑c CVE n·∫øu c√¢u h·ªèi d√≠nh t·ªõi l·ªó h·ªïng/chi·∫øn thu·∫≠t.
- Cu·ªëi c√¢u tr·∫£ l·ªùi, th√™m m·ª•c 'Ngu·ªìn:' d·∫°ng danh s√°ch ng·∫Øn g·ªçn (t·ªëi ƒëa 5 d√≤ng) g·ªìm ti√™u ƒë·ªÅ/ng·∫Øn g·ªçn + URL.

Ch·ªâ tr·∫£ n·ªôi dung Markdown (ƒë·ª´ng tr·∫£ JSON).
"""

def qa_answer(user_question: str, alpha=0.60, topk=5):
    # 1) L·∫≠p k·∫ø ho·∫°ch (subquestions)
    try:
        plan = llm_json(llm, SYSTEM_PLAN, f"QUESTION:\n{user_question}")
        subqs = plan.get("subquestions", [])[:5]
    except Exception:
        subqs = [user_question]
    if not subqs:
        subqs = [user_question]

    # 2) Retrieve
    evid = retrieve_evidence_for_questions(subqs, topk=topk, alpha=alpha)

    # 3) Build context
    ctx_blocks, source_urls = [], []
    for e in evid[:12]:
        meta = e.get("meta") or {}
        url = meta.get("source_url") or meta.get("source") or ""
        title = meta.get("title") or meta.get("technique_id") or meta.get("cheatsheet_name") or ""
        head = (e.get("text") or "")[:800]
        ctx_blocks.append(f"SOURCE: {title or url}\nURL: {url}\n{head}")
        if url:
            source_urls.append(url)
    context = "\n\n---\n\n".join(ctx_blocks)

    # 4) Write final answer
    writer_in = f"CONTEXT:\n{context}\n\nQUESTION:\n{user_question}\n"
    if llm is None:
        raise ValueError("LLM ch∆∞a kh·ªüi t·∫°o.")
    resp = llm.invoke([SystemMessage(content=SYSTEM_WRITE),
                       HumanMessage(content=writer_in)])
    answer_md = (resp.content or "").strip()

    # Compact sources
    uniq = []
    seen = set()
    for u in source_urls:
        if u and u not in seen:
            uniq.append(u); seen.add(u)
        if len(uniq) >= 5:
            break

    return {
        "question": user_question,
        "answer_markdown": answer_md,
        "sources": uniq,
        "subquestions": subqs
    }

# --------------------- Simple router (QA vs log analysis) ---------------------
def smart_router(user_input: str) -> str:
    s = (user_input or "").lower()
    payloadish = bool(re.search(r"(\.\./|%[0-9a-f]{2}|;|\||&&|\$\{|\bselect\b|\binsert\b|\bunion\b)", s))
    longish = len(s) > 300
    if payloadish or longish:
        return "log"
    return "qa"

# --------------------- Demo: 2 v√≠ d·ª• (QA + Log) ---------------------
if __name__ == "__main__":
    # Demo QA
    try:
        q = "So s√°nh XSS Reflected v·ªõi Stored, c√°ch ph√°t hi·ªán v√† rule Sigma m·∫´u?"
        print("\nüîé RAG-QA DEMO")
        qa = qa_answer(q, alpha=0.55, topk=6)
        print("\n--- QUESTION ---\n", q)
        print("\n--- ANSWER (markdown) ---\n", qa["answer_markdown"])
        print("\n--- SUBQUESTIONS ---\n", qa["subquestions"])
        print("\n--- SOURCES ---\n", qa["sources"])
    except Exception as e:
        print("‚ö†Ô∏è QA demo l·ªói:", e)

    # Demo Log analysis (s·ª≠ d·ª•ng pipeline c≈©)
    try:
        demo_log = "GET /../../etc.conf HTTP/1.1\nHost: victim\nUser-Agent: test\n"
        print("\n\nüîé LOG-ANALYZE DEMO")
        out = analyze_log(demo_log, alpha=0.60)
        print("\n=== BEST ===\n", json.dumps(out["best"], ensure_ascii=False, indent=2))
        print("\n=== ALL HYPOTHESES ===")
        for r in out["results"]:
            print("-", r.get("hypothesis"), "->", r.get("attack"), "| conf=", r.get("confidence"))
    except Exception as e:
        print("‚ö†Ô∏è Log analyze demo l·ªói:", e)

# ================================================================================================


INFO:sentence_transformers.SentenceTransformer:Use pytorch device_name: cpu
INFO:sentence_transformers.SentenceTransformer:Load pretrained SentenceTransformer: sentence-transformers/all-MiniLM-L6-v2


‚úÖ ChatGroq client initialized.
‚úÖ Chroma loaded: D:\MCPLLM\test\chroma_sec_db | vectors: 3561
‚ÑπÔ∏è BM25 corpus from anchors: 923 docs
‚úÖ BM25 ready on 923 docs

üîé RAG-QA DEMO


INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"



--- QUESTION ---
 So s√°nh XSS Reflected v·ªõi Stored, c√°ch ph√°t hi·ªán v√† rule Sigma m·∫´u?

--- ANSWER (markdown) ---
 XSS Reflected v√† Stored l√† hai lo·∫°i t·∫•n c√¥ng Cross-Site Scripting (XSS) kh√°c nhau:

- **XSS Reflected**: L√† lo·∫°i t·∫•n c√¥ng x·∫£y ra khi ·ª©ng d·ª•ng web nh·∫≠n d·ªØ li·ªáu t·ª´ ng∆∞·ªùi d√πng v√† ph·∫£n √°nh l·∫°i tr√™n trang web m√† kh√¥ng ki·ªÉm tra ho·∫∑c l·ªçc d·ªØ li·ªáu. ƒêi·ªÅu n√†y cho ph√©p k·∫ª t·∫•n c√¥ng ti√™m m√£ ƒë·ªôc v√†o trang web th√¥ng qua c√°c y√™u c·∫ßu HTTP. V√≠ d·ª•, n·∫øu m·ªôt trang web c√≥ m·ªôt bi·ªÉu m·∫´u t√¨m ki·∫øm v√† kh√¥ng ki·ªÉm tra d·ªØ li·ªáu nh·∫≠p v√†o, k·∫ª t·∫•n c√¥ng c√≥ th·ªÉ ti√™m m√£ ƒë·ªôc v√†o tr∆∞·ªùng t√¨m ki·∫øm v√† khi ng∆∞·ªùi d√πng nh·∫•p v√†o li√™n k·∫øt, m√£ ƒë·ªôc s·∫Ω ƒë∆∞·ª£c th·ª±c thi.

- **XSS Stored**: L√† lo·∫°i t·∫•n c√¥ng x·∫£y ra khi d·ªØ li·ªáu t·ª´ ng∆∞·ªùi d√πng ƒë∆∞·ª£c l∆∞u tr·ªØ tr√™n m√°y ch·ªß v√† sau ƒë√≥ ƒë∆∞·ª£c hi·ªÉn th·ªã tr√™n trang web m√† kh√¥ng ƒë∆∞·ª£c ki·ªÉm tra ho·

INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"



=== BEST ===
 {
  "attack": "Path Traversal",
  "mitre": "T1083",
  "confidence": 0.8,
  "rationale": "Y√™u c·∫ßu GET ƒë·∫øn ƒë∆∞·ªùng d·∫´n /../../etc.conf cho th·∫•y m·ªôt n·ªó l·ª±c ƒë·ªÉ truy c·∫≠p file h·ªá th·ªëng b·∫±ng c√°ch s·ª≠ d·ª•ng traversal directory, li√™n quan ƒë·∫øn kh√°m ph√° v√† truy c·∫≠p file tr√™n h·ªá th·ªëng m·ª•c ti√™u.",
  "sources": [
    "https://attack.mitre.org/techniques/T1083"
  ],
  "hypothesis": "Path Traversal",
  "hyp_mitre": "T1005",
  "asked": [
    "C√≥ d·∫•u hi·ªáu truy c·∫≠p file h·ªá th·ªëng kh√¥ng?",
    "Li·ªáu y√™u c·∫ßu GET c√≥ th·ªÉ truy c·∫≠p ƒë∆∞·ª£c file ngo√†i th∆∞ m·ª•c g·ªëc kh√¥ng?",
    "C√≥ l·ªói n√†o li√™n quan ƒë·∫øn vi·ªác ki·ªÉm so√°t ƒë∆∞·ªùng d·∫´n kh√¥ng?"
  ],
  "top_sources": [
    "D:\\MCPLLM\\test\\cheatsheets\\DotNet_Security_Cheat_Sheet.md",
    "D:\\MCPLLM\\test\\cheatsheets\\Denial_of_Service_Cheat_Sheet.md",
    "D:\\MCPLLM\\test\\cheatsheets\\Input_Validation_Cheat_Sheet.md",
    "D:\\MCPLLM\\test\\cheatsheets\\P

In [None]:
# --------------------- Generate Splunk Rule (Saved Search) from question/log ---------------------
SYSTEM_SPLUNK_RULE = """B·∫°n l√† SOC engineer + Splunk expert.
Nhi·ªám v·ª•: d·ª±a tr√™n CONTEXT (ƒëo·∫°n KB ƒë√£ truy h·ªìi) v√† INPUT (c√≥ th·ªÉ l√† m·ªôt EVENT log ho·∫∑c c√¢u h·ªèi k·ªπ thu·∫≠t),
h√£y sinh m·ªôt Splunk savedsearch / detection rule g·ªìm:
- title: ng·∫Øn g·ªçn
- description: 1-2 c√¢u (g·ªìm rationale & ƒëi·ªÅu ki·ªán ph√°t hi·ªán)
- spl: c√¢u l·ªánh SPL (ƒë√£ test logic, kh√¥ng d√†i qu√° 5 d√≤ng; d√πng rex, search, stats, transaction, where, eval, mvexpand khi c·∫ßn)
- condition_examples: 2 v√≠ d·ª• payload/log m·∫´u kh·ªõp rule
- severity: one of ["low","medium","high","critical"]
- mitre: list of MITRE ATT&CK ids (n·∫øu c√≥)
- schedule: cron-like ho·∫∑c interval ("*/5 * * * *" or "every 5m")
- alert_actions: list (v√≠ d·ª•: ["email","notable","webhook","runbook"])
- tags: short list of tags (e.g., ["web","sqli","input-validation"])
- detection_notes: ng·∫Øn g·ªçn c√°c false-positive possible & tuning suggestions

Tr·∫£ v·ªÅ **m·ªôt JSON** h·ª£p l·ªá v·ªõi nh·ªØng field tr√™n. Ch·ªâ tr·∫£ JSON, KH√îNG gi·∫£i th√≠ch th√™m.
"""

def generate_splunk_rule(input_text: str, alpha=0.60, topk=6):
    """
    Pipeline:
      1) t·∫°o sub-queries (d√πng llm_json nh∆∞ PLAN) -> retrieve evidence
      2) build context -> g·ªçi llm_json v·ªõi SYSTEM_SPLUNK_RULE -> parse JSON -> tr·∫£ v·ªÅ dict
    """
    # 1) S·ª≠ d·ª•ng plan ƒë·ªÉ l·∫•y subquestions (t√°i d√πng SYSTEM_PLAN n·∫øu mu·ªën)
    try:
        plan = llm_json(llm, SYSTEM_PLAN, f"QUESTION (for rule generation):\n{input_text}")
        subqs = plan.get("subquestions", [])[:6]
    except Exception:
        subqs = [input_text]

    # 2) Retrieve evidence
    evid = retrieve_evidence_for_questions(subqs, topk=topk, alpha=alpha)
    ctx_blocks = []
    for e in evid[:12]:
        meta = e.get("meta") or {}
        url = meta.get("source_url") or meta.get("source") or ""
        title = meta.get("title") or meta.get("cheatsheet_name") or ""
        head = (e.get("text") or "")[:800]
        ctx_blocks.append(f"SOURCE: {title or url}\nURL: {url}\n{head}")
    context = "\n\n---\n\n".join(ctx_blocks)

    # 3) Ask LLM to generate Splunk rule JSON
    llm_input = f"CONTEXT:\n{context}\n\nINPUT:\n{input_text}\n\nPlease produce the JSON as requested."
    try:
        rule_json = llm_json(llm, SYSTEM_SPLUNK_RULE, llm_input, max_retries=2)
    except Exception as e:
        raise RuntimeError("LLM kh√¥ng tr·∫£ JSON rule h·ª£p l·ªá: " + str(e))

    # 4) Basic validation / normalize fields
    # Ensure required keys exist and have defaults
    keys_defaults = {
        "title": "Generated Splunk Rule",
        "description": "",
        "spl": "",
        "condition_examples": [],
        "severity": "medium",
        "mitre": [],
        "schedule": "every 5m",
        "alert_actions": [],
        "tags": [],
        "detection_notes": ""
    }
    for k, dv in keys_defaults.items():
        if k not in rule_json:
            rule_json[k] = dv

    # optional: attach top evidence urls
    top_urls = []
    for e in evid[:6]:
        m = e.get("meta") or {}
        u = m.get("source_url") or m.get("source") or ""
        if u and u not in top_urls:
            top_urls.append(u)
    rule_json.setdefault("evidence_urls", top_urls)

    return rule_json

# --------------------- Example usage ---------------------
if __name__ == "__main__" and llm is not None:
    # Example: mu·ªën rule ph√°t hi·ªán SQLi basic tr√™n webapp
    try:
        inp = "Detect simple SQL injection attempts in web URI and POST params (payloads like \"' OR '1'='1\" , union select, sleep(5), benchmark)."
        print("\nüîß Generating Splunk savedsearch for SQLi...")
        spl_rule = generate_splunk_rule(inp, alpha=0.55, topk=8)
        print("\n--- RULE JSON ---")
        print(json.dumps(spl_rule, ensure_ascii=False, indent=2))
    except Exception as e:
        print("‚ö†Ô∏è L·ªói khi sinh Splunk rule:", e)



üîß Generating Splunk savedsearch for SQLi...


INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"
INFO:httpx:HTTP Request: POST https://api.groq.com/openai/v1/chat/completions "HTTP/1.1 200 OK"



--- RULE JSON ---
{
  "title": "Simple SQL Injection Detection",
  "description": "Detects simple SQL injection attempts in web URI and POST params. This rule looks for common SQL injection payloads like ' OR '1'='1, union select, sleep(5), and benchmark.",
  "spl": "search (index=web_logs \"' OR '1'='1\" OR \"union select\" OR \"sleep(5)\" OR \"benchmark\") | stats count as num_events by src_ip, uri_path, user_agent",
  "condition_examples": [
    "http://example.com/user?id=' OR '1'='1",
    "http://example.com/user?id=1 union select * from users"
  ],
  "severity": "high",
  "mitre": [
    "T1190"
  ],
  "schedule": "*/5 * * * *",
  "alert_actions": [
    "email",
    "notable",
    "webhook"
  ],
  "tags": [
    "web",
    "sqli",
    "input-validation"
  ],
  "detection_notes": "This rule may generate false positives if the application uses SQL-like syntax in its URI or POST params. Tuning suggestions: adjust the search query to exclude known false positives, and consider adding 