From 4a2bb8791a112d5e61efc1cc3e62f548aea7f08a Mon Sep 17 00:00:00 2001
From: PakitoSec
Date: Sat, 14 Mar 2026 18:29:45 +0100
Subject: [PATCH] feat: update version to 5.3.2 and add io_load_threat_intel_draft method for loading ThreatIntel from API reports
---
 docs/getting-started/concepts.md | 25 +++++++++++++++++++++++--
 js/packages/cyvest-app/package.json | 2 +-
 js/packages/cyvest-js/package.json | 2 +-
 js/packages/cyvest-vis/package.json | 2 +-
 pyproject.toml | 2 +-
 src/cyvest/__init__.py | 2 +-
 src/cyvest/cyvest.py | 2 +-
 uv.lock | 2 +-
 8 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/docs/getting-started/concepts.md b/docs/getting-started/concepts.md
index 57210b6..c6adbb1 100644
--- a/docs/getting-started/concepts.md
+++ b/docs/getting-started/concepts.md
@@ -133,9 +133,30 @@ obs.with_ti_draft(draft) Drafts are plain `ThreatIntel` objects without an `observable_key`; the key is generated on attach. -### Tags +To load a draft from an external API response dict (e.g. a SOAR/TIP report), use `io_load_threat_intel_draft`: + +```python +report = {"source": "virustotal", "score": 4.256, "level": "SUSPICIOUS"} +ti = Cyvest.io_load_threat_intel_draft(report) +obs.with_ti_draft(ti) +``` + +An optional `preprocessor` callback lets you normalise source-specific data before validation: -**Tags** organize checks with automatic hierarchy based on `:` delimiter: +```python +def misp_warning_list_preprocessor(data: dict) -> dict: + extra = data.get("extra") + task_name = str(extra.get("task_name", "")) if isinstance(extra, dict) else "" + warning_list_tasks = {"MISP.analyzer.DBWarningList", "MISP.analyzer.SearchWarningList"} + if task_name in warning_list_tasks and data.get("level") not in ("INFO", "SAFE"): + data["level"] = "SAFE" + data["score"] = 0.0 + return data + +ti = Cyvest.io_load_threat_intel_draft(report, preprocessor=misp_warning_list_preprocessor) +``` + +### Tags - Group related checks together - Create logical investigation sections - Auto-create ancestor tags (e.g., `header:auth:dkim` creates `header` and `header:auth`) diff --git a/js/packages/cyvest-app/package.json b/js/packages/cyvest-app/package.json index f1bffda..a069567 100644 --- a/js/packages/cyvest-app/package.json +++ b/js/packages/cyvest-app/package.json @@ -1,6 +1,6 @@ { "name": "@cyvest/cyvest-app", - "version": "5.3.1", + "version": "5.3.2", "private": true, "scripts": { "dev": "vite", diff --git a/js/packages/cyvest-js/package.json b/js/packages/cyvest-js/package.json index 00410a4..430edea 100644 --- a/js/packages/cyvest-js/package.json +++ b/js/packages/cyvest-js/package.json @@ -1,6 +1,6 @@ { "name": "@cyvest/cyvest-js", - "version": "5.3.1", + "version": "5.3.2", "type": "module", "files": [ "dist" 
diff --git a/js/packages/cyvest-vis/package.json b/js/packages/cyvest-vis/package.json index 1a77fa1..397cf1b 100644 --- a/js/packages/cyvest-vis/package.json +++ b/js/packages/cyvest-vis/package.json @@ -1,6 +1,6 @@ { "name": "@cyvest/cyvest-vis", - "version": "5.3.1", + "version": "5.3.2", "type": "module", "files": [ "dist" diff --git a/pyproject.toml b/pyproject.toml index ce1f2c9..d537b41 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "cyvest" -version = "5.3.1" +version = "5.3.2" description = "Cybersecurity investigation model" readme = {file = "README.md", content-type = "text/markdown"} requires-python = ">=3.10" diff --git a/src/cyvest/__init__.py b/src/cyvest/__init__.py index 84a43c5..d19c0fa 100644 --- a/src/cyvest/__init__.py +++ b/src/cyvest/__init__.py @@ -21,7 +21,7 @@ from cyvest.model_enums import ObservableType, RelationshipDirection, RelationshipType from cyvest.proxies import CheckProxy, EnrichmentProxy, ObservableProxy, TagProxy, ThreatIntelProxy -__version__ = "5.3.1" +__version__ = "5.3.2" logger.disable("cyvest") diff --git a/src/cyvest/cyvest.py b/src/cyvest/cyvest.py index ec53f98..bfdb3ff 100644 --- a/src/cyvest/cyvest.py +++ b/src/cyvest/cyvest.py @@ -1063,8 +1063,8 @@ def io_load_dict(data: dict[str, Any]) -> Cyvest: """ return load_investigation_dict(data) + @staticmethod def io_load_threat_intel_draft( - self, report: dict[str, Any], *, preprocessor: Callable[[dict[str, Any]], dict[str, Any]] | None = None, diff --git a/uv.lock b/uv.lock index d464992..273412a 100644 --- a/uv.lock +++ b/uv.lock @@ -305,7 +305,7 @@ toml = [ [[package]] name = "cyvest" -version = "5.3.1" +version = "5.3.2" source = { editable = "." } dependencies = [ { name = "click" },
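Review bot: Nothing in the new `io_load_threat_intel_draft` signature in src/cyvest/cyvest.py says whether `report` is copied before the caller-supplied `preprocessor` runs on it. The example preprocessor documented in this same patch rewrites `level` and `score` in place. If the body, which continues outside the hunk, hands `report` straight to the callback, the caller's raw API response would be overwritten and the upstream verdict would no longer be available for audit. I would state the contract in the docstring, for example `preprocessor: called on a copy of report before validation; the caller's dict is never modified`, and have the body work on a copy if it does not already.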