fix(ttp/stix): add Sighting SRO per process execution to link commands to threat-actor

2026-05-09 07:47:44 -04:00
parent d6a091be75
commit 8990d9321d
2 changed files with 20 additions and 5 deletions
--- a/decnet/ttp/stix_export.py
+++ b/decnet/ttp/stix_export.py
@@ -284,12 +284,22 @@ def build_attacker_bundle(
        seen_cmds.add(cmd_line)
        proc = stix2.Process(command_line=cmd_line, is_hidden=False)
        objs.append(proc)
+        proc_obs = stix2.ObservedData(
+            first_observed=fs or now,
+            last_observed=ls or now,
+            number_observed=1,
+            object_refs=[proc.id],
+            created_by_ref=org.id,
+        )
+        objs.append(proc_obs)
        objs.append(
-            stix2.ObservedData(
-                first_observed=fs or now,
-                last_observed=ls or now,
-                number_observed=1,
-                object_refs=[proc.id],
+            stix2.Sighting(
+                sighting_of_ref=ta.id,
+                first_seen=fs or now,
+                last_seen=ls or now,
+                count=1,
+                where_sighted_refs=[org.id],
+                observed_data_refs=[proc_obs.id],
                created_by_ref=org.id,
            )
        )