fix(ttp/stix): add Sighting SRO per process execution to link commands to threat-actor

2026-05-09 07:47:44 -04:00
parent d6a091be75
commit 8990d9321d
2 changed files with 20 additions and 5 deletions
--- a/tests/web/test_api_export_attacker_stix.py
+++ b/tests/web/test_api_export_attacker_stix.py
@@ -245,6 +245,11 @@ async def test_commands_emit_process_scos():
    assert len(processes) == 2
    cmd_lines = {p["command_line"] for p in processes}
    assert cmd_lines == {"whoami", "cat /etc/passwd"}
+    # Each unique command emits a Sighting back to the threat-actor (no TTP tags here)
+    sightings = [o for o in objs if o["type"] == "sighting"]
+    assert len(sightings) == 2
+    ta_id = next(o["id"] for o in objs if o["type"] == "threat-actor")
+    assert all(s["sighting_of_ref"] == ta_id for s in sightings)


@pytest.mark.asyncio