fix(ttp/stix): add Sighting SRO per process execution to link commands to threat-actor

decnet/ttp/stix_export.py

@@ -284,12 +284,22 @@ def build_attacker_bundle(
         seen_cmds.add(cmd_line)
         proc = stix2.Process(command_line=cmd_line, is_hidden=False)
         objs.append(proc)
+        proc_obs = stix2.ObservedData(
+            first_observed=fs or now,
+            last_observed=ls or now,
+            number_observed=1,
+            object_refs=[proc.id],
+            created_by_ref=org.id,
+        )
+        objs.append(proc_obs)
         objs.append(
-            stix2.ObservedData(
+            stix2.Sighting(
-                first_observed=fs or now,
+                sighting_of_ref=ta.id,
-                last_observed=ls or now,
+                first_seen=fs or now,
-                number_observed=1,
+                last_seen=ls or now,
-                object_refs=[proc.id],
+                count=1,
+                where_sighted_refs=[org.id],
+                observed_data_refs=[proc_obs.id],
                 created_by_ref=org.id,
             )
         )

tests/web/test_api_export_attacker_stix.py

@@ -245,6 +245,11 @@ async def test_commands_emit_process_scos():
     assert len(processes) == 2
     cmd_lines = {p["command_line"] for p in processes}
     assert cmd_lines == {"whoami", "cat /etc/passwd"}
+    # Each unique command emits a Sighting back to the threat-actor (no TTP tags here)
+    sightings = [o for o in objs if o["type"] == "sighting"]
+    assert len(sightings) == 2
+    ta_id = next(o["id"] for o in objs if o["type"] == "threat-actor")
+    assert all(s["sighting_of_ref"] == ta_id for s in sightings)
 
 
 @pytest.mark.asyncio