feat(ttp): rich ThreatActor STIX extensions via CustomExtension + CustomObject

- stix_custom.py: DecnetActorFingerprintExt (@CustomExtension) wrapping network_behavior (os_guess/hop_distance/tcp_fingerprint/timing_stats/ phase_sequence/behavior_class/beacon fields/tool_guesses) and protocol_fingerprints (ja3_hashes/hassh_hashes/kex_order_raw/ ssh_client_banners/tls_cert_sha256/payload_simhashes/c2_endpoints). XDecnetBehaveProfile (@CustomObject x-decnet-behave-profile) carrying full BEHAVE-SHELL observation envelopes + kd_digraph_simhash. FINGERPRINT_EXT_DEF singleton extension-definition SDO. - Drop legacy flat x_decnet_ja3_hashes / x_decnet_hassh_hashes / x_decnet_c2_endpoints (pre-v1, no consumers). - stix_export: _threat_actor() wired to behavior + observations; build_attacker_bundle/build_fleet_bundle grow observations parameter. - Repo: list_observations_by_attacker + get_all_observations_for_export abstract + sqlmodel impl; all four export endpoints extended. - 18 new tests; inter-DECNET round-trip (stix2.parse → typed objects) is the primary fidelity assertion.
2026-05-09 08:52:19 -04:00
parent 1200ac9132
commit 97c99a4e03
16 changed files with 745 additions and 15 deletions
--- a/decnet/web/db/repository.py
+++ b/decnet/web/db/repository.py
@@ -365,6 +365,35 @@ class BaseRepository(ABC):
        """
        raise NotImplementedError

+    @abstractmethod
+    async def list_observations_by_attacker(
+        self, attacker_uuid: str,
+    ) -> list[dict[str, Any]]:
+        """All BEHAVE-SHELL observations for *attacker_uuid*, ordered by
+        ``window_end_ts`` ASC, shaped as BEHAVE envelope dicts.
+
+        Each dict carries: ``primitive``, ``value``, ``confidence``,
+        ``window`` (``{start_ts, end_ts}``), ``source``, ``evidence_ref``,
+        and (when present) ``identity_ref``.
+
+        Empty list when the attacker has no observations. Used by the STIX
+        export to populate ``XDecnetBehaveProfile.observations``.
+        """
+        raise NotImplementedError
+
+    @abstractmethod
+    async def get_all_observations_for_export(
+        self,
+    ) -> dict[str, list[dict[str, Any]]]:
+        """Return ``{attacker_uuid: [observation_envelope, ...]}`` for all
+        attackers that have BEHAVE observations.
+
+        Used by the fleet STIX export to attach per-attacker observation
+        streams without N+1 queries. Same envelope shape as
+        ``list_observations_by_attacker``.
+        """
+        raise NotImplementedError
+
    async def upsert_observed_attachment(
        self,
        *,
--- a/decnet/web/db/sqlmodel_repo/observations.py
+++ b/decnet/web/db/sqlmodel_repo/observations.py
@@ -29,6 +29,21 @@ from decnet.web.db.models import Attacker, ObservationRow
 from decnet.web.db.sqlmodel_repo._helpers import _MixinBase


+def _to_envelope(row: "ObservationRow") -> dict:
+    """Map an ObservationRow to a BEHAVE envelope dict for STIX export."""
+    d: dict = {
+        "primitive": row.primitive,
+        "value": row.value,
+        "confidence": row.confidence,
+        "window": {"start_ts": row.window_start_ts, "end_ts": row.window_end_ts},
+        "source": row.source,
+        "evidence_ref": row.evidence_ref,
+    }
+    if row.identity_ref is not None:
+        d["identity_ref"] = row.identity_ref
+    return d
+
+
 class ObservationsMixin(_MixinBase):
    """Mixin: methods composed onto :class:`SQLModelRepository`."""

@@ -209,6 +224,36 @@ class ObservationsMixin(_MixinBase):
            )
            return (await session.execute(stmt)).scalar_one_or_none() is not None

+    async def list_observations_by_attacker(
+        self, attacker_uuid: str,
+    ) -> list[dict[str, Any]]:
+        """All observations for *attacker_uuid*, ordered by ``window_end_ts``
+        ASC, shaped as BEHAVE envelope dicts.
+        """
+        async with self._session() as session:
+            stmt = (
+                select(ObservationRow)
+                .where(ObservationRow.attacker_uuid == attacker_uuid)
+                .order_by(ObservationRow.window_end_ts)
+            )
+            rows = (await session.execute(stmt)).scalars().all()
+            return [_to_envelope(row) for row in rows]
+
+    async def get_all_observations_for_export(
+        self,
+    ) -> dict[str, list[dict[str, Any]]]:
+        """Return ``{attacker_uuid: [envelope, ...]}`` for all attackers."""
+        async with self._session() as session:
+            stmt = (
+                select(ObservationRow)
+                .order_by(ObservationRow.attacker_uuid, ObservationRow.window_end_ts)
+            )
+            rows = (await session.execute(stmt)).scalars().all()
+            result: dict[str, list[dict[str, Any]]] = {}
+            for row in rows:
+                result.setdefault(row.attacker_uuid, []).append(_to_envelope(row))
+            return result
+
    # Order desc(ts) reserved as the most-recent-first listing if a
    # paginated UI surface lands later. Not exposed today; named here
    # so a future grep finds the canonical desc-ts pattern.
--- a/decnet/web/router/attackers/api_export_attacker_misp.py
+++ b/decnet/web/router/attackers/api_export_attacker_misp.py
@@ -65,6 +65,7 @@ async def api_export_attacker_misp(
        repo.get_attacker_artifacts(uuid),
        repo.list_smtp_targets(uuid),
        repo.list_attacker_commands_deduped(uuid),
+        repo.list_observations_by_attacker(uuid),
    )
    behavior = cast(dict[str, Any] | None, results[0])
    identity = cast(dict[str, Any] | None, results[1])
@@ -74,6 +75,7 @@ async def api_export_attacker_misp(
    artifacts = cast(list[dict[str, Any]], results[5])
    smtp_targets = cast(list[dict[str, Any]], results[6])
    commands = cast(list[str], results[7])
+    observations = cast(list[dict[str, Any]], results[8])

    event = build_attacker_misp_event(
        attacker=attacker,
@@ -88,6 +90,7 @@ async def api_export_attacker_misp(
        artifacts=artifacts,
        smtp_targets=smtp_targets,
        commands=commands,
+        observations=observations,
    )
    return Response(
        content=json.dumps(event, default=str),
--- a/decnet/web/router/attackers/api_export_attacker_stix.py
+++ b/decnet/web/router/attackers/api_export_attacker_stix.py
@@ -69,6 +69,7 @@ async def api_export_attacker_stix(
        repo.get_attacker_artifacts(uuid),
        repo.list_smtp_targets(uuid),
        repo.list_attacker_commands_deduped(uuid),
+        repo.list_observations_by_attacker(uuid),
    )
    behavior = cast(dict[str, Any] | None, results[0])
    identity = cast(dict[str, Any] | None, results[1])
@@ -78,6 +79,7 @@ async def api_export_attacker_stix(
    artifacts = cast(list[dict[str, Any]], results[5])
    smtp_targets = cast(list[dict[str, Any]], results[6])
    commands = cast(list[str], results[7])
+    observations = cast(list[dict[str, Any]], results[8])

    bundle = build_attacker_bundle(
        attacker=attacker,
@@ -92,6 +94,7 @@ async def api_export_attacker_stix(
        artifacts=artifacts,
        smtp_targets=smtp_targets,
        commands=commands,
+        observations=observations,
    )
    return Response(
        content=bundle.serialize(pretty=True, indent=2),
--- a/decnet/web/router/attackers/api_export_attackers_misp.py
+++ b/decnet/web/router/attackers/api_export_attackers_misp.py
@@ -43,13 +43,15 @@ async def api_export_attackers_misp(
    user: dict[str, Any] = Depends(require_viewer),
 ) -> Response:
    """Download a MISP collection JSON covering every observed attacker."""
-    rows, ttp_by_attacker = await asyncio.gather(
+    rows, ttp_by_attacker, obs_by_attacker = await asyncio.gather(
        repo.get_all_attackers_for_export(),
        repo.get_all_ttp_rollups_for_export(),
+        repo.get_all_observations_for_export(),
    )
    collection = build_fleet_misp_collection(
        rows=rows,
        ttp_by_attacker=ttp_by_attacker,
+        observations_by_attacker=obs_by_attacker,
    )
    ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    return Response(
--- a/decnet/web/router/attackers/api_export_attackers_stix.py
+++ b/decnet/web/router/attackers/api_export_attackers_stix.py
@@ -42,8 +42,12 @@ async def api_export_attackers_stix(
    user: dict[str, Any] = Depends(require_viewer),
 ) -> Response:
    """Download a STIX 2.1 bundle covering every observed attacker."""
-    rows, ttp_by_attacker = await _gather_fleet_data()
-    bundle = build_fleet_bundle(rows=rows, ttp_by_attacker=ttp_by_attacker)
+    rows, ttp_by_attacker, obs_by_attacker = await _gather_fleet_data()
+    bundle = build_fleet_bundle(
+        rows=rows,
+        ttp_by_attacker=ttp_by_attacker,
+        observations_by_attacker=obs_by_attacker,
+    )
    ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    return Response(
        content=bundle.serialize(pretty=True, indent=2),
@@ -56,10 +60,15 @@ async def api_export_attackers_stix(
    )


-async def _gather_fleet_data() -> tuple[list[dict[str, Any]], dict[str, list[dict[str, Any]]]]:
+async def _gather_fleet_data() -> tuple[
+    list[dict[str, Any]],
+    dict[str, list[dict[str, Any]]],
+    dict[str, list[dict[str, Any]]],
+]:
    import asyncio
-    rows, ttp_by_attacker = await asyncio.gather(
+    rows, ttp_by_attacker, obs_by_attacker = await asyncio.gather(
        repo.get_all_attackers_for_export(),
        repo.get_all_ttp_rollups_for_export(),
+        repo.get_all_observations_for_export(),
    )
-    return rows, ttp_by_attacker
+    return rows, ttp_by_attacker, obs_by_attacker