fix(ttp/stix): extract commands from both 'command' and 'command_text' keys

2026-05-09 07:43:44 -04:00
parent e548be3c49
commit d6a091be75
2 changed files with 3 additions and 3 deletions
--- a/decnet/ttp/stix_export.py
+++ b/decnet/ttp/stix_export.py
@@ -323,9 +323,9 @@ def build_fleet_bundle(
            except Exception:
                raw_cmds = []
        cmds = [
-            str(e.get("command_text", "")).strip()
+            str(e.get("command_text") or e.get("command") or "").strip()
            for e in raw_cmds
-            if isinstance(e, dict) and e.get("command_text")
+            if isinstance(e, dict) and (e.get("command_text") or e.get("command"))
        ]

        intel = row.get("threat_intel")
--- a/decnet/web/db/sqlmodel_repo/attackers/activity.py
+++ b/decnet/web/db/sqlmodel_repo/attackers/activity.py
@@ -53,7 +53,7 @@ class AttackerActivityMixin(_MixinBase):
            seen: set[str] = set()
            out: list[str] = []
            for entry in commands:
-                text = str(entry.get("command_text", "")).strip()
+                text = str(entry.get("command_text") or entry.get("command") or "").strip()
                if text and text not in seen:
                    seen.add(text)
                    out.append(text)