OpenCTI-Platform
Importing a stix sighting with observed data breaks aggregation
Please replace every line in curly brackets { like this } with an appropriate answer, and remove this line.
Description
If an stix2 sighting is imported by the python client and it contains "observed data refs" - it imports the sighting multiple times, one time for the actual SDO and the same sighting with the same ID for the observed data ref. This breaks the aggregation behaviour of Sightings in OpenCTI, resetting the counter to 1.
Environment
OpenCTI 6.7.3
Reproducible Steps
Steps to create the smallest reproducible scenario:
Import: { "id": "sighting--d2ac9be3-6a27-5d76-b253-f73676089453", "type": "sighting", "sighted_by_ref": "", "where_sighted_refs": ["identity--9f830bef-8ea3-434d-ac1e-ec900c066adc"], "count": 1, "sighting_of_ref": "indicator--11f5d634-263f-54d6-8896-a450af589c6d", "spec_version": "", "created_by_ref": "", "description": "", "summary": false, "first_seen": "2025-07-20T21:29:46.433Z", "last_seen": "2025-07-20T22:51:46.923Z", "observed_data_refs": ["observed-data--307d5421-7504-55c2-a6fb-57db9359e725"] }
Expected Output
Sighting sighting--d2ac9be3-6a27-5d76-b253-f73676089453 is imported one time for the indicator--11f5d634-263f-54d6-8896-a450af589c6d
Actual Output
sighting--d2ac9be3-6a27-5d76-b253-f73676089453 is imported twice - fromId of the indicator and observed_data_refs
Additional information
This is the location of the code causing this: https://github.com/OpenCTI-Platform/client-python/blob/456034255753d2ca19205f32057548c8159db860/pycti/utils/opencti_stix2.py#L2732
Suggestion: Do not import the sighting additionally with the observed data refs.
