Harfanglab incidents: propagate sighting qualification changes to existing OpenCTI sightings

[Copilot]

Sighting qualification updates from Harfanglab (e.g., changing an alert to false_positive) were not reflected in OpenCTI, leaving sightings stuck as true positive. The connector was sending bundles without update semantics, so existing sighting data was not being overwritten.

• What changed

  • Enabled bundle updates in the Harfanglab incidents connector by passing update=True to send_stix2_bundle(...).
  • Kept ingestion behavior unchanged otherwise (same bundle content and cleanup behavior), with only update propagation added.

• Regression coverage

  • Added a focused connector test asserting process_message() calls send_stix2_bundle with update=True, preventing regressions in sighting update behavior.

• Key code change

  self.helper.send_stix2_bundle(
      stix_bundle,
      work_id=work_id,
      update=True,
      cleanup_inconsistent_bundle=True,
  )