
[crowdstrike] Remove tag-based malware guessing with dedicated malware field when importing reports #4718

@romain-filigran

Description


Use case

The CrowdStrike connector currently uses a bad approach to model malware in reports. In fact, it parses the tags field to "guess" malware names through the "report_guess_malware" option. This method continuously queries the OpenCTI platform to check if each tag corresponds to a known malware. This approach is ineffective and may omit information.

The CrowdStrike API now appears to provide a dedicated field for "malware" in report modeling.
We should:

  • Use the new "malware" field to model malware families mentioned in a report
  • Completely remove the "report_guess_malware" option and all associated code. No need to deprecate it.
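The two approaches contrasted in the issue, side by side, as an added example that is not the connector's own code and not taken from the CrowdStrike API documentation. The shape of the report dict (a `tags` list of strings and a `malware` list of `{"name": ...}` entries), the in-memory stand-in for the OpenCTI lookup, the sample report and the `uuid5`-based identifier scheme are all assumptions made for this example. It shows the failure mode the issue describes: tag guessing costs one platform query per tag and silently drops a family the platform does not know yet (Qakbot below), while the dedicated field yields every family with no queries at all.

```python
"""Added example (not the OpenCTI CrowdStrike connector's code).

Assumptions: the report dict shape, the platform stand-in, the sample data
and the id scheme below are constructed for illustration only.
"""
from __future__ import annotations

import uuid

# Constructed stand-in for "what the OpenCTI platform already knows".
# In the real connector this is a query per tag, not a set lookup.
KNOWN_MALWARE_IN_PLATFORM = {"Emotet", "TrickBot"}

# Constructed sample report. Qakbot appears only in the dedicated field,
# and the tag list also carries non-malware tags that would each cost a query.
SAMPLE_REPORT = {
    "id": 12345,
    "name": "Sample intel report (constructed)",
    "tags": ["ecrime", "Emotet", "TrickBot", "phishing"],
    "malware": [{"name": "Emotet"}, {"name": "TrickBot"}, {"name": "Qakbot"}],
}


def platform_knows_malware(name: str, platform=KNOWN_MALWARE_IN_PLATFORM) -> bool:
    """Stand-in for one OpenCTI round trip ("is this name a known malware?")."""
    return name in platform


def guess_malware_from_tags(report: dict, platform=KNOWN_MALWARE_IN_PLATFORM):
    """Old approach (report_guess_malware): treat every tag as a candidate
    malware name and ask the platform about each one.

    Returns (names_found, number_of_platform_lookups). A family that is not
    yet in the platform is never returned, even if the report names it.
    """
    found: list[str] = []
    lookups = 0
    for tag in report.get("tags", []):
        lookups += 1
        if platform_knows_malware(tag, platform):
            found.append(tag)
    return found, lookups


def malware_from_field(report: dict) -> list[str]:
    """New approach: read the dedicated malware field, no platform queries.

    Tolerates a missing or null field, blank names and duplicate entries.
    """
    names: list[str] = []
    for entry in report.get("malware") or []:
        name = (entry.get("name") or "").strip()
        if name and name not in names:
            names.append(name)
    return names


def stix_malware_id(name: str) -> str:
    """Deterministic STIX id so re-importing the same report de-duplicates.

    Example-only scheme (uuid5 over the lower-cased name); not OpenCTI's.
    """
    return "malware--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "malware:" + name.lower()))


def build_malware_objects(report: dict) -> list[dict]:
    """Model each family named in the report as a STIX 2.1 Malware object."""
    return [
        {
            "type": "malware",
            "spec_version": "2.1",
            "id": stix_malware_id(name),
            "name": name,
            "is_family": True,
        }
        for name in malware_from_field(report)
    ]


if __name__ == "__main__":
    guessed, lookups = guess_malware_from_tags(SAMPLE_REPORT)
    print(f"tag guessing: {guessed} after {lookups} platform lookups")
    print(f"malware field: {[o['name'] for o in build_malware_objects(SAMPLE_REPORT)]}")
```

On the sample report the tag-based path needs four lookups and still returns only Emotet and TrickBot; the field-based path returns all three families without touching the platform.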


Labels

  • connector: crowdstrike
  • feature (use for describing a new feature to develop)
  • solved (use to identify an issue that has been solved; must be linked to the solving PR)
