[Crowdstrike] Correct crowdstrike taxonomy #3532
Conversation
An alternative solution to this might be to completely remove this manual mapping, and allow OpenCTI admins to simply alias the vocabulary themselves in the platform. That would probably be more resilient to future changes on CrowdStrike's side.
Signed-off-by: GitHub <[email protected]>
177294b to a2caa32
Thank you @initstring for your contribution! :) Before merging:
Hi @Jipegien - thanks for the reply! I only observe CrowdStrike using the categories I mention. I will open a support case to confirm. However, I think it's worth considering completely removing this mapping. As we can see, it creates warnings when not working as expected and simply adds no motivation at all. Perhaps it is better to consume whatever motivation CrowdStrike provides, and then allow individual OpenCTI admins to use those as-is or to configure aliases that make sense to them? There's no guarantee CrowdStrike won't simply change this tomorrow, and this function will break again. Let me know what you think and I can re-do the PR. Either way, I'll see what support comes back with in terms of their taxonomy.
Further comments
CrowdStrike uses these three "motivations" today:
Those are the only categories available for sorting in their web UI.
To confirm, I did a bulk scan of actors on the CrowdStrike API, looking for all iterations of motivation that may be returned. Almost all actors use State-Sponsored, Criminal, or Hacktivism (this also matches their web UI query fields). There seems to be some legacy entries using defacement, so I included it as well.
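The thread weighs two designs: a fixed table that translates CrowdStrike's motivation labels into OpenCTI's vocabulary (which logs a warning and yields no motivation whenever CrowdStrike uses a label the table does not know), and passing CrowdStrike's labels through untouched so platform admins can alias them themselves. The Python below is an added illustration of both behaviours side by side; it is not the OpenCTI CrowdStrike connector's code. The known CrowdStrike labels are the four named in this PR description, the STIX 2.1 attack-motivation values they are mapped to are an assumption made for the example, and the sample actor motivations are constructed input.

```python
# Added example for this PR discussion; not the OpenCTI CrowdStrike connector's code.
import logging
from dataclasses import dataclass, field

log = logging.getLogger("crowdstrike-motivation-example")

# Motivation labels the PR author observed in CrowdStrike's API and web UI:
# the three current categories plus legacy "defacement" entries.
KNOWN_CROWDSTRIKE_MOTIVATIONS = {"state-sponsored", "criminal", "hacktivism", "defacement"}

# ASSUMPTION: which STIX 2.1 attack-motivation-ov value each CrowdStrike
# category maps to. These targets are placeholders chosen for the example,
# not the connector's actual mapping.
STRICT_MAP = {
    "state-sponsored": "dominance",
    "criminal": "organizational-gain",
    "hacktivism": "ideology",
    "defacement": "notoriety",
}


def normalize(raw: str) -> str:
    """Fold case and separators so 'State Sponsored', 'state_sponsored' and
    'State-Sponsored' all compare equal against the table."""
    return "-".join(raw.strip().lower().replace("_", " ").replace("-", " ").split())


@dataclass
class MappingResult:
    motivations: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)


def map_motivations(raw_values, passthrough: bool = False) -> MappingResult:
    """Translate CrowdStrike motivation labels for an OpenCTI threat actor.

    passthrough=False is the strict behaviour the thread criticises: a label
    the table does not know is logged and dropped, so an upstream taxonomy
    change leaves the actor with no motivation at all.

    passthrough=True is the alternative proposed in the thread: unknown labels
    are kept verbatim so admins can alias them in the platform vocabulary
    instead of waiting for a connector release.
    """
    result = MappingResult()
    seen = set()
    for raw in raw_values:
        key = normalize(raw)
        if not key:
            continue
        if key in STRICT_MAP:
            value = STRICT_MAP[key]
        elif passthrough:
            value = raw.strip()  # keep CrowdStrike's own label for aliasing
        else:
            msg = f"unknown CrowdStrike motivation {raw!r}; dropping it"
            log.warning(msg)
            result.warnings.append(msg)
            continue
        if value not in seen:  # de-duplicate after normalisation
            seen.add(value)
            result.motivations.append(value)
    return result


# Constructed sample: an actor record carrying one known label twice in
# different spellings, plus a label the table has never seen.
SAMPLE_ACTOR_MOTIVATIONS = ["State-Sponsored", "state sponsored", "Espionage"]

if __name__ == "__main__":
    strict = map_motivations(SAMPLE_ACTOR_MOTIVATIONS)
    loose = map_motivations(SAMPLE_ACTOR_MOTIVATIONS, passthrough=True)
    print("strict:", strict.motivations, strict.warnings)
    print("passthrough:", loose.motivations, loose.warnings)
```

Running the sample shows the difference that matters operationally: in strict mode the unknown "Espionage" label produces a warning and is silently absent from the actor, while in passthrough mode it survives as a value an admin can alias to whatever OpenCTI vocabulary entry fits.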