Conversation

@Kakudou Kakudou commented Nov 21, 2025

Proposed changes

As stated in issue #2003, we add a way to retrieve the malware families.

Tests have been added for that new feature.

Before:
No way to directly retrieve malware

After:
Screenshot 2025-11-18 175333
Screenshot 2025-11-18 175350
Screenshot 2025-11-18 175848

Related issues

Checklist

  • I consider the submitted work as finished
  • I have signed my commits using a GPG key.
  • I tested the code for its functionality using different use cases
  • I added/updated the relevant documentation (either on GitHub or on Notion)
  • Where necessary I refactored code to improve the overall quality

Further comments

@Kakudou Kakudou self-assigned this Nov 21, 2025
@Kakudou Kakudou added filigran team use to identify PR from the Filigran team connector: crowdstrike labels Nov 21, 2025
@Kakudou Kakudou linked an issue Nov 21, 2025 that may be closed by this pull request
@Kakudou Kakudou changed the base branch from feat/4649-crowdstrike-improve-connector-and-data-modeling to master December 2, 2025 09:43
@Kakudou Kakudou changed the base branch from master to feat/4649-crowdstrike-improve-connector-and-data-modeling December 2, 2025 09:43
"""Create the main Malware entity."""
description = self._get_description()
external_references = self._create_external_references()
capabilities = self._get_capabilities()

Can we comment out this part of the code for now, for two reasons:

  1. There seems to be a problem when parsing this field:
Image
  2. In my opinion, the "Crowdstrike" field does not correspond to our "capabilities" field but rather to the "malware_type" field.
    @CTIBurn0ut : What's your opinion?

created_by=self.author,
is_family=True,
description=description,
capabilities=capabilities,
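Review bot: `capabilities=capabilities` passes the CrowdStrike-derived list straight into the Malware constructor, but STIX 2.1 `capabilities` is the malware-capabilities-ov open vocabulary (terms such as `evades-av`, `exfiltrates-data`), and the comment above reports the source field is really a malware type. Suggest normalizing each value to the vocabulary spelling and dropping or logging anything outside it before it reaches the constructor, and routing type-like values to `malware_types` (malware-type-ov) instead of `capabilities`.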

As we have information about the "kill chain phases" associated with the malware in the CrowdStrike response, can we associate kill chain phases with the malware when creating it, like we do here: https://github.com/OpenCTI-Platform/connectors/blob/master/external-import/crowdstrike/src/crowdstrike_feeds_connector/indicator/builder.py#L468
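As an added example (not code from this PR or from the OpenCTI CrowdStrike connector), the mapping the two review comments above ask for: a CrowdStrike type-like value is routed to STIX 2.1 `malware_types` rather than `capabilities`, both lists are checked against the STIX open vocabularies so a type term does not leak into `capabilities`, and kill chain phases are attached at build time. The input field names (`malware_type`, `capabilities`, `kill_chains`) and the kill chain name `mitre-attack` are assumptions, not the real CrowdStrike API or the connector's own naming.

```python
"""Added example, not code from the OpenCTI CrowdStrike connector or this PR.

Maps a CrowdStrike-shaped malware record onto STIX 2.1 Malware fields:
type-like values go to `malware_types` (malware-type-ov), capability values
go to `capabilities` (malware-capabilities-ov), anything outside the
vocabularies is reported instead of emitted, and kill chain phases are
attached. Input field names are assumptions, not the real API.
"""
from typing import Any

# Subsets of the STIX 2.1 open vocabularies, enough for the example.
MALWARE_TYPE_OV = frozenset({
    "adware", "backdoor", "bot", "bootkit", "ddos", "downloader", "dropper",
    "exploit-kit", "keylogger", "ransomware", "remote-access-trojan",
    "resource-exploitation", "rogue-security-software", "rootkit",
    "screen-capture", "spyware", "trojan", "virus", "webshell", "wiper",
    "worm", "unknown",
})
MALWARE_CAPABILITIES_OV = frozenset({
    "accesses-remote-machines", "anti-debugging", "anti-disassembly",
    "anti-emulation", "anti-memory-forensics", "anti-sandbox", "anti-vm",
    "captures-input-peripherals", "captures-output-peripherals",
    "captures-system-state-data", "cleans-traces-of-infection",
    "commits-fraud", "communicates-with-c2", "compromises-data-availability",
    "compromises-data-integrity", "compromises-system-availability",
    "controls-local-machine", "degrades-security-software",
    "degrades-system-updates", "determines-c2-server", "emails-spam",
    "escalates-privileges", "evades-av", "exfiltrates-data",
    "fingerprints-host", "hides-artifacts", "hides-executing-code",
    "infects-files", "infects-remote-machines", "installs-other-components",
    "persists-after-system-reboot", "prevents-artifact-access",
    "prevents-artifact-deletion", "probes-network-environment",
    "self-modifies", "steals-authentication-credentials",
    "violates-system-operational-integrity",
})
KILL_CHAIN_NAME = "mitre-attack"  # assumption: kill chain name used for the phases


def normalize(value: str) -> str:
    """Turn 'Remote Access Trojan' into the vocabulary spelling 'remote-access-trojan'."""
    return value.strip().lower().replace("_", "-").replace(" ", "-")


def pick_vocab(values: list[str], vocab: frozenset[str], field: str,
               warnings: list[str]) -> list[str]:
    """Keep only terms present in the open vocabulary; report the rest as
    '<field>: <term>' so a mis-mapped source field is visible, not silently emitted."""
    kept: list[str] = []
    for raw in values:
        term = normalize(raw)
        if term in vocab:
            kept.append(term)
        else:
            warnings.append(f"{field}: {term}")
    return kept


def build_malware(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Build a STIX 2.1 Malware dict from a CrowdStrike-shaped record.

    Returns the object and a list of vocabulary warnings for the caller to log."""
    warnings: list[str] = []
    stix: dict[str, Any] = {
        "type": "malware",
        "spec_version": "2.1",
        "name": record["name"],
        "is_family": True,  # the PR imports malware families, so every object is a family
    }
    if record.get("description"):
        stix["description"] = record["description"]

    # Review point 1: the CrowdStrike type-like field maps to malware_types.
    # STIX requires malware_types, so fall back to "unknown" when nothing maps.
    types = pick_vocab(record.get("malware_type", []), MALWARE_TYPE_OV,
                       "malware_types", warnings)
    stix["malware_types"] = types or ["unknown"]

    # Only genuine capability terms go into `capabilities`; a type term such as
    # "ransomware" placed here is rejected and reported.
    caps = pick_vocab(record.get("capabilities", []), MALWARE_CAPABILITIES_OV,
                      "capabilities", warnings)
    if caps:
        stix["capabilities"] = caps

    # Review point 2: attach kill chain phases carried by the record.
    phases = [{"kill_chain_name": KILL_CHAIN_NAME, "phase_name": normalize(p)}
              for p in record.get("kill_chains", [])]
    if phases:
        stix["kill_chain_phases"] = phases
    return stix, warnings


# Constructed sample shaped like a CrowdStrike malware entry (field names assumed).
SAMPLE_RECORD: dict[str, Any] = {
    "name": "ExampleFamily",
    "description": "Constructed sample family used for the example.",
    "malware_type": ["Ransomware", "Remote Access Trojan", "Stealer"],
    "capabilities": ["Evades AV", "Exfiltrates Data", "Ransomware"],
    "kill_chains": ["Initial Access", "Exfiltration"],
}

if __name__ == "__main__":
    obj, warns = build_malware(SAMPLE_RECORD)
    print(obj)
    print("unmapped:", warns)
```

Running the sample shows "stealer" dropped from `malware_types` (not in malware-type-ov) and "ransomware" dropped from `capabilities`, which is exactly the mismatch the review flags: a type value only validates when it is sent to `malware_types`.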

Development

Successfully merging this pull request may close these issues.

[crowdstrike] Add function to import malware families

3 participants