[CrowdStrike-Endpoint-Security] Updating action when deleting indicator on OpenCTI #3167
Labels
feature
use for describing a new feature to develop
needs triage
use to identify issue needing triage from Filigran Product team
Comments
al0rd25l
added
feature
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Use case
Stop detecting matches on an indicator in CrowdStrike when it has been deleted on OpenCTI.
Current Workaround
When
CROWDSTRIKE_PERMANENT_DELETEis set toFalse, if an indicator is deleted (whether it is actually deleted or it just stops being seen by the stream), it is not removed from CrowdStrike. Instead, it is just labeled withTO_DELETE. And while you can update the action later, this approach is not practical since viewing these labels requires accessing each indicator individually.Proposed Solution
Add a function to update the
actionandmobile_actionfields fromdetecttono_actionfor a "deleted" indicator (pretty much similar to the_handle_labelsfunction).Additional Information
Perhaps, if to allow flexibility, it can be configured as an optional env variable
CROWDSTRIKE_UPDATE_ACTION.Not sure if you find it necessary to keep the label update with this approach (I personally don’t see the need for it).
Would you be willing to submit a PR?
Sure, I'm already running a custom version with a
_handle_actionfunction, I would just need to add the optional variable setting.The text was updated successfully, but these errors were encountered: