[CrowdStrike] Add motivations and adversary type as labels on IntrusionSet #6115

@CTIBurn0ut

Description

Use case

When CrowdStrike actors are imported as IntrusionSet entities, the connector correctly maps motivations to STIX primary_motivation and secondary_motivations fields. However, these STIX properties are only visible in the entity detail view — they are not surfaced as OpenCTI labels.

Additionally, the CrowdStrike API provides an actor_type field (e.g. "Nation State", "eCrime", "Hacktivist") which is not mapped to any field in OpenCTI.

Users want both motivation values and adversary type surfaced as labels on IntrusionSet entities for:

  • Immediate visibility on entity cards in the UI
  • Platform-wide filtering across dashboards, investigations, and workbenches
  • Quick identification of actor classification without opening the detail view

Current Workaround

Users must manually open each IntrusionSet detail view to see the motivation STIX properties. There is no way to see adversary type at all — the field is completely ignored by the connector.

Manual label tagging is possible but does not scale with automated ingestion.

Proposed Solution

Add motivation values and adversary type as OpenCTI labels on IntrusionSet entities, in addition to the existing STIX motivation mapping.

Scope

Both ActorBundleBuilder and RelatedActorBundleBuilder should be updated:

  1. Motivations as labels: Extract values from the motivations field in the CrowdStrike actor data and pass them as labels to create_intrusion_set()
  2. Adversary type as label: Extract the actor_type field from the CrowdStrike actor data and pass it as a label to create_intrusion_set()

Example

For a CrowdStrike actor with:

  • motivations: ["Criminal", "Espionage"]
  • actor_type: "Nation State"

The resulting IntrusionSet should have:

  • primary_motivation: personal-gain (existing STIX mapping — unchanged)
  • secondary_motivations: ["organizational-gain"] (existing STIX mapping — unchanged)
  • labels: ["Criminal", "Espionage", "Nation State"] (new)

Implementation Reference

The labels parameter already exists on create_intrusion_set() but is currently unused by both builders. The change is additive — approximately 10-15 lines per builder.

Additional Information

  • The existing STIX motivation mapping (CS01_04 / _get_motivations()) should remain unchanged — labels are additive
  • The RelatedActorBundleBuilder uses raw CrowdStrike motivation values rather than STIX vocabulary — these raw values are appropriate for labels

Would you be willing to submit a PR?

Yes
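As an added illustration of the proposed mapping (this is example code written for this page, not the issue author's proposal text or the connector's own ActorBundleBuilder/RelatedActorBundleBuilder code), the snippet below derives the new labels from a CrowdStrike actor record while leaving the STIX motivation fields as they are. It assumes: the CrowdStrike-to-STIX motivation table covers only the two values in the issue's example; `create_intrusion_set()` is stood in for by a plain dict so the code runs without the OpenCTI or stix2 libraries; and motivation list items may be either plain strings or objects carrying a `value` key. It also covers two edge cases the issue does not spell out, an absent or blank `actor_type` and duplicate motivation values, so that neither a `None` label nor a repeated label reaches the IntrusionSet.

```python
"""Derive OpenCTI labels (plus the unchanged STIX motivation fields) from a
CrowdStrike actor record.

Hypothetical helper written for this issue page; it is not the connector's code.
Assumptions: the STIX motivation table covers only the two values from the
issue's example, and create_intrusion_set() is represented by a plain dict so
the snippet runs without the OpenCTI/stix2 libraries.
"""
from typing import Any, Dict, List

# Assumed subset of the connector's existing CrowdStrike -> STIX vocabulary
# mapping (CS01_04 / _get_motivations()); only these two pairs are known
# from the issue's example.
CS_TO_STIX_MOTIVATION = {
    "Criminal": "personal-gain",
    "Espionage": "organizational-gain",
}


def _raw_values(field: Any) -> List[str]:
    """Normalise a CrowdStrike list field to a list of non-empty strings.

    Assumption: items may be plain strings or objects carrying a "value" key;
    anything else (None, blank, unknown shape) is dropped rather than raising.
    """
    if not field:
        return []
    out: List[str] = []
    for item in field:
        if isinstance(item, dict):
            item = item.get("value")
        if isinstance(item, str) and item.strip():
            out.append(item.strip())
    return out


def stix_motivations(actor: Dict[str, Any]) -> Dict[str, Any]:
    """Existing behaviour, left unchanged: the first mapped motivation becomes
    primary_motivation, the remaining ones secondary_motivations."""
    mapped = [
        CS_TO_STIX_MOTIVATION[m]
        for m in _raw_values(actor.get("motivations"))
        if m in CS_TO_STIX_MOTIVATION
    ]
    return {
        "primary_motivation": mapped[0] if mapped else None,
        "secondary_motivations": mapped[1:],
    }


def actor_labels(actor: Dict[str, Any]) -> List[str]:
    """New, additive behaviour: raw motivation values plus actor_type as labels.

    Labels are de-duplicated with order preserved, and an absent or blank
    actor_type contributes nothing instead of a "None" label.
    """
    labels: List[str] = _raw_values(actor.get("motivations"))
    actor_type = actor.get("actor_type")
    if isinstance(actor_type, str) and actor_type.strip():
        labels.append(actor_type.strip())
    return list(dict.fromkeys(labels))


def create_intrusion_set(actor: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in (assumption) for the builders' create_intrusion_set() call:
    returns the properties the issue says the IntrusionSet should carry."""
    props: Dict[str, Any] = {"name": actor.get("name")}
    props.update(stix_motivations(actor))   # STIX fields: unchanged mapping
    props["labels"] = actor_labels(actor)    # labels: the additive change
    return props


# Constructed sample input mirroring the issue's example (not real API output).
SAMPLE_ACTOR = {
    "name": "sample-actor",
    "motivations": ["Criminal", "Espionage"],
    "actor_type": "Nation State",
}

if __name__ == "__main__":
    print(create_intrusion_set(SAMPLE_ACTOR))
```

Running it on the constructed sample yields `primary_motivation` of `personal-gain`, `secondary_motivations` of `["organizational-gain"]` and `labels` of `["Criminal", "Espionage", "Nation State"]`, matching the issue's example. The separation into `stix_motivations()` and `actor_labels()` mirrors the issue's point that the label change is additive: the STIX vocabulary mapping is never consulted when building labels, so raw CrowdStrike values (as RelatedActorBundleBuilder already uses) pass through untouched.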

Metadata

Labels: feature (use for describing a new feature to develop)