Working through the BaseReport implementation on the engines and came across a divergence of naming for the Crowdstrike engine.
```python
def create_export_row(self, analysis_result: CrowdstrikeReport | None) -> dict:
    # No result from the engine: emit every column with a None value so the
    # export keeps the same shape whether or not Crowdstrike returned data.
    if not analysis_result:
        return {
            f"cs_{k}": None
            for k in [
                "device_count",
                "actor",
                "confidence",
                "threat_types",
                "malwares",
                "kill_chain",
                "vulns",
            ]
        }
    # Populated result: list-valued fields are flattened to comma-separated strings.
    return {
        "cs_device_count": analysis_result.device_count,
        "cs_actor": ", ".join(analysis_result.actors),
        "cs_confidence": analysis_result.malicious_confidence,
        "cs_threat_types": ", ".join(analysis_result.threat_types),
        "cs_malwares": ", ".join(analysis_result.malware_families),
        "cs_kill_chain": ", ".join(analysis_result.kill_chain),
        "cs_vulns": ", ".join(analysis_result.vulnerabilities),
    }
```
The key names for the two returned dictionaries do not match. I think leaving the cs_ prefix is probably preferable, since it may be included in other engines during the export. I don't think the export is used anywhere as an import, right?
I plan on keeping the cs_ prefix across all use cases. For clarity, when the export includes multiple engines, it would help identify the source of the data.
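As an added check (not code from the project or the poster), the following Python uses a constructed stand-in for CrowdstrikeReport to verify that the "no result" row and a populated row produce the same cs_-prefixed columns, and shows why the prefix matters once rows from several engines are merged into one export row; the merge helper and the stand-in dataclass are assumptions, not project code.

```python
from __future__ import annotations
from dataclasses import dataclass, field


# Constructed stand-in for the project's CrowdstrikeReport: only the fields that
# create_export_row reads are modelled here (assumption, not the real class).
@dataclass
class CrowdstrikeReport:
    device_count: int = 0
    actors: list[str] = field(default_factory=list)
    malicious_confidence: str = ""
    threat_types: list[str] = field(default_factory=list)
    malware_families: list[str] = field(default_factory=list)
    kill_chain: list[str] = field(default_factory=list)
    vulnerabilities: list[str] = field(default_factory=list)


CS_EXPORT_FIELDS = ("device_count", "actor", "confidence", "threat_types",
                    "malwares", "kill_chain", "vulns")


def create_export_row(analysis_result: CrowdstrikeReport | None) -> dict:
    """Same shape as the engine method, written as a free function so it can be tested."""
    if not analysis_result:
        return {f"cs_{k}": None for k in CS_EXPORT_FIELDS}
    return {
        "cs_device_count": analysis_result.device_count,
        "cs_actor": ", ".join(analysis_result.actors),
        "cs_confidence": analysis_result.malicious_confidence,
        "cs_threat_types": ", ".join(analysis_result.threat_types),
        "cs_malwares": ", ".join(analysis_result.malware_families),
        "cs_kill_chain": ", ".join(analysis_result.kill_chain),
        "cs_vulns": ", ".join(analysis_result.vulnerabilities),
    }


def export_columns_are_stable() -> bool:
    """True when the empty row and a populated row have identical keys in the same
    order, so a CSV export keeps its columns aligned across indicators."""
    empty = create_export_row(None)
    populated = create_export_row(CrowdstrikeReport(
        device_count=3, actors=["ACTOR-A"], malicious_confidence="high"))  # constructed
    return list(empty) == list(populated)


def merge_engine_rows(*rows: dict) -> dict:
    """Combine per-engine rows into one export row. Two engines using the same bare
    column name (e.g. 'confidence') would silently overwrite each other; a prefix
    such as cs_ keeps each engine's columns distinct."""
    merged: dict = {}
    for row in rows:
        clash = merged.keys() & row.keys()
        if clash:
            raise ValueError(f"column collision across engines: {sorted(clash)}")
        merged.update(row)
    return merged
```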