CROWDSTRIKE_CREATE_OBSERVABLES=false was correctly applied to indicator-derived observables but not to IOC observables extracted from report text, causing unexpected observable creation. This change aligns all CrowdStrike observable creation paths with the same config flag.

• Behavior fix: gate report IOC observables behind create_observables

  • Updated ReportImporter._extract_iocs_from_report to short-circuit when observable creation is disabled.
  • This prevents creation of extracted ipv4-addr, domain-name, file observables when users explicitly disable observables.

• Targeted coverage for enabled/disabled paths

  • Added focused tests in tests/ioc_extraction/test_report_ioc_extraction.py to verify:
    • no observables are produced when create_observables=False
    • IOC extraction still produces expected observable types when create_observables=True

• Docs/config clarity

  • Updated CrowdStrike connector docs to explicitly state that CROWDSTRIKE_CREATE_OBSERVABLES controls both:
    • indicator-derived observables
    • report IOC extraction observables (CROWDSTRIKE_REPORT_EXTRACT_IOCS)

def _extract_iocs_from_report(self, report) -> list[_Observable]:
    if not self.indicator_config.get("create_observables", True):
        return []
    ...