@Powlinett Powlinett commented Dec 3, 2025

Proposed changes

  • automated code changes:
    • add settings.py
    • update connector.py
    • update main.py or __main__.py
    • add unit tests

Related issues

Checklist

  • I consider the submitted work as finished
  • I have signed my commits using GPG key.
  • I tested the code for its functionality using different use cases
  • I added/updated the relevant documentation (either on GitHub or on Notion)
  • Where necessary I refactored code to improve the overall quality

Further comments

The code needs to be reviewed by two people: one must fix any issue, the other one reviews the final commits.

@Powlinett Powlinett added filigran team, do not merge, connector: microsoft sentinel intel composer labels Dec 3, 2025
4. Default values
"""
if Path(settings_cls.model_config["yaml_file"] or "").is_file(): # type: ignore
if Path(settings_cls.model_config["yaml_file"] or "").is_file():

suggestion

Suggested change
if Path(settings_cls.model_config["yaml_file"] or "").is_file():
if Path(settings_cls.model_config.get("yaml_file", "")).is_file():
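Review bot: The replacement line drops the `or ""` guard that the original line had. `.get("yaml_file", "")` only falls back to `""` when the key is absent; if the key is present with the value `None`, which the original `or ""` suggests can happen, `Path(None)` raises `TypeError`. `Path(settings_cls.model_config.get("yaml_file") or "")` covers both the missing key and the `None` value.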

if Path(settings_cls.model_config["yaml_file"] or "").is_file():
return (YamlConfigSettingsSource(settings_cls),)
if Path(settings_cls.model_config["env_file"] or "").is_file(): # type: ignore
if Path(settings_cls.model_config["env_file"] or "").is_file():

suggestion

Suggested change
if Path(settings_cls.model_config["env_file"] or "").is_file():
if Path(settings_cls.model_config.get("env_file", "")).is_file():
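Review bot: On the `env_file` replacement line, the default passed to `.get()` is not used when `env_file` is set to `None`, so the `None` reaches `Path()` unguarded. Keeping the fallback outside the call, as in `Path(settings_cls.model_config.get("env_file") or "")`, preserves the behaviour of the line being replaced.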

@Powlinett Powlinett force-pushed the feat/4847-migrate-microsoft-sentinel-intel branch from 64f1d5d to ac06a00 Compare December 9, 2025 11:53
@throuxel throuxel assigned throuxel and unassigned throuxel Dec 23, 2025
@mariot mariot self-assigned this Dec 23, 2025
@mariot mariot force-pushed the feat/4847-migrate-microsoft-sentinel-intel branch 2 times, most recently from 3dbe9e1 to c46b46f Compare December 23, 2025 21:45
@mariot mariot removed the do not merge label Dec 24, 2025
@jabesq jabesq left a comment

See comments, I will push to fix them

)
scope: ListFromString = Field(
description="The scope of the stream connector.",
default="sentinel",
@jabesq jabesq Dec 30, 2025

issue: Change this to ["sentinel"], otherwise it creates an invalid JSON schema

In XTM Composer with "sentinel":

[Image]

In XTM Composer with ["sentinel"]:

[Image]

)
live_stream_id: str = Field(
description="The ID of the live stream to connect to.",
default="live", # listen the global stream (not filtered)

A stream ID must be explicitly set with appropriate filters.
Using "live" as the default is risky, as it would collect all events from every action on the OpenCTI platform.

Suggestion: remove default

description="Whether to listen for delete events in the live stream.",
default=True,
)
live_stream_no_dependencies: bool = Field(

suggestion: live_stream_no_dependencies and live_stream_listen_delete are already defined in BaseStreamConnectorConfig class => To be removed here

jabesq commented Dec 31, 2025

I still have an UnauthorizedAccess error when using this connector with the given credentials:

Code: UnauthorizedAccess\nMessage: The Object ID [REDACTED] does not have required permission to perform this action on the workspace [REDACTED]

@jabesq jabesq force-pushed the feat/4847-migrate-microsoft-sentinel-intel branch from f1d1155 to bb721af Compare January 5, 2026 08:57
@SamuelHassine SamuelHassine force-pushed the master branch 2 times, most recently from a35f198 to 34b8e57 Compare January 9, 2026 14:33
@jabesq jabesq force-pushed the feat/4847-migrate-microsoft-sentinel-intel branch from bb721af to f58fd59 Compare January 13, 2026 08:11
@helene-nguyen helene-nguyen left a comment

No permission issue anymore, discussed with @jabesq
All good to me :)

@jabesq jabesq merged commit decdefb into master Jan 13, 2026
6 checks passed
@jabesq jabesq deleted the feat/4847-migrate-microsoft-sentinel-intel branch January 13, 2026 08:17
Development

Successfully merging this pull request may close these issues.

[microsoft-sentinel-intel] Migrate connector to be connector manager supported

6 participants