Sentinel Connector not setting indicator expiry date #2092
Labels: bug, filigran support, needs more info, solved
Description
The sentinel connector can be utilized to ingest IOCs into Microsoft Sentinel & Microsoft Defender for Endpoint via the Graph API. The expiry date of the indicators is specified in the connector configuration (e.g. expire after 30 days); however, this is not being set on the indicators when they are created.
Environment
Reproducible Steps
Expected Output
Ideally, the expiry that was set on the indicator should be synced through. The sentinel connector configuration sets an age on it, which is configurable (set to 30 days).
Actual Output
The age is set to 24 hours after the IoC was created. This is the default configuration when no expiry is set, I believe.
Additional information
In the script which runs (https://github.com/OpenCTI-Platform/connectors/blob/master/stream/sentinel/src/sentinel.py), line 255 is responsible for setting this date; I believe it should be "expirationDateTime" and not "expiration_datetime".
When other indicator types are created (email & file), they use the correct property name (lines 277 & 304).
More information on this API is here: https://learn.microsoft.com/en-us/graph/api/tiindicators-post?view=graph-rest-beta&tabs=http#request
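The following is an added example illustrating the property-name mismatch described in this issue; it is not the OpenCTI connector's own code. It builds a Graph `tiIndicators` payload with `expirationDateTime` computed from a configurable expiry in days, and includes a small validation step that would have flagged a snake_case key such as `expiration_datetime` before the request was sent. The helper names (`build_indicator_payload`, `check_payload`, `graph_timestamp`, `DEFAULT_EXPIRE_DAYS`) and the constructed sample IOC are assumptions; the property names follow the Graph beta tiIndicators documentation linked above.

```python
"""Build and sanity-check a Microsoft Graph tiIndicator payload so that the
indicator expiry is actually set (added example, not the connector's code).
Property names follow the Graph beta tiIndicators docs; helper names and the
sample IOC below are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

# Assumed default mirroring the connector setting described in the issue (30 days).
DEFAULT_EXPIRE_DAYS = 30

# Subset of properties the Graph tiIndicators resource accepts (camelCase, from the docs).
KNOWN_PROPERTIES = {
    "action", "description", "expirationDateTime", "targetProduct", "threatType",
    "tlpLevel", "networkDestinationIPv4", "networkDestinationIPv6", "domainName",
    "url", "fileHashType", "fileHashValue", "emailSenderAddress", "externalId",
    "tags", "severity", "confidence", "isActive",
}

# Assumed mapping from a simple IOC type label to the Graph observable property.
OBSERVABLE_PROPERTY = {
    "ipv4": "networkDestinationIPv4",
    "domain": "domainName",
    "url": "url",
    "email": "emailSenderAddress",
}


def graph_timestamp(dt: datetime) -> str:
    """Render a datetime as the UTC ISO 8601 form Graph expects (trailing 'Z')."""
    if dt.tzinfo is None:
        raise ValueError("expiry must be timezone-aware to avoid local-time drift")
    utc = dt.astimezone(timezone.utc).replace(microsecond=0)
    return utc.isoformat().replace("+00:00", "Z")


def build_indicator_payload(ioc_type: str, value: str, *, expire_days: int = DEFAULT_EXPIRE_DAYS,
                            now: datetime = None, use_buggy_key: bool = False) -> dict:
    """Return a tiIndicator body. use_buggy_key=True reproduces the snake_case
    key from the issue so the validator below can be seen catching it."""
    now = now or datetime.now(timezone.utc)
    expiry = graph_timestamp(now + timedelta(days=expire_days))
    payload = {
        "action": "alert",
        "targetProduct": "Azure Sentinel",
        "threatType": "WatchList",
        "tlpLevel": "amber",
        "description": f"OpenCTI indicator ({ioc_type})",
        OBSERVABLE_PROPERTY[ioc_type]: value,
    }
    # The bug in the issue: a snake_case key Graph does not know, so the
    # service falls back to its own default expiry instead of ours.
    payload["expiration_datetime" if use_buggy_key else "expirationDateTime"] = expiry
    return payload


def check_payload(payload: dict, *, now: datetime = None) -> list:
    """Return a list of problems; an empty list means the payload is sane."""
    now = now or datetime.now(timezone.utc)
    problems = []
    unknown = sorted(k for k in payload if k not in KNOWN_PROPERTIES)
    if unknown:
        problems.append(f"unknown properties (check casing): {unknown}")
    expiry = payload.get("expirationDateTime")
    if expiry is None:
        problems.append("expirationDateTime missing: service default expiry will apply")
    else:
        # fromisoformat on older Pythons does not accept 'Z', so normalise first.
        when = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if when <= now:
            problems.append("expirationDateTime is not in the future")
    for required in ("action", "targetProduct", "threatType"):
        if required not in payload:
            problems.append(f"required property missing: {required}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a documentation-range address, not a real IOC.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    good = build_indicator_payload("ipv4", "203.0.113.10", expire_days=30, now=t0)
    bad = build_indicator_payload("ipv4", "203.0.113.10", expire_days=30, now=t0, use_buggy_key=True)
    print("fixed key  ->", check_payload(good, now=t0))
    print("buggy key  ->", check_payload(bad, now=t0))
```

Running the check in the connector's test suite before each `POST /security/tiIndicators` call catches the class of bug in this issue (a property Graph does not recognise, so its default expiry silently applies) without needing a live tenant.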