
[Sentinel-incident] Authentication problem - Error 401 after several iterations #3325

Open
Lhorus6 opened this issue Jan 21, 2025 · 0 comments
Labels: bug (use for describing something not working as expected); filigran support [optional] (use to identify an issue related to feature developed & maintained by Filigran).

Comments

@Lhorus6 (Contributor) commented Jan 21, 2025

Description

When using the Sentinel Incident connector, it works on its first iteration (successfully retrieved data), then stops working on subsequent iterations (error 401).

First iteration, here are the observed logs:

{ "timestamp": "2025-01-20T15:41:08.239290Z", "level": "ERROR", "name": "Sentinel Incidents", "message": "This observable value is not a valid IPv4 address: ", "exc_info": "NoneType: None", "taskName": null, "attributes": { "value": "2a00:23c8:9c2f:7a00:4469:e08b:df70:c3d8" } }

Then

{ "timestamp": "2025-01-20T15:44:22.967558Z", "level": "ERROR", "name": "Sentinel Incidents", "message": "No values for required properties for Directory: (path).", "exc_info": "Traceback (most recent call last):\n File \"/opt/opencti-connector-sentinel-incidents/sentinel_incidents_connector/connector.py\", line 326, in process_message\n stix_objects = self._extract_intelligence(incident)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/opt/opencti-connector-sentinel-incidents/sentinel_incidents_connector/connector.py\", line 210, in _extract_intelligence\n self.converter_to_stix.create_evidence_directory(file)\n File \"/opt/opencti-connector-sentinel-incidents/sentinel_incidents_connector/converter_to_stix.py\", line 313, in create_evidence_directory\n stix_directory = stix2.Directory(\n ^^^^^^^^^^^^^^^^\n File \"/usr/local/lib/python3.12/site-packages/stix2/v21/base.py\", line 15, in __init__\n super(_Observable, self).__init__(**kwargs)\n File \"/usr/local/lib/python3.12/site-packages/stix2/base.py\", line 381, in __init__\n super(_Observable, self).__init__(**kwargs)\n File \"/usr/local/lib/python3.12/site-packages/stix2/base.py\", line 215, in __init__\n raise MissingPropertiesError(cls, missing_kwargs)\nstix2.exceptions.MissingPropertiesError: No values for required properties for Directory: (path).", "taskName": null }

Second iteration, here are the observed logs:

{ "timestamp": "2025-01-20T16:14:42.006790Z", "level": "ERROR", "name": "Sentinel Incidents", "message": "No values for required properties for Directory: (path).", "exc_info": "Traceback (most recent call last):\n File \"/opt/opencti-connector-sentinel-incidents/sentinel_incidents_connector/connector.py\", line 326, in process_message\n stix_objects = self._extract_intelligence(incident)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/opt/opencti-connector-sentinel-incidents/sentinel_incidents_connector/connector.py\", line 210, in _extract_intelligence\n self.converter_to_stix.create_evidence_directory(file)\n File \"/opt/opencti-connector-sentinel-incidents/sentinel_incidents_connector/converter_to_stix.py\", line 313, in create_evidence_directory\n stix_directory = stix2.Directory(\n ^^^^^^^^^^^^^^^^\n File \"/usr/local/lib/python3.12/site-packages/stix2/v21/base.py\", line 15, in __init__\n super(_Observable, self).__init__(**kwargs)\n File \"/usr/local/lib/python3.12/site-packages/stix2/base.py\", line 381, in __init__\n super(_Observable, self).__init__(**kwargs)\n File \"/usr/local/lib/python3.12/site-packages/stix2/base.py\", line 215, in __init__\n raise MissingPropertiesError(cls, missing_kwargs)\nstix2.exceptions.MissingPropertiesError: No values for required properties for Directory: (path).", "taskName": null }

From the third iteration onwards, all following iterations raise these logs:

{ "timestamp": "2025-01-20T16:44:42.409694Z", "level": "ERROR", "name": "Sentinel Incidents", "message": "A http error occurred during incident recovery", "exc_info": "Traceback (most recent call last):\n File \"/opt/opencti-connector-sentinel-incidents/sentinel_incidents_connector/client_api.py\", line 93, in pagination_incidents\n response.raise_for_status()\n File \"/usr/local/lib/python3.12/site-packages/requests/models.py\", line 1024, in raise_for_status\n raise HTTPError(http_error_msg, response=self)\nrequests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://graph.microsoft.com/v1.0/security/incidents?%24expand=alerts&%24filter=lastUpdateDateTime+ge+2025-01-20T10%3A34%3A05%2B00%3A00", "taskName": null, "attributes": { "url": "https://graph.microsoft.com/v1.0/security/incidents?%24expand=alerts&%24filter=lastUpdateDateTime+ge+2025-01-20T10%3A34%3A05%2B00%3A00", "http_error": "401 Client Error: Unauthorized for url: https://graph.microsoft.com/v1.0/security/incidents?%24expand=alerts&%24filter=lastUpdateDateTime+ge+2025-01-20T10%3A34%3A05%2B00%3A00" } }

Environment

OCTI 6.4.8

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Deploy a Sentinel-Incident connector with this configuration:

     CONNECTOR_TYPE: EXTERNAL_IMPORT
     CONNECTOR_NAME: Sentinel Incidents
     CONNECTOR_SCOPE: sentinel
     CONNECTOR_LOG_LEVEL: error
     CONNECTOR_DURATION_PERIOD: PT30M
     SENTINEL_INCIDENTS_TENANT_ID: ChangeMe
     SENTINEL_INCIDENTS_WORKSPACE_ID: ChangeMe
     SENTINEL_INCIDENTS_CLIENT_ID: ChangeMe
     SENTINEL_INCIDENTS_CLIENT_SECRET: ChangeMe
     SENTINEL_INCIDENTS_TARGET_PRODUCT: "Azure Sentinel"
     SENTINEL_INCIDENTS_LOGIN_URL: https://login.microsoft.com
     SENTINEL_INCIDENTS_API_BASE_URL: https://graph.microsoft.com
     SENTINEL_INCIDENTS_INCIDENT_PATH: /v1.0/security/incidents

  2. Wait for several iterations.

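The three error kinds in the report can be told apart from the connector's JSON log format alone. As an added example (not code from the connector or from this issue), here is a triage helper run over constructed log records modelled on the ones above; it also encodes an assumed retry policy per HTTP status, treating a 401 as "acquire a fresh bearer token before retrying" rather than as a transient failure.

```python
import ipaddress
import json
import re

# Constructed sample records modelled on the three error kinds in the report.
SAMPLE_LOGS = [
    json.dumps({"level": "ERROR", "name": "Sentinel Incidents",
                "message": "This observable value is not a valid IPv4 address: ",
                "attributes": {"value": "2a00:23c8:9c2f:7a00:4469:e08b:df70:c3d8"}}),
    json.dumps({"level": "ERROR", "name": "Sentinel Incidents", "attributes": None,
                "message": "No values for required properties for Directory: (path)."}),
    json.dumps({"level": "ERROR", "name": "Sentinel Incidents",
                "message": "A http error occurred during incident recovery",
                "attributes": {"http_error": "401 Client Error: Unauthorized for url: "
                               "https://graph.microsoft.com/v1.0/security/incidents"}}),
]

def http_status(record):
    """Status code at the start of the record's http_error attribute, else None."""
    err = (record.get("attributes") or {}).get("http_error", "")
    m = re.match(r"(\d{3}) ", err)
    return int(m.group(1)) if m else None

def reaction_for_status(status):
    """Retry policy (assumed, not the connector's): 401/403 mean the bearer token was
    rejected, so re-authenticate; 429/5xx are transient; other 4xx will not recover."""
    if status in (401, 403):
        return "reauthenticate"
    if status == 429 or 500 <= status < 600:
        return "backoff_and_retry"
    return "do_not_retry"

def classify(line):
    """Map one JSON log line to a (category, detail) pair."""
    rec = json.loads(line)
    msg = rec.get("message", "")
    attrs = rec.get("attributes") or {}
    status = http_status(rec)
    if status is not None:
        return ("http", reaction_for_status(status))
    if msg.startswith("This observable value is not a valid IPv4 address"):
        # The report's value is an IPv6 address; say which family it really belongs to.
        try:
            detail = "ipv%d" % ipaddress.ip_address(attrs.get("value", "")).version
        except ValueError:
            detail = "not_an_ip"
        return ("observable_type_mismatch", detail)
    if "required properties for Directory" in msg:
        return ("evidence_missing_path", "path")
    return ("other", msg)
```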
@Lhorus6 Lhorus6 added bug use for describing something not working as expected needs triage use to identify issue needing triage from Filigran Product team labels Jan 21, 2025
@helene-nguyen helene-nguyen self-assigned this Jan 22, 2025
@helene-nguyen helene-nguyen added filigran support [optional] use to identify an issue related to feature developed & maintained by Filigran. and removed needs triage use to identify issue needing triage from Filigran Product team labels Jan 22, 2025
@helene-nguyen helene-nguyen added this to the Bugs backlog milestone Jan 22, 2025
@Powlinett Powlinett assigned Powlinett and unassigned helene-nguyen Jan 22, 2025
No branches or pull requests
3 participants