Description
The Sentinel connector can be utilized to ingest IOCs into Microsoft Sentinel & Microsoft Defender for Endpoint via the Graph API. The expiry date of the indicators is specified in the connector configuration (e.g. expire after 30 days); however, this is not being set on the indicators when they are created.
Environment
OS (where OpenCTI server runs): Ubuntu 22.04
OpenCTI version: 6.0.10
OpenCTI client: frontend
Other environment details: Sentinel Connector version 6.0.10 (also tested 5.12.32)
Reproducible Steps
Steps to create the smallest reproducible scenario:
Set up the Sentinel Connector using "TARGET_PRODUCT=Microsoft Defender ATP" & EXPIRE_TIME=30.
Create a new indicator with an expiry more than 1 day in the future. This should then be pushed through to Microsoft Defender ATP.
In the Defender for Endpoint portal, review the indicator and note that the expiry date is set to 24 hours from when it was created.
Expected Output
Ideally, the expiry that was set on the indicator should be synced through. The Sentinel connector configuration also applies a configurable age to it (set to 30 days).
Actual Output
The age is set to 24 hours after the IoC was created. This is the default configuration when no expiry is set I believe.
Additional information
In the script that runs (https://github.com/OpenCTI-Platform/connectors/blob/master/stream/sentinel/src/sentinel.py), line 255 is responsible for setting this date; I believe it should be "expirationDateTime" and not "expiration_datetime".
When other indicator types are created (email & file), they use the correct property name (lines 277 & 304).
More information on this API is here: https://learn.microsoft.com/en-us/graph/api/tiindicators-post?view=graph-rest-beta&tabs=http#request
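The payload construction the report describes, as an added example that is not the connector's own code: it builds a Graph tiIndicator body with the camelCase expirationDateTime key derived from EXPIRE_TIME, plus a check that would catch the snake_case regression in a unit test before anything is sent. The observable field mapping, the threatType/tlpLevel/description values, the fixed timestamp and treating EXPIRE_TIME as days are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Mirrors the EXPIRE_TIME=30 setting from the report; unit assumed to be days.
EXPIRE_TIME = 30

# Observable property names from the Graph tiIndicator resource (assumed mapping).
OBSERVABLE_FIELDS = {"ipv4": "networkIPv4", "domain": "domainName", "url": "url"}

# Constructed fixed timestamp so the example is deterministic.
SAMPLE_NOW = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

GRAPH_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_ti_indicator(kind, value, expire_days=EXPIRE_TIME, now=None):
    """Build a tiIndicators POST body whose expiry honours EXPIRE_TIME.

    Graph only reads the camelCase key "expirationDateTime"; the snake_case
    key the report found in sentinel.py is not a tiIndicator property, so
    the indicator was created with the default expiry instead.
    """
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(days=expire_days)
    return {
        "action": "alert",
        "targetProduct": "Microsoft Defender ATP",  # TARGET_PRODUCT from the report
        "threatType": "WatchList",                  # assumed value
        "tlpLevel": "amber",                        # assumed value
        "description": "Example indicator pushed from OpenCTI",
        "expirationDateTime": expires.strftime(GRAPH_TIME_FMT),
        OBSERVABLE_FIELDS[kind]: value,
    }


def check_expiry(body):
    """Return (expiry Graph will apply or None, list of misspelt expiry keys).

    A None expiry means Graph would fall back to its default; the second
    element names any key that looks like an expiry but is not the
    documented property, which is exactly the bug in the report.
    """
    if "expirationDateTime" not in body:
        wrong = [k for k in body if "expir" in k.lower()]
        return None, wrong
    # Parse to validate the format Graph expects (UTC, ISO 8601 with Z).
    datetime.strptime(body["expirationDateTime"], GRAPH_TIME_FMT)
    return body["expirationDateTime"], []
```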