OpenCTI-Platform / connectors

OpenCTI Connectors
https://www.opencti.io
Apache License 2.0

Microsoft Sentinel Stream Connector Issues #2341

Closed swaybs closed 2 months ago

swaybs commented 3 months ago

Prerequisites

Description

I am trying to set up the MS Sentinel Stream connector. My current setup is running internally on a RHEL 8 server running OpenCTI within docker. I can't seem to find any proper instructions on how to set this up besides parameters that need to be entered in the connector.

Environment

  1. OS : RHEL 8
  2. OpenCTI version: Latest version
  3. OpenCTI client: frontend
  4. Other environment details: N/A

Additional information

ERROR:

```text
Traceback (most recent call last):
  File "/opt/opencti-connector-sentinel/sentinel.py", line 458, in _process_message
    self._create_observable(data)
  File "/opt/opencti-connector-sentinel/sentinel.py", line 153, in _create_observable
    self._graph_api_authorization()
  File "/opt/opencti-connector-sentinel/sentinel.py", line 100, in _graph_api_authorization
    raise ValueError("[ERROR] Failed generating oauth token {" + str(e) + "}")
ValueError: [ERROR] Failed generating oauth token {'access_token'}
```

```yaml
connector-sentinel:
    image: opencti/connector-sentinel:6.1.6
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=**REDACTED**
      - CONNECTOR_LIVE_STREAM_ID=**REDACTED** # ID of the live stream created in the OpenCTI UI
      - CONNECTOR_LIVE_STREAM_LISTEN_DELETE=true
      - CONNECTOR_LIVE_STREAM_NO_DEPENDENCIES=true
      - "CONNECTOR_NAME=Microsoft Sentinel"
      - CONNECTOR_SCOPE=sentinel # MIME type or Stix Object - Not used
      - CONNECTOR_CONFIDENCE_LEVEL=60 # From 0 (Unknown) to 100 (Fully trusted)
      - CONNECTOR_LOG_LEVEL=error
      - TENANT_ID=**REDACTED** # Azure Tenant ID
      - WORKSPACE_ID=**REDACTED** # Sentinel Workspace ID (only for Azure Sentinel)
      - CLIENT_ID=ChangeMe # Azure App Client ID
      - CLIENT_SECRET=ChangeMe # Azure App Client Secret
      - "TARGET_PRODUCT=Azure Sentinel" # "Azure Sentinel" or "Microsoft Defender ATP"
      - LOGIN_URL=https://login.microsoft.com
      - RESOURCE_URL=https://graph.microsoft.com
      - REQUEST_URL=/beta/security/tiIndicators
      - INCIDENT_URL=/v1.0/security/incidents
      - SENTINEL_URL=https://sentinelus.azure-api.net
      - USE_NEW_SENTINEL_API=false # Use the new API, only supporting indicators and not supporting action (not supported yet)
      - CONFIDENCE_LEVEL=50 # Alerts equal to or higher than this will be blocked, Lower will be alerted, and 0 will be allowed
      - EXPIRE_TIME=30 # Number of days for IOC to expire in Sentinel
      - ACTION=alert # Optional: Setting this will override all alerts to be this action (unknown, allow, block, alert)
      - TLP_LEVEL=amber # Optional: This will override all TLP submitted to Sentinel. (unknown, white, green, amber, red)
      - PASSIVE_ONLY=true # Optional: Defaults to false.
      - IMPORT_INCIDENTS=true
    restart: always
    depends_on:
      - opencti
```

I see the CLIENT_ID and CLIENT_SECRET that need to be supplied, but I have no idea where I am supposed to generate those from.

Any help would be greatly appreciated! Thanks in advance.

symsal commented 3 months ago

You must have an account on Sentinel One.

swaybs commented 3 months ago

Are you saying I need an account with Sentinel One to use the Microsoft Sentinel stream connector? They are two different products.

mrrothe commented 3 months ago

You will need to create a new Entra ID app registration with the permissions to read/write ThreatIntelligenceIndicators and then create a new secret for it - this will give you the values that you need
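
An added diagnostic (not part of the connector or of this thread) that reproduces the client-credentials token request behind the connector's `_graph_api_authorization` step, using the TENANT_ID, CLIENT_ID, CLIENT_SECRET, LOGIN_URL and RESOURCE_URL variables from the compose file above, and reports the identity platform's `error`/`error_description` fields instead of the bare `'access_token'` KeyError in the traceback. The v2.0 token endpoint path and the `.default` scope are assumptions about what the connector calls, and the sample responses are constructed.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

def build_token_request(login_url, tenant_id, client_id, client_secret, resource_url):
    # Assumption: v2.0 client-credentials endpoint; the connector's own request may differ.
    url = f"{login_url.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource_url.rstrip('/')}/.default",
    }
    return url, body

def interpret_token_response(payload):
    """Return (ok, message). A reply without access_token is explained via the
    error/error_description fields instead of raising KeyError('access_token')."""
    if "access_token" in payload:
        return True, f"token acquired (expires_in={payload.get('expires_in')})"
    code = payload.get("error", "unknown_error")
    desc = payload.get("error_description", "no description returned")
    return False, f"{code}: {desc.splitlines()[0]}"

def request_token(url, body, timeout=10):
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # 400/401 replies still carry the JSON error body

# Constructed sample responses so the interpretation can be exercised offline.
SAMPLE_OK = {"token_type": "Bearer", "expires_in": 3599, "access_token": "<redacted>"}
SAMPLE_BAD_SECRET = {"error": "invalid_client", "error_description": "AADSTS7000215: Invalid client secret provided.\r\nTrace ID: constructed"}

if __name__ == "__main__":
    env = {k: os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")}
    if all(env.values()):  # live check, reusing the connector's own variable names
        url, body = build_token_request(os.environ.get("LOGIN_URL", "https://login.microsoftonline.com"),
            env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"], os.environ.get("RESOURCE_URL", "https://graph.microsoft.com"))
        print(interpret_token_response(request_token(url, body)))
    else:  # offline: run the interpretation over the constructed samples
        for sample in (SAMPLE_OK, SAMPLE_BAD_SECRET):
            print(interpret_token_response(sample))
```

Run it with the three variables exported from the compose file before starting the connector; a response such as `invalid_client: AADSTS7000215` points at the secret, which the connector's own error message does not reveal.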

romain-filigran commented 3 months ago

@swaybs Is your problem solved? FYI: I transferred the issue to the "connectors" project.

romain-filigran commented 2 months ago

@swaybs: any news?