
Stream-Sentinel-Intel Connector Not Deleting Indicators from Defender #3177

Open
nick-pete opened this issue Dec 20, 2024 · 0 comments
Labels
bug use for describing something not working as expected filigran support [optional] use to identify an issue related to feature developed & maintained by Filigran. regression

Comments

@nick-pete

Description

The Stream Sentinel Intel connector has been deployed in our dev environment and can successfully create indicators within our MDE tenant; however, when records are removed from the stream and a corresponding 'delete' event is observed being sent to the connector, no corresponding deletion occurs on the MDE tenant.

The functions responsible for deleting indicators begin by pulling a list of indicators within the MDE tenant, looking for indicators with an externalID field matching the OpenCTI ID of the indicator to be deleted. I don't think that this externalID is being passed when indicators are added. I have pulled our list of indicators added to the platform through this connector, and they do not have an externalID.

Environment

  1. OS (where OpenCTI server runs): AWS Fargate Linux
  2. OpenCTI version: 6.4.4
  3. OpenCTI client: frontend
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Add Connector, configure to connect to an MDE tenant
  2. Create Stream
  3. Add Indicator to Stream
  4. Confirm Indicator is Added to MDE tenant
  5. Delete Indicator from Stream
  6. Confirm Indicator is(n't) deleted from MDE tenant

Expected Output

Expect the indicator to be deleted.

Actual Output

Indicator remains in MDE, likely because no externalID is associated with the indicator to allow the delete operation to proceed.

Additional information

Screenshots (optional)
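To make the failure mode in this report concrete, here is an added example (not the connector's code and not Microsoft's API): an in-memory stand-in for the tenant's indicator list, the create step written once without and once with `externalId`, and the list-then-match-then-delete logic the report describes. The field names follow the MDE indicators API (`indicatorValue`, `indicatorType`, `action`, `title`, `externalId`), but `FakeMdeIndicatorStore`, the helper names and the `indicator--...` IDs are constructed for the example. It also includes an audit helper that does what the reporter did by hand: list indicators that were submitted without an `externalId`, since those are the ones a later delete event can never match.

```python
"""Constructed model of the create/delete flow from the issue (example code only)."""
from typing import Dict, List


class FakeMdeIndicatorStore:
    """Test double for the tenant's indicator list; not the real MDE API."""

    def __init__(self) -> None:
        self._next_id = 1
        self._indicators: List[Dict] = []

    def submit(self, body: Dict) -> Dict:
        # MDE assigns its own id; the caller's externalId is only kept if it was sent.
        record = dict(body, id=str(self._next_id))
        self._next_id += 1
        self._indicators.append(record)
        return record

    def list_indicators(self) -> List[Dict]:
        return [dict(i) for i in self._indicators]

    def delete(self, mde_id: str) -> bool:
        before = len(self._indicators)
        self._indicators = [i for i in self._indicators if i["id"] != mde_id]
        return len(self._indicators) < before


def create_without_external_id(store: FakeMdeIndicatorStore, opencti_id: str,
                               value: str, ioc_type: str = "DomainName") -> Dict:
    """The behaviour reported in the issue: the OpenCTI ID is not carried over."""
    return store.submit({
        "indicatorValue": value,
        "indicatorType": ioc_type,
        "action": "Alert",
        "title": f"OpenCTI {opencti_id}",
    })


def create_with_external_id(store: FakeMdeIndicatorStore, opencti_id: str,
                            value: str, ioc_type: str = "DomainName") -> Dict:
    """Same submission, but the OpenCTI ID is stored as externalId so it can be matched later."""
    return store.submit({
        "indicatorValue": value,
        "indicatorType": ioc_type,
        "action": "Alert",
        "title": f"OpenCTI {opencti_id}",
        "externalId": opencti_id,
    })


def delete_by_opencti_id(store: FakeMdeIndicatorStore, opencti_id: str) -> bool:
    """Mirrors the delete path described in the issue: list, match on externalId, delete.

    Returns False when nothing matched, which is exactly the silent no-op the
    reporter observed for indicators created without an externalId.
    """
    matches = [i for i in store.list_indicators() if i.get("externalId") == opencti_id]
    if not matches:
        return False
    for match in matches:
        store.delete(match["id"])
    return True


def audit_missing_external_id(store: FakeMdeIndicatorStore) -> List[str]:
    """Return MDE ids of indicators that no delete event will ever be able to match."""
    return [i["id"] for i in store.list_indicators() if not i.get("externalId")]


def demo() -> Dict:
    """Run both create variants through the same delete logic and report the outcome."""
    store = FakeMdeIndicatorStore()
    # Constructed OpenCTI ids and values for the example.
    create_without_external_id(store, "indicator--aaaa", "bad.example")
    create_with_external_id(store, "indicator--bbbb", "worse.example")
    orphaned = audit_missing_external_id(store)
    return {
        "orphaned_before_delete": orphaned,
        "missing_external_id_deleted": delete_by_opencti_id(store, "indicator--aaaa"),
        "with_external_id_deleted": delete_by_opencti_id(store, "indicator--bbbb"),
        "remaining": [i["indicatorValue"] for i in store.list_indicators()],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the report describes: the indicator created with `externalId` is removed, the one created without it survives the delete event, and `audit_missing_external_id` flags it beforehand. Against a real tenant, the same audit (list indicators, filter on an empty `externalId`) is the quickest way to confirm whether an existing deployment is affected.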

@nick-pete nick-pete added bug use for describing something not working as expected needs triage use to identify issue needing triage from Filigran Product team labels Dec 20, 2024
@romain-filigran romain-filigran added filigran support [optional] use to identify an issue related to feature developed & maintained by Filigran. regression and removed needs triage use to identify issue needing triage from Filigran Product team labels Dec 23, 2024
No branches or pull requests

2 participants