[SentinelOne] - Adding a v2 connector which uses the GraphQL Alerts Endpoint#14615
Open
jlheard wants to merge 3 commits into
added 2 commits
July 2, 2026 12:12
Contributor
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a new SentinelOne V2 CCF connector using the UAM GraphQL alerts endpoint and updates packaging/parsing so both v1 and v2 data work together and multi-connector solutions package correctly.
Changes:
- Introduces SentinelOneV2_ccf connector assets (DCR, polling, connector definition, and table definitions) including SentinelOneAlertsV2_CL.
- Updates the SentinelOne parser to include the new V2 alerts branch and bumps solution version/release notes/UI definition.
- Fixes the packaging tool to ensure each CCF connector includes all tables referenced by its own DCR.
Reviewed changes
Copilot reviewed 15 out of 17 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1 | Adds guarded logic to include connector-specific referenced tables when multiple CCF connectors exist. |
| Solutions/SentinelOne/ReleaseNotes.md | Adds 3.1.0 entry documenting the new V2 connector. |
| Solutions/SentinelOne/Parsers/SentinelOne.yaml | Updates parser metadata and unions in the new V2 alerts view. |
| Solutions/SentinelOne/Package/createUiDefinition.json | Updates solution description counts and adds UI text blocks for the V2 connector. |
| Solutions/SentinelOne/Data/Solution_SentinelOne.json | Registers the V2 connector and bumps solution version to 3.1.0. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneThreats.json | Adds table definition for threats used by the V2 connector. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneGroups.json | Adds table definition for groups used by the V2 connector. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneAlertsV2.json | Adds table definition for new UAM alerts table SentinelOneAlertsV2_CL. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneAgents.json | Adds table definition for agents used by the V2 connector. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneActivities.json | Adds table definition for activities used by the V2 connector. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/PollingConfig.json | Defines polling for REST logs and GraphQL alerts ingestion. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/DCR.json | Adds DCR streams/dataFlows and transformations for V2 connector ingestion. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/ConnectorDefinition.json | Adds the connector definition/UI config for SentinelOne V2. |
| Solutions/SentinelOne/Data Connectors/README.md | Documents rationale, usage, and migration guidance for the V2 connector. |
| .script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlertsV2_CL.json | Adds KQL validation schema for the new V2 alerts custom table. |
| TotalAgents=column_ifexists('totalAgents_d', ''), | ||
| Type=column_ifexists('type_s', ''); | ||
| union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union | ||
| union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union,SentinelOneV2_Empty |
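Review bot: the new union member on the added line is named SentinelOneV2_Empty while its v1 counterpart is SentinelOneV1Empty_Union; align the naming (for example SentinelOneV2Empty_Union) and make sure the V2 branch projects the same column names and types as the v1 branch, because with `union isfuzzy=true` a column present in both branches with different types is emitted as separate type-suffixed columns rather than merged. The context lines above default `totalAgents_d` to `''` via column_ifexists, so the V2 branch should use identical defaults for the same output columns to keep the types consistent.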
| { | ||
| "type": "Microsoft.SecurityInsights/dataConnectors", | ||
| "apiVersion": "2022-10-01-preview", | ||
| "name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','SentinelOneActivities_CL' , uniqueString(parameters('managementUrl')) )]", |
| "properties": { | ||
| "auth": { | ||
| "type": "APIKey", | ||
| "ApiKey": "[[parameters('apitoken')]", |
| "ApiKeyIdentifier": "ApiToken" | ||
| }, | ||
| "request": { | ||
| "apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'activities')]", |
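Review bot: on the `"name"` line the workspace expression is wrapped in single quotes, `concat('parameters('workspace')', ...`, which makes it a (malformed) string literal instead of evaluating the parameter; compare the `apiEndpoint` line in the same hunk, which uses `concat(parameters('managementUrl'), ...)` unquoted. Suggest `"[[concat(parameters('workspace'), '/Microsoft.SecurityInsights/', 'SentinelOneActivities_CL', uniqueString(parameters('managementUrl')))]"`.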
Comment on lines +5 to +8
| "tags": { | ||
| "DataSource": "SentinelOneV2Connector", | ||
| "Category": "SecurityEvents" | ||
| }, |
Comment on lines +131 to +133
| "name": "ProcessArguments", | ||
| "type": "string", | ||
| "description": "The unique identifier for the malicious group." |
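Review bot: the description for the ProcessArguments column reads "The unique identifier for the malicious group.", which is the wording for a group id field and does not describe process arguments; replace it with a description of the field's actual content, for example "Command-line arguments of the process associated with the alert."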
Contributor
Hi @jlheard Kindly ensure all CCF files follow the naming convention: Thanks!
Change(s):
• Added a new SentinelOne V2 codeless (CCF) data connector to the existing SentinelOne solution, ingesting Unified Alert Management (UAM) alerts from the SentinelOne GraphQL API into a new SentinelOneAlertsV2_CL table (Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/ — ConnectorDefinition.json, DCR.json, PollingConfig.json, and 5 table definitions).
• Updated Solutions/SentinelOne/Parsers/SentinelOne.yaml to union the v1 and v2 alert tables so existing content works transparently across both connectors.
• Updated Solutions/SentinelOne/Data Connectors/README.md to document why the V2 connector was added (GraphQL/UAM alerts) and how to deploy/use it.
• Registered the second connector in Data/Solution_SentinelOne.json, added a ReleaseNotes.md entry, and regenerated the solution Package/ (mainTemplate.json, createUiDefinition.json, 3.1.0.zip) with a minor version bump (3.0.x → 3.1.0).
• Fixed Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1 (guarded, additive) so solutions containing more than one CCF connector correctly emit every table each connector's DCR references into that connector's own templateSpec.
Reason for Change(s):
• The SentinelOne solution now supports SentinelOne's newer GraphQL UAM Alerts endpoint via a dedicated V2 connector, alongside the existing REST connector.
• The packaging tool previously assumed one CCF connector per solution: it routed only each connector's primary table into its own templateSpec and dumped the remaining tables into the first connector only. A second multi-table connector was therefore shipped missing tables and failed at connect-time with InvalidPayload / InvalidOutputTable. The guarded fix makes every CCF connector self-sufficient and independently connectable. It is purely additive (no tables/resources removed) and only activates when a solution has >1 CCF connector, so single-connector solutions are byte-for-byte unchanged.
Version Updated:
• Yes — solution version bumped minor (3.1.0) because a new connector was added. (No Detections/Analytic Rule template changes in this PR.)
Testing Completed:
• Yes — The V2 connector was deployed end-to-end into a live Microsoft Sentinel workspace; the DCR and all 5 tables provisioned successfully and alerts ingested into SentinelOneAlertsV2_CL. The updated SentinelOne parser was validated to union v1 + v2 tables. The packaging-tool fix was validated by regenerating the solution and confirming connect succeeds, then regression-tested across 6 solutions (Auth0, GitHub, Cortex XDR, Zscaler, BitSight, SentinelOne): single-connector solutions and Zscaler were byte-identical to baseline, and the two multi-connector solutions changed only in additive workspaces/tables resources (0 lines removed).
Checked that the validations are passing and have addressed any issues that are present:
• 👍
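A packaging sanity check for the multi-connector failure the PR description explains, as an added example that is not part of the PR or of createCCPConnector.ps1: it derives the custom tables a connector's DCR writes to from its dataFlows outputStream values and reports any that the connector's own templateSpec does not provision as a workspaces/tables resource (the gap that surfaces at connect-time as InvalidOutputTable). The DCR and template fragments are constructed inline and only mimic the shape of the real files.

```python
import re

# Constructed DCR fragment in the shape a CCF connector's DCR.json uses
# (streamDeclarations plus dataFlows); illustrative, not the PR's own files.
SAMPLE_DCR = {"properties": {
    "streamDeclarations": {
        "Custom-SentinelOneAlertsV2_CL": {"columns": [{"name": "TimeGenerated", "type": "datetime"}]},
        "Custom-SentinelOneAgents_CL": {"columns": [{"name": "TimeGenerated", "type": "datetime"}]}},
    "dataFlows": [
        {"streams": ["Custom-SentinelOneAlertsV2_CL"], "destinations": ["clv2ws1"],
         "transformKql": "source", "outputStream": "Custom-SentinelOneAlertsV2_CL"},
        {"streams": ["Custom-SentinelOneAgents_CL"], "destinations": ["clv2ws1"],
         "transformKql": "source", "outputStream": "Custom-SentinelOneAgents_CL"}]}}

# Constructed templateSpec fragment that emits only one of the two tables,
# the symptom the PR attributes to the tool's single-connector assumption.
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.OperationalInsights/workspaces/tables",
     "name": "[concat(parameters('workspace'),'/SentinelOneAlertsV2_CL')]"},
    {"type": "Microsoft.Insights/dataCollectionRules", "name": "placeholder-dcr"}]}

TABLE_TYPE = "Microsoft.OperationalInsights/workspaces/tables"
# Pulls <table> out of an ARM name like "[concat(parameters('workspace'),'/<table>')]"
NAME_RE = re.compile(r"'/([A-Za-z0-9_]+)'\s*\)\s*\]$")


def tables_referenced(dcr):
    """Custom tables the DCR writes to: each dataFlow outputStream 'Custom-<table>'."""
    out = set()
    for flow in dcr["properties"].get("dataFlows", []):
        stream = flow.get("outputStream", "")
        if stream.startswith("Custom-"):
            out.add(stream[len("Custom-"):])
    return out


def tables_declared(template):
    """Table names from workspaces/tables resources, unwrapping the ARM concat() name."""
    names = set()
    for res in template.get("resources", []):
        if res.get("type") == TABLE_TYPE:
            match = NAME_RE.search(res.get("name", ""))
            if match:
                names.add(match.group(1))
    return names


def missing_tables(dcr, template):
    """Tables the DCR needs that this connector's own templateSpec does not provision."""
    return tables_referenced(dcr) - tables_declared(template)
```

Run it against each connector's DCR.json and generated templateSpec after packaging; a non-empty result is exactly the "shipped missing tables" case the PR describes.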