
[SentinelOne] - Adding a v2 connector which uses the GraphQL Alerts Endpoint#14615

Open
jlheard wants to merge 3 commits into
Azure:masterfrom
jlheard:user/jlheard/sentinelone-v2-pupr

@jlheard jlheard commented Jul 2, 2026


Change(s):

• Added a new SentinelOne V2 codeless (CCF) data connector to the existing SentinelOne solution, ingesting Unified Alert Management (UAM) alerts from the SentinelOne GraphQL API into a new SentinelOneAlertsV2_CL table (Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/ — ConnectorDefinition.json, DCR.json, PollingConfig.json, and 5 table definitions).
• Updated Solutions/SentinelOne/Parsers/SentinelOne.yaml to union the v1 and v2 alert tables so existing content works transparently across both connectors.
• Updated Solutions/SentinelOne/Data Connectors/README.md to document why the V2 connector was added (GraphQL/UAM alerts) and how to deploy/use it.
• Registered the second connector in Data/Solution_SentinelOne.json, added a ReleaseNotes.md entry, and regenerated the solution Package/ (mainTemplate.json, createUiDefinition.json, 3.1.0.zip) with a minor version bump (3.0.x → 3.1.0).
• Fixed Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1 (guarded, additive) so solutions containing more than one CCF connector correctly emit every table each connector's DCR references into that connector's own templateSpec.

Reason for Change(s):
• The SentinelOne solution now supports SentinelOne's newer GraphQL UAM Alerts endpoint via a dedicated V2 connector, alongside the existing REST connector.
• The packaging tool previously assumed one CCF connector per solution: it routed only each connector's primary table into its own templateSpec and dumped the remaining tables into the first connector only. A second multi-table connector was therefore shipped missing tables and failed at connect-time with InvalidPayload / InvalidOutputTable. The guarded fix makes every CCF connector self-sufficient and independently connectable. It is purely additive (no tables/resources removed) and only activates when a solution has >1 CCF connector, so single-connector solutions are byte-for-byte unchanged.

Version Updated:
• Yes — solution version bumped minor (3.1.0) because a new connector was added. (No Detections/Analytic Rule template changes in this PR.)

Testing Completed:
• Yes — The V2 connector was deployed end-to-end into a live Microsoft Sentinel workspace; the DCR and all 5 tables provisioned successfully and alerts ingested into SentinelOneAlertsV2_CL. The updated SentinelOne parser was validated to union v1 + v2 tables. The packaging-tool fix was validated by regenerating the solution and confirming connect succeeds, then regression-tested across 6 solutions (Auth0, GitHub, Cortex XDR, Zscaler, BitSight, SentinelOne): single-connector solutions and Zscaler were byte-identical to baseline, and the two multi-connector solutions changed only in additive workspaces/tables resources (0 lines removed).

Checked that the validations are passing and have addressed any issues that are present:
• 👍
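The table-routing defect the PR description attributes to the packaging tool, reproduced as an added illustration. This is not the repository's createCCPConnector.ps1; the two DCR fragments, the connector names and the "primary table = first dataFlow" reading of the old behaviour are constructed assumptions for the example.

```python
"""Added illustration of the multi-connector packaging bug the PR describes; not
the repository's createCCPConnector.ps1, and the DCR fragments are constructed."""
import json

# Constructed DCRs trimmed to dataFlows. Sentinel CCF streams are named
# "Custom-<Table>_CL", so the table a flow writes is recoverable from outputStream.
DCR_V1 = json.dumps({"properties": {"dataFlows": [
    {"streams": ["Custom-SentinelOneAlerts_CL"], "outputStream": "Custom-SentinelOneAlerts_CL"},
    {"streams": ["Custom-SentinelOneAgents_CL"], "outputStream": "Custom-SentinelOneAgents_CL"},
]}})
DCR_V2 = json.dumps({"properties": {"dataFlows": [
    {"streams": ["Custom-SentinelOneAlertsV2_CL"], "outputStream": "Custom-SentinelOneAlertsV2_CL"},
    {"streams": ["Custom-SentinelOneAgents_CL"], "outputStream": "Custom-SentinelOneAgents_CL"},
    {"streams": ["Custom-SentinelOneThreats_CL"], "outputStream": "Custom-SentinelOneThreats_CL"},
]}})


def tables_referenced(dcr_json):
    """Custom tables a DCR writes to, in dataFlow order, without duplicates."""
    tables = []
    for flow in json.loads(dcr_json)["properties"]["dataFlows"]:
        stream = flow["outputStream"]
        if stream.startswith("Custom-") and stream[7:] not in tables:
            tables.append(stream[7:])
    return tables


def route_tables_old(connectors):
    """Pre-fix behaviour as the PR describes it (assumed reading): each connector's
    templateSpec gets only its primary (first) table; the rest go to the first connector."""
    plan = {name: set() for name, _ in connectors}
    first_name = connectors[0][0]
    for name, dcr in connectors:
        refs = tables_referenced(dcr)
        plan[name].add(refs[0])
        plan[first_name].update(refs[1:])
    return plan


def route_tables_fixed(connectors):
    """Guarded fix: with more than one connector, every table a connector's DCR
    references lands in its own templateSpec; a single connector keeps the old output."""
    if len(connectors) == 1:
        return route_tables_old(connectors)
    return {name: set(tables_referenced(dcr)) for name, dcr in connectors}


def missing_tables(plan, connectors):
    """Tables a connector's DCR references but its templateSpec never creates; any
    non-empty entry is a connector that will fail at connect time (InvalidOutputTable)."""
    return {name: [t for t in tables_referenced(dcr) if t not in plan[name]]
            for name, dcr in connectors}
```

Running missing_tables over the old plan shows the second connector lacking its Agents and Threats tables, while the fixed plan reports nothing missing and leaves the single-connector case identical.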

@jlheard jlheard requested review from a team as code owners July 2, 2026 17:03
@jlheard jlheard requested a review from a team as a code owner July 2, 2026 17:12
@v-atulyadav v-atulyadav requested a review from Copilot July 3, 2026 04:30

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a new SentinelOne V2 CCF connector using the UAM GraphQL alerts endpoint and updates packaging/parsing so both v1 and v2 data work together and multi-connector solutions package correctly.

Changes:

  • Introduces SentinelOneV2_ccf connector assets (DCR, polling, connector definition, and table definitions) including SentinelOneAlertsV2_CL.
  • Updates the SentinelOne parser to include the new V2 alerts branch and bumps solution version/release notes/UI definition.
  • Fixes the packaging tool to ensure each CCF connector includes all tables referenced by its own DCR.

Reviewed changes

Copilot reviewed 15 out of 17 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1 | Adds guarded logic to include connector-specific referenced tables when multiple CCF connectors exist. |
| Solutions/SentinelOne/ReleaseNotes.md | Adds 3.1.0 entry documenting the new V2 connector. |
| Solutions/SentinelOne/Parsers/SentinelOne.yaml | Updates parser metadata and unions in the new V2 alerts view. |
| Solutions/SentinelOne/Package/createUiDefinition.json | Updates solution description counts and adds UI text blocks for the V2 connector. |
| Solutions/SentinelOne/Data/Solution_SentinelOne.json | Registers the V2 connector and bumps solution version to 3.1.0. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneThreats.json | Adds table definition for threats used by the V2 connector. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneGroups.json | Adds table definition for groups used by the V2 connector. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneAlertsV2.json | Adds table definition for new UAM alerts table SentinelOneAlertsV2_CL. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneAgents.json | Adds table definition for agents used by the V2 connector. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/table_SentinelOneActivities.json | Adds table definition for activities used by the V2 connector. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/PollingConfig.json | Defines polling for REST logs and GraphQL alerts ingestion. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/DCR.json | Adds DCR streams/dataFlows and transformations for V2 connector ingestion. |
| Solutions/SentinelOne/Data Connectors/SentinelOneV2_ccf/ConnectorDefinition.json | Adds the connector definition/UI config for SentinelOne V2. |
| Solutions/SentinelOne/Data Connectors/README.md | Documents rationale, usage, and migration guidance for the V2 connector. |
| .script/tests/KqlvalidationsTests/CustomTables/SentinelOneAlertsV2_CL.json | Adds KQL validation schema for the new V2 alerts custom table. |

TotalAgents=column_ifexists('totalAgents_d', ''),
Type=column_ifexists('type_s', '');
union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union
union isfuzzy=true SentinelOneActivities_CL,SentinelOneAgents_CL,SentinelOneAlerts_CL,SentinelOneGroups_CL,SentinelOneThreats_CL,SentinelOneV1Empty_Union,SentinelOneV2_Empty
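Review bot: the view appended to the union, SentinelOneV2_Empty, is named inconsistently with the existing SentinelOneV1Empty_Union on the same line; consider SentinelOneV2Empty_Union so the two placeholder views read as a pair. Because the union is isfuzzy=true, an unresolved or misspelled view name is silently dropped rather than raising an error, so the parser's own tests should confirm that the V2 view actually resolves and that its projected columns line up with the v1 branch; otherwise V2 alerts surface in extra columns instead of the shared ones and existing content will not see them.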
{
"type": "Microsoft.SecurityInsights/dataConnectors",
"apiVersion": "2022-10-01-preview",
"name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/','SentinelOneActivities_CL' , uniqueString(parameters('managementUrl')) )]",
"properties": {
"auth": {
"type": "APIKey",
"ApiKey": "[[parameters('apitoken')]",
"ApiKeyIdentifier": "ApiToken"
},
"request": {
"apiEndpoint": "[[concat(parameters('managementUrl'), '/web/api/','v2.1', '/', 'activities')]",
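Review bot: the name expression on this dataConnectors resource wraps the workspace parameter inside a quoted string, `"[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/', ...`, which an ARM expression parser will not accept as written, whereas the apiEndpoint line below calls parameters('managementUrl') unquoted; it should read `[[concat(parameters('workspace'), '/Microsoft.SecurityInsights/', 'SentinelOneActivities_CL', uniqueString(parameters('managementUrl')))]`. Two smaller points: apiVersion 2022-10-01-preview is a preview API version, so check whether a stable one is available before shipping the regenerated package, and since ApiKey is populated from parameters('apitoken'), make sure that parameter is declared as securestring in mainTemplate.json so the token is not echoed in deployment history.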
"tags": {
"DataSource": "SentinelOneV2Connector",
"Category": "SecurityEvents"
},
"name": "ProcessArguments",
"type": "string",
"description": "The unique identifier for the malicious group."
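Review bot: the description on the ProcessArguments column, "The unique identifier for the malicious group.", is the description of a group-identifier column copied onto a process-arguments field; replace it with something like "Command-line arguments of the process associated with the alert." so the schema shown in the portal is not misleading. Worth a pass over the other table definitions in this connector for the same copy-paste pattern, since these descriptions are what analysts see when they pick columns.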
@v-maheshbh


Hi @jlheard

Kindly ensure all CCF files follow the naming convention:
SolutionName_ConnectorDefinition, SolutionName_PollerConfig, SolutionName_DCR and that the file name prefix matches the solution name consistently.

Thanks!
