SentinelOne Solution version 3.0.5 issue with the SentinelOne (using Azure Functions) Data Connector #11738

Open
q0njg3m1 opened this issue Jan 29, 2025 · 2 comments

@q0njg3m1

We are running the latest SentinelOne Solution (version 3.0.5) and we've noticed a strange behavior with the SentinelOne (using Azure Functions) Data Connector. The connector looks ok if you view it inside the Solution in the Content Hub:
Image

Image

But here is what is shown when you click the Open connector page button:
Image

It shows the description and configuration of the new data connector: SentinelOne (Preview), including the new tables: SentinelOneActivities_CL, SentinelOneAgents_CL, SentinelOneGroups_CL, SentinelOneThreats_CL and SentinelOneAlerts_CL.

Also, it shows as Connected even if we don't have any data in these new tables.
Maybe it's referencing the correct table (SentinelOne_CL) even though it shows the new tables and the description for the new SentinelOne (Preview) data connector (the one using Microsoft Sentinel Codeless Connector Platform).

Image

Same thing is visible in the Data Connectors page:
Image

Image

Please advise on how we can see the configuration for the old data connector: SentinelOne (using Azure Functions).
Thanks!

@v-mabrindha v-mabrindha self-assigned this Jan 30, 2025
@v-mabrindha v-mabrindha added the Solution Solution specialty review needed label Jan 30, 2025
@v-mabrindha

Please follow the instructions below to resolve this issue.

Scenario 1 -

1. Reinstall the solution.

Image

2. Check SentinelOne (Preview) behaviour.

Image

3. Check with the Open connector page. Both the description and the inside of the connector page should be the same.

Image

4. Check for SentinelOne (using Azure Functions).

Image

5. Check with the Open connector page. Both the description and the inside of the connector page should be the same.

Image

Scenario 2 -

1. Go to the workspace, Configuration -> Data Connector, and delete the connectors.

Image

2. Reinstall the SentinelOne solution.

Image

3. Check the data connectors through Manage.

Image

Let us know if this resolves your issue.

Thanks.

@q0njg3m1
Author

Hi @v-mabrindha,

Scenario 1 (only re-installing the SentinelOne Solution) didn't solve the issue.

Trying Scenario 2 (delete the Data Connectors then re-install the Solution) it says:

"Delete Data Connector
The data connector is currently connected and cannot be deleted. Please disconnect first and then delete.
Note that after disconnecting it may take some time until the connector status will change to disconnected."

What exactly happens if we disconnect then delete the data connector? We have two Function Apps created from the "SentinelOne (using Azure Functions)" Data Connector that are ingesting the logs from two SentinelOne consoles into this workspace.
Will data ingestion continue even if we disconnect and delete the data connector?

Also, as you can see from the screenshot, the connector name is not listed as "SentinelOne (using Azure Functions)" anymore but just "SentinelOne".

Image

Thanks!
