Connectors Setup Guide
Last updated: 2026-04-29
Status: Stable
Purpose
Step-by-step walkthrough of the Tool Catalog connector wizard. Covers the full lifecycle: finding a connector, entering credentials, testing, saving, and monitoring health.
The Tool Catalog Wizard
URL: /tool-catalog.html

The Tool Catalog is the single place to configure all 61 connectors. It replaces manual API credential entry and provides inline setup guides so you don't need to leave URIP to find documentation.
Finding a Connector
Search: Type the tool name in the search bar. Partial matches work ("crowd" finds "CrowdStrike Falcon").
Category filter: Filter by: VM, EDR, CSPM, DSPM, IDENTITY, NETWORK, DLP, FIREWALL, SOC, EMAIL, COLLABORATION, ITSM, LMS, PAM, NAC, OT, DAST, BAS, EASM, EXTERNAL_THREAT, ADVISORY, BUG_BOUNTY, GRC, BGV, HRIS.
Status filter:
- All — shows both configured and available connectors
- Configured — only connectors with credentials stored
- Available — only connectors not yet configured
Setting Up a Connector
Step 1: Click the Tile
Click any connector tile. The Setup Drawer opens on the right side of the screen.
Step 2: Read the Setup Drawer
The drawer contains six sections:
| Section | Content |
|---|---|
| Quick Facts | Poll frequency, data freshness, setup difficulty, module requirement |
| What's Pulled | Exact finding types, asset types, and data fields URIP ingests |
| Prerequisites | What you need before starting: vendor plan, API permissions, admin access |
| Setup Steps | Numbered instructions with credential field explanations and vendor doc links |
| Required Scopes | API permissions / OAuth scopes required (copy-paste ready) |
| Common Errors | The most frequent errors and how to fix them |
Read the Prerequisites section first. Some connectors require vendor-side API configuration before you can enter credentials.
Step 3: Enter Credentials
Fill in the credential fields shown in the form. Each field has:
- A label (e.g., "API Access Key")
- A help icon (hover for explanation)
- A link to the exact vendor documentation page where you find this value
- A placeholder showing the expected format
Credential field types:
| Type | UI behaviour |
|---|---|
| text | Plain text input |
| secret | Password-masked input (shows dots), never displayed after save |
| url | URL validator applied |
| select | Dropdown from predefined options |
Step 4: Test Connection
Click Test Connection. URIP sends a live request to the vendor API using the credentials you entered.
Results:
| Result | Meaning |
|---|---|
| Connected. Found X assets. Last scan: Y hours ago. | Credentials valid, API accessible, data available |
| HTTP 401 — Authentication failed | Credentials are wrong or expired |
| HTTP 403 — Insufficient permissions | Credentials are valid but lack required role/scope |
| HTTP 429 — Rate limited | Vendor API is rate-limiting; wait 60 seconds and retry |
| Connection timeout | Vendor API unreachable; check network or vendor status page |
| Invalid credential format | Field has unexpected characters; re-enter carefully |
The test does NOT save credentials. You must click Save after a successful test.
Step 5: Save
Click Save. Credentials are:
1. Transmitted securely (encrypted in transit) to URIP
2. Encrypted with a unique key for your organisation before storage
3. Never logged or displayed again after this point
The connector tile immediately updates to show Configured status.
Step 6: First Poll
The first automatic poll runs within 15 minutes of saving. Poll schedule:
| Category | Frequency |
|---|---|
| High-volume (Tenable, CrowdStrike, SentinelOne, Zscaler) | 15 minutes |
| Medium-volume (Netskope, Entra ID, Okta, ManageEngine) | 60 minutes |
| Low-volume (Burp Enterprise, GTB, CloudSEK) | 4 hours |
To poll immediately: click Run Now in the connector drawer (requires ciso role).
Monitoring Connector Health
URL: /connector-status.html
This page shows all configured connectors with:
- Status pill: ok / degraded / error
- Last successful poll timestamp
- Records ingested in the last poll
- Error count in the last 24 hours
- Last error message (if any)
Status definitions:
| Status | Meaning | Action |
|---|---|---|
| ok | Last poll succeeded, data is fresh | No action needed |
| degraded | Last poll succeeded partially (rate-limited or partial data) | Monitor; usually self-recovers |
| error | Last poll failed | Read last error message and fix credentials or permissions |
Re-testing and Updating Credentials
Credentials expire on the vendor's rotation schedule (usually 90 days for API keys, 30 days for some tokens).
When a connector goes to error status with "HTTP 401":
- Go to Tool Catalog → click the connector tile
- Generate a new API key in the vendor portal
- Enter the new key in the credential form
- Click Test Connection → verify success
- Click Save
The old encrypted credentials are overwritten.
Removing a Connector
- Tool Catalog → connector tile
- Scroll to the bottom of the setup drawer
- Click Disconnect
- Confirm removal
This deletes the encrypted credentials. Historical findings collected by this connector remain in the Risk Register with the connector name as their source.
Bulk Connector Management
If you manage many connectors, use these techniques to save time:
| Action | How to do it |
|---|---|
| View all statuses at once | Navigate to Connector Status — a single page showing every configured connector with colour-coded status pills |
| Re-test multiple connectors | Tool Catalog → click each connector tile → Test Connection. There is no bulk re-test button, but the test takes only a few seconds per connector |
| Identify widespread issues | On Connector Status, sort by Error count (24h) — if multiple connectors show errors simultaneously, the cause is usually network-level (proxy change, firewall rule update, certificate expiry) |
| Update credentials in bulk | There is no bulk credential update for security reasons. Each connector must be updated individually in the Tool Catalog |
Connector Failure Impact on Reporting
When a connector goes offline, it does not just show a red light — it directly affects your dashboards and compliance scores.
| What breaks | Why |
|---|---|
| Risk Dashboard | New findings from the offline tool stop arriving. Risks already in the register remain, but their status may become stale (e.g., a patched vulnerability still shows as open because the tool cannot confirm the fix). |
| Compliance scores | Controls that depend on the offline connector's data become "inconclusive" after the data ages out. This can cause a framework score to drop without any real security degradation. |
| SLA tracking | If the connector cannot confirm a fix, risks stay "Open" even if they were remediated. This inflates your overdue count. |
| Threat Intel | IOC matches and KEV flags for assets from the offline tool may be incomplete. |
What to do when a connector goes offline overnight:
1. Check Connector Status first thing in the morning
2. Read the Last error message
3. Fix the root cause (usually expired credentials or a network change)
4. Click Run Now to trigger an immediate poll
5. Watch the Risk Register and Compliance Dashboard update within 15 minutes
Multi-Connector De-duplication
When the same vulnerability appears from multiple tools (for example, both CrowdStrike Spotlight and Tenable report the same CVE on the same host), URIP automatically deduplicates:
- The finding is merged into a single row in the Risk Register
- Both tools are listed as sources
- The highest score is kept
- Remediation steps from all sources are consolidated
This means your Risk Register does not multiply when you add more connectors — it gets smarter and more complete.
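The merge rule described above, as an added sketch that is not URIP's own code. The record fields (`source`, `cve`, `host`, `score`, `remediation`), the case-insensitive match on CVE and hostname, and the sample rows are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class MergedFinding:
    cve: str
    host: str
    score: float
    sources: list = field(default_factory=list)
    remediation: list = field(default_factory=list)


def dedupe(findings):
    """Merge findings that share the same CVE on the same host into one row."""
    merged = {}
    for f in findings:
        # Assumption: identity is CVE ID + hostname, compared case-insensitively.
        key = (f["cve"].strip().upper(), f["host"].strip().lower())
        row = merged.get(key)
        if row is None:
            row = merged[key] = MergedFinding(key[0], key[1], f["score"])
        row.score = max(row.score, f["score"])      # the highest score is kept
        if f["source"] not in row.sources:          # every reporting tool is listed
            row.sources.append(f["source"])
        for step in f.get("remediation", []):       # consolidate, drop exact repeats
            if step not in row.remediation:
                row.remediation.append(step)
    return list(merged.values())


# Constructed sample input; the CVE ID is a placeholder, not a real identifier.
SAMPLE = [
    {"source": "Tenable", "cve": "CVE-0000-00001", "host": "WEB-01",
     "score": 7.5, "remediation": ["Apply vendor patch"]},
    {"source": "CrowdStrike Spotlight", "cve": "cve-0000-00001", "host": "web-01",
     "score": 8.1, "remediation": ["Apply vendor patch", "Restart service"]},
    {"source": "Tenable", "cve": "CVE-0000-00001", "host": "db-01",
     "score": 7.5, "remediation": ["Apply vendor patch"]},
]

if __name__ == "__main__":
    for row in dedupe(SAMPLE):
        print(row)
```

In this sketch the match key decides what merges: two tools that report the same machine as a short hostname and as an FQDN would produce two rows, so duplicate rows after adding a connector are worth checking against how each tool names the asset.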
OAuth Connectors
Some connectors use OAuth (Microsoft Entra ID, Google Workspace):
- In the connector drawer, click Authorise with Microsoft (or Google)
- A popup opens with the vendor's consent screen
- Log in with an account that has admin consent authority
- Grant the listed permissions
- The popup closes and the drawer shows a success state
- Click Save
OAuth tokens are stored securely using the same encryption as API keys.
Connector Setup Checklist
Before configuring a connector, verify:
- [ ] You have the required vendor subscription or plan tier
- [ ] You have administrator privileges in the vendor portal to generate API keys
- [ ] You have granted the required API scopes or permissions
- [ ] The API endpoint URL is correct (use the default for cloud-hosted tools; enter your on-premise URL if applicable)
- [ ] If your organisation restricts outbound network access, confirm that the URIP service can reach the vendor API. Your URIP account manager can provide the IP range to allowlist if needed.
Common Connector-Specific Notes
Tenable
- Generate key pair under Settings → My Account → API Keys
- The key needs Scanner role in Tenable, not just Reader
CrowdStrike
- Create an OAuth2 client in the Falcon console → API Clients and Keys
- Scopes needed: Detections:Read, Vulnerabilities:Read, Hosts:Read, Prevention Policy:Read
Microsoft Entra ID
- Register an App in Azure AD → API permissions → add Microsoft Graph permissions
- Must grant admin consent (not just user consent) for the listed permissions
- Client Secret expires — set a calendar reminder before expiry
SentinelOne
- API token is per-Site or per-Account — ensure it covers all Sites you want to monitor
- Site ID is visible in the Singularity console URL when viewing a site
Okta
- Create an API Token in Okta Admin → Security → API → Tokens
- Token inherits the generating user's permissions — use a dedicated service account
Jira
- API token generation: Atlassian account → Security → API tokens (not Jira admin panel)
- The project key is the short code (e.g., SEC, not the full project name)
See Also
- CONNECTOR_CATALOGUE.md — Full connector list with prerequisites
- TROUBLESHOOTING.md — Connector Not Pulling
- TROUBLESHOOTING.md — Connector Test Fails