What Changed
Seven Python modules in the Semperis Lightning Function App connector had verify=False set on all outbound requests calls, including authentication (token acquisition) and all data-collection endpoints:
- __init__.py – get_semperis_token(): authentication POST to SEMPERIS_AUTH_ENDPOINT
- semperis_attack_paths.py – _fetch_attack_paths()
- semperis_ioe_execution_results.py – _fetch_executions()
- semperis_ioe_executions.py – _fetch_executions()
- semperis_ioe_metadata.py – _fetch_metadata()
- semperis_tier0_attackers.py – _fetch_attackers()
- semperis_tier0_nodes.py – _fetch_nodes()
All seven calls now use default TLS verification (certificate chain validation enabled).
Security Impact
verify=False in the Python requests library suppresses all TLS certificate validation, making every outbound connection susceptible to man-in-the-middle interception. In the context of a Tier 0 identity threat detection connector, this is particularly severe:
- Token exposure: The authentication call to obtain the Semperis API bearer token was unprotected. An MITM attacker on the network path could capture the token and replay it to query Semperis Lightning directly.
- Data integrity: All ingested telemetry (Tier 0 nodes, attack paths, IoE results, attackers) could have been tampered with in transit, causing Sentinel to ingest falsified identity threat data without detection.
Deployments of any version prior to this fix were operating with disabled TLS validation since initial release (v1.0.0.0 / solution v3.0.0).
Reviewer Note
The Copilot review flagged two residual issues worth tracking:
- The get_semperis_token() function in __init__.py does not set a timeout parameter (unlike all other connector calls, which use timeout=30). A stalled auth endpoint could cause the Function App to hang indefinitely.
- Deployments using self-signed or private CA certificates for the Semperis API endpoint will now fail unless a trusted CA bundle is configured (e.g., via the REQUESTS_CA_BUNDLE or SSL_CERT_FILE environment variables).
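As an added example (not code from the connector or from this PR), the following check uses Python's ast module to flag the pattern this change removes, together with the missing-timeout case from the reviewer note. The three source samples are constructed to mirror the before, after and hardened states of get_semperis_token(); the check only matches direct requests.<method>(...) calls, not Session objects.

```python
import ast

# Module-level requests API calls that accept verify= and timeout=
REQUESTS_METHODS = {"get", "post", "put", "patch", "delete", "head", "request"}


def audit_requests_calls(source: str):
    """Return (line, call, issue) for each requests.<method>(...) call that
    passes verify=False or omits timeout=. Written for this example."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only direct requests.post(...) style calls; Session calls are not covered
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "requests"
                and func.attr in REQUESTS_METHODS):
            continue
        call = f"requests.{func.attr}"
        # kw.arg is None for **kwargs unpacking, which cannot be inspected statically
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        verify = kwargs.get("verify")
        if isinstance(verify, ast.Constant) and verify.value is False:
            findings.append((node.lineno, call, "verify=False"))
        if "timeout" not in kwargs:
            findings.append((node.lineno, call, "no timeout"))
    return findings


# Constructed sample of the pre-fix pattern: TLS validation off, no timeout
BEFORE = '''
def get_semperis_token(auth_endpoint, payload):
    resp = requests.post(auth_endpoint, json=payload, verify=False)
    return resp.json()["access_token"]
'''

# Constructed sample after this change: verification restored, timeout still missing
AFTER_FIX = '''
def get_semperis_token(auth_endpoint, payload):
    resp = requests.post(auth_endpoint, json=payload)
    return resp.json()["access_token"]
'''

# Constructed sample with the reviewer's follow-up applied
HARDENED = '''
def get_semperis_token(auth_endpoint, payload):
    resp = requests.post(auth_endpoint, json=payload, timeout=30)
    return resp.json()["access_token"]
'''
```

Run over the seven affected modules in CI, the same function reports each remaining verify=False or timeout-less call by file line before it reaches a release package.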
Affected Files
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/__init__.py
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_attack_paths.py
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_ioe_execution_results.py
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_ioe_executions.py
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_ioe_metadata.py
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_tier0_attackers.py
Solutions/SemperisLightning/Data Connectors/SemperisLightningLogs/LightningLogs/semperis_tier0_nodes.py
(packaging artefacts: SemperisLightning.zip)