TacitRed SentinelOne Integration Solution

Documentation/TacitRed-SentinelOne/README.md

@@ -0,0 +1,41 @@
+# TacitRed SentinelOne - Solution Documentation
+
+## Overview
+**TacitRed SentinelOne** is an automation Playbook designed to push TacitRed threat intelligence indicators directly into the **SentinelOne Singularity** platform. This ensures that threats identified by TacitRed are immediately recognized and blocked/alerted on by SentinelOne agents.
+
+## Capabilities
+- **Automated Push**: Sends hashes, domains, and IPs from TacitRed to SentinelOne's Threat Intelligence list.
+- **Severity Mapping**: Maps TacitRed severity to SentinelOne exclusion/block lists.
+- **Validation**: Includes logic to check if indicators already exist before adding.
+
+## Purpose
+Similar to the CrowdStrike solution, this addresses the need for automated defense updates for customers utilizing the SentinelOne EDR platform alongside TacitRed.
+
+## Support & Contact
+- **Publisher**: Data443 Risk Mitigation, Inc.
+- **Website**: [https://www.data443.com](https://www.data443.com)
+- **Support Email**: [[email protected]](mailto:[email protected])
+- **Product Page**: [TacitRed](https://www.data443.com/products/tacitred/)
+
+## How to Run / Deploy Manually
+
+### Prerequisites
+1.  **TacitRed API Key**.
+2.  **SentinelOne API Token**: With privileges to manage Threat Intelligence.
+
+### Manual Deployment via Azure Portal
+1.  Use **"Deploy a custom template"** with `Package/mainTemplate.json`.
+2.  Fill in the `TacitRed_ApiKey` and `SentinelOne_ApiToken`.
+3.  Deploy to your Sentinel Resource Group.
+
+### Manual Deployment via PowerShell
+```powershell
+New-AzResourceGroupDeployment -ResourceGroupName "YourResourceGroup" `
+    -TemplateFile "Package/mainTemplate.json" `
+    -TacitRed_ApiKey "..." `
+    -SentinelOne_ApiToken "..."
+```
+
+## Pull Request
+- **PR #13243**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13243)
+- **Status**: Active / In Review

Project_Structure_and_Workflow.md

@@ -0,0 +1,165 @@
+# Project Context, Structure, and Workflow Memory
+
+## Critical Deployment Rules
+**ALWAYS FOLLOW THESE RULES TO AVOID CONFLICTS:**
+1.  **One Solution Per PR**: Never bundle multiple solutions into a single Pull Request.
+2.  **Separate Branches**: Create a dedicated feature branch for each solution (e.g., `feature/solution-name`).
+3.  **Clean History**: Ensure your branch only contains commits relevant to that specific solution.
+
+## Active Pull Requests & Status
+
+### 1. Cyren Threat Intelligence
+- **PR #13224**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13224)
+- **Status**: Active / In Review
+- **Source Branch**: [`feature/cyren-threat-intelligence-clean`](https://github.com/mazamizo21/Azure-Sentinel/tree/feature/cyren-threat-intelligence-clean)
+
+### 2. TacitRed CrowdStrike IOC
+- **PR #13241**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13241)
+- **Status**: Active / In Review
+- **Source Branch**: [`feature/tacitred-crowdstrike-ioc`](https://github.com/mazamizo21/Azure-Sentinel/tree/feature/tacitred-crowdstrike-ioc)
+
+### 3. TacitRed Threat Intelligence (CCF)
+- **PR #13242**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13242)
+- **Status**: Active / In Review
+- **Source Branch**: [`feature/tacitred-ccf-hub-v2`](https://github.com/mazamizo21/Azure-Sentinel/tree/feature/tacitred-ccf-hub-v2)
+
+### 4. TacitRed SentinelOne
+- **PR #13243**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13243)
+- **Status**: Active / In Review
+- **Source Branch**: [`feature/tacitred-sentinelone-v1`](https://github.com/mazamizo21/Azure-Sentinel/tree/feature/tacitred-sentinelone-v1)
+
+### 5. TacitRed Defender Threat Intelligence
+- **PR #13247**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13247)
+- **Status**: **Submitted / Waiting for CI**
+- **Source Branch**: [`feature/tacitred-defender-ti`](https://github.com/mazamizo21/Azure-Sentinel/tree/feature/tacitred-defender-ti)
+
+### Guidance
+- Use **“Conversation”** tab on the PR to see reviewer comments.
+- Use **“Checks”** tab to see latest SolutionValidations / arm‑ttk / KQL checks.
+
+### Previous/Related PR
+- **PR #13204**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13204) (Superseded)
+
+### Important Links
+
+#### TacitRed CCF solution folders (in Azure repo)
+- **TacitRedThreatIntelligence (Master)**: [Link](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/TacitRedThreatIntelligence)
+- **CyrenThreatIntelligence (Master)**: [Link](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CyrenThreatIntelligence)
+- *Note: When the PR is merged, these folders in master will contain your final code.*
+
+#### TacitRed CrowdStrike IOC solution
+- **TacitRed-IOC-CrowdStrike (Master)**: [Link](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/TacitRed-IOC-CrowdStrike)
+- **TacitRed-IOC-CrowdStrike (Fork/PR Context)**: [Link](https://github.com/mazamizo21/Azure-Sentinel/tree/feature/tacitred-ccf-hub-v2threatintelligence/Solutions/TacitRed-IOC-CrowdStrike)
+
+---
+
+## Standard Operating Procedure (SOP)
+
+### 1. Development (Staging)
+- **Action**: Make all code changes, edits, and fixes in the **Staging** environment.
+- **Locations**:
+    - **TacitRed CCF**: `sentinel-production/Tacitred-CCF-Hub-v2`
+    - **Cyren CCF**: `sentinel-production/Cyren-CCF-Hub`
+    - **TacitRed CrowdStrike**: `sentinel-production/TacitRed-IOC-CrowdStrike`
+    - **TacitRed SentinelOne**: `sentinel-production/TacitRed-SentinelOne`
+- **Note**: These folders are the **Source of Truth**. Any changes made directly to the Production folder will be overwritten by the Deployment script.
+
+### 2. Validation (Local)
+- **Action**: Run validation tools locally against the **Staging** files to catch errors before uploading.
+- **Location**: `sentinel-production/Project/Deployment-Workflows/`
+- **Tools**:
+    - **API Version Check**: Verify all Azure resource API versions are up-to-date
+        - Check https://learn.microsoft.com/en-us/azure/templates/ for latest versions
+        - Common resources: Microsoft.Web/sites (2024-04-01), Microsoft.Logic/workflows (2019-05-01)
+    - **ARM-TTK**: Run `RUN-TTK-Validation.ps1 -SolutionName "Tacitred-CCF-Hub-v2"` (or other solution name).
+    - **TruffleHog**: Automatically run as part of the deployment script, or manually via `TruffleHog/run_safe_scan.sh`.
+
+
+### 3. Promotion & Deployment (Unified)
+- **Action**: Run the **Unified Deployment Script** to handle everything end-to-end.
+- **Script**: `DEPLOY-UNIFIED.ps1`
+- **Location**: `sentinel-production/Project/Deployment-Workflows/`
+- **Usage**: 
+    - **Live Deployment**: `pwsh -NoLogo -ExecutionPolicy Bypass -File ./Project/Deployment-Workflows/DEPLOY-UNIFIED.ps1`
+    - **Dry Run (Test)**: `pwsh -NoLogo -ExecutionPolicy Bypass -File ./Project/Deployment-Workflows/DEPLOY-UNIFIED.ps1 -DryRun`
+- **What this SINGLE script does**:
+    1.  **Security Scan**: Runs TruffleHog once for the whole project.
+    2.  **Upstream Sync**: Syncs your repo with Microsoft's `master` branch once.
+    3.  **Loop Through All Solutions**:
+        *   **Auto-Versioning**: Increments version in `packageMetadata.json` (and `mainTemplate.json` if applicable).
+        *   **Packaging**: Zips the appropriate folder (`Data Connectors` or `Playbooks`) into a versioned zip (e.g., `3.0.1.zip`).
+        *   **Promote**: Copies all files to the Production folder.
+        *   **Git Stage**: Adds changes to git staging area.
+    4.  **Commit & Push**: Commits all changes for all solutions in one go and pushes to GitHub (Microsoft Fork).
+    5.  **Sync to Data443**: Automatically pushes the same changes to the private Data443 repository (`data443` remote) as a backup.
+
+### 4. CI/CD (Remote)
+- **Action**: Monitor the Pull Request on GitHub.
+- **Check**: Ensure "SolutionValidations", "TruffleHog", and other Microsoft CI checks pass.
+
+---
+
+## Environments & Structure
+
+### Staging
+- **TacitRed CCF**: `sentinel-production/Tacitred-CCF-Hub-v2`
+- **Cyren CCF**: `sentinel-production/Cyren-CCF-Hub`
+- **TacitRed CrowdStrike**: `sentinel-production/TacitRed-IOC-CrowdStrike`
+- **TacitRed SentinelOne**: `sentinel-production/TacitRed-SentinelOne`
+
+### Production
+- **Location**: `sentinel-production/Project/Tools/Azure-Sentinel/Solutions/`
+- **Purpose**: The official production version of the solutions, located within the Azure-Sentinel solutions repository structure.
+
+## Tools
+
+### ARM TTK (Template Test Kit)
+- **Location**: `sentinel-production/Project/Tools/arm-ttk`
+- **Runner Script**: `sentinel-production/Project/Deployment-Workflows/RUN-TTK-Validation.ps1`
+
+### Sentinel CI
+- **Location**: `sentinel-production/Project/Tools/SentinelCI`
+
+## Workflows
+
+### Unified Deployment
+- **Directory**: `sentinel-production/Project/Deployment-Workflows`
+- **Script**: `DEPLOY-UNIFIED.ps1`
+- **Features**: Auto-versioning, Auto-zipping, TruffleHog Scan, Upstream Sync, Git Push.
+
+## Pre-Submission Checklist (Critical Lessons Learned)
+Before creating a Pull Request, you **MUST** verify the following to ensure it passes 'SolutionValidations' and 'SafeToRun' constraints:
+
+### 1. File Hygiene
+- [ ] **Allowed Extensions Only**: Ensure the solution folder contains **ONLY** `.json`, `.zip`, `.md`, `.txt`, `.png`, `.svg`.
+- [ ] **Prohibited Files**: Remove ALL `.ps1`, `.py`, `.sh`, `.exe`, `.dll`, `.bin` files.
+- [ ] **Clean Up**: Remove any temporary files (`.outofscope`, `.bak`) and **DELETE OLD ZIP VERSIONS** (only keep latest).
+- [ ] **Common Tools**: Do NOT modify shared scripts like `Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1`.
+
+### 2. Metadata Consistency
+- [ ] **Resource Existence**: Ensure `mainTemplate.json` includes the `Microsoft.OperationalInsights/workspaces/providers/contentPackages` resource (kind: Solution).
+- [ ] **Variables**: Ensure `mainTemplate.json` has `_solutionName`, `_solutionVersion`, `_solutionId` variables defined.
+- [ ] **Version Match**: The `_solutionVersion` in `mainTemplate.json` **MUST MATCH** the version in `packageMetadata.json`.
+
+### 3. JSON Validation
+- [ ] **Syntax Check**: Run `jq empty mainTemplate.json` or use an IDE linter to ensure valid JSON syntax. Trailing commas are a common failure cause.
+
+## Standardized Solution Mapping
+
+| Solution Name | Staging Path | Prod Zip Folder | Notes |
+| :--- | :--- | :--- | :--- |
+| **TacitRedThreatIntelligence** | `Tacitred-CCF-Hub` | `Solutions/TacitRedThreatIntelligence/Package` | Uses `Data Connectors` zip source. |
+| **CyrenThreatIntelligence** | `Cyren-CCF-Hub` | `Solutions/CyrenThreatIntelligence/Package` | Uses `Data Connectors` zip source. |
+| **TacitRed-IOC-CrowdStrike** | `TacitRed-IOC-CrowdStrike` | `Solutions/TacitRed-IOC-CrowdStrike/Package` | Uses `Playbooks` zip source. |
+| **TacitRed-SentinelOne** | `TacitRed-SentinelOne` | `Solutions/TacitRed-SentinelOne/Package` | Uses `Playbooks` zip source. |
+
+## PR & Validation Procedure
+
+1. **Clean Staging**: Always delete `*.zip` in Staging *before* running deployment script (`rm *.zip`).
+2. **Run Script**: `pwsh ... -SolutionName "TacitRedThreatIntelligence"`.
+3. **Clean Production**: The script creates a new zip but **does not delete old ones** in Prod. You **MUST** manually run `rm 1.0.X.zip` in `Tools/Azure-Sentinel/Solutions/.../Package` to leave *only* the new version.
+4. **Push & Verify**: Push to branch. Check PR.
+5. **Security Approval**: New PRs require "Security Approval" in GitHub. You cannot bypass this. Ask repository owner.
+
+## Sync Documentation
+When updating `Project_Structure_and_Workflow.md`, you **MUST** sync this single file to ALL active feature branches immediately to prevent outdated instructions.

Solutions/TacitRed-SentinelOne/Package/createUiDefinition.json

@@ -0,0 +1,147 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+    "handler": "Microsoft.Azure.CreateUIDef",
+    "version": "0.1.2-preview",
+    "parameters": {
+        "config": {
+            "isWizard": false,
+            "basics": {
+                "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/TacitRed-SentinelOne/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe TacitRed SentinelOne IOC Automation solution provides example playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and prepare indicators for ingestion into SentinelOne.\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+                "subscription": {
+                    "resourceProviders": [
+                        "Microsoft.OperationsManagement/solutions",
+                        "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+                        "Microsoft.Insights/workbooks",
+                        "Microsoft.Logic/workflows"
+                    ]
+                },
+                "location": {
+                    "metadata": {
+                        "hidden": "Hiding location, we get it from the log analytics workspace"
+                    },
+                    "visible": false
+                },
+                "resourceGroup": {
+                    "allowExisting": true
+                }
+            }
+        },
+        "basics": [
+            {
+                "name": "getLAWorkspace",
+                "type": "Microsoft.Solutions.ArmApiControl",
+                "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+                "condition": "[greater(length(resourceGroup().name),0)]",
+                "request": {
+                    "method": "GET",
+                    "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+                }
+            },
+            {
+                "name": "workspace",
+                "type": "Microsoft.Common.DropDown",
+                "label": "Workspace",
+                "placeholder": "Select a workspace",
+                "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+                "constraints": {
+                    "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+                    "required": true
+                },
+                "visible": true
+            }
+        ],
+        "steps": [
+            {
+                "name": "configuration",
+                "label": "Configuration",
+                "subLabel": {
+                    "preValidation": "Configure API connections",
+                    "postValidation": "Done"
+                },
+                "bladeTitle": "Configuration",
+                "elements": [
+                    {
+                        "name": "auth-text",
+                        "type": "Microsoft.Common.TextBlock",
+                        "options": {
+                            "text": "Please provide the API credentials for TacitRed and SentinelOne."
+                        }
+                    },
+                    {
+                        "name": "tacitRedApiKey",
+                        "type": "Microsoft.Common.TextBox",
+                        "label": "TacitRed API Key",
+                        "toolTip": "Your TacitRed API Key",
+                        "constraints": {
+                            "required": true,
+                            "regex": "^[A-Za-z0-9]+$",
+                            "validationMessage": "Please enter a valid API Key (alphanumeric)."
+                        },
+                        "options": {
+                            "secure": true
+                        }
+                    },
+                    {
+                        "name": "sentinelOneApiToken",
+                        "type": "Microsoft.Common.TextBox",
+                        "label": "SentinelOne API Token",
+                        "toolTip": "Your SentinelOne API Token",
+                        "constraints": {
+                            "required": true,
+                            "regex": "^[A-Za-z0-9\\-_]+$",
+                            "validationMessage": "Please enter a valid API Token."
+                        },
+                        "options": {
+                            "secure": true
+                        }
+                    },
+                    {
+                        "name": "sentinelOneBaseUrl",
+                        "type": "Microsoft.Common.TextBox",
+                        "label": "SentinelOne Base URL",
+                        "defaultValue": "https://usea1-001.sentinelone.net",
+                        "toolTip": "Your SentinelOne Console URL",
+                        "constraints": {
+                            "required": true,
+                            "regex": "^https://[a-zA-Z0-9.-]+$",
+                            "validationMessage": "Please enter a valid HTTPS URL."
+                        }
+                    },
+                    {
+                        "name": "sentinelOneAccountId",
+                        "type": "Microsoft.Common.TextBox",
+                        "label": "SentinelOne Account ID",
+                        "toolTip": "Your SentinelOne Account ID (e.g. 2361866902403606722)",
+                        "constraints": {
+                            "required": true,
+                            "regex": "^[0-9]+$",
+                            "validationMessage": "Please enter a valid Account ID (digits only)."
+                        }
+                    },
+                    {
+                        "name": "tacitRedDomain",
+                        "type": "Microsoft.Common.TextBox",
+                        "label": "TacitRed Domain Filter (Optional)",
+                        "defaultValue": "",
+                        "toolTip": "Optional domain to filter findings",
+                        "constraints": {
+                            "required": false,
+                            "regex": "^([a-zA-Z0-9.-]+)?$",
+                            "validationMessage": "Please enter a valid domain name."
+                        }
+                    }
+                ]
+            }
+        ],
+        "outputs": {
+            "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+            "location": "[location()]",
+            "workspace": "[basics('workspace')]",
+            "TacitRed_ApiKey": "[steps('configuration').tacitRedApiKey]",
+            "SentinelOne_ApiToken": "[steps('configuration').sentinelOneApiToken]",
+            "SentinelOne_BaseUrl": "[steps('configuration').sentinelOneBaseUrl]",
+            "SentinelOne_AccountId": "[steps('configuration').sentinelOneAccountId]",
+            "TacitRed_Domain": "[steps('configuration').tacitRedDomain]"
+        }
+    }
+}

Solutions/TacitRed-SentinelOne/Package/deploymentParameters.json

@@ -0,0 +1,12 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "logicAppName": {
+            "value": "pb-tacitred-to-sentinelone"
+        },
+        "location": {
+            "value": "eastus"
+        }
+    }
+}