diff --git a/Documentation/TacitRed-Defender-ThreatIntelligence/README.md b/Documentation/TacitRed-Defender-ThreatIntelligence/README.md new file mode 100644 index 00000000000..130381b719b --- /dev/null +++ b/Documentation/TacitRed-Defender-ThreatIntelligence/README.md 
@@ -0,0 +1,50 @@ +# TacitRed Defender Threat Intelligence - Solution Documentation + +## Overview +**TacitRed Defender Threat Intelligence** provides a seamless integration between TacitRed's high-fidelity threat intelligence and **Microsoft Defender for Endpoint**. This solution enables automated ingestion of TacitRed findings as IOCs (Indicators of Compromise) into your Defender environment, enhancing your threat detection and response capabilities. + +## Capabilities +- **Automated Ingestion**: Periodically fetches compromised credentials and malware indicators from TacitRed. +- **Customizable Filtering**: Allows filtering findings by specific domains or severity levels. +- **Microsoft Defender Integration**: Post indicators directly to the Defender API for immediate blocking and alerting. +- **Sentinel Monitoring**: Provides logs and monitoring within Azure Sentinel for operational visibility. + +## Purpose +This package is designed for Security Operations Centers (SOCs) that utilize both TacitRed (by Data443) for external threat intelligence and Microsoft Defender for Endpoint for endpoint protection. It bridges the gap by automating the operationalization of threat intel. + +## Support & Contact +- **Publisher**: Data443 Risk Mitigation, Inc. +- **Website**: [https://www.data443.com](https://www.data443.com) +- **Support Email**: [support@data443.com](mailto:support@data443.com) +- **Product Page**: [TacitRed](https://www.data443.com/products/tacitred/) + +## How to Run / Deploy Manually + +### Prerequisites +1. **TacitRed API Key**: You must have a valid API key from your TacitRed account. +2. **Azure Subscription**: An active Azure subscription with permissions to deploy resources. +3. **Microsoft Sentinel**: A Log Analytics workspace with Sentinel enabled (optional, but recommended). + +### Manual Deployment via Azure Portal (Custom Template) +1. Navigate to the [Azure Portal](https://portal.azure.com). +2. Search for **"Deploy a custom template"**. +3. 
Click **"Build your own template in the editor"**. +4. Copy the contents of `Package/mainTemplate.json` and paste it into the editor. +5. Click **Save**. +6. Fill in the required parameters: + - `TacitRed_ApiKey`: Your API Key. + - `Workspace`: The name of your Log Analytics Workspace. + - `Location`: The region of your workspace. +7. Click **Review + create** -> **Create**. + +### Manual Deployment via PowerShell +```powershell +New-AzResourceGroupDeployment -ResourceGroupName "YourResourceGroup" ` + -TemplateFile "Package/mainTemplate.json" ` + -TacitRed_ApiKey "YOUR_API_KEY" ` + -workspace "YourLogAnalyticsWorkspaceName" +``` + +## Pull Request +- **PR #13247**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13247) +- **Status**: Submitted / Waiting for CI diff --git a/Project_Structure_and_Workflow.md b/Project_Structure_and_Workflow.md new file mode 100644 index 00000000000..63ac5c88724 --- /dev/null +++ b/Project_Structure_and_Workflow.md 
@@ -0,0 +1,165 @@ +# Project Context, Structure, and Workflow Memory + +## Critical Deployment Rules +**ALWAYS FOLLOW THESE RULES TO AVOID CONFLICTS:** +1. **One Solution Per PR**: Never bundle multiple solutions into a single Pull Request. +2. **Separate Branches**: Create a dedicated feature branch for each solution (e.g., `feature/solution-name`). +3. **Clean History**: Ensure your branch only contains commits relevant to that specific solution. + +## Active Pull Requests & Status + +### 1. Cyren Threat Intelligence +- **PR #13224**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13224) +- **Status**: Active / In Review +- **Source Branch**: [`feature/cyren-threat-intelligence-clean`](https://github.com/mazamizo21/Azure-Sentinel/tree/feature/cyren-threat-intelligence-clean) + +### 2. TacitRed CrowdStrike IOC +- **PR #13241**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13241) +- **Status**: Active / In Review +- **Source Branch**: [`feature/tacitred-crowdstrike-ioc`](https://github.com/mazamizo21/Azure-Sentinel/tree/feature/tacitred-crowdstrike-ioc) + +### 3. TacitRed Threat Intelligence (CCF) +- **PR #13242**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13242) +- **Status**: Active / In Review +- **Source Branch**: [`feature/tacitred-ccf-hub-v2`](https://github.com/mazamizo21/Azure-Sentinel/tree/feature/tacitred-ccf-hub-v2) + +### 4. TacitRed SentinelOne +- **PR #13243**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13243) +- **Status**: Active / In Review +- **Source Branch**: [`feature/tacitred-sentinelone-v1`](https://github.com/mazamizo21/Azure-Sentinel/tree/feature/tacitred-sentinelone-v1) + +### 5. 
TacitRed Defender Threat Intelligence +- **PR #13247**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13247) +- **Status**: **Submitted / Waiting for CI** +- **Source Branch**: [`feature/tacitred-defender-ti`](https://github.com/mazamizo21/Azure-Sentinel/tree/feature/tacitred-defender-ti) + +### Guidance +- Use **“Conversation”** tab on the PR to see reviewer comments. +- Use **“Checks”** tab to see latest SolutionValidations / arm‑ttk / KQL checks. + +### Previous/Related PR +- **PR #13204**: [Azure-Sentinel Pull Request](https://github.com/Azure/Azure-Sentinel/pull/13204) (Superseded) + +### Important Links + +#### TacitRed CCF solution folders (in Azure repo) +- **TacitRedThreatIntelligence (Master)**: [Link](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/TacitRedThreatIntelligence) +- **CyrenThreatIntelligence (Master)**: [Link](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CyrenThreatIntelligence) +- *Note: When the PR is merged, these folders in master will contain your final code.* + +#### TacitRed CrowdStrike IOC solution +- **TacitRed-IOC-CrowdStrike (Master)**: [Link](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/TacitRed-IOC-CrowdStrike) +- **TacitRed-IOC-CrowdStrike (Fork/PR Context)**: [Link](https://github.com/mazamizo21/Azure-Sentinel/tree/feature/tacitred-ccf-hub-v2threatintelligence/Solutions/TacitRed-IOC-CrowdStrike) + +--- + +## Standard Operating Procedure (SOP) + +### 1. Development (Staging) +- **Action**: Make all code changes, edits, and fixes in the **Staging** environment. +- **Locations**: + - **TacitRed CCF**: `sentinel-production/Tacitred-CCF-Hub-v2` + - **Cyren CCF**: `sentinel-production/Cyren-CCF-Hub` + - **TacitRed CrowdStrike**: `sentinel-production/TacitRed-IOC-CrowdStrike` + - **TacitRed SentinelOne**: `sentinel-production/TacitRed-SentinelOne` +- **Note**: These folders are the **Source of Truth**. 
Any changes made directly to the Production folder will be overwritten by the Deployment script. + +### 2. Validation (Local) +- **Action**: Run validation tools locally against the **Staging** files to catch errors before uploading. +- **Location**: `sentinel-production/Project/Deployment-Workflows/` +- **Tools**: + - **API Version Check**: Verify all Azure resource API versions are up-to-date + - Check https://learn.microsoft.com/en-us/azure/templates/ for latest versions + - Common resources: Microsoft.Web/sites (2024-04-01), Microsoft.Logic/workflows (2019-05-01) + - **ARM-TTK**: Run `RUN-TTK-Validation.ps1 -SolutionName "Tacitred-CCF-Hub-v2"` (or other solution name). + - **TruffleHog**: Automatically run as part of the deployment script, or manually via `TruffleHog/run_safe_scan.sh`. + + +### 3. Promotion & Deployment (Unified) +- **Action**: Run the **Unified Deployment Script** to handle everything end-to-end. +- **Script**: `DEPLOY-UNIFIED.ps1` +- **Location**: `sentinel-production/Project/Deployment-Workflows/` +- **Usage**: + - **Live Deployment**: `pwsh -NoLogo -ExecutionPolicy Bypass -File ./Project/Deployment-Workflows/DEPLOY-UNIFIED.ps1` + - **Dry Run (Test)**: `pwsh -NoLogo -ExecutionPolicy Bypass -File ./Project/Deployment-Workflows/DEPLOY-UNIFIED.ps1 -DryRun` +- **What this SINGLE script does**: + 1. **Security Scan**: Runs TruffleHog once for the whole project. + 2. **Upstream Sync**: Syncs your repo with Microsoft's `master` branch once. + 3. **Loop Through All Solutions**: + * **Auto-Versioning**: Increments version in `packageMetadata.json` (and `mainTemplate.json` if applicable). + * **Packaging**: Zips the appropriate folder (`Data Connectors` or `Playbooks`) into a versioned zip (e.g., `3.0.1.zip`). + * **Promote**: Copies all files to the Production folder. + * **Git Stage**: Adds changes to git staging area. + 4. **Commit & Push**: Commits all changes for all solutions in one go and pushes to GitHub (Microsoft Fork). + 5. 
**Sync to Data443**: Automatically pushes the same changes to the private Data443 repository (`data443` remote) as a backup. + +### 4. CI/CD (Remote) +- **Action**: Monitor the Pull Request on GitHub. +- **Check**: Ensure "SolutionValidations", "TruffleHog", and other Microsoft CI checks pass. + +--- + +## Environments & Structure + +### Staging +- **TacitRed CCF**: `sentinel-production/Tacitred-CCF-Hub-v2` +- **Cyren CCF**: `sentinel-production/Cyren-CCF-Hub` +- **TacitRed CrowdStrike**: `sentinel-production/TacitRed-IOC-CrowdStrike` +- **TacitRed SentinelOne**: `sentinel-production/TacitRed-SentinelOne` + +### Production +- **Location**: `sentinel-production/Project/Tools/Azure-Sentinel/Solutions/` +- **Purpose**: The official production version of the solutions, located within the Azure-Sentinel solutions repository structure. + +## Tools + +### ARM TTK (Template Test Kit) +- **Location**: `sentinel-production/Project/Tools/arm-ttk` +- **Runner Script**: `sentinel-production/Project/Deployment-Workflows/RUN-TTK-Validation.ps1` + +### Sentinel CI +- **Location**: `sentinel-production/Project/Tools/SentinelCI` + +## Workflows + +### Unified Deployment +- **Directory**: `sentinel-production/Project/Deployment-Workflows` +- **Script**: `DEPLOY-UNIFIED.ps1` +- **Features**: Auto-versioning, Auto-zipping, TruffleHog Scan, Upstream Sync, Git Push. + +## Pre-Submission Checklist (Critical Lessons Learned) +Before creating a Pull Request, you **MUST** verify the following to ensure it passes 'SolutionValidations' and 'SafeToRun' constraints: + +### 1. File Hygiene +- [ ] **Allowed Extensions Only**: Ensure the solution folder contains **ONLY** `.json`, `.zip`, `.md`, `.txt`, `.png`, `.svg`. +- [ ] **Prohibited Files**: Remove ALL `.ps1`, `.py`, `.sh`, `.exe`, `.dll`, `.bin` files. +- [ ] **Clean Up**: Remove any temporary files (`.outofscope`, `.bak`) and **DELETE OLD ZIP VERSIONS** (only keep latest). 
+- [ ] **Common Tools**: Do NOT modify shared scripts like `Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1`. + +### 2. Metadata Consistency +- [ ] **Resource Existence**: Ensure `mainTemplate.json` includes the `Microsoft.OperationalInsights/workspaces/providers/contentPackages` resource (kind: Solution). +- [ ] **Variables**: Ensure `mainTemplate.json` has `_solutionName`, `_solutionVersion`, `_solutionId` variables defined. +- [ ] **Version Match**: The `_solutionVersion` in `mainTemplate.json` **MUST MATCH** the version in `packageMetadata.json`. + +### 3. JSON Validation +- [ ] **Syntax Check**: Run `jq empty mainTemplate.json` or use an IDE linter to ensure valid JSON syntax. Trailing commas are a common failure cause. + +## Standardized Solution Mapping + +| Solution Name | Staging Path | Prod Zip Folder | Notes | +| :--- | :--- | :--- | :--- | +| **TacitRedThreatIntelligence** | `Tacitred-CCF-Hub` | `Solutions/TacitRedThreatIntelligence/Package` | Uses `Data Connectors` zip source. | +| **CyrenThreatIntelligence** | `Cyren-CCF-Hub` | `Solutions/CyrenThreatIntelligence/Package` | Uses `Data Connectors` zip source. | +| **TacitRed-IOC-CrowdStrike** | `TacitRed-IOC-CrowdStrike` | `Solutions/TacitRed-IOC-CrowdStrike/Package` | Uses `Playbooks` zip source. | +| **TacitRed-SentinelOne** | `TacitRed-SentinelOne` | `Solutions/TacitRed-SentinelOne/Package` | Uses `Playbooks` zip source. | + +## PR & Validation Procedure + +1. **Clean Staging**: Always delete `*.zip` in Staging *before* running deployment script (`rm *.zip`). +2. **Run Script**: `pwsh ... -SolutionName "TacitRedThreatIntelligence"`. +3. **Clean Production**: The script creates a new zip but **does not delete old ones** in Prod. You **MUST** manually run `rm 1.0.X.zip` in `Tools/Azure-Sentinel/Solutions/.../Package` to leave *only* the new version. +4. **Push & Verify**: Push to branch. Check PR. +5. **Security Approval**: New PRs require "Security Approval" in GitHub. 
You cannot bypass this. Ask repository owner. + +## Sync Documentation +When updating `Project_Structure_and_Workflow.md`, you **MUST** sync this single file to ALL active feature branches immediately to prevent outdated instructions. diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Data/Solution_TacitRedDefenderThreatIntelligence.json b/Solutions/TacitRed-Defender-ThreatIntelligence/Data/Solution_TacitRedDefenderThreatIntelligence.json new file mode 100644 index 00000000000..64f98efd17d --- /dev/null +++ b/Solutions/TacitRed-Defender-ThreatIntelligence/Data/Solution_TacitRedDefenderThreatIntelligence.json @@ -0,0 +1,17 @@ +{ + "Name": "TacitRed-Defender-ThreatIntelligence", + "Author": "Data443 Risk Mitigation, Inc. - support@data443.com", + "Logo": "", + "Description": "The TacitRed Defender Threat Intelligence solution integrates TacitRed's threat intelligence feed with Microsoft Sentinel. It automatically retrieves compromised credentials and other threat indicators from TacitRed and ingests them into Microsoft Sentinel using the Upload API for enhanced threat detection.", + "Data Connectors": [ + "Package/mainTemplate.json" + ], + "Playbooks": [ + "Playbooks/TacitRedToDefenderTI_Playbook.json" + ], + "Metadata": "SolutionMetadata.json", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\TacitRed-Defender-ThreatIntelligence", + "Version": "1.0.0", + "TemplateSpec": true, + "Is1Pconnector": false +} \ No newline at end of file diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Package/1.0.0.zip b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/1.0.0.zip new file mode 100644 index 00000000000..65caab8c306 Binary files /dev/null and b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/1.0.0.zip differ diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Package/createUiDefinition.json b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/createUiDefinition.json new file mode 100644 index 00000000000..9668cb57769 
--- /dev/null +++ b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/createUiDefinition.json 
@@ -0,0 +1,100 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "**TacitRed Defender Threat Intelligence** automates the synchronization of threat intelligence from TacitRed to Microsoft Defender.\n\n**Playbooks:** 1\n\n[Learn more about TacitRed >](https://www.tacitred.com/)", + "subscription": { + "constraints": { + "validations": [ + { + "permission": "Microsoft.OperationalInsights/workspaces/read", + "message": "Please ensure you have read permissions for the workspace" + } + ] + }, + "resourceProviders": [ + "Microsoft.OperationalInsights/workspaces", + "Microsoft.Logic" + ] + }, + "location": { + "label": "Location", + "toolTip": "Location for all resources", + "resourceTypes": [ + "Microsoft.OperationalInsights/workspaces" + ] + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This fetches all workspaces in the subscription", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace-guidance", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Please select the Microsoft Sentinel Workspace where you want to install the solution. This must be in the same Resource Group selected above." + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Sentinel Workspace", + "placeholder": "Select your Sentinel Workspace", + "toolTip": "Select the Microsoft Sentinel workspace where you want to deploy the solution. 
It must be in the current Resource Group.", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "configuration", + "label": "Configuration", + "bladeTitle": "Configuration", + "elements": [ + { + "name": "config-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Please provide the configuration details for the Logic App." + } + }, + { + "name": "TacitRed_ApiKey", + "type": "Microsoft.Common.PasswordBox", + "label": "TacitRed API Key", + "toolTip": "The API Key for TacitRed authentication.", + "constraints": { + "required": true, + "regex": "^[A-Za-z0-9]+$", + "validationMessage": "Please enter a valid API Key (alphanumeric)." + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "workspace": "[basics('workspace')]", + "TacitRed_ApiKey": "[steps('configuration').TacitRed_ApiKey]" + } + } +} \ No newline at end of file diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Package/functionCode.zip b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/functionCode.zip new file mode 100644 index 00000000000..65caab8c306 Binary files /dev/null and b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/functionCode.zip differ diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Package/mainTemplate.json b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/mainTemplate.json new file mode 100644 index 00000000000..5f6a5e6015b --- /dev/null +++ b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/mainTemplate.json 
@@ -0,0 +1,300 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "TacitRed", + "comments": "TacitRed Defender Threat Intelligence Solution" + }, + "parameters": { + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources" + } + }, + "workspace": { + "type": "string", + "metadata": { + "description": "Workspace name for Microsoft Sentinel" + } + }, + "TacitRed_ApiKey": { + "type": "securestring", + "metadata": { + "description": "TacitRed API Key" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located" + }, + "defaultValue": "[if(contains(deployment().properties, 'templateLink'), deployment().properties.templateLink.uri, deployment().properties.template.contentVersion)]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation" + }, + "defaultValue": "" + } + }, + "variables": { + "logicAppName": "logic-tacitred-defender", + "functionAppName": "[concat('func-tacitred-', uniqueString(resourceGroup().id))]", + "hostingPlanName": "[concat('plan-tacitred-', uniqueString(resourceGroup().id))]", + "storageAccountName": "[concat('sttac', uniqueString(resourceGroup().id))]", + "appInsightsName": "[concat('appi-tacitred-', uniqueString(resourceGroup().id))]", + "sentinelContributorRole": "ab8e14d6-4a74-4a29-9ba8-549422addade", + "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))]", + "_solutionName": "TacitRed Defender Threat Intelligence", + "_solutionVersion": "1.0.0", + "_solutionId": "tacitred-defender-threat-intelligence", + "_solutioncontentProductId": "[concat('TacitRed-Defender-TI-Solution-', variables('_solutionId'), '-', 
variables('_solutionVersion'))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2024-01-01", + "name": "[variables('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS" + }, + "kind": "StorageV2" + }, + { + "type": "Microsoft.Insights/components", + "apiVersion": "2020-02-02", + "name": "[variables('appInsightsName')]", + "location": "[parameters('location')]", + "kind": "web", + "properties": { + "Application_Type": "web" + } + }, + { + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2024-11-01", + "name": "[variables('hostingPlanName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Y1", + "tier": "Dynamic" + }, + "properties": { + "reserved": true + } + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2023-12-01", + "name": "[variables('functionAppName')]", + "location": "[parameters('location')]", + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "siteConfig": { + "appSettings": [ + { + "name": "AzureWebJobsStorage", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2024-01-01').keys[0].value)]" + }, + { + "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2024-01-01').keys[0].value)]" + }, + { + "name": "WEBSITE_CONTENTSHARE", + "value": "[toLower(variables('functionAppName'))]" + }, + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~4" + }, + { + "name": "FUNCTIONS_WORKER_RUNTIME", + "value": "python" + }, + { + "name": 
"APPINSIGHTS_INSTRUMENTATIONKEY", + "value": "[reference(resourceId('Microsoft.Insights/components', variables('appInsightsName')), '2020-02-02').InstrumentationKey]" + }, + { + "name": "TACITRED_API_URL", + "value": "https://app.tacitred.com/api/v1/findings" + }, + { + "name": "SOURCE_SYSTEM", + "value": "TacitRed" + }, + { + "name": "SENTINEL_WORKSPACE_ID", + "value": "[variables('workspaceResourceId')]" + }, + { + "name": "WEBSITE_RUN_FROM_PACKAGE", + "value": "[if(not(empty(parameters('_artifactsLocation'))), uri(parameters('_artifactsLocation'), concat('Package/functionCode.zip', parameters('_artifactsLocationSasToken'))), '1')]" + } + ], + "linuxFxVersion": "PYTHON|3.11" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]" + ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceGroup().id, variables('functionAppName'), 'SentinelContributor')]", + "scope": "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('sentinelContributorRole'))]", + "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2023-12-01', 'Full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]" + ] + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[variables('logicAppName')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "state": "Enabled", + "definition": { + "$schema": 
"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "TacitRed_ApiKey": { + "type": "string", + "defaultValue": "[parameters('TacitRed_ApiKey')]" + } + }, + "triggers": { + "Recurrence": { + "type": "Recurrence", + "recurrence": { + "frequency": "Hour", + "interval": 6, + "timeZone": "UTC" + } + } + }, + "actions": { + "Initialize_Config": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "FunctionAppUrl", + "type": "String", + "value": "[concat('https://', reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2023-12-01').defaultHostName, '/api/TacitRedToDefenderTI')]" + }, + { + "name": "Domains", + "type": "Array", + "value": [ + "usbank.com" + ] + } + ] + }, + "runAfter": {} + }, + "Call_Function_App": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@variables('FunctionAppUrl')", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "domains": "@variables('Domains')", + "date_from": "@{formatDateTime(addMinutes(utcNow(), -600), 'yyyy-MM-ddTHH:mm:ssZ')}", + "date_until": "@{formatDateTime(utcNow(), 'yyyy-MM-ddTHH:mm:ssZ')}", + "tacitred_api_key": "@parameters('TacitRed_ApiKey')" + } + }, + "runAfter": { + "Initialize_Config": [ + "Succeeded" + ] + } + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]" + ] + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'), '/Microsoft.SecurityInsights/', variables('_solutionId'))]", + "location": "[parameters('location')]", + "properties": { + "version": "[variables('_solutionVersion')]", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "[variables('_solutionName')]", + "publisherDisplayName": "TacitRed", + "descriptionHtml": "

TacitRed Defender Threat Intelligence provides automated synchronization of threat intelligence from TacitRed to Microsoft Defender.

This solution includes:

Key Features:

", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "[variables('_solutionName')]" + }, + "author": { + "name": "TacitRed" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + }, + "providers": [ + "TacitRed" + ], + "categories": { + "domains": [ + "Security - Threat Protection", + "Security - SOAR" + ] + } + } + } + ], + "outputs": { + "location": { + "type": "string", + "value": "[parameters('location')]" + }, + "logicAppId": { + "type": "string", + "value": "[resourceId('Microsoft.Logic/workflows', variables('logicAppName'))]" + }, + "functionAppName": { + "type": "string", + "value": "[variables('functionAppName')]" + } + } +} \ No newline at end of file diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Package/packageMetadata.json b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/packageMetadata.json new file mode 100644 index 00000000000..1fa3d4bc11e --- /dev/null +++ b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/packageMetadata.json @@ -0,0 +1,49 @@ +{ + "version": "1.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "contentId": "TacitRedDefenderThreatIntelligence", + "contentKind": "Solution", + "displayName": "TacitRed Defender Threat Intelligence", + "publisherDisplayName": "TacitRed", + "descriptionHtml": "

TacitRed Defender Threat Intelligence provides automated synchronization of threat intelligence from TacitRed to Microsoft Defender.

This solution includes:

Key Features:

", + "contentProductId": "tacitred-defender-threat-intelligence", + "id": "tacitred-defender-threat-intelligence", + "icon": "", + "threatAnalysisTactics": [ + "CommandAndControl", + "Exfiltration" + ], + "threatAnalysisTechniques": [], + "categories": { + "domains": [ + "Security - Threat Protection", + "Security - SOAR" + ] + }, + "support": { + "tier": "Partner", + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "link": "https://www.data443.com" + }, + "author": { + "name": "TacitRed" + }, + "providers": [ + "TacitRed" + ], + "firstPublishDate": "2025-01-01", + "lastPublishDate": "2025-01-01", + "customVersion": "1.0.0", + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Playbook", + "contentId": "TacitRedDefenderSync", + "version": "1.0.0" + } + ] + } +} \ No newline at end of file diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI_Playbook.json b/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI_Playbook.json new file mode 100644 index 00000000000..a38de62494f --- /dev/null +++ b/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI_Playbook.json 
@@ -0,0 +1,38 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "TacitRed to Defender TI - Playbook", + "description": "This playbook orchestrates the ingestion of TacitRed threat intelligence into Microsoft Sentinel using the Upload API", + "prerequisites": "TacitRed API Key, Microsoft Sentinel workspace", + "postDeployment": [ + "Authorize Logic App connections" + ], + "lastUpdateTime": "2025-12-04T00:00:00.000Z", + "tags": [ + "TacitRed", + "Threat Intelligence", + "Automation" + ], + "support": { + "tier": "Partner" + }, + "author": { + "name": "TacitRed" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "TacitRedToDefenderTI", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + } + }, + "variables": { + "comment": "This is a placeholder. The actual Logic App is deployed as part of the main template." + }, + "resources": [], + "outputs": {} +} \ No newline at end of file diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/ReleaseNotes.md b/Solutions/TacitRed-Defender-ThreatIntelligence/ReleaseNotes.md new file mode 100644 index 00000000000..eb1067196db --- /dev/null +++ b/Solutions/TacitRed-Defender-ThreatIntelligence/ReleaseNotes.md 
@@ -0,0 +1,28 @@ +# TacitRed Defender Threat Intelligence - Release Notes + +## Version 1.0.0 + +### Initial Release +- Integration with TacitRed threat intelligence feed +- Automated ingestion of compromised credentials into Microsoft Sentinel +- Azure Function App for data retrieval and transformation +- Logic App for orchestration +- Support for STIX 2.1 indicator format +- Upload API integration for threat intelligence ingestion +- Auto-deployment via Content Hub + +### Features +- **Automated Threat Intelligence Ingestion**: Retrieves threat indicators from TacitRed API +- **STIX 2.1 Compliant**: Uses official stix2 library for valid indicator format +- **Managed Identity**: Secure authentication using System-Assigned Managed Identity +- **Role-Based Access**: Automatic Microsoft Sentinel Contributor role assignment +- **Scalable Architecture**: Built on Azure Function Apps for high performance + +### Requirements +- Microsoft Sentinel workspace +- TacitRed API key +- Azure subscription + +### Deployment +- One-click installation via Microsoft Sentinel Content Hub +- All infrastructure automatically deployed via ARM template diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/SolutionMetadata.json b/Solutions/TacitRed-Defender-ThreatIntelligence/SolutionMetadata.json new file mode 100644 index 00000000000..e8cbb99d257 --- /dev/null +++ b/Solutions/TacitRed-Defender-ThreatIntelligence/SolutionMetadata.json @@ -0,0 +1,21 @@ +{ + "publisherId": "tacitred", + "offerId": "tacitred-defender-threat-intelligence", + "firstPublishDate": "2025-01-01", + "providers": [ + "TacitRed" + ], + "categories": { + "domains": [ + "Security - Threat Protection", + "Security - SOAR" + ], + "verticals": [] + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + } +} \ No newline at end of file 
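Review bot: the PowerShell deployment example in Documentation/TacitRed-Defender-ThreatIntelligence/README.md passes the secret as a literal (`-TacitRed_ApiKey "YOUR_API_KEY"`), which lands in PSReadLine history and transcripts; the template declares `TacitRed_ApiKey` as `securestring`, so the dynamic parameter New-AzResourceGroupDeployment generates is a SecureString and a plain string is rejected anyway. Use `-TacitRed_ApiKey (Read-Host -AsSecureString "TacitRed API key")` or a `-TemplateParameterObject` carrying a SecureString. Two smaller fixes in the same file: the portal steps name the parameters `Workspace` and `Location` while the template uses `workspace` and `location`, and the "Prerequisites" call Sentinel optional although the template requires `workspace` and assigns a role on it. The "Capabilities" section says indicators are posted to the Defender for Endpoint API, but nothing in this PR grants any Defender permission (see the mainTemplate note), so either document the Sentinel TI target or document the Defender app registration the function needs. The trailing "Pull Request / Status: Submitted / Waiting for CI" section is working state and should not ship in solution documentation.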
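Review bot: Project_Structure_and_Workflow.md is a personal workflow memo committed at the root of the upstream Azure-Sentinel repository; it carries fork branch URLs (`github.com/mazamizo21/...`), local staging paths (`sentinel-production/...`), and a private `data443` remote, none of which belong in a partner solution PR. Remove it from the branch (keep it in the fork or the Data443 repo). Note that its own rule "One Solution Per PR: Never bundle multiple solutions into a single Pull Request" is violated by this same PR, which also deletes twelve package zips under `Solutions/Threat Intelligence (NEW)/Package`.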
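Review bot: in Data/Solution_TacitRedDefenderThreatIntelligence.json the `"Data Connectors": ["Package/mainTemplate.json"]` entry points the packaging input at the packaging output; a data connector entry should reference a connector definition, and since this solution ships no connector the array should be dropped. The `"Playbooks"` entry references a file whose `"resources"` array is empty (see the playbook note), and the `"Description"` says indicators are ingested "into Microsoft Sentinel using the Upload API" while the README says they are pushed to Microsoft Defender for Endpoint; pick one destination and state it consistently. `"Author": "Data443 Risk Mitigation, Inc."` here also disagrees with `"author": {"name": "TacitRed"}` and `"publisherDisplayName": "TacitRed"` in mainTemplate.json.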
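Review bot: Package/1.0.0.zip and Package/functionCode.zip are added with the identical blob hash (`index 00000000000..65caab8c306` on both), so the solution package and the function code package are the same file and at least one of them is wrong. Separately, the function source is not in the PR at all (only the zip), which leaves reviewers unable to audit what runs with the Sentinel Contributor identity the template grants; add the function project source to the solution folder so the code that ends up in `WEBSITE_RUN_FROM_PACKAGE` can be reviewed against it.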
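Review bot: in Package/createUiDefinition.json the API key constraint `"regex": "^[A-Za-z0-9]+$"` rejects any key containing `-`, `_`, `.` or `=`; unless TacitRed keys are guaranteed to be purely alphanumeric, replace it with a minimum-length check so valid keys are not blocked at install time. The basics text states "**Playbooks:** 1" although the only playbook file is a placeholder with no resources, and there is no input for the domain filter that mainTemplate.json hardcodes, so a customer has no way to set the domains the Logic App queries.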
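Review bot: Package/mainTemplate.json ships a hardcoded third-party domain in the Logic App filter (`"name": "Domains"` with `"value": ["usbank.com"]`), so every customer deployment queries TacitRed for that organisation's findings; make the domain list a template parameter surfaced in createUiDefinition. The API key handling leaks the secret: `TacitRed_ApiKey` is `securestring` at template level but is copied into the workflow definition as a `"type": "string"` parameter via `defaultValue`, which persists it in clear text in the Logic App definition, and `"tacitred_api_key": "@parameters('TacitRed_ApiKey')"` echoes it into run-history inputs on every run. Declare the workflow parameter as `securestring`, pass the value through `properties.parameters` rather than `defaultValue`, and add `"runtimeConfiguration": {"secureData": {"properties": ["inputs"]}}` to `Call_Function_App`; better, give the key to the function as an app setting (Key Vault reference) instead of in each request body. `Call_Function_App` POSTs to `/api/TacitRedToDefenderTI` with only a `Content-Type` header, no function key and no `authentication` block, so the function must be anonymous and anyone who learns the hostname can trigger uploads with arbitrary domains and key; the Logic App's `SystemAssigned` identity is never used. Add `"authentication": {"type": "ManagedServiceIdentity", "audience": "..."}` with Easy Auth on the function app, or at minimum a function key. `SENTINEL_WORKSPACE_ID` is set to the ARM resource ID (`variables('workspaceResourceId')`) while its name suggests the workspace GUID that the TI upload API path takes; if the function expects the GUID, use `reference(variables('workspaceResourceId'), '2022-10-01').customerId`. The `_artifactsLocation` default falls back to `deployment().properties.template.contentVersion` (`1.0.0.0`), which is not a URI, and `uri(parameters('_artifactsLocation'), concat('Package/functionCode.zip', ...))` is resolved relative to a template that already lives in `Package/`, yielding `Package/Package/functionCode.zip`. The only permission granted is Microsoft Sentinel Contributor on the workspace (role `ab8e14d6-...`) to the function identity; nothing grants a Defender for Endpoint indicator-write permission (such as `Ti.ReadWrite`), so the README's "Post indicators directly to the Defender API" cannot work as deployed. Hardening gaps: the storage account sets no `minimumTlsVersion`, `allowBlobPublicAccess: false` or `supportsHttpsTrafficOnly`, the function app lacks `httpsOnly: true`, `minTlsVersion` and `ftpsState: "Disabled"`, and `APPINSIGHTS_INSTRUMENTATIONKEY` should be `APPLICATIONINSIGHTS_CONNECTION_STRING`. Finally, `contentId`/`_solutionId` (`tacitred-defender-threat-intelligence`) differs from `contentId` in packageMetadata.json (`TacitRedDefenderThreatIntelligence`), and the `descriptionHtml` shows "This solution includes:" and "Key Features:" with no items under either heading.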
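Review bot: Package/packageMetadata.json declares a dependency on `"kind": "Playbook", "contentId": "TacitRedDefenderSync", "version": "1.0.0"`, but no content item with that id exists anywhere in the PR: the playbook file defines no resources and the Logic App in mainTemplate.json (`logic-tacitred-defender`) has no contentTemplates entry, so the dependency cannot resolve at install. The identifiers also disagree across files: `"contentId": "TacitRedDefenderThreatIntelligence"` here versus `_solutionId` `tacitred-defender-threat-intelligence` in mainTemplate.json, and `"contentProductId": "tacitred-defender-threat-intelligence"` here versus the `TacitRed-Defender-TI-Solution-...` value built in `_solutioncontentProductId`. `"icon": ""` is empty, `firstPublishDate`/`lastPublishDate` of `2025-01-01` predate the playbook's `lastUpdateTime` of `2025-12-04`, and `threatAnalysisTactics` lists `CommandAndControl` and `Exfiltration` for a compromised-credentials feed with an empty `threatAnalysisTechniques`; align these before SolutionValidations runs.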
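Review bot: Playbooks/TacitRedToDefenderTI_Playbook.json has `"resources": []` and a `"comment": "This is a placeholder. The actual Logic App is deployed as part of the main template."`; a playbook template with no resources will be packaged as an empty content item while the real Logic App sits in mainTemplate.json with the API key and domain list inlined. Either move the `Microsoft.Logic/workflows` resource into this file (the repository's usual layout, which also gives the playbook its own parameters) or remove the file and the `"Playbooks"` reference in the Solution data file. Its `"postDeployment": ["Authorize Logic App connections"]` is misleading because the workflow uses no API connections, and its description names the Sentinel Upload API while the file and solution are titled "Defender TI".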
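Review bot: ReleaseNotes.md claims "Managed Identity: Secure authentication using System-Assigned Managed Identity" and "Automated ingestion of compromised credentials into Microsoft Sentinel", but in the template the Logic App calls the function without using its identity and the README describes the target as Microsoft Defender for Endpoint; the release notes should describe what the template actually deploys. "Support for STIX 2.1 indicator format" and "Uses official stix2 library" cannot be verified from this PR because the function source is absent, and "Scalable Architecture: Built on Azure Function Apps for high performance" is marketing language rather than a release note; state the consumption plan and the 6-hour recurrence instead.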
diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.0.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.0.zip deleted file mode 100644 index 159425b7046..00000000000 Binary files a/Solutions/Threat Intelligence (NEW)/Package/3.0.0.zip and /dev/null differ diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.1.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.1.zip deleted file mode 100644 index 00f6f25821f..00000000000 Binary files a/Solutions/Threat Intelligence (NEW)/Package/3.0.1.zip and /dev/null differ diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.10.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.10.zip deleted file mode 100644 index 51ea0d57135..00000000000 Binary files a/Solutions/Threat Intelligence (NEW)/Package/3.0.10.zip and /dev/null differ diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.11.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.11.zip deleted file mode 100644 index 3a61e20e265..00000000000 Binary files a/Solutions/Threat Intelligence (NEW)/Package/3.0.11.zip and /dev/null differ diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.2.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.2.zip deleted file mode 100644 index 5de6c52a997..00000000000 Binary files a/Solutions/Threat Intelligence (NEW)/Package/3.0.2.zip and /dev/null differ diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.3.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.3.zip deleted file mode 100644 index f5d9d67aa58..00000000000 Binary files a/Solutions/Threat Intelligence (NEW)/Package/3.0.3.zip and /dev/null differ diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.4.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.4.zip deleted file mode 100644 index acdeee2faf1..00000000000 Binary files a/Solutions/Threat Intelligence (NEW)/Package/3.0.4.zip and /dev/null differ 
diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.5.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.5.zip deleted file mode 100644 index a60badba56d..00000000000 Binary files a/Solutions/Threat Intelligence (NEW)/Package/3.0.5.zip and /dev/null differ diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.6.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.6.zip deleted file mode 100644 index fc7a1214af6..00000000000 Binary files a/Solutions/Threat Intelligence (NEW)/Package/3.0.6.zip and /dev/null differ diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.7.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.7.zip deleted file mode 100644 index 19e3e6d1e83..00000000000 Binary files a/Solutions/Threat Intelligence (NEW)/Package/3.0.7.zip and /dev/null differ diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.8.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.8.zip deleted file mode 100644 index cd2570d9165..00000000000 Binary files a/Solutions/Threat Intelligence (NEW)/Package/3.0.8.zip and /dev/null differ diff --git a/Solutions/Threat Intelligence (NEW)/Package/3.0.9.zip b/Solutions/Threat Intelligence (NEW)/Package/3.0.9.zip deleted file mode 100644 index bf5a1f7152b..00000000000 Binary files a/Solutions/Threat Intelligence (NEW)/Package/3.0.9.zip and /dev/null differ
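Review bot: In the Playbook ARM template hunk, the template deploys nothing (`"resources": []`, and the only variable is a comment stating "This is a placeholder"), yet its metadata describes a Logic App that orchestrates ingestion via the Upload API, lists "Authorize Logic App connections" as a post-deployment step, and declares a `PlaybookName` parameter that is never referenced. Either deploy the Logic App in this template or remove the file together with the metadata that promises it; an empty template still surfaces as a playbook in Content Hub and will mislead operators. The file also lacks a trailing newline (`\ No newline at end of file`).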
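Review bot: In the ReleaseNotes.md hunk, "Automatic Microsoft Sentinel Contributor role assignment" under Features grants the Function App's managed identity a broad workspace role for what is described as an indicator upload; document why Sentinel Contributor is required or narrow the assignment to the least privilege the Upload API call needs. Also, "Logic App for orchestration" under Initial Release is not backed by the playbook template in this same patch, which deploys no resources, so either the release note or the template is wrong.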
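Review bot: In the SolutionMetadata.json hunk, `"publisherId": "tacitred"` does not match the support block, which names Data443 Risk Mitigation, Inc. as the publisher, and `"firstPublishDate": "2025-01-01"` predates the playbook template's `"lastUpdateTime": "2025-12-04T00:00:00.000Z"`, which suggests a placeholder date; confirm both values before publishing. The file also lacks a trailing newline.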
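Review bot: The deletions of `Solutions/Threat Intelligence (NEW)/Package/3.0.0.zip` through `3.0.11.zip` are unrelated to adding the TacitRed solution and remove the published package history of a different solution; revert these deletions or move them to a separate PR with their own justification so the change set stays reviewable.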
