diff --git a/Logos/tacitred_logo.svg b/Logos/tacitred_logo.svg
new file mode 100644
index 00000000000..36c925a82d7
--- /dev/null
+++ b/Logos/tacitred_logo.svg
@@ -0,0 +1,5 @@
+
+ Tacit
+ Red
+ by Data443
+
diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Data/Solution_TacitRedDefenderThreatIntelligence.json b/Solutions/TacitRed-Defender-ThreatIntelligence/Data/Solution_TacitRedDefenderThreatIntelligence.json
new file mode 100644
index 00000000000..548f72f4e3d
--- /dev/null
+++ b/Solutions/TacitRed-Defender-ThreatIntelligence/Data/Solution_TacitRedDefenderThreatIntelligence.json
@@ -0,0 +1,15 @@
+{
+ "Name": "TacitRed-Defender-ThreatIntelligence",
+ "Author": "Data443 Risk Mitigation, Inc. - support@data443.com",
+ "Logo": "",
+ "Description": "The TacitRed Defender Threat Intelligence solution integrates TacitRed's threat intelligence feed with Microsoft Sentinel. It automatically retrieves compromised credentials and other threat indicators from TacitRed and ingests them into Microsoft Sentinel using the Upload API for enhanced threat detection.",
+ "Playbooks": [
+ "Playbooks/CustomConnector/TacitRedDefenderTI_FunctionApp/azuredeploy.json",
+ "Playbooks/TacitRedToDefenderTI/azuredeploy.json"
+ ],
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\TacitRed-Defender-ThreatIntelligence",
+ "Version": "3.0.0",
+ "TemplateSpec": true,
+ "Is1Pconnector": false
+}
diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Package/3.0.0.zip b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/3.0.0.zip
new file mode 100644
index 00000000000..58e54276232
Binary files /dev/null and b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/3.0.0.zip differ
diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Package/createUiDefinition.json b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/createUiDefinition.json
new file mode 100644
index 00000000000..dd9c779a1c4
--- /dev/null
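Review bot: `Logo` is left as an empty string even though this same commit adds `Logos/tacitred_logo.svg`, so the packaging step has no logo reference to pick up for the solution; the Data files of neighbouring solutions in this repo point this field at the raw GitHub URL of their file under `Logos/`, and the same form would fit here — confirm the exact markup against one of them before copying. `BasePath` is committed as the author's local Windows checkout path (`C:\\GitHub\\Azure-Sentinel\\Solutions\\TacitRed-Defender-ThreatIntelligence`), which only resolves on that machine; if the packaging tool accepts it, a path relative to the repository root is the portable choice, otherwise a short comment in the PR on how the path is meant to be adjusted would help the next person who regenerates the package.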
+++ b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/createUiDefinition.json 
@@ -0,0 +1,90 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "TacitRedby Data443\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/TacitRed-Defender-ThreatIntelligence/ReleaseNotes.md)\n\n• There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe TacitRed Defender Threat Intelligence solution integrates TacitRed's threat intelligence feed with Microsoft Sentinel. It automatically retrieves compromised credentials and other threat indicators from TacitRed and ingests them into Microsoft Sentinel using the Upload API for enhanced threat detection.\n\n**Function Apps:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + 
} + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub.\n\n**Important:** Deploy the Azure Function App first, then deploy the Playbook and provide the Function App URL when prompted." + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://learn.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} + 
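Review bot: The `resourceProviders` list under `config.basics.subscription` names `Microsoft.Insights/workbooks` and `Microsoft.OperationalInsights/workspaces/providers/alertRules`, which this solution never deploys, and omits the types its templates actually create (`Microsoft.Web/sites`, `Microsoft.Web/serverfarms`, `Microsoft.Storage/storageAccounts`, `Microsoft.Insights/components`, `Microsoft.Authorization/roleAssignments`); if the portal uses this list to check provider registration, an unregistered Microsoft.Web or Microsoft.Storage provider would only surface as a failure at deployment time. The basics description also does not tell the installer that the function-app template creates Reader and Sentinel Contributor role assignments on the selected workspace, so the deploying principal needs permission to write role assignments there; a line such as `**Permissions:** deploying the Function App creates role assignments on the selected workspace, so the installer needs Owner or User Access Administrator on that workspace.` next to the Function Apps / Playbooks count would save a failed first attempt. Minor: `TacitRedby Data443` at the start of the description is missing a space, presumably from the logo's SVG text being flattened into the string during packaging.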
diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Package/functionCode.zip b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/functionCode.zip
new file mode 100644
index 00000000000..e142f31a1b7
Binary files /dev/null and b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/functionCode.zip differ
diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Package/mainTemplate.json b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/mainTemplate.json
new file mode 100644
index 00000000000..e83b00a6a62
--- /dev/null
+++ b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/mainTemplate.json
@@ -0,0 +1,536 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Data443 Risk Mitigation, Inc. - support@data443.com", + "comments": "Solution template for TacitRed-Defender-ThreatIntelligence" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "email": "support@data443.com", + "_email": "[variables('email')]", + "_solutionName": "TacitRed-Defender-ThreatIntelligence", + "_solutionVersion": "3.0.0", + "solutionId": "data443.azure-sentinel-solution-tacitred-defender-ti", + "_solutionId": "[variables('solutionId')]", + "TacitRedDefenderTI_FunctionApp": "TacitRedDefenderTI_FunctionApp", + "_TacitRedDefenderTI_FunctionApp": "[variables('TacitRedDefenderTI_FunctionApp')]", + "playbookVersion1": "1.0", + "playbookContentId1": "TacitRedDefenderTI_FunctionApp", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-fa-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','fa','-', uniqueString(concat(variables('_solutionId'),'-','AzureFunction','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "TacitRedToDefenderTI": "TacitRedToDefenderTI", + "_TacitRedToDefenderTI": "[variables('TacitRedToDefenderTI')]", + "TemplateEmptyArray": "[json('[]')]", + "playbookVersion2": "1.0", + "playbookContentId2": "TacitRedToDefenderTI", + "_playbookContentId2": "[variables('playbookContentId2')]", + "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", + "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", + "blanks": "[replace('b', 'b', '')]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "TacitRedDefenderTI_FunctionApp Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + 
"parameters": { + "FunctionAppName": { + "defaultValue": "tacitreddefenderti", + "type": "string", + "metadata": { + "description": "Prefix for the Azure Function App name" + } + }, + "FunctionAppCodeUrl": { + "type": "string", + "metadata": { + "description": "URL to the Function App code zip file" + }, + "defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/TacitRed-Defender-ThreatIntelligence/Package/functionCode.zip" + }, + "workspace": { + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "functionAppName": "[[concat(parameters('FunctionAppName'), uniqueString(resourceGroup().id))]", + "hostingPlanName": "[[concat('plan-', variables('functionAppName'))]", + "storageAccountName": "[[concat('st', uniqueString(resourceGroup().id))]", + "appInsightsName": "[[concat('appi-', variables('functionAppName'))]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "playbookContentId1": "TacitRedDefenderTI_FunctionApp", + "playbookId1": "[[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-05-01", + "name": "[[variables('storageAccountName')]", + "location": "[[variables('workspace-location-inline')]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "file": { + "keyType": "Account", + "enabled": true + }, + "blob": { + "keyType": "Account", + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + } + } + }, + { + "type": "Microsoft.Insights/components", + "apiVersion": "2020-02-02", + "name": 
"[[variables('appInsightsName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "web", + "properties": { + "Application_Type": "web" + } + }, + { + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2024-04-01", + "name": "[[variables('hostingPlanName')]", + "location": "[[variables('workspace-location-inline')]", + "sku": { + "name": "Y1", + "tier": "Dynamic", + "size": "Y1", + "family": "Y" + }, + "properties": { + "computeMode": "Dynamic", + "reserved": true + } + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2024-04-01", + "name": "[[variables('functionAppName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "[[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]" + ], + "properties": { + "reserved": true, + "httpsOnly": true, + "serverFarmId": "[[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "siteConfig": { + "linuxFxVersion": "python|3.11", + "appSettings": [ + { + "name": "AzureWebJobsStorage", + "value": "[[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-05-01').keys[0].value)]" + }, + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~4" + }, + { + "name": "FUNCTIONS_WORKER_RUNTIME", + "value": "python" + }, + { + "name": "WEBSITE_RUN_FROM_PACKAGE", + "value": "[[parameters('FunctionAppCodeUrl')]" + }, + { + "name": "SENTINEL_WORKSPACE_ID", + "value": "[[variables('workspaceResourceId')]" + }, + { + "name": "APPINSIGHTS_INSTRUMENTATIONKEY", + "value": 
"[[reference(resourceId('Microsoft.Insights/components', variables('appInsightsName')), '2020-02-02').InstrumentationKey]" + } + ] + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[[guid(resourceGroup().id, variables('functionAppName'), 'Reader')]", + "scope": "[[variables('workspaceResourceId')]", + "properties": { + "roleDefinitionId": "[[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "principalId": "[[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2024-04-01', 'Full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/sites', variables('functionAppName'))]" + ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[[guid(resourceGroup().id, variables('functionAppName'), 'SentinelContributor')]", + "scope": "[[variables('workspaceResourceId')]", + "properties": { + "roleDefinitionId": "[[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "principalId": "[[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2024-04-01', 'Full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/sites', variables('functionAppName'))]" + ] + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2025-09-01", + "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('AzureFunction-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "AzureFunction", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "TacitRed-Defender-ThreatIntelligence", + 
"sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "AzureFunction", + "displayName": "TacitRedDefenderTI_FunctionApp", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "TacitRedToDefenderTI Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "PlaybookName": { + "defaultValue": "TacitRedToDefenderTI", + "type": "string", + "metadata": { + "description": "Name of the Logic App/Playbook" + } + }, + "TacitRed_ApiKey": { + "type": "securestring", + "metadata": { + "description": "TacitRed API Key for authentication" + } + }, + "FunctionAppUrl": { + "type": "string", + "metadata": { + "description": "URL of the deployed TacitRed Azure Function App (e.g., 
https://tacitreddefendertiXXX.azurewebsites.net/api/TacitRedToDefenderTI)" + } + } + }, + "variables": { + "logicAppName": "[[parameters('PlaybookName')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[[variables('logicAppName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "TacitRed_ApiKey": { + "type": "securestring" + } + }, + "triggers": { + "Recurrence": { + "type": "Recurrence", + "recurrence": { + "frequency": "Hour", + "interval": 6, + "timeZone": "UTC" + } + } + }, + "actions": { + "Initialize_Config": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "FunctionAppUrl", + "type": "String", + "value": "[[parameters('FunctionAppUrl')]" + }, + { + "name": "Domains", + "type": "Array", + "value": "[variables('TemplateEmptyArray')]" + } + ] + } + }, + "Call_Function_App": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@variables('FunctionAppUrl')", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "domains": "@variables('Domains')", + "date_from": "@{formatDateTime(addDays(utcNow(), -30), 'yyyy-MM-ddTHH:mm:ssZ')}", + "date_until": "@{formatDateTime(utcNow(), 'yyyy-MM-ddTHH:mm:ssZ')}", + "tacitred_api_key": "@parameters('TacitRed_ApiKey')" + } + }, + "runAfter": { + "Initialize_Config": [ + "Succeeded" + ] + } + } + } + }, + "parameters": { + "TacitRed_ApiKey": { + "value": "[[parameters('TacitRed_ApiKey')]" + } 
+ } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2025-09-01", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", + "source": { + "kind": "Solution", + "name": "TacitRed-Defender-ThreatIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + }, + "dependencies": { + "criteria": [ + { + "kind": "AzureFunction", + "contentId": "[variables('_TacitRedDefenderTI_FunctionApp')]", + "version": "[variables('playbookVersion1')]" + } + ] + } + } + } + ], + "metadata": { + "title": "TacitRed to Defender TI - Playbook", + "description": "This playbook orchestrates the ingestion of TacitRed threat intelligence into Microsoft Sentinel using the Upload API. 
Includes Logic App and Azure Function for API integration.", + "prerequisites": [ + "TacitRed API Key", + "Microsoft Sentinel workspace", + "Azure Function deployment" + ], + "postDeployment": [ + "Configure TacitRed API Key in Logic App parameters", + "Update domain list in Logic App" + ], + "lastUpdateTime": "2025-12-09T00:00:00Z", + "tags": [ + "TacitRed", + "Threat Intelligence", + "Automation", + "Azure Function" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "TacitRedToDefenderTI", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "TacitRed-Defender-ThreatIntelligence", + "publisherDisplayName": "Data443 Risk Mitigation, Inc.", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The TacitRed Defender Threat Intelligence solution integrates TacitRed's threat intelligence feed with Microsoft Sentinel. It automatically retrieves compromised credentials and other threat indicators from TacitRed and ingests them into Microsoft Sentinel using the Upload API for enhanced threat detection.

\n

Function Apps: 1, Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "TacitRedby Data443", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "TacitRed-Defender-ThreatIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "AzureFunction", + "contentId": "[variables('_TacitRedDefenderTI_FunctionApp')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_TacitRedToDefenderTI')]", + "version": "[variables('playbookVersion2')]" + } + ] + }, + "firstPublishDate": "2025-11-10", + "providers": [ + "Data443 Risk Mitigation, Inc." + ], + "categories": { + "domains": [ + "Security - Threat Intelligence" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Package/testParameters.json b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/testParameters.json new file mode 100644 index 00000000000..e55ec41a9ac --- /dev/null +++ b/Solutions/TacitRed-Defender-ThreatIntelligence/Package/testParameters.json 
@@ -0,0 +1,24 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/CustomConnector/TacitRedDefenderTI_FunctionApp/azuredeploy.json b/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/CustomConnector/TacitRedDefenderTI_FunctionApp/azuredeploy.json
new file mode 100644
index 00000000000..71862dcebb8
--- /dev/null
+++ b/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/CustomConnector/TacitRedDefenderTI_FunctionApp/azuredeploy.json
@@ -0,0 +1,165 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "FunctionAppName": { + "defaultValue": "tacitreddefenderti", + "type": "string", + "metadata": { + "description": "Prefix for the Azure Function App name" + } + }, + "FunctionAppCodeUrl": { + "type": "string", + "metadata": { + "description": "URL to the Function App code zip file" + }, + "defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/TacitRed-Defender-ThreatIntelligence/Package/functionCode.zip" + }, + "workspace": { + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "functionAppName": "[concat(parameters('FunctionAppName'), uniqueString(resourceGroup().id))]", + "hostingPlanName": "[concat('plan-', variables('functionAppName'))]", + "storageAccountName": "[concat('st', uniqueString(resourceGroup().id))]", + "appInsightsName": "[concat('appi-', variables('functionAppName'))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-05-01", + "name": "[variables('storageAccountName')]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "file": { + "keyType": "Account", + "enabled": true + }, + "blob": { + "keyType": "Account", + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + } + } + }, + { + "type": "Microsoft.Insights/components", + "apiVersion": "2020-02-02", + "name": "[variables('appInsightsName')]", + "location": "[resourceGroup().location]", + "kind": "web", + "properties": { + "Application_Type": "web" + } + }, + { + "type": 
"Microsoft.Web/serverfarms", + "apiVersion": "2024-04-01", + "name": "[variables('hostingPlanName')]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Y1", + "tier": "Dynamic", + "size": "Y1", + "family": "Y" + }, + "properties": { + "computeMode": "Dynamic", + "reserved": true + } + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2024-04-01", + "name": "[variables('functionAppName')]", + "location": "[resourceGroup().location]", + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]" + ], + "properties": { + "reserved": true, + "httpsOnly": true, + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "siteConfig": { + "linuxFxVersion": "python|3.11", + "appSettings": [ + { + "name": "AzureWebJobsStorage", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-05-01').keys[0].value)]" + }, + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~4" + }, + { + "name": "FUNCTIONS_WORKER_RUNTIME", + "value": "python" + }, + { + "name": "WEBSITE_RUN_FROM_PACKAGE", + "value": "[parameters('FunctionAppCodeUrl')]" + }, + { + "name": "SENTINEL_WORKSPACE_ID", + "value": "[variables('workspaceResourceId')]" + }, + { + "name": "APPINSIGHTS_INSTRUMENTATIONKEY", + "value": "[reference(resourceId('Microsoft.Insights/components', variables('appInsightsName')), '2020-02-02').InstrumentationKey]" + } + ] + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": 
"[guid(resourceGroup().id, variables('functionAppName'), 'Reader')]", + "scope": "[variables('workspaceResourceId')]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2024-04-01', 'Full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]" + ] + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceGroup().id, variables('functionAppName'), 'SentinelContributor')]", + "scope": "[variables('workspaceResourceId')]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", + "principalId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2024-04-01', 'Full').identity.principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]" + ] + } + ] +} diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/Images/TacitRedToDefenderTIDark.png b/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/Images/TacitRedToDefenderTIDark.png new file mode 100644 index 00000000000..3811379cf6c Binary files /dev/null and b/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/Images/TacitRedToDefenderTIDark.png differ 
diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/Images/TacitRedToDefenderTILight.png b/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/Images/TacitRedToDefenderTILight.png
new file mode 100644
index 00000000000..d7860b5efff
Binary files /dev/null and b/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/Images/TacitRedToDefenderTILight.png differ
diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/azuredeploy.json b/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/azuredeploy.json
new file mode 100644
index 00000000000..2590b19375e
--- /dev/null
+++ b/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/azuredeploy.json
@@ -0,0 +1,127 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "TacitRed to Defender TI - Playbook",
+ "description": "This playbook orchestrates the ingestion of TacitRed threat intelligence into Microsoft Sentinel using the Upload API. Includes Logic App and Azure Function for API integration.",
+ "prerequisites": ["TacitRed API Key", "Microsoft Sentinel workspace", "Azure Function deployment"],
+ "postDeployment": ["Configure TacitRed API Key in Logic App parameters", "Update domain list in Logic App"],
+ "lastUpdateTime": "2025-12-09T00:00:00.000Z",
+ "tags": ["TacitRed", "Threat Intelligence", "Automation", "Azure Function"],
+ "support": {
+ "tier": "Partner"
+ },
+ "author": {
+ "name": "Data443 Risk Mitigation, Inc."
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "TacitRedToDefenderTI",
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Logic App/Playbook"
+ }
+ },
+ "TacitRed_ApiKey": {
+ "type": "securestring",
+ "metadata": {
+ "description": "TacitRed API Key for authentication"
+ }
+ },
+ "FunctionAppName": {
+ "type": "string",
+ "defaultValue": "tacitreddefenderti",
+ "metadata": {
+ "description": "Prefix for the Azure Function App name"
+ }
+ }
+ },
+ "variables": {
+ "logicAppName": "[parameters('PlaybookName')]",
+ "functionAppName": "[concat(parameters('FunctionAppName'), uniqueString(resourceGroup().id))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2019-05-01",
+ "name": "[variables('logicAppName')]",
+ "location": "[resourceGroup().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "TacitRed_ApiKey": {
+ "type": "securestring"
+ }
+ },
+ "triggers": {
+ "Recurrence": {
+ "type": "Recurrence",
+ "recurrence": {
+ "frequency": "Hour",
+ "interval": 6,
+ "timeZone": "UTC"
+ }
+ }
+ },
+ "actions": {
+ "Initialize_Config": {
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "FunctionAppUrl",
+ "type": "String",
+ "value": "[concat('https://', reference(resourceId('Microsoft.Web/sites', variables('functionAppName')), '2024-04-01').defaultHostName, '/api/TacitRedToDefenderTI')]"
+ },
+ {
+ "name": "Domains",
+ "type": "Array",
+ "value": []
+ }
+ ]
+ },
+ "runAfter": {}
+ },
+ "Call_Function_App": {
+ "type": "Http",
+ "inputs": {
+ "method": "POST",
+ "uri": "@variables('FunctionAppUrl')",
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "body": {
+ "domains": "@variables('Domains')",
+ "date_from": "@{formatDateTime(addDays(utcNow(), -30), 'yyyy-MM-ddTHH:mm:ssZ')}",
+ "date_until": "@{formatDateTime(utcNow(), 'yyyy-MM-ddTHH:mm:ssZ')}",
+ "tacitred_api_key": "@parameters('TacitRed_ApiKey')"
+ }
+ },
+ "runAfter": {
+ "Initialize_Config": ["Succeeded"]
+ }
+ }
+ }
+ },
+ "parameters": {
+ "TacitRed_ApiKey": {
+ "value": "[parameters('TacitRed_ApiKey')]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "logicAppId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Logic/workflows', variables('logicAppName'))]"
+ }
+ }
+}
diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/readme.md b/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/readme.md
new file mode 100644
index 00000000000..9bb31475fa0
--- /dev/null
+++ b/Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedToDefenderTI/readme.md
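Review bot: The `Call_Function_App` HTTP action sends `tacitred_api_key` in the request body with no secure-data setting on the action, so the key would be recorded in clear text in the Logic App run history — declaring the workflow parameter as `securestring` hides it from the definition but does not, on its own, redact action inputs in run history. Add `"runtimeConfiguration": { "secureData": { "properties": ["inputs", "outputs"] } }` to the `Call_Function_App` action alongside its `inputs` and `runAfter`. The same action carries no credential of its own (only a `Content-Type` header), so the Function endpoint it posts to must be protected by a function key or Entra ID authentication; that is configured in the Function App template rather than here, so it is worth confirming rather than assuming. Separately, the recurrence is `"interval": 6` hours while the playbook readme added in this commit states the default is every 4 hours; one of the two should be corrected.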
@@ -0,0 +1,89 @@
+# TacitRed to Defender Threat Intelligence Playbook
+
+## Overview
+
+This playbook automatically synchronizes threat intelligence from TacitRed to Microsoft Defender Threat Intelligence. It retrieves compromised credentials and other threat indicators from TacitRed's API and uploads them to Microsoft Sentinel using the ARM-based createIndicator API.
+
+## Prerequisites
+
+1. **Microsoft Sentinel workspace** - Must be onboarded to Microsoft Sentinel
+2. **TacitRed API Key** - Obtain from your TacitRed account
+3. **Azure Function App** - Deployed automatically with this solution
+4. **RBAC Permissions**:
+ - Reader role on the workspace
+ - Microsoft Sentinel Contributor role on the workspace
+
+## Deployment
+
+This playbook is deployed automatically as part of the TacitRed Defender Threat Intelligence solution from Microsoft Sentinel Content Hub.
+
+### Manual Deployment
+
+1. Click the **Deploy to Azure** button below
+2. Fill in the required parameters:
+ - **Subscription**: Your Azure subscription
+ - **Resource Group**: Target resource group
+ - **Workspace**: Your Microsoft Sentinel workspace name
+ - **TacitRed API Key**: Your TacitRed API key
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTacitRed-Defender-ThreatIntelligence%2FPlaybooks%2FTacitRedToDefenderTI%2Fazuredeploy.json)
+
+## How It Works
+
+1. **Scheduled Trigger**: The Logic App runs on a configurable schedule (default: every 4 hours)
+2. **Fetch Findings**: Calls TacitRed API to retrieve compromised credentials from the last 30 days
+3. **Process Data**: The Azure Function App converts findings to STIX format
+4. **Upload to Sentinel**: Indicators are uploaded via the ARM-based createIndicator API
+5. 
**Logging**: All operations are logged to Application Insights + +## Architecture + +``` +----------------- ----------------- ----------------- +| Logic App | --> | Function App | --> | Microsoft | +| (Scheduler) | | (Processing) | | Sentinel TI | +----------------- ----------------- ----------------- + | | + v v +----------------- ----------------- +| TacitRed | | Application | +| API | | Insights | +----------------- ----------------- +``` + +## Configuration + +| Parameter | Description | Default | +|-----------|-------------|---------| +| TacitRed_ApiKey | Your TacitRed API key | Required | +| Domains | Filter by specific domains (empty = all) | [] | +| DateRange | How far back to look for findings | 30 days | + +## Troubleshooting + +### No indicators appearing in Defender TI + +1. Verify the Logic App is running (check Run History) +2. Check Application Insights for Function App errors +3. Verify the workspace is onboarded to Microsoft Sentinel +4. Confirm the Function App MSI has the required roles + +### 500 errors from Sentinel API + +1. Ensure the workspace is onboarded to Microsoft Sentinel +2. Verify the Function App is using the ARM-based createIndicator API +3. Check that the indicator format is correct + +## Support + +- **Provider**: Data443 Risk Mitigation, Inc. +- **Email**: support@data443.com +- **Website**: https://www.data443.com + +## Version History + +| Version | Date | Changes | +|---------|------|---------| +| 3.0.0 | 2025-12-11 | Switched to ARM-based createIndicator API | +| 2.0.0 | 2025-11-10 | Added Function App for processing | +| 1.0.0 | 2025-10-01 | Initial release | diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/README.md b/Solutions/TacitRed-Defender-ThreatIntelligence/README.md new file mode 100644 index 00000000000..ec618702531 --- /dev/null +++ b/Solutions/TacitRed-Defender-ThreatIntelligence/README.md 
@@ -0,0 +1,44 @@
+# TacitRed Defender Threat Intelligence Solution for Microsoft Sentinel
+
+## Overview
+
+The TacitRed Defender Threat Intelligence solution integrates TacitRed's threat intelligence feed with Microsoft Sentinel. It automatically retrieves compromised credentials and other threat indicators from TacitRed and ingests them into Microsoft Sentinel using the Threat Intelligence Upload API for enhanced threat detection.
+
+## Solution Components
+
+| Component | Description |
+|-----------|-------------|
+| **Playbook** | Logic App that fetches compromised credentials from TacitRed and uploads them to Microsoft Defender Threat Intelligence |
+
+## Prerequisites
+
+- Microsoft Sentinel workspace
+- TacitRed API credentials
+- Microsoft Defender Threat Intelligence license
+- Appropriate RBAC permissions to deploy Logic Apps
+
+## Deployment
+
+1. Navigate to Microsoft Sentinel Content Hub
+2. Search for "TacitRed Defender Threat Intelligence"
+3. Click Install and follow the deployment wizard
+4. Configure the playbook with your TacitRed API credentials
+
+## How It Works
+
+1. The playbook runs on a scheduled trigger
+2. It queries TacitRed for recent compromised credential findings
+3. For each finding, it creates threat indicators via the Upload API
+4. Microsoft Defender can then use these indicators for detection and response
+
+## Support
+
+- **Provider**: Data443 Risk Mitigation, Inc.
+- **Email**: support@data443.com
+- **Website**: https://www.data443.com
+
+## Learn More
+
+- [Microsoft Sentinel Documentation](https://learn.microsoft.com/azure/sentinel/)
+- [TacitRed Platform](https://data443.com/tacitred-attack-surface-intelligence/)
+- [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/microsoft-365/security/defender/)
diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/ReleaseNotes.md b/Solutions/TacitRed-Defender-ThreatIntelligence/ReleaseNotes.md
new file mode 100644
index 00000000000..5ad319978b3
--- /dev/null
+++ b/Solutions/TacitRed-Defender-ThreatIntelligence/ReleaseNotes.md
@@ -0,0 +1,5 @@
+# Release Notes
+
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------|
+| 3.0.0 | 09-12-2024 | Initial release of TacitRed Defender Threat Intelligence solution with Azure Function and Logic App playbook for syncing TacitRed compromised credentials to Microsoft Defender Threat Intelligence. |
diff --git a/Solutions/TacitRed-Defender-ThreatIntelligence/SolutionMetadata.json b/Solutions/TacitRed-Defender-ThreatIntelligence/SolutionMetadata.json
new file mode 100644
index 00000000000..4b524a164e1
--- /dev/null
+++ b/Solutions/TacitRed-Defender-ThreatIntelligence/SolutionMetadata.json
@@ -0,0 +1,20 @@
+{
+ "publisherId": "data443",
+ "offerId": "azure-sentinel-solution-tacitred-defender-ti",
+ "firstPublishDate": "2025-11-10",
+ "providers": [
+ "Data443 Risk Mitigation, Inc."
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Intelligence"
+ ],
+ "verticals": []
+ },
+ "support": {
+ "name": "Data443 Risk Mitigation, Inc.",
+ "email": "support@data443.com",
+ "tier": "Partner",
+ "link": "https://www.data443.com"
+ }
+}
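Review bot: `firstPublishDate` is `"2025-11-10"` while the release notes added in the same commit date version 3.0.0 as `09-12-2024` and the playbook template's `lastUpdateTime` is `2025-12-09T00:00:00.000Z`; the release-notes year reads like a typo for 2025, and the three dates should agree before the package is published. Since `firstPublishDate` is what the Content Hub listing keys on, confirm whether the intended first publish is November or December 2025 and align the other two files to it.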