Solution: TacitRed SentinelOne IOC Automation (Official) #13267
- Cyren: IP Reputation and Malware URLs CCF data connectors
- TacitRed: Compromised Credentials CCF data connector
- Both solutions include workbooks, analytics rules, and custom tables
- All templates pass arm-ttk validation (102/102 tests)
- CCF data connector - Workbooks and analytics rules - All templates pass arm-ttk validation
…d, and regenerate packages
…d cost warnings
TacitRed:
- Changed queryWindowInMin from 5 to 60 minutes (12x reduction in API calls)
- Added cost warning in connector instructions
Cyren:
- Changed queryWindowInMin from 240 to 1440 minutes (6x reduction - daily polling)
- Reduced rateLimitQps from 10 to 2
- Added risk_d >= 50 filter in DCR to filter out low-risk indicators
- Added cost warning in connector instructions
These changes reduce ingestion costs significantly while maintaining detection quality.
- Playbook to sync TacitRed compromised credentials to CrowdStrike IOCs
- V3 packaging: Name matches folder, BasePath correct, Version 3.0.0
- Includes packageMetadata.json and 3.0.0.zip
- Runs every 6 hours (reasonable for playbook-based automation)
TacitRed-LogicApp-Ingestion:
- Logic App with managed identity for TacitRed API polling
- Ingests to Sentinel via Logs Ingestion API (DCE/DCR)
- Configurable polling interval
Cyren-LogicApp-Ingestion:
- Two Logic Apps for IP Reputation and Malware URLs feeds
- Managed identity authentication to Azure Monitor
- Ingests to Sentinel via Logs Ingestion API (DCE/DCR)
Both solutions:
- V3 packaging compliant
- 3.0.0.zip with all required files
- arm-ttk validated
- TacitRed Logic App: Replace hardcoded dates with dynamic utcNow() expressions - Regenerate all 3.0.0.zip files for all 5 solutions - All CCF and Logic App solutions now use proper placeholders for secrets
TacitRed CCF + Logic App:
- TacitRed - Repeat Compromise Detection.yaml
- TacitRed - High Confidence Compromise.yaml
Cyren CCF + Logic App:
- Cyren - High Risk IP Detection.yaml
- Cyren - Malware URL Detected.yaml
Updated Solution_*.json to reference analytics rules. Regenerated all V3 packages with analytics included.
…tRed analytic rules
- Remove duplicate Cyren solutions (Cyren-CCFThreatIntelligence, Cyren-LogicApp-Ingestion)
- Remove duplicate TacitRed solutions (TacitRed-LogicApp-Ingestion, Tacitred-CCF-Hub-v2ThreatIntelligence)
- Keep canonical CyrenThreatIntelligence and TacitRedThreatIntelligence folders
- Add TacitRed analytic rules with proper MITRE tactics (includes Reconnaissance for T1589)
- Update Solution_TacitRed.json to reference analytic rules
…k/detectionTemplateSchemaValidation
This reverts commit 82bd62c.
…ccf-hub-v2threatintelligence
…alidConnectorIds.json)
Hi @mazamizo21, Please remove the Also, remove the Additionally, create a folder named Image inside the Playbook folder and add all running playbook images into it. Please also correct the format of the Thanks!
…ata/deploymentParameters outside Package, fix ReleaseNotes.md format
Update: All Requested Changes Applied
Hi Microsoft Team, Thank you for your feedback. We have addressed all the requested changes:
✅ 1. Removed 1.0.2 zip package
✅ 2. Moved packageMetadata.json and deploymentParameters.json outside Package folder
✅ 3. Created Images folder in Playbooks with running playbook screenshots
✅ 4. Fixed ReleaseNotes.md format
Thank you! Data443 Risk Mitigation, Inc.
Hi @mazamizo21, could you please grant me the branch access so I can make the necessary changes and commit them. Thanks!!
Hi,
I granted you access. Please accept the invitation here: https://github.com/Data443/Azure-Sentinel/invitations
Thanks for your support, I really appreciate it. I’m hoping we can get the five PRs released soon. I also granted you access to all five PRs for Data443.
The 5 Active PRs

| PR | Solution | Source Branch |
|---|---|---|
| #13266 | TacitRed Defender TI | Data443:feature/tacitred-defender-ti |
| #13267 | TacitRed SentinelOne | Data443:feature/tacitred-sentinelone-v1 |
| #13268 | TacitRed CCF | Data443:feature/tacitred-ccf-hub-v2 |
| #13269 | TacitRed CrowdStrike | Data443:feature/tacitred-crowdstrike-ioc |
| #13278 | Cyren TI | Data443:feature/cyren-threat-intelligence |
Thanks
Taz Jack
From: v-shukore
Sent: Tuesday, December 30, 2025 7:27 PM
Subject: Re: [Azure/Azure-Sentinel] Solution: TacitRed SentinelOne IOC Automation (Official) (PR #13267)
Verified: This solution does not contain any broken tacitred.com or cyren.com documentation URLs. The only TacitRed references are API endpoints (app.tacitred.com) which are functional and required for the connector to work.
Hi @mazamizo21, we deployed the maintemplate in our Microsoft Sentinel workspace and checked, but the playbook isn't showing or loading, so we're unable to test it. Could you check in your workspace and share a screenshot here? Thanks!
Update TacitRed Platform link from generic data443.com to specific: https://data443.com/tacitred-attack-surface-intelligence/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>
Hi @v-shukore, Thank you for testing the solution! I've identified and fixed the issue with the playbook not showing/loading.
Root Cause
The Fix Applied (commit 02582c3)
The playbook should now properly appear in Content Hub after deployment. Please redeploy and let me know if you can see and test the playbook now. Thanks!
- Add tacitred_logo.svg to top-level Logos/ directory
- Update Solution_TacitRedSentinelOneAutomation.json Logo field path from Workbooks/Images/Logos/ to Logos/
- Remove spaces between img tag attributes (svg"width= not svg" width=)
- Remove packageMetadata.json (not needed for this solution type)
Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
- TacitRed-SentinelOne solution has no workbooks
- Revert accidental WorkbooksMetadata.json modifications
- Branch contamination from earlier operations
Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Official Data443 Submission
This is the official submission from the Data443 organization for the TacitRed SentinelOne IOC Automation solution.
Changes
This PR supersedes and replaces PR #13243.
Please close #13243 in favor of this one.