diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index fd4fe199415..75bc791b828 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -1,287 +1,288 @@ -[ - "Netclean_ProActive_Incidents", - "42CrunchAPIProtection", - "AIVectraDetect", - "AIVectraStream", - "VectraXDR", - "AWS", - "AWSS3", - "AWSSecurityHub", - "Agari", - "AkamaiSecurityEvents", - "AlcideKAudit", - "AlsidForAD", - "Anvilogic", - "Armorblox", - "ApacheHTTPServer", - "ApacheTomcat", - "ARGOSCloudSecurity", - "AristaAwakeSecurity", - "ASimDnsActivityLogs", - "ArubaClearPass", - "AzureActiveDirectory", - "AzureActiveDirectoryIdentityProtection", - "AzureActivity", - "AzureAdvancedThreatProtection", - "AzureFirewall", - "AzureInformationProtection", - "AzureKeyVault", - "AzureKubernetes", - "AzureMonitor(IIS)", - "AzureMonitor(VMInsights)", - "AzureMonitor(WireData)", - "AzureNSG", - "AzureSecurityCenter", - "AzureSql", - "AzureStorageAccount", - "Barracuda", - "BarracudaCloudFirewall", - "BetterMTD", - "BehaviorAnalytics", - "BeyondSecuritybeSECURE", - "Bitglass", - "BitSight", - "BlackberryCylancePROTECT", - "BloodHoundEnterprise", - "BoschAIShield", - "BoxDataConnector", - "BroadcomSymantecDLP", - "CEF", - "CheckPoint", - "CiscoASA", - "CiscoAsaAma", - "CiscoDuoSecurity", - "CiscoFirepowerEStreamer", - "CiscoISE", - "CiscoMeraki", - "CiscoSDWAN", - "CiscoSecureEndpoint", - "CiscoSEG", - "CiscoUCS", - "CiscoUmbrellaDataConnector", - "CiscoWSA", - "Citrix", - "CitrixWAF", - "Claroty", - "CloudflareDataConnector", - "CognniSentinelDataConnector", - "ContrastProtect", - "Corelight", - "CrowdStrikeFalconEndpointProtection", - "CyberArk", - "CyberArkEPM", - "CyberpionSecurityLogs", - "CynerioSecurityEvents", - "DDOS", - "DNS", - "Darktrace", - "DarktraceRESTConnector", - "DataminrPulseAlerts", - "Dataverse", - "DigitalGuardianDLP", - "DigitalShadows", - "DragosSitestoreCCP", - "Dynamics365", - "Dynamics365Finance", - "EgressDefend", - "ESETEnterpriseInspector", - "ESETPROTECT", - "EsetSMC", - "ESI-ExchangeAdminAuditLogEvents", - "ExtraHopNetworks", - "F5", - "F5BigIp", - "Flare", - "ForcepointCasb", - "ForcepointDlp", - 
"ForcepointNgfw", - "ForgeRock", - "Fortinet", - "FortiWeb", - "GCPDNSDataConnector", - "GoogleSCCDefinition", - "GWorkspaceRAPI", - "GoogleWorkspaceReportsAPI", - "GreyNoise2SentinelAPI", - "IdentityInfo", - "ImpervaWAFCloudAPI", - "ImpervaWAFGateway", - "ImportedConnector", - "InfobloxCloudDataConnector", - "InfobloxNIOS", - "IoT", - "JamfProtect", - "JiraAuditAPI", - "JuniperSRX", - "KeeperSecurityPush2", - "LastPass", - "LookoutAPI", - "LumenThreatFeedConnector", - "McAfeeePO", - "MicrosoftAzurePurview", - "MicrosoftCloudAppSecurity", - "MicrosoftCopilot", - "MicrosoftDefenderAdvancedThreatProtection", - "MicrosoftSysmonForLinux", - "MicrosoftThreatProtection", - "MimecastSEGAPI", - "MorphisecCCF", - "NasuniEdgeAppliance", - "NXLogDnsLogs", - "NXLogLinuxAudit", - "Netskope", - "Office365", - "OfficeATP", - "OktaSSO", - "OktaSSOv2", - "OnapsisPlatform", - "OneIdentity", - "OCILogs", - "OracleDatabaseAudit", - "OracleCloudInfrastructureLogsConnector", - "OracleWebLogicServer", - "OrcaSecurityAlerts", - "PaloAltoCDL", - "PaloAltoNetworks", - "PaloAltoPrismaCloud", - "Perimeter81ActivityLogs", - "PingFederate", - "PostgreSQL", - "PowerAutomate", - "PowerPlatformAdmin", - "ProofpointPOD", - "ProofpointTAP", - "ProofpointTAPNativePoller", - "ProofpointTAPv2", - "PulseConnectSecure", - "QscoutAppEventsCCFDefinition", - "QualysKB", - "QualysVulnerabilityManagement", - "RedCanaryDataConnector", - "RubrikSecurityCloudAzureFunctions", - "SailPointIdentityNow", - "SalesforceServiceCloud", - "SalesforceServiceCloudCCPDefinition", - "SAP", - "SAPBTPAuditEvents", - "SAPLogServ", - "SAPETDAlerts", - "SecurityEvents", - "SemperisDSP", - "SenservaPro", - "SentinelOne", - "SlackAuditAPI", - "Snowflake", - "SonicWallFirewall", - "SonraiDataConnector", - "SophosCloudOptix", - "SophosXGFirewall", - "SquadraTechnologiesSecRmm", - "SquidProxy", - "Symantec", - "SymantecEndpointProtection", - "SymantecProxySG", - "SymantecVIP", - "Syslog", - "Tenable.ad", - "TenableVM", - "TenableIE", 
- "ThreatIntelligence", - "ThreatIntelligenceTaxii", - "ThreatIntelligenceUploadIndicatorsAPI", - "DelineaSecretServer_CEF", - "TrendMicro", - "TrendMicroApexOne", - "TrendMicroCAS", - "TrendMicroTippingPoint", - "TrendMicroXDR", - "UbiquitiUnifi", - "vArmourAC", - "VMwareCarbonBlack", - "vCenter", - "VMwareESXi", - "VMwareSDWAN", - "WAF", - "WindowsFirewall", - "WindowsForwardedEvents", - "WireX_Systems_NFP", - "ZimperiumMtdAlerts", - "Zscaler", - "ZscalerPrivateAccess", - "illusiveAttackManagementSystem", - "WindowsSecurityEvents", - "IronNetIronDefense", - "GCPIAMDataConnector", - "Illusive", - "NGINXHTTPServer", - "ZeroNetworksSegmentAuditFunction", - "ZeroNetworksSegmentAuditNativePoller", - "Theom", - "Votiro", - "ISCBind", - "DynatraceRuntimeVulnerabilities", - "DynatraceAttacks", - "DynatraceAuditLogs", - "DynatraceProblems", - "Authomize", - "MicrosoftDefenderThreatIntelligence", - "ZeroFox_Alert_Polling", - "CortexXDR", - "Corelight", - "CorelightConnectorExporter", - "MimecastSIEMAPI", - "MimecastTTPAPI", - "MimecastAuditAPI", - "PingFederateAma", - "vArmourACAma", - "ContrastProtectAma", - "InfobloxCloudDataConnectorAma", - "ClarotyAma", - "illusiveAttackManagementSystemAma", - "TrendMicroApexOneAma", - "PaloAltoCDLAma", - "CiscoSEGAma", - "AtlassianBeaconAlerts", - "GCPAuditLogsDefinition", - "PrancerLogData", - "MicrosoftDefenderForCloudTenantBased", - "RidgeBotDataConnector", - "ValenceSecurity", - "HVPollingIDAzureFunctions", - "CBSPollingIDAzureFunctions", - "AzureCloudNGFWByPaloAltoNetworks", - "PaloAltoNetworksAma", - "FortinetAma", - "CrowdStrikeFalconEndpointProtectionAma", - "AIVectraDetectAma", - "ZscalerAma", - "SyslogAma", - "FortinetFortiWebAma", - "InfobloxSOCInsightsDataConnector_API", - "InfobloxSOCInsightsDataConnector_Legacy", - "InfobloxSOCInsightsDataConnector_AMA", - "NetskopeDataConnector", - "NetskopeWebTransactionsDataConnector", - "CefAma", - "WindowsFirewallAma", - "1Password", - "RadiflowIsid", - "CustomLogsAma", - 
"SilverfortAma", - "IllumioSaaSDataConnector", - "CTERA", - "Workday", - "SamsungDCDefinition", - "CommvaultSecurityIQ_CL", - "ExtraHop", - "ContrastADR", - "CyfirmaAttackSurfaceAlertsConnector", - "CyfirmaBrandIntelligenceAlertsDC", - "CyfirmaDigitalRiskAlertsConnector", - "CyfirmaVulnerabilitiesIntelDC", - "CyfirmaCyberIntelligenceDC", - "VeeamCustomTablesDataConnector", - "CyfirmaCompromisedAccountsDataConnector", - "RSAIDPlus_AdminLogs_Connector", - "CybleVisionAlerts" -] \ No newline at end of file +[ + "Netclean_ProActive_Incidents", + "42CrunchAPIProtection", + "AIVectraDetect", + "AIVectraStream", + "VectraXDR", + "AWS", + "AWSS3", + "AWSSecurityHub", + "Agari", + "AkamaiSecurityEvents", + "AlcideKAudit", + "AlsidForAD", + "Anvilogic", + "Armorblox", + "ApacheHTTPServer", + "ApacheTomcat", + "ARGOSCloudSecurity", + "AristaAwakeSecurity", + "ASimDnsActivityLogs", + "ArubaClearPass", + "AzureActiveDirectory", + "AzureActiveDirectoryIdentityProtection", + "AzureActivity", + "AzureAdvancedThreatProtection", + "AzureFirewall", + "AzureInformationProtection", + "AzureKeyVault", + "AzureKubernetes", + "AzureMonitor(IIS)", + "AzureMonitor(VMInsights)", + "AzureMonitor(WireData)", + "AzureNSG", + "AzureSecurityCenter", + "AzureSql", + "AzureStorageAccount", + "Barracuda", + "BarracudaCloudFirewall", + "BetterMTD", + "BehaviorAnalytics", + "BeyondSecuritybeSECURE", + "Bitglass", + "BitSight", + "BlackberryCylancePROTECT", + "BloodHoundEnterprise", + "BoschAIShield", + "BoxDataConnector", + "BroadcomSymantecDLP", + "CEF", + "CheckPoint", + "CiscoASA", + "CiscoAsaAma", + "CiscoDuoSecurity", + "CiscoFirepowerEStreamer", + "CiscoISE", + "CiscoMeraki", + "CiscoSDWAN", + "CiscoSecureEndpoint", + "CiscoSEG", + "CiscoUCS", + "CiscoUmbrellaDataConnector", + "CiscoWSA", + "Citrix", + "CitrixWAF", + "Claroty", + "CloudflareDataConnector", + "CognniSentinelDataConnector", + "ContrastProtect", + "Corelight", + "CrowdStrikeFalconEndpointProtection", + "CyberArk", + "CyberArkEPM", 
+ "CyberpionSecurityLogs", + "CynerioSecurityEvents", + "DDOS", + "DNS", + "Darktrace", + "DarktraceRESTConnector", + "DataminrPulseAlerts", + "Dataverse", + "DigitalGuardianDLP", + "DigitalShadows", + "DragosSitestoreCCP", + "Dynamics365", + "Dynamics365Finance", + "EgressDefend", + "ESETEnterpriseInspector", + "ESETPROTECT", + "EsetSMC", + "ESI-ExchangeAdminAuditLogEvents", + "ExtraHopNetworks", + "F5", + "F5BigIp", + "Flare", + "ForcepointCasb", + "ForcepointDlp", + "ForcepointNgfw", + "ForgeRock", + "Fortinet", + "FortiWeb", + "GCPDNSDataConnector", + "GoogleSCCDefinition", + "GWorkspaceRAPI", + "GoogleWorkspaceReportsAPI", + "GreyNoise2SentinelAPI", + "IdentityInfo", + "ImpervaWAFCloudAPI", + "ImpervaWAFGateway", + "ImportedConnector", + "InfobloxCloudDataConnector", + "InfobloxNIOS", + "IoT", + "JamfProtect", + "JiraAuditAPI", + "JuniperSRX", + "KeeperSecurityPush2", + "LastPass", + "LookoutAPI", + "LumenThreatFeedConnector", + "McAfeeePO", + "MicrosoftAzurePurview", + "MicrosoftCloudAppSecurity", + "MicrosoftCopilot", + "MicrosoftDefenderAdvancedThreatProtection", + "MicrosoftSysmonForLinux", + "MicrosoftThreatProtection", + "MimecastSEGAPI", + "MorphisecCCF", + "NasuniEdgeAppliance", + "NXLogDnsLogs", + "NXLogLinuxAudit", + "Netskope", + "Office365", + "OfficeATP", + "OktaSSO", + "OktaSSOv2", + "OnapsisPlatform", + "OneIdentity", + "OCILogs", + "OracleDatabaseAudit", + "OracleCloudInfrastructureLogsConnector", + "OracleWebLogicServer", + "OrcaSecurityAlerts", + "PaloAltoCDL", + "PaloAltoNetworks", + "PaloAltoPrismaCloud", + "Perimeter81ActivityLogs", + "PingFederate", + "PostgreSQL", + "PowerAutomate", + "PowerPlatformAdmin", + "ProofpointPOD", + "ProofpointTAP", + "ProofpointTAPNativePoller", + "ProofpointTAPv2", + "PulseConnectSecure", + "QscoutAppEventsCCFDefinition", + "QualysKB", + "QualysVulnerabilityManagement", + "RedCanaryDataConnector", + "RubrikSecurityCloudAzureFunctions", + "SailPointIdentityNow", + "SalesforceServiceCloud", + 
"SalesforceServiceCloudCCPDefinition", + "SAP", + "SAPBTPAuditEvents", + "SAPLogServ", + "SAPETDAlerts", + "SecurityEvents", + "SemperisDSP", + "SenservaPro", + "SentinelOne", + "SlackAuditAPI", + "Snowflake", + "SonicWallFirewall", + "SonraiDataConnector", + "SophosCloudOptix", + "SophosXGFirewall", + "SquadraTechnologiesSecRmm", + "SquidProxy", + "Symantec", + "SymantecEndpointProtection", + "SymantecProxySG", + "SymantecVIP", + "Syslog", + "Tenable.ad", + "TenableVM", + "TenableIE", + "ThreatIntelligence", + "ThreatIntelligenceTaxii", + "ThreatIntelligenceUploadIndicatorsAPI", + "DelineaSecretServer_CEF", + "TrendMicro", + "TrendMicroApexOne", + "TrendMicroCAS", + "TrendMicroTippingPoint", + "TrendMicroXDR", + "UbiquitiUnifi", + "vArmourAC", + "VMwareCarbonBlack", + "vCenter", + "VMwareESXi", + "VMwareSDWAN", + "WAF", + "WindowsFirewall", + "WindowsForwardedEvents", + "WireX_Systems_NFP", + "ZimperiumMtdAlerts", + "Zscaler", + "ZscalerPrivateAccess", + "illusiveAttackManagementSystem", + "WindowsSecurityEvents", + "IronNetIronDefense", + "GCPIAMDataConnector", + "Illusive", + "NGINXHTTPServer", + "ZeroNetworksSegmentAuditFunction", + "ZeroNetworksSegmentAuditNativePoller", + "Theom", + "Votiro", + "ISCBind", + "DynatraceRuntimeVulnerabilities", + "DynatraceAttacks", + "DynatraceAuditLogs", + "DynatraceProblems", + "Authomize", + "MicrosoftDefenderThreatIntelligence", + "ZeroFox_Alert_Polling", + "CortexXDR", + "CorelightConnectorExporter", + "MimecastSIEMAPI", + "MimecastTTPAPI", + "MimecastAuditAPI", + "PingFederateAma", + "vArmourACAma", + "ContrastProtectAma", + "InfobloxCloudDataConnectorAma", + "ClarotyAma", + "illusiveAttackManagementSystemAma", + "TrendMicroApexOneAma", + "PaloAltoCDLAma", + "CiscoSEGAma", + "AtlassianBeaconAlerts", + "GCPAuditLogsDefinition", + "PrancerLogData", + "MicrosoftDefenderForCloudTenantBased", + "RidgeBotDataConnector", + "ValenceSecurity", + "HVPollingIDAzureFunctions", + "CBSPollingIDAzureFunctions", + 
"AzureCloudNGFWByPaloAltoNetworks", + "PaloAltoNetworksAma", + "FortinetAma", + "CrowdStrikeFalconEndpointProtectionAma", + "AIVectraDetectAma", + "ZscalerAma", + "SyslogAma", + "FortinetFortiWebAma", + "InfobloxSOCInsightsDataConnector_API", + "InfobloxSOCInsightsDataConnector_Legacy", + "InfobloxSOCInsightsDataConnector_AMA", + "NetskopeDataConnector", + "NetskopeWebTransactionsDataConnector", + "CefAma", + "WindowsFirewallAma", + "1Password", + "RadiflowIsid", + "CustomLogsAma", + "SilverfortAma", + "IllumioSaaSDataConnector", + "CTERA", + "Workday", + "SamsungDCDefinition", + "CommvaultSecurityIQ_CL", + "ExtraHop", + "ContrastADR", + "CyfirmaAttackSurfaceAlertsConnector", + "CyfirmaBrandIntelligenceAlertsDC", + "CyfirmaDigitalRiskAlertsConnector", + "CyfirmaVulnerabilitiesIntelDC", + "CyfirmaCyberIntelligenceDC", + "VeeamCustomTablesDataConnector", + "CyfirmaCompromisedAccountsDataConnector", + "RSAIDPlus_AdminLogs_Connector", + "TacitRedThreatIntel", + "CyrenThreatIntel", + "CybleVisionAlerts" +] diff --git a/Logos/tacitred_logo.svg b/Logos/tacitred_logo.svg new file mode 100644 index 00000000000..36c925a82d7 --- /dev/null +++ b/Logos/tacitred_logo.svg @@ -0,0 +1,5 @@ + + Tacit + Red + by Data443 + diff --git a/Solutions/TacitRed-SentinelOne/Data/Solution_TacitRedSentinelOneAutomation.json b/Solutions/TacitRed-SentinelOne/Data/Solution_TacitRedSentinelOneAutomation.json new file mode 100644 index 00000000000..01696976607 --- /dev/null +++ b/Solutions/TacitRed-SentinelOne/Data/Solution_TacitRedSentinelOneAutomation.json 
@@ -0,0 +1,14 @@
+{
+ "Name": "TacitRed-SentinelOne",
+ "Author": "Data443 Risk Mitigation, Inc. - support@data443.com",
+ "Logo": "",
+ "Description": "The TacitRed SentinelOne IOC Automation solution provides example playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and prepare indicators for ingestion into SentinelOne.",
+ "Playbooks": [
+ "Playbooks/TacitRedToSentinelOne_Playbook.json"
+ ],
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\TacitRed-SentinelOne",
+ "Version": "3.0.0",
+ "TemplateSpec": true,
+ "Is1Pconnector": false
+}
\ No newline at end of file
diff --git a/Solutions/TacitRed-SentinelOne/Package/3.0.0.zip b/Solutions/TacitRed-SentinelOne/Package/3.0.0.zip
new file mode 100644
index 00000000000..5ed2815db8e
Binary files /dev/null and b/Solutions/TacitRed-SentinelOne/Package/3.0.0.zip differ
diff --git a/Solutions/TacitRed-SentinelOne/Package/createUiDefinition.json b/Solutions/TacitRed-SentinelOne/Package/createUiDefinition.json
new file mode 100644
index 00000000000..f2cad13c645
--- /dev/null
+++ b/Solutions/TacitRed-SentinelOne/Package/createUiDefinition.json
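Review bot: `"Logo": ""` leaves the solution without an icon even though this same commit adds `Logos/tacitred_logo.svg`, and the generated package inherits the gap as `"icon": ""` in `mainTemplate.json`. Point the field at the new file in the form the other solutions in this repository use, e.g. `"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/tacitred_logo.svg\" width=\"75px\" height=\"75px\">"`, and re-run the packaging tool so the icon is carried into the package. The `Description` here and the `descriptionHtml` in the package match, so only the logo reference needs to change.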
@@ -0,0 +1,90 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/TacitRed-SentinelOne/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe TacitRed SentinelOne IOC Automation solution provides example playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and prepare indicators for ingestion into SentinelOne.\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + 
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://learn.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} + diff --git a/Solutions/TacitRed-SentinelOne/Package/mainTemplate.json b/Solutions/TacitRed-SentinelOne/Package/mainTemplate.json new file mode 100644 index 00000000000..104d4fd6511 --- /dev/null +++ b/Solutions/TacitRed-SentinelOne/Package/mainTemplate.json 
@@ -0,0 +1,318 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Data443 Risk Mitigation, Inc. - support@data443.com", + "comments": "Solution template for TacitRed-SentinelOne" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "email": "support@data443.com", + "_email": "[variables('email')]", + "_solutionName": "TacitRed-SentinelOne", + "_solutionVersion": "3.0.0", + "solutionId": "data443.azure-sentinel-solution-tacitred-sentinelone-ioc-automation", + "_solutionId": "[variables('solutionId')]", + "Playbooks": "Playbooks", + "_Playbooks": "[variables('Playbooks')]", + "blanks": "[replace('b', 'b', '')]", + "playbookVersion1": "1.0", + "playbookContentId1": "Playbooks", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2025-09-01", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Playbooks Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "logicAppName": { + "type": "string", + "defaultValue": "pb-tacitred-to-sentinelone" + }, + "location": { + "type": "string", + "defaultValue": "[concat('[resourceGroup().locatio', 'n]')]" + }, + "TacitRed_ApiKey": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "TacitRed API Key for authentication" + } + }, + "TacitRed_Domain": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional domain filter for TacitRed findings" + } + }, + "SentinelOne_ApiToken": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "SentinelOne API Token" + } + }, + "SentinelOne_BaseUrl": { + "type": "string", + "defaultValue": "https://usea1-001.sentinelone.net", + "metadata": { + "description": "SentinelOne Console URL (e.g. 
https://usea1-001.sentinelone.net)" + } + } + }, + "variables": { + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[[parameters('logicAppName')]", + "location": "[[parameters('location')]", + "properties": { + "state": "Enabled", + "parameters": { + "TacitRed_ApiKey": { + "value": "[[parameters('TacitRed_ApiKey')]" + }, + "TacitRed_Domain": { + "value": "[[parameters('TacitRed_Domain')]" + }, + "SentinelOne_ApiToken": { + "value": "[[parameters('SentinelOne_ApiToken')]" + }, + "SentinelOne_BaseUrl": { + "value": "[[parameters('SentinelOne_BaseUrl')]" + } + }, + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "TacitRed_ApiUrl": { + "type": "string", + "defaultValue": "https://app.tacitred.com/api/v1/findings" + }, + "TacitRed_ApiKey": { + "type": "string", + "defaultValue": "[variables('blanks')]" + }, + "TacitRed_Domain": { + "type": "string", + "defaultValue": "[variables('blanks')]" + }, + "SentinelOne_BaseUrl": { + "type": "string", + "defaultValue": "https://usea1-001.sentinelone.net" + }, + "SentinelOne_ApiToken": { + "type": "string", + "defaultValue": "[variables('blanks')]" + } + }, + "triggers": { + "Recurrence": { + "type": "Recurrence", + "recurrence": { + "frequency": "Hour", + "interval": 6, + "timeZone": "UTC" + } + } + }, + "actions": { + "Get_TacitRed_Findings": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{parameters('TacitRed_ApiUrl')}?types[]=compromised_credentials&domains[]=@{encodeUriComponent(parameters('TacitRed_Domain'))}&min_date=2025-10-26&page=1&page_size=100", + "headers": { + "accept": 
"application/json", + "User-Agent": "Microsoft-Sentinel-TacitRed/1.0", + "Authorization": "@{parameters('TacitRed_ApiKey')}" + } + } + }, + "For_each_Finding": { + "type": "Foreach", + "foreach": "@body('Get_TacitRed_Findings')?['results']", + "runAfter": { + "Get_TacitRed_Findings": [ + "Succeeded" + ] + }, + "actions": { + "Post_IOC_to_SentinelOne": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/threat-intelligence/iocs", + "headers": { + "Content-Type": "application/json", + "Authorization": "ApiToken @{parameters('SentinelOne_ApiToken')}" + }, + "body": { + "data": [ + { + "value": "@{coalesce(item()?['finding']?['supporting_data']?['site_domain'], item()?['finding']?['supporting_data']?['domain'])}", + "type": "DNS", + "source": "TacitRed", + "method": "EQUALS", + "validUntil": "@{addDays(utcNow(), 90)}", + "externalId": "@{coalesce(item()?['finding']?['uid'], string(item()?['activity_id']))}", + "description": "TacitRed: @{coalesce(item()?['finding']?['supporting_data']?['stealer'], 'Unknown Stealer')} | Credential: @{coalesce(item()?['finding']?['supporting_data']?['credential'], 'N/A')} | Compromised: @{coalesce(item()?['finding']?['supporting_data']?['date_compromised'], item()?['time'])} | Machine: @{coalesce(item()?['finding']?['supporting_data']?['machine_name'], 'Unknown')} (@{coalesce(item()?['finding']?['supporting_data']?['os'], 'Unknown OS')}) | URL: @{coalesce(item()?['finding']?['supporting_data']?['compromised_url'], 'N/A')}" + } + ] + } + } + } + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2025-09-01", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": 
"[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "TacitRed-SentinelOne", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "Playbooks", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2025-09-01", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "TacitRed-SentinelOne", + "publisherDisplayName": "Data443 Risk Mitigation, Inc.", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The TacitRed SentinelOne IOC Automation solution provides example playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and prepare indicators for ingestion into SentinelOne.

\n

Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "TacitRed-SentinelOne", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Playbook", + "contentId": "[variables('_Playbooks')]", + "version": "[variables('playbookVersion1')]" + } + ] + }, + "firstPublishDate": "2025-12-01", + "lastPublishDate": "2025-12-10", + "providers": [ + "Data443 Risk Mitigation, Inc." + ], + "categories": { + "domains": [ + "Security - Threat Intelligence" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/TacitRed-SentinelOne/Package/testParameters.json b/Solutions/TacitRed-SentinelOne/Package/testParameters.json new file mode 100644 index 00000000000..e55ec41a9ac --- /dev/null +++ b/Solutions/TacitRed-SentinelOne/Package/testParameters.json 
@@ -0,0 +1,24 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/TacitRed-SentinelOne/Playbooks/Images/TacitRedToSentinelOneDark.png b/Solutions/TacitRed-SentinelOne/Playbooks/Images/TacitRedToSentinelOneDark.png
new file mode 100644
index 00000000000..ef1f592a927
Binary files /dev/null and b/Solutions/TacitRed-SentinelOne/Playbooks/Images/TacitRedToSentinelOneDark.png differ
diff --git a/Solutions/TacitRed-SentinelOne/Playbooks/Images/TacitRedToSentinelOneLight.png b/Solutions/TacitRed-SentinelOne/Playbooks/Images/TacitRedToSentinelOneLight.png
new file mode 100644
index 00000000000..39b62d20594
Binary files /dev/null and b/Solutions/TacitRed-SentinelOne/Playbooks/Images/TacitRedToSentinelOneLight.png differ
diff --git a/Solutions/TacitRed-SentinelOne/Playbooks/TacitRedToSentinelOne_Playbook.json b/Solutions/TacitRed-SentinelOne/Playbooks/TacitRedToSentinelOne_Playbook.json
new file mode 100644
index 00000000000..9ca227df81e
--- /dev/null
+++ b/Solutions/TacitRed-SentinelOne/Playbooks/TacitRedToSentinelOne_Playbook.json
@@ -0,0 +1,154 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "logicAppName": { + "type": "string", + "defaultValue": "pb-tacitred-to-sentinelone" + }, + "location": { + "type": "string", + "defaultValue": "[concat('[resourceGroup().locatio', 'n]')]" + }, + "TacitRed_ApiKey": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "TacitRed API Key for authentication" + } + }, + "TacitRed_Domain": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional domain filter for TacitRed findings" + } + }, + "SentinelOne_ApiToken": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "SentinelOne API Token" + } + }, + "SentinelOne_BaseUrl": { + "type": "string", + "defaultValue": "https://usea1-001.sentinelone.net", + "metadata": { + "description": "SentinelOne Console URL (e.g. https://usea1-001.sentinelone.net)" + } + } + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('logicAppName')]", + "location": "[parameters('location')]", + "properties": { + "state": "Enabled", + "parameters": { + "TacitRed_ApiKey": { + "value": "[parameters('TacitRed_ApiKey')]" + }, + "TacitRed_Domain": { + "value": "[parameters('TacitRed_Domain')]" + }, + "SentinelOne_ApiToken": { + "value": "[parameters('SentinelOne_ApiToken')]" + }, + "SentinelOne_BaseUrl": { + "value": "[parameters('SentinelOne_BaseUrl')]" + } + }, + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "TacitRed_ApiUrl": { + "type": "string", + "defaultValue": "https://app.tacitred.com/api/v1/findings" + }, + "TacitRed_ApiKey": { + "type": "string", + "defaultValue": "" + }, + "TacitRed_Domain": { + "type": "string", + "defaultValue": 
"" + }, + "SentinelOne_BaseUrl": { + "type": "string", + "defaultValue": "https://usea1-001.sentinelone.net" + }, + "SentinelOne_ApiToken": { + "type": "string", + "defaultValue": "" + } + }, + "triggers": { + "Recurrence": { + "type": "Recurrence", + "recurrence": { + "frequency": "Hour", + "interval": 6, + "timeZone": "UTC" + } + } + }, + "actions": { + "Get_TacitRed_Findings": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{parameters('TacitRed_ApiUrl')}?types[]=compromised_credentials&domains[]=@{encodeUriComponent(parameters('TacitRed_Domain'))}&min_date=2025-10-26&page=1&page_size=100", + "headers": { + "accept": "application/json", + "User-Agent": "Microsoft-Sentinel-TacitRed/1.0", + "Authorization": "@{parameters('TacitRed_ApiKey')}" + } + }, + "runAfter": {} + }, + "For_each_Finding": { + "type": "Foreach", + "foreach": "@body('Get_TacitRed_Findings')?['results']", + "runAfter": { + "Get_TacitRed_Findings": [ + "Succeeded" + ] + }, + "actions": { + "Post_IOC_to_SentinelOne": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/threat-intelligence/iocs", + "headers": { + "Content-Type": "application/json", + "Authorization": "ApiToken @{parameters('SentinelOne_ApiToken')}" + }, + "body": { + "data": [ + { + "value": "@{coalesce(item()?['finding']?['supporting_data']?['site_domain'], item()?['finding']?['supporting_data']?['domain'])}", + "type": "DNS", + "source": "TacitRed", + "method": "EQUALS", + "validUntil": "@{addDays(utcNow(), 90)}", + "externalId": "@{coalesce(item()?['finding']?['uid'], string(item()?['activity_id']))}", + "description": "TacitRed: @{coalesce(item()?['finding']?['supporting_data']?['stealer'], 'Unknown Stealer')} | Credential: @{coalesce(item()?['finding']?['supporting_data']?['credential'], 'N/A')} | Compromised: @{coalesce(item()?['finding']?['supporting_data']?['date_compromised'], item()?['time'])} | Machine: 
@{coalesce(item()?['finding']?['supporting_data']?['machine_name'], 'Unknown')} (@{coalesce(item()?['finding']?['supporting_data']?['os'], 'Unknown OS')}) | URL: @{coalesce(item()?['finding']?['supporting_data']?['compromised_url'], 'N/A')}" + } + ] + } + } + } + } + } + }, + "outputs": {} + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/TacitRed-SentinelOne/README.md b/Solutions/TacitRed-SentinelOne/README.md new file mode 100644 index 00000000000..c577b184c2f --- /dev/null +++ b/Solutions/TacitRed-SentinelOne/README.md 
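Review bot: The workflow-definition parameters `TacitRed_ApiKey` and `SentinelOne_ApiToken` are declared `"type": "string"` even though the outer template parameters are `securestring`, so the secrets handed in through `properties.parameters` are readable back from the saved workflow definition and appear in clear text in the run history of the two HTTP actions that place them in the `Authorization` header. They should be `securestring` in the definition as well, and both HTTP actions should carry `runtimeConfiguration.secureData` so their inputs (the headers) are redacted from run history, as in the excerpt below. Separately, `Get_TacitRed_Findings` hard-codes `min_date=2025-10-26` and `page=1&page_size=100`, so every 6-hourly run re-pulls the same growing window and silently ignores anything beyond the first 100 findings; a relative date such as `@{formatDateTime(addHours(utcNow(), -6), 'yyyy-MM-dd')}` plus an `Until` loop over `page` would bound the query. The IOC `description` also copies `supporting_data.credential` into SentinelOne — if that field carries the leaked secret rather than just the account name, this commit stores the credential in a second system, which is worth confirming against the TacitRed response schema before merging.

```json
"parameters": {
  // … unchanged: TacitRed_ApiUrl, TacitRed_Domain, SentinelOne_BaseUrl …
  "TacitRed_ApiKey": {
    "type": "securestring"
  },
  "SentinelOne_ApiToken": {
    "type": "securestring"
  }
},
// … unchanged: triggers …
"Get_TacitRed_Findings": {
  "type": "Http",
  "runtimeConfiguration": {
    "secureData": { "properties": [ "inputs" ] }
  },
  // … unchanged: inputs, runAfter …
},
// … unchanged: For_each_Finding wrapper …
"Post_IOC_to_SentinelOne": {
  "type": "Http",
  "runtimeConfiguration": {
    "secureData": { "properties": [ "inputs" ] }
  },
  // … unchanged: inputs …
}
```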
@@ -0,0 +1,49 @@
+# TacitRed SentinelOne IOC Automation Solution for Microsoft Sentinel
+
+## Overview
+
+The TacitRed SentinelOne IOC Automation solution provides playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and push indicators of compromise (IOCs) to SentinelOne for automated threat response.
+
+## Solution Components
+
+| Component | Description |
+|-----------|-------------|
+| **Playbook** | Logic App that fetches compromised credentials from TacitRed and creates IOC entries in SentinelOne |
+
+## Prerequisites
+
+- Microsoft Sentinel workspace
+- TacitRed API Key
+- SentinelOne console access with API token
+- SentinelOne Account ID
+- Appropriate RBAC permissions to deploy Logic Apps
+
+## Deployment
+
+1. Navigate to Microsoft Sentinel Content Hub
+2. Search for "TacitRed SentinelOne"
+3. Click Install and follow the deployment wizard
+4. Provide the following parameters:
+ - **TacitRed API Key**: Your TacitRed API credentials
+ - **SentinelOne API Token**: Your SentinelOne API token
+ - **SentinelOne Base URL**: Your SentinelOne console URL (e.g., https://usea1-001.sentinelone.net)
+ - **SentinelOne Account ID**: Your SentinelOne account identifier
+
+## How It Works
+
+1. The playbook runs on a scheduled trigger
+2. It queries TacitRed for recent compromised credential findings
+3. For each finding, it creates an IOC entry in SentinelOne
+4. SentinelOne can then use these IOCs for detection and response
+
+## Support
+
+- **Provider**: Data443 Risk Mitigation, Inc.
+- **Email**: support@data443.com
+- **Website**: https://www.data443.com
+
+## Learn More
+
+- [Microsoft Sentinel Documentation](https://learn.microsoft.com/azure/sentinel/)
+- [TacitRed Platform](https://data443.com/tacitred-attack-surface-intelligence/)
+- [SentinelOne Documentation](https://www.sentinelone.com/docs/)
diff --git a/Solutions/TacitRed-SentinelOne/ReleaseNotes.md b/Solutions/TacitRed-SentinelOne/ReleaseNotes.md
new file mode 100644
index 00000000000..d4dd1d43c25
--- /dev/null
+++ b/Solutions/TacitRed-SentinelOne/ReleaseNotes.md
@@ -0,0 +1,6 @@
+# Release Notes
+
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------|
+| 3.0.0 | 09-12-2024 | V3 packaging with ARM-TTK fixes and updated createUiDefinition |
+| 1.0.0 | 01-12-2024 | Initial TacitRed SentinelOne IOC Automation solution with playbook for syncing compromised credentials to SentinelOne IOCs |
diff --git a/Solutions/TacitRed-SentinelOne/SolutionMetadata.json b/Solutions/TacitRed-SentinelOne/SolutionMetadata.json
new file mode 100644
index 00000000000..1cd40cf93d8
--- /dev/null
+++ b/Solutions/TacitRed-SentinelOne/SolutionMetadata.json
@@ -0,0 +1,21 @@
+{
+ "publisherId": "data443",
+ "offerId": "azure-sentinel-solution-tacitred-sentinelone-ioc-automation",
+ "firstPublishDate": "2025-12-01",
+ "lastPublishDate": "2025-12-10",
+ "providers": [
+ "Data443 Risk Mitigation, Inc."
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Intelligence"
+ ],
+ "verticals": []
+ },
+ "support": {
+ "name": "Data443 Risk Mitigation, Inc.",
+ "email": "support@data443.com",
+ "tier": "Partner",
+ "link": "https://www.data443.com"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/TacitRed-SentinelOne/deploymentParameters.json b/Solutions/TacitRed-SentinelOne/deploymentParameters.json
new file mode 100644
index 00000000000..6d6afcd22f5
--- /dev/null
+++ b/Solutions/TacitRed-SentinelOne/deploymentParameters.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "logicAppName": {
+ "value": "pb-tacitred-to-sentinelone"
+ },
+ "location": {
+ "value": "eastus"
+ }
+ }
+}
\ No newline at end of file
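Review bot: `SolutionMetadata.json` sets `"firstPublishDate": "2025-12-01"` and `"lastPublishDate": "2025-12-10"`, while the `ReleaseNotes.md` added in the same commit dates the 1.0.0 and 3.0.0 entries `01-12-2024` and `09-12-2024`, so the two files disagree on the year. The package template visible earlier in this diff also carries `2025-12-01` / `2025-12-10`, which suggests the metadata is the intended value and the release-note rows should read `01-12-2025` and `09-12-2025` (or the metadata should be corrected the other way); either way the three should be reconciled before publishing, since Content Hub surfaces the metadata dates.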