Conversation

@mazamizo21
Contributor

Official Data443 Submission

This is the official submission from the Data443 organization for the TacitRed SentinelOne IOC Automation solution.

Changes

  • Standardized publisher information to 'Data443 Risk Mitigation, Inc.'.
  • Added comprehensive documentation.
  • Validated implementation.

This PR supersedes and replaces PR #13243.
Please close #13243 in favor of this one.

@mazamizo21 mazamizo21 requested review from a team as code owners December 8, 2025 19:24
@mazamizo21 mazamizo21 requested a review from a team as a code owner December 8, 2025 20:11
@v-shukore v-shukore self-assigned this Dec 9, 2025
@v-shukore v-shukore added the New Solution For new Solutions which are new to Microsoft Sentinel label Dec 9, 2025
@v-shukore
Contributor

v-shukore commented Dec 9, 2025

Hi @mazamizo21,
Please ensure that each solution includes the data connector folder and its relevant files, as well as the data file, releasenote file, solutionmetadata file, maintemplate, createui files, and a zip file with version 3.0.0. All these files are required.
You can package the solution using the V3 tool. Here is the readme file for creating a new solution: https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.…
Also, you can refer to any solution from our repo to get an understanding of the folder structure.
If you have any questions, please feel free to connect with me and Mahesh on MS Teams. This is my email id: [email protected].
Thanks!

@mazamizo21 mazamizo21 force-pushed the feature/tacitred-sentinelone-v1 branch 3 times, most recently from 9a78d60 to 4895423 Compare December 10, 2025 00:50
@mazamizo21
Contributor Author

Hi @v-shukore,

Thank you for the feedback! We've reviewed the Azure Sentinel Solutions repository and found 20+ approved production solutions that are playbook-only without data connector folders.

Examples of Approved Playbook-Only Solutions

Pure playbook solutions (no data connectors):

  • HYAS (v3.0.0) - 24 playbooks, no data connectors
  • Recorded Future (v3.2.17) - 14 playbooks + 8 workbooks + 4 analytics, no data connectors
  • Tanium - Playbooks + workbooks + analytics, no data connectors
  • Pure Storage - Playbooks + workbooks, no data connectors
  • SalemCyber, Farsight DNSDB, GoogleDirectory, Apache Log4j Vulnerability Detection, SAP, AWS Systems Manager, Group-IB, NCSC-NL NDN, Neustar IP GeoPoint, DNS Essentials, ShadowByte Aria, AWS_IAM, IronNet IronDefense, Intel471, Torq - All playbook-only, no data connectors

Our Solution Structure

TacitRed SentinelOne IOC Automation follows the same pattern:

  • Playbook-only automation solution (no data ingestion)
  • ✅ Consumes existing threat intelligence from Sentinel
  • ✅ Prepares indicators for SentinelOne ingestion
  • ✅ All V3 packaging files present:
    • mainTemplate.json, createUiDefinition.json, 3.0.0.zip
    • SolutionMetadata.json (with lastPublishDate: 2025-12-10)
    • ReleaseNotes.md, README.md

Question

Based on these 20+ approved playbook-only solutions in the repository, can you confirm that data connector folders are not required for automation-only solutions?

Our solution structure is identical to HYAS and other approved playbook-only solutions.

Thank you for your guidance!

Data443 Risk Mitigation, Inc.
[email protected]

@v-shukore
Contributor

Hi @mazamizo21, the solution now appears well-organized with the appropriate files included. I will review it and inform you if any updates are required. Thank you.

@mazamizo21 mazamizo21 force-pushed the feature/tacitred-sentinelone-v1 branch 5 times, most recently from 1f9e4b5 to 9cb6018 Compare December 15, 2025 11:22
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Dec 18, 2025
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Dec 18, 2025
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Dec 18, 2025
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Dec 18, 2025
@v-shukore
Contributor

Hi @mazamizo21,

Please remove the 1.0.2 zip package from the solution.

Also, remove the packagemetadata.json and deploymentParameters.json files from the package folder. If these files are necessary, please keep them outside the package folder.

Additionally, create a folder named Image inside the Playbook folder and add all running playbook images into it.

Please also correct the format of the releasenote.md file.

Thanks!

@mazamizo21
Contributor Author

Update: All Requested Changes Applied

Hi Microsoft Team,

Thank you for your feedback. We have addressed all the requested changes:

✅ 1. Removed 1.0.2 zip package

  • Deleted Solutions/TacitRed-SentinelOne/Package/1.0.2.zip
  • Only 3.0.0.zip remains in the Package folder

✅ 2. Moved packageMetadata.json and deploymentParameters.json outside Package folder

  • Before: Solutions/TacitRed-SentinelOne/Package/packageMetadata.json
  • After: Solutions/TacitRed-SentinelOne/packageMetadata.json
  • Before: Solutions/TacitRed-SentinelOne/Package/deploymentParameters.json
  • After: Solutions/TacitRed-SentinelOne/deploymentParameters.json

✅ 3. Created Images folder in Playbooks with running playbook screenshots

  • Solutions/TacitRed-SentinelOne/Playbooks/Images/TacitRedToSentinelOneLight.png
  • Solutions/TacitRed-SentinelOne/Playbooks/Images/TacitRedToSentinelOneDark.png

✅ 4. Fixed ReleaseNotes.md format

  • Added proper # Release Notes heading
  • Aligned table columns correctly

Thank you!

Data443 Risk Mitigation, Inc.

@v-shukore
Contributor

Hi @mazamizo21, could you please grant me the branch access so I can make the necessary changes and commit them. Thanks!!

@mazamizo21
Contributor Author

mazamizo21 commented Dec 31, 2025 via email

@mazamizo21
Contributor Author

Verified: This solution does not contain any broken tacitred.com or cyren.com documentation URLs. The only TacitRed references are API endpoints (app.tacitred.com) which are functional and required for the connector to work.

@v-shukore
Contributor

Hi @mazamizo21, we deployed the maintemplate in our Microsoft Sentinel workspace and checked, but the playbook isn't showing or loading, so we're unable to test it. Could you check in your workspace and share a screenshot here? Thanks!

@mazamizo21
Contributor Author

Hi @v-shukore,

Thank you for testing the solution! I've identified and fixed the issue with the playbook not showing/loading.

Root Cause

The playbookContentId1 in the mainTemplate was set to a generic string "Playbooks" instead of a unique identifier. This prevented Content Hub from properly registering and displaying the playbook after deployment.

Fix Applied (commit 02582c3)

  1. Changed playbookContentId1 from "Playbooks" to "TacitRedToSentinelOne"
  2. Updated displayName from "Playbooks" to "TacitRed to SentinelOne IOC Automation"
  3. Fixed dependency contentId reference to use the correct variable
  4. Removed unused variables for ARM-TTK compliance

The playbook should now properly appear in Content Hub after deployment. Please redeploy and let me know if you can see and test the playbook now.

Thanks!
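
One way to catch this class of packaging defect before deploying a solution, as an added example that is not part of this PR or of the Azure-Sentinel repo tooling: a small lint over the mainTemplate variables and resources that flags generic playbookContentId values, generic displayNames, and contentId references to undeclared variables. The two template excerpts are constructed to mirror the broken and fixed states described above.

```python
import re

# Constructed excerpts of a Sentinel solution mainTemplate.json (not the PR's
# actual file). BROKEN mirrors the thread's defect: a generic playbookContentId
# and displayName, plus a dependency that points at the wrong variable.
BROKEN_TEMPLATE = {
    "variables": {"playbookContentId1": "Playbooks", "playbookVersion1": "1.0.0"},
    "resources": [
        {"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
         "properties": {"contentId": "[variables('playbookContentId1')]",
                        "displayName": "Playbooks"}},
        {"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
         "properties": {"contentId": "[variables('playbookId1')]",
                        "displayName": "TacitRed SentinelOne IOC Automation"}},
    ],
}
FIXED_TEMPLATE = {
    "variables": {"playbookContentId1": "TacitRedToSentinelOne", "playbookVersion1": "1.0.0"},
    "resources": [
        {"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
         "properties": {"contentId": "[variables('playbookContentId1')]",
                        "displayName": "TacitRed to SentinelOne IOC Automation"}},
    ],
}

# Placeholder names that Content Hub cannot use to register a distinct item.
GENERIC_NAMES = {"", "playbook", "playbooks", "workbook", "workbooks", "analytics"}
VAR_REF = re.compile(r"\[variables\('(\w+)'\)\]")


def find_playbook_id_issues(template: dict) -> list[str]:
    """Return human-readable findings for a mainTemplate dict; empty list means clean."""
    issues = []
    variables = template.get("variables", {})
    content_ids = {k: v for k, v in variables.items()
                   if re.fullmatch(r"playbookContentId\d+", k)}
    if not content_ids:
        issues.append("no playbookContentId<n> variable declared")
    for name, value in content_ids.items():
        if not isinstance(value, str) or value.strip().lower() in GENERIC_NAMES:
            issues.append(f"{name} is generic ({value!r}); Content Hub needs a unique id")
    for res in template.get("resources", []):
        props = res.get("properties", {})
        ref = VAR_REF.fullmatch(props.get("contentId", ""))
        if ref and ref.group(1) not in variables:
            issues.append(f"contentId references undeclared variable {ref.group(1)!r}")
        display = props.get("displayName")
        if display is not None and display.strip().lower() in GENERIC_NAMES:
            issues.append(f"displayName {display!r} is generic")
    return issues
```

Running the check over a real solution means loading `Package/mainTemplate.json` with `json.load` and passing the result in; a non-empty list is a reason not to package.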

@mazamizo21 mazamizo21 force-pushed the feature/tacitred-sentinelone-v1 branch 3 times, most recently from 59a4da3 to abf9afd Compare January 14, 2026 01:35
@mazamizo21 mazamizo21 force-pushed the feature/tacitred-sentinelone-v1 branch from aec9a39 to 831026f Compare January 19, 2026 10:43
- Dynamic 7-day lookback matching CCF polling window for cost reduction
- Uses date_from=@{formatDateTime(addDays(utcNow(), -7), 'yyyy-MM-dd')}
- Clean branch with only TacitRed-SentinelOne solution files
@mazamizo21 mazamizo21 force-pushed the feature/tacitred-sentinelone-v1 branch from 8381800 to 9cd6f8b Compare January 19, 2026 12:50