diff --git a/Solutions/TacitRed-IOC-CrowdStrike/Data/Solution_TacitRedCrowdStrikeAutomation.json b/Solutions/TacitRed-IOC-CrowdStrike/Data/Solution_TacitRedCrowdStrikeAutomation.json new file mode 100644 index 00000000000..86c82ec170d --- /dev/null +++ b/Solutions/TacitRed-IOC-CrowdStrike/Data/Solution_TacitRedCrowdStrikeAutomation.json @@ -0,0 +1,14 @@ +{ + "Name": "TacitRed-IOC-CrowdStrike", + "Author": "Data443 Risk Mitigation, Inc. - support@data443.com", + "Logo": "", + "Description": "The TacitRed CrowdStrike IOC Automation solution provides example playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and prepare indicators for ingestion into CrowdStrike.", + "Playbooks": [ + "Playbooks/TacitRedToCrowdStrike_Playbook.json" + ], + "Metadata": "SolutionMetadata.json", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\TacitRed-IOC-CrowdStrike", + "Version": "3.0.0", + "TemplateSpec": true, + "Is1Pconnector": false +} diff --git a/Solutions/TacitRed-IOC-CrowdStrike/Package/3.0.0.zip b/Solutions/TacitRed-IOC-CrowdStrike/Package/3.0.0.zip new file mode 100644 index 00000000000..ff90009ff03 Binary files /dev/null and b/Solutions/TacitRed-IOC-CrowdStrike/Package/3.0.0.zip differ diff --git a/Solutions/TacitRed-IOC-CrowdStrike/Package/3.0.4.zip b/Solutions/TacitRed-IOC-CrowdStrike/Package/3.0.4.zip new file mode 100644 index 00000000000..d57e598c447 Binary files /dev/null and b/Solutions/TacitRed-IOC-CrowdStrike/Package/3.0.4.zip differ diff --git a/Solutions/TacitRed-IOC-CrowdStrike/Package/createUiDefinition.json b/Solutions/TacitRed-IOC-CrowdStrike/Package/createUiDefinition.json new file mode 100644 index 00000000000..ce3187ddc5f --- /dev/null +++ b/Solutions/TacitRed-IOC-CrowdStrike/Package/createUiDefinition.json @@ -0,0 +1,90 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/TacitRed-IOC-CrowdStrike/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe TacitRed CrowdStrike IOC Automation solution provides example playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and prepare indicators for ingestion into CrowdStrike.\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://learn.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} + diff --git a/Solutions/TacitRed-IOC-CrowdStrike/Package/deploymentParameters.json b/Solutions/TacitRed-IOC-CrowdStrike/Package/deploymentParameters.json new file mode 100644 index 00000000000..450c14f844e --- /dev/null +++ b/Solutions/TacitRed-IOC-CrowdStrike/Package/deploymentParameters.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "logicAppName": { + "value": "pb-tacitred-to-crowdstrike" + }, + "location": { + "value": "eastus" + } + } +} diff --git a/Solutions/TacitRed-IOC-CrowdStrike/Package/mainTemplate.json b/Solutions/TacitRed-IOC-CrowdStrike/Package/mainTemplate.json new file mode 100644 index 00000000000..943ff60dea9 --- /dev/null +++ b/Solutions/TacitRed-IOC-CrowdStrike/Package/mainTemplate.json @@ -0,0 +1,354 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "TacitRed - support@data443.com", + "comments": "Solution template for TacitRed-IOC-CrowdStrike" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "email": "support@data443.com", + "_email": "[variables('email')]", + "_solutionName": "TacitRed-IOC-CrowdStrike", + "_solutionVersion": "3.0.0", + "solutionId": "data443.azure-sentinel-solution-tacitred-crowdstrike-ioc-automation", + "_solutionId": "[variables('solutionId')]", + "Playbooks": "Playbooks", + "_Playbooks": "[variables('Playbooks')]", + "blanks": "[replace('b', 'b', '')]", + "playbookVersion1": "1.0", + "playbookContentId1": "TacitRedToCrowdStrike", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2025-09-01", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "TacitRed to CrowdStrike IOC Automation Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "logicAppName": { + "type": "string", + "defaultValue": "pb-tacitred-to-crowdstrike" + }, + "location": { + "type": "string", + "defaultValue": "[concat('[resourceGroup().locatio', 'n]')]" + }, + "TacitRed_ApiKey": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "TacitRed API Key for authentication" + } + }, + "TacitRed_Domain": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional domain filter for TacitRed findings" + } + }, + "CrowdStrike_ClientId": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "CrowdStrike OAuth2 Client ID" + } + }, + "CrowdStrike_ClientSecret": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "CrowdStrike OAuth2 Client Secret" + } + } + }, + "variables": { + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[[parameters('logicAppName')]", + "location": "[[parameters('location')]", + "properties": { + "state": "Enabled", + "parameters": { + "TacitRed_ApiKey": { + "value": "[[parameters('TacitRed_ApiKey')]" + }, + "TacitRed_Domain": { + "value": "[[parameters('TacitRed_Domain')]" + }, + "CrowdStrike_ClientId": { + "value": "[[parameters('CrowdStrike_ClientId')]" + }, + "CrowdStrike_ClientSecret": { + "value": "[[parameters('CrowdStrike_ClientSecret')]" + } + }, + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "TacitRed_ApiUrl": { + "type": "string", + "defaultValue": "https://app.tacitred.com/api/v1/findings" + }, + "TacitRed_ApiKey": { + "type": "string", + "defaultValue": "[variables('blanks')]" + }, + "TacitRed_Domain": { + "type": "string", + "defaultValue": "[variables('blanks')]" + }, + "CrowdStrike_BaseUrl": { + "type": "string", + "defaultValue": "https://api.us-2.crowdstrike.com" + }, + "CrowdStrike_TokenPath": { + "type": "string", + "defaultValue": "/oauth2/token" + }, + "CrowdStrike_IocPath": { + "type": "string", + "defaultValue": "/iocs/entities/indicators/v1" + }, + "CrowdStrike_ClientId": { + "type": "string", + "defaultValue": "[variables('blanks')]" + }, + "CrowdStrike_ClientSecret": { + "type": "string", + "defaultValue": "[variables('blanks')]" + } + }, + "triggers": { + "Recurrence": { + "type": "Recurrence", + "recurrence": { + "frequency": "Hour", + "interval": 6, + "timeZone": "UTC" + } + } + }, + "actions": { + "Get_TacitRed_Findings": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{parameters('TacitRed_ApiUrl')}?types[]=compromised_credentials&domains[]=@{encodeUriComponent(if(empty(parameters('TacitRed_Domain')),'',parameters('TacitRed_Domain')))}&page=1&page_size=50", + "headers": { + "accept": "application/json", + "Authorization": "@{parameters('TacitRed_ApiKey')}" + } + } + }, + "Get_CrowdStrike_Token": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{parameters('CrowdStrike_BaseUrl')}@{parameters('CrowdStrike_TokenPath')}", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "body": "client_id=@{parameters('CrowdStrike_ClientId')}&client_secret=@{parameters('CrowdStrike_ClientSecret')}" + }, + "runAfter": { + "Get_TacitRed_Findings": [ + "Succeeded" + ] + } + }, + "For_each_Finding": { + "type": "Foreach", + "foreach": "@body('Get_TacitRed_Findings')?['results']", + "runAfter": { + "Get_CrowdStrike_Token": [ + "Succeeded" + ] + }, + "actions": { + "Post_IOC_to_CrowdStrike": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{parameters('CrowdStrike_BaseUrl')}@{parameters('CrowdStrike_IocPath')}?ignore_warnings=true", + "headers": { + "Content-Type": "application/json", + "Authorization": "Bearer @{body('Get_CrowdStrike_Token')?['access_token']}" + }, + "body": { + "indicators": [ + { + "type": "domain", + "value": "@{coalesce(item()?['finding']?['supporting_data']?['site_domain'], item()?['finding']?['supporting_data']?['domain'])}", + "action": "detect", + "severity": "medium", + "description": "TacitRed: @{coalesce(item()?['finding']?['supporting_data']?['stealer'], 'Unknown Stealer')} | Credential: @{coalesce(item()?['finding']?['supporting_data']?['credential'], 'N/A')} | Compromised: @{coalesce(item()?['finding']?['supporting_data']?['date_compromised'], item()?['time'])} | Machine: @{coalesce(item()?['finding']?['supporting_data']?['machine_name'], 'Unknown')} (@{coalesce(item()?['finding']?['supporting_data']?['os'], 'Unknown OS')}) | URL: @{coalesce(item()?['finding']?['supporting_data']?['compromised_url'], 'N/A')} | UID: @{coalesce(item()?['finding']?['uid'], string(item()?['activity_id']))}", + "source": "TacitRed", + "tags": [ + "compromised_credential", + "@{coalesce(item()?['finding']?['supporting_data']?['stealer'], 'stealer')}", + "tacitred" + ], + "platforms": [ + "windows", + "mac", + "linux" + ], + "applied_globally": true + } + ] + } + } + } + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2025-09-01", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "TacitRed-IOC-CrowdStrike", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "TacitRed", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "TacitRed to CrowdStrike IOC Automation", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2025-09-01", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "TacitRed-IOC-CrowdStrike", + "publisherDisplayName": "Data443 Risk Mitigation, Inc.", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The TacitRed CrowdStrike IOC Automation solution provides example playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and prepare indicators for ingestion into CrowdStrike.

\n

Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "TacitRed-IOC-CrowdStrike", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "TacitRed", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Playbook", + "contentId": "[variables('_playbookContentId1')]", + "version": "[variables('playbookVersion1')]" + } + ] + }, + "firstPublishDate": "2025-11-25", + "providers": [ + "Data443 Risk Mitigation, Inc." + ], + "categories": { + "domains": [ + "Security - Threat Intelligence" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/TacitRed-IOC-CrowdStrike/Package/packageMetadata.json b/Solutions/TacitRed-IOC-CrowdStrike/Package/packageMetadata.json new file mode 100644 index 00000000000..f0a6831867c --- /dev/null +++ b/Solutions/TacitRed-IOC-CrowdStrike/Package/packageMetadata.json @@ -0,0 +1,13 @@ +{ + "version": "3.0.4", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "contentId": "TacitRedCrowdStrikeIOCAutomation", + "contentKind": "Solution", + "displayName": "TacitRed CrowdStrike IOC Automation", + "publisherDisplayName": "Data443 Risk Mitigation, Inc.", + "descriptionHtml": "

TacitRed CrowdStrike IOC Automation provides a Logic App playbook that automatically syncs compromised credential indicators from TacitRed to CrowdStrike Falcon.

This solution includes:

Key Features:

", + "contentProductId": "tacitred-crowdstrike-ioc-automation", + "id": "tacitred-crowdstrike-ioc-automation", + "icon": "" +} \ No newline at end of file diff --git a/Solutions/TacitRed-IOC-CrowdStrike/Package/testParameters.json b/Solutions/TacitRed-IOC-CrowdStrike/Package/testParameters.json new file mode 100644 index 00000000000..e55ec41a9ac --- /dev/null +++ b/Solutions/TacitRed-IOC-CrowdStrike/Package/testParameters.json @@ -0,0 +1,24 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } +} diff --git a/Solutions/TacitRed-IOC-CrowdStrike/Playbooks/Images/TacitRedToCrowdStrikeDark.png b/Solutions/TacitRed-IOC-CrowdStrike/Playbooks/Images/TacitRedToCrowdStrikeDark.png new file mode 100644 index 00000000000..dc5814278b4 Binary files /dev/null and b/Solutions/TacitRed-IOC-CrowdStrike/Playbooks/Images/TacitRedToCrowdStrikeDark.png differ diff --git a/Solutions/TacitRed-IOC-CrowdStrike/Playbooks/Images/TacitRedToCrowdStrikeLight.png b/Solutions/TacitRed-IOC-CrowdStrike/Playbooks/Images/TacitRedToCrowdStrikeLight.png new file mode 100644 index 00000000000..690c1f86f46 Binary files /dev/null and b/Solutions/TacitRed-IOC-CrowdStrike/Playbooks/Images/TacitRedToCrowdStrikeLight.png differ diff --git a/Solutions/TacitRed-IOC-CrowdStrike/Playbooks/TacitRedToCrowdStrike_Playbook.json b/Solutions/TacitRed-IOC-CrowdStrike/Playbooks/TacitRedToCrowdStrike_Playbook.json new file mode 100644 index 00000000000..1fe8147450d --- /dev/null +++ b/Solutions/TacitRed-IOC-CrowdStrike/Playbooks/TacitRedToCrowdStrike_Playbook.json @@ -0,0 +1,183 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "logicAppName": { + "type": "string", + "defaultValue": "pb-tacitred-to-crowdstrike" + }, + "location": { + "type": "string", + "defaultValue": "[concat('[resourceGroup().locatio', 'n]')]" + }, + "TacitRed_ApiKey": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "TacitRed API Key for authentication" + } + }, + "TacitRed_Domain": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional domain filter for TacitRed findings" + } + }, + "CrowdStrike_ClientId": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "CrowdStrike OAuth2 Client ID" + } + }, + "CrowdStrike_ClientSecret": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "CrowdStrike OAuth2 Client Secret" + } + } + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('logicAppName')]", + "location": "[parameters('location')]", + "properties": { + "state": "Enabled", + "parameters": { + "TacitRed_ApiKey": { + "value": "[parameters('TacitRed_ApiKey')]" + }, + "TacitRed_Domain": { + "value": "[parameters('TacitRed_Domain')]" + }, + "CrowdStrike_ClientId": { + "value": "[parameters('CrowdStrike_ClientId')]" + }, + "CrowdStrike_ClientSecret": { + "value": "[parameters('CrowdStrike_ClientSecret')]" + } + }, + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "TacitRed_ApiUrl": { + "type": "string", + "defaultValue": "https://app.tacitred.com/api/v1/findings" + }, + "TacitRed_ApiKey": { + "type": "string", + "defaultValue": "" + }, + "TacitRed_Domain": { + "type": "string", + "defaultValue": "" + }, + "CrowdStrike_BaseUrl": { + "type": "string", + "defaultValue": "https://api.us-2.crowdstrike.com" + }, + "CrowdStrike_TokenPath": { + "type": "string", + "defaultValue": "/oauth2/token" + }, + "CrowdStrike_IocPath": { + "type": "string", + "defaultValue": "/iocs/entities/indicators/v1" + }, + "CrowdStrike_ClientId": { + "type": "string", + "defaultValue": "" + }, + "CrowdStrike_ClientSecret": { + "type": "string", + "defaultValue": "" + } + }, + "triggers": { + "Recurrence": { + "type": "Recurrence", + "recurrence": { + "frequency": "Hour", + "interval": 6, + "timeZone": "UTC" + } + } + }, + "actions": { + "Get_TacitRed_Findings": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{parameters('TacitRed_ApiUrl')}?types[]=compromised_credentials&domains[]=@{encodeUriComponent(if(empty(parameters('TacitRed_Domain')),'',parameters('TacitRed_Domain')))}&page=1&page_size=50", + "headers": { + "accept": "application/json", + "Authorization": "@{parameters('TacitRed_ApiKey')}" + } + }, + "runAfter": {} + }, + "Get_CrowdStrike_Token": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{parameters('CrowdStrike_BaseUrl')}@{parameters('CrowdStrike_TokenPath')}", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "body": "client_id=@{parameters('CrowdStrike_ClientId')}&client_secret=@{parameters('CrowdStrike_ClientSecret')}" + }, + "runAfter": { + "Get_TacitRed_Findings": [ + "Succeeded" + ] + } + }, + "For_each_Finding": { + "type": "Foreach", + "foreach": "@body('Get_TacitRed_Findings')?['results']", + "runAfter": { + "Get_CrowdStrike_Token": [ + "Succeeded" + ] + }, + "actions": { + "Post_IOC_to_CrowdStrike": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{parameters('CrowdStrike_BaseUrl')}@{parameters('CrowdStrike_IocPath')}?ignore_warnings=true", + "headers": { + "Content-Type": "application/json", + "Authorization": "Bearer @{body('Get_CrowdStrike_Token')?['access_token']}" + }, + "body": { + "indicators": [ + { + "type": "domain", + "value": "@{coalesce(item()?['finding']?['supporting_data']?['site_domain'], item()?['finding']?['supporting_data']?['domain'])}", + "action": "detect", + "severity": "medium", + "description": "TacitRed: @{coalesce(item()?['finding']?['supporting_data']?['stealer'], 'Unknown Stealer')} | Credential: @{coalesce(item()?['finding']?['supporting_data']?['credential'], 'N/A')} | Compromised: @{coalesce(item()?['finding']?['supporting_data']?['date_compromised'], item()?['time'])} | Machine: @{coalesce(item()?['finding']?['supporting_data']?['machine_name'], 'Unknown')} (@{coalesce(item()?['finding']?['supporting_data']?['os'], 'Unknown OS')}) | URL: @{coalesce(item()?['finding']?['supporting_data']?['compromised_url'], 'N/A')} | UID: @{coalesce(item()?['finding']?['uid'], string(item()?['activity_id']))}", + "source": "TacitRed", + "tags": ["compromised_credential", "@{coalesce(item()?['finding']?['supporting_data']?['stealer'], 'stealer')}", "tacitred"], + "platforms": ["windows", "mac", "linux"], + "applied_globally": true + } + ] + } + } + } + } + } + }, + "outputs": {} + } + } + } + ] +} diff --git a/Solutions/TacitRed-IOC-CrowdStrike/README.md b/Solutions/TacitRed-IOC-CrowdStrike/README.md new file mode 100644 index 00000000000..82a326d4128 --- /dev/null +++ b/Solutions/TacitRed-IOC-CrowdStrike/README.md @@ -0,0 +1,48 @@ +# TacitRed CrowdStrike IOC Automation Solution for Microsoft Sentinel + +## Overview + +The TacitRed CrowdStrike IOC Automation solution provides playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and push indicators of compromise (IOCs) to CrowdStrike Falcon for automated threat response. + +## Solution Components + +| Component | Description | +|-----------|-------------| +| **Playbook** | Logic App that fetches compromised credentials from TacitRed and creates custom IOC entries in CrowdStrike Falcon | + +## Prerequisites + +- Microsoft Sentinel workspace +- TacitRed API Key +- CrowdStrike Falcon console access with API credentials (Client ID and Client Secret) +- Appropriate RBAC permissions to deploy Logic Apps + +## Deployment + +1. Navigate to Microsoft Sentinel Content Hub +2. Search for "TacitRed CrowdStrike" +3. Click Install and follow the deployment wizard +4. Provide the following parameters: + - **TacitRed API Key**: Your TacitRed API credentials + - **CrowdStrike Client ID**: Your CrowdStrike API Client ID + - **CrowdStrike Client Secret**: Your CrowdStrike API Client Secret + - **CrowdStrike Base URL**: Your CrowdStrike API URL (e.g., https://api.crowdstrike.com) + +## How It Works + +1. The playbook runs on a scheduled trigger +2. It queries TacitRed for recent compromised credential findings +3. For each finding, it creates a custom IOC entry in CrowdStrike Falcon +4. CrowdStrike can then use these IOCs for detection and response + +## Support + +- **Provider**: Data443 Risk Mitigation, Inc. +- **Email**: support@data443.com +- **Website**: https://www.data443.com + +## Learn More + +- [Microsoft Sentinel Documentation](https://learn.microsoft.com/azure/sentinel/) +- [TacitRed Platform](https://data443.com/tacitred-attack-surface-intelligence/) +- [CrowdStrike Falcon Documentation](https://www.crowdstrike.com/resources/) diff --git a/Solutions/TacitRed-IOC-CrowdStrike/ReleaseNotes.md b/Solutions/TacitRed-IOC-CrowdStrike/ReleaseNotes.md new file mode 100644 index 00000000000..64b5b63aaa1 --- /dev/null +++ b/Solutions/TacitRed-IOC-CrowdStrike/ReleaseNotes.md @@ -0,0 +1,5 @@ +# Release Notes + +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------| +| 3.0.0 | 30-12-2025 | The initial release of the TacitRed CrowdStrike IOC Automation Solution includes a Logic App **Playbook** designed for automated IOC synchronization. This release supports IOC types such as Domain and SHA256. | diff --git a/Solutions/TacitRed-IOC-CrowdStrike/SolutionMetadata.json b/Solutions/TacitRed-IOC-CrowdStrike/SolutionMetadata.json new file mode 100644 index 00000000000..c3602559a31 --- /dev/null +++ b/Solutions/TacitRed-IOC-CrowdStrike/SolutionMetadata.json @@ -0,0 +1,16 @@ +{ + "publisherId": "data443", + "offerId": "azure-sentinel-solution-tacitred-crowdstrike-ioc-automation", + "firstPublishDate": "2025-11-25", + "providers": ["Data443 Risk Mitigation, Inc."], + "categories": { + "domains": ["Security - Threat Intelligence"], + "verticals": [] + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + } +} diff --git a/Solutions/TacitRed-IOC-CrowdStrike/deploymentParameters.json b/Solutions/TacitRed-IOC-CrowdStrike/deploymentParameters.json new file mode 100644 index 00000000000..450c14f844e --- /dev/null +++ b/Solutions/TacitRed-IOC-CrowdStrike/deploymentParameters.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "logicAppName": { + "value": "pb-tacitred-to-crowdstrike" + }, + "location": { + "value": "eastus" + } + } +}