Conversation

@mazamizo21

Official Data443 Submission

This is the official submission from the Data443 organization for the TacitRed CrowdStrike IOC Automation solution.

Changes

  • Standardized publisher information to 'Data443 Risk Mitigation, Inc.'.
  • Added comprehensive documentation.
  • Validated implementation.

This PR supersedes and replaces PR #13241.
Please close #13241 in favor of this one.

@mazamizo21 mazamizo21 requested review from a team as code owners December 8, 2025 19:24
@mazamizo21 mazamizo21 requested a review from a team as a code owner December 8, 2025 20:11
@v-shukore v-shukore self-assigned this Dec 9, 2025
@v-shukore v-shukore added the "New Solution" label (For new Solutions which are new to Microsoft Sentinel) Dec 9, 2025
@v-shukore
Contributor

Hi @mazamizo21,

Please ensure that each solution includes the data connector folder and its relevant files, as well as the data file, releasenote file, solutionmetadata file, maintemplate, createui files, and a zip file with version 3.0.0. All these files are required.
You can package the solution using the V3 tool. Here is the readme file for creating a new solution: https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.…
If you have any questions, please feel free to connect with me and Mahesh on MS Teams; this is my email id: [email protected].
Thanks!

@mazamizo21 mazamizo21 force-pushed the feature/tacitred-crowdstrike-ioc branch 3 times, most recently from 710dc5d to 87d5486 on December 10, 2025 00:49
@mazamizo21
Author

Hi @v-shukore,

Thank you for the feedback! We've reviewed the Azure Sentinel Solutions repository and found 20+ approved production solutions that are playbook-only without data connector folders.

Examples of Approved Playbook-Only Solutions

Pure playbook solutions (no data connectors):

  • HYAS (v3.0.0) - 24 playbooks, no data connectors
  • Recorded Future (v3.2.17) - 14 playbooks + 8 workbooks + 4 analytics, no data connectors
  • Tanium - Playbooks + workbooks + analytics, no data connectors
  • Pure Storage - Playbooks + workbooks, no data connectors
  • SalemCyber, Farsight DNSDB, GoogleDirectory, Apache Log4j Vulnerability Detection, SAP, AWS Systems Manager, Group-IB, NCSC-NL NDN, Neustar IP GeoPoint, DNS Essentials, ShadowByte Aria, AWS_IAM, IronNet IronDefense, Intel471, Torq - All playbook-only, no data connectors

Our Solution Structure

TacitRed CrowdStrike IOC Automation follows the same pattern:

  • Playbook-only automation solution (no data ingestion)
  • ✅ Consumes existing threat intelligence from Sentinel
  • ✅ Prepares indicators for CrowdStrike ingestion
  • ✅ All V3 packaging files present:
    • mainTemplate.json, createUiDefinition.json, 3.0.0.zip
    • SolutionMetadata.json (with lastPublishDate)
    • ReleaseNotes.md, README.md

Question

Based on these 20+ approved playbook-only solutions in the repository, can you confirm that data connector folders are not required for automation-only solutions?

Our solution structure is identical to HYAS and other approved playbook-only solutions.

Thank you for your guidance!

Data443 Risk Mitigation, Inc.
[email protected]

@v-shukore
Contributor

Hi @mazamizo21, the solution now appears well-organized with the appropriate files included. I will review it and inform you if any updates are required. Thank you.

@mazamizo21
Author

@v-shukore can you please run the review on all 5 PRs?

@mazamizo21
Author

@v-shukore Just a side note: it seems like the V3 tool is reverting back the old API version after I corrected it a couple of times in my repo. I corrected my local V3 version, but you might need to check your V3 to correct it as well.

@mazamizo21 mazamizo21 force-pushed the feature/tacitred-crowdstrike-ioc branch 5 times, most recently from 3f1c487 to e9d37b3 on December 15, 2025 11:22
@v-shukore
Contributor

Hi @mazamizo21,

Please add the solution logo to the following path:
https://github.com/Azure/Azure-Sentinel/tree/master/Logos

Also, remove the packagemetadata.json and deploymentParameters.json files from the package folder. If these files are necessary, please keep them outside the package folder.

Additionally, create a folder named Image inside the Playbook folder and add all running playbook images into it.

Please also correct the format of the releasenote.md file.

Thanks!

@mazamizo21
Author

Update: All Requested Changes Applied

Hi Microsoft Team,

Thank you for your feedback. We have addressed all the requested changes:

✅ 1. Added solution logo to Logos folder

  • Added Logos/tacitred_logo.svg

✅ 2. Moved packageMetadata.json and deploymentParameters.json outside Package folder

  • Before: Solutions/TacitRed-IOC-CrowdStrike/Package/packageMetadata.json
  • After: Solutions/TacitRed-IOC-CrowdStrike/packageMetadata.json
  • Before: Solutions/TacitRed-IOC-CrowdStrike/Package/deploymentParameters.json
  • After: Solutions/TacitRed-IOC-CrowdStrike/deploymentParameters.json

✅ 3. Created Images folder in Playbooks with running playbook screenshots

  • Solutions/TacitRed-IOC-CrowdStrike/Playbooks/Images/TacitRedToCrowdStrikeLight.png
  • Solutions/TacitRed-IOC-CrowdStrike/Playbooks/Images/TacitRedToCrowdStrikeDark.png

✅ 4. Fixed ReleaseNotes.md format

  • Converted to standard table format with Version, Date Modified, and Change History columns

Thank you!

Data443 Risk Mitigation, Inc.

@v-shukore
Contributor

Hi @mazamizo21, could you please grant me branch access so I can make the necessary changes and commit them? Thanks!!

@mazamizo21
Author

Verified: This solution does not contain any broken tacitred.com or cyren.com documentation URLs. The only TacitRed references are API endpoints (app.tacitred.com) which are functional and required for the connector to work.

@v-shukore
Contributor

Hi @mazamizo21, we deployed the maintemplate in our Microsoft Sentinel workspace and checked, but the playbook isn't showing or loading, so we're unable to test it. Could you check in your workspace and share a screenshot here? Thanks!
[screenshot]

@mazamizo21
Author

Hi @v-shukore,

Thank you for testing the solution! I've identified and fixed the issue with the playbook not showing/loading.

Root Cause

The playbookContentId1 in the mainTemplate was set to a generic string "Playbooks" instead of a unique identifier. This prevented Content Hub from properly registering and displaying the playbook after deployment.

Fix Applied (commits f8fe527, 3fb2e86)

  1. Changed playbookContentId1 from "Playbooks" to "TacitRedToCrowdStrike"
  2. Updated displayName from "Playbooks" to "TacitRed to CrowdStrike IOC Automation"
  3. Fixed dependency contentId reference to use the correct variable
  4. Removed unused variables to pass ARM-TTK validation

The playbook should now properly appear in Content Hub after deployment. Please redeploy and let me know if you can see and test the playbook now.

Thanks!
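The root cause above (a playbookContentId variable left at the generic "Playbooks", plus a dependency contentId pointing at the wrong variable) and the ARM-TTK "Variables Must Be Referenced" failure mentioned later in the thread are all mechanical template defects that can be caught before deployment. The lint below is an added example, not part of this PR or of the Azure-Sentinel repository's tooling; its sample template is constructed and only loosely mirrors the real mainTemplate.json shape.

```python
import re

VAR_REF = re.compile(r"variables\('([^']+)'\)")
GENERIC_IDS = {"Playbooks", "Playbook"}  # placeholder names that can never be unique

def collect_refs(node, refs):
    """Gather every variables('x') reference found in the template's strings."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for value in node:
            collect_refs(value, refs)
    elif isinstance(node, str):
        refs.update(VAR_REF.findall(node))
    return refs

def lint_template(template):
    """Report generic content IDs, dangling references and unused variables
    (the last is what ARM-TTK's "Variables Must Be Referenced" test fails on)."""
    variables = template.get("variables", {})
    # Liveness is seeded from everything outside "variables" and follows variable-to-variable
    # references, so "Playbooks" (referenced only by the equally dead "_Playbooks") is reported too.
    outside = {k: v for k, v in template.items() if k != "variables"}
    live, pending = set(), collect_refs(outside, set())
    while pending:
        name = pending.pop()
        if name not in live:
            live.add(name)
            pending |= collect_refs(variables.get(name, ""), set())
    generic = [n for n, v in variables.items()
               if re.fullmatch(r"playbookContentId\d+", n) and v in GENERIC_IDS]
    return {"generic_content_ids": sorted(generic),
            "dangling": sorted(n for n in live if n not in variables),
            "unused": sorted(n for n in variables if n not in live)}

# Constructed, trimmed-down stand-in for a Sentinel mainTemplate.json (not the
# project's real file) in the defective state the thread describes.
BROKEN_TEMPLATE = {
    "variables": {
        "playbookContentId1": "Playbooks",
        "_playbookContentId1": "[variables('playbookContentId1')]",
        "Playbooks": "Playbooks",
        "_Playbooks": "[variables('Playbooks')]",
    },
    "resources": [{"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
                   "properties": {
                       "contentId": "[variables('_playbookContentId1')]",
                       "dependencies": {"criteria": [{"kind": "Playbook",
                           "contentId": "[variables('_playbookContentId2')]"}]}}}],
}
```

Running `lint_template(BROKEN_TEMPLATE)` reports the generic ID, the dangling `_playbookContentId2` reference and both dead variables; after applying the fixes listed above the same call returns three empty lists.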

@v-shukore
Contributor

Hi @mazamizo21, I tested again with the updated template, but the playbook still isn't loading in the content hub. Could you please check this? Also, there are now two playbooks appearing in the list, as shown in the screenshot.
[screenshots]
Thanks!!

@mazamizo21
Author

Hi @v-shukore,

Thank you for testing again. I've deployed the solution to a fresh test environment and confirmed the template is working correctly.

✅ Test Results (Fresh Deployment)

  • Content Templates: 1 entry only - TacitRedToCrowdStrike
  • Display Name: TacitRed to CrowdStrike IOC Automation
  • Playbook Instantiation: ✅ Success - Logic App created
  • Sentinel Metadata: ✅ Correctly registered

Why You're Seeing Two Playbooks

The two entries ("Playbooks" + "TacitRed to CrowdStrike IOC Automation") are residual data from a previous deployment that used the old generic contentId: "Playbooks". Content Hub cached the old entry when testing the earlier version.

Steps to Resolve

  1. Completely uninstall the TacitRed-IOC-CrowdStrike solution from Content Hub (click Delete)
  2. Go to Resource Groups → find the test resource group → delete any orphaned Logic Apps named pb-tacitred-to-crowdstrike
  3. Reinstall the solution fresh from Content Hub

After a clean reinstall, you should see only one playbook: "TacitRed to CrowdStrike IOC Automation"

Latest Commit

I also pushed commit 38ec4d675c improving the description for clarity.

Could you please try the uninstall/reinstall steps and let me know if it resolves the duplicate issue?

Thanks!

@v-shukore
Contributor

Hi @mazamizo21, I tested again in a new workspace and now I can see only one playbook. However, that playbook still isn't loading in the content hub. If it's loading for you, could you please share a screenshot of the running playbook? Thanks!
[screenshot]

@mazamizo21
Author

Hi @v-gokulm,

Thank you for testing again! I've pushed a fix that should resolve the playbook template loading issue.

Root Cause

The playbookContentId1 was set to a generic string "Playbooks" instead of a unique identifier. This caused Content Hub to fail to properly register and display the playbook template.

Fix Applied (commit 08bf4b2)

  1. Changed playbookContentId1 from "Playbooks" to "TacitRedToCrowdStrike"
  2. Updated displayName from "Playbooks" to "TacitRed to CrowdStrike IOC Automation"
  3. Fixed dependencies contentId reference to use the unique playbook identifier
  4. Regenerated the package zip with the fixed mainTemplate.json

Could you please re-run the validation and test the playbook loading again?


Meeting Request

We've been working on 5 PRs over the past month and the feedback cycle has been challenging due to timezone differences. Could we schedule a 30-minute session next week to discuss these PRs together?

I'm available in EST (Eastern Standard Time) and flexible on timing. A brief call would help us:

  • Quickly resolve any remaining issues across all 5 PRs
  • Get immediate feedback instead of waiting for the next day
  • Ensure we address all requirements correctly

Please let me know if this would be possible. Thank you!

@v-shukore
Contributor

Hi @mazamizo21, we can connect for 30 minutes to discuss all the PR issues. Please schedule the call, let us know the meeting time, and include [email protected] in the invite. Thanks!!

@mazamizo21
Author

mazamizo21 commented Jan 12, 2026 via email

@mazamizo21
Author

mazamizo21 commented Jan 12, 2026 via email

@mazamizo21 mazamizo21 force-pushed the feature/tacitred-crowdstrike-ioc branch from 9e32d06 to d16e952 on January 13, 2026 14:21
Fixed branch contamination - removed unrelated solutions.
This PR contains only TacitRed-IOC-CrowdStrike solution files.
@mazamizo21 mazamizo21 force-pushed the feature/tacitred-crowdstrike-ioc branch from d16e952 to f269cd7 on January 14, 2026 14:28
@v-shukore
Contributor

Hi @mazamizo21, could you please resolve the arm-ttk failures?
[screenshot]

@mazamizo21
Author

mazamizo21 commented Jan 15, 2026 via email

- Fix metadata.author to use Data443 company name
- Remove unused Playbooks and _Playbooks variables (ARM-TTK: Variables Must Be Referenced)
- Add support contact to packageMetadata.json
- Clean up old 3.0.4.zip (keep only 3.0.0.zip matching solution version)
- Regenerate 3.0.0.zip with fixed mainTemplate.json
@mazamizo21
Author

mazamizo21 commented Jan 15, 2026 via email
