Solution: TacitRed SentinelOne IOC Automation (Official)#13267

Merged
v-dvedak merged 7 commits into Azure:master from Data443:feature/tacitred-sentinelone-v1
Jan 27, 2026

Conversation

@mazamizo21
Contributor

Official Data443 Submission

This is the official submission from the Data443 organization for the TacitRed SentinelOne IOC Automation solution.

Changes

  • Standardized publisher information to 'Data443 Risk Mitigation, Inc.'.
  • Added comprehensive documentation.
  • Validated implementation.

This PR supersedes and replaces PR #13243.
Please close #13243 in favor of this one.

@mazamizo21 mazamizo21 requested review from a team as code owners December 8, 2025 19:24
@mazamizo21 mazamizo21 requested a review from a team as a code owner December 8, 2025 20:11
@v-shukore v-shukore self-assigned this Dec 9, 2025
@v-shukore v-shukore added the New Solution For new Solutions which are new to Microsoft Sentinel label Dec 9, 2025
@v-shukore
Contributor

v-shukore commented Dec 9, 2025

Hi @mazamizo21,
Please ensure that each solution includes the data connector folder and its relevant files, as well as the data file, releasenote file, solutionmetadata file, maintemplate, createui files, and a zip file with version 3.0.0. All these files are required.
You can package the solution using the V3 tool. Here is the readme file for creating a new solution: https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.…
Also, you can refer to any solution in our repo to get an understanding of the folder structure.
If you have any questions, please feel free to connect with me and Mahesh on MS Teams; this is my email id: v-shukore@microsoft.com.
Thanks!

@mazamizo21 mazamizo21 force-pushed the feature/tacitred-sentinelone-v1 branch 3 times, most recently from 9a78d60 to 4895423 on December 10, 2025 00:50
@mazamizo21
Contributor Author

Hi @v-shukore,

Thank you for the feedback! We've reviewed the Azure Sentinel Solutions repository and found 20+ approved production solutions that are playbook-only without data connector folders.

Examples of Approved Playbook-Only Solutions

Pure playbook solutions (no data connectors):

  • HYAS (v3.0.0) - 24 playbooks, no data connectors
  • Recorded Future (v3.2.17) - 14 playbooks + 8 workbooks + 4 analytics, no data connectors
  • Tanium - Playbooks + workbooks + analytics, no data connectors
  • Pure Storage - Playbooks + workbooks, no data connectors
  • SalemCyber, Farsight DNSDB, GoogleDirectory, Apache Log4j Vulnerability Detection, SAP, AWS Systems Manager, Group-IB, NCSC-NL NDN, Neustar IP GeoPoint, DNS Essentials, ShadowByte Aria, AWS_IAM, IronNet IronDefense, Intel471, Torq - All playbook-only, no data connectors

Our Solution Structure

TacitRed SentinelOne IOC Automation follows the same pattern:

  • Playbook-only automation solution (no data ingestion)
  • ✅ Consumes existing threat intelligence from Sentinel
  • ✅ Prepares indicators for SentinelOne ingestion
  • ✅ All V3 packaging files present:
    • mainTemplate.json, createUiDefinition.json, 3.0.0.zip
    • SolutionMetadata.json (with lastPublishDate: 2025-12-10)
    • ReleaseNotes.md, README.md

Question

Based on these 20+ approved playbook-only solutions in the repository, can you confirm that data connector folders are not required for automation-only solutions?

Our solution structure is identical to HYAS and other approved playbook-only solutions.

Thank you for your guidance!

Data443 Risk Mitigation, Inc.
support@data443.com

@v-shukore
Contributor

Hi @mazamizo21, the solution now appears well-organized with the appropriate files included. I will review it and inform you if any updates are required. Thank you.

@mazamizo21 mazamizo21 force-pushed the feature/tacitred-sentinelone-v1 branch 5 times, most recently from 1f9e4b5 to 9cb6018 on December 15, 2025 11:22
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Dec 18, 2025
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Dec 18, 2025
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Dec 18, 2025
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Dec 18, 2025
@v-shukore
Contributor

Hi @mazamizo21,

Please remove the 1.0.2 zip package from the solution.

Also, remove the packagemetadata.json and deploymentParameters.json files from the package folder. If these files are necessary, please keep them outside the package folder.

Additionally, create a folder named Image inside the Playbook folder and add all running playbook images into it.

Please also correct the format of the releasenote.md file.

Thanks!

@mazamizo21
Contributor Author

Update: All Requested Changes Applied

Hi Microsoft Team,

Thank you for your feedback. We have addressed all the requested changes:

✅ 1. Removed 1.0.2 zip package

  • Deleted Solutions/TacitRed-SentinelOne/Package/1.0.2.zip
  • Only 3.0.0.zip remains in the Package folder

✅ 2. Moved packageMetadata.json and deploymentParameters.json outside Package folder

  • Before: Solutions/TacitRed-SentinelOne/Package/packageMetadata.json
  • After: Solutions/TacitRed-SentinelOne/packageMetadata.json
  • Before: Solutions/TacitRed-SentinelOne/Package/deploymentParameters.json
  • After: Solutions/TacitRed-SentinelOne/deploymentParameters.json

✅ 3. Created Images folder in Playbooks with running playbook screenshots

  • Solutions/TacitRed-SentinelOne/Playbooks/Images/TacitRedToSentinelOneLight.png
  • Solutions/TacitRed-SentinelOne/Playbooks/Images/TacitRedToSentinelOneDark.png

✅ 4. Fixed ReleaseNotes.md format

  • Added proper # Release Notes heading
  • Aligned table columns correctly

Thank you!

Data443 Risk Mitigation, Inc.

@v-shukore
Contributor

Hi @mazamizo21, could you please grant me branch access so I can make the necessary changes and commit them? Thanks!!

@mazamizo21
Contributor Author

mazamizo21 commented Dec 31, 2025 via email

@mazamizo21
Contributor Author

Verified: This solution does not contain any broken tacitred.com or cyren.com documentation URLs. The only TacitRed references are API endpoints (app.tacitred.com) which are functional and required for the connector to work.

@v-shukore
Contributor

Hi @mazamizo21, we deployed the maintemplate in our Microsoft Sentinel workspace and checked, but the playbook isn't showing or loading, so we're unable to test it. Could you check in your workspace and share a screenshot here? Thanks!

@mazamizo21
Contributor Author

Hi @v-shukore,

Thank you for testing the solution! I've identified and fixed the issue with the playbook not showing/loading.

Root Cause

The playbookContentId1 in the mainTemplate was set to a generic string "Playbooks" instead of a unique identifier. This prevented Content Hub from properly registering and displaying the playbook after deployment.

Fix Applied (commit 02582c3)

  1. Changed playbookContentId1 from "Playbooks" to "TacitRedToSentinelOne"
  2. Updated displayName from "Playbooks" to "TacitRed to SentinelOne IOC Automation"
  3. Fixed dependency contentId reference to use the correct variable
  4. Removed unused variables for ARM-TTK compliance

The playbook should now properly appear in Content Hub after deployment. Please redeploy and let me know if you can see and test the playbook now.

Thanks!

@mazamizo21 mazamizo21 force-pushed the feature/tacitred-sentinelone-v1 branch 3 times, most recently from 59a4da3 to abf9afd on January 14, 2026 01:35
@mazamizo21 mazamizo21 force-pushed the feature/tacitred-sentinelone-v1 branch from aec9a39 to 831026f on January 19, 2026 10:43
- Dynamic 7-day lookback matching CCF polling window for cost reduction
- Uses date_from=@{formatDateTime(addDays(utcNow(), -7), 'yyyy-MM-dd')}
- Clean branch with only TacitRed-SentinelOne solution files
@mazamizo21 mazamizo21 force-pushed the feature/tacitred-sentinelone-v1 branch from 8381800 to 9cd6f8b on January 19, 2026 12:50
- Changed playbookContentId1 from generic 'Playbooks' to unique 'TacitRedToSentinelOne'
- Updated displayName to 'TacitRed to SentinelOne IOC Automation'
- Fixed dependencies contentId to use correct variable reference
- Regenerated 3.0.0.zip

This fixes the 'One or more playbook templates failed to load' error
in Content Hub after deployment.
@mazamizo21
Contributor Author


- Removed unused 'Playbooks' and '_Playbooks' variables from mainTemplate.json
- These orphaned variables may have been causing duplicate playbook entries in Content Hub
- Regenerated 3.0.0.zip

Note: Reviewer should delete existing solution and reinstall on a clean workspace
to avoid seeing duplicate entries from previous deployment.
@mazamizo21
Contributor Author

Fix Applied: Playbook Content Hub Loading Issue

Root Cause

The playbookContentId1 variable was set to a generic value "Playbooks" instead of a unique identifier. This caused Content Hub to fail when trying to register and display the playbook template.

Changes Made (commit 592d8f9)

  1. Changed playbookContentId1 from "Playbooks" to "TacitRedToSentinelOne"
  2. Updated displayName from "Playbooks" to "TacitRed to SentinelOne IOC Automation"
  3. Removed orphaned "Playbooks" variables that may have been causing duplicate entries
  4. Regenerated 3.0.0.zip

Reference Solution Comparison

I've compared our solution structure with the HYAS partner solution (Solutions/HYAS/), which is also:

  • Partner-supported
  • Playbook-only (25 playbooks)
  • Threat Intelligence category
  • Same folder structure and metadata pattern

The structure matches correctly. The only differences are newer API versions (2025-09-01 vs 2023-04-01-preview).

Testing Instructions

The duplicate playbook entries you're seeing are from previous deployments. To test the fix:

  1. DELETE the existing TacitRed-SentinelOne solution from Content Hub
  2. DELETE any orphaned playbook templates from the workspace
  3. REINSTALL the solution from a fresh deployment

The new template has unique playbookContentId and proper displayName.

Added metadata section to playbook as required by Content Hub:
- title: TacitRed to SentinelOne IOC Automation
- description: Playbook functionality description
- prerequisites: API keys and URLs required
- postDeployment: Configuration steps after deployment
- support: Partner tier with Data443 contact info
- author: Data443 Risk Mitigation, Inc.
- tags: ThreatIntelligence, IOC, SentinelOne, TacitRed

Reference: Solutions/Microsoft Defender XDR/Playbooks/AttackSimulatorTrainingNonReporters/azuredeploy.json
@mazamizo21
Contributor Author

Fix Applied: Added Playbook Metadata for Content Hub

Issue

Microsoft reviewer noted that the playbook metadata was missing, which is required for Content Hub to properly load and display the playbook template.

Changes Made (commit c4e1baf)

Added metadata section to both the playbook JSON and mainTemplate.json following the Microsoft Defender XDR playbook pattern:

  • title: TacitRed to SentinelOne IOC Automation
  • description: Playbook functionality description
  • prerequisites: API keys and URLs required
  • postDeployment: Configuration steps after deployment
  • support: Partner tier with Data443 contact info
  • author: Data443 Risk Mitigation, Inc.
  • tags: ThreatIntelligence, IOC, SentinelOne, TacitRed

Reference Solution

Used as reference: Solutions/Microsoft Defender XDR/Playbooks/AttackSimulatorTrainingNonReporters/azuredeploy.json

Testing Instructions

  1. Delete any existing TacitRed-SentinelOne solution from Content Hub
  2. Redeploy the solution from the updated mainTemplate
  3. Verify the playbook template loads correctly with metadata displayed

Thanks for the feedback!
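As an added example (not code from this PR or from the Data443 solution), a small Python pre-submission check for the two Content Hub problems worked through in this thread: a generic or duplicated playbook contentId and a nested playbook template with no metadata section. The template layout it assumes (contentTemplates resources carrying `contentKind`, `contentId`, `displayName` and a nested `mainTemplate` with a top-level `metadata` object) and the sample template it runs on are both assumptions.

```python
"""Pre-submission check for a Sentinel solution mainTemplate.json: flags a generic or
duplicated playbook contentId, a generic displayName, and a nested playbook template
with no metadata section (the Content Hub problems discussed in this PR)."""
import re
from collections import Counter

GENERIC_IDS = {"Playbooks", "Playbook"}  # placeholder values (assumption)
REQUIRED_METADATA = ("title", "description", "prerequisites",
                     "postDeployment", "support", "author")
VAR_REF = re.compile(r"^\[variables\('([^']+)'\)\]$")

def resolve(value, variables):
    """Follow chained [variables('x')] references down to a literal value."""
    seen = set()  # guards against self-referencing variable definitions
    while isinstance(value, str) and (m := VAR_REF.match(value)) and m[1] not in seen:
        seen.add(m[1])
        value = variables.get(m[1], value)
    return value

def check_template(template: dict) -> list[str]:
    """Return findings for every Playbook contentTemplates resource; [] means pass."""
    variables, findings = template.get("variables", {}), []
    playbooks = [r["properties"] for r in template.get("resources", [])
                 if r.get("type", "").endswith("/contentTemplates")
                 and r.get("properties", {}).get("contentKind") == "Playbook"]
    ids = Counter(resolve(p.get("contentId"), variables) for p in playbooks)
    for p in playbooks:
        cid = resolve(p.get("contentId"), variables)
        if cid in GENERIC_IDS:
            findings.append(f"contentId {cid!r} is a generic placeholder, not unique")
        if ids[cid] > 1:
            findings.append(f"contentId {cid!r} is shared by {ids[cid]} playbook templates")
        if resolve(p.get("displayName"), variables) in GENERIC_IDS:
            findings.append(f"displayName of {cid!r} is generic")
        missing = [k for k in REQUIRED_METADATA
                   if k not in p.get("mainTemplate", {}).get("metadata", {})]
        if missing:
            findings.append(f"{cid!r}: nested template metadata missing {missing}")
    return findings

BEFORE = {  # constructed "before" template reproducing the defect described above
    "variables": {"playbookContentId1": "Playbooks",
                  "_playbookContentId1": "[variables('playbookContentId1')]"},
    "resources": [{"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
                   "properties": {"contentKind": "Playbook", "displayName": "Playbooks",
                                  "contentId": "[variables('_playbookContentId1')]",
                                  "mainTemplate": {"resources": []}}}],
}

if __name__ == "__main__":
    print(*check_template(BEFORE), sep="\n")
```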

mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Jan 23, 2026
…tern

Applied same changes as Microsoft reviewer made to PR Azure#13267:
- Renamed logicAppName parameter to PlaybookName
- Moved metadata to END of nested mainTemplate (after resources array)
- Updated metadata format: prerequisites as array, simplified support
- Added releaseNotes section
- Updated description and displayName to use playbook name

Reference: PR Azure#13267 (TacitRed-SentinelOne) reviewer changes
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Jan 23, 2026
…eviewer pattern

Applied same changes as Microsoft reviewer made to PR Azure#13267:
- Updated support.tier to lowercase 'partner'
- Updated lastUpdateTime to 2026-01-22
- Metadata already at END of nested mainTemplates (correct pattern)

Reference: PR Azure#13267 (TacitRed-SentinelOne) reviewer changes
@v-dvedak v-dvedak merged commit 015e58d into Azure:master Jan 27, 2026
33 checks passed
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Jan 27, 2026
…k metadata pattern

Per Microsoft reviewer feedback (playbook not visible in Content Hub):
- Changed metadata resource apiVersion from 2025-09-01 to 2022-01-01-preview
- Fixed first metadata resource name to use single brackets + parameters('workspace')
- Updated displayName to use pb- prefix pattern: pb-tacitred-to-defender-ti
- Updated description to match displayName pattern
- Updated support.tier to lowercase 'partner'

Reference: PR Azure#13267 (TacitRed-SentinelOne) which is working correctly
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Jan 27, 2026
Per Azure MCP Server verification and SentinelOne deep dive:
- Changed parentId from double brackets [[variables(...)] to single brackets [variables(...)]
- This matches the working SentinelOne pattern exactly
- API version 2022-01-01-preview confirmed correct for nested metadata resources

Reference: PR Azure#13267 (TacitRed-SentinelOne) working pattern
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Jan 27, 2026
…nelOne pattern

Changed API versions from 2025-09-01 to 2023-04-01-preview for:
- contentTemplates (Function App and Playbook)
- contentPackages

This matches the working SentinelOne and CrowdStrike solutions that
are successfully loading playbooks in Content Hub.

Reference: PR Azure#13267 (SentinelOne) and PR Azure#13269 (CrowdStrike)
as requested by Microsoft reviewer