Solution: TacitRed CrowdStrike IOC Automation (Official)#13269
Solution: TacitRed CrowdStrike IOC Automation (Official)#13269v-atulyadav merged 5 commits intoAzure:masterfrom
Conversation
v-shukore
added
the
New Solution
|
Hi @mazamizo21, Please ensure that each solution includes the data connector folder and its relevant files, as well as the data file, releasenote file, solutionmetadata file, maintemplate, createui files, and a zip file with version 3.0.0. All these files are required. |
mazamizo21
force-pushed
the
feature/tacitred-crowdstrike-ioc
branch
3 times, most recently
from
710dc5d to
87d5486
Compare
|
Hi @v-shukore, Thank you for the feedback! We've reviewed the Azure Sentinel Solutions repository and found 20+ approved production solutions that are playbook-only without data connector folders. Examples of Approved Playbook-Only SolutionsPure playbook solutions (no data connectors):
Our Solution StructureTacitRed CrowdStrike IOC Automation follows the same pattern:
QuestionBased on these 20+ approved playbook-only solutions in the repository, can you confirm that data connector folders are not required for automation-only solutions? Our solution structure is identical to HYAS and other approved playbook-only solutions. Thank you for your guidance! Data443 Risk Mitigation, Inc. |
|
Hi @mazamizo21, the solution now appears well-organized with the appropriate files included. I will review it and inform you if any updates are required. Thank you. |
|
@v-shukore can you please run the review on all 5 PR |
|
@v-shukore Just a side note it seem like the V3 tool is reverting back old API version after I corrected it couple times in my repo. I corrected my V3 local version but you might need to check on your V3 to correct it as well |
mazamizo21
force-pushed
the
feature/tacitred-crowdstrike-ioc
branch
5 times, most recently
from
3f1c487 to
e9d37b3
Compare
|
Hi @mazamizo21, Please add the solution logo to the following path: Also, remove the Additionally, create a folder named Image inside the Playbook folder and add all running playbook images into it. Please also correct the format of the Thanks! |
Update: All Requested Changes AppliedHi Microsoft Team, Thank you for your feedback. We have addressed all the requested changes: ✅ 1. Added solution logo to Logos folder
✅ 2. Moved packageMetadata.json and deploymentParameters.json outside Package folder
✅ 3. Created Images folder in Playbooks with running playbook screenshots
✅ 4. Fixed ReleaseNotes.md format
Thank you! Data443 Risk Mitigation, Inc. |
|
Hi @mazamizo21, could you please grant me the branch access so I can make the necessary changes and commit them. Thanks!! |
|
Verified: This solution does not contain any broken tacitred.com or cyren.com documentation URLs. The only TacitRed references are API endpoints (app.tacitred.com) which are functional and required for the connector to work. |
|
Hi @mazamizo21, we deployed the maintemplate in our Microsoft Sentinel workspace and checked, but the playbook isn't showing or loading, so we're unable to test it. Could you check in your workspace and share a screenshot here? Thanks! |
|
Hi @v-shukore, Thank you for testing the solution! I've identified and fixed the issue with the playbook not showing/loading. Root CauseThe Fix Applied (commits f8fe527, 3fb2e86)
The playbook should now properly appear in Content Hub after deployment. Please redeploy and let me know if you can see and test the playbook now. Thanks! |
|
Hi @mazamizo21, I tested again with the updated template, but the playbook still isn't loading in the content hub. Could you please check this? Also, there are now two playbooks appearing in the list, as shown in the screenshot. |
|
Hi @v-shukore, Thank you for testing again. I've deployed the solution to a fresh test environment and confirmed the template is working correctly. ✅ Test Results (Fresh Deployment)
Why You're Seeing Two PlaybooksThe two entries ("Playbooks" + "TacitRed to CrowdStrike IOC Automation") are residual data from a previous deployment that used the old generic Steps to Resolve
After a clean reinstall, you should see only one playbook: "TacitRed to CrowdStrike IOC Automation" Latest CommitI also pushed commit Could you please try the uninstall/reinstall steps and let me know if it resolves the duplicate issue? Thanks! |
|
Hi @mazamizo21, I tested again in a new workspace and now I can see only one playbook. However, that playbook still isn't loading in the content hub. If it's loading for you, could you please share a screenshot of the running playbook? Thanks! |
|
Hi @v-gokulm, Thank you for testing again! I've pushed a fix that should resolve the playbook template loading issue. Root CauseThe Fix Applied (commit 08bf4b2)
Could you please re-run the validation and test the playbook loading again? Meeting RequestWe've been working on 5 PRs over the past month and the feedback cycle has been challenging due to timezone differences. Could we schedule a 30-minute session next week to discuss these PRs together? I'm available in EST (Eastern Standard Time) and flexible on timing. A brief call would help us:
Please let me know if this would be possible. Thank you! |
|
Hi @mazamizo21, we can connect for 30 minutes to discuss all the PR issues. Please schedule the call, let us know the meeting time, and include |
|
Hi,
I scheduled a call for tomorrow morning since I’m not sure if you’re still working today.
https://teams.microsoft.com/l/meetup-join/19%3ameeting_MDc2MjU2OTAtYjU3NC00YmI0LThkZTMtODJjMjEwZDU3Y2Zj%40thread.v2/0?context=%7b%22Tid%22%3a%226ac7a1f4-5fb1-4153-bb4f-12d2020a1f7d%22%2c%22Oid%22%3a%2275a1d53f-c4fd-440f-a826-db81e7edd7a2%22%7d
…________________________________
From: v-shukore ***@***.***>
Sent: Sunday, January 11, 2026 7:12 PM
To: Azure/Azure-Sentinel ***@***.***>
Cc: mazamizo21 ***@***.***>; Mention ***@***.***>
Subject: Re: [Azure/Azure-Sentinel] Solution: TacitRed CrowdStrike IOC Automation (Official) (PR #13269)
[https://avatars.githubusercontent.com/u/159111145?s=20&v=4]v-shukore left a comment (Azure/Azure-Sentinel#13269)<#13269 (comment)>
Hi @mazamizo21<https://github.com/mazamizo21>, we can connect for 30 minutes to discuss all the PR issues. Please schedule the call, let us know the meeting time, and include ***@***.*** in the invite. Thanks!!
—
Reply to this email directly, view it on GitHub<#13269 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A45BJJU7IJE762M4JG55L4L4GMUKBAVCNFSM6AAAAACONE73XOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTOMZWHEYTKMBRGM>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Hi,
I did text you on Team from ***@***.***
Please let me know if 8 EST tomorrow Tuesday works for you or not!
Thanks
Taz Jack
…________________________________
From: Taz Jack ***@***.***>
Sent: Monday, January 12, 2026 2:35 AM
To: Azure/Azure-Sentinel ***@***.***>; Azure/Azure-Sentinel ***@***.***>; ***@***.*** ***@***.***>; ***@***.*** ***@***.***>
Cc: Mention ***@***.***>
Subject: Re: [Azure/Azure-Sentinel] Solution: TacitRed CrowdStrike IOC Automation (Official) (PR #13269)
Hi,
I scheduled a call for tomorrow morning since I’m not sure if you’re still working today.
https://teams.microsoft.com/l/meetup-join/19%3ameeting_MDc2MjU2OTAtYjU3NC00YmI0LThkZTMtODJjMjEwZDU3Y2Zj%40thread.v2/0?context=%7b%22Tid%22%3a%226ac7a1f4-5fb1-4153-bb4f-12d2020a1f7d%22%2c%22Oid%22%3a%2275a1d53f-c4fd-440f-a826-db81e7edd7a2%22%7d
________________________________
From: v-shukore ***@***.***>
Sent: Sunday, January 11, 2026 7:12 PM
To: Azure/Azure-Sentinel ***@***.***>
Cc: mazamizo21 ***@***.***>; Mention ***@***.***>
Subject: Re: [Azure/Azure-Sentinel] Solution: TacitRed CrowdStrike IOC Automation (Official) (PR #13269)
[https://avatars.githubusercontent.com/u/159111145?s=20&v=4]v-shukore left a comment (Azure/Azure-Sentinel#13269)<#13269 (comment)>
Hi @mazamizo21<https://github.com/mazamizo21>, we can connect for 30 minutes to discuss all the PR issues. Please schedule the call, let us know the meeting time, and include ***@***.*** in the invite. Thanks!!
—
Reply to this email directly, view it on GitHub<#13269 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A45BJJU7IJE762M4JG55L4L4GMUKBAVCNFSM6AAAAACONE73XOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTOMZWHEYTKMBRGM>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
mazamizo21
force-pushed
the
feature/tacitred-crowdstrike-ioc
branch
from
9e32d06 to
d16e952
Compare
Fixed branch contamination - removed unrelated solutions. This PR contains only TacitRed-IOC-CrowdStrike solution files.
mazamizo21
force-pushed
the
feature/tacitred-crowdstrike-ioc
branch
from
d16e952 to
f269cd7
Compare
|
Hi @mazamizo21, could you please resolve the arm-ttk failures |
|
Fixed please check again
Thanks
Taz Jack
On Jan 15, 2026, at 1:15 AM, v-shukore ***@***.***> wrote:
[https://avatars.githubusercontent.com/u/159111145?s=20&v=4]v-shukore left a comment (Azure/Azure-Sentinel#13269)<#13269 (comment)>
Hi @mazamizo21<https://github.com/mazamizo21>, could you please resolve the arm-ttk failures
image.png (view on web)<https://github.com/user-attachments/assets/2c11bddd-4f69-40f6-b011-31f8849d0822>
—
Reply to this email directly, view it on GitHub<#13269 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A45BJJQP6QJHTJLFAPSIKRT4G4WA3AVCNFSM6AAAAACONE73XOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTONJTGA2TMMJZGY>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
- Fix metadata.author to use Data443 company name - Remove unused Playbooks and _Playbooks variables (ARM-TTK: Variables Must Be Referenced) - Add support contact to packageMetadata.json - Clean up old 3.0.4.zip (keep only 3.0.0.zip matching solution version) - Regenerate 3.0.0.zip with fixed mainTemplate.json
|
… ________________________________
From: v-shukore ***@***.***>
Sent: Wednesday, January 14, 2026 8:15 PM
To: Azure/Azure-Sentinel ***@***.***>
Cc: mazamizo21 ***@***.***>; Mention ***@***.***>
Subject: Re: [Azure/Azure-Sentinel] Solution: TacitRed CrowdStrike IOC Automation (Official) (PR #13269)
[https://avatars.githubusercontent.com/u/159111145?s=20&v=4]v-shukore left a comment (Azure/Azure-Sentinel#13269)<#13269 (comment)>
Hi @mazamizo21<https://github.com/mazamizo21>, could you please resolve the arm-ttk failures
image.png (view on web)<https://github.com/user-attachments/assets/2c11bddd-4f69-40f6-b011-31f8849d0822>
—
Reply to this email directly, view it on GitHub<#13269 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A45BJJQP6QJHTJLFAPSIKRT4G4WA3AVCNFSM6AAAAACONE73XOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTONJTGA2TMMJZGY>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Added metadata section to playbook as required by Content Hub: - title: TacitRed to CrowdStrike IOC Automation - description: Playbook functionality description - prerequisites: API keys required (TacitRed + CrowdStrike OAuth2) - postDeployment: Configuration steps after deployment - support: Partner tier with Data443 contact info - author: Data443 Risk Mitigation, Inc. - tags: ThreatIntelligence, IOC, CrowdStrike, TacitRed Reference: Solutions/Microsoft Defender XDR/Playbooks/AttackSimulatorTrainingNonReporters/azuredeploy.json
Fix Applied: Added Playbook Metadata for Content HubIssueMicrosoft reviewer noted that the playbook metadata was missing, which is required for Content Hub to properly load and display the playbook template. Changes Made (commit b64c1ae)Added metadata section to both the playbook JSON and mainTemplate.json following the Microsoft Defender XDR playbook pattern:
Reference SolutionUsed as reference: Solutions/Microsoft Defender XDR/Playbooks/AttackSimulatorTrainingNonReporters/azuredeploy.json Testing Instructions
Thanks for the feedback! |
…tern Applied same changes as Microsoft reviewer made to PR Azure#13267: - Renamed logicAppName parameter to PlaybookName - Moved metadata to END of nested mainTemplate (after resources array) - Updated metadata format: prerequisites as array, simplified support - Added releaseNotes section - Updated description and displayName to use playbook name Reference: PR Azure#13267 (TacitRed-SentinelOne) reviewer changes
Fix Applied: Updated Playbook Metadata PatternApplied the same changes as Microsoft reviewer made to PR #13267 (TacitRed-SentinelOne): Changes Made (commit a5a4bf0)
ReferencePR #13267 (TacitRed-SentinelOne) reviewer changes by @v-maheshbh Testing Instructions
Thanks! |
…er request - Remove header line to match standard format - Update date to current (23-01-2026) - Simplify description to match other solutions
|
Hi @v-shukore, I have updated the release notes as requested (commit 7f2e92d):
Thanks! |
…nelOne pattern Changed API versions from 2025-09-01 to 2023-04-01-preview for: - contentTemplates (Function App and Playbook) - contentPackages This matches the working SentinelOne and CrowdStrike solutions that are successfully loading playbooks in Content Hub. Reference: PR Azure#13267 (SentinelOne) and PR Azure#13269 (CrowdStrike) as requested by Microsoft reviewer
3 participants
Official Data443 Submission
This is the official submission from the Data443 organization for the TacitRed CrowdStrike IOC Automation solution.
Changes
This PR supersedes and replaces PR #13241.
Please close #13241 in favor of this one.