Solution: TacitRed CrowdStrike IOC Automation (Official) #13269
base: master
Conversation
- Cyren: IP Reputation and Malware URLs CCF data connectors
- TacitRed: Compromised Credentials CCF data connector
- Both solutions include workbooks, analytics rules, and custom tables
- All templates pass arm-ttk validation (102/102 tests)
- CCF data connector
- Workbooks and analytics rules
- All templates pass arm-ttk validation
- CCF data connector
- Workbooks and analytics rules
- All templates pass arm-ttk validation
…d, and regenerate packages
…d cost warnings
TacitRed:
- Changed queryWindowInMin from 5 to 60 minutes (12x reduction in API calls)
- Added cost warning in connector instructions
Cyren:
- Changed queryWindowInMin from 240 to 1440 minutes (6x reduction - daily polling)
- Reduced rateLimitQps from 10 to 2
- Added risk_d >= 50 filter in DCR to filter out low-risk indicators
- Added cost warning in connector instructions
These changes reduce ingestion costs significantly while maintaining detection quality.
- Playbook to sync TacitRed compromised credentials to CrowdStrike IOCs
- V3 packaging: Name matches folder, BasePath correct, Version 3.0.0
- Includes packageMetadata.json and 3.0.0.zip
- Runs every 6 hours (reasonable for playbook-based automation)
TacitRed-LogicApp-Ingestion:
- Logic App with managed identity for TacitRed API polling
- Ingests to Sentinel via Logs Ingestion API (DCE/DCR)
- Configurable polling interval
Cyren-LogicApp-Ingestion:
- Two Logic Apps for IP Reputation and Malware URLs feeds
- Managed identity authentication to Azure Monitor
- Ingests to Sentinel via Logs Ingestion API (DCE/DCR)
Both solutions:
- V3 packaging compliant
- 3.0.0.zip with all required files
- arm-ttk validated
- TacitRed Logic App: Replace hardcoded dates with dynamic utcNow() expressions
- Regenerate all 3.0.0.zip files for all 5 solutions
- All CCF and Logic App solutions now use proper placeholders for secrets
TacitRed CCF + Logic App:
- TacitRed - Repeat Compromise Detection.yaml
- TacitRed - High Confidence Compromise.yaml
Cyren CCF + Logic App:
- Cyren - High Risk IP Detection.yaml
- Cyren - Malware URL Detected.yaml
Updated Solution_*.json to reference analytics rules. Regenerated all V3 packages with analytics included.
- CCF data connector
- Workbooks and analytics rules
- All templates pass arm-ttk validation
…tRed analytic rules
- Remove duplicate Cyren solutions (Cyren-CCFThreatIntelligence, Cyren-LogicApp-Ingestion)
- Remove duplicate TacitRed solutions (TacitRed-LogicApp-Ingestion, Tacitred-CCF-Hub-v2ThreatIntelligence)
- Keep canonical CyrenThreatIntelligence and TacitRedThreatIntelligence folders
- Add TacitRed analytic rules with proper MITRE tactics (includes Reconnaissance for T1589)
- Update Solution_TacitRed.json to reference analytic rules
…k/detectionTemplateSchemaValidation
This reverts commit 82bd62c.
…ccf-hub-v2threatintelligence
…ccf-hub-v2threatintelligence
… branch (one-solution-per-branch)
…ValidConnectorIds.json)
Hi @mazamizo21, Please add the solution logo to the following path: Also, remove the Additionally, create a folder named Image inside the Playbook folder and add all running playbook images into it. Please also correct the format of the Thanks!
…adata/deploymentParameters outside Package, add playbook screenshots, fix ReleaseNotes.md format
Update: All Requested Changes Applied
Hi Microsoft Team, Thank you for your feedback. We have addressed all the requested changes:
✅ 1. Added solution logo to Logos folder
✅ 2. Moved packageMetadata.json and deploymentParameters.json outside Package folder
✅ 3. Created Images folder in Playbooks with running playbook screenshots
✅ 4. Fixed ReleaseNotes.md format
Thank you!
Data443 Risk Mitigation, Inc.
Hi @mazamizo21, could you please grant me the branch access so I can make the necessary changes and commit them. Thanks!!
Verified: This solution does not contain any broken tacitred.com or cyren.com documentation URLs. The only TacitRed references are API endpoints (app.tacitred.com) which are functional and required for the connector to work.
Hi @mazamizo21, we deployed the maintemplate in our Microsoft Sentinel workspace and checked, but the playbook isn't showing or loading, so we're unable to test it. Could you check in your workspace and share a screenshot here? Thanks!
Update TacitRed Platform link from generic data443.com to specific: https://data443.com/tacitred-attack-surface-intelligence/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Changed playbookContentId1 from generic 'Playbooks' to 'TacitRedToCrowdStrike'
- Updated displayName to 'TacitRed to CrowdStrike IOC Automation'
- Fixed dependencies contentId reference
This fixes the issue where the playbook wasn't showing/loading after deployment because Content Hub couldn't properly identify it with a generic contentId.
Hi @v-shukore, Thank you for testing the solution! I've identified and fixed the issue with the playbook not showing/loading.
Root Cause
The
Fix Applied (commits f8fe527, 3fb2e86)
The playbook should now properly appear in Content Hub after deployment. Please redeploy and let me know if you can see and test the playbook now. Thanks!
Hi @mazamizo21, I tested again with the updated template, but the playbook still isn't loading in the content hub. Could you please check this? Also, there are now two playbooks appearing in the list, as shown in the screenshot.
- Changed description from generic 'Playbooks Playbook' to 'TacitRed to CrowdStrike IOC Automation Playbook'
- Regenerated Package zip
Note to reviewer: If you see two playbooks ('Playbooks' + 'TacitRed to CrowdStrike IOC Automation'),
please completely uninstall the solution and reinstall. The old 'Playbooks' entry is residual
data from a previous deployment with a generic contentId that has been fixed.
Hi @v-shukore, Thank you for testing again. I've deployed the solution to a fresh test environment and confirmed the template is working correctly.
✅ Test Results (Fresh Deployment)
Why You're Seeing Two Playbooks
The two entries ("Playbooks" + "TacitRed to CrowdStrike IOC Automation") are residual data from a previous deployment that used the old generic
Steps to Resolve
After a clean reinstall, you should see only one playbook: "TacitRed to CrowdStrike IOC Automation"
Latest Commit
I also pushed commit
Could you please try the uninstall/reinstall steps and let me know if it resolves the duplicate issue? Thanks!
Hi @mazamizo21, I tested again in a new workspace and now I can see only one playbook. However, that playbook still isn't loading in the content hub. If it's loading for you, could you please share a screenshot of the running playbook? Thanks!
…Content Hub registration
- Changed playbookContentId1 from generic 'Playbooks' to 'TacitRedToCrowdStrike'
- Updated displayName to 'TacitRed to CrowdStrike IOC Automation'
- Fixed dependencies contentId reference to use _playbookContentId1
- Regenerated 3.0.0.zip with fixed mainTemplate.json
This fixes the Content Hub playbook template loading issue.
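The two defects the commits above fix (a playbook contentId left at the generic value 'Playbooks', and a dependencies entry that did not reference the `_playbookContentId1` variable) are the kind of thing a pre-submission lint over mainTemplate.json can catch before a reviewer deploys the package. The Python below is an added example, not code from this PR or from the Azure-Sentinel repository. The resource types, the `playbookContentId1` / `_playbookContentId1` variable naming and the list of "generic" ids are assumptions drawn from the V3 packaging convention, and both sample templates are constructed for the example (the "before" one reproduces the two defects, the "after" one the fix).

```python
"""Pre-submission lint for a Sentinel solution mainTemplate.json (added example).

Flags two playbook-registration defects:
  1. a playbook template whose contentId resolves to a generic placeholder
     such as "Playbooks", which Content Hub cannot use to identify it;
  2. a solution-level dependency whose contentId is undeclared or does not
     match the contentId of any valid playbook template.
Resource types and variable names are ASSUMED from the V3 packaging convention.
"""
import re

CONTENT_TEMPLATE = "Microsoft.OperationalInsights/workspaces/providers/contentTemplates"
CONTENT_PACKAGE = "Microsoft.OperationalInsights/workspaces/providers/contentPackages"
# Placeholder ids that carry no solution-specific identity (assumed list).
GENERIC_CONTENT_IDS = {"", "playbook", "playbooks", "workbook", "workbooks"}
VAR_REF = re.compile(r"^\[variables\('([^']+)'\)\]$")


def resolve(value, variables, depth=0):
    """Follow [variables('x')] indirections to a literal; None if undeclared."""
    if value is None or depth > 10:
        return None
    if not isinstance(value, str):
        return value
    match = VAR_REF.match(value.strip())
    if match is None:
        return value                      # already a literal
    name = match.group(1)
    if name not in variables:
        return None                       # reference to an undeclared variable
    return resolve(variables[name], variables, depth + 1)


def lint_playbook_content_ids(template):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    variables = template.get("variables", {})
    declared = set()                      # contentIds of valid playbook templates

    for res in template.get("resources", []):
        props = res.get("properties", {})
        if res.get("type") == CONTENT_TEMPLATE and props.get("contentKind") == "Playbook":
            cid = resolve(props.get("contentId"), variables)
            if cid is None:
                findings.append(f"playbook contentId {props.get('contentId')!r} is missing or undeclared")
            elif cid.lower() in GENERIC_CONTENT_IDS:
                findings.append(f"playbook contentId {cid!r} is a generic placeholder")
            else:
                declared.add(cid)

    for res in template.get("resources", []):
        if res.get("type") != CONTENT_PACKAGE:
            continue
        criteria = res.get("properties", {}).get("dependencies", {}).get("criteria", [])
        for crit in criteria:
            if crit.get("kind") != "Playbook":
                continue
            dep = resolve(crit.get("contentId"), variables)
            if dep is None:
                findings.append(f"dependency contentId {crit.get('contentId')!r} is undeclared")
            elif dep not in declared:
                findings.append(f"dependency contentId {dep!r} matches no valid playbook template")
    return findings


def make_template(playbook_content_id, dependency_ref):
    """Constructed minimal mainTemplate.json shape; not the PR's real template."""
    return {
        "variables": {
            "playbookContentId1": playbook_content_id,
            "_playbookContentId1": "[variables('playbookContentId1')]",
        },
        "resources": [
            {
                "type": CONTENT_TEMPLATE,
                "properties": {
                    "contentKind": "Playbook",
                    "contentId": "[variables('_playbookContentId1')]",
                    "displayName": "TacitRed to CrowdStrike IOC Automation",
                },
            },
            {
                "type": CONTENT_PACKAGE,
                "properties": {"dependencies": {"criteria": [
                    {"kind": "Playbook", "contentId": dependency_ref}]}},
            },
        ],
    }


# "Before": generic id plus a dependency pointing at a variable that does not exist.
BEFORE = make_template("Playbooks", "[variables('_playbookContentId')]")
# "After": solution-specific id and a dependency on _playbookContentId1.
AFTER = make_template("TacitRedToCrowdStrike", "[variables('_playbookContentId1')]")

if __name__ == "__main__":
    for label, tpl in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_playbook_content_ids(tpl) or "OK")
```

Run against a real package by loading `Package/mainTemplate.json` with `json.load` and passing the dict to `lint_playbook_content_ids`; a non-empty list is a reason not to regenerate the zip yet.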
Hi @v-gokulm, Thank you for testing again! I've pushed a fix that should resolve the playbook template loading issue.
Root Cause
The
Fix Applied (commit 08bf4b2)
Could you please re-run the validation and test the playbook loading again?
Meeting Request
We've been working on 5 PRs over the past month and the feedback cycle has been challenging due to timezone differences. Could we schedule a 30-minute session next week to discuss these PRs together? I'm available in EST (Eastern Standard Time) and flexible on timing. A brief call would help us:
Please let me know if this would be possible. Thank you!
Official Data443 Submission
This is the official submission from the Data443 organization for the TacitRed CrowdStrike IOC Automation solution.
Changes
This PR supersedes and replaces PR #13241.
Please close #13241 in favor of this one.