TacitRed SentinelOne IOC Automation for Microsoft Sentinel

Solution: TacitRed-SentinelOne

TacitRed-SentinelOne Logo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Attribute	Value
Publisher	Data443 Risk Mitigation, Inc.
Support Tier	Partner
Support Link	https://www.data443.com
Categories	domains
Version	3.0.3
Author	Data443 Risk Mitigation, Inc. - support@data443.com
First Published	2025-12-01
Last Updated	2026-03-09
Solution Folder	TacitRed-SentinelOne
Marketplace	Azure Marketplace · Popularity: ⚪ Very Low (0%)

The TacitRed SentinelOne IOC Automation solution provides example playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and prepare indicators for ingestion into SentinelOne.

Data Connectors
Content Items
Additional Documentation

Data Connectors

This solution does not include data connectors.

This solution may contain other components such as analytics rules, workbooks, hunting queries, or playbooks.

Content Items

This solution includes 1 content item(s):

Content Type	Count
Playbooks	1

Playbooks

Name	Description	Tables Used
TacitRed to SentinelOne IOC Automation	This playbook fetches compromised credential findings from TacitRed threat intelligence and creates ...	-

Additional Documentation

📄 Source: TacitRed-SentinelOne/README.md

Overview

The TacitRed SentinelOne IOC Automation solution provides playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and push indicators of compromise (IOCs) to SentinelOne for automated threat response.

Solution Components

Component	Description
Playbook	Logic App that fetches compromised credentials from TacitRed and creates IOC entries in SentinelOne

Prerequisites

Microsoft Sentinel workspace
TacitRed API Key
SentinelOne console access with API token
SentinelOne Account ID
Appropriate RBAC permissions to deploy Logic Apps

Deployment

Navigate to Microsoft Sentinel Content Hub
Search for "TacitRed SentinelOne"
Click Install and follow the deployment wizard
Provide the following parameters: - TacitRed API Key: Your TacitRed API credentials - SentinelOne API Token: Your SentinelOne API token - SentinelOne Base URL: Your SentinelOne console URL (e.g., https://usea1-001.sentinelone.net) - SentinelOne Account ID: Your SentinelOne account identifier

How It Works

The playbook runs on a scheduled trigger
It queries TacitRed for recent compromised credential findings
For each finding, it creates an IOC entry in SentinelOne
SentinelOne can then use these IOCs for detection and response

Support

Provider: Data443 Risk Mitigation, Inc.
Email: support@data443.com
Website: https://www.data443.com

Learn More

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.0.3	03-03-2026	Added `filter.accountIds` to SentinelOne IOC POST request body. Without this field, the SentinelOne API (`/web/api/v2.1/threat-intelligence/iocs`) returns HTTP 500. Playbook now includes the account ID in the POST body for reliable IOC creation.
3.0.2	23-02-2026	Fixed `SentinelOne_BaseUrl` parameter: default value was hardcoded to `https://usea1-001.sentinelone.net` (a non-existent placeholder URL) since v1.0.0. Customers deploying from Content Hub without changing this field would get a connection timeout on every playbook run. Default is now blank — customers must enter their actual SentinelOne console URL. Updated parameter description and README to guide customers.
3.0.1	17-02-2026	Fixed `InvalidResourceLocation` deployment error by removing non-standard `location` parameter from inner template, aligned with standard Content Hub variable pattern. Fixed metadata resource name bracket type. Removed `TacitRed_Domain` filter parameter from deployment UI. Added missing `hidden-SentinelTemplateName` and `hidden-SentinelTemplateVersion` tags for Content Hub template discovery.
3.0.0	09-12-2025	Initial Solution Release.