Solution: TacitRed IOC CrowdStrike Automation (Official)

This solution provides example playbooks that demonstrate how to consume TacitRed
threat intelligence from Microsoft Sentinel and prepare indicators for ingestion
into CrowdStrike.

Key features:
- Playbook for automated IOC export to CrowdStrike
- Integration with TacitRed threat intelligence feed
- V3 package artifacts
- Comprehensive setup documentation

Changes:
- Add tacitred_logo.svg to top-level Logos/ directory
- Solution files with correct logo format (no spaces between attributes)
- Playbook templates and configuration

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: mazamizo21

Logos/tacitred_logo.svg

@@ -0,0 +1,14 @@
+{
+  "Name": "TacitRed-IOC-CrowdStrike",
+  "Author": "Data443 Risk Mitigation, Inc. - support@data443.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/tacitred_logo.svg\"width=\"75px\"height=\"75px\">",
+  "Description": "The TacitRed CrowdStrike IOC Automation solution provides example playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and prepare indicators for ingestion into CrowdStrike.",
+  "Playbooks": [
+    "Playbooks/TacitRedToCrowdStrike_Playbook.json"
+  ],
+  "Metadata": "SolutionMetadata.json",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\TacitRed-IOC-CrowdStrike",
+  "Version": "3.0.0",
+  "TemplateSpec": true,
+  "Is1Pconnector": false
+}

Solutions/TacitRed-IOC-CrowdStrike/Data/Solution_TacitRedCrowdStrikeAutomation.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/TacitRed-IOC-CrowdStrike/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe TacitRed CrowdStrike IOC Automation solution provides example playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and prepare indicators for ingestion into CrowdStrike.\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/tacitred_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/TacitRed-IOC-CrowdStrike/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe TacitRed CrowdStrike IOC Automation solution provides example playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and prepare indicators for ingestion into CrowdStrike.\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -73,7 +73,7 @@
             "options": {
               "link": {
                 "label": "Learn more",
-                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+                "uri": "https://learn.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
               }
             }
           }
@@ -87,3 +87,4 @@
     }
   }
 }
+

Solutions/TacitRed-IOC-CrowdStrike/Package/3.0.0.zip

@@ -2,7 +2,7 @@
   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "metadata": {
-    "author": "Data443 Risk Mitigation, Inc. - support@data443.com",
+    "author": "TacitRed - support@data443.com",
     "comments": "Solution template for TacitRed-IOC-CrowdStrike"
   },
   "parameters": {
@@ -33,15 +33,14 @@
     "email": "support@data443.com",
     "_email": "[variables('email')]",
     "_solutionName": "TacitRed-IOC-CrowdStrike",
-    "_solutionVersion": "3.0.4",
-    "solutionId": "tacitred.azure-sentinel-solution-tacitred-crowdstrike-ioc-automation",
+    "_solutionVersion": "3.0.0",
+    "solutionId": "data443.azure-sentinel-solution-tacitred-crowdstrike-ioc-automation",
     "_solutionId": "[variables('solutionId')]",
-    "_tacitRedFindingsQuery": "[concat('?types[]=compromised_credentials', if(empty(parameters('TacitRed_Domain')), '', concat('&domains[]=', uriComponent(parameters('TacitRed_Domain')))), '&page=1&page_size=100')]",
     "Playbooks": "Playbooks",
     "_Playbooks": "[variables('Playbooks')]",
     "blanks": "[replace('b', 'b', '')]",
     "playbookVersion1": "1.0",
-    "playbookContentId1": "Playbooks",
+    "playbookContentId1": "TacitRedToCrowdStrike",
     "_playbookContentId1": "[variables('playbookContentId1')]",
     "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
     "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]",
@@ -52,14 +51,14 @@
   "resources": [
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
-      "apiVersion": "2023-04-01-preview",
+      "apiVersion": "2025-09-01",
       "name": "[variables('playbookTemplateSpecName1')]",
       "location": "[parameters('workspace-location')]",
       "dependsOn": [
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Playbooks Playbook with template version 3.0.0",
+        "description": "TacitRed to CrowdStrike IOC Automation Playbook with template version 3.0.0",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('playbookVersion1')]",
@@ -69,7 +68,8 @@
               "defaultValue": "pb-tacitred-to-crowdstrike"
             },
             "location": {
-              "type": "string"
+              "type": "string",
+              "defaultValue": "[concat('[resourceGroup().locatio', 'n]')]"
             },
             "TacitRed_ApiKey": {
               "type": "securestring",
@@ -120,9 +120,6 @@
                   "TacitRed_Domain": {
                     "value": "[[parameters('TacitRed_Domain')]"
                   },
-                  "TacitRed_FindingsQuery": {
-                    "value": "[[variables('_tacitRedFindingsQuery')]"
-                  },
                   "CrowdStrike_ClientId": {
                     "value": "[[parameters('CrowdStrike_ClientId')]"
                   },
@@ -146,10 +143,6 @@
                       "type": "string",
                       "defaultValue": "[variables('blanks')]"
                     },
-                    "TacitRed_FindingsQuery": {
-                      "type": "string",
-                      "defaultValue": "[variables('blanks')]"
-                    },
                     "CrowdStrike_BaseUrl": {
                       "type": "string",
                       "defaultValue": "https://api.us-2.crowdstrike.com"
@@ -186,7 +179,7 @@
                       "type": "Http",
                       "inputs": {
                         "method": "GET",
-                        "uri": "@{parameters('TacitRed_ApiUrl')}@{parameters('TacitRed_FindingsQuery')}",
+                        "uri": "@{parameters('TacitRed_ApiUrl')}?types[]=compromised_credentials&domains[]=@{encodeUriComponent(if(empty(parameters('TacitRed_Domain')),'',parameters('TacitRed_Domain')))}&page=1&page_size=50",
                         "headers": {
                           "accept": "application/json",
                           "Authorization": "@{parameters('TacitRed_ApiKey')}"
@@ -225,7 +218,7 @@
                             "uri": "@{parameters('CrowdStrike_BaseUrl')}@{parameters('CrowdStrike_IocPath')}?ignore_warnings=true",
                             "headers": {
                               "Content-Type": "application/json",
-                              "Authorization": "@{concat('Bearer ', body('Get_CrowdStrike_Token')?['access_token'])}"
+                              "Authorization": "Bearer @{body('Get_CrowdStrike_Token')?['access_token']}"
                             },
                             "body": {
                               "indicators": [
@@ -263,7 +256,7 @@
             },
             {
               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
-              "apiVersion": "2022-01-01-preview",
+              "apiVersion": "2025-09-01",
               "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]",
               "properties": {
                 "parentId": "[variables('playbookId1')]",
@@ -276,7 +269,7 @@
                   "sourceId": "[variables('_solutionId')]"
                 },
                 "author": {
-                  "name": "Data443 Risk Mitigation, Inc.",
+                  "name": "TacitRed",
                   "email": "[variables('_email')]"
                 },
                 "support": {
@@ -296,25 +289,27 @@
         "contentSchemaVersion": "3.0.0",
         "contentId": "[variables('_playbookContentId1')]",
         "contentKind": "Playbook",
-        "displayName": "Playbooks",
+        "displayName": "TacitRed to CrowdStrike IOC Automation",
         "contentProductId": "[variables('_playbookcontentProductId1')]",
+        "id": "[variables('_playbookcontentProductId1')]",
         "version": "[variables('playbookVersion1')]"
       }
     },
     {
       "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
-      "apiVersion": "2023-04-01-preview",
+      "apiVersion": "2025-09-01",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.0.3",
+        "version": "3.0.0",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "TacitRed-IOC-CrowdStrike",
-        "publisherDisplayName": "TacitRed",
-        "descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/TacitRed-IOC-CrowdStrike/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The TacitRed CrowdStrike IOC Automation solution provides example playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and prepare indicators for ingestion into CrowdStrike.</p>\n<p><strong>Playbooks:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
+        "publisherDisplayName": "Data443 Risk Mitigation, Inc.",
+        "descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>&#8226; Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/TacitRed-IOC-CrowdStrike/ReleaseNotes.md\">Release Notes</a></p>\n<p>&#8226; There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The TacitRed CrowdStrike IOC Automation solution provides example playbooks that demonstrate how to consume TacitRed threat intelligence from Microsoft Sentinel and prepare indicators for ingestion into CrowdStrike.</p>\n<p><strong>Playbooks:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
         "contentKind": "Solution",
         "contentProductId": "[variables('_solutioncontentProductId')]",
-        "icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">",
+        "id": "[variables('_solutioncontentProductId')]",
+        "icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/tacitred_logo.svg\" width=\"75px\" height=\"75px\">",
         "contentId": "[variables('_solutionId')]",
         "parentId": "[variables('_solutionId')]",
         "source": {
@@ -323,7 +318,7 @@
           "sourceId": "[variables('_solutionId')]"
         },
         "author": {
-          "name": "Data443 Risk Mitigation, Inc.",
+          "name": "TacitRed",
           "email": "[variables('_email')]"
         },
         "support": {
@@ -337,14 +332,14 @@
           "criteria": [
             {
               "kind": "Playbook",
-              "contentId": "[variables('_Playbooks')]",
+              "contentId": "[variables('_playbookContentId1')]",
               "version": "[variables('playbookVersion1')]"
             }
           ]
         },
         "firstPublishDate": "2025-11-25",
         "providers": [
-          "TacitRed"
+          "Data443 Risk Mitigation, Inc."
         ],
         "categories": {
           "domains": [
@@ -356,4 +351,4 @@
     }
   ],
   "outputs": {}
-}
+}