TacitRed-SentinelOne v3.0.2: Fix InvalidResourceLocation and remove domain filter

[mazamizo21]

Summary

Fix InvalidResourceLocation deployment error and remove unnecessary domain filter parameter from TacitRed SentinelOne IOC Automation playbook.

Bugs Fixed

1. InvalidResourceLocation — location parameter in inner template

The inner template (contentTemplate) had location as a parameter with the concat trick as defaultValue. When Content Hub deploys, it passes the literal string [resourceGroup().location] instead of evaluating it. 489 out of 492 Sentinel solutions use a variable (workspace-location-inline) instead — we were one of only 3 outliers.

Fix: Remove location parameter, use variables('workspace-location-inline') (which already existed in the template).

2. Metadata resource name — wrong bracket type

The metadata resource name used [[ (double bracket) instead of [ (single bracket). Double bracket means the expression is evaluated at inner template deploy time, but the inner template has no workspace parameter — causing a reference error. 481 out of 482 Sentinel solutions use single brackets for metadata names — we were the only outlier.

Fix: Change [[ to [ so the expression resolves at outer template (solution install) time.

3. TacitRed_Domain filter — unnecessary UI parameter

The TacitRed_Domain parameter was exposed in the Content Hub deployment wizard with domains[]= hardcoded in the API URI. This forced users to specify a domain filter, limiting results. The playbook should fetch all findings by default.

Fix: Remove TacitRed_Domain from inner template parameters, Logic App parameters, workflow parameters, and API URI. Updated standalone playbook template to match.

Files Changed

File	Change
Package/mainTemplate.json	Remove location + domain params, fix metadata bracket, bump version
Playbooks/TacitRedToSentinelOne_Playbook.json	Remove domain param + filter from standalone template
Data/Solution_TacitRedSentinelOneAutomation.json	Version → 3.0.2
ReleaseNotes.md	Add v3.0.2 entry
Package/3.0.2.zip	New package (3.0.0 preserved)

Validation

• Confirmed all 3 patterns now match the standard used by 480+ Sentinel solutions
• Validated JSON structure
• Verified no remaining references to removed parameters

[mazamizo21]

Detailed Bug Report & Evidence

Issue

TacitRed-SentinelOne solution deployed from Content Hub fails with InvalidResourceLocation and playbook template is not visible in Sentinel Automation > Playbook templates.

---

Root Cause Analysis

Bug 1: location parameter in inner template → InvalidResourceLocation

The inner template used location as a parameter with the concat trick default:

"location": { "type": "string", "defaultValue": "[concat('[resourceGroup().locatio', 'n]')]" }

When Content Hub deploys the inner template, it passes the literal string [resourceGroup().location] as the location value (e.g., "[resourceGroup().location]" instead of "eastus"). ARM rejects this as an invalid Azure region.

Survey of 492 solutions with Playbook contentTemplates:

• ✅ 489 solutions use variables('workspace-location-inline') — a variable with the same concat trick that evaluates correctly at inner-template level
• ⚠️ Only 3 solutions (including ours) used a location parameter

Fix: Removed location parameter from inner template. Logic App now uses [[variables('workspace-location-inline')] matching the standard pattern.

---

Bug 2: Metadata resource name double-bracket [[

The metadata resource name used double brackets:

"name": "[[concat(parameters('workspace'), ...)]"

This causes the name to be treated as a literal string [concat(...)] instead of being evaluated. The metadata resource name should use single bracket [ because it needs to be resolved at outer deploy time (not escaped for inner template).

Survey: 481/482 solutions use single bracket [ for metadata resource names.

Fix: Changed [[concat( to [concat( in metadata resource name.

---

Bug 3: Missing hidden-SentinelTemplateName and hidden-SentinelTemplateVersion tags

The Logic App resource only had hidden-SentinelWorkspaceId but was missing the other two required hidden tags. Sentinel uses these tags to discover and display playbook templates in the Automation > Playbook templates view.

Survey: 330/482 solutions have all 3 hidden tags. Compare:

// ✅ Working pattern (e.g., Cybersixgill)
"tags": {
  "hidden-SentinelTemplateName": "CybersixgillAlertStatusUpdate",
  "hidden-SentinelTemplateVersion": "1.0",
  "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
}

// ❌ Our v3.0.0 — missing 2 tags
"tags": {
  "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
}

Fix: Added hidden-SentinelTemplateName: TacitRedToSentinelOne and hidden-SentinelTemplateVersion: 1.0.

---

Bug 4: TacitRed_Domain parameter — unnecessary UI friction

TacitRed_Domain was exposed in the deployment wizard with domains[]= hardcoded in the API URI. Playbook should fetch all findings by default without requiring a domain filter.

Fix: Removed from all parameter locations and cleaned API URI.

---

Changes Summary

File	Change
Package/mainTemplate.json	Remove location param, fix metadata bracket, remove domain param/filter, add hidden tags, bump to 3.0.2
Playbooks/TacitRedToSentinelOne_Playbook.json	Remove domain param + filter from standalone template
Data/Solution_TacitRedSentinelOneAutomation.json	Version → 3.0.2
ReleaseNotes.md	Add v3.0.2 entry
Package/3.0.2.zip	New package (3.0.0.zip preserved)