
TacitRed-IOC-CrowdStrike v3.0.1: Fix deployment errors and missing playbook template #13641

Merged: v-atulyadav merged 1 commit into Azure:master from Data443:feature/tacitred-crowdstrike-v3.0.1 on Feb 17, 2026

@mazamizo21
Contributor

Summary

Fix three bugs preventing the TacitRed CrowdStrike IOC Automation playbook from deploying and appearing in Sentinel Automation.

Bugs Fixed

1. InvalidResourceLocation — location parameter in inner template

Inner template had location as a parameter with the concat trick defaultValue. Content Hub passes the literal string [resourceGroup().location] instead of evaluating it. 489/492 solutions use variables('workspace-location-inline') instead.

Fix: Remove location parameter, use existing variable.

2. Missing hidden-Sentinel tags — playbook template not visible

The Logic App resource was missing hidden-SentinelTemplateName and hidden-SentinelTemplateVersion tags. Sentinel uses these to discover playbook templates in the Automation > Playbook templates view. Without them, the template is invisible even though the solution shows as installed.

Fix: Add hidden-SentinelTemplateName: TacitRedToCrowdStrike and hidden-SentinelTemplateVersion: 1.0 tags.

3. TacitRed_Domain filter — unnecessary UI parameter

TacitRed_Domain was exposed in deployment wizard with domains[]= hardcoded in API URI. Playbook should fetch all findings by default.

Fix: Remove from all parameter locations and API URI.

Files Changed

| File | Change |
| --- | --- |
| Package/mainTemplate.json | Remove location + domain params, add hidden tags, bump version |
| Playbooks/TacitRedToCrowdStrike_Playbook.json | Remove domain param + filter from standalone |
| Data/Solution_TacitRedCrowdStrikeAutomation.json | Version → 3.0.1 |
| ReleaseNotes.md | Add v3.0.1 entry |
| Package/3.0.1.zip | New package (3.0.0 preserved) |

…aybook template

- Remove non-standard 'location' parameter from inner template, use
  variables('workspace-location-inline') matching 489 other solutions
- Add missing hidden-SentinelTemplateName and hidden-SentinelTemplateVersion
  tags so playbook template appears in Sentinel Automation page
- Remove TacitRed_Domain parameter from deployment UI, Logic App params,
  and API URI — playbook now fetches all findings without domain filter
- Update standalone playbook template to match
- Bump version to 3.0.1
- Preserve 3.0.0 zip package
@mazamizo21 mazamizo21 requested review from a team as code owners February 17, 2026 01:43
@mazamizo21
Contributor Author

Detailed Bug Report & Evidence

Issue Reported

After installing the TacitRed-IOC-CrowdStrike solution from Content Hub, the playbook template does not appear in Sentinel > Automation > Playbook templates. Searching for "TacitRedToCrowdStrike" returns "No results." The resource group shows no deployments, and the installation wizard never prompted for resource group or workspace selection.

Content Hub shows the solution as "Installed" with "Configuration needed" warning, but clicking Configuration navigates to an empty Automation page with no deployment wizard.


Root Cause Analysis

Bug 1: Missing hidden-SentinelTemplateName and hidden-SentinelTemplateVersion tags (PRIMARY)

This is why the playbook template is invisible. Sentinel uses these hidden tags on Microsoft.Logic/workflows resources to discover and display playbook templates in the Automation page. Without them, Sentinel cannot link the installed contentTemplate to the Playbook templates UI.

Survey of 482 solutions with playbook contentTemplates:

  • ✅ 330 solutions have all 3 hidden tags (hidden-SentinelTemplateName, hidden-SentinelTemplateVersion, hidden-SentinelWorkspaceId)
  • ⚠️ 152 solutions are missing TemplateName and/or TemplateVersion — many of these likely have the same invisible-template issue

Our CrowdStrike template only had hidden-SentinelWorkspaceId. Compare with a working solution (Cybersixgill):

// ✅ Working (Cybersixgill) — all 3 tags
"tags": {
  "hidden-SentinelTemplateName": "CybersixgillAlertStatusUpdate",
  "hidden-SentinelTemplateVersion": "1.0",
  "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
}

// ❌ Broken (CrowdStrike v3.0.0) — missing 2 tags
"tags": {
  "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
}

Fix: Added hidden-SentinelTemplateName: TacitRedToCrowdStrike and hidden-SentinelTemplateVersion: 1.0.


Bug 2: location parameter in inner template → InvalidResourceLocation

Inner template had location as a parameter with the concat trick default:

"location": { "type": "string", "defaultValue": "[concat('[resourceGroup().locatio', 'n]')]" }

Content Hub passes the literal string [resourceGroup().location] instead of evaluating it, causing InvalidResourceLocation errors on deployment.

Survey: 489/492 solutions with Playbook contentTemplates use variables('workspace-location-inline') instead of a location parameter.

Fix: Removed location parameter, Logic App now uses [[variables('workspace-location-inline')].


Bug 3: TacitRed_Domain parameter — unnecessary UI friction

TacitRed_Domain was exposed in the deployment wizard with domains[]= hardcoded in the API URI. This forces users to provide a domain filter value that most won't need. The playbook should fetch all findings by default.

Fix: Removed TacitRed_Domain from all parameter locations (inner template params, Logic App properties, workflow definition params) and cleaned the API URI to fetch all findings.


Changes Summary

| File | Change |
| --- | --- |
| Package/mainTemplate.json | Remove location param, remove TacitRed_Domain param + filter, add hidden tags, bump to 3.0.1 |
| Playbooks/TacitRedToCrowdStrike_Playbook.json | Remove domain param + filter from standalone template |
| Data/Solution_TacitRedCrowdStrikeAutomation.json | Version → 3.0.1 |
| ReleaseNotes.md | Add v3.0.1 entry |
| Package/3.0.1.zip | New package (3.0.0.zip preserved) |
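
An added example, not part of this PR or the Azure-Sentinel repository: a small Python lint that checks a solution template for the three defects described in the comment above (missing hidden-Sentinel tags, a `location` parameter on the inner template, and a hardcoded `domains[]=` filter). The traversal, the finding labels, and the sample template with its placeholder URI are constructed for illustration.

```python
import json

# Tag names come from the PR discussion; traversal and finding labels are this example's own.
REQUIRED_TAGS = ("hidden-SentinelTemplateName", "hidden-SentinelTemplateVersion",
                 "hidden-SentinelWorkspaceId")

def iter_templates(node):
    """Yield every dict that carries a 'resources' list (outer or inner ARM template)."""
    if isinstance(node, dict):
        if isinstance(node.get("resources"), list):
            yield node
        for value in node.values():
            yield from iter_templates(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_templates(item)

def audit(main_template):
    """Return findings for the three defects described in this PR."""
    findings = []
    for tpl in iter_templates(main_template):
        workflows = [r for r in tpl["resources"] if isinstance(r, dict)
                     and str(r.get("type", "")).lower() == "microsoft.logic/workflows"]
        if not workflows:
            continue
        # Bug 2 concerns the inner (nested) template only, not a standalone playbook.
        if tpl is not main_template and "location" in tpl.get("parameters", {}):
            findings.append("inner-location-parameter")
        for wf in workflows:
            findings += [f"missing-tag:{t}" for t in REQUIRED_TAGS if t not in wf.get("tags", {})]
            if "domains[]=" in json.dumps(wf):
                findings.append("hardcoded-domain-filter")
    return findings

def sample(fixed):
    """Constructed, minimal stand-in for Package/mainTemplate.json (not the real file)."""
    tags = {"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"}
    params = {"PlaybookName": {"type": "string"}}
    uri = "https://api.example.invalid/findings"  # placeholder URI, not the real endpoint
    if fixed:
        tags.update({"hidden-SentinelTemplateName": "TacitRedToCrowdStrike",
                     "hidden-SentinelTemplateVersion": "1.0"})
    else:
        params["location"] = {"type": "string",
                              "defaultValue": "[concat('[resourceGroup().locatio', 'n]')]"}
        uri += "?domains[]=@{parameters('TacitRed_Domain')}"  # constructed filter expression
    workflow = {"type": "Microsoft.Logic/workflows", "tags": tags,
                "properties": {"definition": {"actions": {"Get": {"inputs": {"uri": uri}}}}}}
    inner = {"parameters": params, "resources": [workflow]}
    outer_type = "Microsoft.OperationalInsights/workspaces/providers/contentTemplates"
    return {"resources": [{"type": outer_type, "properties": {"mainTemplate": inner}}]}
```

`audit(sample(fixed=False))` reports all three defects for the constructed v3.0.0-style template, and `audit(sample(fixed=True))` returns an empty list; to lint a real package, pass the result of `json.load` on its `mainTemplate.json` to `audit`.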

mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Feb 17, 2026
@mazamizo21
Contributor Author

Screenshots — Observed Bugs

Content Hub: Solution shows "Installed" with "Configuration needed"

[Screenshot: Content Hub Installed]

The solution appears installed (v3.0.0, 1 content item), playbook pb-tacitred-to-crowdstrike shows status "Installed" with ⚠️ Configuration needed. Clicking Configuration navigates to the Automation page instead of showing a deployment wizard — because the template is invisible.


Automation > Playbook Templates: Template not found

[Screenshot: Playbook Templates Empty]

Searching "TacitRedToCrowdStrike" in Playbook templates returns "No results." Root cause: missing hidden-SentinelTemplateName and hidden-SentinelTemplateVersion tags on the Logic App resource.


Active Playbooks: Empty — playbook never deployed

[Screenshot: Active Playbooks Empty]

No active playbooks found. Since the template is invisible, users cannot deploy it from the Configuration wizard.


Resource Group: No resources, no deployments

[Screenshot: Resource Group Empty]

CrowdStrike-Marketplace resource group shows 0 resources and 0 deployments. The installation never prompted for resource group selection because the hidden-Sentinel* tags were missing, preventing the Configuration wizard from launching.

@v-shukore v-shukore self-assigned this Feb 17, 2026
@v-shukore v-shukore added the Solution Solution specialty review needed label Feb 17, 2026
@v-atulyadav v-atulyadav merged commit 843888f into Azure:master Feb 17, 2026
33 checks passed
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Feb 26, 2026
…and deployment fixes

Changes from 3.0.0 to 3.0.1:
- Added hidden-SentinelTemplateName and hidden-SentinelTemplateVersion tags
  (without these, playbook template does not appear in Automation > Playbook templates)
- Fixed location parameter: removed hardcoded location, use workspace-location-inline
- Removed unused TacitRed_Domain parameter and URI filter
- Fixed solutionId to match Partner Center offer ID
- Updated API versions from future-dated 2025-09-01 to 2023-04-01-preview
- Updated publisher name to Data443 Risk Mitigation, Inc.

Note: PR Azure#13641 (v3.0.1) was previously merged but only included the Solution JSON —
the Package/mainTemplate.json and zip were not part of that merge. This PR adds them.
mazamizo21 added a commit to Data443/Azure-Sentinel that referenced this pull request Mar 2, 2026