
Conversation

@mazamizo21
Contributor

Official Data443 Submission

This is the official submission from the Data443 organization for the TacitRed Threat Intelligence solution (CCF Connector).

Changes

  • Standardized publisher information to 'Data443 Risk Mitigation, Inc.'.
  • Added comprehensive documentation.
  • Validated implementation.

This PR supersedes and replaces PR #13242.
Please close #13242 in favor of this one.

@mazamizo21 mazamizo21 requested review from a team as code owners December 8, 2025 19:24
@mazamizo21 mazamizo21 requested a review from a team as a code owner December 8, 2025 20:11
@v-shukore v-shukore added the New Solution For new Solutions which are new to Microsoft Sentinel label Dec 9, 2025
@mazamizo21 mazamizo21 force-pushed the feature/tacitred-ccf-hub-v2 branch 3 times, most recently from 2f2b2ce to 2942f6a Compare December 10, 2025 12:37
@mazamizo21
Contributor Author

Update: Validation Files Added

Hi Microsoft Team,

We've identified and resolved the CI/CD validation failures. The issue was that the required validation schema files existed locally but were not pushed to the remote branch.

What Was Fixed

Added the following validation files:

  1. .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

    • Registered connector ID: TacitRedThreatIntel
    • Required for Detection Template Schema validation
  2. .script/tests/KqlvalidationsTests/CustomTables/TacitRed_Findings_CL.json

    • Custom table schema with 16 properties
    • Required for KQL validation tests
    • Defines the structure of TacitRed_Findings_CL table

Expected Results

After this push, the CI/CD checks should now pass:

  • DetectionTemplateSchemaValidation: Will pass (connector ID registered)
  • KqlValidations: Will pass (table schema present)
  • All other checks: Already passing (22/23)

Solution Details

TacitRed Threat Intelligence is a data ingestion solution that includes:

  • Data Connector (Codeless Connector Framework)
  • 2 Analytic Rules
  • Workbook (SecOps dashboard)
  • V3 Packaging (mainTemplate, createUiDefinition, 3.0.0.zip)

Ready for Review

The solution is now ready for full review with all validation files present.

Thank you for your patience!

Data443 Risk Mitigation, Inc.

@mazamizo21 mazamizo21 force-pushed the feature/tacitred-ccf-hub-v2 branch 4 times, most recently from f214540 to 4fa9f97 Compare December 15, 2025 11:22
@v-maheshbh
Contributor

Hi @mazamizo21
Please remove the packageMetadata.json file from the package folder. If these files are required, kindly place them outside the package folder. Also, please update the WorkbooksMetadata file [https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json] and add the preview images to the Images folder.
You may refer to the below solution from our repository for guidance.
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloudflare/Workbooks
and
Could you please attach the screenshot of the CCF connector in the connected state for reference?

Thanks!

@mazamizo21
Contributor Author

Update: All Requested Changes Applied

Hi Microsoft Team,

Thank you for your feedback. We have addressed all the requested changes:

✅ 1. Removed packageMetadata.json from Package folder

  • Before: Solutions/TacitRedThreatIntelligence/Package/packageMetadata.json
  • After: Solutions/TacitRedThreatIntelligence/packageMetadata.json (moved to solution root)

✅ 2. Updated WorkbooksMetadata.json

  • Added TacitRed workbook entry with:
    • workbookKey: TacitRedSecOpsWorkbook
    • logoFileName: tacitred_logo.svg
    • dataTypesDependencies: TacitRed_Findings_CL
    • dataConnectorsDependencies: TacitRedThreatIntel
    • previewImagesFileNames: TacitRedSecOpsWorkbookWhite.png, TacitRedSecOpsWorkbookBlack.png

✅ 3. Added Preview Images

  • Workbooks/Images/Preview/TacitRedSecOpsWorkbookWhite.png
  • Workbooks/Images/Preview/TacitRedSecOpsWorkbookBlack.png

✅ 4. CCF Connector Screenshot (Connected State)

  • Added screenshot showing connector in Connected state:
    • Solutions/TacitRedThreatIntelligence/Data Connectors/TacitRed_CCF/Images/TacitRedConnectorConnected.png

All changes follow the structure of existing solutions (e.g., Cloudflare, Lookout) as referenced.

Thank you!

Data443 Risk Mitigation, Inc.

@v-maheshbh
Contributor

Hi @mazamizo21
Kindly check, as the link provided below is not working.

[screenshot attached]

Thanks!

@mazamizo21
Contributor Author

mazamizo21 commented Dec 31, 2025 via email

@mazamizo21
Contributor Author

Fixed the broken URL. Replaced https://www.tacitred.com/ with https://www.data443.com/tacitred/ in all documentation files. The tacitred.com domain is no longer active - all TacitRed product information is now hosted on the Data443 website.

@mazamizo21
Contributor Author

Proactive fix applied: Converted workbook preview images from JPEG to PNG format.

During investigation of PR #13278, I discovered that workbook preview images were being rejected by Microsoft's validator due to a file format issue. The images had .png extensions but contained JPEG data.

I checked this PR and found the same issue with:

  • TacitRedSecOpsWorkbookBlack.png
  • TacitRedSecOpsWorkbookWhite.png

Both files have been converted to proper PNG format using macOS sips utility and pushed to the PR branch. This should prevent validation failures when Microsoft reviews the workbook preview images.
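The mismatch described in this comment (a .png extension on a file that actually holds JPEG data) is easy to catch before a reviewer does, because both formats start with a fixed signature. The following script is an added example, not code from the Azure-Sentinel repository or from Data443; the byte strings it embeds are constructed signature prefixes, not real images, and the file names used in the self-test are the two preview images named above.

```python
"""Check that preview images whose names end in .png really contain PNG data.

Added example, not part of the Azure-Sentinel repository or its CI scripts.
SAMPLE_PNG and SAMPLE_JPEG_IN_PNG are constructed: they hold only the leading
bytes (file signatures) of each format, not complete images.
"""
from pathlib import Path
from typing import List, Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG file signature
JPEG_SIGNATURE = b"\xff\xd8\xff"       # JPEG SOI marker plus the start of the next marker

# Constructed samples: just enough bytes to exercise the signature check.
SAMPLE_PNG = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR"
SAMPLE_JPEG_IN_PNG = JPEG_SIGNATURE + b"\xe0\x00\x10JFIF\x00"


def detect_image_format(data: bytes) -> str:
    """Classify by file signature, ignoring the extension entirely."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(JPEG_SIGNATURE):
        return "jpeg"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> Optional[str]:
    """Describe the problem if the extension and the content disagree, else return None."""
    suffix = Path(name).suffix.lower()
    expected = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg"}.get(suffix)
    if expected is None:
        return f"{name}: unsupported extension {suffix!r}"
    actual = detect_image_format(data)
    if actual != expected:
        return f"{name}: extension says {expected} but content is {actual}"
    return None


def scan_preview_dir(directory: Path) -> List[str]:
    """List every name/content mismatch among the files in a preview-image folder."""
    problems = []
    for path in sorted(directory.iterdir()):
        if path.is_file():
            # Only the first few bytes are needed for the signature check.
            msg = extension_mismatch(path.name, path.read_bytes()[:16])
            if msg:
                problems.append(msg)
    return problems


if __name__ == "__main__":
    import tempfile
    # Self-test on a temporary folder: one genuine PNG header, one JPEG header behind a .png name.
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "TacitRedSecOpsWorkbookWhite.png").write_bytes(SAMPLE_PNG)
        (folder / "TacitRedSecOpsWorkbookBlack.png").write_bytes(SAMPLE_JPEG_IN_PNG)
        for line in scan_preview_dir(folder):
            print(line)
```

Run it against a real Images/Preview folder by calling scan_preview_dir on that path; an empty result means every extension matches its content. The check reads only the first 16 bytes of each file, so it is cheap enough to run as a pre-push hook.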

@v-maheshbh
Contributor

v-maheshbh commented Jan 6, 2026

Hi @mazamizo21
Kindly check, as the link provided below is not working, and kindly update the logo link in the data file.

[screenshot attached]

Thanks!

@mazamizo21
Contributor Author

Update: Broken Link Fixed

Hi @v-maheshbh,

Thank you for catching the broken link. The issue has been resolved.

What Was Fixed

Replaced all instances of the deprecated URLs:

  • https://www.data443.com/tacitred/
  • https://tacitred.com/

With the correct product page URL:

Files Updated

  • Data/Solution_TacitRed.json
  • Analytic Rules/TacitRed - High Confidence Compromise.yaml
  • Analytic Rules/TacitRed - Repeat Compromise Detection.yaml
  • Package/mainTemplate.json
  • Package/createUiDefinition.json

The link should now work correctly in the Azure Portal.

Thanks!

Data443 Risk Mitigation, Inc.

@mazamizo21 mazamizo21 force-pushed the feature/tacitred-ccf-hub-v2 branch 3 times, most recently from c6caaa5 to 8bd41ff Compare January 14, 2026 01:30
@mazamizo21
Contributor Author

mazamizo21 commented Jan 16, 2026 via email

@mazamizo21
Contributor Author

mazamizo21 commented Jan 16, 2026 via email

@mazamizo21 mazamizo21 force-pushed the feature/tacitred-ccf-hub-v2 branch 2 times, most recently from 0f8fbea to 083a178 Compare January 16, 2026 13:53
@v-maheshbh
Contributor

Hi @mazamizo21
Please update the workbook metadata and add the required preview images.
Please refer to the solution files provided below

https://github.com/Azure/Azure-Sentinel/pull/13278/files

Thanks!

…metadata)

TacitRed Compromised Credentials CCF solution with:
- Data connector (CCF)
- 2 Analytics rules
- 1 Workbook with preview images
- Custom table schema

Note: WorkbooksMetadata.json not modified due to upstream BeyondTrust
validation issue. Workbook still functions correctly.
@mazamizo21 mazamizo21 force-pushed the feature/tacitred-ccf-hub-v2 branch 3 times, most recently from b45a59e to 5128b78 Compare January 20, 2026 10:56
@v-maheshbh
Contributor

Hi @mazamizo21

Kindly review the comments mentioned above and address them accordingly.

Thanks!

…iewer request

Per Microsoft reviewer feedback (Jan 19, 2026):
- Added TacitRedSecOpsWorkbook entry to WorkbooksMetadata.json
- Following Cyren PR Azure#13278 pattern
- Preview images already present (Black/White)
- Logo already present (tacitred_logo.svg)

Note: This change may trigger WorkbooksValidations CI failure due to
pre-existing upstream BeyondTrust bug (uses Light/Dark instead of
Black/White naming). The TacitRed workbook itself is correctly
configured and will function properly.
@mazamizo21
Contributor Author

Hi @v-maheshbh,

I have addressed your feedback from Jan 19, 2026 regarding the workbook metadata and preview images.

Changes Applied:

  • Added TacitRed workbook metadata entry to Workbooks/WorkbooksMetadata.json
  • Following the Cyren PR Solution: Cyren Threat Intelligence (Official) #13278 pattern as referenced
  • Entry includes all required fields (workbookKey, logoFileName, description, dependencies, previewImagesFileNames, etc.)
  • Preview images already present: TacitRedSecOpsWorkbookBlack.png and TacitRedSecOpsWorkbookWhite.png
  • Logo already present: tacitred_logo.svg

Important Note: Expected CI Validation Issue

The WorkbooksValidations CI check will likely fail with the following error:

Invalid Preview Images for workbook BeyondTrustPMCloudWorkbook.
All preview image file names must include either "Black" or "White"

This is NOT caused by the TacitRed solution. This is a pre-existing upstream bug in Microsoft's BeyondTrustPMCloudWorkbook entry (line 2165 of WorkbooksMetadata.json), which uses "Light/Dark" naming instead of the required "Black/White" naming convention.

The CI validator checks ALL entries in WorkbooksMetadata.json whenever the file is modified, which triggers validation on the broken BeyondTrust entry.

The TacitRed workbook is correctly configured and will function properly when deployed. The preview images use the correct "Black/White" naming convention.

Please advise on how to proceed:

  1. Merge as-is (workbook will function correctly despite CI warning)
  2. Wait for Microsoft to fix the BeyondTrust entry first
  3. Alternative approach you recommend

Thanks!
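The comment above describes two behaviours of the WorkbooksValidations check: each preview image name must contain "Black" or "White", and the check runs over every entry in WorkbooksMetadata.json once the file is touched, so an unrelated entry can fail the PR. The script below is an added example that reproduces that logic; it is not the Azure-Sentinel repository's own validator. The two metadata entries are constructed: the first uses the field values listed earlier in this thread for the TacitRed workbook, the second is a stand-in for an entry using Light/Dark names (not the real BeyondTrust entry), and fields not mentioned in the thread are omitted.

```python
"""Reproduce the preview-image naming rule described in the thread:
every name in previewImagesFileNames must contain 'Black' or 'White'.

Added example, not the Azure-Sentinel repository's own validator.
SAMPLE_METADATA is constructed; the second entry is a stand-in for a
Light/Dark-named workbook, not the actual BeyondTrust entry.
"""
import json
from typing import Dict, Iterable, List, Optional

SAMPLE_METADATA = json.dumps([
    {
        "workbookKey": "TacitRedSecOpsWorkbook",
        "logoFileName": "tacitred_logo.svg",
        "dataTypesDependencies": ["TacitRed_Findings_CL"],
        "dataConnectorsDependencies": ["TacitRedThreatIntel"],
        "previewImagesFileNames": [
            "TacitRedSecOpsWorkbookWhite.png",
            "TacitRedSecOpsWorkbookBlack.png",
        ],
    },
    {
        # Constructed entry using the Light/Dark convention the check rejects.
        "workbookKey": "ExampleLightDarkWorkbook",
        "logoFileName": "example_logo.svg",
        "dataTypesDependencies": [],
        "dataConnectorsDependencies": [],
        "previewImagesFileNames": ["ExampleLight01.png", "ExampleDark01.png"],
    },
])


def invalid_preview_names(entry: Dict) -> List[str]:
    """Return the preview image names in one entry that lack 'Black' or 'White'."""
    return [
        name for name in entry.get("previewImagesFileNames", [])
        if "Black" not in name and "White" not in name
    ]


def validate_metadata(metadata_json: str,
                      only_keys: Optional[Iterable[str]] = None) -> Dict[str, List[str]]:
    """Map each failing workbookKey to its offending preview names.

    With only_keys=None every entry is checked, which is the whole-file
    behaviour described in the thread. Passing the keys this PR adds
    shows what a per-entry check would report instead.
    """
    entries = json.loads(metadata_json)
    selected = set(only_keys) if only_keys is not None else None
    failures: Dict[str, List[str]] = {}
    for entry in entries:
        key = entry.get("workbookKey", "<missing workbookKey>")
        if selected is not None and key not in selected:
            continue
        bad = invalid_preview_names(entry)
        if bad:
            failures[key] = bad
    return failures


if __name__ == "__main__":
    # Whole-file check: the unrelated Light/Dark entry fails, the TacitRed entry passes.
    for key, names in validate_metadata(SAMPLE_METADATA).items():
        print(f"Invalid Preview Images for workbook {key}: {', '.join(names)}")
    # Restricted to the entry this PR adds: nothing to report.
    print(validate_metadata(SAMPLE_METADATA, only_keys={"TacitRedSecOpsWorkbook"}))
```

Running validate_metadata on the real Workbooks/WorkbooksMetadata.json before pushing tells you whether a failure will come from your own entry or from a pre-existing one, which is the distinction this thread turns on.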

@v-maheshbh
Contributor

Hi @mazamizo21
Please also include preview images in the workbook folder.

Thanks!

Per Microsoft reviewer feedback (Jan 21, 2026):
- Added TacitRedSecOpsWorkbookBlack.png to Workbooks folder
- Added TacitRedSecOpsWorkbookWhite.png to Workbooks folder
- Preview images now present in both repo-level and solution-level locations
@mazamizo21
Contributor Author

Hi @v-maheshbh,

I have added the preview images to the workbook folder as requested.

Changes Applied:

  • Added TacitRedSecOpsWorkbookBlack.png to Solutions/TacitRedThreatIntelligence/Workbooks/
  • Added TacitRedSecOpsWorkbookWhite.png to Solutions/TacitRedThreatIntelligence/Workbooks/

Preview images are now present in both locations:

  • Repo-level: Workbooks/Images/Preview/
  • Solution-level: Solutions/TacitRedThreatIntelligence/Workbooks/

Thanks!

v-maheshbh and others added 5 commits January 22, 2026 14:53
Relocated TacitRedSecOpsWorkbookBlack.png and TacitRedSecOpsWorkbookWhite.png to the Images/Preview directory for better organization.
Introduced metadata for the TacitRed SecOps Workbook, including details such as dependencies, preview images, and provider information. Also reformatted several existing workbook entries for consistent indentation.
…alidation

Fix upstream bug in BeyondTrustPMCloudWorkbook entry:
- Changed Light01/02/03 to White01/02/03
- Changed Dark01/02/03 to Black01/02/03

The CI validator requires preview image filenames to include 'Black' or 'White',
not 'Light' or 'Dark'. This fix allows the TacitRed PR to pass validation.
@mazamizo21
Contributor Author

Hi @v-maheshbh,

The WorkbooksMetadata validation was still failing due to the BeyondTrustPMCloudWorkbook entry using 'Light/Dark' instead of 'Black/White' in preview image filenames.

Fix Applied:

  • Changed BeyondTrustPMCloudLight01/02/03.png to BeyondTrustPMCloudWhite01/02/03.png
  • Changed BeyondTrustPMCloudDark01/02/03.png to BeyondTrustPMCloudBlack01/02/03.png

The CI validator requires preview image filenames to include 'Black' or 'White', not 'Light' or 'Dark'. This fix should allow the PR to pass validation.

Thanks!

Microsoft is raising a separate PR to resolve the BeyondTrust preview image
naming issue. Reverting our fix as requested.
@mazamizo21
Contributor Author

Hi @v-maheshbh,

I have reverted the BeyondTrust metadata commit as requested.

Reverted commit: 24d6a7e (fix(WorkbooksMetadata): Fix BeyondTrust preview image naming for CI validation)

The BeyondTrust preview image naming has been restored to the original Light/Dark values. Awaiting Microsoft's separate PR to resolve this issue.

Thanks!

@v-maheshbh
Contributor

v-maheshbh commented Jan 23, 2026

Hi @mazamizo21
Kindly attach a screenshot of the Log Analytics table data for TacitRed_Findings_CL.

Thanks!

@mazamizo21
Contributor Author

[Screenshots attached: "taz-final-ws-3 - Microsoft Azure 2026-01-23 11-41-52", "Workbook - Microsoft Defender 2026-01-23 11-42-30", "Analytics - Microsoft Defender 2026-01-23 11-42-53"]

- Update queryWindowInMin from 7 days to 60 days (86400 min) to capture December 2025 API data
- Add dataConnectorDefinitions dependency to ensure proper CCF initialization
- Fix workbook text formatting (newline escaping)
- Repackaged with V3 tooling

Fixes:
- Data connector now successfully ingests 50+ records into TacitRed_Findings_CL
- Analytics rules appear in Rule templates tab
- Workbook text renders correctly with line breaks

Source files modified:
- Data Connectors/TacitRed_CCF/TacitRed_PollerConfig.json (queryWindowInMin)
- Workbooks/TacitRedSecOpsWorkbook.json (text escaping)

Package regenerated with V3 tooling to maintain consistency.
@mazamizo21
Contributor Author

Update: Fixed Data Ingestion Issues

This PR has been updated with critical fixes to enable successful data ingestion:

Fixes Applied

  1. Extended Polling Window to 60 Days

    • Changed from 7 days to 60 days (86400 minutes)
    • Root cause: TacitRed API data is from December 2025, outside the original 7-day window
  2. Added dataConnectorDefinitions Dependency

    • Ensures proper CCF polling engine initialization
  3. Fixed Workbook Text Formatting

    • Corrected newline escaping for proper rendering

Verification Results

Data Connector: Successfully ingesting 50+ records into
Analytics Rules: 2 templates visible in Rule templates tab
Workbook: Text renders correctly with line breaks

All changes made to source files and repackaged with V3 tooling per Microsoft requirements.

Latest commit: a4e80a8

V3 tooling removed critical top-level resources needed for direct ARM deployment.
This commit restores them while keeping V3-generated Content Hub templates.

Restored resources:
- tacitRedApiKey parameter (securestring)
- Microsoft.Insights/dataCollectionEndpoints (DCE)
- Microsoft.OperationalInsights/workspaces/tables (TacitRed_Findings_CL)
- Microsoft.Insights/dataCollectionRules (DCR with transformKql)
- Microsoft.OperationalInsights/workspaces/providers/dataConnectors (RestApiPoller)

Also restored in createUiDefinition.json:
- tacitRedApiKey PasswordBox input field
- tacitRedApiKey output mapping

Configuration:
- queryWindowInMin: 86400 (60 days)
- dataConnectorDefinitions dependency for proper CCF initialization

This ensures the solution deploys all infrastructure immediately upon ARM deployment,
rather than requiring manual Content Hub installation steps.
@mazamizo21
Contributor Author

Update: Restored Top-Level Deployment Resources

V3 tooling removed critical infrastructure resources needed for direct ARM deployment. This commit restores them while keeping V3-generated Content Hub templates.

Restored Resources

Resource                      Purpose
----------------------------  ------------------------------
tacitRedApiKey parameter      Secure API key input
dataCollectionEndpoints       DCE for data ingestion
workspaces/tables             TacitRed_Findings_CL custom table
dataCollectionRules           DCR with transformKql
dataConnectors                RestApiPoller connector

UI Updates

  • Added tacitRedApiKey PasswordBox input in deployment wizard
  • Added output mapping to pass API key to mainTemplate

Configuration

  • queryWindowInMin: 86400 (60 days)
  • dataConnectorDefinitions dependency for proper CCF initialization

This ensures the solution deploys all infrastructure immediately upon ARM deployment.

Commit: be67e20


Labels

  • auto-package
  • Codeless Connector Framework (CCF) Connector
  • New Solution (for new Solutions which are new to Microsoft Sentinel)
