What Changed
TacitRed-SentinelOne solution v3.0.1 addresses critical deployment failures affecting Content Hub installations:
- Fixed InvalidResourceLocation error by removing non-standard location parameter from ARM template
- Fixed metadata resource naming using incorrect double-bracket syntax
- Removed restrictive domain filter that limited IOC retrieval scope
Deployment Template Fixes
ARM Template Standardization:
- Before: Used non-standard location parameter causing Content Hub deployment failures
- After: Aligned with the workspace-location-inline variable pattern used by 489/492 Sentinel solutions
- Metadata naming: Changed double-bracket to single-bracket syntax, matching 481/482 solutions
Security Impact (IOC Automation)
This was a complete solution deployment blocker:
- Pre-fix: TacitRed-SentinelOne solution failed to deploy from Content Hub due to ARM template errors
- Post-fix: Solution deploys successfully, enabling IOC automation between TacitRed threat intelligence and SentinelOne
IOC Retrieval Enhancement:
- Removed forced domain filter: Previously, a hardcoded domains parameter limited IOC scope
- Full threat intelligence access: Playbook now retrieves all available TacitRed compromised-credential IOCs
- Default 7-day lookback: Maintains recent IOC focus while removing artificial domain restrictions
The domain filter removal significantly improves threat intelligence coverage by allowing organizations to consume the complete TacitRed IOC feed rather than being restricted to pre-specified domains.
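A pre-deployment lint for the three defects listed above, as an added example rather than code from the TacitRed-SentinelOne solution. It assumes the offending parameter is named `location`, the filter is a `domains` key under an HTTP action's `queries`, and metadata resources have a type ending in `/metadata`; the sample template is constructed.

```python
import copy

def dicts(node, path="$"):
    """Yield (json_path, dict) for every object nested anywhere in the template."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from dicts(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from dicts(value, f"{path}[{i}]")

def lint(template):
    """Return (rule, json_path) findings for the three defects named in these notes."""
    findings = []
    if "location" in template.get("parameters", {}):  # assumed parameter name
        findings.append(("location-parameter", "$.parameters.location"))
    for path, obj in dicts(template):
        rtype, name = str(obj.get("type", "")), obj.get("name")
        # ARM treats a value starting with "[[" as a literal string, not an expression.
        # Nested templates that escape on purpose would need an allowlist here.
        if rtype.lower().endswith("/metadata") and isinstance(name, str) and name.startswith("[["):
            findings.append(("escaped-metadata-name", f"{path}.name"))
        queries = obj.get("queries")
        if isinstance(queries, dict) and "domains" in queries:  # assumed query key
            findings.append(("hardcoded-domains-filter", f"{path}.queries.domains"))
    return findings

# Constructed pre-fix sample; names, URI and values are illustrative, not the real template.
PRE_FIX = {
    "parameters": {"workspace": {"type": "string"}, "location": {"type": "string"}},
    "resources": [
        {"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
         "name": "[[concat(parameters('workspace'), '/Microsoft.SecurityInsights/example')]"},
        {"type": "Microsoft.Logic/workflows", "name": "example-playbook",
         "properties": {"definition": {"actions": {"Get_IOCs": {
             "type": "Http",
             "inputs": {"method": "GET", "uri": "https://api.example.invalid/findings",
                        "queries": {"domains": "example.com", "days": "7"}}}}}}},
    ],
}

# The same sample with the three fixes applied.
POST_FIX = copy.deepcopy(PRE_FIX)
del POST_FIX["parameters"]["location"]
POST_FIX["resources"][0]["name"] = POST_FIX["resources"][0]["name"][1:]
del POST_FIX["resources"][1]["properties"]["definition"]["actions"]["Get_IOCs"]["inputs"]["queries"]["domains"]

if __name__ == "__main__":
    for rule, path in lint(PRE_FIX):
        print(f"{rule}: {path}")
```

Run against a parsed `mainTemplate.json` or playbook JSON in CI, a non-empty result flags a regression before the package reaches Content Hub.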
Affected Files
Solutions/TacitRed-SentinelOne/Playbooks/TacitRedToSentinelOne_Playbook.json
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, mainTemplate.json)