What Changed
TacitRed-SentinelOne v3.0.2 fixes a critical bug present since v1.0.0: the SentinelOne_BaseUrl parameter had a hardcoded defaultValue of https://usea1-001.sentinelone.net, which is a non-existent placeholder URL.
Security Impact (Visibility & Fidelity)
This was a complete connector failure scenario. Any customer deploying the TacitRed-SentinelOne solution from Content Hub without explicitly changing the BaseUrl parameter would experience:
- Connection timeout on every playbook run
- The “Post IOC to SentinelOne” step fails with a host unreachable error
- Zero threat intelligence indicators pushed to SentinelOne for automated response
- Complete loss of IOC automation capability
Per PR discussion: curl https://usea1-001.sentinelone.net returns HTTP 000 (no server at this address), confirming the URL never existed. Real SentinelOne console URLs like usea1-021, usea1-022, usea1-050 return HTTP 200.
Technical Details
Root cause: The hardcoded defaultValue was set from the initial commit (Dec 8, 2025) and persisted through all subsequent versions. Every SentinelOne customer receives their own unique management console subdomain at sign-up — the hardcoded usea1-001 subdomain was never a valid endpoint.
Changes made:
- mainTemplate.json: Cleared defaultValue for SentinelOne_BaseUrl to an empty string
- Updated parameter description with guidance: “SentinelOne Console URL (e.g. https://usea1-021.sentinelone.net) — find this in your browser address bar when logged into SentinelOne”
- createUiDefinition.json: Updated placeholder from usea1-001 to YOUR-CONSOLE
- Rebuilt package with corrected templates
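A pre-release check for this class of bug, as an added example (not code from the TacitRed-SentinelOne repository): it flags for review any string parameter in an ARM template whose defaultValue pins a concrete http(s) host. The two template fragments are constructed from the description above, and the PlaybookName parameter and its value are assumptions for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed ARM template fragments (not the project's real files): the
# parameter as described for versions before 3.0.2, and after the fix.
BEFORE = json.loads("""
{"parameters": {
  "SentinelOne_BaseUrl": {"type": "string",
    "defaultValue": "https://usea1-001.sentinelone.net"},
  "PlaybookName": {"type": "string", "defaultValue": "example-playbook"}
}}
""")
AFTER = json.loads("""
{"parameters": {
  "SentinelOne_BaseUrl": {"type": "string", "defaultValue": ""},
  "PlaybookName": {"type": "string", "defaultValue": "example-playbook"}
}}
""")


def hardcoded_endpoint_defaults(template):
    """Return (parameter name, host) for each string parameter whose
    defaultValue is an absolute http(s) URL with a concrete host."""
    findings = []
    for name, spec in template.get("parameters", {}).items():
        default = spec.get("defaultValue")
        if spec.get("type", "").lower() != "string" or not isinstance(default, str):
            continue
        if default.startswith("["):  # ARM template expression, resolved at deploy time
            continue
        url = urlparse(default.strip())
        if url.scheme in ("http", "https") and url.hostname:
            findings.append((name, url.hostname))
    return findings


def lint(template):
    """Exit-code style result: 0 when clean, 1 when any default is flagged."""
    findings = hardcoded_endpoint_defaults(template)
    for name, host in findings:
        print(f"{name}: defaultValue pins host {host}; leave it empty so "
              "the deployer must supply their own console URL")
    return 1 if findings else 0


if __name__ == "__main__":
    print("before:", lint(BEFORE))
    print("after:", lint(AFTER))
```

A default that points at a genuinely shared public endpoint will also be flagged, so treat a finding as a prompt to confirm the URL is valid for every deployer rather than as an automatic failure.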
Affected Files
(packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_TacitRedSentinelOneAutomation.json, mainTemplate.json)