What Changed
TacitRed SentinelOne v3.0.3 fixes a critical API integration failure in the IOC automation playbook. The Post_IOC_to_SentinelOne HTTP action was missing the required filter.accountIds field, causing the SentinelOne /web/api/v2.1/threat-intelligence/iocs endpoint to return HTTP 500 errors on every playbook execution.
Security Impact (Visibility & Fidelity)
Deployments running any version prior to 3.0.3 have had complete IOC automation failure since installation. The playbook appeared to execute successfully in Microsoft Sentinel but failed silently at the SentinelOne API level — zero threat indicators were actually ingested into SentinelOne for automated threat response.
Per PR testing: without accountIds the endpoint returned HTTP 500; with accountIds it returned HTTP 200. This confirms the API requirement is enforced server-side and that all prior versions were non-functional.
Fix Details
- Added filter: { accountIds: [parameters('SentinelOne_AccountId')] } to the POST request body
- Added SentinelOne_AccountId parameter to deployment template
- Testing confirmed TacitRed IOCs now successfully ingest into SentinelOne after the fix
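The following is an added example, not code from the TacitRed solution or from SentinelOne, showing the difference between the pre-3.0.3 request body (no filter object) and the fixed body (filter.accountIds populated), plus a pre-flight check a playbook author can run before posting. It assumes the request shape of the SentinelOne endpoint named above: a JSON body with a "filter" object and a "data" list of indicators; the indicator field names ("value", "type", "source", "method", "validUntil"), the type names and the sample IOC values are assumptions and constructed samples, not values from the release notes.

```python
"""Build and validate the SentinelOne IOC ingestion request body.

Added example; not code from the TacitRed solution or from SentinelOne.
Assumes a POST to /web/api/v2.1/threat-intelligence/iocs whose JSON body
carries a "filter" object (with "accountIds") and a "data" list of
indicators. The per-indicator field names and the sample values below
are assumptions / constructed samples, not taken from the release notes.
"""
from datetime import datetime, timedelta, timezone

IOC_ENDPOINT = "/web/api/v2.1/threat-intelligence/iocs"  # from the release notes


def _indicators(iocs, valid_days):
    """Turn simple {value, type} dicts into the (assumed) SentinelOne indicator shape."""
    valid_until = (datetime.now(timezone.utc) + timedelta(days=valid_days)).isoformat()
    return [
        {
            "value": ioc["value"],
            "type": ioc["type"],       # assumed type enum names, e.g. IPV4 / DNS
            "source": "TacitRed",
            "method": "EQUALS",        # assumed matching method
            "validUntil": valid_until,
        }
        for ioc in iocs
    ]


def build_ioc_request(account_id, iocs, valid_days=30):
    """v3.0.3-style body: filter.accountIds is always present and non-empty."""
    if not account_id or not str(account_id).strip():
        raise ValueError("SentinelOne_AccountId must be set")
    return {
        "filter": {"accountIds": [str(account_id)]},
        "data": _indicators(iocs, valid_days),
    }


def build_legacy_request(iocs, valid_days=30):
    """Pre-3.0.3 shape for comparison: same data, no filter (HTTP 500 per the release notes)."""
    return {"data": _indicators(iocs, valid_days)}


def missing_account_filter(body):
    """Pre-flight check. Returns a list of problems; an empty list means the
    body satisfies the accountIds requirement this release fixes."""
    problems = []
    filt = body.get("filter")
    if not isinstance(filt, dict):
        problems.append("filter object missing")
        return problems
    ids = filt.get("accountIds")
    if not isinstance(ids, list) or not ids:
        problems.append("filter.accountIds missing or empty")
    elif any(not isinstance(i, str) or not i.strip() for i in ids):
        problems.append("filter.accountIds contains a blank or non-string id")
    if not body.get("data"):
        problems.append("data list is empty")
    return problems


# Constructed sample indicators (documentation-range IP, reserved TLD).
SAMPLE_IOCS = [
    {"value": "203.0.113.7", "type": "IPV4"},
    {"value": "example-malicious.invalid", "type": "DNS"},
]

if __name__ == "__main__":
    fixed = build_ioc_request("ACCOUNT_ID_PLACEHOLDER", SAMPLE_IOCS)
    legacy = build_legacy_request(SAMPLE_IOCS)
    print("POST", IOC_ENDPOINT)
    print("fixed body problems: ", missing_account_filter(fixed))
    print("legacy body problems:", missing_account_filter(legacy))
```

Running the check against the body before the HTTP action is one way to turn the silent failure described above into a visible one: an empty problem list means the body carries filter.accountIds, while the legacy shape is rejected locally instead of producing an HTTP 500 that Sentinel reports as a successful run.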
Organizations using this solution should upgrade immediately to restore IOC automation functionality.
Affected Files
(packaging artefacts: 3.0.3.zip, ReleaseNotes.md, Solution_TacitRedSentinelOneAutomation.json, mainTemplate.json)