What Changed
TacitRed-Defender-ThreatIntelligence bumped from v3.0.1 to v3.0.2 with fixes to the FunctionApp ARM template (Playbooks/TacitRedDefenderTI_FunctionApp/azuredeploy.json) and the packaged mainTemplate.json.
Security Impact (Visibility & Fidelity)
Deployment was completely broken for any workspace with a hyphen in its name. The FunctionApp inner template used a non-standard parameters(workspace) reference inside resourceId() calls. When the workspace name contained hyphens (e.g., Sentinel-Defender-Prod-7), ARM evaluated the expression as arithmetic subtraction – Sentinel minus Defender minus Prod minus 7 – producing an InvalidTemplate error and aborting the entire Content Hub installation. No other Sentinel solution uses this pattern; the standard is the workspace-name variable resolved at install time.
Affected environments: any operator who attempted to install TacitRed Defender TI from Content Hub on a workspace with a hyphenated name received a hard deployment failure. The Threat Intelligence sync Function App was never deployed, meaning no TacitRed compromised credential indicators were flowing to Microsoft Defender Threat Intelligence.
Fixes applied:
- SENTINEL_WORKSPACE_ID app setting: changed from parameters(workspace) to variables(workspaceResourceId) – the workspaceResourceId variable is now correctly built via resourceId() at template evaluation time, not passed as a raw string through a parameter
- Storage endpoint: AzureWebJobsStorage connection string previously hardcoded EndpointSuffix=core.windows.net; now uses environment().suffixes.storage – fixes deployments in Azure Government and other sovereign clouds where the storage endpoint differs
- Microsoft.Storage/storageAccounts API version: updated from 2023-05-01 to 2025-06-01 (ARM-TTK compliance)
- Application Insights: WorkspaceResourceId property added, binding the appi- resource to the target Log Analytics workspace rather than creating an orphaned Classic Application Insights resource
- Location parameterized: all resources (storage, hosting plan, App Insights, Function App) now use a location parameter defaulting to resourceGroup().location, enabling standalone deployments to resolve a valid region
- allowSharedKeyAccess: true set on the storage account to satisfy the AzureWebJobsStorage shared-key connection string requirement (previous template omitted this, causing RequestDisallowedByPolicy failures in tenants with restrictive storage policies)
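A pre-deployment check for three of the patterns listed above (a literal location, an Application Insights resource without WorkspaceResourceId, and a hardcoded core.windows.net storage suffix). This is an added example, not part of the solution's own code; the rule names, the walk and lint helpers and the sample template are constructed for illustration.

```python
import json

def walk(node):
    """Yield every dict in a parsed template, nested deployments included."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from walk(item)

def lint(template):
    """Return sorted (rule, resource name) findings for patterns fixed in 3.0.2."""
    findings = set()
    for res in walk(template):
        rtype = str(res.get("type", "")).lower()
        if "apiVersion" not in res or rtype in ("", "microsoft.resources/deployments"):
            continue  # not a resource, or a wrapper whose children are walked anyway
        name, props = res.get("name", "?"), res.get("properties") or {}
        loc = res.get("location")
        if isinstance(loc, str) and not loc.startswith("["):  # literal region
            findings.add(("literal-location", name))
        if rtype == "microsoft.insights/components" and not any(
                k.lower() == "workspaceresourceid" for k in props):
            findings.add(("appinsights-no-workspace", name))
        if "EndpointSuffix=core.windows.net" in json.dumps(props):  # public cloud only
            findings.add(("hardcoded-storage-suffix", name))
    return sorted(findings)

# Constructed sample (not the project's template) in the nested-deployment shape.
SAMPLE = {"resources": [{
    "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01",
    "name": "inner", "properties": {"template": {"resources": [
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-05-01",
         "name": "stexample", "location": "eastus", "properties": {}},
        {"type": "Microsoft.Insights/components", "apiVersion": "2020-02-02",
         "name": "appi-old", "location": "[parameters('location')]",
         "properties": {"Application_Type": "web"}},
        {"type": "Microsoft.Insights/components", "apiVersion": "2020-02-02",
         "name": "appi-new", "location": "[parameters('location')]",
         "properties": {"WorkspaceResourceId": "[variables('workspaceResourceId')]"}},
        {"type": "Microsoft.Web/sites", "apiVersion": "2022-09-01",
         "name": "func-example", "location": "[parameters('location')]",
         "properties": {"siteConfig": {"appSettings": [{
             "name": "AzureWebJobsStorage",
             "value": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net"}]}}},
    ]}}}]}

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

To check a real file, pass the parsed JSON of azuredeploy.json or mainTemplate.json to lint(); an empty list means none of the three patterns is present.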
Post-deployment RBAC now documented:
The README and azuredeploy.json postDeployment steps now explicitly require assigning Storage Blob Data Owner to the Function App managed identity on the deployed storage account – this was previously missing and would cause the Function App to fail at runtime even after a successful deployment.
No changes to detection logic, ingestion pipelines, or Threat Intelligence indicator schema.
Affected Files
Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/Images/deployments-list.png
Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/Images/functionapp-deploy-success.png
Solutions/TacitRed-Defender-ThreatIntelligence/Playbooks/TacitRedDefenderTI_FunctionApp/azuredeploy.json
Solutions/TacitRed-Defender-ThreatIntelligence/README.md
(packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_TacitRedDefenderThreatIntelligence.json, mainTemplate.json)