TFT444 · TFT444 · Jun 6, 2026 · Jun 4, 2026 · Jun 5, 2026 · Jun 5, 2026
diff --git a/solution/README.md b/solution/README.md
@@ -0,0 +1,125 @@
+# RetailShield — Microsoft Sentinel Solution Package
+
+This directory contains the deployment package for RetailShield as a Microsoft Sentinel Solution.
+
+## What's included
+
+| Component | Count | Location |
+|-----------|-------|----------|
+| Analytics rules | 13 | `sentinel/analytics-rules/` |
+| Response playbooks | 5 | `logic-apps/` |
+| Custom table schemas | 2 | `sentinel/data-connectors/` |
+| Solution orchestration template | 1 | `solution/mainTemplate.json` |
+| Azure portal UI definition | 1 | `solution/createUiDefinition.json` |
+
+## Quick deployment
+
+### Option A — Deploy everything via Azure CLI
+
+```bash
+az deployment group create \
+  --resource-group <your-resource-group> \
+  --template-file solution/mainTemplate.json \
+  --parameters \
+      workspaceName=<your-workspace-name> \
+      complianceContactEmail=security@yourorganisation.com \
+      organisationName="Your Organisation Ltd"
+```
+
+### Option B — Deploy individual components
+
+```bash
+# 1. Create custom tables first
+az deployment group create \
+  --resource-group <rg> \
+  --template-file sentinel/data-connectors/retailshield-connector.json \
+  --parameters workspaceName=<workspace>
+
+# 2. Deploy analytics rules
+for f in sentinel/analytics-rules/*.json; do
+  az deployment group create --resource-group <rg> --template-file "$f" \
+    --parameters workspaceName=<workspace>
+done
+
+# 3. Deploy playbooks
+for f in logic-apps/*/workflow.json; do
+  az deployment group create --resource-group <rg> --template-file "$f" \
+    --parameters workspaceName=<workspace>
+done
+```
+
+### Option C — Azure portal (Custom deployment)
+
+1. Navigate to **Deploy a custom template** in the Azure portal
+2. Use **Build your own template in the editor** and paste `solution/mainTemplate.json`
+3. Use the `createUiDefinition.json` for a guided wizard experience
+
+## Deployment parameters
+
+| Parameter | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `workspaceName` | Yes | — | Log Analytics workspace name |
+| `location` | No | Resource group location | Azure region |
+| `complianceContactEmail` | No | *(empty)* | Internal compliance contact email for incident-reporting playbook |
+| `organisationName` | No | `Retail Organisation` | Organisation name in compliance emails |
+| `deployAnalyticsRules` | No | `true` | Deploy all 13 analytics rules |
+| `deployPlaybooks` | No | `true` | Deploy all 5 Logic App playbooks |
+| `deployDataConnector` | No | `true` | Create custom Log Analytics tables |
+
+## Post-deployment steps
+
+After the ARM deployment completes:
+
+1. **Authorise API connections** — for each Logic App playbook in the Azure portal, open the Logic App → API Connections → Authorise each connection (azuresentinel, office365, mdfc-connection as applicable)
+
+2. **Grant Sentinel Responder role** — for each Logic App's system-assigned managed identity:
+   ```bash
+   az role assignment create \
+     --assignee <managed-identity-object-id> \
+     --role "Microsoft Sentinel Responder" \
+     --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>
+   ```
+
+3. **Create watchlists** — RetailShield rules depend on four watchlists. See `docs/deployment_guide.md` for schema and population instructions:
+   - `RetailIOCWatchlist` — threat intelligence IOCs
+   - `AbuseIPDBWatchlist` — known malicious IPs
+   - `RetailServiceAccounts` — excluded automation accounts
+   - `RetailSupplierAccounts` — supplier account UPNs
+
+4. **Create automation rules** — link each analytics rule to its recommended playbook via Sentinel → Automation → Create automation rule
+
+5. **Validate** — trigger a test incident in each severity tier and confirm the correct playbook fires
+
+## Architecture
+
+```
+RetailShield Solution
+├── Data Ingestion
+│   ├── RetailShield_POS_CL      (POS terminal events via Data Collector API)
+│   └── RetailShield_Logs_CL     (Voice fraud and device events)
+│
+├── Detection Layer (13 Scheduled Analytics Rules)
+│   ├── Critical: Data Exfiltration, Ransomware Indicator
+│   ├── High:     Phishing, POS Void/Refund, MFA Fatigue, AI Voice Fraud,
+│   │             Credential Stuffing, Gift Card Fraud, POS Anomaly,
+│   │             Privileged Role Addition, Supply Chain Anomaly
+│   └── Medium:   After-Hours Access, Supplier Impossible Travel
+│
+└── Response Layer (5 Logic App Playbooks)
+    ├── block-ip              — Block attacker IP via Defender for Endpoint
+    ├── isolate-endpoint      — Device isolation via Defender for Endpoint
+    ├── quarantine-email      — Email quarantine via Defender for Office 365
+    ├── suspend-terminal      — Disable POS terminal
+    └── incident-reporting    — UK compliance assistant (24h/72h deadlines)
+```
+
+## Data connector dependencies
+
+These Sentinel data connectors must be configured separately:
+
+| Connector | Tables | Used by rules |
+|-----------|--------|--------------|
+| Azure Active Directory | SigninLogs, AuditLogs | mfa_fatigue, credential_stuffing, after_hours_access, supplier_impossible_travel, privileged_role_addition |
+| Microsoft Defender for Endpoint | DeviceNetworkEvents, DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceLogonEvents | data_exfiltration, pos_anomaly, ransomware_indicator, after_hours_access |
+| Microsoft Defender for Office 365 | EmailAttachmentInfo, EmailEvents | phishing_detection |
+| Azure Diagnostics | AzureDiagnostics | supply_chain_anomaly |
diff --git a/solution/createUiDefinition.json b/solution/createUiDefinition.json
@@ -0,0 +1,144 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+  "handler": "Microsoft.Azure.CreateUIDef",
+  "version": "0.1.2-preview",
+  "parameters": {
+    "config": {
+      "isWizard": false,
+      "basics": {
+        "description": "**RetailShield** is a Microsoft Sentinel Solution providing retail-specific threat detection rules, automated response playbooks, and UK compliance assistance. It covers Point-of-Sale fraud, phishing, ransomware, credential attacks, supply chain threats, and more.\n\n**Version:** 1.0.0  \n**Publisher:** ShieldTech Ltd  \n**Category:** Security – Retail\n\n> After deployment, authorise the API connections for each Logic App playbook and assign the **Sentinel Responder** role to each playbook's managed identity."
+      }
+    },
+    "basics": [
+      {
+        "name": "workspaceName",
+        "type": "Microsoft.Common.TextBox",
+        "label": "Sentinel workspace name",
+        "placeholder": "my-sentinel-workspace",
+        "toolTip": "Name of the existing Log Analytics workspace where Microsoft Sentinel is enabled.",
+        "constraints": {
+          "required": true,
+          "regex": "^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]$",
+          "validationMessage": "Workspace name must be 3–63 characters, letters, numbers, and hyphens only."
+        }
+      },
+      {
+        "name": "location",
+        "type": "Microsoft.Common.TextBox",
+        "label": "Azure region",
+        "defaultValue": "uksouth",
+        "toolTip": "Azure region where the solution resources will be deployed. Must match the region of your Sentinel workspace.",
+        "constraints": {
+          "required": true
+        }
+      }
+    ],
+    "steps": [
+      {
+        "name": "playbooks",
+        "label": "Playbooks",
+        "elements": [
+          {
+            "name": "deployPlaybooks",
+            "type": "Microsoft.Common.CheckBox",
+            "label": "Deploy response playbooks (Logic Apps)",
+            "toolTip": "Deploy the five Logic App playbooks: block-ip, isolate-endpoint, quarantine-email, suspend-terminal, and incident-reporting.",
+            "defaultValue": true
+          },
+          {
+            "name": "complianceSection",
+            "type": "Microsoft.Common.Section",
+            "label": "UK Compliance Assistant",
+            "elements": [
+              {
+                "name": "complianceInfo",
+                "type": "Microsoft.Common.InfoBox",
+                "visible": "[steps('playbooks').deployPlaybooks]",
+                "options": {
+                  "icon": "Warning",
+                  "text": "The incident-reporting playbook sends draft compliance notifications to your INTERNAL security/compliance contact when a Critical incident is detected. It does NOT auto-submit reports to regulators. A human must review and submit via the ICO and NCSC portals."
+                }
+              },
+              {
+                "name": "complianceContactEmail",
+                "type": "Microsoft.Common.TextBox",
+                "label": "Compliance contact email",
+                "placeholder": "security@yourorganisation.com",
+                "toolTip": "Internal email address for compliance notifications. NOT an ICO or government address.",
+                "visible": "[steps('playbooks').deployPlaybooks]",
+                "constraints": {
+                  "required": false,
+                  "regex": "^[^@]+@[^@]+\\.[^@]+$",
+                  "validationMessage": "Enter a valid email address."
+                }
+              },
+              {
+                "name": "organisationName",
+                "type": "Microsoft.Common.TextBox",
+                "label": "Organisation name",
+                "defaultValue": "Retail Organisation",
+                "toolTip": "Your organisation name, used in compliance notification emails.",
+                "visible": "[steps('playbooks').deployPlaybooks]",
+                "constraints": {
+                  "required": false
+                }
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "name": "detection",
+        "label": "Detection Rules",
+        "elements": [
+          {
+            "name": "deployAnalyticsRules",
+            "type": "Microsoft.Common.CheckBox",
+            "label": "Deploy analytics rules (13 retail detection rules)",
+            "toolTip": "Deploy all 13 scheduled analytics rules. Requires the custom tables to be created first (handled automatically if 'Deploy data connector' is enabled).",
+            "defaultValue": true
+          },
+          {
+            "name": "rulesInfo",
+            "type": "Microsoft.Common.InfoBox",
+            "visible": "[steps('detection').deployAnalyticsRules]",
+            "options": {
+              "icon": "Info",
+              "text": "Rules deployed: Phishing Detection, POS Void/Refund Fraud, MFA Fatigue, Data Exfiltration, AI Voice Fraud, Credential Stuffing, After-Hours Access, Gift Card Fraud, POS Anomaly, Ransomware Indicator, Supply Chain Anomaly, Supplier Impossible Travel, Privileged Role Addition."
+            }
+          },
+          {
+            "name": "deployDataConnector",
+            "type": "Microsoft.Common.CheckBox",
+            "label": "Create custom Log Analytics tables (RetailShield_POS_CL and RetailShield_Logs_CL)",
+            "toolTip": "Creates the custom table schemas required by POS and voice fraud detection rules. Disable if tables already exist.",
+            "defaultValue": true
+          }
+        ]
+      },
+      {
+        "name": "prerequisites",
+        "label": "Pre-deployment checklist",
+        "elements": [
+          {
+            "name": "prereqInfo",
+            "type": "Microsoft.Common.InfoBox",
+            "options": {
+              "icon": "Warning",
+              "text": "Before deploying, ensure the following are in place:\n\n1. Microsoft Sentinel is enabled on the target workspace\n2. The following data connectors are configured: Azure Active Directory, Microsoft Defender for Endpoint, Microsoft Defender for Office 365\n3. The following watchlists exist (or will be created manually): RetailIOCWatchlist, AbuseIPDBWatchlist, RetailServiceAccounts, RetailSupplierAccounts, RetailApprovedSenders\n4. After deployment, grant 'Sentinel Responder' role to each Logic App's managed identity\n5. After deployment, authorise the azuresentinel and office365 API connections in each Logic App"
+            }
+          }
+        ]
+      }
+    ],
+    "outputs": {
+      "workspaceName": "[basics('workspaceName')]",
+      "location": "[basics('location')]",
+      "deployPlaybooks": "[steps('playbooks').deployPlaybooks]",
+      "complianceContactEmail": "[steps('playbooks').complianceSection.complianceContactEmail]",
+      "organisationName": "[steps('playbooks').complianceSection.organisationName]",
+      "deployAnalyticsRules": "[steps('detection').deployAnalyticsRules]",
+      "deployDataConnector": "[steps('detection').deployDataConnector]"
+    }
+  }
+}