diff --git a/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml
new file mode 100644
index 00000000000..929e07e61b2
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml
@@ -0,0 +1,63 @@
+id: c3d4e5f6-a7b8-9012-cdef-123456789012
+name: Vaikora - Agent policy violation
+description: |
+ Identifies AI agent actions explicitly blocked by a Vaikora policy. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised workflow.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: VaikoraSentinel
+ dataTypes:
+ - Vaikora_AgentSignals_CL
+queryFrequency: 15m
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+ - DefenseEvasion
+relevantTechniques:
+ - T1078
+ - T1562
+query: |
+ Vaikora_AgentSignals_CL
+ | where TimeGenerated > ago(1h)
+ | where policy_decision_s == "block"
+ | summarize
+ ViolationCount = count(),
+ PolicyIds = make_set(policy_id_s),
+ ActionTypes = make_set(action_type_s),
+ ResourceTypes = make_set(resource_type_s),
+ MaxRiskScore = max(risk_score_d),
+ Severities = make_set(severity_s),
+ LogHashes = make_set(log_hash_s)
+ by AgentId = agent_id_s
+ | extend
+ PolicyList = strcat_array(PolicyIds, ", "),
+ ActionList = strcat_array(ActionTypes, ", "),
+ ResourceList = strcat_array(ResourceTypes, ", ")
+ | where ViolationCount >= 1
+suppressionDuration: 15m
+suppressionEnabled: false
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1h
+ matchingMethod: Selected
+ groupByEntities:
+ - Account
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+customDetails:
+ ViolationCount: ViolationCount
+ PolicyIds: PolicyList
+ ActionTypes: ActionList
+ MaxRiskScore: MaxRiskScore
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AgentId
+version: 1.0.0
+kind: Scheduled
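Review bot: The closing `| where ViolationCount >= 1` is a no-op — `count()` after `summarize` is never below 1 — so the rule fires on a single blocked action even though the description reasons about repeated violations; either set a real threshold (`| where ViolationCount >= 3`) or reword the description so analysts know one block is enough. With `queryFrequency: 15m` over `queryPeriod: 1h` and `suppressionEnabled: false`, the same blocked action is re-evaluated by up to four consecutive runs; Account-based incident grouping will collapse the resulting alerts, but each run still raises a new one, so aligning the frequency with the period (or enabling suppression) would remove the noise. `Severities` and `LogHashes` are computed but exposed neither in `customDetails` nor in the entity mapping; `LogHashes` in particular looks like the evidence an analyst would want on the alert, so either surface them or drop the two aggregates. Mapping `agent_id_s` to `Account.Name` is a reasonable stand-in for grouping, but the UUID will render as an account in the entity pane — a sentence in the description saying the "account" is a Vaikora agent ID would save confusion.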
diff --git a/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml
new file mode 100644
index 00000000000..7b325d8ac7c
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml
@@ -0,0 +1,61 @@
+id: b2c3d4e5-f6a7-8901-bcde-f12345678901
+name: Vaikora - Behavioral anomaly detected
+description: |
+ Identifies AI agent behavioral anomalies flagged by Vaikora with an anomaly score of 0.7 or above, indicating significant deviation from the agent's established behavioral baseline.
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: VaikoraSentinel
+ dataTypes:
+ - Vaikora_AgentSignals_CL
+queryFrequency: 30m
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - DefenseEvasion
+ - Execution
+relevantTechniques:
+ - T1059
+ - T1027
+query: |
+ Vaikora_AgentSignals_CL
+ | where TimeGenerated > ago(1h)
+ | where is_anomaly_b == true
+ | where anomaly_score_d >= 0.7
+ | summarize
+ AnomalyCount = count(),
+ MaxAnomalyScore = max(anomaly_score_d),
+ AvgAnomalyScore = avg(anomaly_score_d),
+ AnomalyReasons = make_set(anomaly_reason_s),
+ ActionTypes = make_set(action_type_s)
+ by AgentId = agent_id_s, Severity = severity_s
+ | extend
+ ReasonList = strcat_array(AnomalyReasons, "; "),
+ ActionList = strcat_array(ActionTypes, ", ")
+suppressionDuration: 30m
+suppressionEnabled: false
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1h
+ matchingMethod: Selected
+ groupByEntities:
+ - Account
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+customDetails:
+ MaxAnomalyScore: MaxAnomalyScore
+ AvgAnomalyScore: AvgAnomalyScore
+ AnomalyCount: AnomalyCount
+ AnomalyReasons: ReasonList
+ ActionTypes: ActionList
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AgentId
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml
new file mode 100644
index 00000000000..98f67022453
--- /dev/null
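Review bot: The `summarize ... by AgentId = agent_id_s, Severity = severity_s` clause splits one agent's anomalies into a separate alert per severity value, yet `Severity` is carried nowhere afterwards — not in `customDetails`, not in the entity mapping — so the split only multiplies alerts; drop it from the `by` and aggregate it instead, e.g. `Severities = make_set(severity_s)`, then expose that in `customDetails`. Requiring both `is_anomaly_b == true` and `anomaly_score_d >= 0.7` means a record whose `is_anomaly` did not survive `tobool()` in the DCR transform is silently skipped even at a high score; if the score is authoritative, `anomaly_score_d >= 0.7` alone is the safer predicate — worth confirming against Vaikora's semantics. As with the policy-violation rule, `queryFrequency: 30m` over a 1h `queryPeriod` with suppression off re-raises the same events on the next run.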
+++ b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml
@@ -0,0 +1,64 @@
+id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
+name: Vaikora - High risk AI agent action detected
+description: |
+ Identifies high-risk AI agent actions from Vaikora where the risk score is 75 or above and severity is high or critical. These events may indicate an agent operating outside safe parameters or triggering policy thresholds.
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: VaikoraSentinel
+ dataTypes:
+ - Vaikora_AgentSignals_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+ - Execution
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1059
+ - T1078
+ - T1548
+query: |
+ Vaikora_AgentSignals_CL
+ | where TimeGenerated > ago(1h)
+ | where risk_score_d >= 75
+ | where severity_s in ("high", "critical")
+ | summarize
+ ActionCount = count(),
+ MaxRiskScore = max(risk_score_d),
+ Actions = make_set(action_type_s),
+ PolicyDecisions = make_set(policy_decision_s),
+ ResourceTypes = make_set(resource_type_s)
+ by AgentId = agent_id_s, RiskLevel = risk_level_s, Severity = severity_s
+ | extend
+ ActionList = strcat_array(Actions, ", "),
+ PolicyList = strcat_array(PolicyDecisions, ", "),
+ ResourceList = strcat_array(ResourceTypes, ", ")
+suppressionDuration: 1h
+suppressionEnabled: false
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1h
+ matchingMethod: Selected
+ groupByEntities:
+ - Account
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+customDetails:
+ MaxRiskScore: MaxRiskScore
+ ActionCount: ActionCount
+ Actions: ActionList
+ PolicyDecisions: PolicyList
+ ResourceTypes: ResourceList
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AgentId
+version: 1.0.0
+kind: Scheduled
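Review bot: `| where severity_s in ("high", "critical")` is case-sensitive and the DCR passes the value through `tostring()` unchanged, so if Vaikora ever emits `High`/`Critical` this High-severity rule goes silent; `| where severity_s in~ ("high", "critical")` removes that dependency at no cost. The `by AgentId = agent_id_s, RiskLevel = risk_level_s, Severity = severity_s` grouping yields up to one alert per (agent, risk level, severity) combination in the window, and `RiskLevel` then appears in neither `customDetails` nor the entity mapping — aggregate those two with `make_set()` and surface them instead of grouping on them. `PrivilegeEscalation`/T1548 is not something the query can establish — it matches any action type above the score threshold — so the tactic list is broader than the data supports; consider limiting it to what a risk-score threshold actually evidences.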
diff --git a/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json
new file mode 100644
index 00000000000..56f1f7fc4c0
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json
@@ -0,0 +1,107 @@
+{
+ "name": "VaikoraSentinel",
+ "apiVersion": "2025-09-01",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "VaikoraSentinel",
+ "connectorId": "VaikoraSentinel",
+ "title": "Vaikora AI Agent Behavioral Signals",
+ "publisher": "Data443 Risk Mitigation, Inc.",
+ "descriptionMarkdown": "Ingest AI agent behavioral signals from the Vaikora API into Microsoft Sentinel using the Codeless Connector Framework (CCF). Monitor agent actions, policy decisions, anomaly scores, and risk levels to detect suspicious AI activity in your environment.",
+ "graphQueriesTableName": "Vaikora_AgentSignals_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total Vaikora agent signals received",
+ "legend": "Vaikora Agent Signals",
+ "baseQuery": "Vaikora_AgentSignals_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "High-risk agent actions (last 24 hours)",
+ "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(24h) | where risk_score_d >= 75 | project TimeGenerated, agent_id_s, action_type_s, severity_s, policy_decision_s, risk_score_d, anomaly_score_d"
+ },
+ {
+ "description": "Anomalous agent behavior (last 7 days)",
+ "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(7d) | where is_anomaly_b == true | summarize AnomalyCount=count(), AvgAnomalyScore=avg(anomaly_score_d) by agent_id_s, action_type_s | order by AnomalyCount desc"
+ },
+ {
+ "description": "Blocked policy decisions (last 48 hours)",
+ "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(48h) | where policy_decision_s == 'block' | project TimeGenerated, agent_id_s, action_type_s, resource_type_s, policy_id_s, log_hash_s"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Vaikora_AgentSignals_CL",
+ "lastDataReceivedQuery": "Vaikora_AgentSignals_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "status": "Available",
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": false
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Vaikora API Key",
+ "description": "A Vaikora API key (vk_xxxxx) with read access to the actions endpoint. Obtain this from your Vaikora dashboard under Settings > API Keys."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Connect Vaikora AI Agent Behavioral Signals",
+ "description": "To enable the Vaikora connector, provide your Vaikora API key and the agent ID you want to monitor, then click Connect.\n\nYour API key is available in the [Vaikora dashboard](https://app.vaikora.com) under **Settings > API Keys**. The agent ID is the UUID shown on your agent's detail page.",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Vaikora API Key",
+ "placeholder": "vk_xxxxxxxxxxxxxxxxxxxxxxxx",
+ "type": "password",
+ "name": "vaikoraApiKey"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Vaikora Agent ID",
+ "placeholder": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "type": "text",
+ "name": "vaikoraAgentId"
+ }
+ },
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "Connect",
+ "name": "connect"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
diff --git a/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_DCR.json b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_DCR.json
new file mode 100644
index 00000000000..fcacf1d5079
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_DCR.json
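Review bot: The connector accepts exactly one `vaikoraAgentId`, so each connection monitors a single agent and a tenant with several agents needs one connection per agent; the `instructionSteps` description should say this explicitly, e.g. append `Each connection monitors one agent; add a connection per agent you want covered.` — otherwise operators will assume tenant-wide coverage. The `customs` text asking for a key with read access to the actions endpoint is the right least-privilege scope; it would help to add in the same sentence that the key should be dedicated to this integration so it can be rotated or revoked independently of other consumers. The `"type": "password"` textbox for the key is correct and, paired with the `securestring` parameter in mainTemplate.json, is what keeps the key out of deployment history.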
@@ -0,0 +1,50 @@
+{
+ "name": "dcr-vaikora-agent-signals",
+ "apiVersion": "2024-03-11",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "properties": {
+ "dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
+ "streamDeclarations": {
+ "Custom-Vaikora_AgentSignals_CL": {
+ "columns": [
+ { "name": "TimeGenerated", "type": "datetime" },
+ { "name": "payload", "type": "dynamic" },
+ { "name": "timestamp", "type": "datetime" },
+ { "name": "action_type_s", "type": "string" },
+ { "name": "agent_id_s", "type": "string" },
+ { "name": "status_s", "type": "string" },
+ { "name": "severity_s", "type": "string" },
+ { "name": "policy_decision_s", "type": "string" },
+ { "name": "policy_id_s", "type": "string" },
+ { "name": "risk_score_d", "type": "int" },
+ { "name": "risk_level_s", "type": "string" },
+ { "name": "is_anomaly_b", "type": "boolean" },
+ { "name": "anomaly_score_d", "type": "real" },
+ { "name": "anomaly_reason_s", "type": "string" },
+ { "name": "threat_detected_b", "type": "boolean" },
+ { "name": "threat_score_d", "type": "int" },
+ { "name": "log_hash_s", "type": "string" },
+ { "name": "resource_type_s", "type": "string" },
+ { "name": "action_id_s", "type": "string" }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [ "Custom-Vaikora_AgentSignals_CL" ],
+ "destinations": [ "clv2ws1" ],
+ "transformKql": "source | extend p=todynamic(payload) | extend TimeGenerated=todatetime(timestamp), action_type_s=tostring(p.action_type), agent_id_s=tostring(p.agent_id), status_s=tostring(p.status), severity_s=tostring(p.severity), policy_decision_s=tostring(p.policy_decision), policy_id_s=tostring(p.policy_id), risk_score_d=toint(p.risk_score), risk_level_s=tostring(p.risk_level), is_anomaly_b=tobool(p.is_anomaly), anomaly_score_d=toreal(p.anomaly_score), anomaly_reason_s=tostring(p.anomaly_reason), threat_detected_b=tobool(p.threat_detected), threat_score_d=toint(p.threat_score), log_hash_s=tostring(p.log_hash), resource_type_s=tostring(p.resource_type), action_id_s=tostring(p.id) | project TimeGenerated, action_type_s, agent_id_s, status_s, severity_s, policy_decision_s, policy_id_s, risk_score_d, risk_level_s, is_anomaly_b, anomaly_score_d, anomaly_reason_s, threat_detected_b, threat_score_d, log_hash_s, resource_type_s, action_id_s",
+ "outputStream": "Custom-Vaikora_AgentSignals_CL"
+ }
+ ]
+ }
+}
diff --git a/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_PollerConfig.json b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_PollerConfig.json
new file mode 100644
index 00000000000..0f1b824cba4
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_PollerConfig.json
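Review bot: `TimeGenerated=todatetime(timestamp)` takes the event's own clock with no fallback, so a record whose `timestamp` is absent or unparsable ends up with a null `TimeGenerated`, and since all three analytics rules filter on `TimeGenerated > ago(1h)` such records are never evaluated; `TimeGenerated=coalesce(todatetime(timestamp), now())` keeps them visible. Using the source timestamp also means an event the poller retrieves more than an hour after it occurred (the poller requests a 360-minute window) is already outside every rule's window when it lands — this should be spelled out in the connector description so the rules' `queryPeriod` is sized accordingly. `risk_score_d` and `threat_score_d` are declared `int` and converted with `toint()`, which truncates a fractional score, while `anomaly_score_d` is `real` and the `_d` suffix conventionally denotes a double; if the Vaikora API returns integers this is fine but the suffix should match the type, and if it can return decimals the columns need `real`/`toreal()`. The stream also assumes each action arrives with top-level `payload` and `timestamp` fields — presumably the Vaikora response shape, worth confirming against the API.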
@@ -0,0 +1,54 @@
+[
+ {
+ "name": "VaikoraAgentSignals",
+ "apiVersion": "2025-09-01",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "VaikoraSentinel",
+ "dataType": "Vaikora_AgentSignals_CL",
+ "dcrConfig": {
+ "streamName": "Custom-Vaikora_AgentSignals_CL",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{vaikoraDcrImmutableId}}"
+ },
+ "auth": {
+ "type": "APIKey",
+ "ApiKeyName": "X-API-Key",
+ "ApiKey": "{{vaikoraApiKey}}"
+ },
+ "request": {
+ "apiEndpoint": "https://api.vaikora.com/api/v1/actions",
+ "httpMethod": "GET",
+ "queryParameters": {
+ "agent_id": "{{vaikoraAgentId}}",
+ "per_page": 100,
+ "page": 1
+ },
+ "queryWindowInMin": 360,
+ "rateLimitQps": 1,
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Microsoft-Sentinel-Vaikora/1.0"
+ }
+ },
+ "paging": {
+ "pagingType": "PageNumber",
+ "pageSize": 100,
+ "pageSizeParaName": "per_page",
+ "pageNumberParaName": "page",
+ "pageNumberStart": 1,
+ "hasNextPageFilter": "$.actions | length > 0"
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.actions"
+ ],
+ "format": "json"
+ }
+ }
+ }
+]
diff --git a/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_Table.json b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_Table.json
new file mode 100644
index 00000000000..db016bfccb2
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_Table.json
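Review bot: The request has no time-window parameters — `queryParameters` holds only `agent_id`, `per_page` and `page`, and none of the CCF window placeholders (`{_QueryWindowStartTime}`/`{_QueryWindowEndTime}`) appear — so `queryWindowInMin: 360` binds to nothing and every poll walks `/api/v1/actions` from page 1 until `$.actions` comes back empty. Unless the API only ever returns unseen actions, that re-ingests the same records every run, inflating `ViolationCount`/`AnomalyCount` in the analytics rules and paying ingestion for duplicate rows. If the endpoint supports a since/after filter, pass the window start through it (the poller's `startTimeAttributeName`/`queryTimeFormat` settings exist for this, if I recall the schema correctly); if it does not, the rules should at least dedupe with `| summarize arg_max(TimeGenerated, *) by action_id_s`. `hasNextPageFilter` is also unbounded, so an API that ignores `page` would be paged forever at `rateLimitQps: 1`; a page-count cap, if the framework offers one, would contain that.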
@@ -0,0 +1,33 @@
+{
+ "name": "Vaikora_AgentSignals_CL",
+ "apiVersion": "2025-07-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "{{location}}",
+ "properties": {
+ "retentionInDays": 30,
+ "totalRetentionInDays": 90,
+ "plan": "Analytics",
+ "schema": {
+ "name": "Vaikora_AgentSignals_CL",
+ "columns": [
+ { "name": "TimeGenerated", "type": "datetime" },
+ { "name": "action_type_s", "type": "string" },
+ { "name": "agent_id_s", "type": "string" },
+ { "name": "status_s", "type": "string" },
+ { "name": "severity_s", "type": "string" },
+ { "name": "policy_decision_s", "type": "string" },
+ { "name": "policy_id_s", "type": "string" },
+ { "name": "risk_score_d", "type": "int" },
+ { "name": "risk_level_s", "type": "string" },
+ { "name": "is_anomaly_b", "type": "boolean" },
+ { "name": "anomaly_score_d", "type": "real" },
+ { "name": "anomaly_reason_s", "type": "string" },
+ { "name": "threat_detected_b", "type": "boolean" },
+ { "name": "threat_score_d", "type": "int" },
+ { "name": "log_hash_s", "type": "string" },
+ { "name": "resource_type_s", "type": "string" },
+ { "name": "action_id_s", "type": "string" }
+ ]
+ }
+ }
+}
diff --git a/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json b/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json
new file mode 100644
index 00000000000..b4408c51755
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json
@@ -0,0 +1,23 @@
+{
+ "Name": "VaikoraSentinel",
+ "Author": "Data443 Risk Mitigation, Inc. - support@data443.com",
+ "Logo": "",
+ "Description": "The [Vaikora AI Agent Behavioral Signals](https://vaikora.com) solution provides the capability to ingest AI agent behavioral data from the Vaikora API into Microsoft Sentinel using the Codeless Connector Framework (CCF). This solution deploys a REST API poller connector, a custom log table, data collection rules, analytics rules, and a visualization workbook to help security teams monitor AI agent activity, detect behavioral anomalies, and investigate policy violations.",
+ "Data Connectors": [
+ "Data Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json"
+ ],
+ "Analytic Rules": [
+ "Analytic Rules/Vaikora - High Risk AI Agent Action.yaml",
+ "Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml",
+ "Analytic Rules/Vaikora - Agent Policy Violation.yaml"
+ ],
+ "Workbooks": [
+ "Workbooks/VaikoraAgentSignalsDashboard.json"
+ ],
+ "WorkbookDescription": "This workbook provides visualization and monitoring for Vaikora AI agent behavioral signals including action timelines, severity breakdowns, anomaly detection, and policy violations.",
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-Sentinel",
+ "Version": "3.0.0",
+ "TemplateSpec": true,
+ "Is1Pconnector": false
+}
diff --git a/Solutions/Vaikora-Sentinel/Package/3.0.0.zip b/Solutions/Vaikora-Sentinel/Package/3.0.0.zip
new file mode 100644
index 00000000000..21661684aea
Binary files /dev/null and b/Solutions/Vaikora-Sentinel/Package/3.0.0.zip differ
diff --git a/Solutions/Vaikora-Sentinel/Package/createUiDefinition.json b/Solutions/Vaikora-Sentinel/Package/createUiDefinition.json
new file mode 100644
index 00000000000..c4fb814ec6a
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Package/createUiDefinition.json
@@ -0,0 +1,206 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Vaikora AI Agent Behavioral Signals](https://vaikora.com) solution ingests AI agent behavioral data from the Vaikora API into Microsoft Sentinel. 
Deploy this solution to monitor AI agent activity, detect behavioral anomalies, and investigate policy violations.\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": true + }, + "visible": true + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + 
"text": "This Solution installs the data connector for Vaikora. You can get Vaikora AI agent behavioral signals data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Vaikora - High Risk AI Agent Action", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Detects AI agent actions with a risk score of 75 or above and high or critical severity. Triggered when Vaikora scores an agent action as dangerous, which may indicate prompt injection, unauthorized resource access, or dangerous tool invocations." 
+ } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Vaikora - Behavioral Anomaly Detected", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Detects AI agent behavioral anomalies flagged by the Vaikora anomaly detection engine with a score of 0.7 or above. A high anomaly score indicates the agent is deviating significantly from its established behavioral baseline." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Vaikora - Agent Policy Violation", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Detects AI agent actions that were explicitly blocked by a Vaikora policy. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised agent workflow." + } + } + ] + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "This solution installs a workbook to visualize Vaikora AI agent behavioral signals in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." 
+ } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Vaikora AI Agent Signals Dashboard", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Provides visualization and monitoring for Vaikora AI agent behavioral signals including action timelines, severity breakdowns, anomaly detection, and policy violations." + } + } + ] + } + ] + } + ], + "outputs": { + "workspace": "[basics('workspace')]", + "location": "[location()]" + } + } +} diff --git a/Solutions/Vaikora-Sentinel/Package/mainTemplate.json b/Solutions/Vaikora-Sentinel/Package/mainTemplate.json new file mode 100644 index 00000000000..e96f81540d0 --- /dev/null +++ b/Solutions/Vaikora-Sentinel/Package/mainTemplate.json 
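Review bot: The `basics.description` tells the installer the solution is "currently in public preview" with no SLA, while the connector definition in this same change sets `"isPreview": false` and `"status": "Available"`; one of the two is wrong, and since the preview disclaimer is what a reader uses to decide whether to trust these detections in production, reconcile them. `resourceProviders` registers `Microsoft.Logic/workflows`, but the solution ships no playbooks, so that provider can be dropped to keep the requested set minimal. The `analytic1-text` block says the high-risk rule may indicate "prompt injection, unauthorized resource access, or dangerous tool invocations", a claim the rule's own YAML description does not make; keep the two texts aligned so the UI doesn't promise more than the query evidences.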
@@ -0,0 +1,1044 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Data443 Risk Mitigation, Inc. - support@data443.com", + "comments": "Solution template for VaikoraSentinel" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "Subscription id where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Vaikora AI Agent Behavioral Signals Dashboard", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "dataCollectionEndpoint": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Data collection endpoint for DCR ingestion (auto-managed by Sentinel)" + } + }, + "vaikoraDcrImmutableId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "DCR immutable ID (auto-managed by Sentinel)" + } + }, + "vaikoraApiKey": { + "type": "securestring", + "defaultValue": "", + 
"metadata": { + "description": "Vaikora API Key" + } + }, + "vaikoraAgentId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Vaikora Agent ID to monitor" + } + }, + "dcrImmutableId": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + "email": "support@data443.com", + "_email": "[variables('email')]", + "_solutionName": "VaikoraSentinel", + "_solutionVersion": "3.0.0", + "solutionId": "data443riskmitigationinc1761580347231.vaikora-sentinel-connector", + "_solutionId": "[variables('solutionId')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "dataConnectorCCPVersion": "3.0.0", + "_dataConnectorContentIdConnectorDefinition1": "VaikoraSentinel", + "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", + "_dataConnectorContentIdConnections1": "VaikoraSentinelConnections", + "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", + "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "blanks": "[replace('b', 'b', '')]", + "analyticRuleObject1": { + "analyticRuleVersion1": "3.0.0", + "_analyticRulecontentId1": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a1b2c3d4-e5f6-7890-abcd-ef1234567890')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a1b2c3d4-e5f6-7890-abcd-ef1234567890')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a1b2c3d4-e5f6-7890-abcd-ef1234567890','-', '3.0.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "3.0.0", + "_analyticRulecontentId2": "b2c3d4e5-f6a7-8901-bcde-f12345678901", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b2c3d4e5-f6a7-8901-bcde-f12345678901')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b2c3d4e5-f6a7-8901-bcde-f12345678901')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2c3d4e5-f6a7-8901-bcde-f12345678901','-', '3.0.0')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "3.0.0", + "_analyticRulecontentId3": "c3d4e5f6-a7b8-9012-cdef-123456789012", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c3d4e5f6-a7b8-9012-cdef-123456789012')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c3d4e5f6-a7b8-9012-cdef-123456789012')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c3d4e5f6-a7b8-9012-cdef-123456789012','-', '3.0.0')))]" + }, + "workbookVersion1": "3.0.0", + "workbookContentId1": "VaikoraAgentSignalsDashboard", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "_workbookcontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "displayName": "Vaikora AI Agent Behavioral Signals", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "VaikoraSentinel", + "connectorId": "VaikoraSentinel", + "title": "Vaikora AI Agent Behavioral Signals", + "publisher": "Data443 Risk Mitigation, Inc.", + "descriptionMarkdown": "Ingest AI agent 
behavioral signals from the Vaikora API into Microsoft Sentinel using the Codeless Connector Framework (CCF). Monitor agent actions, policy decisions, anomaly scores, and risk levels to detect suspicious AI activity in your environment.", + "graphQueriesTableName": "Vaikora_AgentSignals_CL", + "graphQueries": [ + { + "metricName": "Total Vaikora agent signals received", + "legend": "Vaikora Agent Signals", + "baseQuery": "Vaikora_AgentSignals_CL" + } + ], + "sampleQueries": [ + { + "description": "High-risk agent actions (last 24 hours)", + "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(24h) | where risk_score_d >= 75 | project TimeGenerated, agent_id_s, action_type_s, severity_s, policy_decision_s, risk_score_d, anomaly_score_d" + }, + { + "description": "Anomalous agent behavior (last 7 days)", + "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(7d) | where is_anomaly_b == true | summarize AnomalyCount=count(), AvgAnomalyScore=avg(anomaly_score_d) by agent_id_s, action_type_s | order by AnomalyCount desc" + }, + { + "description": "Blocked policy decisions (last 48 hours)", + "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(48h) | where policy_decision_s == 'block' | project TimeGenerated, agent_id_s, action_type_s, resource_type_s, policy_id_s, log_hash_s" + } + ], + "dataTypes": [ + { + "name": "Vaikora_AgentSignals_CL", + "lastDataReceivedQuery": "Vaikora_AgentSignals_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "status": "Available", + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": false + } + } + ], + "customs": 
[ + { + "name": "Vaikora API Key", + "description": "A Vaikora API key (vk_xxxxx) with read access to the actions endpoint. Obtain this from your Vaikora dashboard under Settings > API Keys." + } + ] + }, + "instructionSteps": [ + { + "title": "Connect Vaikora AI Agent Behavioral Signals", + "description": "To enable the Vaikora connector, provide your Vaikora API key and the agent ID you want to monitor, then click Connect.\n\nYour API key is available in the Vaikora dashboard under **Settings > API Keys**. The agent ID is the UUID shown on your agent's detail page.", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Vaikora API Key", + "placeholder": "vk_xxxxxxxxxxxxxxxxxxxxxxxx", + "type": "password", + "name": "vaikoraApiKey" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Vaikora Agent ID", + "placeholder": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "type": "text", + "name": "vaikoraAgentId" + } + }, + { + "type": "ConnectionToggleButton", + "parameters": { + "connectLabel": "Connect", + "name": "connect" + } + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": 
"[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "dcr-vaikora-agent-signals", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]", + "streamDeclarations": { + "Custom-Vaikora_AgentSignals_CL": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "payload", + "type": "dynamic" + }, + { + "name": "timestamp", + "type": "datetime" + }, + { + "name": "action_type_s", + "type": "string" + }, + { + "name": "agent_id_s", + "type": "string" + }, + { + "name": "status_s", + "type": "string" + }, + { + "name": "severity_s", + "type": "string" + }, + { + "name": "policy_decision_s", + "type": "string" + }, + { + "name": "policy_id_s", + "type": "string" + }, + { + "name": "risk_score_d", + "type": "int" + }, + { + "name": "risk_level_s", + "type": "string" + }, + { + "name": "is_anomaly_b", + "type": "boolean" + }, + { + "name": "anomaly_score_d", + "type": "real" + }, + { + "name": "anomaly_reason_s", + "type": "string" + }, + { + "name": "threat_detected_b", + "type": "boolean" + }, + { + "name": "threat_score_d", + "type": "int" + }, + { + "name": "log_hash_s", + "type": "string" + }, + { + "name": "resource_type_s", + "type": "string" + }, + { + "name": "action_id_s", + "type": "string" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + 
"streams": [ + "Custom-Vaikora_AgentSignals_CL" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | extend p=todynamic(payload) | extend TimeGenerated=todatetime(timestamp), action_type_s=tostring(p.action_type), agent_id_s=tostring(p.agent_id), status_s=tostring(p.status), severity_s=tostring(p.severity), policy_decision_s=tostring(p.policy_decision), policy_id_s=tostring(p.policy_id), risk_score_d=toint(p.risk_score), risk_level_s=tostring(p.risk_level), is_anomaly_b=tobool(p.is_anomaly), anomaly_score_d=toreal(p.anomaly_score), anomaly_reason_s=tostring(p.anomaly_reason), threat_detected_b=tobool(p.threat_detected), threat_score_d=toint(p.threat_score), log_hash_s=tostring(p.log_hash), resource_type_s=tostring(p.resource_type), action_id_s=tostring(p.id) | project TimeGenerated, action_type_s, agent_id_s, status_s, severity_s, policy_decision_s, policy_id_s, risk_score_d, risk_level_s, is_anomaly_b, anomaly_score_d, anomaly_reason_s, threat_detected_b, threat_score_d, log_hash_s, resource_type_s, action_id_s", + "outputStream": "Custom-Vaikora_AgentSignals_CL" + } + ] + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]", + "contentProductId": "[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "displayName": "Vaikora AI Agent Behavioral Signals - Connections", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "VaikoraSentinel", + "type": "string" + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrImmutableId": { + "defaultValue": "", + "type": "string" + }, + "dataCollectionEndpoint": { + "defaultValue": "", + "type": "string" + }, + "vaikoraApiKey": { + "defaultValue": "", + "type": "securestring" + }, + "vaikoraAgentId": { + "defaultValue": "", + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/VaikoraAgentSignals')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "VaikoraSentinel", + "dataType": "Vaikora_AgentSignals_CL", + "dcrConfig": { + "streamName": "Custom-Vaikora_AgentSignals_CL", + "dataCollectionEndpoint": "[parameters('dataCollectionEndpoint')]", + "dataCollectionRuleImmutableId": "[parameters('dcrImmutableId')]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "X-API-Key", + "ApiKey": "[parameters('vaikoraApiKey')]" + }, + "request": { + "apiEndpoint": "https://api.vaikora.com/api/v1/actions", + "httpMethod": "GET", + "queryParameters": { + "agent_id": "[parameters('vaikoraAgentId')]", + "per_page": 100, + "page": 1 + }, + "queryWindowInMin": 360, + "rateLimitQps": 1, + "retryCount": 3, + "timeoutInSeconds": 
60, + "headers": { + "Accept": "application/json", + "User-Agent": "Microsoft-Sentinel-Vaikora/1.0" + } + }, + "paging": { + "pagingType": "PageNumber", + "pageSize": 100, + "pageSizeParaName": "per_page", + "pageNumberParaName": "page", + "pageNumberStart": 1, + "hasNextPageFilter": "$.actions | length > 0" + }, + "response": { + "eventsJsonPaths": [ + "$.actions" + ], + "format": "json" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]", + "contentProductId": "[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "displayName": "Vaikora - High risk AI agent action detected", + "contentKind": "AnalyticsRule", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies high-risk AI agent 
actions from Vaikora where the risk score is 75 or above and severity is high or critical. These events may indicate an agent operating outside safe parameters or triggering policy thresholds.", + "displayName": "Vaikora - High risk AI agent action detected", + "enabled": false, + "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated > ago(1h)\n| where risk_score_d >= 75\n| where severity_s in ('high', 'critical')\n| summarize\n ActionCount = count(),\n MaxRiskScore = max(risk_score_d),\n Actions = make_set(action_type_s),\n PolicyDecisions = make_set(policy_decision_s),\n ResourceTypes = make_set(resource_type_s)\n by AgentId = agent_id_s, RiskLevel = risk_level_s, Severity = severity_s\n| extend\n ActionList = strcat_array(Actions, ', '),\n PolicyList = strcat_array(PolicyDecisions, ', '),\n ResourceList = strcat_array(ResourceTypes, ', ')", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "VaikoraSentinel", + "dataTypes": [ + "Vaikora_AgentSignals_CL" + ] + } + ], + "tactics": [ + "Impact", + "Execution", + "PrivilegeEscalation" + ], + "techniques": [ + "T1059", + "T1078", + "T1548" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AgentId" + } + ] + } + ], + "customDetails": { + "MaxRiskScore": "MaxRiskScore", + "ActionCount": "ActionCount", + "Actions": "ActionList", + "PolicyDecisions": "PolicyList" + }, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT1H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Account" + ] + } + } + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "Vaikora Sentinel Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "[variables('_solutionName')]", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "contentProductId": "[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "displayName": "Vaikora - Behavioral anomaly detected", + "contentKind": 
"AnalyticsRule", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies AI agent behavioral anomalies flagged by Vaikora with an anomaly score of 0.7 or above, indicating significant deviation from the agent's established behavioral baseline.", + "displayName": "Vaikora - Behavioral anomaly detected", + "enabled": false, + "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated > ago(1h)\n| where is_anomaly_b == true\n| where anomaly_score_d >= 0.7\n| summarize\n AnomalyCount = count(),\n MaxAnomalyScore = max(anomaly_score_d),\n AvgAnomalyScore = avg(anomaly_score_d),\n AnomalyReasons = make_set(anomaly_reason_s),\n ActionTypes = make_set(action_type_s)\n by AgentId = agent_id_s, Severity = severity_s\n| extend\n ReasonList = strcat_array(AnomalyReasons, '; '),\n ActionList = strcat_array(ActionTypes, ', ')", + "queryFrequency": "PT30M", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT30M", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "VaikoraSentinel", + "dataTypes": [ + "Vaikora_AgentSignals_CL" + ] + } + ], + "tactics": [ + "DefenseEvasion", + "Execution" + ], + "techniques": [ + "T1059", + "T1027" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AgentId" + } + ] + } + ], + "customDetails": { + "MaxAnomalyScore": "MaxAnomalyScore", + "AnomalyCount": 
"AnomalyCount", + "AnomalyReasons": "ReasonList" + }, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT1H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Account" + ] + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "Vaikora Sentinel Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "[variables('_solutionName')]", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "contentProductId": "[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "displayName": "Vaikora - Agent policy violation", + "contentKind": "AnalyticsRule", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies AI agent actions explicitly blocked by a Vaikora policy. 
Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised workflow.", + "displayName": "Vaikora - Agent policy violation", + "enabled": false, + "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated > ago(1h)\n| where policy_decision_s == 'block'\n| summarize\n ViolationCount = count(),\n PolicyIds = make_set(policy_id_s),\n ActionTypes = make_set(action_type_s),\n ResourceTypes = make_set(resource_type_s),\n MaxRiskScore = max(risk_score_d)\n by AgentId = agent_id_s\n| extend\n PolicyList = strcat_array(PolicyIds, ', '),\n ActionList = strcat_array(ActionTypes, ', '),\n ResourceList = strcat_array(ResourceTypes, ', ')\n| where ViolationCount >= 1", + "queryFrequency": "PT15M", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT15M", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "VaikoraSentinel", + "dataTypes": [ + "Vaikora_AgentSignals_CL" + ] + } + ], + "tactics": [ + "Impact", + "DefenseEvasion" + ], + "techniques": [ + "T1078", + "T1562" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "AgentId" + } + ] + } + ], + "customDetails": { + "ViolationCount": "ViolationCount", + "PolicyIds": "PolicyList", + "MaxRiskScore": "MaxRiskScore" + }, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT1H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Account" + ] + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "properties": { + "description": "Vaikora Sentinel Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "[variables('_solutionName')]", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "contentProductId": "[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_workbookContentId1')]", + "displayName": "[parameters('workbook1-name')]", + "contentKind": "Workbook", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": 
"Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Gain insights into Vaikora AI agent behavioral signals including action timelines, severity breakdowns, anomaly detection, and policy violations." + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Vaikora AI Agent Behavioral Signals\\n\\nThis workbook visualizes AI agent behavioral data ingested from Vaikora into Microsoft Sentinel.\"},\"name\":\"header\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Vaikora_AgentSignals_CL\\n| where TimeGenerated > ago(24h)\\n| summarize TotalActions=count(), BlockedActions=countif(policy_decision_s=='block'), Anomalies=countif(is_anomaly_b==true), HighRisk=countif(risk_score_d>=75)\\n| project TotalActions, BlockedActions, Anomalies, HighRisk\",\"size\":4,\"title\":\"Signal Overview (last 24h)\",\"queryType\":0,\"visualization\":\"tiles\"},\"name\":\"overview-tiles\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Vaikora_AgentSignals_CL\\n| where TimeGenerated > ago(24h)\\n| summarize TotalActions=count(), Blocked=countif(policy_decision_s=='block'), Anomalies=countif(is_anomaly_b==true) by bin(TimeGenerated,1h)\\n| order by TimeGenerated asc\",\"size\":0,\"title\":\"Agent Actions Over Time\",\"queryType\":0,\"visualization\":\"timechart\"},\"name\":\"actions-timechart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Vaikora_AgentSignals_CL\\n| where TimeGenerated > ago(24h)\\n| summarize Count=count() by severity_s\",\"size\":3,\"title\":\"Actions by Severity\",\"queryType\":0,\"visualization\":\"piechart\"},\"name\":\"severity-pie\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Vaikora_AgentSignals_CL\\n| where 
TimeGenerated > ago(24h)\\n| where is_anomaly_b==true\\n| summarize Count=count() by bin(TimeGenerated,1h)\\n| order by TimeGenerated asc\",\"size\":0,\"title\":\"Anomalies Over Time\",\"queryType\":0,\"visualization\":\"timechart\"},\"name\":\"anomaly-timechart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Vaikora_AgentSignals_CL\\n| where TimeGenerated > ago(24h)\\n| where risk_score_d>=75 or severity_s in ('high','critical')\\n| project TimeGenerated, agent_id_s, action_type_s, severity_s, risk_score_d, anomaly_score_d, policy_decision_s, anomaly_reason_s\\n| order by TimeGenerated desc\\n| take 50\",\"size\":0,\"title\":\"Recent High-Risk Actions\",\"queryType\":0,\"visualization\":\"table\"},\"name\":\"highrisk-table\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Vaikora_AgentSignals_CL\\n| where TimeGenerated > ago(24h)\\n| where policy_decision_s=='block'\\n| summarize ViolationCount=count(), MaxRiskScore=max(risk_score_d), Actions=make_set(action_type_s), LastSeen=max(TimeGenerated) by agent_id_s, policy_id_s\\n| extend ActionList=strcat_array(Actions,', ')\\n| project agent_id_s, policy_id_s, ViolationCount, MaxRiskScore, ActionList, LastSeen\\n| order by ViolationCount desc\",\"size\":0,\"title\":\"Policy Violations by Agent\",\"queryType\":0,\"visualization\":\"table\"},\"name\":\"violations-table\"}],\"styleSettings\":{},\"fromTemplateId\":\"sentinel-VaikoraAgentSignalsDashboard\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "Vaikora Sentinel Workbook", + 
"parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "[variables('_solutionName')]", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('workbookVersion1')]", + "contentProductId": "[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "[variables('_solutionVersion')]", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Vaikora AI Agent Behavioral Signals", + "publisherDisplayName": "Data443 Risk Mitigation, Inc.", + "descriptionHtml": "

The Vaikora AI Agent Behavioral Signals solution provides the capability to ingest AI agent behavioral data from the Vaikora API into Microsoft Sentinel using the Codeless Connector Framework (CCF). This solution deploys a REST API poller connector, a custom log table, data collection rules, analytics rules, and a visualization workbook to help security teams monitor AI agent activity, detect behavioral anomalies, and investigate policy violations.

", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "VaikoraSentinel", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "version": "[variables('dataConnectorCCPVersion')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + } + ] + }, + "providers": [ + "Data443 Risk Mitigation, Inc." + ], + "categories": { + "domains": [ + "Security - Others" + ], + "verticals": [] + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/Solutions/Vaikora-Sentinel/README.md b/Solutions/Vaikora-Sentinel/README.md new file mode 100644 index 00000000000..4fb522e8ee3 --- /dev/null +++ b/Solutions/Vaikora-Sentinel/README.md 
@@ -0,0 +1,79 @@
+# Vaikora AI Agent Behavioral Signals — Microsoft Sentinel Solution
+
+This solution ingests AI agent behavioral data from the [Vaikora](https://vaikora.com) API into Microsoft Sentinel. It deploys a REST API poller connector, a custom log table, data collection rules, analytics rules, and a visualization workbook.
+
+## What Gets Deployed
+
+| Component | Description |
+|-----------|-------------|
+| Data connector | REST API poller — polls `https://api.vaikora.com/api/v1/actions` every 6 hours |
+| Custom table | `Vaikora_AgentSignals_CL` — 17-column schema for agent signals |
+| Analytic rule | Vaikora - High Risk AI Agent Action |
+| Analytic rule | Vaikora - Behavioral Anomaly Detected |
+| Analytic rule | Vaikora - Agent Policy Violation |
+| Workbook | Vaikora AI Agent Signals Dashboard |
+
+## Prerequisites
+
+- Microsoft Sentinel workspace
+- Vaikora API key (obtain from your Vaikora account)
+- Agent ID from your Vaikora deployment
+
+## Data Connector Setup
+
+After deploying the solution:
+
+1. Go to **Microsoft Sentinel > Data connectors**
+2. Find **Vaikora AI Agent Behavioral Signals** and open it
+3. Click **Open connector page**
+4. Enter your Vaikora API key and agent ID
+5. Click **Connect**
+
+The connector polls the Vaikora API every 6 hours. Data appears in `Vaikora_AgentSignals_CL` within the first polling window.
+
+## Custom Table Schema
+
+| Column | Type | Description |
+|--------|------|-------------|
+| TimeGenerated | datetime | Timestamp of the agent action |
+| action_id_s | string | Unique action identifier |
+| action_type_s | string | Type of action performed |
+| agent_id_s | string | Agent identifier |
+| status_s | string | Action status (success, failure, blocked) |
+| severity_s | string | Severity level (low, medium, high, critical) |
+| policy_decision_s | string | Policy enforcement decision (allow, block, warn) |
+| policy_id_s | string | Policy that evaluated the action |
+| risk_score_d | int | Risk score 0-100 |
+| risk_level_s | string | Risk level label |
+| is_anomaly_b | bool | Whether Vaikora flagged this as anomalous |
+| anomaly_score_d | real | Anomaly score 0.0-1.0 |
+| anomaly_reason_s | string | Human-readable anomaly explanation |
+| threat_detected_b | bool | Whether a threat was detected |
+| threat_score_d | int | Threat score 0-100 |
+| resource_type_s | string | Type of resource the agent accessed |
+| log_hash_s | string | Unique hash for deduplication |
+
+## Analytic Rules
+
+All three rules are deployed in disabled state. Enable them from **Analytics > Rule templates** after confirming data is flowing.
+
+**Vaikora - High Risk AI Agent Action** — fires when an action has `risk_score_d >= 75` and severity is `high` or `critical`. Severity: High. Frequency: 1h.
+
+**Vaikora - Behavioral Anomaly Detected** — fires when `is_anomaly_b == true` and `anomaly_score_d >= 0.7`. Severity: Medium. Frequency: 30m.
+
+**Vaikora - Agent Policy Violation** — fires when `policy_decision_s == 'block'`. Severity: Medium. Frequency: 15m.
+
+## Workbook
+
+The **Vaikora AI Agent Signals Dashboard** workbook is available under **Workbooks** after deployment. It includes:
+
+- Signal overview tiles (total actions, blocked, anomalies, high-risk, critical)
+- Actions over time chart
+- Severity and policy decision breakdowns
+- Anomaly timeline
+- Recent high-risk actions table (top 50)
+- Policy violations by agent and policy
+
+## Support
+
+Data443 Risk Mitigation, Inc. — support@data443.com — https://data443.com/support
diff --git a/Solutions/Vaikora-Sentinel/ReleaseNotes.md b/Solutions/Vaikora-Sentinel/ReleaseNotes.md
new file mode 100644
index 00000000000..8d3bd373556
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|---|---|---|
+| 3.0.0 | 03-04-2026 | Initial release. REST API poller connector, custom Vaikora_AgentSignals_CL table, 3 analytic rules (High Risk Action, Behavioral Anomaly, Policy Violation), and AI agent signals dashboard workbook. |
diff --git a/Solutions/Vaikora-Sentinel/SolutionMetadata.json b/Solutions/Vaikora-Sentinel/SolutionMetadata.json
new file mode 100644
index 00000000000..7f8a8e598da
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/SolutionMetadata.json
@@ -0,0 +1,21 @@
+{
+ "publisherId": "data443riskmitigationinc1761580347231",
+ "offerId": "vaikora-sentinel-connector",
+ "firstPublishDate": "2026-04-03",
+ "lastPublishDate": "2026-04-03",
+ "providers": [
+ "Data443 Risk Mitigation, Inc."
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Intelligence",
+ "Security - Others"
+ ]
+ },
+ "support": {
+ "name": "Data443 Risk Mitigation, Inc.",
+ "email": "support@data443.com",
+ "tier": "Partner",
+ "link": "https://data443.com/support"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json b/Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json
new file mode 100644
index 00000000000..15c3d7a72a7
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json
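Review bot: `categories.domains` in SolutionMetadata.json lists `Security - Threat Intelligence` and `Security - Others` and `support.link` is `https://data443.com/support`, whereas the packaged solution template earlier in this diff carries only `Security - Others` and `https://www.data443.com`. If the package was generated from an earlier revision of this metadata it should be regenerated so the two agree, since the values in the template are the ones the content hub surfaces. I would also drop `Security - Threat Intelligence` unless the solution actually ships threat-intelligence content; the README describes behavioral signals, analytic rules and a workbook only, and the domain decides where the offer is listed.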
@@ -0,0 +1,202 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Vaikora AI Agent Behavioral Signals\n\nThis workbook visualizes AI agent behavioral data ingested from Vaikora into Microsoft Sentinel. Use it to monitor agent activity, detect anomalies, and investigate policy violations."
+ },
+ "name": "header"
+ },
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "parameters": [
+ {
+ "id": "timeRange",
+ "version": "KqlParameterItem/1.0",
+ "name": "TimeRange",
+ "label": "Time Range",
+ "type": 4,
+ "value": {
+ "durationMs": 86400000
+ },
+ "typeSettings": {
+ "selectableValues": [
+ { "durationMs": 3600000 },
+ { "durationMs": 14400000 },
+ { "durationMs": 43200000 },
+ { "durationMs": 86400000 },
+ { "durationMs": 259200000 },
+ { "durationMs": 604800000 },
+ { "durationMs": 2592000000 }
+ ]
+ }
+ },
+ {
+ "id": "agentId",
+ "version": "KqlParameterItem/1.0",
+ "name": "AgentId",
+ "label": "Agent ID",
+ "type": 2,
+ "query": "Vaikora_AgentSignals_CL | where TimeGenerated {TimeRange} | where isnotempty(agent_id_s) | summarize by agent_id_s | project value=agent_id_s, label=agent_id_s",
+ "typeSettings": {
+ "additionalResourceOptions": [ "value::all" ],
+ "showDefault": false
+ },
+ "defaultValue": "value::all",
+ "queryType": 0
+ }
+ ],
+ "style": "pills"
+ },
+ "name": "parameters"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Summary"
+ },
+ "name": "summary-header"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| summarize\n TotalActions = count(),\n BlockedActions = countif(policy_decision_s == 'block'),\n Anomalies = countif(is_anomaly_b == true),\n HighRisk = countif(risk_score_d >= 75),\n CriticalSeverity = countif(severity_s == 'critical')\n| project TotalActions, BlockedActions, Anomalies, HighRisk, CriticalSeverity",
+ "size": 4,
+ "title": "Signal Overview",
+ "queryType": 0,
+ "visualization": "tiles",
+ "tileSettings": {
+ "showBorder": true,
+ "titleContent": { "columnMatch": "", "formatter": 1 },
+ "leftContent": { "columnMatch": "TotalActions", "formatter": 12, "formatOptions": { "palette": "blue" } }
+ }
+ },
+ "name": "overview-tiles"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Actions Over Time"
+ },
+ "name": "timechart-header"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| summarize\n TotalActions = count(),\n Blocked = countif(policy_decision_s == 'block'),\n Anomalies = countif(is_anomaly_b == true)\n by bin(TimeGenerated, 1h)\n| order by TimeGenerated asc",
+ "size": 0,
+ "title": "Agent Actions Over Time",
+ "queryType": 0,
+ "visualization": "timechart"
+ },
+ "name": "actions-timechart"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Actions by Severity"
+ },
+ "name": "severity-header"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| summarize Count = count() by severity_s\n| order by Count desc",
+ "size": 3,
+ "title": "Actions by Severity",
+ "queryType": 0,
+ "visualization": "piechart"
+ },
+ "name": "severity-pie"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| summarize Count = count() by policy_decision_s\n| order by Count desc",
+ "size": 3,
+ "title": "Actions by Policy Decision",
+ "queryType": 0,
+ "visualization": "piechart"
+ },
+ "name": "policy-pie"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Anomaly Detection"
+ },
+ "name": "anomaly-header"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| where is_anomaly_b == true\n| summarize Count = count() by bin(TimeGenerated, 1h)\n| order by TimeGenerated asc",
+ "size": 0,
+ "title": "Anomalies Over Time",
+ "queryType": 0,
+ "visualization": "timechart",
+ "chartSettings": {
+ "seriesLabelSettings": [
+ { "seriesName": "Count", "color": "orange" }
+ ]
+ }
+ },
+ "name": "anomaly-timechart"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Recent High-Risk Actions"
+ },
+ "name": "highrisk-header"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| where risk_score_d >= 75 or severity_s in ('high', 'critical')\n| project TimeGenerated, agent_id_s, action_type_s, severity_s, risk_score_d, anomaly_score_d, policy_decision_s, status_s, resource_type_s, anomaly_reason_s\n| order by TimeGenerated desc\n| take 50",
+ "size": 0,
+ "title": "Recent High-Risk Actions (top 50)",
+ "queryType": 0,
+ "visualization": "table",
+ "gridSettings": {
+ "formatters": [
+ { "columnMatch": "severity_s", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "critical", "representation": "red", "text": "{0}" }, { "operator": "==", "thresholdValue": "high", "representation": "orange", "text": "{0}" }, { "operator": "Default", "thresholdValue": null, "representation": "blue", "text": "{0}" } ] } },
+ { "columnMatch": "policy_decision_s", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "block", "representation": "red", "text": "{0}" }, { "operator": "Default", "thresholdValue": null, "representation": "green", "text": "{0}" } ] } }
+ ]
+ }
+ },
+ "name": "highrisk-table"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Policy Violations"
+ },
+ "name": "violations-header"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| where policy_decision_s == 'block'\n| summarize\n ViolationCount = count(),\n MaxRiskScore = max(risk_score_d),\n Actions = make_set(action_type_s),\n Resources = make_set(resource_type_s),\n LastSeen = max(TimeGenerated)\n by AgentId = agent_id_s, PolicyId = policy_id_s\n| extend ActionList = strcat_array(Actions, ', '), ResourceList = strcat_array(Resources, ', ')\n| project AgentId, PolicyId, ViolationCount, MaxRiskScore, ActionList, ResourceList, LastSeen\n| order by ViolationCount desc",
+ "size": 0,
+ "title": "Policy Violations by Agent and Policy",
+ "queryType": 0,
+ "visualization": "table"
+ },
+ "name": "violations-table"
+ }
+ ],
+ "styleSettings": {},
+ "fromTemplateId": "sentinel-VaikoraAgentSignalsDashboard",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
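Review bot: The Signal Overview item (`"name": "overview-tiles"`) will render a single tile showing only TotalActions, because the tiles visualization draws one tile per result row and its query ends with `| project TotalActions, BlockedActions, Anomalies, HighRisk, CriticalSeverity`, which returns exactly one row; `leftContent` matches only `TotalActions` and the empty `titleContent` match leaves that tile unlabeled. The README in this PR promises five overview tiles, so the summarized row should be unpivoted into (Metric, Value) pairs and the tile settings pointed at those two columns, as below. A second, smaller point applies to every query in the hunk: the AgentId selection is spliced into a single-quoted literal (`agent_id_s == '{AgentId}'`), and since the dropdown is populated from `agent_id_s` values ingested from the external API, an id containing a single quote would break the query for that selection; I believe the usual workbook pattern of a multi-select parameter compared with `agent_id_s in ({AgentId})` avoids this because the workbook quotes the values itself.
```json
"query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| summarize\n TotalActions = count(),\n BlockedActions = countif(policy_decision_s == 'block'),\n Anomalies = countif(is_anomaly_b == true),\n HighRisk = countif(risk_score_d >= 75),\n CriticalSeverity = countif(severity_s == 'critical')\n| extend Metrics = pack_all()\n| mv-expand Item = Metrics\n| extend Metric = tostring(bag_keys(Item)[0])\n| project Metric, Value = toint(Item[Metric])",

"tileSettings": {
  "showBorder": true,
  "titleContent": { "columnMatch": "Metric", "formatter": 1 },
  "leftContent": { "columnMatch": "Value", "formatter": 12, "formatOptions": { "palette": "blue" } }
}
```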