From f3ea143121c0c7a770821322feea7e1332a108da Mon Sep 17 00:00:00 2001 From: Taz Jack Date: Tue, 31 Mar 2026 07:01:52 -0400 Subject: [PATCH 01/38] fix: remove testParameters.json from 3.0.1.zip (cert rule 300.4.1.1) --- .../Package/3.0.1.zip | Bin 0 -> 7771 bytes .../Package/mainTemplate.json | 14 +++++++------- 2 files changed, 7 insertions(+), 7 deletions(-) create mode 100644 Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/3.0.1.zip 
diff --git a/Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/3.0.1.zip b/Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/3.0.1.zip new file mode 100644 index 0000000000000000000000000000000000000000..ea29e778b67f65037c7d2041cffc73df81b4fd65 GIT binary patch literal 7771 zcmZ{pWl$VYl%*RD4h;bs4GHeSJ;B}GX&PJiRP9d9 z?ACp^?z?}^-&6N|stQQRZvg-R8i0pC(6EGMAi9JI0I;b90Du5;fW0ZyLDRzC$p6gOh z8Ff#Q7NNgfRpvU!Pn1th3geQhM}{t+J_H70CIQ6oX~b5Y^A_yr;$^`NE9XWv!=L-a zD(?99*)As!{S$qr_;FV6iq(9q+FcN>f_3<#BEP?r3yWkkvY1)1_7#2@13!a57Q_jY zKi;Gy3XN9(@Pr6I;}#G6y=mq5%S7c6engRp`w_&>MUwCkc(_ZLKrs{j@EAB~)xJw} znIi4C<=XytYXC=(<^-#Ujzf>1qklzwzMrB90U`&QV+hzU-Q^EJtk88I0Yb>9fqw`- z;f|2_SSwREdy;H}osdIigI?MYD9PEWPlh!_m+vMJ->{t_)H4TL9!TPR!N?s4{;6cX zQ1jd}_9KDx(#2BavvAto^UBpHhDvpZMH09#54qA`?wXK)1~z??%$lWfxl{ov4aUR1 z8tzDjYSQVVMt1f?`dRX0Zh8g--hA3kgF(^ip2x?KC{ZRM79FOjw4Ioa< zCDG^D;G-=WVXt431q!BXbrNBlW|D|RW@EdmYTd&J%b2A34L_VOML#?+ck1GMMx#kk zCX5TP2qYfJW5MB4Hsb6OPx8-ynRayv3$Tr*-k!*o<5K0s9V!0 zfJlReP1(>4L+(duik#NR*#7DSG83o8_xf$Ze+olan|qfZMHb~VVaD*O7F7TUgJPu| zvzd(l)k4t__2&=}Rm7Eg@<3QxosVCFBq6oF`AsSLZ)M3mjd!-42)rTph>JcH`ITbt z-iF2Zwy(m4)rx88Hvvn2_31kq^tSs}Z{lVoagt`rDFf5qlLYtZF}g}1dR}c5PYm@X zdQ$qe^>E3>ZwFbRVbMedGvk@1B78jq)PRgiA%>&0MhbA(SIPDJ;B&(QbssuA-B&Sj zX5ppa$~UAn8gTT+WZ*a-+JN-m=DzT`zUE+4UV-9e$<^blpq_;qm7Zu4k!ya6nIkkL zN|%C#!OFH-9ehFL2imhJ=GmX+#8|g;h<%+wZhA8BJvzda+?u{HH>oea?rR68?K*{R z(0sW3#SJ!Zh+D1bTjce{dklTm#!rId=T%)rM6?CF1+_8b;bCmx7q=&w!&@#; z%lwEYqd8*`Z%k=5XiqH0Be}w+=ZbE5h1wu6kyE?!tbvm#yTCGc>b8uf*#%OciwhYd zoO$e2gQS7$)j+eZh&ToDoa%CfkPZnK@glvSruwvK^&Z)RvFRk_(%$-Nyjuw^2(N({LM(5e8xSWH1s}r zPsMaVrBJ=Xy{a-?F2=?GGov!!@Xb*+jSP|7+rlLo2;Hv67o( zk`#qf2fTba7wiT<_FwL+?paEjmk6@ZUjU4~7*lNCa|;7|_7n=F@eo6u1Pb0Lnjb7g zf1_sqrjSY%ANYw+3bQC>C%kN?>lBs-H8?LPXtnqDz}#FbAEd<6^Kf@9jr&4puP+oJ zaJZ8#*Ufmtnk^rDNRkTnA&R{-BoN^ex4|egY9^+}@<_n3=m(l_cr_x>u*Cu^Hsuj=vm1WbZgJ6tXVtCq; zRka{J`3*YN;g_j9Q&&B?ZwrC^$s2**toZ^j(uE0fu+<>EMFv?JN`g8(@DN?@e$JDX zc3W)vuKsaUYNQh7d)fcIp_}qN$43FA;TDMtD0lgLiB&>4H%)XC{ql$UsY%5ldDpRk1k|Lr?(oeNqYN 
zJ{|%0W>s}BG(`P(DzJ|S|9u4Ti(1+ew@52O;HkFTR31@=Epi?9Iotjr8+c>H&rm|s z0W`1e>boqv?m*}m-M++2;iSt#3Y&UQZ%30*#==_~|7}Cp90@oIqkc9(9AXpL(!mp1 z3<(=RKCwY&do%jU21Jxf_{yhL{OmdAYk8H8z7k%Oz^`HdDX_tER0J;{rX1YjIf-G%`9d=&bUF);-wson93}gGOD%sfb z_3F4JS8@S_65o?keLpOmkOKC^(f=`RfjMCd2{>nPHkwUWQ-SM~Zqi;FGWPzQvSvc7 zBfrg&zV|ljV951kE?TYN2}FN*yRTstU8-B4eq>gz6;oFh7>9{(r^r&N~yrb6JjHGl<_PyFyb>m7MExPkr;RZG>J7J-ApiI-BP3NMQ- zjD*}O&vWnxJ@mn6m{}yAb90?gWMB_h3mAA?E^L@|$jX#&kQEzVpSk9KbW@y5bi&%; zOUDhq-SPZ^#w?Qcy{;NX>sOb5_E=x!^Ik)5SXR6%;3`K zX7()2CzI?2zh!PI@1`Q)(F0c`6Js83*U*CoLrA5oHc*ibs5MQsoq%Vs#ftfMYZ3kS zb(}X~R$!IZ*A?bqYx8;In3ywN0P=4ttFz}3GNX$yp8A50)&^O)*J9=*`Cv$I*D6dO zkV~O%=K9X;YZ)Y>l-UMlvBcro<}0fFdjF{h$w6eP)covZV8AQ?158E2F)iY4mST2%7 zaLEg5T_wF!n7P|84sEM zVOVb<0w3QaeAMrP02GS!`e)R0ZTyyY*c}EwrYE<0-qz%#qaw0 zcX6BJrxt&6zY*+uv1$nRAQ-JZd{vzCn{L_b-vrO?Z6)U3Ricf~9h2Cv>{9AE_PZ#5 z*M{xh?ZKELGwoi8JwH)o*@)?HX0or;P0MLrofJu2w%8$HAnF}rhw~?c>UeoI#@beM zFgNN?K!k@=`1#zp>M|Nl8L6B+Gam>v%({RrVp-<}LamBh3-`B@%Er9L1OPTkR<1^5 zrZVB{kvb=Hy7q*hyk*+PX4TI23;Q~`yItr7t91B~3k6b`G5;ASbyAi3>L`!83IGT7 zqlf8;FxfP=F)VeL^(N?XZo07eKdO zw`MaO1_^P%xT7F?XNvX_w;@;BbE)eLOtP4lU?~YJHhNoVa$B#_eR3>TnmuE9BuaF+ zGcED=;_Eq*k`-3e+GpU|T8=P=b(hpKJDD#vJ9Bc1j?4#3x<~t)om4fh=ncLbNO9=I zcQK)YyPqBAWcZ^*q;_r6>Lb+zrL|*g;w}3|R;g5U6smM)-G}QvdWu$$cLSY4NBV;d z(}PTWkI5CoZ_ZOEh_ZPc#fydjehQ&D!1j? 
z>E0B|e9W#wg&x{eKNk+I9*!Ud_lwDE4^Zfxk!LyAoM3R_OXW|5Oa6|1WSJL&t{oke z8Vp060PlLru$$P*qmN!9R2>68mvx?9Pcp}12&6!E5gA}ul}|@t9BXwL;mWg)%ZJwy z=Q?YoITJp{w7Un#w_5&f-&xSYQ?^*X5Z_u%VThMH!heHGt*%hwdWk>NK1hx+Gfyzy zXb#E#MgDYY5^`L4fiaak`;Fg7^skgJ-YiT1TgVbZO0IHejp#a|Spf+8%ltZ)%Qz+K z(&YCLPt*RhH>I5om$y0mV*{up#``#n{E30Sr!%{P?Z@fZT0%3KRr+`f@gQqVD0@I6 zbrL?SYi>{e3`r|&O;D$Ggr=u6UtT1Uk+=Q1Sx39QL@k*5AjBQj(L|Dfi&UO?sig>K zgganEF?uZG@LXJlqQUcCP!l0y?+KV-u>OKc&~;rTC;ge3t8=3BmqXp zsLv~Q9JZ|NklmIa+sKZ{uEVpby;v*V*&0urx?Isw^Hke~hy{IGdpf#4)-G;5F3cSm zwacyOl2ts%&UcQn;xzNl$%Yx3Xm=`1{`qB&&DcSE#`o#(GsV~%-=0GqyuEkzq4)Sc z$7pO6{_C;&mV6zvEz2{NVr;bT;dOB>f#(rEvbh^4(?oN%+F3i+(&y#&!|if zTXKDB<6Qll?5@s_D!aLQc7>F=9otJ8$jr;48(S_k0N%@jTFoUIFJIUZ z*^yv!7eCEYUAH=3GyBk+D=>20o4e|?;mMWxt*$Ru&lB~I751NRzvJI5{94*^M2@d2 z?SwgcyXtOWxi~Pk{pw%migdDXZ1uvwt=ueljJDw^2=^2;aojUHbz>{_@T}VCXeD>; z5}D!olTcT7>0O&C_7>nDarRrkqvuJf^0-yB?#TrWrJ@pdO>t)C2Ue}ZZvJVM@skoB z3i!@`mi!{VMarblXQr;t!O>0ay0--N(0vm_4d4c+%}+FJQqWH=VE>}^=!5SHXE*YN zyS4e$`IX;y(7-JANjKRyo-rIwH!6=7cP+GaHbr}SL_jL{@0`+qBb#t{N3Z?hsqE44 zt*+~7_!HGF-1xGCp&z3uIwqogi<=F|D;Ua$&DE+-T)v$DMDhNn>yo#k~o;DA4$Zie^6W%bHS z4wRA;ywC5Enf3MGeG^!YAa?SpD7nVE$TRYZK_poG5&f;-coiAer7|xlR4ry}b5o(& z_oGzzpIixvZ~UDW4#ddTd89%m20{aS&)C1vgkdpJhK)WxtG>EnINuR! z3Ri61Pm1yB4!;uRd}3$Xlgpk+8<}xFn4i*GON8uPiP3$QFM{>mPBR9`rRMEGLgY|` zc0|F`^V4xkxmwht9VSMrKj!U?+n7i^szVgV3(DM#<{6KPIP)|d(P_CUS#8EzBWT59 zjFEr(NBtSLJ)Cs_VK_b4GF&TMQUy+MPHtXKho^358HiGeBJT$|3rJnTCWb8culX5S zC&*J5V4_>M)*m-X?9Ry($KbJ_|FW%zujqkb!Qr;&!8baNN36K%k%!sFySyK!c|d(% zErl%5wwuwQoaDG;W&E-N*%xj}1q~x^{hXSW2wF6~mOAU^OeWY-jUycm4HqUIuK08# z3gm%Q!+NMV>7|qINkx5&h5IVap-CYE7;;> z{82;590)(yNsCTd==^u6;E$wTcZAkh<_d*gB5Aa)URPF=+I#|OOb3$}o%gY!FI1{0 z7e)LWH-4)yIL8rs6h2X@vVt!&6YFGm{YKjl5xW7Y@|n@FW2{^j+O;VBF! 
zY#U{a`;7^*Wt?xNz#o5~f!$S&X@kT8l7J8V-!4ErzOJC zFJm|%r{4?xG!I7+Yrrm(T=BDK@3xBO`v}9Oox?7zQ4+9as3*{P8{h99s9sYKrQbE& zad(9d*N##DhLZd?d!-mKgo%n+o>xvjR0Y&_w_7Jz+LK5(-jL=Y|R4enxZ z$UiI_J>$@0#fvqJr%86@P}CAM<)7SIu=OlkIUn%CG)^dEJ|mIF>?gG~x#g*=4xz_(-a;^_O5dX-e4j++u|-YB4k(2BbOgVZ0rifp@& z=viFHke0HTiyC{oXZ(6w3K&Hq9A4J`mSiJ{zh{(N0CpH=@) z-0de9U^ok0)KNnP0PukT0P(-L+swt{U(l@um9(&gIzZi^jt>7f^v?5`gns?k|1I>c z)j4)p=Y9KHSkC_gRTsyck@ce;S_V8bw30I39{sm=w~iyQk1<)0aHB!1E+)9@0#^9fJxR z2w@;%jwFPlYc-gMe@lNIZzN{M_dgBi!%giuVSe1o@n?8h|EYMo5ahMC)W2GD+*?zc$*`U&BDQbF^cA#dSZAsi~8eqe)~Q zR)=om>**aadL&QoI>O4R1gL%!qh6}HZ8``k3fH8{2$Ewg83*}ntIW_#M>w&PR~VCx z5o;jFBdgmaoBp9q0?Umo*%d3OYk_H?x~AtLsqrX{2wPkdT>{0D`$^fd$>9t<%@!L~ z@ToL=TBXj23!xJQ=;igpl>IjXAZ`!XV6w`vy``JgMR@4AD2<~hX(yOg3#r2y)PJh< z8;v}d`cLa=xLWm++QWj#V0i~;cuf({ErM1ONJw<{AOWpa!e7tjk;Ie&ofkpn8scc$ zU||ShS1lOwTz?I46CaUMd>jmerPD~JQglLhSmY|~lO1&-OjST&f6idc2Nxa|U;@$2 z$`+nNm?Jl@p|#l->Ft5fuE@s`qC8&KuH^%|$huO7Sfi=v!;rd9AHzW$^P*F8$u3*3 zbrud|Vo1nVEPMP`aZLv+tM{EP@CIo|j5P`7!b@6YR;^KGGGBc>wrvcKT<*se7oy|&;8QVK9Oj6Dw{MlMPN_eiXv9QSBwNVo+PM$~rd%VAm46NSI$_mu07i9_JMW z#ODu`dlQ~_cnaU4B7k^(nS%y?V(u5Tl>EJM4k~i&+TwPyOri6I^+zwYp7OI0wmKZM z1y?IwhSRBWQ#TR|5&M_xGFtIS(95)+K>~E=+^ifS%Le3uL;(MsY1Xf9cWag7`3}dO z-CHzYxyovnUq;{8OpmYUCkqjn&O9ZTy}LO}@@d?(9DgRjNq*WOE21idFs%K0~zY!G^4y>shPBfXRH#84|Bhh2CZKyW;D`>_w9>1ZfC+ z5k`xj+#I;H|?wxpT!cyc) zUjkRpfoiXT2M-9m5W}M!vQ{YH(Xs(dXlQ`tI{{d)G{u9vtH=p{ivj5Zi{;TZyKmPmw eHNt=5|6zpxLmcIwivj?M|El@lOs4pc?SBCU8O7TG literal 0 HcmV?d00001 diff --git a/Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/mainTemplate.json b/Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/mainTemplate.json index 38d459febcd..a538ae42956 100644 --- a/Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/mainTemplate.json +++ b/Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/mainTemplate.json 
@@ -33,7 +33,7 @@
 "email": "support@data443.com",
 "_email": "[variables('email')]",
 "_solutionName": "Cyren-SentinelOne-ThreatIntelligence",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
 "solutionId": "data443riskmitigationinc1761580347231.azure-sentinel-solution-cyren-s1-ioc-automation",
 "_solutionId": "[variables('solutionId')]",
 "Playbooks": "Playbooks",
@@ -58,7 +58,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "pb-cyren-to-sentinelone Playbook with template version 3.0.0",
+ "description": "pb-cyren-to-sentinelone Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -153,11 +153,11 @@
 "defaultValue": "https://api-feeds.cyren.com/v1/feed/data"
 },
 "Cyren_IpReputation_JwtToken": {
- "type": "string",
+ "type": "securestring",
 "defaultValue": "[variables('blanks')]"
 },
 "Cyren_MalwareUrl_JwtToken": {
- "type": "string",
+ "type": "securestring",
 "defaultValue": "[variables('blanks')]"
 },
 "SentinelOne_BaseUrl": {
@@ -165,7 +165,7 @@
 "defaultValue": "[variables('blanks')]"
 },
 "SentinelOne_ApiToken": {
- "type": "string",
+ "type": "securestring",
 "defaultValue": "[variables('blanks')]"
 },
 "SentinelOne_AccountId": {
@@ -827,7 +827,7 @@
 "contentSchemaVersion": "3.0.0",
 "displayName": "Cyren-SentinelOne-ThreatIntelligence",
 "publisherDisplayName": "Data443 Risk Mitigation, Inc.",
- "descriptionHtml": "
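Review bot: The `Cyren_IpReputation_JwtToken`, `Cyren_MalwareUrl_JwtToken` and, in the following hunk, `SentinelOne_ApiToken` parameters change from `string` to `securestring`, which keeps their values out of the deployment history, but nothing in this patch records that hardening — the subject only mentions removing testParameters.json and no ReleaseNotes.md change is included. A one-line release note such as `- Credential parameters (Cyren JWT tokens, SentinelOne API token) are now declared as securestring` would tell operators why the nested playbook template changed between 3.0.0 and 3.0.1. A `securestring` parameter is only protected up to the point it is consumed: if the playbook's workflow definition (outside this hunk) passes it into a non-secure workflow parameter or a plain HTTP action header, the value still appears in run history, so that consumer is worth checking in the same pass.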

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cyren SentinelOne Threat Intelligence solution polls the Cyren CCF (IP reputation, malware URLs) threat intelligence feed and pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.

\n

Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

\u2022 Review the solution Release Notes

\n

\u2022 There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cyren SentinelOne Threat Intelligence solution polls the Cyren CCF (IP reputation, malware URLs) threat intelligence feed and pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.

\n

Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -874,4 +874,4 @@
 }
 ],
 "outputs": {}
-}
+}
\ No newline at end of file
From c1fb7ee6779220dee6db948f457fcf84bcfbeea6 Mon Sep 17 00:00:00 2001
From: Taz Jack
Date: Fri, 3 Apr 2026 11:01:51 -0400
Subject: [PATCH 02/38] feat: add Vaikora AI Agent Signals connector v3.0.0
---
 .../Data/Solution_VaikoraCrowdStrike.json | 14 +
 .../Package/3.0.0.zip | Bin 0 -> 6447 bytes
 .../Package/createUiDefinition.json | 182 +++++++
 .../Package/mainTemplate.json | 471 ++++++++++++++++++
 .../VaikoraToCrowdStrike_Playbook.json | 275 ++++++++++
 .../README.md | 90 ++++
 .../ReleaseNotes.md | 3 +
 .../SolutionMetadata.json | 21 +
 8 files changed, 1056 insertions(+)
 create mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Data/Solution_VaikoraCrowdStrike.json
 create mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/3.0.0.zip
 create mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/createUiDefinition.json
 create mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/mainTemplate.json
 create mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/VaikoraToCrowdStrike_Playbook.json
 create mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/README.md
 create mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/ReleaseNotes.md
 create mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/SolutionMetadata.json
diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Data/Solution_VaikoraCrowdStrike.json b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Data/Solution_VaikoraCrowdStrike.json
new file mode 100644
index 00000000000..a5bf894f1f9
--- /dev/null
+++ b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Data/Solution_VaikoraCrowdStrike.json
@@ -0,0 +1,14 @@
+{
+ "Name": "Vaikora-CrowdStrike-AIAgentSecurity",
+ "Author": "Data443 Risk Mitigation, Inc. - support@data443.com",
+ "Logo": "",
+ "Description": "The Vaikora CrowdStrike AI Agent Security solution polls Vaikora AI agent signals (actions with high/critical risk levels or anomaly detections) and pushes them as Custom IOCs to CrowdStrike Falcon for detection and prevention.",
+ "Playbooks": [
+ "Playbooks/VaikoraToCrowdStrike_Playbook.json"
+ ],
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-CrowdStrike-AIAgentSecurity",
+ "Version": "1.0.0",
+ "TemplateSpec": true,
+ "Is1Pconnector": false
+}
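Review bot: `Version` is `1.0.0` while the artifact added in this commit is `Package/3.0.0.zip`, the commit subject says v3.0.0 and `_solutionVersion` in Package/mainTemplate.json is `3.0.0`; this field is presumably what the packaging tool reads, so it should be `"Version": "3.0.0",`. `Name` and the last segment of `BasePath` say `Vaikora-CrowdStrike-AIAgentSecurity`, but the file is committed under `Solutions/Vaikora-CrowdStrike-ThreatIntelligence`, so the two need aligning or the folder renaming. `BasePath` being a developer-local Windows path follows the repository's usual convention, so only the folder-name mismatch matters here.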
diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/3.0.0.zip b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..c1290f65fb56fc86ada62edb715b9e48679a9301 GIT binary patch literal 6447 zcmZ{pWlS7kv+r@2qQw>{?(Rj3@8U&USXkWM-QC^Y-F?yG6!+p3DaGC8_B}VbxydEG# zVY76yvz;Wfa$4iN^72EJadS#EQy6n4?>?rn0GHVaE8;=2oB98^tEUIkW-|sN0-0@( z-hI(O_#rT8XsY(t>HWaQ z@NKZWWM2MJ;eCvZ}bshc1a`+ zO!k;^zvQXdrtv|m$aMLHiiqu3G@6VoPVMvq4<0ansoii-!`OZ>; z%^`!Zce`1=Xi5O5dXMulp^1y)GBB)(IYaFilEN>&-7{)ZWloxhg5F zo3+GC=7imJsnF4_8AqjE!9qCN;CZX`tHh=dI6sH*6aN6ZXU*5{MKr75$JEO%sJ0Ac z+#E{j);!*drsH3TDx--}jkslK;iUELrAPvKD96%2;j@*|q;7>mnI(xaCtr7_raX}6 z+3E~(1D6)VmLZd126(g-^e%mF=k%SM()aHQ;InS+`K|inl)#$;@R_&z{7W{o)5W z;8L)2;wyk~k5##?0Xs>`L20BxiV?MNRn`A9j#3#p|5jxsw#zi z%yEom=(NFmfDb7i1i8dtT2!WEo2^$M3N;bQNV+(*JJ}W}==-3Gk6y+t@pOqURnVUO zl7oYp@Yx5zD^iF3HZZV4&K!D%h^_lwOm}VC<#F)#Z@o zr_-WJq0dTpuY->}V5Y1O0l#RK%6n?3~&;uT_@Y2VxdFUH> zYJB*+p`c%->pN3t_Kk)8L~9O6I39Z8WA<%U&dFu7_H7e~=OwZF)M2)9hyM0q&QZrL z1agux=<-`t+4d&=0xdMF$!yYul=BWElJT{p$^!D^E0yX_I@`>uMgzQmH;}y&&v)3& zP0D-nBVXquePXBuz?i%;nx766zwt(mkVhLVhgkm6F>^#GAG#CHOf4ESf+u`DvpnFj zE>8cy9v4*F9 zCUML{>BEf`tZVK;rvJ39Cb_R3#o6EC({A;H!~x;uTj^KZ_GqU)F#De?bR9JOYE8@q znaw2}L}(!$pa)I>sEGGN2PCxHc9O{g>29}nR?~@kjwM>JUOO7Gmi@S7{ODxas+`u! 
zniX?)DsR%VxnVP9+jMN@xSBK~s=GbX^o|Ps;eV42;RShi%6L^}j8bQo%-AlbZc9Yv zHP($yEjxX|tYH;}L;Wo5TywM8dgq#`mBYk8!f&#~@@InH+^@g1!b0PCC~IOCn^Knl zQ_aiN(a*Fhh1KL8&wbZ}l>W>g-R5uvaoy~Zm8!(vd7u{%yrh?O{-;jdMkHvf)g|xu z1sUvPA>O<-I$a-C9n#5lZb-}Yx#U%XI>P)|X|j5FYbhPs=`&uTL$J9y_*#Wl z4SDi#6)%otFx2F+vPmb7P^tfoW7UfR-4*YPrn)pOsAHtSPifNT1heI zAU-zKLq+pduD$okL|;)p7np0~LrXjfowuB1*EiZoc9qJFi$4Z@=!lTqOhBwoGt!w~ zBUbMvo4t$d%3Cz|3bW2P;IoRMtfOtnHf|Xy7hfVfq%`Wnmhp$~?cL+{8B-DohiS8g zQl7(6F7^%{jB``aGFKk`|tv{E>&HMh$VL`tE!-j=Q&UdWRTPdwt^Ky zhFIa)WB~L6DQQam_nE%$o8ZtX^?xzU;MQo%>k{&rr+Z9PL%q9^G$ZNF;plkX(^qA% z)v?z+rah&Rqp!v_y^%pj{^KE6mFa#Zs?C-*OS>CYzQ>rJux>ZYMW64*j1s3V<(6yz zn5&_<*OW_Hn!mk|N0-Xr6ss|sKDX!a&9*A?;*NquubgOJaCpJC?cWEbTml*Kh71~n znb?_B8hC`f>{Tnqm6?!L=?WSEa>5XtWRIrAHF%CL`C3&QaES*Wchh zyDhM0;_mNXG>Yi*%YuFpOi;FzT0m{wY9wcXdezV6)gfYW@|zJ9FJIKQeV($X4(9Qc zGQ2q&A|zj+G%p8i!i9gMA*EuYG2n4W;}ud&kz#DO)oOK{OjQ&jivD*M>}~aEb8*6= z9J}dI$NPRB+GQF*?s?%389w*=FKK{2=OHEwhsJc~l0ilK?`T$gPig~ny~Ld1${d0z zQ-a;>L9O{e->eO}M$#y(*a0%nkC?fyDIfxXPrsh)+Bk z&$6;9Ijs>G(WShGW7B%auknL>^!R112~Jv=mHxi^-cKU2e=@skz4a$>Lve@}$)W7L zGfXhe=&bu@Y-@IXX7FBdzKrd2&9;GVORB#JZxKw~ z3YA%)LL3C3s7SFg7BrhczHU+Tnu&yNv-`GfF~Q+n#OY9ICOQP7+R%|v_Uh>KMrz1A zXsJ?3ea?SLvr1Ft%bIFP$DR&q=y-CjSHr8fr4p_2{;Ur#bRG$@)Q{7*5w-aQ^yO=W z^JG+W8ji&IzBd%JMPyug>n{-6P~_@6^YZlefd}xTBDx5Wft0Yar}dD;(ZOm&q_o%F z-kK>Wl#?sLS-_|4`}GY)^;q|*T`alFYe{qQ;{%iumGz?=#3N?^8$)9O)7jm^)XL_%LHkhWT3We*z-v5 z-0XO*Q62i*H0n)8;YPCj%XpZ#+(w{B^VD@#&C)50$jYR-^w&NkonXwQaUPnCDOJ~i zd3B-Y2?tVhTu0{i4+3%`yXh-p&V&KQ+#z}POJX)wE(h}(Aj53;9OdG-Y_rct*>tF5R8B&hXYhPF;Xcp$T5HiFq=wq}W%ny6 z>(AL~8>X8b8V}oF$gi%luN$dPQg=QJ8d^*v$lZe)7-Znqn_Wkz1VNQEOR=wl!7itC zND`B!tmg$qtB;GTqbu2RV2UG=wnJ$L>88r+Wq5Cn-$zXqOkm|e(E zU(T;qA-xO;DJ~EfZoI486kv4)^dYWODWw;Pg$xW*7DyCwV$|iWxXmt1i$0@RWFtU| z!feHygE;O|tQ1z=&o01Cg5l7~h65XH`Y@$Sy|xuadHXXvZ>xib?|`_ghl*%xLm zJU;O0YaXKPgiQV-<9Wikh-SY|#^g2Q?Z_2x*qsw`JzQgw+!4Xx_tlUgeAcToR--4sEYy=Q=fJY53iK_&TSjqM4CjMg~{|IoMcN-Sd0l8v$My#CZ*Y=I4jFxQX5>%-h4-d2TjP{oWEdflzl4Y#z|3SOj?@T 
z!fh7<6rZ5~TYix$zI8w>1b{jgCclO)favy>-j_8IP5Smwp4_1UgJizhVWDCAl|UUR zcr+6;`@wt{v0qpcol(gfcCzx1i?$rdFZ5Pd(jq0dekE*k^>DmL`wAp)jQS^X2A#K4 zO?oTAf#4_k><|Vj`Ddyfcfne4D}Jz*u)+CaEVB+*$w!bRr(xT`s^}oupW15JQCj8 zo-?iItV3M<7EW|ET&-L-dMkTsO5`5ja1)0nHC_7DBhr}5^Uoo1kA1vk&elZ)c2X!zgRSNB8h(4hIx+E@Xwa}Ex zg|cDKPZQlAmaW##gM9!i&P0C+EYq7PG}BLPN^CjS_KhJ}=gsfDeDvxS}QfAN6* z@5i>J9RzQAWdiAJlw*t0Wba2Lz>ksHXJ{^#18K$O`y>k(B?d#pN}yN*TC4o&Ioac+ zn|P;PAoYk+G@-fQN$rr}{dEp{2Sg9nU96m=6!kK;KdNPF;nG|^8vzwGmPp652>X~V zPZCVU*jq7ca3Lgc#SJ-qj&CCEzJN1-3ud z2?TjY3JcI*lqCPRI5v3$%bS4ul=#6sU_&fhi!t+2T-h$IqwX9>nu487i9{7UurQzj zE80VgQ<@#OQ9NwhG$qmnO`&3)H>&yro@KEdHxqwy30pXF{MQOp!#;!`gOQBo3S<(k zq~pf?fdLI@n1OTD_QHXe_|@_%j|;)v1I6W;sHhRN>ed;CcLfwpCc;0+tO#+j5-SMe zXFOq06kcR$g6$|Jzyu@kUb*{BrIqz54C#AvQ3$1GcqU+bn`iicD;OcnIvAho1C-A4 z8{u$UP>_=npVKGJahQ`9L8xGfRB3#=N_@vC?*c8H#&0)OgP)D#BQU-px{SP{2UC5c*f8Hq}n?o2YHI`#_r#T6)tFuY05()QNG3f}LNF%7Hta7lRBmqu!NP5LwsBDubdE;X z^6rwgkF@|h;Ng)Gk32Y3w10n_uWXVszX`BcXj0UXX!M2c_x+0Tsz-X!EpBf&8m2Ob zxjlIf>yqAI@uZzyDD~ZUz#BVMCC5d=)*r#A)WUFo+p^facTnm4XLb1f#OGX(?oUKq zKY4>UCrGD+tw8t7VdRlLHbL`!86c8V9(a0f#We>Yn)ODiE}T}{39}+qm5edH>lC!d zup~Pbp@wYdVd$m4{Ag-(ur^ZQjRmHYhnTIvIqOuaSgFlLH`fVwmbtWMd1Lrf^~C5} zZh{V;!H5@RUfI(Ncv{oOOye6RY1}gTsnKx4Hja{df}xzLT(5N8W#UXkMGzqzyIDaE z`ZSnq)_2h-ghVQ3+LV$5>S9PQWE}n_Fj5k+fR3{S4n0sggyhDsBT*jhQ~F=R8T8r} zkY_?h&CtoT7Q;=!*5(Kvk$@u3n@YasYR3_nEEcC8r~#rW&gK`ODz$L6KJNFTsArW0 zj6K5y3qw2doh7t?WU(Hjy~WC&8@V7KEX*YRC<{uO~;Xy_+X=3 z>Niz{R`e>DQ$_=+nU5clg+hdJ@bg^Zrz;n0r0Of?I=?4(0-7B_)Mhq%mxg_>>&?_= z_}RM7ZmKx;7Qy}V6fVQj zdV6-4ZPsANfA00-{Y_;1OK4qs>ByENv~27 zPoy^g3269ci8^hVcz~M163jt|3mAI!MY*JlvWWCcFEII2h}K|MRi?49t8e+*vvCCW z`kpuED0v-U7-?3OW(x(x@vv_N0BGIpA_|uid)*OR^nT317a`ZOE9I$zZm*Sx;pkUP zx%^5-?}F|0n6S4=-tC9}jEk)<8B|?8&4~rZM+w8d>^IJ=`)!O}oso#WAV1$k@v42q z#+%CBQiWJ@K>sph{5|WAi~D2CI1QMqP3B%7+bxnIV!IUzwIJc_>O`x^w})c7PTjplRZPSn=K#66A0l z@4Mx(`v`&G;K#auIzRf}^}0mun6qDl!W$Rfb8ULIkuNWI-+TFrk(Tr3)>VMX`8BvI zazHdt<7heNpk{>cSzq&UTQt>!b)=HQC#}$9mWKw=Nw#`-IyJNQvDvrIm$F{mLRUM8 
zP%W(9@uy#DbKp;$<(B)CgkKH2h=3EX;AP1h(h{wgxJY)d3AYLc<7DjPQX+Cak*+6x z6?s@VeE9$UEb&i|{FnI${3rakBgOwe{y%A%|2qr=;~#+b;eS;&D)NX(|7nE#=fVGC J3ekVE{{t3xQ4Ih9 literal 0 HcmV?d00001 diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/createUiDefinition.json b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/createUiDefinition.json new file mode 100644 index 00000000000..a0b659aaceb --- /dev/null +++ b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/createUiDefinition.json 
@@ -0,0 +1,182 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vaikora-CrowdStrike-AIAgentSecurity/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Vaikora CrowdStrike AI Agent Security solution polls Vaikora AI agent signals (high/critical risk actions and anomaly detections) and pushes them as Custom IOCs to CrowdStrike Falcon for detection and prevention.\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a 
workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "playbooks",
+ "label": "Playbooks",
+ "subLabel": {
+ "preValidation": "Configure the playbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Playbooks",
+ "elements": [
+ {
+ "name": "playbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+ }
+ },
+ {
+ "name": "playbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ },
+ {
+ "name": "vaikora-section",
+ "type": "Microsoft.Common.Section",
+ "label": "Vaikora API Settings",
+ "elements": [
+ {
+ "name": "VaikoraApiKey",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "Vaikora API Key",
+ "confirmPassword": "Confirm Vaikora API Key"
+ },
+ "toolTip": "Vaikora API key used in the X-API-Key request header",
+ "constraints": {
+ "required": true
+ },
+ "options": {
+ "hideConfirmation": true
+ },
+ "visible": true
+ },
+ {
+ "name": "VaikoraAgentId",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Vaikora Agent ID",
+ "defaultValue": "",
+ "toolTip": "The agent_id to poll for AI signal actions from the Vaikora API",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-zA-Z0-9_\\-]+$",
+ "validationMessage": "Agent ID must contain only alphanumeric characters, hyphens, and underscores"
+ },
+ "visible": true
+ }
+ ],
+ "visible": true
+ },
+ {
+ "name": "crowdstrike-section",
+ "type": "Microsoft.Common.Section",
+ "label": "CrowdStrike Falcon API Settings",
+ "elements": [
+ {
+ "name": "CrowdStrike_BaseUrl",
+ "type": "Microsoft.Common.TextBox",
+ "label": "CrowdStrike API Base URL",
+ "defaultValue": "https://api.crowdstrike.com",
+ "toolTip": "CrowdStrike Falcon API base URL. 
Use https://api.us-2.crowdstrike.com for US-2 cloud or https://api.eu-1.crowdstrike.com for EU-1.",
+ "constraints": {
+ "required": true
+ },
+ "visible": true
+ },
+ {
+ "name": "CrowdStrike_ClientId",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "CrowdStrike Client ID",
+ "confirmPassword": "Confirm CrowdStrike Client ID"
+ },
+ "toolTip": "CrowdStrike OAuth2 Client ID with Indicators (IOCs) write permission",
+ "constraints": {
+ "required": true
+ },
+ "options": {
+ "hideConfirmation": true
+ },
+ "visible": true
+ },
+ {
+ "name": "CrowdStrike_ClientSecret",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "CrowdStrike Client Secret",
+ "confirmPassword": "Confirm CrowdStrike Client Secret"
+ },
+ "toolTip": "CrowdStrike OAuth2 Client Secret corresponding to the Client ID above",
+ "constraints": {
+ "required": true
+ },
+ "options": {
+ "hideConfirmation": true
+ },
+ "visible": true
+ }
+ ],
+ "visible": true
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]",
+ "VaikoraApiKey": "[steps('playbooks').vaikora-section.VaikoraApiKey]",
+ "VaikoraAgentId": "[steps('playbooks').vaikora-section.VaikoraAgentId]",
+ "CrowdStrike_BaseUrl": "[steps('playbooks').crowdstrike-section.CrowdStrike_BaseUrl]",
+ "CrowdStrike_ClientId": "[steps('playbooks').crowdstrike-section.CrowdStrike_ClientId]",
+ "CrowdStrike_ClientSecret": "[steps('playbooks').crowdstrike-section.CrowdStrike_ClientSecret]"
+ }
+ }
+}
diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/mainTemplate.json b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/mainTemplate.json
new file mode 100644
index 00000000000..dd2c7e6b9b6
--- /dev/null
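Review bot: `CrowdStrike_BaseUrl` is a free-text `TextBox` whose only constraint is `required: true`, so a typo or a pasted look-alike host is accepted and the OAuth2 client ID and secret collected in the same section are then sent to it; the sibling `VaikoraAgentId` field shows the pattern to follow. A constraint such as `"regex": "^https://api(\\.[a-z0-9-]+)?\\.crowdstrike\\.com$"` with a `validationMessage` naming the accepted clouds would admit the three hosts the toolTip lists (widen it if further CrowdStrike clouds must be reachable). Separately, the Release Notes link in `basics.description` points at `Solutions/Vaikora-CrowdStrike-AIAgentSecurity/ReleaseNotes.md`, while this file and the ReleaseNotes.md in the diffstat live under `Solutions/Vaikora-CrowdStrike-ThreatIntelligence`, so the link will not resolve as committed.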
+++ b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/mainTemplate.json 
@@ -0,0 +1,471 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Data443 Risk Mitigation, Inc. - support@data443.com", + "comments": "Solution template for Vaikora-CrowdStrike-AIAgentSecurity" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "VaikoraApiKey": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Vaikora API key (X-API-Key header)" + } + }, + "VaikoraAgentId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Vaikora agent_id to poll for AI signal actions" + } + }, + "CrowdStrike_ClientId": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "CrowdStrike OAuth2 Client ID" + } + }, + "CrowdStrike_ClientSecret": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "CrowdStrike OAuth2 Client Secret" + } + }, + "CrowdStrike_BaseUrl": { + "type": "string", + "defaultValue": "https://api.crowdstrike.com", + "metadata": { + "description": "CrowdStrike API Base URL (e.g. 
https://api.crowdstrike.com or https://api.us-2.crowdstrike.com)" + } + } + }, + "variables": { + "email": "support@data443.com", + "_email": "[variables('email')]", + "_solutionName": "Vaikora-CrowdStrike-AIAgentSecurity", + "_solutionVersion": "3.0.0", + "solutionId": "data443riskmitigationinc1761580347231.azure-sentinel-solution-vaikora-crowdstrike", + "_solutionId": "[variables('solutionId')]", + "Playbooks": "Playbooks", + "_Playbooks": "[variables('Playbooks')]", + "blanks": "[replace('b', 'b', '')]", + "playbookVersion1": "1.0", + "playbookContentId1": "Playbooks", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Playbooks Playbook with template 
version 1.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "logicAppName": { + "type": "string", + "defaultValue": "pb-vaikora-to-crowdstrike" + }, + "VaikoraApiKey": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Vaikora API key (X-API-Key header)" + } + }, + "VaikoraAgentId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Vaikora agent_id to poll for AI signal actions" + } + }, + "CrowdStrike_ClientId": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "CrowdStrike OAuth2 Client ID" + } + }, + "CrowdStrike_ClientSecret": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "CrowdStrike OAuth2 Client Secret" + } + }, + "CrowdStrike_BaseUrl": { + "type": "string", + "defaultValue": "https://api.crowdstrike.com", + "metadata": { + "description": "CrowdStrike API Base URL (e.g. 
https://api.crowdstrike.com or https://api.us-2.crowdstrike.com)" + } + } + }, + "variables": { + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[[parameters('logicAppName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "state": "Enabled", + "parameters": { + "VaikoraApiKey": { + "value": "[[parameters('VaikoraApiKey')]" + }, + "VaikoraAgentId": { + "value": "[[parameters('VaikoraAgentId')]" + }, + "CrowdStrike_ClientId": { + "value": "[[parameters('CrowdStrike_ClientId')]" + }, + "CrowdStrike_ClientSecret": { + "value": "[[parameters('CrowdStrike_ClientSecret')]" + }, + "CrowdStrike_BaseUrl": { + "value": "[[parameters('CrowdStrike_BaseUrl')]" + } + }, + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Vaikora_BaseUrl": { + "type": "string", + "defaultValue": "https://api.vaikora.com/api/v1" + }, + "VaikoraApiKey": { + "type": "securestring", + "defaultValue": "[variables('blanks')]" + }, + "VaikoraAgentId": { + "type": "string", + "defaultValue": "[variables('blanks')]" + }, + "CrowdStrike_BaseUrl": { + "type": "string", + "defaultValue": "https://api.crowdstrike.com" + }, + "CrowdStrike_ClientId": { + "type": "string", + "defaultValue": "[variables('blanks')]" + }, + "CrowdStrike_ClientSecret": { + "type": "securestring", + "defaultValue": "[variables('blanks')]" + } + }, + "triggers": { + "Recurrence": { + "type": "Recurrence", + "recurrence": { + "frequency": "Hour", + "interval": 6, + "timeZone": "UTC" + } + } + }, + "actions": { + "Get_CrowdStrike_Token": { + "type": "Http", + "runAfter": {}, 
+ "inputs": { + "method": "POST", + "uri": "@{parameters('CrowdStrike_BaseUrl')}/oauth2/token", + "headers": { + "Content-Type": "application/x-www-form-urlencoded", + "User-Agent": "data443-vaikora-crowdstrike/1.0" + }, + "body": "client_id=@{parameters('CrowdStrike_ClientId')}&client_secret=@{parameters('CrowdStrike_ClientSecret')}" + } + }, + "Get_Vaikora_Actions": { + "type": "Http", + "runAfter": { + "Get_CrowdStrike_Token": [ + "Succeeded" + ] + }, + "inputs": { + "method": "GET", + "uri": "@{parameters('Vaikora_BaseUrl')}/actions?agent_id=@{parameters('VaikoraAgentId')}&per_page=100", + "headers": { + "X-API-Key": "@{parameters('VaikoraApiKey')}", + "Accept": "application/json", + "User-Agent": "data443-vaikora-crowdstrike/1.0" + } + } + }, + "Filter_High_Priority_Actions": { + "type": "Query", + "runAfter": { + "Get_Vaikora_Actions": [ + "Succeeded" + ] + }, + "inputs": { + "from": "@body('Get_Vaikora_Actions')", + "where": "@or(or(equals(item()?['risk_level'], 'high'), equals(item()?['risk_level'], 'critical')), equals(item()?['is_anomaly'], true))" + } + }, + "Check_Has_Actions": { + "type": "If", + "runAfter": { + "Filter_High_Priority_Actions": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@length(body('Filter_High_Priority_Actions'))", + 0 + ] + } + ] + }, + "actions": { + "For_Each_Action": { + "type": "Foreach", + "foreach": "@body('Filter_High_Priority_Actions')", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + }, + "actions": { + "Compose_IOC_Value": { + "type": "Compose", + "runAfter": {}, + "inputs": "@coalesce(item()?['ip_address'], item()?['target_ip'], item()?['url'], item()?['target_url'], item()?['target'], item()?['log_hash'])" + }, + "Compose_IOC_Type": { + "type": "Compose", + "runAfter": { + "Compose_IOC_Value": [ + "Succeeded" + ] + }, + "inputs": "@if(or(not(empty(item()?['ip_address'])), not(empty(item()?['target_ip']))), 'ipv4', if(or(not(empty(item()?['url'])), 
not(empty(item()?['target_url']))), 'url', 'domain'))" + }, + "Compose_CS_Severity": { + "type": "Compose", + "runAfter": {}, + "inputs": "@if(equals(item()?['risk_level'], 'critical'), 'critical', if(equals(item()?['risk_level'], 'high'), 'high', 'medium'))" + }, + "Compose_CS_Action": { + "type": "Compose", + "runAfter": {}, + "inputs": "@if(equals(item()?['risk_level'], 'critical'), 'prevent', 'detect')" + }, + "Compose_Tags": { + "type": "Compose", + "runAfter": {}, + "inputs": "@union(createArray('vaikora', 'ai-agent-security', 'data443'), if(equals(item()?['is_anomaly'], true), createArray('ai-agent-anomaly'), createArray()), if(equals(item()?['threat_detected'], true), createArray('ai-threat-detected'), createArray()))" + }, + "Post_IOC_to_CrowdStrike": { + "type": "Http", + "runAfter": { + "Compose_IOC_Value": [ + "Succeeded" + ], + "Compose_IOC_Type": [ + "Succeeded" + ], + "Compose_CS_Severity": [ + "Succeeded" + ], + "Compose_CS_Action": [ + "Succeeded" + ], + "Compose_Tags": [ + "Succeeded" + ] + }, + "inputs": { + "method": "POST", + "uri": "@{parameters('CrowdStrike_BaseUrl')}/iocs/entities/indicators/v1?ignore_warnings=true", + "headers": { + "Content-Type": "application/json", + "Authorization": "@{concat('Bearer ', body('Get_CrowdStrike_Token')?['access_token'])}", + "User-Agent": "data443-vaikora-crowdstrike/1.0" + }, + "body": { + "indicators": [ + { + "type": "@{outputs('Compose_IOC_Type')}", + "value": "@{outputs('Compose_IOC_Value')}", + "action": "@{outputs('Compose_CS_Action')}", + "severity": "@{outputs('Compose_CS_Severity')}", + "source": "Vaikora AI Agent Security (Data443)", + "description": "Vaikora AI Signal | Agent: @{item()?['agent_id']} | Type: @{item()?['action_type']} | Risk: @{item()?['risk_level']} (@{item()?['risk_score']}) | Anomaly: @{item()?['is_anomaly']} (@{item()?['anomaly_score']}) | Threat: @{item()?['threat_detected']} (@{item()?['threat_score']}) | Policy: @{item()?['policy_decision']} | @{item()?['timestamp']}", + 
"expiration": "@{addDays(utcNow(), 30)}", + "platforms": [ + "windows", + "mac", + "linux" + ], + "tags": "@outputs('Compose_Tags')", + "applied_globally": true, + "external_id": "@{concat('vaikora-', item()?['id'])}" + } + ] + } + } + } + } + } + }, + "else": { + "actions": {} + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Vaikora-CrowdStrike-AIAgentSecurity", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "Playbooks", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": 
"3.0.0", + "displayName": "Vaikora-CrowdStrike-AIAgentSecurity", + "publisherDisplayName": "Data443 Risk Mitigation, Inc.", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

\u2022 Review the solution Release Notes

\n

\u2022 There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Vaikora CrowdStrike AI Agent Security solution polls Vaikora AI agent signals (high/critical risk actions and anomaly detections) and pushes them as Custom IOCs to CrowdStrike Falcon for detection and prevention.

\n

Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Vaikora-CrowdStrike-AIAgentSecurity", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Playbook", + "contentId": "[variables('_Playbooks')]", + "version": "[variables('playbookVersion1')]" + } + ] + }, + "firstPublishDate": "2026-04-02", + "providers": [ + "Data443 Risk Mitigation, Inc.", + "Vaikora" + ], + "categories": { + "domains": [ + "Security - Threat Intelligence" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/VaikoraToCrowdStrike_Playbook.json b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/VaikoraToCrowdStrike_Playbook.json new file mode 100644 index 00000000000..f2e425dfe97 --- /dev/null +++ b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/VaikoraToCrowdStrike_Playbook.json 
@@ -0,0 +1,275 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "logicAppName": { + "type": "string", + "defaultValue": "pb-vaikora-to-crowdstrike" + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]" + }, + "VaikoraApiKey": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Vaikora API key (X-API-Key header)" + } + }, + "VaikoraAgentId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Vaikora agent_id to poll for AI signal actions" + } + }, + "CrowdStrike_ClientId": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "CrowdStrike OAuth2 Client ID" + } + }, + "CrowdStrike_ClientSecret": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "CrowdStrike OAuth2 Client Secret" + } + }, + "CrowdStrike_BaseUrl": { + "type": "string", + "defaultValue": "https://api.crowdstrike.com", + "metadata": { + "description": "CrowdStrike API Base URL (e.g. 
https://api.crowdstrike.com or https://api.us-2.crowdstrike.com)" + } + } + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('logicAppName')]", + "location": "[parameters('location')]", + "properties": { + "state": "Enabled", + "parameters": { + "VaikoraApiKey": { + "value": "[parameters('VaikoraApiKey')]" + }, + "VaikoraAgentId": { + "value": "[parameters('VaikoraAgentId')]" + }, + "CrowdStrike_ClientId": { + "value": "[parameters('CrowdStrike_ClientId')]" + }, + "CrowdStrike_ClientSecret": { + "value": "[parameters('CrowdStrike_ClientSecret')]" + }, + "CrowdStrike_BaseUrl": { + "value": "[parameters('CrowdStrike_BaseUrl')]" + } + }, + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Vaikora_BaseUrl": { + "type": "string", + "defaultValue": "https://api.vaikora.com/api/v1" + }, + "VaikoraApiKey": { + "type": "securestring", + "defaultValue": "" + }, + "VaikoraAgentId": { + "type": "string", + "defaultValue": "" + }, + "CrowdStrike_BaseUrl": { + "type": "string", + "defaultValue": "https://api.crowdstrike.com" + }, + "CrowdStrike_ClientId": { + "type": "string", + "defaultValue": "" + }, + "CrowdStrike_ClientSecret": { + "type": "securestring", + "defaultValue": "" + } + }, + "triggers": { + "Recurrence": { + "type": "Recurrence", + "recurrence": { + "frequency": "Hour", + "interval": 6, + "timeZone": "UTC" + } + } + }, + "actions": { + "Get_CrowdStrike_Token": { + "type": "Http", + "runAfter": {}, + "inputs": { + "method": "POST", + "uri": "@{parameters('CrowdStrike_BaseUrl')}/oauth2/token", + "headers": { + "Content-Type": "application/x-www-form-urlencoded", + "User-Agent": "data443-vaikora-crowdstrike/1.0" + }, + "body": "client_id=@{parameters('CrowdStrike_ClientId')}&client_secret=@{parameters('CrowdStrike_ClientSecret')}" + } + }, + 
"Get_Vaikora_Actions": { + "type": "Http", + "runAfter": { + "Get_CrowdStrike_Token": [ + "Succeeded" + ] + }, + "inputs": { + "method": "GET", + "uri": "@{parameters('Vaikora_BaseUrl')}/actions?agent_id=@{parameters('VaikoraAgentId')}&per_page=100", + "headers": { + "X-API-Key": "@{parameters('VaikoraApiKey')}", + "Accept": "application/json", + "User-Agent": "data443-vaikora-crowdstrike/1.0" + } + } + }, + "Filter_High_Priority_Actions": { + "type": "Query", + "runAfter": { + "Get_Vaikora_Actions": [ + "Succeeded" + ] + }, + "inputs": { + "from": "@body('Get_Vaikora_Actions')", + "where": "@or(or(equals(item()?['risk_level'], 'high'), equals(item()?['risk_level'], 'critical')), equals(item()?['is_anomaly'], true))" + } + }, + "Check_Has_Actions": { + "type": "If", + "runAfter": { + "Filter_High_Priority_Actions": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@length(body('Filter_High_Priority_Actions'))", + 0 + ] + } + ] + }, + "actions": { + "For_Each_Action": { + "type": "Foreach", + "foreach": "@body('Filter_High_Priority_Actions')", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + }, + "actions": { + "Compose_IOC_Value": { + "type": "Compose", + "runAfter": {}, + "inputs": "@coalesce(item()?['ip_address'], item()?['target_ip'], item()?['url'], item()?['target_url'], item()?['target'], item()?['log_hash'])" + }, + "Compose_IOC_Type": { + "type": "Compose", + "runAfter": { + "Compose_IOC_Value": [ + "Succeeded" + ] + }, + "inputs": "@if(or(not(empty(item()?['ip_address'])), not(empty(item()?['target_ip']))), 'ipv4', if(or(not(empty(item()?['url'])), not(empty(item()?['target_url']))), 'url', 'domain'))" + }, + "Compose_CS_Severity": { + "type": "Compose", + "runAfter": {}, + "inputs": "@if(equals(item()?['risk_level'], 'critical'), 'critical', if(equals(item()?['risk_level'], 'high'), 'high', 'medium'))" + }, + "Compose_CS_Action": { + "type": "Compose", + "runAfter": {}, + "inputs": 
"@if(equals(item()?['risk_level'], 'critical'), 'prevent', 'detect')" + }, + "Compose_Tags": { + "type": "Compose", + "runAfter": {}, + "inputs": "@union(createArray('vaikora', 'ai-agent-security', 'data443'), if(equals(item()?['is_anomaly'], true), createArray('ai-agent-anomaly'), createArray()), if(equals(item()?['threat_detected'], true), createArray('ai-threat-detected'), createArray()))" + }, + "Post_IOC_to_CrowdStrike": { + "type": "Http", + "runAfter": { + "Compose_IOC_Value": [ + "Succeeded" + ], + "Compose_IOC_Type": [ + "Succeeded" + ], + "Compose_CS_Severity": [ + "Succeeded" + ], + "Compose_CS_Action": [ + "Succeeded" + ], + "Compose_Tags": [ + "Succeeded" + ] + }, + "inputs": { + "method": "POST", + "uri": "@{parameters('CrowdStrike_BaseUrl')}/iocs/entities/indicators/v1?ignore_warnings=true", + "headers": { + "Content-Type": "application/json", + "Authorization": "@{concat('Bearer ', body('Get_CrowdStrike_Token')?['access_token'])}", + "User-Agent": "data443-vaikora-crowdstrike/1.0" + }, + "body": { + "indicators": [ + { + "type": "@{outputs('Compose_IOC_Type')}", + "value": "@{outputs('Compose_IOC_Value')}", + "action": "@{outputs('Compose_CS_Action')}", + "severity": "@{outputs('Compose_CS_Severity')}", + "source": "Vaikora AI Agent Security (Data443)", + "description": "Vaikora AI Signal | Agent: @{item()?['agent_id']} | Type: @{item()?['action_type']} | Risk: @{item()?['risk_level']} (@{item()?['risk_score']}) | Anomaly: @{item()?['is_anomaly']} (@{item()?['anomaly_score']}) | Threat: @{item()?['threat_detected']} (@{item()?['threat_score']}) | Policy: @{item()?['policy_decision']} | @{item()?['timestamp']}", + "expiration": "@{addDays(utcNow(), 30)}", + "platforms": [ + "windows", + "mac", + "linux" + ], + "tags": "@outputs('Compose_Tags')", + "applied_globally": true, + "external_id": "@{concat('vaikora-', item()?['id'])}" + } + ] + } + } + } + } + } + }, + "else": { + "actions": {} + } + } + }, + "outputs": {} + } + } + } + ] +} 
diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/README.md b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/README.md new file mode 100644 index 00000000000..5c0ed071791 --- /dev/null +++ b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/README.md 
@@ -0,0 +1,90 @@ +# Vaikora CrowdStrike AI Agent Security + +**Publisher:** Data443 Risk Mitigation, Inc. +**Solution ID:** azure-sentinel-solution-vaikora-crowdstrike +**Version:** 1.0.0 + +## What This Does + +A Microsoft Sentinel Content Hub solution that polls Vaikora for AI agent signals and pushes high-risk actions into CrowdStrike Falcon as Custom IOCs. The Logic App playbook runs every 6 hours, filters to actions where `risk_level` is high or critical, or where `is_anomaly` is true, then calls the CrowdStrike Custom IOC API to create or update indicators. + +## Signal Mapping + +| Vaikora `risk_level` | CrowdStrike `severity` | CrowdStrike `action` | +|----------------------|------------------------|----------------------| +| critical | critical | prevent | +| high | high | detect | +| medium / low | medium | detect | + +Tags added automatically: +- `vaikora`, `ai-agent-security`, `data443` (always) +- `ai-agent-anomaly` — when `is_anomaly` is true +- `ai-threat-detected` — when `threat_detected` is true + +IOC type is resolved from action fields in order: `ip_address` / `target_ip` → `ipv4`, `url` / `target_url` → `url`, fallback → `domain`. + +Each IOC sets `external_id` to `vaikora-{action_id}` for deduplication. + +## Prerequisites + +- Microsoft Sentinel workspace +- Vaikora account with API key and agent ID +- CrowdStrike Falcon API client with **Indicators (IOCs): Write** permission + +## Files + +``` +Playbooks/VaikoraToCrowdStrike_Playbook.json Standalone ARM template for the Logic App +Data/Solution_VaikoraCrowdStrike.json Solution manifest +Package/mainTemplate.json Content Hub deployment template +Package/createUiDefinition.json Deployment wizard UI definition +SolutionMetadata.json Publisher and category metadata +ReleaseNotes.md Change history +``` + +## Deployment + +### Via Content Hub (recommended) + +Install from Microsoft Sentinel Content Hub. Search for "Vaikora CrowdStrike". 
+ +### Via ARM template (standalone) + +```bash +az deployment group create \ + --resource-group \ + --template-file Playbooks/VaikoraToCrowdStrike_Playbook.json \ + --parameters \ + VaikoraApiKey="" \ + VaikoraAgentId="" \ + CrowdStrike_ClientId="" \ + CrowdStrike_ClientSecret="" +``` + +### Via Content Hub package + +```bash +az deployment group create \ + --resource-group \ + --template-file Package/mainTemplate.json \ + --parameters \ + workspace="" \ + VaikoraApiKey="" \ + VaikoraAgentId="" \ + CrowdStrike_ClientId="" \ + CrowdStrike_ClientSecret="" +``` + +## Configuration Parameters + +| Parameter | Type | Default | Description | +|-----------|------|---------|-------------| +| `VaikoraApiKey` | securestring | — | Vaikora API key (X-API-Key header) | +| `VaikoraAgentId` | string | — | Agent ID to poll | +| `CrowdStrike_BaseUrl` | string | https://api.crowdstrike.com | Falcon API base URL | +| `CrowdStrike_ClientId` | securestring | — | OAuth2 client ID | +| `CrowdStrike_ClientSecret` | securestring | — | OAuth2 client secret | + +## Support + +support@data443.com — https://www.data443.com diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/ReleaseNotes.md b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/ReleaseNotes.md new file mode 100644 index 00000000000..496a2a4c095 --- /dev/null +++ b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/ReleaseNotes.md 
@@ -0,0 +1,3 @@
+**Version** | **Date Modified (DD-MM-YYYY)**| **ChangeHistory**
+|------------|-------------------------------|-------------------------------------------------------------------------------------------|
+| 1.0.0 | 02-04-2026 | Initial release. Polls Vaikora AI agent signals every 6 hours and pushes high/critical risk actions and anomaly detections as Custom IOCs to CrowdStrike Falcon. Severity mapping: critical→prevent, high→detect, medium/low→detect. Dynamic IOC type detection (ipv4/url/domain). Conditional tags: ai-agent-anomaly, ai-threat-detected. externalId set to vaikora-{action_id} for deduplication. |
diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/SolutionMetadata.json b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/SolutionMetadata.json
new file mode 100644
index 00000000000..34d6c8b48ab
--- /dev/null
+++ b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/SolutionMetadata.json
@@ -0,0 +1,21 @@
+{
+ "publisherId": "data443riskmitigationinc1761580347231",
+ "offerId": "vaikora-crowdstrike-connector",
+ "firstPublishDate": "2026-04-02",
+ "providers": [
+ "Data443 Risk Mitigation, Inc.",
+ "Vaikora"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Intelligence"
+ ],
+ "verticals": []
+ },
+ "support": {
+ "name": "Data443 Risk Mitigation, Inc.",
+ "email": "support@data443.com",
+ "tier": "Partner",
+ "link": "https://www.data443.com"
+ }
+}
\ No newline at end of file
From 15f845d73b413e679b2ffdebfb4cb36c40a36ca9 Mon Sep 17 00:00:00 2001
From: Taz Jack Date: Fri, 3 Apr 2026 11:01:56 -0400 Subject: [PATCH 03/38] feat: add Vaikora AI Agent Signals connector v3.0.0 --- .../Data/Solution_VaikoraSentinelOne.json | 14 + .../Package/3.0.0.zip | Bin 0 -> 6497 bytes .../Package/createUiDefinition.json | 165 ++++++ .../Package/mainTemplate.json | 473 ++++++++++++++++++ .../VaikoraToSentinelOne_Playbook.json | 282 +++++++++++ .../README.md | 60 +++ .../ReleaseNotes.md | 50 ++ .../SolutionMetadata.json | 21 + 8 files changed, 1065 insertions(+) create mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/Data/Solution_VaikoraSentinelOne.json create mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/3.0.0.zip create mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/createUiDefinition.json create mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/mainTemplate.json create mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/Playbooks/VaikoraToSentinelOne_Playbook.json create mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/README.md create mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/ReleaseNotes.md create mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/SolutionMetadata.json diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Data/Solution_VaikoraSentinelOne.json b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Data/Solution_VaikoraSentinelOne.json new file mode 100644 index 00000000000..2f9ea3fbf30 --- /dev/null +++ b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Data/Solution_VaikoraSentinelOne.json 
@@ -0,0 +1,14 @@
+{
+ "Name": "Vaikora-SentinelOne-ThreatIntelligence",
+ "Author": "Data443 Risk Mitigation, Inc. - support@data443.com",
+ "Logo": "",
+ "Description": "The Vaikora SentinelOne Threat Intelligence solution polls the Vaikora AI Agent Security API for high-severity and anomaly actions and pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.",
+ "Playbooks": [
+ "Playbooks/VaikoraToSentinelOne_Playbook.json"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-SentinelOne-ThreatIntelligence",
+ "Version": "1.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1Pconnector": false
+}
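Review bot: `"Version": "1.0.0"` in this Data file disagrees with the packaged artifacts committed alongside it: mainTemplate.json sets `_solutionVersion` and `playbookVersion1` to `3.0.0` and the package zip is named 3.0.0.zip, while the playbook's `hidden-SentinelTemplateVersion` tag and the contentTemplates description still say 1.0.0. Since this file is the input the packaging tool reads, the mismatch suggests the Package/ output was not regenerated from it. Set the intended value here (presumably `"Version": "3.0.0"`, matching the commit title) and rebuild the package so Content Hub, ReleaseNotes and the template tags report the same version.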
diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/3.0.0.zip b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..a64f7e6151991825ed78868328040e041ec0e767 GIT binary patch literal 6497 zcmZ`;Wl$W9lEhsXNN{%vzBs|%-GaNb5F8d3*WeJ`3GNUec(BEFaVJQSKybb9y{o#q zs=GJyqid$7tLA4{w}vtz5+NKM92%UMewfLb^2x+GE*u=D9vmG0KU)_I2Ui^%7k6h1 zFPjgJo^GxiCT~7#ZTN3uVC4KZfw2q2lmmLTwan7X-ImL0vaYsySI=j{tZ@1X!hXC` z3W1xq9z?VdYV_dbQ{RmiF#&pysII}Cb5H6%&M$Z;FX;i8O+ULYG~ANu@!woUr_SRu z1b=!q(Od8g^j2___&HbRUtZoW?XT@DrS2?QpQbXK3lwj#7|Ow`jUH{~Mu3l9FkUG! z34E{FVuWmpj%;~W0dM1!oQja3-00WdKK}K7hbHqz`|qfC1)_fOi7dS`ALqlTJP<^I zv%yCRGkBMLu?D$6uA052#K&}QI|&gy`hSHZR~Aag0B|P_;)92-Q-*wf5hm>wAcIL* z>hHPx$HdXdk-XHTzFdcF)DrRyaHCjACYUUQ_-WC4qMkDd;Ny2+(U~vE$xhPY}DZnwYb1;GX-GYn%&Z)Xx3>eqJGFK41ip2HJHi zj^mT0p%K5-9MA|Ck{2|^N!&kN_^%PHEiJf6D1-1EJD&V)Of*7{Uj)LBml7= zC4dC=6ER>y#7&#;Q{&cO|FSd!{7L2PdU)x$N= z`nXTy?@VUZ?6wPLRtmu?zvkqLq0b~9XFz`iK~l&x{tnteRJf&)#&-%l_2=r|uOiUG z`hq(F;FNJ%+vi$XFW$#XF84srdS5h6-{tia_Dz^}hy>5~f;QK1-bUN{Vu+ znRV_em$DKyElB9uC|V7VNJ9JxQ&>@wW}ByOxjA~mXgy&e7Jlx=OYEt}D{qZsFEbJ! 
zGriAPxUCfKlvB?fj#Tr{RPuwHZ|=vM&qh+Q;;?S;aQNeP(gBmC>#^j9AKQi>2$auC z;I>S-yjgangNr(dDAy(?5aVF7A<~OHkv|b;eP()(+=@@XEOKf6gzBZnHhP7@NQzhQ zm|QQ{&zyy-Imkiw!g;T^FOplOk@)mDCke8**~q8aVIMf2t10YTd;$3C_pqN+Bi`@$ zg_?RBSEvqoa-+@VQ*&OD<{xNx_FiqtZn!WaUncoV3$%zBP&3wX=0mqLjv`@=+)6`o z%5+;6GM2}Kf?TxOB&Q{9J?gTL=%+Pj-{*O zBO3`_pFospJU`A8%Ja>l+wv6QmZQIZu&{TgaVtokE{w+$D$qmpS#|(w45mR0*6;*d z4lOPKN~Wf~1D4O8x>t%AqjO%9m|Y?wI7ygZHg*39VV=i%w#_n>6a#nO87>Ct6$_QU9u2y4^-qd?PJ1I9;DW}mC zOCYGjqw5%x5>3TcXZ!Wk85PFkx@2iMc{1f7O;_X46|jH1NS&#XvR~ISDigF>I<0P~ zx6^Jmnw4>6OuRMCoa>0nL@|4IWjlfODgDi5A|XHRMweCZQJz3qE;DK=qFg+M{wQMp zE)}|3l&;+@)!TYhVmw0fpd{vlggp7ul~uzb8+3C1A$+&7hk-QZ7e@Jv$;tk=bx#FG z5Er(?F}6n0P^_-HsbJ<{sV?prR=c;1SSg*|hlmnNo)o^`tr|YJyrhQ(yx_%OBxi7a zKu7px`z}c!aV1D`6{BuMp8&SK_+9gmdXC5*7V9j(==`a5cyg7&1zp6a;kOuChm!O6 zu+ra{i=@CeEa`3|uYf}Q3-TPv$cG=?D&&}h!&gDdsAV-vt+7L&1f{wRRm96?R8(#@ zjr;go*^9U%?un&OLfS;ICjp)GZ!LP^IRB5 zm)}H|S)?(l1~y5#^wax4UrsutO3r7+>ecrMntJPK%bT$WC8n=#S>fN6FM#21FtMor z7NG}CX5br$do}T(DgSvOgPU_eQZZF&YkMSXSGD|rcAN98&(G^*_*D&iyQxyZ97#J@ zCT1H_!mPn&X_efObG+#Zz%9#&;DJg!747965`zNsqLv=)YcH0<>#6MFY_obINPYaJ z>Y@!A@+pVsH0x|Na=l5ZI&9jf1wKNIxL);Ok30ydk;DRP zPR~{Kozsa{-*paZ^Pg7_Eq&_9Onr6L3sadpaYBnxa`HYOAoY5H?%du$d^6|XD%`{e z1CRJHZ|!{Y5Em=&{)nrK%frq11$ES}?##F)*N>&k$nzAp{z>96i)kXAPr_aJkicG; zS(A>e`m$>O_J@CUUb~!o%C47WREl(M;j7m3$q&~&czeXMrdg-P@!0*<_Q`d%WTUoI zyua36qURJ8`FzOYE04ipX2xzC17Dr}E0P$6L=_AOdW|wQA<>4jvIk!$S}2T^>=q2m z2W8R;DN;4rs>_cVgE^KYR&WMfjUtEik%zWtPv9+Yg02)@3)XRic0}35lbxQ9kROwJ zM>q8^nr(Y-(O&5E8obBya8i2=dyRE{P(BO6f)RDJ0Ba$z1xWgr?9)*W#*RF?!l zil)I|68Y6JEpx55&BYci@xwcK8nNjk(S&iP5XWyayOZxYL~I7KWax`ly;5%m6-rn? 
zp~wS8E#d5G?oYGo`#eskI`OqAT7ExlAle!~QYxFVc<_l*HPj!U%5zMdSTizu!d@IbXpw~gN9W2&FvExS!XJI_ z8y>tuAEek}4otIT+Wqn>BHhfK?-AnEt;xT}R&IXWvNwe1L@O^D99!Ess}R{ZZlYiX z^0>k^Zmj&GIhf?U@WEB<)P_V-05d?L$##;O|{cCVa z`8Tfl4hK;?n7N6#@7M;(stsaY*6rJ29}(2JJE^+3h>_Amb^&b{Kf+Br2*ST|JW}#E zDBWGSi9uEDk*LhD!b0>gaDvM6YP3PO;mjqr&yBQDcKtf+5-8TaB5XY4SlQ^BNE7c9 zr0fjsPO968#(4G4plsrQXSjO;D^FiYr!`Mpi#hNSytk)$vmn2d!E~cOON?M( z=tp%JBbarxphor8AnD_#%-Zg@ChW(m$w#~1+x4~K19gouk@HRglm@<8w3SB1GtK$W zF&0rAoq5xKUpLljb9~#|hiEuQggB*>-F|gv@@D+fC>#xf|1}nZSok5gsW~x4sV%}2 zoMG)E@<~$TpTEAhw#`VUbMvhIC2yH3iBqG@J9*M?@te)3gQCqQLKP7|@~aB}i+NQ? zHDtZ%;e3(ko4Oz-o16Gh#_Ifof=-;j$^ar{wSC*I$g`I+_eQ0bnbMDosB!t~9p)uO zAE-9kR|s(>yO1i$(K*MYVNBg1+zPe~v8Fslp=mKn_a!C}Ola%JImD6FZ-prPQ!;A1yuQ@1pHJ*GO_Ig36?slrI^tQJc!2 zQOAs@NA7J5PqZKUOBs6LKU3`PDvKIjHHxo(BihTP>B3<-WZ9XC`ysVbc7%j}G02w& zB(Na;#KIi4mb6Ur=X3A5#nO<;vMWA10XuW;=kkAKvq_OR9^$0K~&i0q7& z7Q9ZbQb;yQn?dyvKo;4~g@8dxI^FyS(UXPWOa@AgwPu_e!1vj1XhZB4PwOmo8F20> zUT6`bJUJ+(*D4?@dv#zk40NctS>;N75DE~><^rK2jnEij%JV1||BQ8ZyRQ-Z1CvurM|5 zYJXf=6n!s$v2T!gmr1J|kGq_E*(fD94_7Dm?D$#~RaaTSUf64=UNY_8K~4LX^*eLJ zU4mnnnUE!qIk&Kv*Hf_)7*?vB~Y+!Z%_B##z~R}NntBA zYc`8Xo&>a_&16K=ajsy{{wd3Xlp+JGF&6QgUn-`b>$Lw-@Ra4q{k=+HSlJ_KjosYN zOnR}u>lwd2FlnBBa^1zI{HB_}*sjvuqvQAOEErDXf6M`+9*7A|{6g$!G&neU3OKm; z|Cj?-Ae(<|0bK_f8(Rlg2QLRV*MD0C2L>0QH6Y+EzoPGtFddXh%ezj%=g?tQ^Hil; z=1H|GLWAjWhRqFEbk9mmNA{^kA#qLeD!KK&<`rg@aZs
I?Jvzw-TDOW3 zYen8F=IH?#vi9{S(pTfFQ}s=SI3@RYytFOfV0-|Rt1=9x$kxHa(ry|l1Txh%fNt<) zV;_sA1R@gE4$>5DKF4v@D>jo(PX$#&^p11PS9-c9i%^DyQfUl3?&Rdcj;ior*?FQA zT7T~P4cb4#CYtGlaZ&*I-8An6@7TtoX8~WtC_Xx8EK>yJk&BM+rtZNUBlCpoEF(;T zLkEJx7~qEkvpV8ujDtzX^CJEPU4*OGTiElvV8-w|fbQF?fBs~1cQ@EW7U%AEhJ?-l zKtGy-Rw}54E~z|4Y&P#4@y>b-S&}amgSTA$+GotL=uAW=8}=6bikwGQ&?a6S=c#qI zRJ>p2Hp!{F|taRd0-k(REvK7qfA+?f?05<}&YNDJraXxD@XtL7yo_rC^bSpYK9i38yq>tQuNfb2A}->WWGlwgwMRd;zoL4i z*auiQLvZ39slLZ()UZp&^ilK(EhKgm!U#mB}~BE-qGJAY%# z#};3fad)Rh+@2kVSTLpDwZ0|-9aB?*!;24OYBIuO$N1(^+clqKJb@)fes1Lf^C>*o zZuX51xuqg#3+%IP5<_I*eEo7dE0L5LdAe^Vnf%ncDjap6YOv-o3X+}60KEsoU}DF= zktHuXWw5IYaA8zcey+lIIsJ<@{boHJ1c~aO(TF=q*geLf)Dgoap{X~x9BFRuYGIB% zzL$Y-55Wy@cjj;AaI3EJUM(WtzoR0~qAOTbct#+HBO&x3xCb!@_&&R#>|@~orglNg zepV0&*GcADOd!^-CAOy%l-N>uNz_V>RM3$6BPVt#04`MNHUlkY%L2s$Xrb(Jp2>2Q zIkb(tivE!}QXo4poVAn2|B`=B8ebu)XP2o@Q)i2MQ@XGEq(i{oLD)D_jld+F0fMR}6p~KjMh7>Y9fFbiK2t z6G=t*K}?ml9d9K^#4gCJNK1_sq8D%e8gW0f>}_{3I?)9OW`uvFKQ=b0x^1<}7us0j z_v?38vDG1|eo7B(nM;BVjpEQc8&WZYsynG$n>TGGo&gg3odIEo3=`fo3cT|O&d7^a z`uv^gshRv}lEERiO6}S>+Q4!A2t+I5RS8=l-AZMMi~M_4bh}j0ho-$5KYkpVx5?xE zz-V7F@^Jg6@RlupaLz3D`B#LfMj)fm9vN|aES9ib$x)47OBF~So`5~5N6aF^-+r?Y z%`V%|dY&Grl&Sn_9S$Tk$|uf?3I9io^^WYCV&d6!e8Xp|{+-@d4$5{+ZK1dWDKY%o zq3bOFpiNXgP1yIY94@SshQx*JTw%_16o#N(mcj zui#!oXhR|J8p^Jre}1y2d33HBT(5_nCGe^U#Pxn6$p92G29LRQ`5361@laizB+@Oi z6Rd&G@;}V+9!_ccg?IX_{qo^(_ek}+pk1D|YMueDRzVqUN4wGO=`tet%QIsWK; zre^`W+E{iFzd%S6Z~d6u&83(MC2IS$HD33=q7Ch04A13>@AU_CJ&#fqgSbHLOIJ9z z;Vy)Q*VX=!qhEy9xN+XaIBHTxf7SGbuV@XbC#kou=X5oXj3cfBp}GqLn;>U`UoAx% z-5hg+R7=Cd=U|Ry^9U#%j^eDS!V_0WcCr|8!QsV7m|XC-Yxqh)p;E?Y_*)W%B>Wb( z6_-Kvujo^IeT&NMW5)gY>=f(z00lP*Qpje0fha9oFtcW-1sT6{vig8-v@>cHFa#I! za)?^wvcmNiPNF%8*AH?|YP|tkYVhnn3>TKz+854Yp+ZjB2KiG1h z-H}fode%Nkr(WomSK$5SGmz*OUA5}fMnJHfyyqVa7MK80lw6jmKUO4H7Ys^YR^PP+ z#a7c`YB>7)Tbn*>v?jk`D34P|7Me;p$H)8YT% J2=TwB{{n#(TsHs! literal 0 HcmV?d00001 
diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/createUiDefinition.json b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/createUiDefinition.json new file mode 100644 index 00000000000..ec6937a12f1 --- /dev/null +++ b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/createUiDefinition.json 
@@ -0,0 +1,165 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vaikora-SentinelOne-ThreatIntelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Vaikora SentinelOne Threat Intelligence solution polls the Vaikora AI Agent Security API for high-severity and anomaly agent actions, then pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": 
"Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." 
+ } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "VaikoraApiKey", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "Vaikora API Key", + "confirmPassword": "Confirm Vaikora API Key" + }, + "toolTip": "The Vaikora API Key used for X-API-Key authentication when polling agent actions.", + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": true + }, + "visible": true + }, + { + "name": "VaikoraAgentId", + "type": "Microsoft.Common.TextBox", + "label": "Vaikora Agent ID", + "defaultValue": "", + "toolTip": "The Vaikora Agent ID to poll for security actions.", + "constraints": { + "required": true, + "regex": "^[a-zA-Z0-9_-]+$", + "validationMessage": "Agent ID must contain only alphanumeric characters, hyphens, or underscores." + }, + "visible": true + }, + { + "name": "SentinelOne_BaseUrl", + "type": "Microsoft.Common.TextBox", + "label": "SentinelOne Console URL", + "defaultValue": "", + "toolTip": "Your SentinelOne console URL (e.g. https://usea1-021.sentinelone.net). Log in to SentinelOne and copy the URL from your browser address bar.", + "constraints": { + "required": true, + "regex": "^https://.*sentinelone\\.net$", + "validationMessage": "Enter the full SentinelOne console URL (e.g. https://usea1-021.sentinelone.net)." 
+ }, + "visible": true + }, + { + "name": "SentinelOne_ApiToken", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SentinelOne API Token", + "confirmPassword": "Confirm SentinelOne API Token" + }, + "toolTip": "SentinelOne API Token for authenticating IOC push requests.", + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": true + }, + "visible": true + }, + { + "name": "SentinelOne_AccountId", + "type": "Microsoft.Common.TextBox", + "label": "SentinelOne Account ID", + "defaultValue": "", + "toolTip": "SentinelOne Account ID. Required for all IOC push requests (filter.accountIds).", + "constraints": { + "required": true, + "regex": "^[0-9]+$", + "validationMessage": "Account ID must be numeric." + }, + "visible": true + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]", + "VaikoraApiKey": "[steps('playbooks').VaikoraApiKey]", + "VaikoraAgentId": "[steps('playbooks').VaikoraAgentId]", + "SentinelOne_BaseUrl": "[steps('playbooks').SentinelOne_BaseUrl]", + "SentinelOne_ApiToken": "[steps('playbooks').SentinelOne_ApiToken]", + "SentinelOne_AccountId": "[steps('playbooks').SentinelOne_AccountId]" + } + } +} diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/mainTemplate.json b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/mainTemplate.json new file mode 100644 index 00000000000..2d492330bfe --- /dev/null +++ b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/mainTemplate.json 
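Review bot: The `SentinelOne_BaseUrl` constraint `"regex": "^https://.*sentinelone\\.net$"` only checks that the string ends in `sentinelone.net`, so a value with an unrelated host and `sentinelone.net` in its path or query still validates, and that value later becomes the base URL for every playbook request that carries the `ApiToken` Authorization header. Restricting it to a hostname, `"regex": "^https://[A-Za-z0-9.-]+\\.sentinelone\\.net$"`, also guarantees no path segment is concatenated ahead of `/web/api/v2.1/...`. The value is entered by the installing operator, so this is input hardening against copy-paste mistakes rather than a vulnerability, but the toolTip already promises "the full SentinelOne console URL", and the regex should enforce exactly that.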
@@ -0,0 +1,473 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Data443 Risk Mitigation, Inc. - support@data443.com", + "comments": "Solution template for Vaikora-SentinelOne-ThreatIntelligence" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "VaikoraApiKey": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Vaikora API Key for X-API-Key authentication" + } + }, + "VaikoraAgentId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Vaikora Agent ID to poll for actions" + } + }, + "SentinelOne_ApiToken": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "SentinelOne API Token" + } + }, + "SentinelOne_BaseUrl": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "SentinelOne console URL (e.g. 
https://usea1-021.sentinelone.net)" + } + }, + "SentinelOne_AccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "SentinelOne Account ID" + } + } + }, + "variables": { + "email": "support@data443.com", + "_email": "[variables('email')]", + "_solutionName": "Vaikora-SentinelOne-ThreatIntelligence", + "_solutionVersion": "3.0.0", + "solutionId": "data443riskmitigationinc1761580347231.azure-sentinel-solution-vaikora-sentinelone", + "_solutionId": "[variables('solutionId')]", + "Playbooks": "Playbooks", + "_Playbooks": "[variables('Playbooks')]", + "blanks": "[replace('b', 'b', '')]", + "playbookVersion1": "3.0.0", + "playbookContentId1": "Playbooks", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Playbooks Playbook with template version 1.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "logicAppName": { + "type": "string", + "defaultValue": "pb-vaikora-to-sentinelone" + }, + "VaikoraApiKey": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Vaikora API Key for X-API-Key authentication" + } + }, + "VaikoraAgentId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Vaikora Agent ID to poll for actions" + } + }, + "SentinelOne_ApiToken": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "SentinelOne API Token" + } + }, + "SentinelOne_BaseUrl": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Your SentinelOne console URL (e.g. https://usea1-021.sentinelone.net)." 
+ } + }, + "SentinelOne_AccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "SentinelOne Account ID" + } + }, + "workspace": { + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics" + } + } + }, + "variables": { + "workspaceResourceId": "[[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[[parameters('logicAppName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "VaikoraToSentinelOne", + "hidden-SentinelTemplateVersion": "3.0.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "properties": { + "state": "Enabled", + "parameters": { + "VaikoraApiKey": { + "value": "[[parameters('VaikoraApiKey')]" + }, + "VaikoraAgentId": { + "value": "[[parameters('VaikoraAgentId')]" + }, + "SentinelOne_ApiToken": { + "value": "[[parameters('SentinelOne_ApiToken')]" + }, + "SentinelOne_BaseUrl": { + "value": "[[parameters('SentinelOne_BaseUrl')]" + }, + "SentinelOne_AccountId": { + "value": "[[parameters('SentinelOne_AccountId')]" + } + }, + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Vaikora_ApiBaseUrl": { + "type": "string", + "defaultValue": "https://api.vaikora.com/api/v1" + }, + "VaikoraApiKey": { + "type": "securestring", + "defaultValue": "[variables('blanks')]" + }, + "VaikoraAgentId": { + "type": "string", + "defaultValue": "[variables('blanks')]" + }, + "SentinelOne_BaseUrl": { + "type": "string", + "defaultValue": "" + }, + "SentinelOne_ApiToken": { + "type": "securestring", + "defaultValue": 
"[variables('blanks')]" + }, + "SentinelOne_AccountId": { + "type": "string", + "defaultValue": "[variables('blanks')]" + } + }, + "triggers": { + "Recurrence": { + "type": "Recurrence", + "recurrence": { + "frequency": "Hour", + "interval": 6, + "timeZone": "UTC" + } + } + }, + "actions": { + "Get_Vaikora_Actions": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{concat(parameters('Vaikora_ApiBaseUrl'), '/actions?agent_id=', encodeUriComponent(parameters('VaikoraAgentId')), '&per_page=100')}", + "headers": { + "X-API-Key": "@{parameters('VaikoraApiKey')}", + "Accept": "application/json", + "User-Agent": "Microsoft-Sentinel-Vaikora-SentinelOne/1.0" + } + } + }, + "Filter_High_Severity_Or_Anomaly": { + "type": "Query", + "runAfter": { + "Get_Vaikora_Actions": [ + "Succeeded" + ] + }, + "inputs": { + "from": "@body('Get_Vaikora_Actions')", + "where": "@or(or(equals(toLower(coalesce(item()?['severity'], '')), 'high'), equals(toLower(coalesce(item()?['severity'], '')), 'critical')), equals(item()?['is_anomaly'], true))" + } + }, + "List_STAR_Rules": { + "type": "Http", + "runAfter": { + "Filter_High_Severity_Or_Anomaly": [ + "Succeeded" + ] + }, + "inputs": { + "method": "GET", + "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/cloud-detection/rules?accountIds=@{parameters('SentinelOne_AccountId')}", + "headers": { + "Content-Type": "application/json", + "Authorization": "@{concat('ApiToken ', parameters('SentinelOne_ApiToken'))}" + } + } + }, + "Check_Rule_Exists": { + "type": "If", + "runAfter": { + "List_STAR_Rules": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@contains(string(body('List_STAR_Rules')), 'Vaikora IOC Detection')", + false + ] + } + ] + }, + "actions": { + "Create_STAR_Rule": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/cloud-detection/rules", + "headers": { + "Content-Type": "application/json", + "Authorization": 
"@{concat('ApiToken ', parameters('SentinelOne_ApiToken'))}" + }, + "body": { + "filter": { + "accountIds": [ + "@{parameters('SentinelOne_AccountId')}" + ] + }, + "data": { + "name": "Vaikora IOC Detection", + "s1ql": "IndicatorSource = \"Vaikora AI Agent Security (Data443)\"", + "queryType": "events", + "severity": "High", + "status": "Active", + "expirationMode": "Permanent", + "treatAsThreat": "Suspicious" + } + } + } + } + } + }, + "Check_Has_Actions": { + "type": "If", + "runAfter": { + "Check_Rule_Exists": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@length(body('Filter_High_Severity_Or_Anomaly'))", + 0 + ] + } + ] + }, + "actions": { + "For_Each_Action": { + "type": "Foreach", + "foreach": "@body('Filter_High_Severity_Or_Anomaly')", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + }, + "actions": { + "Post_IOC_to_SentinelOne": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/threat-intelligence/iocs", + "headers": { + "Content-Type": "application/json", + "Authorization": "@{concat('ApiToken ', parameters('SentinelOne_ApiToken'))}" + }, + "body": { + "filter": { + "accountIds": [ + "@{parameters('SentinelOne_AccountId')}" + ] + }, + "data": [ + { + "value": "@{coalesce(item()?['log_hash'], concat('vaikora-', item()?['agent_id'], '-', item()?['action_type']))}", + "type": "SHA256", + "source": "Vaikora AI Agent Security (Data443)", + "method": "EQUALS", + "validUntil": "@{addDays(utcNow(), 90)}", + "externalId": "@{concat('vaikora-', item()?['agent_id'], '-', item()?['action_type'], '-', item()?['timestamp'])}", + "description": "@{concat('Vaikora Agent=', coalesce(item()?['agent_id'], 'N/A'), ' | ActionType=', coalesce(item()?['action_type'], 'N/A'), ' | RiskScore=', coalesce(string(item()?['risk_score']), 'N/A'), ' | RiskLevel=', coalesce(item()?['risk_level'], 'N/A'), ' | Severity=', coalesce(item()?['severity'], 'N/A'), ' | 
ThreatDetected=', coalesce(string(item()?['threat_detected']), 'N/A'), ' | ThreatScore=', coalesce(string(item()?['threat_score']), 'N/A'), ' | Anomaly=', coalesce(string(item()?['is_anomaly']), 'N/A'), ' | AnomalyScore=', coalesce(string(item()?['anomaly_score']), 'N/A'), ' | PolicyDecision=', coalesce(item()?['policy_decision'], 'N/A'), ' | Timestamp=', coalesce(item()?['timestamp'], 'N/A'))}", + "severity": "@{if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 96), 7, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 86), 6, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 71), 5, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 51), 4, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 31), 3, 2)))))}" + } + ] + } + } + } + } + } + } + } + }, + "outputs": {} + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[[variables('playbookId1')]", + "contentId": "[[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Vaikora-SentinelOne-ThreatIntelligence", + "sourceId": "[[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "Playbooks", + 
"contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Vaikora-SentinelOne-ThreatIntelligence", + "publisherDisplayName": "Data443 Risk Mitigation, Inc.", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

\u2022 Review the solution Release Notes

\n

\u2022 There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Vaikora SentinelOne Threat Intelligence solution polls the Vaikora AI Agent Security API for high-severity and anomaly agent actions, then pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.

\n

Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Vaikora-SentinelOne-ThreatIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Playbook", + "contentId": "[variables('_Playbooks')]", + "version": "[variables('playbookVersion1')]" + } + ] + }, + "firstPublishDate": "2026-04-02", + "providers": [ + "Data443 Risk Mitigation, Inc.", + "Vaikora" + ], + "categories": { + "domains": [ + "Security - Threat Intelligence" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Playbooks/VaikoraToSentinelOne_Playbook.json b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Playbooks/VaikoraToSentinelOne_Playbook.json new file mode 100644 index 00000000000..ff9d0303640 --- /dev/null +++ b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Playbooks/VaikoraToSentinelOne_Playbook.json 
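Review bot: `Post_IOC_to_SentinelOne` declares every indicator as `"type": "SHA256"` but its `value` falls back to `concat('vaikora-', item()?['agent_id'], '-', item()?['action_type'])` when `log_hash` is absent, so an action without a hash produces a SHA256 IOC whose value is not a hash; SentinelOne will presumably reject the batch or store an indicator that can never match. Either guard the POST with a condition on `item()?['log_hash']` or emit a type that matches the fallback value. Separately, none of the four HTTP actions sets `"runtimeConfiguration": { "secureData": { "properties": [ "inputs" ] } }`, so the `X-API-Key` and `ApiToken` header values are recorded in clear in the run history of every execution even though the parameters are `securestring`; the same applies to the identical actions in VaikoraToSentinelOne_Playbook.json. The `playbookContentId1` value `Playbooks` looks like the folder name rather than the playbook template name, which yields a metadata resource named `Playbook-Playbooks` and a contentId that is not unique to this solution — worth confirming against the Data file entry the packager expects.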
@@ -0,0 +1,282 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "logicAppName": { + "type": "string", + "defaultValue": "pb-vaikora-to-sentinelone" + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]" + }, + "VaikoraApiKey": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Vaikora API Key for authentication (X-API-Key header)" + } + }, + "VaikoraAgentId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Vaikora Agent ID to poll for actions" + } + }, + "SentinelOne_ApiToken": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "SentinelOne API Token" + } + }, + "SentinelOne_BaseUrl": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Your SentinelOne console URL (e.g. https://usea1-021.sentinelone.net). Log in to SentinelOne and copy the URL from your browser address bar." 
+ } + }, + "SentinelOne_AccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "SentinelOne Account ID" + } + }, + "workspace": { + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics" + } + } + }, + "variables": { + "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('logicAppName')]", + "location": "[parameters('location')]", + "tags": { + "hidden-SentinelTemplateName": "VaikoraToSentinelOne", + "hidden-SentinelTemplateVersion": "1.0.0", + "hidden-SentinelWorkspaceId": "[variables('workspaceResourceId')]" + }, + "properties": { + "state": "Enabled", + "parameters": { + "VaikoraApiKey": { + "value": "[parameters('VaikoraApiKey')]" + }, + "VaikoraAgentId": { + "value": "[parameters('VaikoraAgentId')]" + }, + "SentinelOne_ApiToken": { + "value": "[parameters('SentinelOne_ApiToken')]" + }, + "SentinelOne_BaseUrl": { + "value": "[parameters('SentinelOne_BaseUrl')]" + }, + "SentinelOne_AccountId": { + "value": "[parameters('SentinelOne_AccountId')]" + } + }, + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Vaikora_ApiBaseUrl": { + "type": "string", + "defaultValue": "https://api.vaikora.com/api/v1" + }, + "VaikoraApiKey": { + "type": "string", + "defaultValue": "" + }, + "VaikoraAgentId": { + "type": "string", + "defaultValue": "" + }, + "SentinelOne_BaseUrl": { + "type": "string", + "defaultValue": "" + }, + "SentinelOne_ApiToken": { + "type": "string", + "defaultValue": "" + }, + "SentinelOne_AccountId": { + "type": "string", + "defaultValue": "" + } + }, + "triggers": { + "Recurrence": { + "type": "Recurrence", + "recurrence": { + "frequency": "Hour", + "interval": 6, + "timeZone": "UTC" + 
} + } + }, + "actions": { + "Get_Vaikora_Actions": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "@{concat(parameters('Vaikora_ApiBaseUrl'), '/actions?agent_id=', encodeUriComponent(parameters('VaikoraAgentId')), '&per_page=100')}", + "headers": { + "X-API-Key": "@{parameters('VaikoraApiKey')}", + "Accept": "application/json", + "User-Agent": "Microsoft-Sentinel-Vaikora-SentinelOne/1.0" + } + } + }, + "Filter_High_Severity_Or_Anomaly": { + "type": "Query", + "runAfter": { + "Get_Vaikora_Actions": [ + "Succeeded" + ] + }, + "inputs": { + "from": "@body('Get_Vaikora_Actions')", + "where": "@or(or(equals(toLower(coalesce(item()?['severity'], '')), 'high'), equals(toLower(coalesce(item()?['severity'], '')), 'critical')), equals(item()?['is_anomaly'], true))" + } + }, + "List_STAR_Rules": { + "type": "Http", + "runAfter": { + "Filter_High_Severity_Or_Anomaly": [ + "Succeeded" + ] + }, + "inputs": { + "method": "GET", + "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/cloud-detection/rules?accountIds=@{parameters('SentinelOne_AccountId')}", + "headers": { + "Content-Type": "application/json", + "Authorization": "@{concat('ApiToken ', parameters('SentinelOne_ApiToken'))}" + } + } + }, + "Check_Rule_Exists": { + "type": "If", + "runAfter": { + "List_STAR_Rules": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@contains(string(body('List_STAR_Rules')), 'Vaikora IOC Detection')", + false + ] + } + ] + }, + "actions": { + "Create_STAR_Rule": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/cloud-detection/rules", + "headers": { + "Content-Type": "application/json", + "Authorization": "@{concat('ApiToken ', parameters('SentinelOne_ApiToken'))}" + }, + "body": { + "filter": { + "accountIds": [ + "@{parameters('SentinelOne_AccountId')}" + ] + }, + "data": { + "name": "Vaikora IOC Detection", + "s1ql": "IndicatorSource = \"Vaikora AI Agent Security (Data443)\"", + 
"queryType": "events", + "severity": "High", + "status": "Active", + "expirationMode": "Permanent", + "treatAsThreat": "Suspicious" + } + } + } + } + } + }, + "Check_Has_Actions": { + "type": "If", + "runAfter": { + "Check_Rule_Exists": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@length(body('Filter_High_Severity_Or_Anomaly'))", + 0 + ] + } + ] + }, + "actions": { + "For_Each_Action": { + "type": "Foreach", + "foreach": "@body('Filter_High_Severity_Or_Anomaly')", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + }, + "actions": { + "Post_IOC_to_SentinelOne": { + "type": "Http", + "inputs": { + "method": "POST", + "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/threat-intelligence/iocs", + "headers": { + "Content-Type": "application/json", + "Authorization": "@{concat('ApiToken ', parameters('SentinelOne_ApiToken'))}" + }, + "body": { + "filter": { + "accountIds": [ + "@{parameters('SentinelOne_AccountId')}" + ] + }, + "data": [ + { + "value": "@{coalesce(item()?['log_hash'], concat('vaikora-', item()?['agent_id'], '-', item()?['action_type']))}", + "type": "SHA256", + "source": "Vaikora AI Agent Security (Data443)", + "method": "EQUALS", + "validUntil": "@{addDays(utcNow(), 90)}", + "externalId": "@{concat('vaikora-', item()?['agent_id'], '-', item()?['action_type'], '-', item()?['timestamp'])}", + "description": "@{concat('Vaikora Agent=', coalesce(item()?['agent_id'], 'N/A'), ' | ActionType=', coalesce(item()?['action_type'], 'N/A'), ' | RiskScore=', coalesce(string(item()?['risk_score']), 'N/A'), ' | RiskLevel=', coalesce(item()?['risk_level'], 'N/A'), ' | Severity=', coalesce(item()?['severity'], 'N/A'), ' | ThreatDetected=', coalesce(string(item()?['threat_detected']), 'N/A'), ' | ThreatScore=', coalesce(string(item()?['threat_score']), 'N/A'), ' | Anomaly=', coalesce(string(item()?['is_anomaly']), 'N/A'), ' | AnomalyScore=', coalesce(string(item()?['anomaly_score']), 'N/A'), ' | 
PolicyDecision=', coalesce(item()?['policy_decision'], 'N/A'), ' | Timestamp=', coalesce(item()?['timestamp'], 'N/A'))}", + "severity": "@{if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 96), 7, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 86), 6, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 71), 5, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 51), 4, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 31), 3, 2)))))}" + } + ] + } + } + } + } + } + } + } + }, + "outputs": {} + } + } + } + ] +} diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/README.md b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/README.md new file mode 100644 index 00000000000..31bafc3484b --- /dev/null +++ b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/README.md 
@@ -0,0 +1,60 @@ +# Vaikora SentinelOne Threat Intelligence + +**Publisher:** Data443 Risk Mitigation, Inc. +**Solution ID:** `azure-sentinel-solution-vaikora-sentinelone` + +## Overview + +This Microsoft Sentinel solution connects Vaikora AI Agent Security to SentinelOne's Threat Intelligence API. Every 6 hours it polls the Vaikora actions endpoint for high-severity and anomaly detections, maps them to IOCs, and pushes them to SentinelOne for detection and response. + +## How it works + +1. Logic App fires on a 6-hour recurrence +2. Calls `GET https://api.vaikora.com/api/v1/actions?agent_id=&per_page=100` with `X-API-Key` auth +3. Filters to actions where `severity` is High or Critical, or `is_anomaly` is true +4. On first run, creates a STAR detection rule in SentinelOne scoped to your account +5. Posts each filtered action as an IOC to `/web/api/v2.1/threat-intelligence/iocs` + +## IOC Mapping + +| Vaikora field | SentinelOne field | Notes | +|--------------------|--------------------|--------------------------------------------| +| `log_hash` | `value` | Falls back to `agent_id + action_type` | +| (fixed) | `type` | SHA256 | +| (fixed) | `source` | Vaikora AI Agent Security (Data443) | +| (fixed) | `method` | EQUALS | +| `risk_score` | `severity` | 0-30→2, 31-50→3, 51-70→4, 71-85→5, 86-95→6, 96-100→7 | +| `agent_id` + `action_type` + `timestamp` | `externalId` | Prefixed with `vaikora-` | +| All fields | `description` | Pipe-delimited context string | +| (computed) | `validUntil` | 90 days from push time | + +## Parameters + +| Parameter | Type | Required | Description | +|-----------------------|--------------|----------|------------------------------------------------------| +| `VaikoraApiKey` | securestring | Yes | Vaikora API key sent as `X-API-Key` | +| `VaikoraAgentId` | string | Yes | Agent ID to poll | +| `SentinelOne_BaseUrl` | string | Yes | Console URL, e.g. 
`https://usea1-021.sentinelone.net`| +| `SentinelOne_ApiToken`| securestring | Yes | SentinelOne API token | +| `SentinelOne_AccountId`| string | Yes | Account ID for `filter.accountIds` in all S1 calls | +| `workspace` | string | Yes | Log Analytics workspace name | + +## Deployment + +Deploy via Microsoft Sentinel Content Hub or use the ARM template directly: + +```bash +az deployment group create \ + --resource-group \ + --template-file Package/mainTemplate.json \ + --parameters workspace= \ + VaikoraApiKey= \ + VaikoraAgentId= \ + SentinelOne_BaseUrl=https://usea1-021.sentinelone.net \ + SentinelOne_ApiToken= \ + SentinelOne_AccountId= +``` + +## Support + +Data443 Risk Mitigation, Inc. — support@data443.com — https://www.data443.com diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/ReleaseNotes.md b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/ReleaseNotes.md new file mode 100644 index 00000000000..d840de58bc1 --- /dev/null +++ b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/ReleaseNotes.md 
@@ -0,0 +1,50 @@ +# Vaikora-SentinelOne Threat Intelligence - Release Notes + +## Version 1.0.0 (2026-04-02) + +### Initial Release + +**Solution Overview:** +Polls the Vaikora AI Agent Security API every 6 hours for high-severity and anomaly agent actions, then pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response. + +**Features:** +- **Vaikora Action Polling:** Polls `/api/v1/actions` every 6 hours with `per_page=100` — no pagination token needed +- **Smart Filtering:** Only processes actions where `severity == High/Critical` or `is_anomaly == true` +- **SentinelOne IOC Push:** Maps Vaikora actions to SentinelOne IOC format (SHA256 type using `log_hash`) and pushes via the Threat Intelligence API +- **STAR Rule Auto-Creation:** Creates a SentinelOne STAR detection rule for Vaikora indicators on first run +- **Risk Score Severity Mapping:** Maps `risk_score` (0-100) to SentinelOne severity (2-7) +- **Content Hub Ready:** Packaged as a Microsoft Sentinel Solution with Content Hub support + +**Playbook: pb-vaikora-to-sentinelone** +- Recurrence: Every 6 hours (UTC) +- Vaikora API: `https://api.vaikora.com/api/v1/actions` +- Auth: `X-API-Key` header +- Filter: `severity` in (High, Critical) OR `is_anomaly == true` +- SentinelOne API: `/web/api/v2.1/threat-intelligence/iocs` +- IOC Type: SHA256 (from `log_hash` field) +- IOC Validity: 90 days +- IOC Source: `Vaikora AI Agent Security (Data443)` + +**Severity Mapping:** + +| risk_score | SentinelOne severity | +|------------|---------------------| +| 0 - 30 | 2 | +| 31 - 50 | 3 | +| 51 - 70 | 4 | +| 71 - 85 | 5 | +| 86 - 95 | 6 | +| 96 - 100 | 7 | + +**Parameters Required:** +- `VaikoraApiKey` - Vaikora API key (used as `X-API-Key` header) +- `VaikoraAgentId` - Vaikora Agent ID to poll +- `SentinelOne_ApiToken` - SentinelOne API token +- `SentinelOne_BaseUrl` - SentinelOne console URL +- `SentinelOne_AccountId` - SentinelOne account ID (required in all IOC 
push requests) + +**Known Limitations:** +- Fetches up to 100 actions per run (`per_page=100`) — no cursor-based pagination +- IOC type fixed to SHA256 using `log_hash`; IP/URL extraction from action content not yet implemented +- Per-record POST to SentinelOne (batch optimization planned for v1.1) +- No automatic retry for SentinelOne rate limiting (uses Logic App default retry policy) diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/SolutionMetadata.json b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/SolutionMetadata.json new file mode 100644 index 00000000000..c76f5dbfeab --- /dev/null +++ b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/SolutionMetadata.json @@ -0,0 +1,21 @@ +{ + "publisherId": "data443riskmitigationinc1761580347231", + "offerId": "vaikora-sentinelone-connector", + "firstPublishDate": "2026-04-02", + "providers": [ + "Data443 Risk Mitigation, Inc.", + "Vaikora" + ], + "categories": { + "domains": [ + "Security - Threat Intelligence" + ], + "verticals": [] + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + } +} \ No newline at end of file From 28cac8de438859dc7aa75eddec8e4acaa2800bcf Mon Sep 17 00:00:00 2001 
From: Taz Jack Date: Fri, 3 Apr 2026 11:01:58 -0400 Subject: [PATCH 04/38] feat: add Vaikora AI Agent Signals connector v3.0.0 --- .../Vaikora - Anomaly Detection.yaml | 68 ++ .../Vaikora - Feed Outage Detection.yaml | 33 + ...ikora - High Severity Security Alerts.yaml | 82 ++ .../Data/Solution_VaikoraSecurityCenter.json | 19 + .../Package/3.0.0.zip | Bin 0 -> 8244 bytes .../Package/createUiDefinition.json | 242 ++++++ .../Package/mainTemplate.json | 732 ++++++++++++++++++ .../azuredeploy.json | 281 +++++++ .../Vaikora-AzureSecurityCenter/README.md | 78 ++ .../ReleaseNotes.md | 10 + .../SolutionMetadata.json | 20 + 11 files changed, 1565 insertions(+) create mode 100644 Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Anomaly Detection.yaml create mode 100644 Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Feed Outage Detection.yaml create mode 100644 Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - High Severity Security Alerts.yaml create mode 100644 Solutions/Vaikora-AzureSecurityCenter/Data/Solution_VaikoraSecurityCenter.json create mode 100644 Solutions/Vaikora-AzureSecurityCenter/Package/3.0.0.zip create mode 100644 Solutions/Vaikora-AzureSecurityCenter/Package/createUiDefinition.json create mode 100644 Solutions/Vaikora-AzureSecurityCenter/Package/mainTemplate.json create mode 100644 Solutions/Vaikora-AzureSecurityCenter/Playbooks/VaikoraToAzureSecurityCenter/azuredeploy.json create mode 100644 Solutions/Vaikora-AzureSecurityCenter/README.md create mode 100644 Solutions/Vaikora-AzureSecurityCenter/ReleaseNotes.md create mode 100644 Solutions/Vaikora-AzureSecurityCenter/SolutionMetadata.json diff --git a/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Anomaly Detection.yaml b/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Anomaly Detection.yaml new file mode 100644 index 00000000000..2d83789158b --- /dev/null 
+++ b/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Anomaly Detection.yaml 
@@ -0,0 +1,68 @@
+id: b2c3d4e5-f6a7-8901-bcde-f12345678901
+name: Vaikora - Anomaly Detection
+description: |
+ Detects actions flagged as anomalies or confirmed threats by the Vaikora AI signal
+ exchange platform. This rule catches behavioral anomalies that may not trigger a
+ high/critical severity classification but still represent statistically unusual activity
+ worthy of investigation.
+severity: Medium
+requiredDataConnectors:
+ - connectorId: VaikoraSecurityCenter
+ dataTypes:
+ - Vaikora_SecurityAlerts_CL
+queryFrequency: 6h
+queryPeriod: 6h
+triggerOperator: gt
+triggerThreshold: 0
+status: Available
+tactics:
+ - Discovery
+ - LateralMovement
+ - Collection
+ - Exfiltration
+relevantTechniques: []
+query: |
+ Vaikora_SecurityAlerts_CL
+ | where TimeGenerated >= ago(6h)
+ | where IsAnomaly_b == true or ThreatDetected_b == true
+ | where Severity_s !in ("high", "critical")
+ | extend
+ AlertId = AlertId_s,
+ AgentId = AgentId_s,
+ ActionType = ActionType_s,
+ Severity = Severity_s,
+ Title = Title_s,
+ Description = Description_s,
+ SourceIP = SourceIP_s,
+ DestinationIP = DestinationIP_s,
+ SourceHost = SourceHost_s,
+ DestHost = DestinationHost_s,
+ ProcessName = ProcessName_s,
+ UserName = UserName_s,
+ FilePath = FilePath_s,
+ Confidence = ConfidenceScore_d,
+ ThreatFlag = ThreatDetected_b,
+ AnomalyFlag = IsAnomaly_b
+ | project
+ TimeGenerated, AlertId, AgentId, ActionType, Severity, Title, Description,
+ SourceIP, DestinationIP, SourceHost, DestHost, ProcessName, UserName, FilePath,
+ Confidence, ThreatFlag, AnomalyFlag
+ | order by Confidence desc, TimeGenerated desc
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: SourceIP
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: SourceHost
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: UserName
+alertDetailsOverride:
+ alertDisplayNameFormat: "Vaikora Anomaly: {{Title_s}} (confidence:
{{ConfidenceScore_d}})"
+ alertDescriptionFormat: "Vaikora AI detected an anomaly or threat on agent {{AgentId_s}}. IsAnomaly={{IsAnomaly_b}}, ThreatDetected={{ThreatDetected_b}}. {{Description_s}}"
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Feed Outage Detection.yaml b/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Feed Outage Detection.yaml
new file mode 100644
index 00000000000..7d462250850
--- /dev/null
+++ b/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Feed Outage Detection.yaml
@@ -0,0 +1,33 @@
+id: c3d4e5f6-a7b8-9012-cdef-012345678902
+name: Vaikora - Feed Outage Detection
+description: |
+ Fires when no Vaikora security alert data has arrived in the Vaikora_SecurityAlerts_CL
+ table for 12 or more hours. This typically means the Logic App playbook has failed,
+ the Vaikora API key has expired, or there is a connectivity issue between Azure and
+ the Vaikora API endpoint.
+severity: Low
+requiredDataConnectors:
+ - connectorId: VaikoraSecurityCenter
+ dataTypes:
+ - Vaikora_SecurityAlerts_CL
+queryFrequency: 12h
+queryPeriod: 12h
+triggerOperator: lt
+triggerThreshold: 1
+status: Available
+tactics: []
+relevantTechniques: []
+query: |
+ Vaikora_SecurityAlerts_CL
+ | where TimeGenerated >= ago(12h)
+ | summarize Count = count()
+ | where Count == 0
+ | extend
+ Alert = "No Vaikora data ingested in the last 12 hours",
+ Suggestion = "Check the VaikoraToAzureSecurityCenter Logic App run history and verify the Vaikora API key is valid."
+ | project Alert, Suggestion
+alertDetailsOverride:
+ alertDisplayNameFormat: "Vaikora Feed Outage - No data ingested in 12 hours"
+ alertDescriptionFormat: "The Vaikora_SecurityAlerts_CL table has received no records in the last 12 hours. Check the Logic App playbook and API connectivity."
+version: 1.0.0
+kind: Scheduled
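Review bot: The `alertDetailsOverride` placeholders `{{Title_s}}`, `{{ConfidenceScore_d}}`, `{{AgentId_s}}`, `{{IsAnomaly_b}}`, `{{ThreatDetected_b}}` and `{{Description_s}}` name columns that the query's final `| project` has already dropped — the result set only carries the renamed `Title`, `Confidence`, `AgentId`, `AnomalyFlag`, `ThreatFlag` and `Description` — so the dynamic display name and description will not be substituted on generated alerts. Either switch the overrides to the projected names (`alertDisplayNameFormat: "Vaikora Anomaly: {{Title}} (confidence: {{Confidence}})"` and the same for the description) or keep the raw `_s`/`_d`/`_b` columns in the projection. Separately, `Severity_s !in ("high", "critical")` is case-sensitive; if the playbook (not in this hunk) forwards severity as received rather than lowercased, a `High` record would be treated as non-high here and alerted at Medium while also escaping the High Severity rule, so `!in~` (and `in~` in the sibling rule) keeps the two rules' partition consistent. The `| where TimeGenerated >= ago(6h)` line duplicates `queryPeriod: 6h` and can be removed.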
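Review bot: The trigger is inverted for this query: `summarize Count = count()` with no `by` clause always returns exactly one row, and `where Count == 0` keeps it only when nothing arrived, so the query yields 1 row during an outage and 0 rows when the feed is healthy; with `triggerOperator: lt` and `triggerThreshold: 1` the rule therefore fires every 12 hours while ingestion works and stays silent in a real outage. Change to `triggerOperator: gt` and `triggerThreshold: 0` (or keep `lt 1` and reduce the query to `Vaikora_SecurityAlerts_CL | where TimeGenerated >= ago(12h)` with the text moved into the static `alertDetailsOverride`). Also, a custom `_CL` table presumably does not exist until the first successful ingestion, so before the playbook has ever written a record this query errors on an unresolved table rather than returning zero rows — worth stating in the description that the rule only covers outages after initial onboarding.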
diff --git a/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - High Severity Security Alerts.yaml b/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - High Severity Security Alerts.yaml
new file mode 100644
index 00000000000..fae40fd60e1
--- /dev/null
+++ b/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - High Severity Security Alerts.yaml
@@ -0,0 +1,82 @@
+id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
+name: Vaikora - High Severity Security Alerts
+description: |
+ Detects high or critical severity security alerts ingested from the Vaikora AI signal
+ exchange platform in the last 6 hours. These alerts indicate active threats detected
+ by Vaikora agents including malware activity, intrusion attempts, and policy violations.
+severity: High
+requiredDataConnectors:
+ - connectorId: VaikoraSecurityCenter
+ dataTypes:
+ - Vaikora_SecurityAlerts_CL
+queryFrequency: 6h
+queryPeriod: 6h
+triggerOperator: gt
+triggerThreshold: 0
+status: Available
+tactics:
+ - InitialAccess
+ - Execution
+ - Persistence
+ - DefenseEvasion
+ - CredentialAccess
+ - Discovery
+ - LateralMovement
+ - Collection
+ - CommandAndControl
+ - Exfiltration
+ - Impact
+relevantTechniques: []
+query: |
+ Vaikora_SecurityAlerts_CL
+ | where TimeGenerated >= ago(6h)
+ | where Severity_s in ("high", "critical")
+ | extend
+ AlertId = AlertId_s,
+ AgentId = AgentId_s,
+ ActionType = ActionType_s,
+ Severity = Severity_s,
+ Title = Title_s,
+ Description = Description_s,
+ SourceIP = SourceIP_s,
+ DestinationIP = DestinationIP_s,
+ SourceHost = SourceHost_s,
+ DestHost = DestinationHost_s,
+ ProcessName = ProcessName_s,
+ UserName = UserName_s,
+ FilePath = FilePath_s,
+ Confidence = ConfidenceScore_d,
+ ThreatFlag = ThreatDetected_b,
+ AnomalyFlag = IsAnomaly_b
+ | project
+ TimeGenerated, AlertId, AgentId, ActionType, Severity, Title, Description,
+ SourceIP, DestinationIP, SourceHost, DestHost, ProcessName, UserName, FilePath,
+ Confidence, ThreatFlag, AnomalyFlag
+ | order by TimeGenerated desc
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: SourceIP
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: DestinationIP
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: SourceHost
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName:
UserName
+ - entityType: Process
+ fieldMappings:
+ - identifier: ProcessId
+ columnName: ProcessName
+alertDetailsOverride:
+ alertDisplayNameFormat: "Vaikora {{Severity_s}} Alert: {{Title_s}}"
+ alertDescriptionFormat: "Vaikora detected a {{Severity_s}} severity event on agent {{AgentId_s}}. {{Description_s}}"
+ alertSeverityColumnName: Severity_s
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Vaikora-AzureSecurityCenter/Data/Solution_VaikoraSecurityCenter.json b/Solutions/Vaikora-AzureSecurityCenter/Data/Solution_VaikoraSecurityCenter.json
new file mode 100644
index 00000000000..1c31883a25e
--- /dev/null
+++ b/Solutions/Vaikora-AzureSecurityCenter/Data/Solution_VaikoraSecurityCenter.json
@@ -0,0 +1,19 @@
+{
+ "Name": "VaikoraSecurityCenter",
+ "Author": "Data443 Risk Mitigation, Inc. - support@data443.com",
+ "Logo": "",
+ "Description": "The Vaikora Security Center solution integrates [Vaikora](https://vaikora.com) AI-driven security signal detection with Microsoft Sentinel and Azure Defender for Cloud. A Logic App playbook polls the Vaikora API every 6 hours, filters high-severity actions, anomalies, and threat detections, and writes them to a custom Log Analytics table (Vaikora_SecurityAlerts_CL). Analytic rules then surface these signals in Sentinel for investigation.",
+ "Playbooks": [
+ "Playbooks/VaikoraToAzureSecurityCenter/azuredeploy.json"
+ ],
+ "Analytic Rules": [
+ "Analytic Rules/Vaikora - High Severity Security Alerts.yaml",
+ "Analytic Rules/Vaikora - Anomaly Detection.yaml",
+ "Analytic Rules/Vaikora - Feed Outage Detection.yaml"
+ ],
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\VaikoraSecurityCenter",
+ "Version": "1.0.0",
+ "TemplateSpec": true,
+ "Is1Pconnector": false
+}
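Review bot: `alertDetailsOverride` and `alertSeverityColumnName` reference `Severity_s`, `Title_s`, `AgentId_s` and `Description_s`, but the `| project` at the end of the query outputs only the renamed `Severity`, `Title`, `AgentId` and `Description`, so neither the dynamic display name nor the per-alert severity will resolve on generated alerts. Use the projected names — `alertDisplayNameFormat: "Vaikora {{Severity}} Alert: {{Title}}"`, the matching `{{AgentId}}`/`{{Description}}` in the description format, and `alertSeverityColumnName: Severity` — and note that the severity column must contain `Informational`/`Low`/`Medium`/`High`, whereas the query only passes lowercase `high`/`critical`; since both values map to High, the simplest fix is to drop `alertSeverityColumnName` and rely on the rule's `severity: High`, or normalize in KQL with `Severity = "High"`. The Process entity mapping puts `ProcessName` into the `ProcessId` identifier, which expects a PID; use `identifier: CommandLine` or drop that mapping rather than create Process entities keyed on a name.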
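Review bot: `BasePath` ends in `\\Solutions\\VaikoraSecurityCenter` while the files in this commit live under `Solutions/Vaikora-AzureSecurityCenter`, and `Name` carries the same un-hyphenated spelling; if the packaging tool resolves `Playbooks`/`Analytic Rules` paths relative to `BasePath`, a rebuild from this file will not find them, and the createUiDefinition release-notes link later in this patch inherits the same wrong folder. `Version` is `1.0.0` here while the package produced in the same commit is `3.0.0` and mainTemplate declares `_solutionVersion` `3.0.0` and `analyticRuleVersion` `3.0.0` against `version: 1.0.0` in each rule YAML — pick one version so Content Hub upgrade detection and the generated template agree. `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-AzureSecurityCenter"` and `"Version": "3.0.0"` are the two lines to change.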
diff --git a/Solutions/Vaikora-AzureSecurityCenter/Package/3.0.0.zip b/Solutions/Vaikora-AzureSecurityCenter/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..f60dde2c2dba13a852a3c45c728d5814aa34bd1e GIT binary patch literal 8244 zcmZ{JWl$UdlO+-$xLa^{hoA!lhath;8C-+AySoN=cN=tY_uvk}Ex5zw+pD^|s@?7W z(NgdIfBjk!2>S^K3JU5o6hI?Lmts(VVB_D&oD2np`EP4$WND{rYWvg1$k~+D%E{jD zT<^nattIgT;0G7`U}iEM-aos7OKu*%!y-2Tp+pftmrJO}CsO|lFU-^7!z@aNrb-)0Wi9rEvlS(*zYn3s~teB8<6Re0GCE9J{7MQ-Cy)Bp%MHITmz zB66yqa`sY>Vc~zoOK5dAcTr`wsne^`3@~8wUV)}!?^Kctq7CiC?HX`G2)vfXErX52 zF#b>j1;5+pe^5*IWM9*s-AE?G<)Esae+=9U(p{~8u6Sz+@*NyOmyINe!;(CPDcrg! z{F6Em8)e(OXMg0o(}Da4`_IlmPY|BDY?H~L0(wG~p+gPX%9gaSn2V?0fHtn70*7AU zS22)IP@MY|H>DW(o{}pb#`|Rw7Y^`eI_I7UY)_vhM4q?x^gKvVN69VjdtD|hs{aS4Ns6ue9JQz zI~j-Pr)Sd5Pk11bi({5+WBc_Jqg0I;5~InJClc zy~rAHvxBK(CaTkah6c@d>VG%Q2g({*Ls-#TYE2o8iXYb-Z=*Dun;Pyf##8W-!e4A4 zEK_PQQRm7v&Avym`ef1iK8>v(*LUuI$zCvDcS`#3sLwjGuz&qjx6zmeZl(TKc8u{ZftfUBt!;2SbTgql;9OrAU9x5Zp7O+oD zc3?E>e$~9puc8`L&IgN$oXG(zivPsyS0f@1BA5+yQT9f+`6PGzpxZ1f1T>dCS5&l} z(%{rb{VK>|v;!-iv8!|d_xX?uycoCep6}p;OWjF9X_4kdkt^)l{k?X*K}S8rm%Vk> zEhGr+Vp>NZRC_JPz#Sbb0YhCQJ-ltwb1f{73?|759ffQiUCPRehrbJ?`ylpD45-Wa z$&F4qjs2Dcm5mi*m5wmBfDxV9=(ricitL4t)8uM6kZvRh*a7+OjUGs;YNxPFWv5OE-;m9~CXVVgHQ@jOemK z(t32!)_Bp7$RG8X0ucPEzXq8dfhVo6{>#UCeBti1aX#m5zCj|AaN&9?;r6fTx^O*F zw%^#WpWS$yY9E(7VD4LY)Zg+3!AgUO+_P4^;F3T|7Z3ly|~ZP>JQPMW;7n6txOXxSaUVksS+u&C4%#K)2jNLp>BOZ^ptmz zXG5~ihh8&NtoSKe)R70n-B|T84?{2fGgiZh-8WZ0N}M=X5kozdPmIMY#fEl^#ja?} zaGAxwZ+=FL$9aD)W?tS0z6v^rHs}sm>v($2GUtVAqTPjKjJU1 zH=p65AlIcl%PmiJRKlt@Q4nDH^0zUUyIKR~Eu7*D@M3l2D(}cTcM%Fxw)GsTp zD<$+`ZAWzs;DtFH)mvwFK{%pDa=wGSzde8E$m%Us+`Bs)UiN+zddgbHEohmfes>Xe zP-094i~Gu`b1$=dY~3Jc&)^=_C1TUV<}^!{jgH8CVVNG_tA85T_Wq3nKWmv0pyPW% zEVHppvl7GI^81_k3EWZp^UXlef~c1Kcp*dZKv_Dq4C0@m->~DNuD@KI6xDlP3r`(% z@uO=V2zzDoSt=HphD1xrIx)ozEpNYA^}jCNycQh06-$$tDZnA0v3nVYcrI{yO{g0t zVbi)CgqAn_1)ztu$b?7WHgUSNv#6Ol?kBsulv$0zafM>ZxVY*OX5JvcbPrSHdmx=P 
zt1NgqU*8u~oKJ@lx2%&Lfh%B8%KIdF(4k*JiEu!!3Q+`vOA%B%E4MaYu$yg+t| z)qLRHfG0xIhD@S1h1LEAab~5E1%2u>@U=&2#Qp7QSB6cv3+g3&!IDt=6h-|n!&3UO z(Swp70$wk(mPmACQ^b!PUwsLii1(dI$s`G*J4IUz=5#@!Ut?!zubW*&=K}B#suZ7s z($j59lqd4B%`;yN{H!xIQEio&f|D#!n$p3mmDL7=!|a%Z3EnyqOyiDZAqnPYhpU>x z&U(b9%*eRI0l8lA9lzOmf7;LK-ZYK(^%J_lm8qsh(a-fFWQ?gV0#Z$F{N}p0~duw62C5v^KU+qmpJ14m> znbPjh8Pw-WQKz(}$-Ly<;Mvl#@8zwHgIBnn6PSju5#62uY4#A5*Kpkuo{QirZ&O&Cgp1r);Ze z*yHqt!IWCL$_dIttN*CVuq8DMkaBk7f|JvZ3{;f|)%mO>S`g|QphY5K91~(B@6H>W z|I&b^!HO+c)Rwy`UNH_}yUl0#V~Sg5%n{*TkdU>^$o}YTs`m(dg+;UMBlOZ(Y}Hsa z3{MB5N0w=LndL?9$F0ONS-YFochLEiJ?1D2#+7^h#+zyv3qoCjE3+Zv4C&EV6gW(+ zN61d(FqL2}dtsrc=0hXKw|B`KSa85A0bBJaO1bsuk6_I*MV*I<&ag%AG<+ z?>TyN*dcwORJ*@Pp)mU18T2%p%VuTOlyyg~;qru>X%2=}zx{$l2DHEW`T1>b- znJ!n^N;Br6k9YQ)^1103epY(C(G85-{tjr#IJCncV?wfS_32GB*wW#N$9ZFTNohydE>n2a$%(I@3KG(X=fKR=~^V~mq zq0V&6NK)^J*0zG&@hOh0AXC3hhTsJ|pn=_bE?4TnZ3#@3M|Q(ylxQ~88?W({@H z_sK4jZUc?gffZ75_VAmOd_J-5PF!7wyOhbPb+trUU+}WsvKZ?;ie&5A2P=QxS5AGc zN{V}5r6LF05A+d<`hAg|QMg!&zX{kT(| zN#E1cv!xWL{J_&QR@;Z5VgfgxU`zWkTV+!aZUpP{X42bS(xB_^!gC6&E?cZ9lEW3= zpVo?8{7J0K(iUioq2|Z^3%(!kcZ-j6pyQKjL~QFScnB%#{Y1@6vk||-*TLtRDwklE z_=&{kk~_!CM_9HYBZ+!Mid#qmCSE*{C^@V{CK^W0kf1v!iRPSR*CfL)o{(7RwGu)h=_VqFu1#?)Q_LZ%Jx)CL5m#K?l^%o8*IwlZC ze!1tiG;mWP`LaqNY=dqWnav>YC~2;?08O%XTUjc;l$RVr+-vGagC*3J4-4%SGWC4DjW!4w*-=Eu zj~B#ul^qGuWNJ_~)d;Vo&JrUILHQk9xxsuFc~30|q4~y(jteMG(&Ob#Kj=|wCCt?$ z?&L}p3PL+X6j$Le{YaNIuV_ID<}-XO?-H8Avivi}D&?6ddBt0;l3{;1r5FEd86r|w zWaJ1PDkGhD(1u0FTcL$ByH1WjORW6n`z2Q+S8N?L)N!|7mRxP?))e!6%k}io{ik8h+w6pZt z0Iv4rzCPnsF?8SpijdOl!4!oQr8GPIt?Cahx>8k+tZg6X;a4W?4lWTHaE=u)i`j^O zF-u}5f=z_+b~6H`DdNQ_rLRG4{9{U9j{U}AyZpO1R#>u`P>#rLXRvIDl}Fw**0l>O)Ot8CqXKOJOG> zqi^u1vceF?1krKYbS5^PHh=qG7n2U$Vyeeum7NPA;R7HK#>;?SjyS$p$OeGPZ6u!v_knGHcz-# zj7=VDCQm6izvP+hArGE08aGEK(wqAC#hY2 zDkX;7tORLdM%0B5Jr*_#VNA2E9mMnf)Le9kg)sig3El)m zh=InEPb^VL7$fq1v9Q8yx4y{0Z4qSCG{09XblR)Xkf*ghamamNNGM$KCK_%kPXCOa4$zcpe^gM{qrKseWXA<6X|o5|7_SbU-*TVtEq+w^z%Nzs_`l={#5a&Gj~Rv 
zxQ42(+F!l(d0N@`bA>dT*%HC-nhB|dzN24l^ka=xgMZ`VN8RH9B05$;z#-@L^iujb z-+ctpMh4oZ>p1CO^LxUCFlE;r{-7DiITvw{0PzRP7kf1Bnj!dY5X;IJoGfSG{rXFt2wZ-(+Rz2DjAMA)GIIQixNnUFi8m!#OTrrV@g7!!dGG zS@hEdVRPY|2(Ngvl*8iS!(L5?g((Ox!YHiiPOx`I3LVg>lWf4B055b>(%kA&*aOA~ zEO4d=ytEdzkq8PkRk@7f6mc|Vbf}{D@&`DE!qW#$pWr-ds|w*Hu`Nop%w?EP77*u6!29qa16_0hZQ4bC_m= z1FBHrGT5>EN17(~LvhPr&bZ_QB5Rcz;8wnGV}Az6j;nR7+Aef?q_JjfytBT)i$%m# zlj$6b3Nd4j7e8wv-_Q{Q{VgOP zBR9Jt`9sf?IRd2w(6yp<6Y-$?Xar|=_e$6CJgsplHksss45 z(xCylA!dZtK%o@+b(O;Hh6#CS9EdOaepmVE_6UYJyN+!M)Zc1l$P3qlLl?Ph?mv6E z2X+BO7mQ{+y_p`BvjIZQ4qeg@gxYK=w%6!U88=a#mj_8K=rQ=!~=Ep_pvXcE!qI8iBo!fV= z$&Ipmz1?!3tAXw!jkP;bYU+Gi#8fC6rgHOVW}hZuS+{S2Fbs?>*!!I4X#>>wQ5%Ey zABGxaEl>hmWrky*MGv&>^2KsbVFDcc*K``2K2VNDZr3!|1p+5)PkC=m&*7z)<&b&c zGy(#ldFF?s^T;qIruN8y$S4)d=Ft0AioEaA@w~c9YB1)sMI|<-iSlUueOPF7e_mep zl{^JeLA9-#_jj!!c`1sJ-uf&V zp3fO(3c14I*uSG1jiaXKtYQGki=L0KU4wwOba|J%$2U{QjI*;>W*)!pM%YqJ^GNZb zVIf$SZwma;rZ}Tu8Cv#TP=*6W#2j{=a_89p=js(O|4%)5eTv>-R9npyxEk} zexj|13|L|+<(jGvHK*a?aUUOunOG)7zm`85gjU{ra71nlA`1f~BFN<3Fi3+zEuy&F zyR->6pMsUaOrJZxkyivT^0ovriR)oJknd-heHK#AuA;)x%zuur`NF2(oS~qcFRFL~ zrH)A7q?swdy+Crz)+|3H_9yVwc$v-hF6vd<{Y+mA;=+xmR8V)xUr{r zlsvQJVS-WRG3|2-;;8Ys`nJteN75w&e~E~*3#SYUNwoaQ-#_JN-L0sj)=vHw&%^@4 zLJBS05-aoyFe?lfZ^b!S{o))>AzFDFw3lOmDV{1lqPV}34wpr+7lGTNEM=cC(Kct? 
zCvU^hx!0tsn-Fz&XJlS#{1Cc4drBwa=`f*{Dk@JmCB?bK0&nmw3(*7574S$`1e6QaPyk8Ol`#7YeF6Le(l3Kg%CY8LEr-53X*B`jt)4c3ch@_@Q27Dp(~PvT~s{3 zOx3GU!!DXpO+ZD%SnmN$zhH*04_s+b7S$PQ-5O09_3?a0-9w=OUIcz4G_p0)A%x(b zO)ZpgVat)X*y>y2u99w#%O6;(I7-#O4C@5M|DZQLW_D|{0e_?krSXp!Kt}ZtX~mWC za0N-bEC09^%|<0J-PpnD`=t-|s}dUukDI9KP@6il$~;c-52_LgN<|eX&?B*9lE5YS;vmBd~4tQlv4FpTILxr>;8~ z>dBXxhz$vt>P-*aJqwf6&5K)836Bct5_XwPCfd~XW=ND~O#yf0rQX~$rD99g% z&G?Q#cGOamXxW%5dhtGQNxiA@m!kKK5gS*{*7eD$-0Fy*bE0E-s@5oWnSO1sE>|^$ z+1kAt2XB=#cpM5XaQ^8U8cy^YOeW&#UNOAuLcTKvENxql%s?)(`6!J=Y9tDOC6r%R zRE~-sYMWVnLl2UTe41pkHk+>4usm~Y#ROddmSfE&2N#NJQIuhJbu*)+-|&`nn}$x+ z_ifX_lP|)ouL2n9YNr8;>@0vQ=fQgT^e%+Pu5TXDFrEL-;d!OERTEv9S_-GskeJG( zE>4!nUrG*t^c{Not&{e3^jDWQLn6l$w_}JTyrNzwJe-6MMV}RIBH}NWFq#^V7|L@+`f-> zK6Gr7bylK#y_t8oZ8e<%wc6!u>2w)7V`i_HR9Wijvm2=6F!`WAsiaZ}xJT3+Q)WAU zLMmJ{ReHXq;FS|za|!1~Nw`+5d;j3FZ{E|6&f+X)2L?ZE7cE>{f)^7YCi$*}Huh{$ z3fV3QgG?4R20YWl^>@}>xSKz3O_5F@k(yWd=muURL?u}v=Y~E)>!j3&00-1saA#9c zb@8f}Jro6Y(}+^r6}z%l&SU@V4j=(?KC?pehf0+*Lu$5x8)-F@EOcuK6ch(-^s#nH zii^p3T+i3kVY>{jjGD#gYxOMGI=`*Mb{?hB_^qD|adiI5T>RH_(6-2}h0i3j7n+od zR$a*4d31~R3n!d&6v^c$(t{XWpbel#~pXID>=_g5Nny*Y^J(g z`V~sjfKkT7c!;-3I3E)chbpxAGq>vNL^otE`eVr_U{_tU87?w^1^sgBjjs)FCrTw_ zr`$aybLpVK`8;-rcU81beajsdTF5=b&4jOUZ_p}Ld);CG{j_{Au&~*fFV;Bu9}94gPM8AhnlH7s(|EYC)?w3zZl?ix3F->E}Mwi zQZ{FG60!3fUT`~A@&w1Riz={p-j=JRK)kJdO%*8>lFzjpgP{b~pt4 zzJ-b*iSae6C5#Y){E5$qXRp~}NYy`C4RExEW}A6lp;lppM{%v|P?$ zM%K0YTjf^_%&+i*72n`?|X$^=cTfs{K-bI7x?#xkJpX$j>df==|o+g z8v!^w#tY0hV9QKelnFeyXff^eYISM7Gf)IV!{EUF@4xwflJvjAKj1&*zkTZefBOF< iXa6r53d%nK1^0gyw~9bG`2PT5{$=pLno0Jb>Hh$5uF?ho literal 0 HcmV?d00001 diff --git a/Solutions/Vaikora-AzureSecurityCenter/Package/createUiDefinition.json b/Solutions/Vaikora-AzureSecurityCenter/Package/createUiDefinition.json new file mode 100644 index 00000000000..42c3f6a3da8 --- /dev/null +++ b/Solutions/Vaikora-AzureSecurityCenter/Package/createUiDefinition.json 
@@ -0,0 +1,242 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VaikoraSecurityCenter/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Vaikora Security Center solution integrates [Vaikora](https://vaikora.com) AI-driven security signal detection with Microsoft Sentinel and Azure Defender for Cloud. A Logic App playbook polls the Vaikora API every 6 hours, filters high-severity actions, anomalies, and confirmed threats, and writes them to a custom Log Analytics table (Vaikora_SecurityAlerts_CL). 
Analytic rules surface these signals for investigation.\n\n**Playbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Logic/workflows", + "Microsoft.Web/connections" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspaces that exist in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs a Logic App playbook that polls the Vaikora API and writes security alerts to your 
Log Analytics workspace. You must supply your Vaikora API credentials and workspace details below." + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://learn.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook" + } + } + }, + { + "name": "playbook1", + "type": "Microsoft.Common.Section", + "label": "VaikoraToAzureSecurityCenter", + "elements": [ + { + "name": "playbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Polls the Vaikora /api/v1/actions endpoint every 6 hours and forwards high-severity, anomaly, and threat-detected actions to the Vaikora_SecurityAlerts_CL table." + } + }, + { + "name": "PlaybookName", + "type": "Microsoft.Common.TextBox", + "label": "Playbook Name", + "defaultValue": "VaikoraToAzureSecurityCenter", + "toolTip": "Name of the Logic App to deploy", + "constraints": { + "required": true, + "regex": "^[A-Za-z0-9-]{1,80}$", + "validationMessage": "Only alphanumeric characters and hyphens are allowed, up to 80 characters." + } + }, + { + "name": "VaikoraApiKey", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "Vaikora API Key", + "confirmPassword": "Confirm Vaikora API Key" + }, + "toolTip": "Your Vaikora API key, sent as the X-API-Key header", + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": true + } + }, + { + "name": "VaikoraAgentId", + "type": "Microsoft.Common.TextBox", + "label": "Vaikora Agent ID", + "toolTip": "The Vaikora Agent ID to poll for security actions", + "constraints": { + "required": true, + "regex": "^.{1,256}$", + "validationMessage": "Agent ID is required." 
+ } + }, + { + "name": "WorkspaceId", + "type": "Microsoft.Common.TextBox", + "label": "Log Analytics Workspace ID", + "toolTip": "The Workspace ID used to authenticate the Log Analytics Data Collector API", + "constraints": { + "required": true, + "regex": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "validationMessage": "Must be a valid GUID." + } + }, + { + "name": "WorkspaceKey", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "Log Analytics Primary Key", + "confirmPassword": "Confirm Primary Key" + }, + "toolTip": "The Log Analytics Workspace Primary Key used for HMAC-SHA256 signing", + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": true + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://learn.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Vaikora - High Severity Security Alerts", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects high or critical severity security alerts ingested from Vaikora in the last 6 hours, including malware activity, intrusion attempts, and policy violations." 
+ } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Vaikora - Anomaly Detection", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects actions flagged as anomalies or confirmed threats by the Vaikora AI engine, even when severity is below the high/critical threshold." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Vaikora - Feed Outage Detection", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Fires when no Vaikora data has arrived in the custom table for 12 or more hours, indicating a possible connectivity or authentication failure in the Logic App playbook." + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]", + "PlaybookName": "[steps('playbooks').playbook1.PlaybookName]", + "VaikoraApiKey": "[steps('playbooks').playbook1.VaikoraApiKey.password]", + "VaikoraAgentId": "[steps('playbooks').playbook1.VaikoraAgentId]", + "WorkspaceId": "[steps('playbooks').playbook1.WorkspaceId]", + "WorkspaceKey": "[steps('playbooks').playbook1.WorkspaceKey.password]" + } + } +} diff --git a/Solutions/Vaikora-AzureSecurityCenter/Package/mainTemplate.json b/Solutions/Vaikora-AzureSecurityCenter/Package/mainTemplate.json new file mode 100644 index 00000000000..d501d025559 --- /dev/null +++ b/Solutions/Vaikora-AzureSecurityCenter/Package/mainTemplate.json 
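Review bot: The playbook step collects the Log Analytics workspace primary key (`WorkspaceKey`) and emits it as a plain template output; that key is a workspace-wide shared secret for the HTTP Data Collector API (mainTemplate later names an `azureloganalyticsdatacollector-` API connection), so anyone who can read the deployed API connection or the Logic App's parameters can write arbitrary records into any table in the workspace, and rotating the key silently breaks the feed without any alert other than the outage rule. Prefer a DCR / Logs Ingestion API path authenticated with the Logic App's managed identity (Monitoring Metrics Publisher on the DCR) so no shared key is stored; at minimum make the blast radius explicit in the tooltip, e.g. `"toolTip": "Workspace primary key. Grants write access to every table in the workspace; rotating it requires redeploying this playbook."`. `VaikoraAgentId` is validated only by `^.{1,256}$`, so values containing `&`, `/` or whitespace are accepted; unless the playbook (outside this hunk) URL-encodes it when building the `/api/v1/actions?agent_id=` query, tighten the regex to the ID's actual alphabet. The `basics.description` release-notes link targets `Solutions/VaikoraSecurityCenter/ReleaseNotes.md`, but this solution's folder is `Vaikora-AzureSecurityCenter`, so the link will not resolve.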
@@ -0,0 +1,732 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Data443 Risk Mitigation, Inc. - support@data443.com", + "comments": "Solution template for VaikoraSecurityCenter" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "PlaybookName": { + "defaultValue": "VaikoraToAzureSecurityCenter", + "type": "string", + "metadata": { + "description": "Name of the Logic App playbook" + } + }, + "VaikoraApiKey": { + "type": "securestring", + "metadata": { + "description": "Vaikora API key (X-API-Key header)" + } + }, + "VaikoraAgentId": { + "type": "string", + "metadata": { + "description": "Vaikora Agent ID to poll" + } + }, + "WorkspaceId": { + "type": "string", + "metadata": { + "description": "Log Analytics Workspace ID for Data Collector API" + } + }, + "WorkspaceKey": { + "type": "securestring", + "metadata": { + "description": "Log Analytics Primary Key for Data Collector API signing" + } + } + }, + "variables": { + "email": "support@data443.com", + "_email": "[variables('email')]", + "_solutionName": "VaikoraSecurityCenter", + "_solutionVersion": "3.0.0", + "solutionId": "data443riskmitigationinc1761580347231.azure-sentinel-solution-vaikora-security-center", + "_solutionId": 
"[variables('solutionId')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "logAnalyticsConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + + "playbookVersion1": "1.0", + "playbookContentId1": "VaikoraToAzureSecurityCenter", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + + "analyticRuleObject1": { + "analyticRuleVersion1": "3.0.0", + "_analyticRulecontentId1": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a1b2c3d4-e5f6-7890-abcd-ef1234567890')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a1b2c3d4-e5f6-7890-abcd-ef1234567890')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a1b2c3d4-e5f6-7890-abcd-ef1234567890','-', '3.0.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "3.0.0", + "_analyticRulecontentId2": "b2c3d4e5-f6a7-8901-bcde-f12345678901", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b2c3d4e5-f6a7-8901-bcde-f12345678901')]", + "analyticRuleTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b2c3d4e5-f6a7-8901-bcde-f12345678901')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2c3d4e5-f6a7-8901-bcde-f12345678901','-', '3.0.0')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "3.0.0", + "_analyticRulecontentId3": "c3d4e5f6-a7b8-9012-cdef-012345678902", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c3d4e5f6-a7b8-9012-cdef-012345678902')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c3d4e5f6-a7b8-9012-cdef-012345678902')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c3d4e5f6-a7b8-9012-cdef-012345678902','-', '3.0.0')))]" + }, + + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "VaikoraToAzureSecurityCenter Playbook with template version 1.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "VaikoraToAzureSecurityCenter", + "type": "string" + }, + "VaikoraApiKey": { + "type": "securestring" + }, + "VaikoraAgentId": { + "type": "string" + }, + "WorkspaceId": { + "type": "string" + }, + "WorkspaceKey": { + "type": "securestring" + } + }, + "variables": { + "logAnalyticsConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('logAnalyticsConnectionName')]", + "location": "[[resourceGroup().location]", + "properties": { + "displayName": "Vaikora Log Analytics Data Collector", + "customParameterValues": {}, + "api": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]" + }, + "parameterValues": { + "username": "[[parameters('WorkspaceId')]", + "password": "[[parameters('WorkspaceKey')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "VaikoraToAzureSecurityCenter", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('logAnalyticsConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "VaikoraApiKey": { + "type": "securestring" + }, + "VaikoraAgentId": { + "type": "string", + "defaultValue": "[[parameters('VaikoraAgentId')]" + }, + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + 
"type": "Recurrence", + "recurrence": { + "frequency": "Hour", + "interval": 6, + "timeZone": "UTC" + } + } + }, + "actions": { + "Poll_Vaikora_Actions": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "https://api.vaikora.com/api/v1/actions", + "queries": { + "agent_id": "@parameters('VaikoraAgentId')", + "per_page": "100" + }, + "headers": { + "X-API-Key": "@parameters('VaikoraApiKey')", + "Accept": "application/json" + } + }, + "runAfter": {} + }, + "Parse_Response": { + "type": "ParseJson", + "inputs": { + "content": "@body('Poll_Vaikora_Actions')", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { "type": "string" }, + "agent_id": { "type": "string" }, + "action_type": { "type": "string" }, + "severity": { "type": "string" }, + "title": { "type": "string" }, + "description": { "type": "string" }, + "source_ip": { "type": "string" }, + "destination_ip": { "type": "string" }, + "source_host": { "type": "string" }, + "destination_host": { "type": "string" }, + "process_name": { "type": "string" }, + "user_name": { "type": "string" }, + "file_path": { "type": "string" }, + "threat_detected": { "type": "boolean" }, + "is_anomaly": { "type": "boolean" }, + "confidence_score": { "type": "number" }, + "created_at": { "type": "string" }, + "updated_at": { "type": "string" } + } + } + } + } + } + }, + "runAfter": { + "Poll_Vaikora_Actions": ["Succeeded"] + } + }, + "Filter_High_Risk_Actions": { + "type": "Query", + "inputs": { + "from": "@body('Parse_Response')?['data']", + "where": "@or(or(equals(item()?['severity'], 'high'), equals(item()?['severity'], 'critical')), or(equals(item()?['is_anomaly'], true), equals(item()?['threat_detected'], true)))" + }, + "runAfter": { + "Parse_Response": ["Succeeded"] + } + }, + "For_Each_Security_Alert": { + "type": "Foreach", + "foreach": "@body('Filter_High_Risk_Actions')", + "actions": { + "Send_to_Log_Analytics": { + 
"type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs", + "body": "@{json(concat('{\"TimeGenerated\":\"', items('For_Each_Security_Alert')?['created_at'], '\",\"AlertId\":\"', items('For_Each_Security_Alert')?['id'], '\",\"AgentId\":\"', items('For_Each_Security_Alert')?['agent_id'], '\",\"ActionType\":\"', items('For_Each_Security_Alert')?['action_type'], '\",\"Severity\":\"', items('For_Each_Security_Alert')?['severity'], '\",\"Title\":\"', replace(items('For_Each_Security_Alert')?['title'], '\"', '\\\"'), '\",\"Description\":\"', replace(items('For_Each_Security_Alert')?['description'], '\"', '\\\"'), '\",\"SourceIP\":\"', items('For_Each_Security_Alert')?['source_ip'], '\",\"DestinationIP\":\"', items('For_Each_Security_Alert')?['destination_ip'], '\",\"SourceHost\":\"', items('For_Each_Security_Alert')?['source_host'], '\",\"DestinationHost\":\"', items('For_Each_Security_Alert')?['destination_host'], '\",\"ProcessName\":\"', items('For_Each_Security_Alert')?['process_name'], '\",\"UserName\":\"', items('For_Each_Security_Alert')?['user_name'], '\",\"FilePath\":\"', items('For_Each_Security_Alert')?['file_path'], '\",\"ThreatDetected\":', string(items('For_Each_Security_Alert')?['threat_detected']), ',\"IsAnomaly\":', string(items('For_Each_Security_Alert')?['is_anomaly']), ',\"ConfidenceScore\":', string(items('For_Each_Security_Alert')?['confidence_score']), ',\"UpdatedAt\":\"', items('For_Each_Security_Alert')?['updated_at'], '\"}'))}", + "headers": { + "Log-Type": "Vaikora_SecurityAlerts" + } + } + } + }, + "runAfter": { + "Filter_High_Risk_Actions": ["Succeeded"] + } + } + } + }, + "parameters": { + "VaikoraApiKey": { + "value": "[[parameters('VaikoraApiKey')]" + }, + "VaikoraAgentId": { + "value": "[[parameters('VaikoraAgentId')]" + }, + "$connections": { + "value": { + 
"azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('logAnalyticsConnectionName'))]", + "connectionName": "[[variables('logAnalyticsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]" + } + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(resourceId('Microsoft.Logic/workflows', parameters('PlaybookName')),'/'))))]", + "dependsOn": [ + "[[resourceId('Microsoft.Logic/workflows', parameters('PlaybookName'))]" + ], + "properties": { + "parentId": "[[resourceId('Microsoft.Logic/workflows', parameters('PlaybookName'))]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "VaikoraSecurityCenter", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]", + "tier": "Partner", + "link": "https://www.data443.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "VaikoraToAzureSecurityCenter", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Vaikora - High Severity Security Alerts analytic rule with template version 1.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects high or critical severity security alerts ingested from the Vaikora AI signal exchange platform in the last 6 hours.", + "displayName": "Vaikora - High Severity Security Alerts", + "enabled": false, + "query": "Vaikora_SecurityAlerts_CL\n| where TimeGenerated >= ago(6h)\n| where Severity_s in (\"high\", \"critical\")\n| extend AlertId=AlertId_s, AgentId=AgentId_s, ActionType=ActionType_s, Severity=Severity_s, Title=Title_s, Description=Description_s, SourceIP=SourceIP_s, DestinationIP=DestinationIP_s, SourceHost=SourceHost_s, DestHost=DestinationHost_s, ProcessName=ProcessName_s, UserName=UserName_s, FilePath=FilePath_s, Confidence=ConfidenceScore_d, ThreatFlag=ThreatDetected_b, AnomalyFlag=IsAnomaly_b\n| project TimeGenerated, AlertId, AgentId, ActionType, Severity, Title, Description, SourceIP, DestinationIP, SourceHost, DestHost, ProcessName, UserName, FilePath, Confidence, 
ThreatFlag, AnomalyFlag\n| order by TimeGenerated desc", + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "VaikoraSecurityCenter", + "dataTypes": ["Vaikora_SecurityAlerts_CL"] + } + ], + "tactics": [ + "InitialAccess", + "Execution", + "Persistence", + "DefenseEvasion", + "CredentialAccess", + "LateralMovement", + "Exfiltration", + "Impact" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [{ "identifier": "Address", "columnName": "SourceIP" }] + }, + { + "entityType": "IP", + "fieldMappings": [{ "identifier": "Address", "columnName": "DestinationIP" }] + }, + { + "entityType": "Host", + "fieldMappings": [{ "identifier": "HostName", "columnName": "SourceHost" }] + }, + { + "entityType": "Account", + "fieldMappings": [{ "identifier": "Name", "columnName": "UserName" }] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": "Vaikora {{Severity_s}} Alert: {{Title_s}}", + "alertDescriptionFormat": "Vaikora detected a {{Severity_s}} severity event on agent {{AgentId_s}}. 
{{Description_s}}", + "alertSeverityColumnName": "Severity_s" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "Vaikora Security Center Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "VaikoraSecurityCenter", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]", + "tier": "Partner", + "link": "https://www.data443.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Vaikora - High Severity Security Alerts", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Vaikora - Anomaly Detection analytic rule with template version 1.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects actions flagged as anomalies or confirmed threats by the Vaikora AI engine, even when severity is below high/critical.", + "displayName": "Vaikora - Anomaly Detection", + "enabled": false, + "query": "Vaikora_SecurityAlerts_CL\n| where TimeGenerated >= ago(6h)\n| where IsAnomaly_b == true or ThreatDetected_b == true\n| where Severity_s !in (\"high\", \"critical\")\n| extend AlertId=AlertId_s, AgentId=AgentId_s, ActionType=ActionType_s, Severity=Severity_s, Title=Title_s, Description=Description_s, SourceIP=SourceIP_s, DestinationIP=DestinationIP_s, SourceHost=SourceHost_s, UserName=UserName_s, Confidence=ConfidenceScore_d, ThreatFlag=ThreatDetected_b, AnomalyFlag=IsAnomaly_b\n| project TimeGenerated, AlertId, AgentId, ActionType, Severity, Title, Description, SourceIP, DestinationIP, SourceHost, UserName, Confidence, ThreatFlag, AnomalyFlag\n| order by Confidence desc, TimeGenerated desc", + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + 
"connectorId": "VaikoraSecurityCenter", + "dataTypes": ["Vaikora_SecurityAlerts_CL"] + } + ], + "tactics": [ + "Discovery", + "LateralMovement", + "Collection", + "Exfiltration" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [{ "identifier": "Address", "columnName": "SourceIP" }] + }, + { + "entityType": "Host", + "fieldMappings": [{ "identifier": "HostName", "columnName": "SourceHost" }] + }, + { + "entityType": "Account", + "fieldMappings": [{ "identifier": "Name", "columnName": "UserName" }] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "Vaikora Security Center Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "VaikoraSecurityCenter", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]", + "tier": "Partner", + "link": "https://www.data443.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Vaikora - Anomaly Detection", + "contentProductId": 
"[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Vaikora - Feed Outage Detection analytic rule with template version 1.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Fires when no Vaikora data has arrived in the custom table for 12 or more hours, indicating a possible Logic App failure or API authentication issue.", + "displayName": "Vaikora - Feed Outage Detection", + "enabled": false, + "query": "Vaikora_SecurityAlerts_CL\n| where TimeGenerated >= ago(12h)\n| summarize Count = count()\n| where Count == 0\n| extend Alert=\"No Vaikora data ingested in the last 12 hours\", Suggestion=\"Check the VaikoraToAzureSecurityCenter Logic App run history and verify the Vaikora API key is valid.\"\n| project Alert, Suggestion", + "queryFrequency": "PT12H", + "queryPeriod": "PT12H", + "severity": "Low", + "suppressionDuration": "PT1H", + 
"suppressionEnabled": false, + "triggerOperator": "LessThan", + "triggerThreshold": 1, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "VaikoraSecurityCenter", + "dataTypes": ["Vaikora_SecurityAlerts_CL"] + } + ], + "tactics": [] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "properties": { + "description": "Vaikora Security Center Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "VaikoraSecurityCenter", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]", + "tier": "Partner", + "link": "https://www.data443.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Vaikora - Feed Outage Detection", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": 
"2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "[variables('_solutionVersion')]", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Vaikora Security Center", + "publisherDisplayName": "Data443 Risk Mitigation, Inc.", + "descriptionHtml": "

The Vaikora Security Center solution integrates Vaikora AI-driven security signal detection with Microsoft Sentinel and Azure Defender for Cloud via a Logic App playbook that polls the Vaikora API and writes qualifying alerts to the Vaikora_SecurityAlerts_CL custom table.

", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "VaikoraSecurityCenter", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]", + "tier": "Partner", + "link": "https://www.data443.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Playbook", + "contentId": "[variables('_playbookContentId1')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + } + ] + }, + "firstPublishDate": "2026-04-02", + "providers": ["Data443 Risk Mitigation, Inc."], + "categories": { + "domains": ["Security - Threat Protection"], + "verticals": [] + } + } + } + ], + "outputs": {} +} diff --git a/Solutions/Vaikora-AzureSecurityCenter/Playbooks/VaikoraToAzureSecurityCenter/azuredeploy.json b/Solutions/Vaikora-AzureSecurityCenter/Playbooks/VaikoraToAzureSecurityCenter/azuredeploy.json new file mode 100644 index 00000000000..ae02dff9b5f --- /dev/null +++ b/Solutions/Vaikora-AzureSecurityCenter/Playbooks/VaikoraToAzureSecurityCenter/azuredeploy.json 
@@ -0,0 +1,281 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Vaikora to Azure Security Center", + "description": "This playbook polls the Vaikora AI signal exchange API every 6 hours, filters actions with high/critical severity, anomaly flags, or threat detections, and writes them to the Vaikora_SecurityAlerts_CL custom Log Analytics table. Sentinel analytic rules then surface these signals in Defender for Cloud.", + "mainSteps": [ + "1. Triggers on a 6-hour recurrence schedule.", + "2. Calls GET /api/v1/actions on the Vaikora API with X-API-Key authentication.", + "3. Filters actions where severity is high or critical, is_anomaly is true, or threat_detected is true.", + "4. Sends each qualifying action to a custom Log Analytics table (Vaikora_SecurityAlerts_CL) via the Data Collector API.", + "5. Sentinel analytic rules query the custom table to generate incidents." + ], + "prerequisites": [ + "1. A valid Vaikora API key (X-API-Key).", + "2. The Vaikora Agent ID to poll.", + "3. Log Analytics Workspace ID and Primary Key (for Data Collector API signing).", + "4. Microsoft Sentinel enabled on the target workspace." + ], + "postDeployment": [ + "1. Open the Logic App in the Azure portal.", + "2. Confirm the VaikoraAgentId parameter is correct.", + "3. Enable the analytic rules deployed with this solution.", + "4. Optionally adjust the recurrence interval." + ], + "lastUpdateTime": "2026-04-02T00:00:00.000Z", + "entities": [], + "tags": [ + "Vaikora", + "SecurityCenter", + "DefenderForCloud", + "ThreatDetection" + ], + "support": { + "tier": "Partner", + "link": "https://www.data443.com" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc." 
+ }, + "releaseNotes": [ + { + "version": "1.0.0", + "title": "Vaikora to Azure Security Center", + "notes": [ + "Initial version" + ] + } + ] + }, + "parameters": { + "PlaybookName": { + "defaultValue": "VaikoraToAzureSecurityCenter", + "type": "string", + "metadata": { + "description": "Name of the Logic App playbook" + } + }, + "VaikoraApiKey": { + "type": "securestring", + "metadata": { + "description": "Vaikora API key (used as X-API-Key header)" + } + }, + "VaikoraAgentId": { + "type": "string", + "metadata": { + "description": "Vaikora Agent ID to poll for security actions" + } + }, + "WorkspaceId": { + "type": "string", + "metadata": { + "description": "Log Analytics Workspace ID (for Data Collector API)" + } + }, + "WorkspaceKey": { + "type": "securestring", + "metadata": { + "description": "Log Analytics Primary Key (for Data Collector API HMAC signing)" + } + } + }, + "variables": { + "logicAppName": "[parameters('PlaybookName')]", + "logAnalyticsConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('logAnalyticsConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "Vaikora Log Analytics Data Collector", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]" + }, + "parameterValues": { + "username": "[parameters('WorkspaceId')]", + "password": "[parameters('WorkspaceKey')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "VaikoraToAzureSecurityCenter", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": 
"SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('logAnalyticsConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "VaikoraApiKey": { + "type": "securestring" + }, + "VaikoraAgentId": { + "type": "string", + "defaultValue": "[parameters('VaikoraAgentId')]" + }, + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "type": "Recurrence", + "recurrence": { + "frequency": "Hour", + "interval": 6, + "timeZone": "UTC" + } + } + }, + "actions": { + "Poll_Vaikora_Actions": { + "type": "Http", + "inputs": { + "method": "GET", + "uri": "https://api.vaikora.com/api/v1/actions", + "queries": { + "agent_id": "@parameters('VaikoraAgentId')", + "per_page": "100" + }, + "headers": { + "X-API-Key": "@parameters('VaikoraApiKey')", + "Accept": "application/json" + } + }, + "runAfter": {} + }, + "Parse_Response": { + "type": "ParseJson", + "inputs": { + "content": "@body('Poll_Vaikora_Actions')", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { "type": "string" }, + "agent_id": { "type": "string" }, + "action_type": { "type": "string" }, + "severity": { "type": "string" }, + "title": { "type": "string" }, + "description": { "type": "string" }, + "source_ip": { "type": "string" }, + "destination_ip": { "type": "string" }, + "source_host": { "type": "string" }, + "destination_host": { "type": "string" }, + "process_name": { "type": "string" }, + "user_name": { "type": "string" }, + "file_path": { "type": "string" }, + "threat_detected": { "type": "boolean" }, + "is_anomaly": { "type": "boolean" }, + "confidence_score": { "type": "number" }, + "tags": { + "type": "array", + "items": { "type": "string" } + }, + "raw_data": 
{ "type": "object" }, + "created_at": { "type": "string" }, + "updated_at": { "type": "string" } + } + } + }, + "meta": { + "type": "object", + "properties": { + "total": { "type": "integer" }, + "per_page": { "type": "integer" }, + "current_page": { "type": "integer" } + } + } + } + } + }, + "runAfter": { + "Poll_Vaikora_Actions": ["Succeeded"] + } + }, + "Filter_High_Risk_Actions": { + "type": "Query", + "inputs": { + "from": "@body('Parse_Response')?['data']", + "where": "@or(or(equals(item()?['severity'], 'high'), equals(item()?['severity'], 'critical')), or(equals(item()?['is_anomaly'], true), equals(item()?['threat_detected'], true)))" + }, + "runAfter": { + "Parse_Response": ["Succeeded"] + } + }, + "For_Each_Security_Alert": { + "type": "Foreach", + "foreach": "@body('Filter_High_Risk_Actions')", + "actions": { + "Send_to_Log_Analytics": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs", + "body": "@{json(concat('{\"TimeGenerated\":\"', items('For_Each_Security_Alert')?['created_at'], '\",\"AlertId\":\"', items('For_Each_Security_Alert')?['id'], '\",\"AgentId\":\"', items('For_Each_Security_Alert')?['agent_id'], '\",\"ActionType\":\"', items('For_Each_Security_Alert')?['action_type'], '\",\"Severity\":\"', items('For_Each_Security_Alert')?['severity'], '\",\"Title\":\"', replace(items('For_Each_Security_Alert')?['title'], '\"', '\\\"'), '\",\"Description\":\"', replace(items('For_Each_Security_Alert')?['description'], '\"', '\\\"'), '\",\"SourceIP\":\"', items('For_Each_Security_Alert')?['source_ip'], '\",\"DestinationIP\":\"', items('For_Each_Security_Alert')?['destination_ip'], '\",\"SourceHost\":\"', items('For_Each_Security_Alert')?['source_host'], '\",\"DestinationHost\":\"', items('For_Each_Security_Alert')?['destination_host'], '\",\"ProcessName\":\"', 
items('For_Each_Security_Alert')?['process_name'], '\",\"UserName\":\"', items('For_Each_Security_Alert')?['user_name'], '\",\"FilePath\":\"', items('For_Each_Security_Alert')?['file_path'], '\",\"ThreatDetected\":', string(items('For_Each_Security_Alert')?['threat_detected']), ',\"IsAnomaly\":', string(items('For_Each_Security_Alert')?['is_anomaly']), ',\"ConfidenceScore\":', string(items('For_Each_Security_Alert')?['confidence_score']), ',\"UpdatedAt\":\"', items('For_Each_Security_Alert')?['updated_at'], '\"}'))}", + "headers": { + "Log-Type": "Vaikora_SecurityAlerts" + } + } + } + }, + "runAfter": { + "Filter_High_Risk_Actions": ["Succeeded"] + } + } + } + }, + "parameters": { + "VaikoraApiKey": { + "value": "[parameters('VaikoraApiKey')]" + }, + "VaikoraAgentId": { + "value": "[parameters('VaikoraAgentId')]" + }, + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('logAnalyticsConnectionName'))]", + "connectionName": "[variables('logAnalyticsConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]" + } + } + } + } + } + } + ], + "outputs": { + "logicAppId": { + "type": "string", + "value": "[resourceId('Microsoft.Logic/workflows', variables('logicAppName'))]" + } + } +} diff --git a/Solutions/Vaikora-AzureSecurityCenter/README.md b/Solutions/Vaikora-AzureSecurityCenter/README.md new file mode 100644 index 00000000000..c4ab4c020a3 --- /dev/null +++ b/Solutions/Vaikora-AzureSecurityCenter/README.md 
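Review bot: The `body` of `Send_to_Log_Analytics` builds the Log Analytics record by string concatenation and escapes `"` only in `title` and `description`; `source_host`, `process_name`, `user_name`, `file_path` and the other string fields are inserted raw, so a quote or backslash in upstream data makes `json()` throw and fails the run, and a crafted value can add or overwrite keys in the ingested record (its `Severity`, for instance), which is the field the analytic rules key on. Null booleans/numbers have the same effect, since `string(null)` yields an empty value and leaves `"ThreatDetected":,` in the literal. Let the connector serialize instead: pass an object body whose values are the expressions themselves, which preserves booleans and numbers and needs no escaping. Separately, `per_page: 100` with no paging and no time window means each 6-hour run re-reads the same newest 100 actions, so records are duplicated across runs and anything beyond 100 qualifying actions is dropped.
```json
"path": "/api/logs",
"body": {
  "TimeGenerated": "@items('For_Each_Security_Alert')?['created_at']",
  "AlertId": "@items('For_Each_Security_Alert')?['id']",
  "AgentId": "@items('For_Each_Security_Alert')?['agent_id']",
  "ActionType": "@items('For_Each_Security_Alert')?['action_type']",
  "Severity": "@items('For_Each_Security_Alert')?['severity']",
  "Title": "@items('For_Each_Security_Alert')?['title']",
  "Description": "@items('For_Each_Security_Alert')?['description']",
  "SourceIP": "@items('For_Each_Security_Alert')?['source_ip']",
  "DestinationIP": "@items('For_Each_Security_Alert')?['destination_ip']",
  "SourceHost": "@items('For_Each_Security_Alert')?['source_host']",
  "DestinationHost": "@items('For_Each_Security_Alert')?['destination_host']",
  "ProcessName": "@items('For_Each_Security_Alert')?['process_name']",
  "UserName": "@items('For_Each_Security_Alert')?['user_name']",
  "FilePath": "@items('For_Each_Security_Alert')?['file_path']",
  "ThreatDetected": "@items('For_Each_Security_Alert')?['threat_detected']",
  "IsAnomaly": "@items('For_Each_Security_Alert')?['is_anomaly']",
  "ConfidenceScore": "@items('For_Each_Security_Alert')?['confidence_score']",
  "UpdatedAt": "@items('For_Each_Security_Alert')?['updated_at']"
},
// … unchanged: headers (Log-Type) …
```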
@@ -0,0 +1,78 @@ +# Vaikora Security Center — Microsoft Sentinel Content Hub Solution + +Integrates [Vaikora](https://vaikora.com) AI-driven security signal detection with Microsoft Sentinel and Azure Defender for Cloud. + +## How it works + +A Logic App playbook (`VaikoraToAzureSecurityCenter`) runs on a 6-hour schedule. Each run: + +1. Calls `GET https://api.vaikora.com/api/v1/actions?agent_id={id}&per_page=100` using your Vaikora API key. +2. Filters the response to actions that are `high` or `critical` severity, flagged as anomalies, or flagged as confirmed threats. +3. Writes each matching action to the `Vaikora_SecurityAlerts_CL` custom table in your Log Analytics workspace using the Data Collector API. + +Three Sentinel analytic rules query that table to generate incidents: + +| Rule | Severity | Fires when | +|------|----------|-----------| +| Vaikora - High Severity Security Alerts | High | Any `high`/`critical` action in the last 6 hours | +| Vaikora - Anomaly Detection | Medium | Any anomaly or threat-detected action below high/critical | +| Vaikora - Feed Outage Detection | Low | No data ingested in the last 12 hours | + +## Prerequisites + +- Microsoft Sentinel workspace (Log Analytics workspace with Sentinel enabled) +- Vaikora account with API access +- Vaikora API key and Agent ID + +## Installation + +Deploy through the Microsoft Sentinel Content Hub. 
During installation you will be prompted for: + +| Parameter | Description | +|-----------|-------------| +| Workspace | The Log Analytics workspace where Sentinel is running | +| Playbook Name | Name for the Logic App (default: `VaikoraToAzureSecurityCenter`) | +| Vaikora API Key | Your Vaikora API key (stored securely, not logged) | +| Vaikora Agent ID | The Agent ID to poll for security actions | +| Log Analytics Workspace ID | The workspace GUID (found in Workspace Settings) | +| Log Analytics Primary Key | The workspace primary key used for HMAC-SHA256 signing | + +After deployment, enable the three analytic rules from **Sentinel → Analytics → Rule Templates**. + +## Custom log table + +The playbook creates the `Vaikora_SecurityAlerts_CL` table automatically on first successful write. Fields ingested: + +| Field | Type | Description | +|-------|------|-------------| +| AlertId_s | string | Vaikora action/alert ID | +| AgentId_s | string | Vaikora agent that generated the alert | +| ActionType_s | string | Action category | +| Severity_s | string | `low`, `medium`, `high`, `critical` | +| Title_s | string | Short alert title | +| Description_s | string | Full alert description | +| SourceIP_s | string | Source IP address | +| DestinationIP_s | string | Destination IP address | +| SourceHost_s | string | Source hostname | +| DestinationHost_s | string | Destination hostname | +| ProcessName_s | string | Process involved | +| UserName_s | string | User account involved | +| FilePath_s | string | File path involved | +| ConfidenceScore_d | double | Model confidence score (0–1) | +| IsAnomaly_b | bool | Vaikora anomaly flag | +| ThreatDetected_b | bool | Vaikora confirmed-threat flag | +| TimeGenerated | datetime | Event timestamp | + +## Troubleshooting + +**No data in `Vaikora_SecurityAlerts_CL`:** +- Open the Logic App run history in the Azure portal and check for failed runs. +- Verify the Vaikora API key is valid by calling the API manually. 
+- Confirm the Workspace ID and Primary Key are correct. + +**Feed Outage alert fires after install:** +- The table is empty until the first playbook run. Wait up to 6 hours for the first poll, or trigger the Logic App manually. + +## Support + +Provided by [Data443 Risk Mitigation, Inc.](https://data443.com). Open an issue or contact support@data443.com. diff --git a/Solutions/Vaikora-AzureSecurityCenter/ReleaseNotes.md b/Solutions/Vaikora-AzureSecurityCenter/ReleaseNotes.md new file mode 100644 index 00000000000..5bff0d169d4 --- /dev/null +++ b/Solutions/Vaikora-AzureSecurityCenter/ReleaseNotes.md @@ -0,0 +1,10 @@ +# Vaikora Security Center — Release Notes + +## Version 1.0.0 (2026-04-02) + +**Initial release.** + +- Logic App playbook (`VaikoraToAzureSecurityCenter`) polls the Vaikora `/api/v1/actions` endpoint every 6 hours and writes high-severity, anomaly, and threat-detected actions to `Vaikora_SecurityAlerts_CL` via the Log Analytics Data Collector API. +- Analytic rule: **Vaikora - High Severity Security Alerts** — fires on any `high` or `critical` severity event ingested in the last 6 hours. +- Analytic rule: **Vaikora - Anomaly Detection** — fires on actions flagged `is_anomaly` or `threat_detected` that fall below the high/critical severity threshold. +- Analytic rule: **Vaikora - Feed Outage Detection** — fires when the custom table receives no records for 12 or more hours, signaling a broken playbook or expired API key. diff --git a/Solutions/Vaikora-AzureSecurityCenter/SolutionMetadata.json b/Solutions/Vaikora-AzureSecurityCenter/SolutionMetadata.json new file mode 100644 index 00000000000..d6539a91086 --- /dev/null +++ b/Solutions/Vaikora-AzureSecurityCenter/SolutionMetadata.json 
@@ -0,0 +1,20 @@ +{ + "publisherId": "data443riskmitigationinc1761580347231", + "offerId": "vaikora-security-center-connector", + "firstPublishDate": "2026-04-02", + "providers": [ + "Data443 Risk Mitigation, Inc." + ], + "categories": { + "domains": [ + "Security - Threat Protection" + ], + "verticals": [] + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + } +} \ No newline at end of file From 65bbf3fb3ea12c745696193d36a2bfe9e64799c2 Mon Sep 17 00:00:00 2001 
From: Taz Jack Date: Fri, 3 Apr 2026 11:02:01 -0400 Subject: [PATCH 05/38] feat: add Vaikora AI Agent Signals connector v3.0.0 --- .../Vaikora - Agent Policy Violation.yaml | 64 ++ ...Vaikora - Behavioral Anomaly Detected.yaml | 62 ++ .../Vaikora - High Risk AI Agent Action.yaml | 65 ++ .../Vaikora_ConnectorDefinition.json | 107 +++ .../VaikoraSentinel_CCF/Vaikora_DCR.json | 50 + .../Vaikora_PollerConfig.json | 54 ++ .../VaikoraSentinel_CCF/Vaikora_Table.json | 33 + .../Data/Solution_Vaikora.json | 23 + Solutions/Vaikora-Sentinel/Package/3.0.0.zip | Bin 0 -> 9788 bytes .../Package/createUiDefinition.json | 206 +++++ .../Package/mainTemplate.json | 868 ++++++++++++++++++ Solutions/Vaikora-Sentinel/README.md | 79 ++ Solutions/Vaikora-Sentinel/ReleaseNotes.md | 3 + .../Vaikora-Sentinel/SolutionMetadata.json | 22 + .../VaikoraAgentSignalsDashboard.json | 202 ++++ 15 files changed, 1838 insertions(+) create mode 100644 Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml create mode 100644 Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml create mode 100644 Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml create mode 100644 Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json create mode 100644 Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_DCR.json create mode 100644 Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_PollerConfig.json create mode 100644 Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_Table.json create mode 100644 Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json create mode 100644 Solutions/Vaikora-Sentinel/Package/3.0.0.zip create mode 100644 Solutions/Vaikora-Sentinel/Package/createUiDefinition.json create mode 100644 Solutions/Vaikora-Sentinel/Package/mainTemplate.json create mode 100644 Solutions/Vaikora-Sentinel/README.md create mode 100644 
Solutions/Vaikora-Sentinel/ReleaseNotes.md create mode 100644 Solutions/Vaikora-Sentinel/SolutionMetadata.json create mode 100644 Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json diff --git a/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml new file mode 100644 index 00000000000..77c466267db --- /dev/null +++ b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml 
@@ -0,0 +1,64 @@
+id: c3d4e5f6-a7b8-9012-cdef-123456789012
+name: Vaikora - Agent Policy Violation
+description: |
+ 'Detects AI agent actions that were explicitly blocked by a Vaikora policy.
+ Blocked actions indicate the agent attempted something the configured policy prohibits. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised agent workflow.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: VaikoraSentinel
+ dataTypes:
+ - Vaikora_AgentSignals_CL
+queryFrequency: 15m
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+ - DefenseEvasion
+relevantTechniques:
+ - T1078
+ - T1562
+query: |
+ Vaikora_AgentSignals_CL
+ | where TimeGenerated > ago(1h)
+ | where policy_decision_s == "block"
+ | summarize
+ ViolationCount = count(),
+ PolicyIds = make_set(policy_id_s),
+ ActionTypes = make_set(action_type_s),
+ ResourceTypes = make_set(resource_type_s),
+ MaxRiskScore = max(risk_score_d),
+ Severities = make_set(severity_s),
+ LogHashes = make_set(log_hash_s)
+ by AgentId = agent_id_s
+ | extend
+ PolicyList = strcat_array(PolicyIds, ", "),
+ ActionList = strcat_array(ActionTypes, ", "),
+ ResourceList = strcat_array(ResourceTypes, ", ")
+ | where ViolationCount >= 1
+suppressionDuration: 15m
+suppressionEnabled: false
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1h
+ matchingMethod: Selected
+ groupByEntities:
+ - Account
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+customDetails:
+ ViolationCount: ViolationCount
+ PolicyIds: PolicyList
+ ActionTypes: ActionList
+ MaxRiskScore: MaxRiskScore
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AgentId
+version: 1.0.0
+kind: Scheduled
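Review bot: `queryFrequency: 15m` with `queryPeriod: 1h` (and the query's own `ago(1h)`) means every blocked action is re-evaluated by four consecutive runs while `suppressionEnabled: false` and `aggregationKind: AlertPerResult` are set, so one violation will presumably raise repeated alerts into the grouped incident for an hour; the Behavioral Anomaly rule in the next file has the same 30m/1h mismatch. Either align the window to the cadence, `queryPeriod: 15m` and `| where TimeGenerated > ago(15m)`, or set `suppressionEnabled: true` so the existing `suppressionDuration: 15m` takes effect. The trailing `| where ViolationCount >= 1` is a no-op after `summarize count()` and can be dropped. `Severities` and `LogHashes` are computed but not surfaced in `customDetails`; adding `LogHashes: LogHashes` would give the analyst the integrity hash the connector went to the trouble of ingesting.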
diff --git a/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml
new file mode 100644
index 00000000000..0ef5ffcefe7
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml
@@ -0,0 +1,62 @@
+id: b2c3d4e5-f6a7-8901-bcde-f12345678901
+name: Vaikora - Behavioral Anomaly Detected
+description: |
+ 'Detects AI agent behavioral anomalies flagged by the Vaikora anomaly detection engine with a score of 0.7 or above.
+ A high anomaly score indicates the agent is deviating significantly from its established behavioral baseline, which may signal prompt injection, policy bypass attempts, or unexpected tool use.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: VaikoraSentinel
+ dataTypes:
+ - Vaikora_AgentSignals_CL
+queryFrequency: 30m
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - DefenseEvasion
+ - Execution
+relevantTechniques:
+ - T1059
+ - T1027
+query: |
+ Vaikora_AgentSignals_CL
+ | where TimeGenerated > ago(1h)
+ | where is_anomaly_b == true
+ | where anomaly_score_d >= 0.7
+ | summarize
+ AnomalyCount = count(),
+ MaxAnomalyScore = max(anomaly_score_d),
+ AvgAnomalyScore = avg(anomaly_score_d),
+ AnomalyReasons = make_set(anomaly_reason_s),
+ ActionTypes = make_set(action_type_s)
+ by AgentId = agent_id_s, Severity = severity_s
+ | extend
+ ReasonList = strcat_array(AnomalyReasons, "; "),
+ ActionList = strcat_array(ActionTypes, ", ")
+suppressionDuration: 30m
+suppressionEnabled: false
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1h
+ matchingMethod: Selected
+ groupByEntities:
+ - Account
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+customDetails:
+ MaxAnomalyScore: MaxAnomalyScore
+ AvgAnomalyScore: AvgAnomalyScore
+ AnomalyCount: AnomalyCount
+ AnomalyReasons: ReasonList
+ ActionTypes: ActionList
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AgentId
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml
new file mode 100644
index 00000000000..0041d56cf5f
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml
@@ -0,0 +1,65 @@
+id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
+name: Vaikora - High Risk AI Agent Action
+description: |
+ 'Detects high-risk AI agent actions from Vaikora where the risk score is 75 or above and severity is high or critical.
+ These events may indicate an AI agent behaving outside safe operational parameters, attempting unauthorized resource access, or triggering policy thresholds that warrant immediate investigation.'
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: VaikoraSentinel
+ dataTypes:
+ - Vaikora_AgentSignals_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+ - Execution
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1059
+ - T1078
+ - T1548
+query: |
+ Vaikora_AgentSignals_CL
+ | where TimeGenerated > ago(1h)
+ | where risk_score_d >= 75
+ | where severity_s in ("high", "critical")
+ | summarize
+ ActionCount = count(),
+ MaxRiskScore = max(risk_score_d),
+ Actions = make_set(action_type_s),
+ PolicyDecisions = make_set(policy_decision_s),
+ ResourceTypes = make_set(resource_type_s)
+ by AgentId = agent_id_s, RiskLevel = risk_level_s, Severity = severity_s
+ | extend
+ ActionList = strcat_array(Actions, ", "),
+ PolicyList = strcat_array(PolicyDecisions, ", "),
+ ResourceList = strcat_array(ResourceTypes, ", ")
+suppressionDuration: 1h
+suppressionEnabled: false
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: true
+ reopenClosedIncident: false
+ lookbackDuration: 1h
+ matchingMethod: Selected
+ groupByEntities:
+ - Account
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+customDetails:
+ MaxRiskScore: MaxRiskScore
+ ActionCount: ActionCount
+ Actions: ActionList
+ PolicyDecisions: PolicyList
+ ResourceTypes: ResourceList
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AgentId
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json
new file mode 100644
index 00000000000..56f1f7fc4c0
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json
@@ -0,0 +1,107 @@ +{ + "name": "VaikoraSentinel", + "apiVersion": "2025-09-01", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "location": "{{location}}", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "VaikoraSentinel", + "connectorId": "VaikoraSentinel", + "title": "Vaikora AI Agent Behavioral Signals", + "publisher": "Data443 Risk Mitigation, Inc.", + "descriptionMarkdown": "Ingest AI agent behavioral signals from the Vaikora API into Microsoft Sentinel using the Codeless Connector Framework (CCF). Monitor agent actions, policy decisions, anomaly scores, and risk levels to detect suspicious AI activity in your environment.", + "graphQueriesTableName": "Vaikora_AgentSignals_CL", + "graphQueries": [ + { + "metricName": "Total Vaikora agent signals received", + "legend": "Vaikora Agent Signals", + "baseQuery": "Vaikora_AgentSignals_CL" + } + ], + "sampleQueries": [ + { + "description": "High-risk agent actions (last 24 hours)", + "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(24h) | where risk_score_d >= 75 | project TimeGenerated, agent_id_s, action_type_s, severity_s, policy_decision_s, risk_score_d, anomaly_score_d" + }, + { + "description": "Anomalous agent behavior (last 7 days)", + "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(7d) | where is_anomaly_b == true | summarize AnomalyCount=count(), AvgAnomalyScore=avg(anomaly_score_d) by agent_id_s, action_type_s | order by AnomalyCount desc" + }, + { + "description": "Blocked policy decisions (last 48 hours)", + "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(48h) | where policy_decision_s == 'block' | project TimeGenerated, agent_id_s, action_type_s, resource_type_s, policy_id_s, log_hash_s" + } + ], + "dataTypes": [ + { + "name": "Vaikora_AgentSignals_CL", + "lastDataReceivedQuery": "Vaikora_AgentSignals_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + 
"type": "HasDataConnectors" + } + ], + "availability": { + "status": "Available", + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": false + } + } + ], + "customs": [ + { + "name": "Vaikora API Key", + "description": "A Vaikora API key (vk_xxxxx) with read access to the actions endpoint. Obtain this from your Vaikora dashboard under Settings > API Keys." + } + ] + }, + "instructionSteps": [ + { + "title": "Connect Vaikora AI Agent Behavioral Signals", + "description": "To enable the Vaikora connector, provide your Vaikora API key and the agent ID you want to monitor, then click Connect.\n\nYour API key is available in the [Vaikora dashboard](https://app.vaikora.com) under **Settings > API Keys**. The agent ID is the UUID shown on your agent's detail page.", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Vaikora API Key", + "placeholder": "vk_xxxxxxxxxxxxxxxxxxxxxxxx", + "type": "password", + "name": "vaikoraApiKey" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Vaikora Agent ID", + "placeholder": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "type": "text", + "name": "vaikoraAgentId" + } + }, + { + "type": "ConnectionToggleButton", + "parameters": { + "connectLabel": "Connect", + "name": "connect" + } + } + ] + } + ] + } + } +} diff --git a/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_DCR.json b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_DCR.json new file mode 100644 index 00000000000..fcacf1d5079 --- /dev/null +++ b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_DCR.json 
@@ -0,0 +1,50 @@ +{ + "name": "dcr-vaikora-agent-signals", + "apiVersion": "2024-03-11", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "{{location}}", + "properties": { + "dataCollectionEndpointId": "{{dataCollectionEndpointId}}", + "streamDeclarations": { + "Custom-Vaikora_AgentSignals_CL": { + "columns": [ + { "name": "TimeGenerated", "type": "datetime" }, + { "name": "payload", "type": "dynamic" }, + { "name": "timestamp", "type": "datetime" }, + { "name": "action_type_s", "type": "string" }, + { "name": "agent_id_s", "type": "string" }, + { "name": "status_s", "type": "string" }, + { "name": "severity_s", "type": "string" }, + { "name": "policy_decision_s", "type": "string" }, + { "name": "policy_id_s", "type": "string" }, + { "name": "risk_score_d", "type": "int" }, + { "name": "risk_level_s", "type": "string" }, + { "name": "is_anomaly_b", "type": "boolean" }, + { "name": "anomaly_score_d", "type": "real" }, + { "name": "anomaly_reason_s", "type": "string" }, + { "name": "threat_detected_b", "type": "boolean" }, + { "name": "threat_score_d", "type": "int" }, + { "name": "log_hash_s", "type": "string" }, + { "name": "resource_type_s", "type": "string" }, + { "name": "action_id_s", "type": "string" } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "{{workspaceResourceId}}", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ "Custom-Vaikora_AgentSignals_CL" ], + "destinations": [ "clv2ws1" ], + "transformKql": "source | extend p=todynamic(payload) | extend TimeGenerated=todatetime(timestamp), action_type_s=tostring(p.action_type), agent_id_s=tostring(p.agent_id), status_s=tostring(p.status), severity_s=tostring(p.severity), policy_decision_s=tostring(p.policy_decision), policy_id_s=tostring(p.policy_id), risk_score_d=toint(p.risk_score), risk_level_s=tostring(p.risk_level), is_anomaly_b=tobool(p.is_anomaly), anomaly_score_d=toreal(p.anomaly_score), 
anomaly_reason_s=tostring(p.anomaly_reason), threat_detected_b=tobool(p.threat_detected), threat_score_d=toint(p.threat_score), log_hash_s=tostring(p.log_hash), resource_type_s=tostring(p.resource_type), action_id_s=tostring(p.id) | project TimeGenerated, action_type_s, agent_id_s, status_s, severity_s, policy_decision_s, policy_id_s, risk_score_d, risk_level_s, is_anomaly_b, anomaly_score_d, anomaly_reason_s, threat_detected_b, threat_score_d, log_hash_s, resource_type_s, action_id_s", + "outputStream": "Custom-Vaikora_AgentSignals_CL" + } + ] + } +} diff --git a/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_PollerConfig.json b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_PollerConfig.json new file mode 100644 index 00000000000..0f1b824cba4 --- /dev/null +++ b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_PollerConfig.json 
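Review bot: The `transformKql` reads every field out of `todynamic(payload)` and takes `TimeGenerated` from a top-level `timestamp` column, but the poller config in the next file emits each element of `$.actions` as the record, and the Logic App schema for the same `/api/v1/actions` endpoint earlier in this patch shows `agent_id`, `action_type` and `created_at` at the top level of each action with no `payload` wrapper; if the API really returns actions unwrapped, every `p.*` extraction is null and the table fills with empty rows. Please confirm the envelope shape against a real response and, if needed, read the fields from `source` directly. `TimeGenerated=todatetime(timestamp)` has no fallback, so a missing or malformed timestamp presumably yields a null `TimeGenerated`; `TimeGenerated=coalesce(todatetime(timestamp), now())` keeps such records queryable. Minor: `risk_score_d` and `threat_score_d` are declared `int` while the `_d` suffix conventionally denotes a double in these tables, which will confuse anyone writing KQL against them.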
@@ -0,0 +1,54 @@
+[
+ {
+ "name": "VaikoraAgentSignals",
+ "apiVersion": "2025-09-01",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "VaikoraSentinel",
+ "dataType": "Vaikora_AgentSignals_CL",
+ "dcrConfig": {
+ "streamName": "Custom-Vaikora_AgentSignals_CL",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{vaikoraDcrImmutableId}}"
+ },
+ "auth": {
+ "type": "APIKey",
+ "ApiKeyName": "X-API-Key",
+ "ApiKey": "{{vaikoraApiKey}}"
+ },
+ "request": {
+ "apiEndpoint": "https://api.vaikora.com/api/v1/actions",
+ "httpMethod": "GET",
+ "queryParameters": {
+ "agent_id": "{{vaikoraAgentId}}",
+ "per_page": 100,
+ "page": 1
+ },
+ "queryWindowInMin": 360,
+ "rateLimitQps": 1,
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Microsoft-Sentinel-Vaikora/1.0"
+ }
+ },
+ "paging": {
+ "pagingType": "PageNumber",
+ "pageSize": 100,
+ "pageSizeParaName": "per_page",
+ "pageNumberParaName": "page",
+ "pageNumberStart": 1,
+ "hasNextPageFilter": "$.actions | length > 0"
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.actions"
+ ],
+ "format": "json"
+ }
+ }
+ }
+]
diff --git a/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_Table.json b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_Table.json
new file mode 100644
index 00000000000..db016bfccb2
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_Table.json
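Review bot: `queryWindowInMin: 360` is set but the request defines no `startTimeAttributeName`, `endTimeAttributeName` or `queryTimeFormat`, so the window is never sent to the API and each poll starts again at `page: 1` and walks every page the account has, re-ingesting previously seen actions unless the endpoint dedups on its own; either map the window to whatever time-range parameters the Vaikora API accepts or document why re-reads are acceptable. `eventsJsonPaths: ["$.actions"]` also disagrees with the Logic App in this patch, which parses the same endpoint's response as a `data` array with a `meta` block, so one of the two envelope shapes is wrong. `hasNextPageFilter: "$.actions | length > 0"` does not look like a JSONPath expression; if the runtime evaluates it as JSONPath the filter never matches and paging stops after the first page, so it is worth checking against a documented `PageNumber` example. The `User-Agent` still says `1.0` while the commit ships this connector as 3.0.0.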
@@ -0,0 +1,33 @@
+{
+ "name": "Vaikora_AgentSignals_CL",
+ "apiVersion": "2025-07-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "{{location}}",
+ "properties": {
+ "retentionInDays": 30,
+ "totalRetentionInDays": 90,
+ "plan": "Analytics",
+ "schema": {
+ "name": "Vaikora_AgentSignals_CL",
+ "columns": [
+ { "name": "TimeGenerated", "type": "datetime" },
+ { "name": "action_type_s", "type": "string" },
+ { "name": "agent_id_s", "type": "string" },
+ { "name": "status_s", "type": "string" },
+ { "name": "severity_s", "type": "string" },
+ { "name": "policy_decision_s", "type": "string" },
+ { "name": "policy_id_s", "type": "string" },
+ { "name": "risk_score_d", "type": "int" },
+ { "name": "risk_level_s", "type": "string" },
+ { "name": "is_anomaly_b", "type": "boolean" },
+ { "name": "anomaly_score_d", "type": "real" },
+ { "name": "anomaly_reason_s", "type": "string" },
+ { "name": "threat_detected_b", "type": "boolean" },
+ { "name": "threat_score_d", "type": "int" },
+ { "name": "log_hash_s", "type": "string" },
+ { "name": "resource_type_s", "type": "string" },
+ { "name": "action_id_s", "type": "string" }
+ ]
+ }
+ }
+}
diff --git a/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json b/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json
new file mode 100644
index 00000000000..ff7d285ced7
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json
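Review bot: `risk_score_d` and `threat_score_d` are declared `int` while the `_d` suffix conventionally marks a double in Log Analytics custom tables, which reads oddly next to `anomaly_score_d` (`real`) and will trip analysts who infer the type from the name; either type them `real` or drop the suffix, and keep the DCR stream declaration and `transformKql` (`toint(...)`) in step with whichever you choose. `retentionInDays: 30` overrides the workspace default, so the analytics rules and workbook only see 30 days interactively and the span up to `totalRetentionInDays: 90` is only reachable through a search job or restore — if that is intended, say so in the solution README since this JSON cannot carry a comment.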
@@ -0,0 +1,23 @@
+{
+ "Name": "VaikoraSentinel",
+ "Author": "Data443 Risk Mitigation, Inc. - support@data443.com",
+ "Logo": "",
+ "Description": "The [Vaikora AI Agent Behavioral Signals](https://vaikora.com) solution provides the capability to ingest AI agent behavioral data from the Vaikora API into Microsoft Sentinel using the Codeless Connector Framework (CCF). This solution deploys a REST API poller connector, a custom log table, data collection rules, analytics rules, and a visualization workbook to help security teams monitor AI agent activity, detect behavioral anomalies, and investigate policy violations.",
+ "Data Connectors": [
+ "Data Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json"
+ ],
+ "Analytic Rules": [
+ "Analytic Rules/Vaikora - High Risk AI Agent Action.yaml",
+ "Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml",
+ "Analytic Rules/Vaikora - Agent Policy Violation.yaml"
+ ],
+ "Workbooks": [
+ "Workbooks/VaikoraAgentSignalsDashboard.json"
+ ],
+ "WorkbookDescription": "This workbook provides visualization and monitoring for Vaikora AI agent behavioral signals including action timelines, severity breakdowns, anomaly detection, and policy violations.",
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\VaikoraSentinel",
+ "Version": "1.0.0",
+ "TemplateSpec": true,
+ "Is1Pconnector": false
+}
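Review bot: `BasePath` ends in `\\Solutions\\VaikoraSentinel`, but every file in this commit lives under `Solutions/Vaikora-Sentinel`, so the packaging tool will most likely fail to resolve the listed connector, analytic rules and workbook; change it to `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-Sentinel"`. `"Version": "1.0.0"` also disagrees with the packaged artefacts added alongside (Package/3.0.0.zip and `_solutionVersion` 3.0.0 in Package/mainTemplate.json), which suggests the package was not regenerated from this file; set it to `"Version": "3.0.0"` (or whatever the intended first release is) so a rebuild reproduces the checked-in package.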
diff --git a/Solutions/Vaikora-Sentinel/Package/3.0.0.zip b/Solutions/Vaikora-Sentinel/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..1f055043aaa477c928d64aca08932a53d3f368d5 GIT binary patch literal 9788 zcmZ{qRZty3x21vL?ry;e?he5%NN_#4AKcx7y9Xz@2X}XOIM~76-DUFMTQfCPGq?L; z*Y4`|w7aTT_qUbhzd&O{KtRAl2x$iEt@2kXzYsw{q<2F=VEkLPHL|i(GqZI78o8J; zTRYp^o$G%(uQerpcKX9e`Et|=qyk6XvK~$*THWSeG8+79*ESTg9O*GrwNwk`l-<_5 z-Y%P??4f18=TiyD>h9aUFgn$0G2$Yf!698uPs3ZiM}<)Gqv{wWES1vHoK>9LUKa|W z&Kb%Kb27E{lFeti^#d6uDI!_TE1a}@y}x%z-Zgr&MO?a*Ov6O? zm?O`La05{Y1 zoaU9JnyPRc@0V#YKRRTtseZk*rM4KeH_#`TBjczeVhWSaPH3CZ+dxiVgb^c?kRaQG zk8tByLT8t^UrFBGm8|YECB4EK!LQtKi*oLRxA*h6Xsto}9-iDzG7e{WJUzWs@|#!M zJ`WJ{S3`m6TgrOOj)R1;6h+2xv+}NMP7L4kIAuOkL*c^Z^JiC@uj(O4qDmcxxwM$a zFid$x>XnPcNp~c?Mz=57vy{}R@Jo~AEb5F#jgg$PN7fAbr?q{GTivY2 z4yna5Z_m{)O@PPs0!oANHtdItMehAG^*`3&``!I=RTjhAPuPhsFl2;geGD36chhvN>Va%#wd0W1oiM zcD5KZo=q!-Rm&*RzqgGa?j`>dS`s=+ujn!Vmeij@<5j>1Yp*uT-6wDB>Y4ekv7uv7ZcLPAq)AjsB+wtrQ3;4UPi(demT zaacPe=yu{}cb6l#x*8}}>&6>%mxSd-QoW%SB11K-QPj$JaVPItY^U(8trHpM(x$L z;!V@FhXv~{amePX=K?wX%zTdo*&Ogtjf&CQYM5K&*LJf?b~l}Sa)db|8aUJ=!9t>Q zNMyKcGLseFO&AjrQC3yMD0cU-8Gkxh|+V zey#Heutp1iK%E~K8y{FcD(vjfrBkfZeq}|@go?KcpP3o&+nPeTedc@~ zec+CZ@Sm@4+8pBGoUf+dHr45Ho{JMi+ugyG@HRRi#$!>59vCvd5oo9`+J;ydrU?{&H2StEg1aYLe{3B z;NE#unT5-MXb_3`P}j7Z`~Mb#<4oHp31`>c+(o+1xvl4j*VKFC>_zhsVyjXD^cZg( z6hbW*;T6)dgdR`r)b}i%LYYtQGi@mE9||Te+=I2Fv`V%P>ej1Pc$`-OET8BMLG8VB zsn1c^;;g?*Ab&;`#Ed~O$f?|`6SYbZY1g?B;k4-5o5ZBHY>W+!Hd&d9ngq^d@O1QY zo$W17TxqRQa^$0xeLL?%=@yKLiErti-^AJSvPhg?`@NBpj5((53ZFivMW+Y5v{7ef zXdeuKom%tS#colhD3xjrSF|LoB~t|>yoI6Wks6!t`Z?9Hti)ecv3m zDts_;$)*AGhO3(KXe5#P`38?(>qJ&7wagou<_br_-03U+YCJ?}eiOA(e4{os6@>`|)K_z2pX2YQFkcrN|)p zgR7uRBBT-VGlneL^!$NYWQ$BHe!sbVNidZ;CBMJ@qW;GB69brMg=Fw`HJ?IQOFR4y zv|g4dJ!+CJw3oB;xSyNcPQ!?vH=!zQl1Pd06a^ygRCp8K4OA7xYc7zOtb6$^QIlX9 ztpnW^4(be9#rupJr^+J)$6(1+nF1g&o$Z z;%FX3t&P6rFP@`9$WCJOYrNAc7tQODga^H*cbD{&y`{`EC*Lj}$MmucNV>D8iw-mv 
zMAE2l=2$guc-3$WOkrHY=DKE5PO`E>v6~&TRU7~aAy5fs-dX*OHoGuzkOj*@ui7#0 zxPF%&FH2=KxIJ0l)0R}tUXKN?^hoS*Q$-U{*7qsjh1j963^PAyK7~tK_e7j{E-6Uo z?X4mKNm6?&U)6rw-aSfXW>PLvBA`BO6@AP(hzkk( ztV9$E+AyLDLXlJ5f$2A}$;$UpDu>=mWGgj~IfSA5^_fd=*PK(r+A>%Jtx0TXfo9a>eh0(_*NH$rNEd!bztVf4{wtVcY1bw_PWKZ4#P} zXeoL+0^;?k4xlj%bihWNSi$koyhXE{C60=ek9}nn=Mg0BC%=NV&3fMzGgKKIrwCm_ z82i>>BzV=I_?$OH7k;6pwPY1cdku)BMZD$;#E?nTqJ_L&*c9UwsiQ;UUT@C7Y9m%p zy=g!=h+mElolhS>=;Wp*@+m1SNLfqm|*9n8me7PxR1sKQv@t}utl0#_JZ~! zT?=RI*cBXOg-T$camA%_=p(d2=TaT3K*3@*clKPTz-c6YZR4C7qntZW(-nv5qR%Mg zhVYFE#32{XHp#u2dYtkX#4xT)bmpOB1eJt#h>y@5!YE!K61@s$-<@|sU(N$(s#pQlj(zKfRKs?S|EJy}PW+~LCO!B6fA&eKf3SA~o# zx1veXQ3;n=w8iGS0^dv@=B@)v=M=2bvYbS@FV^nu7yiV4&4PUUz=%Y1guTsl7XKow z10n?4+iNmae*ZE5B4}iD;p-e2&jgh;tL-z=5}t$VeK1%bw6|WmXbhKG{Ab#COGbx~ z#uNTkQ;d-(%WUisd1x#-MZ5tr8|ErYIs>tQ6;$%gqw-%lOUL-W3LWE*mSxllV|dO@ zvRRyAGz(A0Vvn9E-gv5JvBYfJdc?Z;=bkc=Z;<8Aup$iT9g$EPqc!h}D|J3;!=t(g zawNajbHX4|*xIIm;m`A7I)KkmEi8thYg11QMxS+4N;DrX zlYGcWGd_4?*N_{pQ)_M1#;Q;pf~tHJ=aR`iNO4n0Sf6$;�qEJ?%UmaIVU_p@*fM1# znKkvWokx_-(D|e@>~36}Sfleby_IuT)X!wIpz+R{)XHPq%HjM;a;18OI!IV?(u^tVbmyL)DtMK=$N^$YjYtX$7f)B zv;wTJvqh3%=kcE70su1vI&ous5TUIBYz9#lndV)=_d3F07b?-;E-7i5OMtrI_;C|2 zw>(IDNa%fW$*=m&qeVWb62U5*mvd%XqYbQo_^d#=g$ASx=2cqQSx2Wx8Xk`R zez$VhtBO1E-B$KcuPTNjc}7WfcSkz}>ij4k(n>n%2Ri5-`00(?(6cfj=Ja(rOhSCbrMY~>y_Q4{)5pKpo z$JB^!z4skoLaC%_c;B0gU=D66z^=;~M!Qy+w(b7uepUCdLOo14gjwZS`8hPquJHOa zNyvPcSN^m?2L!$PNe*X8iXi}-rW-Js{bvx=ER&I&S>{;|d#LYHTqU|eZicJhcP7qH z(V`JFp^fG39FPs@(P+w?Xy4Y{#HrEO4QbtfCbaL}{>W2e8zYaKQuKY6VA>8$zWHeW z(vZzJz%|Qcv83hnV*%Rv4gqa<`V5|HxPQ00GH&|x%KNpcnPfqO2$q5IH4?WV+U9-j z5YLW12gRRT1Whvd2p|a$cRF0gy7GWnzZ4*DZ!s)Qg`j7Y)eYI*qda|~IIqd(6$PeM zykLqhH5l4$dE!yBJZp`xOo$Rk9vQ7a|q@H^T~?|@2Mrj!Qem~yK`^m2^%OK7kE+_94i^Z9$v(X-3BOCEqBQG#+iuc zhl-29=PgZ|1!?c#)7ldZ`P-jsJ$6*ngOnoKt8id^$X74e_c4t1br;fCwGo8P5JS_# zY2nlQH|vjs65zrNIvm_}3k>an0Imnbu3_$$=$ojU{IfPjV|&nLJWto49**etUXW>+`xbqlp`Jk89%NzYxlaNDm?$uIFKa8veo6Or;xbG~g*oqDES**fTC;0Uq zkKa7P^N6t~ 
z5KZE4gcSyRg1C()n(j3w&)!yRr+|C)+0~3PS-C7wKNH1=fI|&~!Kr4Tf_ysoHHOl) z1o~vft|Y1>AF}u+(CxFh%B!Wm^W?!(C?8y3e+Ah4g4ovKv@{I^d|N2iu{+U~M)<8rHxa{A< z&1@Uj*I9vZ7`~_GQvC@ns!CVwN9Sk$5yV?@!6iF!@0}$VeWj5*A2}~h~X3;6<4+X4CnD6<2HrGXlMe!?Y|H2y0XZ5bc zN9a2TLu^4#xia~6oCPXPYxh#*S6l!YCJry5xpD@KY>?iBZg+#2rOi5of5X!5P06d6B^HDwDHKPN-$xX&g2sA z=6YmY>8LjuU)U4GJK%-k{+s|2zAQ>=g!thRNc#ISwurzXUHq-xk{$?p-5|){L`LFf z2krUV?nxY6e5lTBmBUon`@VI~ZiS{&dVXZj7=nDODH2F{6HcLnI0(NITL3l+n6+^t z&U+GOT;MBY99vb%Yj@5v&RozqwbrSnp~#x5Ef+mlIhaXy$g(Su@q1p#&XW2DYeu#^@GG4o(mV zaHYrCIWbE^q-wexln7XI4QyW7^Vgyw}oP^@!tK2Zo$B0q;jI@O&wu9 zeAkRPo9d5C6LocW2MD28zD7!2FSrr}kuBe=bxFC2NSZ$W0`z0X33sFXhIW|Z10K!)ARm7NdmSS4+zx8yKx%x3kLqb}A~f~&NxUJZHD1l1#4l z{Eh>b_zsBg4q6a!UBh1z>s7H#)?-u577l6wK|I6aSr!KrK z!olW8l_MKiW$=54yh(hFpXi27)*UC}P5$dGeB& z9F62sRLUDdllvkkB<_XCwJO%N4_<*<#dYhS@@7seS(bUpHJDn6OmQX!V)Tyd;PsfH z1DG?^)>zRzV5@atln?iZ#Kg}lmnCcFsj;lat1IpX>&4xrqBzFgJ}Gxjo zsp(BPrcLzt74ufPcOb*F{=nLYt-}Wsk@SQ|FG6(=K=uF!hZ~6Qj4&kSbBXS(Airj@ z6n-ZNEv)aNI<$}9)Bq<$pH9yU8@oyS_qW#SpUYf`?NUZ~gp&ST*tiTtJso=OIK5&D zAWH`Ab4=+Xb6@}6EO{auxuL#JMIACUoFDgivag^ZRdpow>gTL+d=X@z^$L+32%S0` z1geOk*9Rzc1ECoR;h1%9k!p;6PTqb*0zA02U3{Z9-=d4Gx8f)`x?{A*)zx#G!$xS* zrGB$~b6^hwDH~CgI(~8xe3x*>GIRgEs5x!~-f1R~si~LvVMB&dH92;hmLeZ3G#Rk% z9-R1u23bZPC&IF5>a_B5Qg<(|p}ZFa($Q~fV%BvO9YzLpLW(sAKGnm;?b8JsToFrS zu)IGXDhP{sd8YS$8f<~IQfBgKxc7rvu_9{c|5)@uQuJ7ZnR^8^;$S)lE&xp%!C9q9 z%o!~d$YiM~D^=VB3j>ecv?VicRq(N^*F3_!9^9nsn?$w%9W9pDkx24{L#y$>gX2nn zb*FbvUtHnC!Z5!Nu}oA**eKY6QT)TV+2XgYeDzkXzG2n*x_Q*FP%UT{65Xipv!5_N zJ4v$rs?{|(@6CPNZP2q2Q`nQ9VO6}p;kePG)oI1c*L2%zW``4Y;ti&NO;bOf|KW6c zl;)q%<=dku8Sjf;@^HA??4^>!IIOe-6~W}%BUWGGR$0w{$!*jz>~TEw&RP7G_a%Q$ z)9JR%r1R6IEvmq?JXhIBs;l`=nZB;7iuCtt_CX?RD@=iu!f)q2uS%jK_s(DXP7dfV z15s3RDLh$CuqU4zqHF!q(Y#F8NnH(gOg6SnJkQ6%n4)iyQ{wb~=hoMVX#RYq3fZ;6 zTQtF|f5A&LfAjtKdsx@KdwB-plz0s0kdt0-qJq_)Cmk-bbv=OtEO*5EJzKdnZa!-c zrF9-EPthD`^cua>&=j?aZ%(mzA|ze$716T*WhcUFt@wu?Zp>N(ZGeNM{4AoFnPtVE zUcc?sb*!50#!E}F*P2?!q?ma4{-&#QK>yyT1oX~~HFj|~Hq(7~%vEk=3DyV=aX_i) 
zo0*sK@_)6~o^MfH(7b5%V8_K>VhY|i(u*$sLi&2Lc=hnpbIn#-GJ*uhv);C*sh3+~ z6kT*AKszj6zqZt01g`&FyG4z_qVi?13b!~OnIpmf54I{&-Vzb1?PB^zC+cE>V2A&J z5DHwL>dnKMnN}Us)5?+gQAnW31m?__(y3r?)8qSxey>-f&i5^1rnrvDJcsKPHv-a& zT{ZRZe*3-%WC54QfqccB{a9R=Z-d>drs?}?S&h?5KyHQZT{}hbO&pU8WTE?Ed*t8_2FXD?D_TJ5u^s32FyA~pEqMHmcAHm`hw*JLn`vWxw!^c)--QOj1sh6 zwnlzT({6on(3oAEU`*rC7c2^@VU{QpwGwu$yD#w55seVcM!J^M;WSu%do|=Rev!%1 z^_)^GRSUbi9^KSGoerrn@~e3}2kjG3JrNyI#6P{fZ-7I^bIAR|>hUC2nWo1U^gJd_6qol2 zht+LWr6mrky|Yq?PIJP_!L7LL^fna~xBDIU3H3O}?ODY}LOPaaQcYL0XtXI{^()L4 zI4=K8Rf34iFMg5RPPvqvA{_f0_j)f#*j%=gz>TwCWzy|SSCIDFuUhB&XXQm<0?kjg ztL@7O#bM*k+&;2EbB8`Mx?G3Nu(5>@g9FXdWR;PjxKc-%2p#>$YUn;r*BViun_OR3k|{g zH(!gH`ds}&!JWc+7q@w6k*(oA9E)`9WZTskYLbj>lvrLK=~EZ`q_0ob z#u5>-nJ|9(CRe1JTtA2S#WD7WxYV^fyuV^>EuHh9;u=isEMZVt)BG=ik4c_5X6%0t zh4dVhWjPu<$cMOYrj4CLu@RT;jLpsLeT(P!*XcSjqG9L9y$@eE$GZ4bu40o$I=4!7 z*+>rHa1oo9rVWj=MluJriN*@EaZWFBacHrG9)4$XgiKzv?$I3EltW`tG>ob-!jvFa zpSa<~mLLr{$E?+D0)Cz7)WxkDg-vd3`Lt&4K*cI&Ih+LX2$kzwM5>vK^t2((ZziNR zV%`AJW$mjX!2=d0QM?n(f%OuK9psB=oxFJv!?bP3sI+MYc``bTANRT(lc>^y93g7+?Qfa&Y zO%4CnLYa2Rzl(@orkug@C;vynPpv-~5H_%4``gBp>_aGQ3(zpef$`zDEw~}@SqOt3 zZ{GAqo20nva)xq%NJFH`y%}{PODRXT`Ik9{(Z$uTFfhKJ$1V`{MS1$Ca~{^Z4$u@K zG=tR0e|whJqGpEU0f_#Y^M^s1f)cQ~Kk+ZWHGdI6dm{9ve1KcqpZmRc(2wGPMG^?y7T2$BC}P2VM?I!+A%YUg1XcWD4H~qG$z;C}X>smhflV6& z36infu?THQk_2X@nv09+-2#XaVl|P4lY|&qBW?7&3ci`fp>lg=y2t{>M6ncY83E8yYXDNad&ui!M|@IwmDh{I z=k|x`Ct1=vocD|ys9^Whx4A8I4Rw|*4@Ho@jaN*_28%%$E3(uZLz#||u|ZC(#N#YG z2zr^tef$<-fLaZxsX|X>{G@YO4ik)vcox=6en&O+5E?E6aE9UWZZ_+{hlNKKXGMN& z3)m!*l&2u8kF*=e@jD!cqgwtmKixa4=6&^OIdRem7>W7LnyhG=gO*{!5Q^jWu#pSn zor{u_h4L^IJ@Qt@wkALnJq-&;`T$o5)d*h(C2d8&q^&2bc-1TREP19-mwJE`spu|k z5iMB)VoOIzALb^ol?EbQ05O^Hl9mTeNHZF3=b9&wggwo6?WlT0$h71ikYyiEuM!|b z-OM(4GrM-^c&bEziT^Dkd{yrK*2TluE~09}`tWz@w4)klSeH5to0fUd$_ybaz%^`c z9)jy9Zf!7M-kP;oCv(%WUcX6T38bLbNb}=WiFw)0lwC=Zhet=f-6 zcNJNe1ftTurW^a3n2=c*NGJOz^16B05{@oXbrjIriIUbNwKRBy`h6ZyjqM<%3;N0i z({fq;aM+fn#XFY;g9|>t2;OW>P4VLT?KCKC;#V_UVLh;L_MfFRq-Bl{i(anSK)Gt3 
z`z^jgJsb$=!O{7j&?tKbod)6*YC!tz3E8&yV`p%y)x(IV*0L>P2wB8+7X=a{j|~qn35=9_8(fK>Ln6^FvYOsu=glhJCpOJ;3pPWxy}!OG zK|Ndu^?@PRGR8@swwE$sXx(zCKkkM_AGSeID_xFcnGC3J)C<&2w6PuR+9M9oLLH!l zw+w9^l>7H1$6!~ra)|pEm%Q>`f)o9jkX5zX$i&%eNV@k_a{Sa1z<#k5!nm z=2;RnvA`^r4~rw8JAxSk_M>rD9bf%84G|_*GGC^iO6M{%#!AaGmJQsRXe!T=pSr78{&rp;XTBHr{_V1;qqM{0Q20dI zN?It9x@Bn)Rwr8kV)YB&ZCLIxe5&>|4h1y-a;qF0=)M%E+&4XV#S^g0fds-P>&-2I z{ioNhJNsy-z|%FkEgw(ar`vVR`aj)h?yLUda{l={d{Z$g;m2`c=O0a!wImXH?~aM- z>Uw#y;SZ@S4+(|+<$vzc`scp>YXk)TC;UGhTmQHG|L5HPTMPja5J*q_Kl(Ujc^KIL QY=rtZfBlR3)c?u;7x}pm@&Et; literal 0 HcmV?d00001 diff --git a/Solutions/Vaikora-Sentinel/Package/createUiDefinition.json b/Solutions/Vaikora-Sentinel/Package/createUiDefinition.json new file mode 100644 index 00000000000..c4fb814ec6a --- /dev/null +++ b/Solutions/Vaikora-Sentinel/Package/createUiDefinition.json 
@@ -0,0 +1,206 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Vaikora AI Agent Behavioral Signals](https://vaikora.com) solution ingests AI agent behavioral data from the Vaikora API into Microsoft Sentinel. 
Deploy this solution to monitor AI agent activity, detect behavioral anomalies, and investigate policy violations.\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": true + }, + "visible": true + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + 
"text": "This Solution installs the data connector for Vaikora. You can get Vaikora AI agent behavioral signals data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Vaikora - High Risk AI Agent Action", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Detects AI agent actions with a risk score of 75 or above and high or critical severity. Triggered when Vaikora scores an agent action as dangerous, which may indicate prompt injection, unauthorized resource access, or dangerous tool invocations." 
+ } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Vaikora - Behavioral Anomaly Detected", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Detects AI agent behavioral anomalies flagged by the Vaikora anomaly detection engine with a score of 0.7 or above. A high anomaly score indicates the agent is deviating significantly from its established behavioral baseline." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Vaikora - Agent Policy Violation", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Detects AI agent actions that were explicitly blocked by a Vaikora policy. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised agent workflow." + } + } + ] + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "This solution installs a workbook to visualize Vaikora AI agent behavioral signals in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." 
+ } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Vaikora AI Agent Signals Dashboard", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Provides visualization and monitoring for Vaikora AI agent behavioral signals including action timelines, severity breakdowns, anomaly detection, and policy violations." + } + } + ] + } + ] + } + ], + "outputs": { + "workspace": "[basics('workspace')]", + "location": "[location()]" + } + } +} diff --git a/Solutions/Vaikora-Sentinel/Package/mainTemplate.json b/Solutions/Vaikora-Sentinel/Package/mainTemplate.json new file mode 100644 index 00000000000..379eeca86c2 --- /dev/null +++ b/Solutions/Vaikora-Sentinel/Package/mainTemplate.json 
@@ -0,0 +1,868 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Data443 Risk Mitigation, Inc. - support@data443.com", + "comments": "Solution template for VaikoraSentinel" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "Subscription id where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Vaikora AI Agent Behavioral Signals Dashboard", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "support@data443.com", + "_email": "[variables('email')]", + "_solutionName": "VaikoraSentinel", + "_solutionVersion": "3.0.0", + "solutionId": "data443riskmitigationinc1761580347231.azure-sentinel-solution-vaikora-sentinel", + "_solutionId": "[variables('solutionId')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + 
"dataConnectorCCPVersion": "3.0.0", + "_dataConnectorContentIdConnectorDefinition1": "VaikoraSentinel", + "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", + "_dataConnectorContentIdConnections1": "VaikoraSentinelConnections", + "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", + "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "blanks": "[replace('b', 'b', '')]", + "analyticRuleObject1": { + "analyticRuleVersion1": "3.0.0", + "_analyticRulecontentId1": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a1b2c3d4-e5f6-7890-abcd-ef1234567890')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a1b2c3d4-e5f6-7890-abcd-ef1234567890')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a1b2c3d4-e5f6-7890-abcd-ef1234567890','-', '3.0.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "3.0.0", + "_analyticRulecontentId2": "b2c3d4e5-f6a7-8901-bcde-f12345678901", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b2c3d4e5-f6a7-8901-bcde-f12345678901')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b2c3d4e5-f6a7-8901-bcde-f12345678901')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2c3d4e5-f6a7-8901-bcde-f12345678901','-', '3.0.0')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "3.0.0", + "_analyticRulecontentId3": "c3d4e5f6-a7b8-9012-cdef-123456789012", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c3d4e5f6-a7b8-9012-cdef-123456789012')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c3d4e5f6-a7b8-9012-cdef-123456789012')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c3d4e5f6-a7b8-9012-cdef-123456789012','-', '3.0.0')))]" + }, + "workbookVersion1": "3.0.0", + "workbookContentId1": "VaikoraAgentSignalsDashboard", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), 
variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "displayName": "Vaikora AI Agent Behavioral Signals", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "VaikoraSentinel", + "connectorId": "VaikoraSentinel", + "title": "Vaikora AI Agent Behavioral Signals", + "publisher": "Data443 Risk Mitigation, Inc.", + "descriptionMarkdown": "Ingest AI agent behavioral signals from the Vaikora API into Microsoft Sentinel using the Codeless Connector Framework (CCF). 
Monitor agent actions, policy decisions, anomaly scores, and risk levels to detect suspicious AI activity in your environment.", + "graphQueriesTableName": "Vaikora_AgentSignals_CL", + "graphQueries": [ + { + "metricName": "Total Vaikora agent signals received", + "legend": "Vaikora Agent Signals", + "baseQuery": "Vaikora_AgentSignals_CL" + } + ], + "sampleQueries": [ + { + "description": "High-risk agent actions (last 24 hours)", + "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(24h) | where risk_score_d >= 75 | project TimeGenerated, agent_id_s, action_type_s, severity_s, policy_decision_s, risk_score_d, anomaly_score_d" + }, + { + "description": "Anomalous agent behavior (last 7 days)", + "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(7d) | where is_anomaly_b == true | summarize AnomalyCount=count(), AvgAnomalyScore=avg(anomaly_score_d) by agent_id_s, action_type_s | order by AnomalyCount desc" + }, + { + "description": "Blocked policy decisions (last 48 hours)", + "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(48h) | where policy_decision_s == 'block' | project TimeGenerated, agent_id_s, action_type_s, resource_type_s, policy_id_s, log_hash_s" + } + ], + "dataTypes": [ + { + "name": "Vaikora_AgentSignals_CL", + "lastDataReceivedQuery": "Vaikora_AgentSignals_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "status": "Available", + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": false + } + } + ], + "customs": [ + { + "name": "Vaikora API Key", + "description": "A Vaikora API key (vk_xxxxx) with read access to the 
actions endpoint. Obtain this from your Vaikora dashboard under Settings > API Keys." + } + ] + }, + "instructionSteps": [ + { + "title": "Connect Vaikora AI Agent Behavioral Signals", + "description": "To enable the Vaikora connector, provide your Vaikora API key and the agent ID you want to monitor, then click Connect.\n\nYour API key is available in the Vaikora dashboard under **Settings > API Keys**. The agent ID is the UUID shown on your agent's detail page.", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Vaikora API Key", + "placeholder": "vk_xxxxxxxxxxxxxxxxxxxxxxxx", + "type": "password", + "name": "vaikoraApiKey" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Vaikora Agent ID", + "placeholder": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "type": "text", + "name": "vaikoraAgentId" + } + }, + { + "type": "ConnectionToggleButton", + "parameters": { + "connectLabel": "Connect", + "name": "connect" + } + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + 
"tier": "Partner", + "link": "https://www.data443.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "dcr-vaikora-agent-signals", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]", + "streamDeclarations": { + "Custom-Vaikora_AgentSignals_CL": { + "columns": [ + { "name": "TimeGenerated", "type": "datetime" }, + { "name": "payload", "type": "dynamic" }, + { "name": "timestamp", "type": "datetime" }, + { "name": "action_type_s", "type": "string" }, + { "name": "agent_id_s", "type": "string" }, + { "name": "status_s", "type": "string" }, + { "name": "severity_s", "type": "string" }, + { "name": "policy_decision_s", "type": "string" }, + { "name": "policy_id_s", "type": "string" }, + { "name": "risk_score_d", "type": "int" }, + { "name": "risk_level_s", "type": "string" }, + { "name": "is_anomaly_b", "type": "boolean" }, + { "name": "anomaly_score_d", "type": "real" }, + { "name": "anomaly_reason_s", "type": "string" }, + { "name": "threat_detected_b", "type": "boolean" }, + { "name": "threat_score_d", "type": "int" }, + { "name": "log_hash_s", "type": "string" }, + { "name": "resource_type_s", "type": "string" }, + { "name": "action_id_s", "type": "string" } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ "Custom-Vaikora_AgentSignals_CL" ], + "destinations": [ "clv2ws1" ], + "transformKql": "source | extend p=todynamic(payload) | extend TimeGenerated=todatetime(timestamp), action_type_s=tostring(p.action_type), 
agent_id_s=tostring(p.agent_id), status_s=tostring(p.status), severity_s=tostring(p.severity), policy_decision_s=tostring(p.policy_decision), policy_id_s=tostring(p.policy_id), risk_score_d=toint(p.risk_score), risk_level_s=tostring(p.risk_level), is_anomaly_b=tobool(p.is_anomaly), anomaly_score_d=toreal(p.anomaly_score), anomaly_reason_s=tostring(p.anomaly_reason), threat_detected_b=tobool(p.threat_detected), threat_score_d=toint(p.threat_score), log_hash_s=tostring(p.log_hash), resource_type_s=tostring(p.resource_type), action_id_s=tostring(p.id) | project TimeGenerated, action_type_s, agent_id_s, status_s, severity_s, policy_decision_s, policy_id_s, risk_score_d, risk_level_s, is_anomaly_b, anomaly_score_d, anomaly_reason_s, threat_detected_b, threat_score_d, log_hash_s, resource_type_s, action_id_s", + "outputStream": "Custom-Vaikora_AgentSignals_CL" + } + ] + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "displayName": "Vaikora AI Agent Behavioral Signals - Connections", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "VaikoraSentinel", + "type": "string" + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrImmutableId": { + "defaultValue": "", + "type": "string" + }, + "dataCollectionEndpoint": { + "defaultValue": "", + "type": "string" + }, + "vaikoraApiKey": { + "defaultValue": "", + "type": "securestring" + }, + "vaikoraAgentId": { + "defaultValue": "", + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/VaikoraAgentSignals')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "VaikoraSentinel", + "dataType": "Vaikora_AgentSignals_CL", + "dcrConfig": { + "streamName": "Custom-Vaikora_AgentSignals_CL", + "dataCollectionEndpoint": "[parameters('dataCollectionEndpoint')]", + "dataCollectionRuleImmutableId": "[parameters('dcrImmutableId')]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "X-API-Key", + "ApiKey": "[parameters('vaikoraApiKey')]" + }, + "request": { + "apiEndpoint": "https://api.vaikora.com/api/v1/actions", + "httpMethod": "GET", + "queryParameters": { + "agent_id": "[parameters('vaikoraAgentId')]", + "per_page": 100, + "page": 1 + }, + "queryWindowInMin": 360, + "rateLimitQps": 1, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "User-Agent": "Microsoft-Sentinel-Vaikora/1.0" + } + }, + "paging": { + "pagingType": "PageNumber", + "pageSize": 100, + "pageSizeParaName": "per_page", + "pageNumberParaName": "page", + "pageNumberStart": 1, + "hasNextPageFilter": "$.actions | length > 0" + }, 
+ "response": { + "eventsJsonPaths": [ + "$.actions" + ], + "format": "json" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "displayName": "Vaikora - High Risk AI Agent Action", + "contentKind": "AnalyticsRule", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects high-risk AI agent actions from Vaikora where the risk score is 75 or above and severity is high or critical. 
These events may indicate an AI agent behaving outside safe operational parameters.", + "displayName": "Vaikora - High Risk AI Agent Action", + "enabled": false, + "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated > ago(1h)\n| where risk_score_d >= 75\n| where severity_s in ('high', 'critical')\n| summarize\n ActionCount = count(),\n MaxRiskScore = max(risk_score_d),\n Actions = make_set(action_type_s),\n PolicyDecisions = make_set(policy_decision_s),\n ResourceTypes = make_set(resource_type_s)\n by AgentId = agent_id_s, RiskLevel = risk_level_s, Severity = severity_s\n| extend\n ActionList = strcat_array(Actions, ', '),\n PolicyList = strcat_array(PolicyDecisions, ', '),\n ResourceList = strcat_array(ResourceTypes, ', ')", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "VaikoraSentinel", + "dataTypes": [ "Vaikora_AgentSignals_CL" ] + } + ], + "tactics": [ "Impact", "Execution", "PrivilegeEscalation" ], + "techniques": [ "T1059", "T1078", "T1548" ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { "identifier": "Name", "columnName": "AgentId" } + ] + } + ], + "customDetails": { + "MaxRiskScore": "MaxRiskScore", + "ActionCount": "ActionCount", + "Actions": "ActionList", + "PolicyDecisions": "PolicyList" + }, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT1H", + "matchingMethod": "Selected", + "groupByEntities": [ "Account" ] + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "Vaikora Sentinel Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "[variables('_solutionName')]", + "sourceId": "[variables('_solutionId')]" + }, + "author": { "name": "Data443 Risk Mitigation, Inc.", "email": "[variables('_email')]" }, + "support": { "name": "Data443 Risk Mitigation, Inc.", "email": "support@data443.com", "tier": "Partner", "link": "https://www.data443.com" } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "displayName": "Vaikora - Behavioral Anomaly Detected", + "contentKind": "AnalyticsRule", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": 
{}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects AI agent behavioral anomalies flagged by the Vaikora anomaly detection engine with a score of 0.7 or above. A high anomaly score indicates the agent is deviating significantly from its established behavioral baseline.", + "displayName": "Vaikora - Behavioral Anomaly Detected", + "enabled": false, + "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated > ago(1h)\n| where is_anomaly_b == true\n| where anomaly_score_d >= 0.7\n| summarize\n AnomalyCount = count(),\n MaxAnomalyScore = max(anomaly_score_d),\n AvgAnomalyScore = avg(anomaly_score_d),\n AnomalyReasons = make_set(anomaly_reason_s),\n ActionTypes = make_set(action_type_s)\n by AgentId = agent_id_s, Severity = severity_s\n| extend\n ReasonList = strcat_array(AnomalyReasons, '; '),\n ActionList = strcat_array(ActionTypes, ', ')", + "queryFrequency": "PT30M", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT30M", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "VaikoraSentinel", + "dataTypes": [ "Vaikora_AgentSignals_CL" ] + } + ], + "tactics": [ "DefenseEvasion", "Execution" ], + "techniques": [ "T1059", "T1027" ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { "identifier": "Name", "columnName": "AgentId" } + ] + } + ], + "customDetails": { + "MaxAnomalyScore": "MaxAnomalyScore", + "AnomalyCount": "AnomalyCount", + "AnomalyReasons": "ReasonList" + }, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + 
"enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT1H", + "matchingMethod": "Selected", + "groupByEntities": [ "Account" ] + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "Vaikora Sentinel Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "[variables('_solutionName')]", + "sourceId": "[variables('_solutionId')]" + }, + "author": { "name": "Data443 Risk Mitigation, Inc.", "email": "[variables('_email')]" }, + "support": { "name": "Data443 Risk Mitigation, Inc.", "email": "support@data443.com", "tier": "Partner", "link": "https://www.data443.com" } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + 
"displayName": "Vaikora - Agent Policy Violation", + "contentKind": "AnalyticsRule", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects AI agent actions that were explicitly blocked by a Vaikora policy. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised agent workflow.", + "displayName": "Vaikora - Agent Policy Violation", + "enabled": false, + "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated > ago(1h)\n| where policy_decision_s == 'block'\n| summarize\n ViolationCount = count(),\n PolicyIds = make_set(policy_id_s),\n ActionTypes = make_set(action_type_s),\n ResourceTypes = make_set(resource_type_s),\n MaxRiskScore = max(risk_score_d)\n by AgentId = agent_id_s\n| extend\n PolicyList = strcat_array(PolicyIds, ', '),\n ActionList = strcat_array(ActionTypes, ', '),\n ResourceList = strcat_array(ResourceTypes, ', ')\n| where ViolationCount >= 1", + "queryFrequency": "PT15M", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT15M", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "VaikoraSentinel", + "dataTypes": [ "Vaikora_AgentSignals_CL" ] + } + ], + "tactics": [ "Impact", "DefenseEvasion" ], + "techniques": [ "T1078", "T1562" ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { "identifier": "Name", "columnName": "AgentId" } + ] + } + ], + 
"customDetails": { + "ViolationCount": "ViolationCount", + "PolicyIds": "PolicyList", + "MaxRiskScore": "MaxRiskScore" + }, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT1H", + "matchingMethod": "Selected", + "groupByEntities": [ "Account" ] + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "properties": { + "description": "Vaikora Sentinel Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "[variables('_solutionName')]", + "sourceId": "[variables('_solutionId')]" + }, + "author": { "name": "Data443 Risk Mitigation, Inc.", "email": "[variables('_email')]" }, + "support": { "name": "Data443 Risk Mitigation, Inc.", "email": "support@data443.com", "tier": "Partner", "link": "https://www.data443.com" } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_workbookContentId1')]", + "displayName": "[parameters('workbook1-name')]", + "contentKind": "Workbook", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Gain insights into Vaikora AI agent behavioral signals including action timelines, severity breakdowns, anomaly detection, and policy violations." + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Vaikora AI Agent Behavioral Signals\\n\\nThis workbook visualizes AI agent behavioral data ingested from Vaikora into Microsoft Sentinel.\"},\"name\":\"header\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Vaikora_AgentSignals_CL\\n| where TimeGenerated > ago(24h)\\n| summarize TotalActions=count(), BlockedActions=countif(policy_decision_s=='block'), Anomalies=countif(is_anomaly_b==true), HighRisk=countif(risk_score_d>=75)\\n| project TotalActions, BlockedActions, Anomalies, HighRisk\",\"size\":4,\"title\":\"Signal Overview (last 24h)\",\"queryType\":0,\"visualization\":\"tiles\"},\"name\":\"overview-tiles\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Vaikora_AgentSignals_CL\\n| where TimeGenerated > ago(24h)\\n| summarize TotalActions=count(), Blocked=countif(policy_decision_s=='block'), Anomalies=countif(is_anomaly_b==true) by 
bin(TimeGenerated,1h)\\n| order by TimeGenerated asc\",\"size\":0,\"title\":\"Agent Actions Over Time\",\"queryType\":0,\"visualization\":\"timechart\"},\"name\":\"actions-timechart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Vaikora_AgentSignals_CL\\n| where TimeGenerated > ago(24h)\\n| summarize Count=count() by severity_s\",\"size\":3,\"title\":\"Actions by Severity\",\"queryType\":0,\"visualization\":\"piechart\"},\"name\":\"severity-pie\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Vaikora_AgentSignals_CL\\n| where TimeGenerated > ago(24h)\\n| where is_anomaly_b==true\\n| summarize Count=count() by bin(TimeGenerated,1h)\\n| order by TimeGenerated asc\",\"size\":0,\"title\":\"Anomalies Over Time\",\"queryType\":0,\"visualization\":\"timechart\"},\"name\":\"anomaly-timechart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Vaikora_AgentSignals_CL\\n| where TimeGenerated > ago(24h)\\n| where risk_score_d>=75 or severity_s in ('high','critical')\\n| project TimeGenerated, agent_id_s, action_type_s, severity_s, risk_score_d, anomaly_score_d, policy_decision_s, anomaly_reason_s\\n| order by TimeGenerated desc\\n| take 50\",\"size\":0,\"title\":\"Recent High-Risk Actions\",\"queryType\":0,\"visualization\":\"table\"},\"name\":\"highrisk-table\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Vaikora_AgentSignals_CL\\n| where TimeGenerated > ago(24h)\\n| where policy_decision_s=='block'\\n| summarize ViolationCount=count(), MaxRiskScore=max(risk_score_d), Actions=make_set(action_type_s), LastSeen=max(TimeGenerated) by agent_id_s, policy_id_s\\n| extend ActionList=strcat_array(Actions,', ')\\n| project agent_id_s, policy_id_s, ViolationCount, MaxRiskScore, ActionList, LastSeen\\n| order by ViolationCount desc\",\"size\":0,\"title\":\"Policy Violations by 
Agent\",\"queryType\":0,\"visualization\":\"table\"},\"name\":\"violations-table\"}],\"styleSettings\":{},\"fromTemplateId\":\"sentinel-VaikoraAgentSignalsDashboard\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "Vaikora Sentinel Workbook", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "[variables('_solutionName')]", + "sourceId": "[variables('_solutionId')]" + }, + "author": { "name": "Data443 Risk Mitigation, Inc.", "email": "[variables('_email')]" }, + "support": { "name": "Data443 Risk Mitigation, Inc.", "email": "support@data443.com", "tier": "Partner", "link": "https://www.data443.com" } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "[variables('_solutionVersion')]", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Vaikora AI Agent Behavioral Signals", + 
"publisherDisplayName": "Data443 Risk Mitigation, Inc.", + "descriptionHtml": "

The Vaikora AI Agent Behavioral Signals solution provides the capability to ingest AI agent behavioral data from the Vaikora API into Microsoft Sentinel using the Codeless Connector Framework (CCF). This solution deploys a REST API poller connector, a custom log table, data collection rules, analytics rules, and a visualization workbook to help security teams monitor AI agent activity, detect behavioral anomalies, and investigate policy violations.

", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "VaikoraSentinel", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "[variables('_email')]" + }, + "support": { + "name": "Data443 Risk Mitigation, Inc.", + "email": "support@data443.com", + "tier": "Partner", + "link": "https://www.data443.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "version": "[variables('dataConnectorCCPVersion')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + } + ] + }, + "providers": [ "Data443 Risk Mitigation, Inc." ], + "categories": { + "domains": [ "Security - Others" ], + "verticals": [] + } + } + } + ], + "outputs": {} +} diff --git a/Solutions/Vaikora-Sentinel/README.md b/Solutions/Vaikora-Sentinel/README.md new file mode 100644 index 00000000000..4fb522e8ee3 --- /dev/null +++ b/Solutions/Vaikora-Sentinel/README.md 
@@ -0,0 +1,79 @@
+# Vaikora AI Agent Behavioral Signals — Microsoft Sentinel Solution
+
+This solution ingests AI agent behavioral data from the [Vaikora](https://vaikora.com) API into Microsoft Sentinel. It deploys a REST API poller connector, a custom log table, data collection rules, analytics rules, and a visualization workbook.
+
+## What Gets Deployed
+
+| Component | Description |
+|-----------|-------------|
+| Data connector | REST API poller — polls `https://api.vaikora.com/api/v1/actions` every 6 hours |
+| Custom table | `Vaikora_AgentSignals_CL` — 17-column schema for agent signals |
+| Analytic rule | Vaikora - High Risk AI Agent Action |
+| Analytic rule | Vaikora - Behavioral Anomaly Detected |
+| Analytic rule | Vaikora - Agent Policy Violation |
+| Workbook | Vaikora AI Agent Signals Dashboard |
+
+## Prerequisites
+
+- Microsoft Sentinel workspace
+- Vaikora API key (obtain from your Vaikora account)
+- Agent ID from your Vaikora deployment
+
+## Data Connector Setup
+
+After deploying the solution:
+
+1. Go to **Microsoft Sentinel > Data connectors**
+2. Find **Vaikora AI Agent Behavioral Signals** and open it
+3. Click **Open connector page**
+4. Enter your Vaikora API key and agent ID
+5. Click **Connect**
+
+The connector polls the Vaikora API every 6 hours. Data appears in `Vaikora_AgentSignals_CL` within the first polling window.
+
+## Custom Table Schema
+
+| Column | Type | Description |
+|--------|------|-------------|
+| TimeGenerated | datetime | Timestamp of the agent action |
+| action_id_s | string | Unique action identifier |
+| action_type_s | string | Type of action performed |
+| agent_id_s | string | Agent identifier |
+| status_s | string | Action status (success, failure, blocked) |
+| severity_s | string | Severity level (low, medium, high, critical) |
+| policy_decision_s | string | Policy enforcement decision (allow, block, warn) |
+| policy_id_s | string | Policy that evaluated the action |
+| risk_score_d | int | Risk score 0-100 |
+| risk_level_s | string | Risk level label |
+| is_anomaly_b | bool | Whether Vaikora flagged this as anomalous |
+| anomaly_score_d | real | Anomaly score 0.0-1.0 |
+| anomaly_reason_s | string | Human-readable anomaly explanation |
+| threat_detected_b | bool | Whether a threat was detected |
+| threat_score_d | int | Threat score 0-100 |
+| resource_type_s | string | Type of resource the agent accessed |
+| log_hash_s | string | Unique hash for deduplication |
+
+## Analytic Rules
+
+All three rules are deployed in disabled state. Enable them from **Analytics > Rule templates** after confirming data is flowing.
+
+**Vaikora - High Risk AI Agent Action** — fires when an action has `risk_score_d >= 75` and severity is `high` or `critical`. Severity: High. Frequency: 1h.
+
+**Vaikora - Behavioral Anomaly Detected** — fires when `is_anomaly_b == true` and `anomaly_score_d >= 0.7`. Severity: Medium. Frequency: 30m.
+
+**Vaikora - Agent Policy Violation** — fires when `policy_decision_s == 'block'`. Severity: Medium. Frequency: 15m.
+
+## Workbook
+
+The **Vaikora AI Agent Signals Dashboard** workbook is available under **Workbooks** after deployment. It includes:
+
+- Signal overview tiles (total actions, blocked, anomalies, high-risk, critical)
+- Actions over time chart
+- Severity and policy decision breakdowns
+- Anomaly timeline
+- Recent high-risk actions table (top 50)
+- Policy violations by agent and policy
+
+## Support
+
+Data443 Risk Mitigation, Inc. — support@data443.com — https://data443.com/support
diff --git a/Solutions/Vaikora-Sentinel/ReleaseNotes.md b/Solutions/Vaikora-Sentinel/ReleaseNotes.md
new file mode 100644
index 00000000000..4d0c3dae92f
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| Version | Date | Comments |
+|---------|------|----------|
+| 1.0.0 | 2026-04-03 | Initial release — REST API poller connector, custom Vaikora_AgentSignals_CL table, 3 analytic rules (High Risk Action, Behavioral Anomaly, Policy Violation), and AI agent signals dashboard workbook. |
diff --git a/Solutions/Vaikora-Sentinel/SolutionMetadata.json b/Solutions/Vaikora-Sentinel/SolutionMetadata.json
new file mode 100644
index 00000000000..909bb8f12ca
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/SolutionMetadata.json
@@ -0,0 +1,22 @@
+{
+ "publisherId": "data443riskmitigationinc1761580347231",
+ "offerId": "vaikora-sentinel-connector",
+ "firstPublishDate": "2026-04-03",
+ "lastPublishDate": "2026-04-03",
+ "providers": [
+ "Data443 Risk Mitigation, Inc."
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Intelligence",
+ "Security - Others"
+ ],
+ "verticals": []
+ },
+ "support": {
+ "name": "Data443 Risk Mitigation, Inc.",
+ "email": "support@data443.com",
+ "tier": "Partner",
+ "link": "https://data443.com/support"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json b/Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json
new file mode 100644
index 00000000000..7b6d75f8f51
--- /dev/null
+++ b/Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json
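Review bot: The `support.link` in SolutionMetadata.json is `https://data443.com/support`, while every `support` block in mainTemplate.json earlier in this patch (connector metadata, the three analytics-rule metadata entries, the workbook metadata and the contentPackages resource) carries `https://www.data443.com`; likewise `categories.domains` lists both `Security - Threat Intelligence` and `Security - Others` here, but the contentPackages resource lists only `Security - Others`. Since the packaged mainTemplate.json is presumably derived from this file, the mismatch suggests the package was built from an earlier revision of the metadata or edited by hand, and the Marketplace listing and the deployed metadata will then disagree. Aligning both files to one value, e.g. `"link": "https://data443.com/support"` in every `support` block and the same `domains` list in both places, or regenerating the package from this file, would remove the drift. The file also ends without a trailing newline, which the diff flags with `\ No newline at end of file`.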
@@ -0,0 +1,202 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Vaikora AI Agent Behavioral Signals\n\nThis workbook visualizes AI agent behavioral data ingested from Vaikora into Microsoft Sentinel. Use it to monitor agent activity, detect anomalies, and investigate policy violations."
+ },
+ "name": "header"
+ },
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "parameters": [
+ {
+ "id": "timeRange",
+ "version": "KqlParameterItem/1.0",
+ "name": "TimeRange",
+ "label": "Time Range",
+ "type": 4,
+ "value": {
+ "durationMs": 86400000
+ },
+ "typeSettings": {
+ "selectableValues": [
+ { "durationMs": 3600000 },
+ { "durationMs": 14400000 },
+ { "durationMs": 43200000 },
+ { "durationMs": 86400000 },
+ { "durationMs": 259200000 },
+ { "durationMs": 604800000 },
+ { "durationMs": 2592000000 }
+ ]
+ }
+ },
+ {
+ "id": "agentId",
+ "version": "KqlParameterItem/1.0",
+ "name": "AgentId",
+ "label": "Agent ID",
+ "type": 2,
+ "query": "Vaikora_AgentSignals_CL | summarize by agent_id_s | project value=agent_id_s, label=agent_id_s",
+ "typeSettings": {
+ "additionalResourceOptions": [ "value::all" ],
+ "showDefault": false
+ },
+ "defaultValue": "value::all",
+ "queryType": 0
+ }
+ ],
+ "style": "pills"
+ },
+ "name": "parameters"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Summary"
+ },
+ "name": "summary-header"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| summarize\n TotalActions = count(),\n BlockedActions = countif(policy_decision_s == 'block'),\n Anomalies = countif(is_anomaly_b == true),\n HighRisk = countif(risk_score_d >= 75),\n CriticalSeverity = countif(severity_s == 'critical')\n| project TotalActions, BlockedActions, Anomalies, HighRisk, CriticalSeverity",
+ "size": 4,
+ "title": "Signal Overview",
+ "queryType": 0,
+ "visualization": "tiles",
+ "tileSettings": {
+ "showBorder": true,
+ "titleContent": { "columnMatch": "", "formatter": 1 },
+ "leftContent": { "columnMatch": "TotalActions", "formatter": 12, "formatOptions": { "palette": "blue" } }
+ }
+ },
+ "name": "overview-tiles"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Actions Over Time"
+ },
+ "name": "timechart-header"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| summarize\n TotalActions = count(),\n Blocked = countif(policy_decision_s == 'block'),\n Anomalies = countif(is_anomaly_b == true)\n by bin(TimeGenerated, 1h)\n| order by TimeGenerated asc",
+ "size": 0,
+ "title": "Agent Actions Over Time",
+ "queryType": 0,
+ "visualization": "timechart"
+ },
+ "name": "actions-timechart"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Actions by Severity"
+ },
+ "name": "severity-header"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| summarize Count = count() by severity_s\n| order by Count desc",
+ "size": 3,
+ "title": "Actions by Severity",
+ "queryType": 0,
+ "visualization": "piechart"
+ },
+ "name": "severity-pie"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| summarize Count = count() by policy_decision_s\n| order by Count desc",
+ "size": 3,
+ "title": "Actions by Policy Decision",
+ "queryType": 0,
+ "visualization": "piechart"
+ },
+ "name": "policy-pie"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Anomaly Detection"
+ },
+ "name": "anomaly-header"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| where is_anomaly_b == true\n| summarize Count = count() by bin(TimeGenerated, 1h)\n| order by TimeGenerated asc",
+ "size": 0,
+ "title": "Anomalies Over Time",
+ "queryType": 0,
+ "visualization": "timechart",
+ "chartSettings": {
+ "seriesLabelSettings": [
+ { "seriesName": "Count", "color": "orange" }
+ ]
+ }
+ },
+ "name": "anomaly-timechart"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Recent High-Risk Actions"
+ },
+ "name": "highrisk-header"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| where risk_score_d >= 75 or severity_s in ('high', 'critical')\n| project TimeGenerated, agent_id_s, action_type_s, severity_s, risk_score_d, anomaly_score_d, policy_decision_s, status_s, resource_type_s, anomaly_reason_s\n| order by TimeGenerated desc\n| take 50",
+ "size": 0,
+ "title": "Recent High-Risk Actions (top 50)",
+ "queryType": 0,
+ "visualization": "table",
+ "gridSettings": {
+ "formatters": [
+ { "columnMatch": "severity_s", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "critical", "representation": "red", "text": "{0}" }, { "operator": "==", "thresholdValue": "high", "representation": "orange", "text": "{0}" }, { "operator": "Default", "thresholdValue": null, "representation": "blue", "text": "{0}" } ] } },
+ { "columnMatch": "policy_decision_s", "formatter": 18, "formatOptions": { "thresholdsOptions": "colors", "thresholdsGrid": [ { "operator": "==", "thresholdValue": "block", "representation": "red", "text": "{0}" }, { "operator": "Default", "thresholdValue": null, "representation": "green", "text": "{0}" } ] } }
+ ]
+ }
+ },
+ "name": "highrisk-table"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Policy Violations"
+ },
+ "name": "violations-header"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated {TimeRange}\n| where agent_id_s == '{AgentId}' or '{AgentId}' == 'value::all'\n| where policy_decision_s == 'block'\n| summarize\n ViolationCount = count(),\n MaxRiskScore = max(risk_score_d),\n Actions = make_set(action_type_s),\n Resources = make_set(resource_type_s),\n LastSeen = max(TimeGenerated)\n by AgentId = agent_id_s, PolicyId = policy_id_s\n| extend ActionList = strcat_array(Actions, ', '), ResourceList = strcat_array(Resources, ', ')\n| project AgentId, PolicyId, ViolationCount, MaxRiskScore, ActionList, ResourceList, LastSeen\n| order by ViolationCount desc",
+ "size": 0,
+ "title": "Policy Violations by Agent and Policy",
+ "queryType": 0,
+ "visualization": "table"
+ },
+ "name": "violations-table"
+ }
+ ],
+ "styleSettings": {},
+ "fromTemplateId": "sentinel-VaikoraAgentSignalsDashboard",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
From b9ddbf8ebb05bd99d3c5b76376b9dec0dcddd749 Mon Sep 17 00:00:00 2001 From: Taz Jack Date: Fri, 3 Apr 2026 12:13:09 -0400 Subject: [PATCH 06/38] =?UTF-8?q?fix:=20add=20missing=20parameters=20(cont?= =?UTF-8?q?entProductId,=20dcrImmutableId,=20vaikoraApiKey)=20=E2=80=94=20?= =?UTF-8?q?ARM=20validates=20clean?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Solutions/Vaikora-Sentinel/Package/3.0.0.zip | Bin 9788 -> 9946 bytes .../Package/mainTemplate.json | 282 ++++++++++++++---- 2 files changed, 229 insertions(+), 53 deletions(-)
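Review bot: The `AgentId` dropdown query `Vaikora_AgentSignals_CL | summarize by agent_id_s | project value=agent_id_s, label=agent_id_s` has no time bound, so it scans the whole table on every workbook load while every chart below it is already scoped by `{TimeRange}`; since `TimeRange` is declared first, `Vaikora_AgentSignals_CL | where TimeGenerated {TimeRange} | summarize by agent_id_s | project value=agent_id_s, label=agent_id_s` keeps the pick list consistent with what the charts show. The "Recent High-Risk Actions" table filters with `risk_score_d >= 75 or severity_s in ('high', 'critical')`, whereas the README describes the High Risk rule as requiring both conditions; if the rule query does AND them (it is not in this hunk), the table will list rows the rule never fires on, which is worth either aligning or stating in the section header. The `policy_decision_s` formatter colours every non-`block` value green, so a `warn` decision renders exactly like `allow`; a second `==` row for `warn` would keep the three decisions the README documents visually distinct.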
diff --git a/Solutions/Vaikora-Sentinel/Package/3.0.0.zip b/Solutions/Vaikora-Sentinel/Package/3.0.0.zip index 1f055043aaa477c928d64aca08932a53d3f368d5..88b5daba9c5eb729761376524fc1c1c794f51bf0 100644 GIT binary patch delta 7467 zcmV+`9n|8yOxjI@6aWAK2mq8}gIqBFV7QnZ000=!000pH003=aX>L?yZE$R1 zbY(7Tb8l|#J^gdrHnP9>ufXVTMs~-NzmhoZt258Flh&_E>xTNygZEbHxbdqGZ2zN%ulO!l;|96(9|LAOB z|6!IE@ah+uvp7p}nC<=+{!hFf(;|q10>}Rge#4VsT8y$B0gvGMlPA06ZOpF7o4AOF zK>>YikmEFe?2{g0)5#>ui~o)U9OB12<)e-fA%@+YX2}%WkwT(JF0-8c62w~1+f9~Vu}Kipp2G1rax;p<5s4XzXdYj~h?jXb=HRanh;Go4SbyaI{V3O_-d`KC zRtY$NCz;*>AHra3-M4hec_AZ$ZwXWEp;m;E9`F`LK0scW$MGFO|q{;I|zDPYLC{dG1Z2WgPp7IDa6^=M9EM}>LDvde;~O@Ir^ zXfd6*=U}nykI?lZ>sDiY#BpAxe=GYSL+nI75$=kT_a&YRGegEW6t7r3)^W6q4lNm>djYQ1UGu1=le=O2}zE1cqYd zC}5*O1~O!p2y7?L6vv`0Q4?@a5BoaI61gE?rqLve)8Z4z57hkQxX_ocGNg9#CtzNoy_nfW;!H>fHcs!mK!62c>(WjUaVy#9b$484IelUrD zptnwhX$U&R9iy%J^W>P|xQ(bG1Ah`?YOMH{0b;^oGtSbu0JX-=$;&VI7phmG#9Rk? zjJ+8;45)2!!u#^8O&1#Io$g_+%O7@swG``Is3TLJ0iCKYRfRK@zg?~Rq3o6K`J6iv zpB%Kku~zotG~C{Mw*B<^*6x$No!xDriuRZss;9c>$yL^GYDkDd%z2e>jLGSPTAeYn zU9Nwwb;n8)_kWtuoZ}fJ$0>`4qk?VfO0hHrS(4?4hbKONT3y(H zLaRQG^phic83T(!)9r>Ou{u%eIxeHHAEh^W=CRT3MPaYIF-_w?rgC?$86=(qYaoij zVvX$poVjLcyly*T-POHLl#gOf(0zCvM;0#KO;e*_o3_$vzC#2zEzPP5T~pq8lS!Uk z$DqTrO|4z@H6y!mtaj|=>Om5Jq*qLC9H4nf*SZ7P4&pCky9H7yeLGF)PlMlKsBKgJ znXl!}*sg93WET@IRK(|y!S-M$+>M^}=+nz*y}jpOZS{gd81?Ao_Rj8;r_b<7*^$|g zS`2gNmsC2%^DHiIHMI^BnitqkaT#v^Zkyq|rh;f9r_NP!~ktzd8PyayQV^Z>`po`K_z zk9T*M=iN5Lx8~j52jbm!lW5PoyARL1t)?`Cca>Yfrx0j>LrW9*#jpdV^P=jz&@G$K ze!Z*;99hnwMSXlzH&SmO#O`dMEwM6KLIE|D?SdVGK zje|HMw|lX}q93hymbcMd#-+ue;m73wxjJ3A=^Q zPH*cgm+;XomXLuKvL$M)KFESnL$|+@Yy4PQcL_l;|)S zJkw!wGm;U1r$y$9_DvZa{v7%+izsk7Bbr~xE93%Pf3kLX_-egR-iU~U96JzBND%8; z5{I`WqG8O$lOWB;pr{iTX0TiFcSO($PZD}f0Y@GxFJKhHrfd?2aW-XqQqbi!>^;Dj z+`=X&G`)`VEah^`O{ifWOh*5j(j1uT47si%elJXa<^1CC_3U11VnzLNaUyRGdnJ!U zHSk$hz;Y<+3tFkg$!SP2xxtAA?<=9uAhLLm_t3;`yx|~V6lZYTGGp0-aE#us0@tA%`Qy?b7cT_9(3oG(yD<4*?sjfcmD-WC^X 
zTi_#e6unE-1JB~PXWy2_2Yd|NUbeuHMBXD&aC?6w-it~K$LvB)ctG~|Ns&(}ykyhy z7>?IJDG{jN9%j?D*bnjVHP8$Xu7~o)DUxY_Ke!&QRS36^!DR2Ez!+H$ry&BFLlC6Y zz0mwyI4Q4y2vxZ#Y5wH-Ju~)`=LTcfxDaXI9UzL`g;-pvU;2R@K>#P&@M09O(FI#p z)}Zck216_$XVL|Z0NxPS2M_DFQcTa1rxyPr3CTVg2OrifYMNUh%`juIxaAP*%aTZc zsy6({JOr@=q9>T2T1vnCK46y7vGfWC*Fl^FgE#^7Jc=BiDMe6Bd0g*6z&jL22^zB# zsU&|*E@1_z1I)R1JD_!rW5#!(9}~sdCsKd*lG0C1q2sF7tyOj}N7|?#2?O&COmdO3 z7DQaNy1}(41|SLWNTYvDV$))wjh2d?V%MqCoPsjHsSLEAUrDk zJ@dYUs0|#dxV%Rn_lQ3(7WY4QGC%H4ZVLIuS0fjtRVRW>M`|E&_2jnHE zKH#5qauXLLl5_qEL)7{~BS$MhsbDJqtWSO#6ai@C#VD4h1=q_}*OBselWB^7XY460 zz_1uH@Iv2@P=b~4m89O~ z`|?Z20)F{rpPZSfK#$nT&p*R|zu5>ZQ<6z@je~SCg&UYAArtuRmp00UhlU+eb2&9Ya%EsZllk_b7z1-tMp+`y0JZ5He`fWhriO|4a9H@QMhUNkhMhUt z(8ed|yecsMc`U0T*>TS0P_*wk{+f4P3OtDCToaix`XGx^rjDIu!(l>yznvBZ2&+3= zBPrZotEH0TwIz{kz94NpZ(QezM~SUHt3uhoE30u|&S#alXX)nE2-{*gkp{9ZxAgXX zxutc=^V|+%pkW!bdGN@T&%M6P;?&pXUV>G+>#G^@CJlJKRIo>OA{NKz)wi;veL+4~ zzvgapwG+vyo|cLND!N^Nmp=}Ha>^TY$YkKB8d~h_leUM??&_=kuO={bwNv&~c+F*TUgpxlWth9ctNu z4zz$qUN?iUj~2*Gg4-ku+M#g^jbcwgVL2>tcB}}-lZPgU6$xmAjJ#uZAE@X6#lzwu zyw?wog$_GDEFQIgVAG>O=i#};jQh611TP)m7aBYTC0FUBABr8VwwJQrTr>gu;Z>5|_$KQO z*P|KHq~y=CAKYu}38Ge3&O2r!k$jyOd62TpEFb^yhwy2L3NZgB+_M;w$$pVZy?#xa z0_){l%Thr|sd=wyeSN)>JOe=ThRmdIyjVB$Z7dl16abW-X}%WE*3GOl>$QBk?np&5 z;VLiJt&ARj2O!7C)Mx+(BrO1x4;6$|Hq2hi=Ky5t0RV)j2Y{4M*K1jF0ENddQpbE@ z0IJi|qNMe19V4fe!>t^>@~Q-`PSNy>PWPs;`BE;8n7k1axG7naw_5I@z?COp8-4pgLbKB8TeI zv?@z0ey=ZFkcPDFOvJ5~AF4j)I*8{oMg8*Bdq?9R=ktE6W^=gOmDBQ+-x=|g6ybo& zI7-zh&I@kcYC)Es&ZfY-o&8ofgRC++|H1dnq%(PSzwB|{FLU_#7r0kOdc^3j;g*>v zP+&BF_*}1>S#rF*Bvb}WE7b_g)o>TI^Ij-wGdP%MoLPyk)u6S?ad$OITcm=Hv60X%nt z9AA%yx4$A;lTKOCm-0+hdk^*b0O3j z50CqDJbtdj@6GG&&7h`j7+qo8H?$aKoa*1bJadEbi%%!BQx0|f&r1j)VEqm@yjO95 zfeFgc!}ive4@d&IY(@VBeub@`-5jTHVw4uU&z!w?&}@GlkK^KBJa>KD4MdAv+*iY% zJP9^q3a0OIdWzL~BJ9gE;)n)OBUKN=kWTno2a`z>3u(5A8kvuZKQo&5II%6U+fzbF z34zURFcKH`-@-EBN#|ix@m7ho6Euf^r{jSy)d-jLH2$+;-8Bd@qS}_4UA!&CpjMj} z@TWz<6SdsSKML57U?Aa~Ud2fvGO7OASJyQDO%h%dnYbiG4n?Or%3Ld@28u$ML 
zD}E9bBfrbFM8dVI?)zZqX$?4^aE_|uyYjWjCM#ddC-Aix_&Z95cGvrjbu(9g9+5lq zh`6cmDZtvsGtwhiT0o?=YA?w_SQQ2pUx-y(?(gLSna#hduGl9p!BgMuEy^v{&7$_Z zwgunFKIbBxdhO0rUB8RE&6Zob_1*1d>Zn7D5I)~^F%R=I`q)KhPPms{8#t(O4xIwIw} zGWLe|FxR?BS6*0D(zVO`(FFz0Q$$Y8OH{1bC#o!lc=smwfJEShF=XX`0dsr>b|4u6 zA+G2Jqs5vPD^zeNJotB{%T*ZgwNRmIqmC$EsljYf3E-_GI9A{gb{W~X;*&Uw*BDxa z=XRX&RPo`yK|Umt2*R5ad>u0+5i4@w#ET%$gWI(ORig;$Y|qmLUZH^9Oik6*&?19u z=Hf-pX|K51orav{PR_P}zxP6(z=Vax>;qFoK^WW>PMGNgBpSbRe>BatbnWxv*$BqKYnjl*VTH9U3!$qDR4P}@mC~|6g)q{l zJ_(t#4pY1QCWmd+DR4h~)0R5NV>ox**DyOTKfrP95uNb*B#*CuW2{N_l7WN@-1noL zDA8~vYQp-kI@{iQ`jvZBc(wQ3_v-1B=j~9y1uSmg1d|EgXrGTKL|f%kI0(7m^|8Wb zOp|EFIR3GC7jQhnh?nxN6hHAAvgpK33w18exKq4LGM$U8qOQdezvA!BrZbNwuKt<7 z-Hy%jpc5o7e>T8>vl15NvWJOnvCf5`J_FkMO}MVZKXd_WtcoOf{iefVPQ_h1ZCs#^ z3*sCOifPhv%s34>TL{;CDY-ot+feEr%O)LvF_g|w&Z14Xmipu`uL5Ei)VlOA$rz0c z96YB6Z<1u$)c`Ea7Dp0?9|uJ^0<=pn@+tpvp7)lJnCQ2Ew=Z!kH`S{n^<~3^ss#@;i=0?mvPCNv0FKS2zGK7#_lCA!p zjv@5Pfe0H|mEd)lfEl$7`4``>;{YvcUMD@i1emmcfJQuW5d-3Qol4Zxk4)ULaR z&KiTuZhYO(Ck-FCie#5>E7xo=z5qmb1r5wP*N&)xSy5XC4yrY^RqVhnzm0x-M*;2) zYuLB^(vKZ)sN4s#Lld>&fgPS`3>~xz5D1K%0RjtUIP?CibokE-D=gyd-`#q1N8bK7 zG>WHxE^XZJ@AnM8a`=C44*w&13F;wzc^xpXfn7TOKZ!qoXK&@S{~I{%O<^zn_SPe} zE8aM6gpzFhZfYULZilDED-peN$gdpoD~G&n@mL)4RZ|g+rBCOO-*G7d?H%$C+?RF8 z&t*g2i$lJh?Jj#=IpkLk`ISTdkvrtu?C6z$L%xB4yE7c}yDNwMJv!ufy+`71JBPf; z;}wZHoq;as(?uAJ8373i$oI@aF5!w}x>ZPRD3f^QY*4 z$tSP_5IzPYQuc*JxlFQ~`CRTZx3=!$lX}~mzK!Vcs%ymEeswXu z*SEY8(BMk1`pjo#$-_kL{P=m?OutSx80{nH0@!FvW@x!^xH7kpFB zeZ@V0cmDT=r1@t%EC2gr_rKdhjqeM8`-yXLwK(qBdF@W%#=QKM<9+3LUpd}Ii^t-4 zuiAxR8GSm(`|fg%cL(mvI^O3p81KdL-p){$y{;VZE64lF@&3pi?`?MU%JFV}$6x>| zORXf1M%qaJN`)NGo z7QZ2OEgj>t)_S=;rQ0iggN;CibGX85asgE2=gw~~YE8S1miZkp6Nx2h;2%X+e(v6p zkuE<834mcTjW8=*xJC&UI>dBu<1+?i0LI=`l-*$NZY@)NgO{?A{_WC9-mf07HI-tv z9=+h+(;YDU2x$`kDZFUd$6x1v>cl$le0|>eF)Jwcf`t>$I~(VnxS(SOuigP5avuD1 z8y?GD0>9un?jqj$AOA2(>?;#~exAbr&qgsL3TYq{n{ve5*9CCVVP!x7qEFo_EyNdA z?*(mB^v^pV0Z*g_M@OHDe=P}$uZ1b6M{Qx`5RvZpg9D8u=8ZJer~z< 
z$yrtei7Y6vue|!?TM>M*p2wHQP55}zywrbiGP>wtykQf*mF zWfrz#e8qU{*6TE;Aqe`SvQ{$Q*t6b0p5@|>PPI-*FymH-L8)DvQj$ghuI_`hq|zjI z5=jl(gZGbtKK0u{g6n1x?~WN#-xa$vW)#zTT+CRn}j$^0sl{ne$~mz5kJZK__bYFb}Z&G`EwxT56gmVdF|(h$WDo+v$0YENvkwkwXR zZT0AfzHoXy{qk`vwO{yG_Lm)wDNhqKin3oX!>35M?+f;m*Ki1*QkwF{7RG!Vo2+AG z6r7hadn5Y3@2r4-C*tQOdwM$EsLaxy-G(txiMGvgmDoIIIWL=4lR}uzPgsJ{N?l*G z+IvKxxJ{@ESs|BUBh+D)8G0N^>2DV=H<{}wV5316?zBeZ34FqHo-~;3ql&q+Jx*2rT*g#r}egf<@_q`jAcJY*}<%#VJ1>; z6k%!x)GET$Rg38l?x+>z=KVbeaU2evvTslD#=>pBAk9oqmG0uo?{U&F9wk!n2B%Y!IrszMa}x`dU)O;H*r*qp!>b2lMnE7L{UiT-!96{a|rp= zR(}hpCfKY2YO&mujXbxKXKDpbrEURrskIVk4(?XkmKuGQlGdo4wO7hMT0$7}185r7 z&7)3cWW*o*cvJ}|gOtFa+w8cmViMmsaaD(Zi+$nO{Bol^%sc-_o#ryX+oi@6aWAK2mn1-gIwA=tx)L?yZE$R1 zbY(7Tb8l|#UH^02wvzw7e+5Q;GqO9DY{_<<_Ug>JcGCKqw0^PM-c6iwDH4`gQ>02z zcHF-F@3)I@1V})lBs)o4;15*5FjtjpW3C!aSZxaauoQ1(`A$ZIQvWAStC0 zjYyG^Nx&Eh@^PmqZlL9?AiutpRdmir*))kdP_*+6?R*#HQJ6uoU%TWNO5&6iG>DKX zDMpn1dY9!lY!ZaDqh$P*+>PRJL}ErFn#Z?L<8_{mIr+;Yq6@U7)bIKKzL$Md=hsB7 zRRu18sHQhyhfvu@`!yYMTgZs8Tf&ris2*XY1GYuc4$xMxVMhNp(fDNcCP{FB3#CVHbeY_$2qw(hHc z)|GM$($ZVi8KX*POmVw8; ztLi8gom(M;ep3@dRARQPd}B0DyCXG{WVu}b+-Q%Ly>)+_(45N|B&R8hhogdRYbV3n zTg3E*nzdp0yw%59nu7Dp^5f$(pRTTdY(lYiIF0m^6M7w|F^bZg(IplWwJ5=E^zl)% zgQp!^?M@VS+FR2!{(VZtpxH1~ynxi86vM=3mIHF;YNheIX@fPZM{Ovt#cH4+Pvo5W zJdGwU}*;=#PWnpsJqfj?LF{Wb~>-1I@*x3zhOYWzZY+ z!`*1FL-((rbPk?=xzh;-Vbr15z5edr{u6vsGBWw7&M-%QsikuoPV>09*V;NtXkK7B zWo0=0+fAx(o712vf#P&Np&@pESu;c3o*`s=Yp$6GdDYAtHo}_CT|IJ^XVEmQ8hH`i zP-`TaZh32e2W4t+wS&CP{~$uNb0M1K;VsUK>g65E(w6L+G)Yw0=Ef%4XRRXYw%ea$ zyZy$t%PED3biZ@`Bsl1RM7<8kNIQm%J)iCNSGV0J)i<`?{ztOiW{qfnZoB=DZ@Z0} zw6N{&&avIy#y|cSz8@WUqS+aB+ z6}Ve(V~v)$-pa2r9j`uX{7dJbe$&MIEYhaH&&A#e}Abet1*h+G%?e+ zHWz#I=e_mLLL2RWS9N!x{{3nFdbshsH2P#W*zJ7!ot-aT&PSJ6!3SExmZGtGB};k@ zUH(Rz?eUZq**N|K)m5kR3`WzggseZsAog`UbdmvK9QhGRAJ5a~Ws0~+mKeikOQ(Y* zW+OU(Z`EDiKdhq${4;sjirK`9QCTLgN4b5P5Ec1q&3$Xt6GQwEbi zr#{Xi3Kq_YwiogOtpNLCEs={xXT9c~tu zL6HsI>KHXL6DJ6}g5Upbj$U*loe8 za~v~13jLBO%RZCqXRj*#$`or{Rl4z#-D{Dy=qDn;ynv8gB<2JWUs~N^-xGt71URLC 
z(chvGrrv(HSLq?t{iCNd} zM!ec=Jf<;sGM{pR&kH(PVxG`pp7eQS*>KOL|BDQ?h~CT!#&k5gMdZ-46{`9Qhc)jI zF2?BzQjxm={)V0!i#TixDN+)`^n0Viw(ezmnf@PgRGgsS0_9ix zHOOfOC0`5-XtLNC6m?*3$|y_Z9H0iBTYFZevVT{4jt|v;x3Z&sn|v<5 z=4f-36UnKbl1c+=cf0O?9DcVvIpu7Ll4c3y->j5#=C0-4-Cft@+^E%J2b-p$&wb!XS{f#K2>Vw;EH|8G%J&S$%9NEu zv;mz3@SI1Q3ZpRBrz&`Vtk7YesLDAZJ?R+9shYAr5qZ+hF=y-%w?55|6v^sN@_AF7 zFOA=Ac#d>`pX)6k-XEXPFbTw5=p7?s54Yn(PrdkA2o7{SGnD(YGzAMHZEcm^2<@T; zylnZGy9S#{aGzv>&EOth#$mJaSQ9IP@nm@sEPUK#BM*EvW1<0n_hmT<9Cd~Adh2Rg z4z;a@6&bCf4Rfc>bqtp7uJOdFBOVUfvsY(q|Qo8?<;?nFvCUv22wY_qa$3q&$Ed(t&t zY??d07L9xg1ZrL}UyEm(X1;^BBJ^EAQa;_RuA8(qQ z?q<#E>1J)u-cpMBsx+Hw55(O5eAxnahJcwopsZ(ZYK)adVCTu0{b_ext&i$`;ZS&0 zt)>DU`3;tTcXtoxY+6jF#W{B-t*_>Kl184t>h~%U*JmzD!!yFlnCDA>Uqv_SB%UL={AL_I@SsQkfHMe|i!C$9OBB6w5l`70?z>!nyjkYe7-1Hg=Dg0xTeExgIgzME zWQfB2bUdCGs9tWqa|KzkJ}0{M`1RUb=c`qRK7}q)=}`HGhi;_t>ytfZ<2Xy}v|85$ z+W#O2XdV$e2A5la&7Gme*SAQTpPQ+9ss`s>bf&FA-XLWbUBc``IwH7Mg3MVHdvk!D zUcgp=wwuhm;aA@kuw7e)x#js9Z^7aIpieQ%Adk*YefdN!;enL${Oi4 zMT6*GMFqk$~2%qF9N=M@9zFlzuB}N_z7$=q+CF`ajU)XF)OYsf%)K9 zCe%lJgX^*C5liz?+rVxl&&4A@o!ST87y#)@Q64KxyhYf^uF^_o$9) zKO%WD&9!&(vMkA;&mB5N9uJ2!7Yh;b<%e%^FO=pNqrf>FWr>Rs)Pcunpok+tYIuxS zp8~C%G+roaV~HDGNaZ}aALweBm*WU#S_O{MQ1U+=!`x9|I?(fXFo6nZ2c4M5w=v%F z@tlDN5q;}sM#GV~Q%~@JyXfuge~BF6kAtV;kNv%;?!u^w;{FxH>v)!LG3|=7DsYD2 zpW_T3rC!H0iRRS9>%uF0kn^?72Iq6cmdY7bGloLIS4x?3DMXybJ>ka^y*X2+d*(|Z z^S2v!E1kViR{3)VJu7L^H@QhGu8lhY?FXBM^?bhPmvck!sDqttKL-nc?ys@nN5q2r-Wj6b3=1|g z*W`U|~s$_SllH?0w1=nXw`TyGcFzCADq060}LDa1*QLE2j_;NCu_5&|&ieN(Ve_ zUUexE;_79W3M97g#YBMCaWm$YRqbnjCc*}mE5{{l47!FA+c@-0jJOdJEF^Lw!IsD{ z=lxfS?9RiFmqB%RcV0aZtow>a@zix0f*;uRRK7-kc0WaA_k>=<5|2K=4VVOVON4h} zD7SyGMsOb#!8M(t1aYlLZd}%I%VIHU{GL@px~CRT;Z?3|jn1yoS@my?&ORzSTMd*T zRQPb{Y~M8vHb-Y2vagEHE)+pM3Od^?a+O@y=`7AbkvxlH`R-xlXdX#qigExkFpC_@L11tS{I&AXY878)OyDJB?iF zvItx*1b{A@RNF8Qcm}Ro1yJYZ#zI5wtk^}c(D^qD;vPP zT)P#)LQU6bD_QLlN2O+cf8(4>8*56&!o5yf9}g8w^%qI|*Md`33stW9oXZ$L3~XxI z8%oy@C7svTtBomLUQNGj1S=W`E?V<{3$S8*>ikTKUU)WHbbX88{EVe);Ey6Rzl~YT 
zRaKw2hsY+GMwl-ua593|P+=mdasM+JKtyvBWp|j>SIc4D;_d4uf@wxuUpUK>-u#Fhldh>K*lf3t3+!}Zru%kh~Y7i;c0zb+G#2ivVC@VurDOk zSEL*ARpm13EctRpF@&*OU+ux4{NuD-XF^TnN6;`%_3|_FTqjz&7ot~o;I}ddK5{sN zA_kXL>C;Sd>*$w%k-mMvPDPM?5U2L%+P8XAo-D^t;sS{+b-+Tit9Gn^t}^d7VZ6t9 z>BjvurXe``qS9A#^QmLK|8%;Gqj{>IP+>;Cx1p(BTT@a;K&~>y8)|71JC&p=?ZEp_ zK|l3#1H$U&Der*|QlBDuFk=+W`Lv9&ewhz?WZWKgU*col;bVF2%7-nC^9+@bT$rD; zus>H(`y_?qYZujH7qj|*7nf%IeG%MHvcKc+?AJ6z_k%M^N8Gj~23gY{$E9s`>IYuf zypDePX>_&U`B%o5z2{KQCgxVbVf`j1rMg4k&M$chlkhpEDKBhE%!jdQI>z?$Wx0WC zY{ecrFF_KUsit{)m~K^CX}506sHha%wz$ehEjKx@nN>3cnBJ^^Ucu1HwZ1mBw3+b-N*~H6|@qvaeVw@6EDJzSt+B~)LoIK9Phkq&tZaScQNdVBJ0#-`E? z!#>NiXd1c}5=xgRc%v8MCPu0oRu5vo`1+XHEqpo-t2^_N4wVW z0dHAh`&jK=?5d@QJGc0;+Pl~ZriaTATCBa^AbaIVeu=0SES37gsE z3Z`S`d;i)01GC2* lg$WKlSA$&II;~Lp8vp>Azmr-fPXQ^DswOH1q9p(T005nBWTOB8 diff --git a/Solutions/Vaikora-Sentinel/Package/mainTemplate.json b/Solutions/Vaikora-Sentinel/Package/mainTemplate.json index 379eeca86c2..f2c70dd180c 100644 --- a/Solutions/Vaikora-Sentinel/Package/mainTemplate.json +++ b/Solutions/Vaikora-Sentinel/Package/mainTemplate.json @@ -49,6 +49,38 @@ "metadata": { "description": "Name for the workbook" } + }, + "dataCollectionEndpoint": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Data collection endpoint for DCR ingestion (auto-managed by Sentinel)" + } + }, + "vaikoraDcrImmutableId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "DCR immutable ID (auto-managed by Sentinel)" + } + }, + "vaikoraApiKey": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "description": "Vaikora API Key" + } + }, + "vaikoraAgentId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Vaikora Agent ID to monitor" + } + }, + "dcrImmutableId": { + "type": "string", + "defaultValue": "" } }, "variables": { 
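Review bot: `dcrImmutableId` and `vaikoraDcrImmutableId` look like the same value declared twice, and the former is the only parameter in this block with no `metadata.description`; if both are referenced elsewhere in the template (not visible in this hunk) they should at least carry the same description, and if only one is referenced the other is dead and should be removed rather than shipped to meet the validator. Declaring `vaikoraApiKey` as `securestring` is the right call; keep it out of any `variables` entry or `outputs` value so it is never echoed back in deployment history. Suggested addition after the `"defaultValue": ""` of `dcrImmutableId`: `"metadata": { "description": "DCR immutable ID (auto-managed by Sentinel)" }`.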
@@ -267,25 +299,82 @@
 "streamDeclarations": {
 "Custom-Vaikora_AgentSignals_CL": {
 "columns": [
- { "name": "TimeGenerated", "type": "datetime" },
- { "name": "payload", "type": "dynamic" },
- { "name": "timestamp", "type": "datetime" },
- { "name": "action_type_s", "type": "string" },
- { "name": "agent_id_s", "type": "string" },
- { "name": "status_s", "type": "string" },
- { "name": "severity_s", "type": "string" },
- { "name": "policy_decision_s", "type": "string" },
- { "name": "policy_id_s", "type": "string" },
- { "name": "risk_score_d", "type": "int" },
- { "name": "risk_level_s", "type": "string" },
- { "name": "is_anomaly_b", "type": "boolean" },
- { "name": "anomaly_score_d", "type": "real" },
- { "name": "anomaly_reason_s", "type": "string" },
- { "name": "threat_detected_b", "type": "boolean" },
- { "name": "threat_score_d", "type": "int" },
- { "name": "log_hash_s", "type": "string" },
- { "name": "resource_type_s", "type": "string" },
- { "name": "action_id_s", "type": "string" }
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "payload",
+ "type": "dynamic"
+ },
+ {
+ "name": "timestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "action_type_s",
+ "type": "string"
+ },
+ {
+ "name": "agent_id_s",
+ "type": "string"
+ },
+ {
+ "name": "status_s",
+ "type": "string"
+ },
+ {
+ "name": "severity_s",
+ "type": "string"
+ },
+ {
+ "name": "policy_decision_s",
+ "type": "string"
+ },
+ {
+ "name": "policy_id_s",
+ "type": "string"
+ },
+ {
+ "name": "risk_score_d",
+ "type": "int"
+ },
+ {
+ "name": "risk_level_s",
+ "type": "string"
+ },
+ {
+ "name": "is_anomaly_b",
+ "type": "boolean"
+ },
+ {
+ "name": "anomaly_score_d",
+ "type": "real"
+ },
+ {
+ "name": "anomaly_reason_s",
+ "type": "string"
+ },
+ {
+ "name": "threat_detected_b",
+ "type": "boolean"
+ },
+ {
+ "name": "threat_score_d",
+ "type": "int"
+ },
+ {
+ "name": "log_hash_s",
+ "type": "string"
+ },
+ {
+ "name": "resource_type_s",
+ "type": "string"
+ },
+ {
+ "name": "action_id_s",
+ "type": "string"
+ }
 ]
 }
 },
@@ -299,8 +388,12 @@
 },
 "dataFlows": [
 {
- "streams": [ "Custom-Vaikora_AgentSignals_CL" ],
- "destinations": [ "clv2ws1" ],
+ "streams": [
+ "Custom-Vaikora_AgentSignals_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
 "transformKql": "source | extend p=todynamic(payload) | extend TimeGenerated=todatetime(timestamp), action_type_s=tostring(p.action_type), agent_id_s=tostring(p.agent_id), status_s=tostring(p.status), severity_s=tostring(p.severity), policy_decision_s=tostring(p.policy_decision), policy_id_s=tostring(p.policy_id), risk_score_d=toint(p.risk_score), risk_level_s=tostring(p.risk_level), is_anomaly_b=tobool(p.is_anomaly), anomaly_score_d=toreal(p.anomaly_score), anomaly_reason_s=tostring(p.anomaly_reason), threat_detected_b=tobool(p.threat_detected), threat_score_d=toint(p.threat_score), log_hash_s=tostring(p.log_hash), resource_type_s=tostring(p.resource_type), action_id_s=tostring(p.id) | project TimeGenerated, action_type_s, agent_id_s, status_s, severity_s, policy_decision_s, policy_id_s, risk_score_d, risk_level_s, is_anomaly_b, anomaly_score_d, anomaly_reason_s, threat_detected_b, threat_score_d, log_hash_s, resource_type_s, action_id_s",
 "outputStream": "Custom-Vaikora_AgentSignals_CL"
 }
@@ -314,7 +407,8 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "version": "[variables('dataConnectorCCPVersion')]"
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentProductId": "[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]"
 }
 },
 {
@@ -419,7 +513,8 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "version": "[variables('dataConnectorCCPVersion')]"
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentProductId": "[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]"
 }
 },
 {
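Review bot: Every content item in this patch receives the identical `contentProductId`, `[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]` — here for the two connector resources at `@@ -314,7 +407,8 @@` and `@@ -419,7 +513,8 @@`, and again for the three analytic rules and the workbook in the hunks that follow. contentProductId is the per-item identifier the content hub uses to track each connector, rule and workbook separately, so five items sharing one value will collide on install and update; the usual Sentinel packaging form builds it from `variables('_solutionId')`, a per-type marker such as `dc`, `ar` or `wb`, and a `uniqueString()` of the item's content id and version. Note also that the next patch in this series (`PATCH 07/38`) sets the solutionId to `vaikora-sentinel-connector`, which would make this expression evaluate to `vaikora-sentinel-connector.vaikora-sentinel-connector` — presumably not intended.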
@@ -462,16 +557,29 @@
 "requiredDataConnectors": [
 {
 "connectorId": "VaikoraSentinel",
- "dataTypes": [ "Vaikora_AgentSignals_CL" ]
+ "dataTypes": [
+ "Vaikora_AgentSignals_CL"
+ ]
 }
 ],
- "tactics": [ "Impact", "Execution", "PrivilegeEscalation" ],
- "techniques": [ "T1059", "T1078", "T1548" ],
+ "tactics": [
+ "Impact",
+ "Execution",
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1059",
+ "T1078",
+ "T1548"
+ ],
 "entityMappings": [
 {
 "entityType": "Account",
 "fieldMappings": [
- { "identifier": "Name", "columnName": "AgentId" }
+ {
+ "identifier": "Name",
+ "columnName": "AgentId"
+ }
 ]
 }
 ],
@@ -491,7 +599,9 @@
 "reopenClosedIncident": false,
 "lookbackDuration": "PT1H",
 "matchingMethod": "Selected",
- "groupByEntities": [ "Account" ]
+ "groupByEntities": [
+ "Account"
+ ]
 }
 }
 }
@@ -511,8 +621,16 @@
 "name": "[variables('_solutionName')]",
 "sourceId": "[variables('_solutionId')]"
 },
- "author": { "name": "Data443 Risk Mitigation, Inc.", "email": "[variables('_email')]" },
- "support": { "name": "Data443 Risk Mitigation, Inc.", "email": "support@data443.com", "tier": "Partner", "link": "https://www.data443.com" }
+ "author": {
+ "name": "Data443 Risk Mitigation, Inc.",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Data443 Risk Mitigation, Inc.",
+ "email": "support@data443.com",
+ "tier": "Partner",
+ "link": "https://www.data443.com"
+ }
 }
 }
 ]
@@ -522,7 +640,8 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
+ "contentProductId": "[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]"
 }
 },
 {
@@ -565,16 +684,27 @@
 "requiredDataConnectors": [
 {
 "connectorId": "VaikoraSentinel",
- "dataTypes": [ "Vaikora_AgentSignals_CL" ]
+ "dataTypes": [
+ "Vaikora_AgentSignals_CL"
+ ]
 }
 ],
- "tactics": [ "DefenseEvasion", "Execution" ],
- "techniques": [ "T1059", "T1027" ],
+ "tactics": [
+ "DefenseEvasion",
+ "Execution"
+ ],
+ "techniques": [
+ "T1059",
+ "T1027"
+ ],
 "entityMappings": [
 {
 "entityType": "Account",
 "fieldMappings": [
- { "identifier": "Name", "columnName": "AgentId" }
+ {
+ "identifier": "Name",
+ "columnName": "AgentId"
+ }
 ]
 }
 ],
@@ -593,7 +723,9 @@
 "reopenClosedIncident": false,
 "lookbackDuration": "PT1H",
 "matchingMethod": "Selected",
- "groupByEntities": [ "Account" ]
+ "groupByEntities": [
+ "Account"
+ ]
 }
 }
 }
@@ -613,8 +745,16 @@
 "name": "[variables('_solutionName')]",
 "sourceId": "[variables('_solutionId')]"
 },
- "author": { "name": "Data443 Risk Mitigation, Inc.", "email": "[variables('_email')]" },
- "support": { "name": "Data443 Risk Mitigation, Inc.", "email": "support@data443.com", "tier": "Partner", "link": "https://www.data443.com" }
+ "author": {
+ "name": "Data443 Risk Mitigation, Inc.",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Data443 Risk Mitigation, Inc.",
+ "email": "support@data443.com",
+ "tier": "Partner",
+ "link": "https://www.data443.com"
+ }
 }
 }
 ]
@@ -624,7 +764,8 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
+ "contentProductId": "[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]"
 }
 },
 {
@@ -667,16 +808,27 @@
 "requiredDataConnectors": [
 {
 "connectorId": "VaikoraSentinel",
- "dataTypes": [ "Vaikora_AgentSignals_CL" ]
+ "dataTypes": [
+ "Vaikora_AgentSignals_CL"
+ ]
 }
 ],
- "tactics": [ "Impact", "DefenseEvasion" ],
- "techniques": [ "T1078", "T1562" ],
+ "tactics": [
+ "Impact",
+ "DefenseEvasion"
+ ],
+ "techniques": [
+ "T1078",
+ "T1562"
+ ],
 "entityMappings": [
 {
 "entityType": "Account",
 "fieldMappings": [
- { "identifier": "Name", "columnName": "AgentId" }
+ {
+ "identifier": "Name",
+ "columnName": "AgentId"
+ }
 ]
 }
 ],
@@ -695,7 +847,9 @@
 "reopenClosedIncident": false,
 "lookbackDuration": "PT1H",
 "matchingMethod": "Selected",
- "groupByEntities": [ "Account" ]
+ "groupByEntities": [
+ "Account"
+ ]
 }
 }
 }
@@ -715,8 +869,16 @@
 "name": "[variables('_solutionName')]",
 "sourceId": "[variables('_solutionId')]"
 },
- "author": { "name": "Data443 Risk Mitigation, Inc.", "email": "[variables('_email')]" },
- "support": { "name": "Data443 Risk Mitigation, Inc.", "email": "support@data443.com", "tier": "Partner", "link": "https://www.data443.com" }
+ "author": {
+ "name": "Data443 Risk Mitigation, Inc.",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Data443 Risk Mitigation, Inc.",
+ "email": "support@data443.com",
+ "tier": "Partner",
+ "link": "https://www.data443.com"
+ }
 }
 }
 ]
@@ -726,7 +888,8 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
+ "contentProductId": "[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]"
 }
 },
 {
@@ -779,8 +942,16 @@
 "name": "[variables('_solutionName')]",
 "sourceId": "[variables('_solutionId')]"
 },
- "author": { "name": "Data443 Risk Mitigation, Inc.", "email": "[variables('_email')]" },
- "support": { "name": "Data443 Risk Mitigation, Inc.", "email": "support@data443.com", "tier": "Partner", "link": "https://www.data443.com" }
+ "author": {
+ "name": "Data443 Risk Mitigation, Inc.",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Data443 Risk Mitigation, Inc.",
+ "email": "support@data443.com",
+ "tier": "Partner",
+ "link": "https://www.data443.com"
+ }
 }
 }
 ]
@@ -790,7 +961,8 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "version": "[variables('workbookVersion1')]"
+ "version": "[variables('workbookVersion1')]",
+ "contentProductId": "[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]"
 }
 },
 {
@@ -856,13 +1028,17 @@
 }
 ]
 },
- "providers": [ "Data443 Risk Mitigation, Inc." ],
+ "providers": [
+ "Data443 Risk Mitigation, Inc."
+ ],
 "categories": {
- "domains": [ "Security - Others" ],
+ "domains": [
+ "Security - Others"
+ ],
 "verticals": []
 }
 }
 }
 ],
 "outputs": {}
-}
+}
\ No newline at end of file
From bca066e4ec3ac470c395a8dfdace57a91d51a234 Mon Sep 17 00:00:00 2001
From: Taz Jack
Date: Fri, 3 Apr 2026 17:56:41 -0400
Subject: [PATCH 07/38] fix: correct solutionId to vaikora-sentinel-connector (matched Partner Center offer ID)
---
 Solutions/Vaikora-Sentinel/Package/3.0.0.zip | Bin 9946 -> 9942 bytes
 .../Package/mainTemplate.json | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
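Review bot: The last hunk (`@@ -856`) replaces the closing `}` with one flagged `\ No newline at end of file`, so the regenerated template now lacks the trailing newline the previous version had; re-emit it so the file matches the other packaged templates and later diffs do not keep touching the final brace. The workbook metadata in the `@@ -790` hunk also gains `contentProductId` `[concat('vaikora-sentinel-connector', '.', variables('_solutionId'))]`, the same literal expression the two analytic rules received earlier in this patch, so the workbook and the rules share one product id; a workbook-specific value (the `-wb-` marker plus a `uniqueString` of the workbook's content id, as the packaging tool normally emits) would keep them distinct. The metadata objects these hunks edit start outside the hunks.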
diff --git a/Solutions/Vaikora-Sentinel/Package/3.0.0.zip b/Solutions/Vaikora-Sentinel/Package/3.0.0.zip index 88b5daba9c5eb729761376524fc1c1c794f51bf0..6d3ed5daeb27b5679add71648cae5e2ae86bf948 100644 GIT binary patch delta 6543 zcmV;A8F1#>P1a2pP)h>@6aWAK2mlF>gIubVH=>jr000WH7nB2k?Y>;i9+QLh;9yT- zBLZ!!!-{UrnUrsg>FA?bohq_ju79p|$4d70f11#oV-_UGDT{}rf^F&pmvuLYsTb(3 zjYB}nEs6Bu;faqr7dD{KqmLu~MFt6Kxv#e@qL@i}C$J=h67Dy|eq|=`(y%c4YRW7Q@{6C6!L`1dEGXO|653<^{G>T!!1f+h+K#sS=tPsGd$I zG{hxq$EcePNOm`7vU!kK*}UZ>EX~%nA}4tkO~Wda7r_;^c9JQUH=b@GPTh@ekazh% zh(PUBpeFl&@HXd7wW))+bY*vKrX&XJa%L0rvkvMy@9xat-JRCF%OM4d^l9(%S+Lgw zjJA7#BkdVDZu@w5XL;UjGkj~_-FYD1Z8wSbyu0)8yxVF@bMx-*4Bp*s&AS{@pa^>_ z*c&|W0Y*DL!11zY;JD-C-QDGRx6Saad3X1Lc(>huB--=t?!)tLt0~RkUF8VyDFhne z(9#5cF)TmnuBdt|bj#+mUoWcyN0u{aQ6Jybjnvx*Io)ptO-ig2aZ@dKQ}*4Ax!2p@ zg+_2QSeP?^m1u|#W>G+l;+UgizzUJnc-2WRFh`awJVzDisL!zmOI&Z|sCON&1=}ieK-I~j8A(I$$ znaj|%w{2DpSHX}n4{ssom9dfcdRo8`fL0NI8=fluT&osUX)~99p`;&DFlMltw-u*V zlW*H>EfM-5P9x<5KCF12INUghQ^hydl3h2uI}rNOdT03;?N@bi zq5k}3{kpsTyRi4kp0Hc^?DV$2atR;ZVhI^&AzPxx>VqsOHFWzc$+m}6R%GM&Pb61= z9m=yAO}-Mi{u~3^m+{aE27qzo_elEsJZ|5nh>K)_J#5Z&I!IzRqOlz*A#H%!SMn{ zA#BPfaTsS)#wP_`Uc=r4e90|razfMVIL}fpx7>sp=D}q2uPM!esm_q=D&qITRL(CB zU(fEPCRWrR7bo)8uvhXpR0E%71uTc6zMz#_oScRf(;1vt@V*iX4I+#8cn?i~+{POY z0!DELw@s6GHvZ^%`rb(<7QmT67p7AsjP*T8t{!I#i=oIGM!d<+6EXr8VC()V|1o2_ zg{1RO^f{y|6T*l@ZfqVUz{SD_Jix;T7_`y z7(Vtc3XGBEa2g_zIRrsU-3!gXg_H6Mh)|V_lIBmI-!o%Bd2TRvjSG=~_T2%Z*jr0&*r@;0WLiaeeTxek;ZFEO~12FOrb#lX382 z&7!8c1=0+21dCe^vA!&cq-w*D%tH`6AbNuNsipMG?*nET9ZRoZa2>=+Fo+XC&!foU znNkGBl*jcB1iV9Wl%O$xJCREA*W?mbfI7gOd$$8x=Qw737y2<#oP8qoXD=!J#1uNN zYTa68_j06-`jId&&%h)XNoqmFRjV6Zdtv~R0FN~K$287qf!_bStmDfF(NtVpD;wNA2f2b0+b4-GS2$sr$G^bHeQTk zX~D zx#yz)Sq4<(*>0wPF{Z824I;OmO;EK~xUKnus1z@NA~ym2yUg|4K!}utaQt2=v#o!g zo~QqZJ*u8y-2x?8313O-UA`~BbS&VPU-rqFi3;?Ho&5YW{F{xyG9{Tb*EmQQleU3r z5;B3`e(7T_VAC#X+9$^Gg;H^leQ4MrHJ4KZBv%FoG?{OI4~j7`H)WJ1@(fU$&hckf zPiktIY7d8n-)fZbN@&=*k_~Nqg3hY~C7TnvBtP-V5^c6?)8LRXGo&XFVf1RYTSf 
zB2T(G=8WBA=+j(Ck*w|npLN9f()its=ScVWiQWS2{qYeElR%t>-aR5>xILfu)aySB zL4b~b8%?x{@KIto?--e6c-{cO+|_&z+&6mX;wa;>y_jg0FpOkCVk_@x|wfd!N{io zp!7`hwRpB}W}R8D<-}HC2)1R=HqoU^~oGrJzcM5 zPFX}TUzKcAU4fYMpD$<2&eJkexD@xyOi;9Px$JC3b3N^atF2LeEgS@|lGP-jBg<^| z`O?Xz#bjEXask!(dJ#EPm!?%&TJd{*;es@zZD%5Gt^82+G1oynmnrI(r`|h%8vi(- z_ggia!_}^wmZ$vAh^M3o2VBNcszz~MaO?U@v*6v%eyf{7R$-j~;Cp7$nY_AR_PFks zIeh#J+$$qJV)WN=%ghrfFdBTW*Uc(Sn*bd*hSa;@tC z-T5SUCGRmz2qL!to;yK~uSdh%Uy-aysuoup^`!~}yv6MZ6ba4uF@;w^Au>bpc4h#0 zrGQOrH<&lKqaFaZMO&qFOY*hOw!l;nA7KKP5bBJF$Er#qKiA>+=JobwP}4SyuCVPJT8uJI_3vJuxxx6wr<2(! zhdTb}C4>;Leg_-gtGK`fW$0mhYs&{D0bI7Ce*(Y4R?lvZ(>F0ni`{3=-aBZvzmCUo z@h_gczU>C0MK12EVNafa1e-Ah)Au+%#p*l}_T?FIM1!c2ss~|6Cw#4g$s~z|G}}at z%tyta8O?i~*p}GsDIuhUz~(j>i3|I0VHxnG^RTIStHjy~n#0raz?W)-OL`jr*|6>! z1Q}6nOU*9c7GhAVO$+$bBH)Qy?&Ti^>_;$=a89q{q!5`@|Lm)OYa0J12`__8UJwU$ z-8-I5prtnjk6vR{`~QIzKM9JF-{o2&;aXMqeK7R22AoegN7eCN`C4R?m9OO!_*xA7 z9VJ7%>;1;MnJbUToq0su)b|u%ZQ~i~5iBhr(pt5b^P87CRUDQvg6`{C2uquZGt)yWb@h2Xg^`i2rJ-xX zC?$d4+EiOZTtvs~dmNa@UhqQS-cy2wT?W}T<#!KNoCx1x-}n}Dr$Hx7_;o-=iO?0u zIKX->5o(LrwpyGf9TLz^8Qyec!6hYGDYFdm zBJjc(vhsjAz5+XtjDQeV^n%f1&59K&xDy`yJJRJU4ES28P_l za0t7M>|61FNu0%N3@yTQJI;8j_;BAKACgG~;mrxYjv11O6*+L?MUdyg?b?B=QG|51 z=jj5kP{3}crs`^FkwG?d@gnE6SKRDQL(Xz1XWQR?R1Y_W}Olab;!djMv z&{YL0l`G~-X<48`7->_Vgv?oosa<}P!?x-axSzdgOP%8}oICDon4Om&;5hb(PI!Hi z$Ja5|qU1aGv@ z#}lG|t@0@xgk13YSm83JNi<^||5&^WI38idOL|IFWR$7XrZ36hsT8{k<9i*nh+#I{)H!cU(8?ffQO*Wn+!fHhV{ z61;xX;V`G-E}b?mP{##v4hO|FX*p(`hMX;bgzLSO+@6bVD0Pozla9X_N@pl%(WYBV zee#!A0Wl0}U3!>gj7A0yo>PN2NwVx}02XG8BZG!SrSMu=c%6(YFD5W$Z3NZe@`A~3QhWm#Bq zB$LzsQ-TCl4pyHO`@Dk$EjdT_`8frD30!64#Z3+9iCiXNw~BA^nl%DdEq8HqBj%qY z9)h?RH6#NWLdY)3R)0^&5c=dmgbl1p@H$MujM|3$8}HX~fEG2clOA6JOjgh)&?pX31bP8vU!DTnT?&p(+4_rmE%eR$lHW*(3qPv0yW}RzC)WEENs4W8r z)tcHWc3_v^M!&tI0QZJ9>|1{6$Bs8t?gQDOiCXZ$4o@_O4q62W1V+vPfrT=hdH+>9 z{AYy~7IF6PZoRo9Z~q$_#Z#9y?)Ue5246Y+KR1W}5xoTUkiNVQnAgBA9si%ipTD!W za@zk5oc5-$mwtQek=qq-95+ILNj82rwUA=B!_(rGh+aA5R}T4=LteIcEDrgqsR+i> 
zr*p{fxDYn+m%XkW@+*h@$|3*A9rA5<^vWUMK)~G@4*A`c zL;fBe^1I$6akrgAUgYtL#2oTVoXKpn{}5k%m3d{u-Ot+>-;!x$pP!|FFJ7hT7o(sc zH|XZ2AMoyFj2`fT{FESm;81(yMKX4uyaidr9m&^fvlw50WiSspf|Z~T=#D1^{Qg~d z^Y!Oj!#EG8W3;OIQ}pB$*Z~M1gApnFLZVzI+0A?|_nBK;ckxNR?M>fCba>S@;%>jX znBH;ZN}NYu^;|yhdDH8ETiyt0aHUs$=CiWoVWM_^{5xjpJ%g`Y@SmFtzA5Lv;-0@d|9eBy{Ii{v|NXK1-)*7B_l5n$xwu*!ckH}&Cvan4 z{>t&ba=fn`@1n(HalBXULa>ZJo#TCXImf#L_hlXLa~X{H;&^X=XQ<0wSC03U<9+3L zf8>t$HamLdc(=Y|FaVXMRuac@l&>7@WVtfIip;t~@Qkv+H6ml7ZOo^p%d5WAL+@mXuV+@8|ymA=77pu#y^;WfDcD)MvZHy5?0-A2p& z4w#9=k~Hv-A}c?CckjqZm!E_Lz%ZFcm=!KuqXY{bV!F5S83Qr^WA7@;ZZLPZmZ`qM zOW8>OcIhPVSC7}4N-QKdUNr3EuXA-`op-)I@BEk*6nnwKiRYb- z^G;mQF@sm{01!D3{<#g0- zo&x~GQZ1-|g=#3%OaEej@2S90f9b=(uZov3X4x+%6vN0x=j$i%Pq6zFL4H9d@)J-P zk9x9(hA81Q(ZoFytFi^Z6+7^q!#gNq5LuNq&17#q{qk?Jws*Lw7*`p@>6-mjmTieo zmIKoxh>dl?LUXCMtfevwTQR<3ymjk!8q*L2eNkC|D;aO>S??dua&bqeS|=o!ajV0i z)UHh_Nh1JP_d!}xX%ah$qz3K5`^P|^`t2aWb+d?f#|)|OirpDAis?KqW~^6oLy3$L zad!nbvw)i=wJYCeGHxwZzSU%YmC63Ow*{_%3Q>5GX1^dZs zID}6rO?hJrW4?_|)-f^)&dZp+5q;lxR=^YSbCW$ioo-ZSY0qxM7^pafZTJ&vUGw~LpX%yks7(I5-*h@&TM zVZq(f7#_yOXgc7wuhxb)56XJ#J!K{Kl;zDff!hX~U?qbEAq{42LiUAH|8a)XdfRe- zm3GFmAEWGG*3d8$DL0BRH3MoD;pwWy^app;igNS*9)mazhfdkICwODwHeZltrl(4O zcX8$SIB6J<*LIe>N48$YTUPOwRlMa<#ao(p?%y}Aq5=U+g;nnEdym!GFCB>SMJzna zJcC~wL~nZzoBut%pwX4 z$<&7KQ+u}M3V_&a$ArBKTA%=SsEkmR(kz^HN4-D zVF73D8!=X#UgOushdfQb7Bu)~bMm4giq^o`wrq3lnJQpq^Tdm{48>OZCLRw7%R_@h z^Wdg0OqD64x$K8qEe9C86MyUPI4R@gbvDezxAI`iT)?7ceRe%O?~t1~Dn`)#-qXnk z_&K5|r1WnW<>onrd}^z|g;NuMY}Np^SZ>Njo?FQ?wF0M7w}86TT8T3UcPnj6jXq0B zYgEqKD`g)oA&mI}G!5(KQ71Dp;tzg2s)Un4N?_1!c3f96iSL`Zs>8*;@N0g#(H-WU z|D#TGncwYF;_j_H?Ojx;eBk-cS3&L$E&xC9eCNBRcL#Y_3(eQ-Ran|ebuo`=Gq0Vf z%!-Ownjwxg B&tU)n delta 6560 zcmV;R8DHksP1;QtP)h>@6aWAK2mq8}gIqBFV7QnZ000=V7nB2kZJ~jC7y6DMO z)^BP^h(XMGm2Zs6>4RFGF|u8*f39`MN)q>fn$Vo%86?Lki-)6vZR+EfbvKBqCFrh= zBSA{BGzD3b<%fqSK3ZMafI_Q2j`WiwdKm+YLDTJqC9yhD>N+l?uOFp1dFHXv?L}d) zyD?4UKc;ebuNfqNo&#$jios%y?Esv)W@)@`J7L|`y-t*mVolI}cpXO;F5OL2qhOo1 
z(rLa!1UD_sstR3G-guKqo?XYF!?R7TUGz00yK$^`?Bwb}5~Np5ZXBR_NY}ap*bd?^ zW4i@XDSbOl=ud;+VW@3W{+X}k&e*PQ4P+M+E>y(lkiqtUU?<#-p7iL`%V)j4=U;90 zf-I>qxWE^alo4icId*iLa7ZvSqZ;k%}SXkwsx zI-SrEm#iJ5ZZ;s<-I&SdL0)C^mXombT-S=6buY_o6ml|tO^`i&Y(qod{Z}4Zy)4zzZoQ&&6-_Z|1MjWQ}UaYxgSo6{} zcrHLNH_%Vf0YdgcUen`QX!D`-C zTv$z>ZnL#S=!ZCslt);PX~K(4QueHjm(U;r3LevhQD&*S!OinvG?*u&;br-LMBBRV_lz}?>P|Gx?H zt0=qSOLNS_K!{Gj(HWHJFd014VRJK*5vN7wiuO$z9R3{oFpDT~I3t>0$SdRmTz|55 zc=&3)Pu_@#gB&{$PDl{zSrUi0B%)z|%*2x*&Bmap6BcH$Tk&^9&I+(_#mQ+%F}cBs1@9}N&>*sSkN41j#BIFc zAYc?{aN9I_XXB5Kr|+F)VgZ~9bYVJGf?D5$ryJRu`s0k-a+@*gv% zOa3k6+-LEaen(T3nlvIW_F=$mZRg2oT|*!m7o1%$IKbXhcm?7L-57TB4T0@N99q}VBT;aBe$g%&&yuGW{~`&=J{boe z)+}n8TOiFaW3ag85bMj5NUApc$UFqG1EMFGpIS=4{61io(XsRj2G>EH1cNvM^gN0j zo+(98OnF@IK)^c`M+q8#vlFQ#e@!l71*ikexpzCDb&g}kccC8>#n~rPfA*5nPfVfX zs@APlb}vWTs2>Rf^9)RKk+K#E33Ghgxe@x??MsCHag6)xQyXu64rnVq{ zC+(pXIwvibLN?*^0w6pp{5|u&gQyK0s<^yIANPnqE*AGccQQYJ?oMtB`NdZw7o}Av zf=owhAaM2Mw+w(QdP~->uP#2|pLKE*7bB8${s}|W`avT{D?q7WD*vocei{@3Xye5w zmZk;Q%T?Er@^+JHif8O8Ex@oCGV(%U%=&II;-zNmJ&jq#`IIAkTF}V?=Y%%%q|76W zntLw#pJhNrp8IBh8e`fT-5_%7*#uQZ0GTZv+ z>3RBp*rVzR)-6zimGG6M-sSu9OUD9!`DLG+nW#XI*vZd7!@t=GEK`z6bB%*^F@+nL zCLt5}?Uz300ygcErhQ@@Unms^*@uQ5Qgb;qKyqbZK$H1@_MjL8b5llHBF_M|=^TG% z^`xeTiT7|=_^n0>uY`u3IoZ(0C+NH?F#dTgt0CEO&gD?F?>YXOcU=lRi051rnKJqy zi&CbJon^yeLcg6B1qiD$LH0zvZH-LK3BiyZgaI0$*G=}iUKOSU6(%&xm(^Tbk0O!vw-K{nJ<5# z6XshXC-d>|6FYy(f29R%W`6LV1bLBC7i;0^9;a7-X4LZL=B97<+-lY$f=$!VCq8f| zE$k+_3;tI~EVi9x%6CJ@ij|c>v>iHg_;c>*D2&2f->TrYLXUZ@D(8XptY;*rYRLLQ zo7^30*?|tUfJR<7gRhSk$V`IUBn#T1aSM%NPe5TgEO2(L2*#6# zCWjRXXoHNrV|E{?=m5pT;vu}(4~~TnJ3cHPwP4euK>O! zVg`fTU^2+Ega!`Pe0fx=QTP_vz(JbaCo0f?KYRGyQ;YzQ;zA_q(CEPzO5*eI+sKG< zKde--Bk>P>APe2#j%2O#xid7>(lTU4oHlE{u&VlY$^6!#?~ZpR#lHg5Xv}H1XmY)C z!?u^Q-dr>R`{7lR-S{T!4cDU?(WKj|P(R?a(SBawWa7kQAf%Pb%N@Q3h! 
zX^09i|0dkC7?H_-kx9LNO_~DhQ82JHz?R zrw4$PPuFW%asY+LFH*;RVF0Sr)1st*^==&_ruBW|lwKb}*g@fQ#vYG^RWSPxA zUpm>em`saPE}%MJFCvHP(zGf|D}JvpT#$ye?M%e2l^?1;<~oSyGDZFJ)O$yN;~(eq zeye74xZ0J|@|52h@st$dfXg^a)hNyjZry4@mY&Y0z`LFORyTvJGCBXj_spa-d3C?+ zaosO-`1lvNS4Mio=&#|HnI}+SH27Svn^|(ayd+cxOe@t0%hhlfwDVplYBYH&in+6< zqjzNY?sEnm=E1>RI?Rj6lH<*PD!O-15}NO03a@}dWQOAH z%mDC80h`!vFmG;0JpgQrwo2!g_2lM)EN(t`*J*fuEX!m>+Q{;rfnEqVcR#f7-gL5-@QC@gYk<` zC$m!yb^Omu2q9qo4mP}3ae)cS(8KoDmJdh*xNJrL1b&6Bp4}X$Z(@`dyU(1xchGEq z9gpMUUp#kx+YLmET-;ZG!=5||He(8=?{RvH)p;W9%QNDL22mqb55ka6_*w^(NfHZb zwuu^x|iM10nho|F#FVzT_^fdmn zVcj(dGNRg+nq9mt#GqE27VxJo9%e6$pwW{v>VCZQLIG=Eis^h!zwa6wbU&|-( zwHWw2N``jV`;B!oS00f&^N6^q?%|Tkh}W0-4Rf zs;<~4FTqpa?JdfGE!NGV_Pe$P-^f1aH!pRnI4olX-Pf}amNpY-riWIl?DKdEBO_f) zL)V5;N&>&NskVl=h>q9yI53aB;Dx@urvwYT46~gHD+6>wt_B zp(~Jafc07;)E2RAwKz>WB%qx#yy?h-OG>g*W*Oqim2SR&-1gSJh+CMrZv57-17cRW zh4a)?Z-JLv*dDEy0QEW|<-0QWhW9Ynx=2@ESX9!r%lpv<18(YNL)QUa7%sQ3>F! zBRE#z5Ox`V*|*}8IE&X9T7>6zobgog;l4pWB$Eijn-hE;Gb9l!a^S>^AkTx_wF6b7 z29u8?P6cO=_t?w{@s!Q{;QQ+K;vc=g5#=vWt(8OVd zwJZyvs|r*qSIm{tvOt9}(xyHMnX?X4yZk1HZPh7oKYP=bI>%!;cih)7J1;-LaqJPD z@cJZ=uVbu9^^$>v3f%XjoG8(7Bx=I?usYk`dis@nRCu-b-1q9~ljrSFzy&OB-vpBh z-e{kHk0(T1^V@~#v=@fxz|#7zrzF3z}9yi78k zi>#uq#Sy>a@6Dz&k0!4EnZMnR&GMiVBrkt9z_St-<+6u~ZL!XUpFRWH`AxX4!#{KZ zYpjYSc>SisVNS(eI&EB_jtk-(4vJ~ga?Ch?4LMr~*Lx|sJr~K@A`9e**D&QQ*x zO}Cc%15{DlLMK}VqOE2;%|8k!9mXMg} zx3@2GD>v1vBjpBPVyi57L+)N~Q_p{?`;PCdTP8K$SvS6HH<$Se2HXb!?w#}U`kXd@ zld>ap70mK8hBy|f-!UYWo9FZ5KHsJ8CGA?nPW8DoG@!?SxTrrt_S$^QyLR8&DWw*_ z&)xDCc`FgTy5;?_x4c&o0oi2Ph`?eydKDsQAmGl75W&tWL~xHGf*tRXxYI5~U}R0o zvasYxCa3?W1PQ7ftUf9Bc?Stva*phO^K%LkxXQ+hn;Os)xlF)r6<_8xYXquV?&9V~ z%s);%1aU8FNCq;5kX@3k{+^B@^vQt;8(5X#b(nw|wGH_f->>5UEoxpTJ-!5(w17rD zauEaKc%4er(~nHtvE(`E6wVrh%Wiz#&nFEZxQb+#Z!6bqFunjpcLfd1I@gYWsDW8g zTLuoQHMLdjz%IXyetSm&?hR|$xBSwN9dD@I2eLyGwcvpro@fjmvv=r!H;W@9*~vzH<0~ZVvw=dI{iH}9P%rNylnAU9P(9D z5salz=aAoVDFW>s@($dWb;!?UL*9!+zMbtZdtEu?R}T4=L;jIFIpmi(li6nfA-?!3^U8+1pSLf*CDX`%K0ixeyh_tA 
zMnOSt(9KIf;N8m@J>UcRDM9?eq4vm&Wb8h93$lnilCRZfF~0uFU>(94_aUM>`XjSv4=*cIr0}wt2BU1K-M7d0|oB3SsGq<+x;*)yYo4$?c@TzOX z-F|g3z2nH0IFG*SxqRM#^QPCgyb;jgO0W9NXJyI5MD6_edEDg-rqq{9S6Pb}`|hkQ zXTJT@2Xw)E24A`0KQ|YAQ_g+GJ%4xp_lBhTXFDtZ`(yXN+d_@+3;T(4akV(^*m>SWn$NTPbj&}#{%R1iYG8pfF#qr+GP?x=~9PcZ~ z`^xeD$Q|!(cJ#{eZhgmK04htZB#z}MUpd&xa%F-QnRSKW8D)WMM8?M3y|ljRDsJ>& zCG6kJgRW+%uC2@{_xou)$&VYjOcp`)0Iqo9f`XB!=N$e|s6MlZ4!vD`kF(V3TAQPK% z#N5{faM599Kmejo-6}1_7gp~DZBz8mJ0Ag0qy^6_sLmS1c@vtu&=!OA>@Q-PuW(uaXx6)$7VvR_UphLMZT*H7S|VD~42{DMs6 zC!jDM^<)hVQNn4WiF+niWea{QcHldQcTmJ2vMOtu$=-VU<=(=WurXdJ_`l7N{GTzv;-anq@;*L(WPDn80 zR);~UU7J#pMgXqvgS4d5Bz6)>4cdeEkAXh*+d+csW)bg>8B*UByEA4K(|KIXSg+)U z5*Z`n?h0;Z0XIu(SH90=+*+!9tI7N-ll|4D+Lx6aA8o2$u4-CeRL%JNBDkXD>6U-7 z-_j6&#Sfk+JyB{;Y_hg1j;d|-=!d>=dOiK}aV)i8_*eFq9gZna6EljkUoXR_NVo3` z_LJ9e2%l1#^2Qd%d>fmrV`LPZmoa-I`o8b1fG6VTCVP51-Kfmcp52BqP>Ht9ah2FS zXE`sMRg*%P&QDl^(Mnxkv)X$^ptwz_3Rxk4mtiB+VU-zr97*YK7cV!N>nLEOK^Ei@ zM^Dvi825}q?ow9FF@W#Szz97wi zOiz{W;>z!F(l8#c?JReXY`u!Ntl}-Jc*~=Tw>0nEzi(Vc1p<}|tK8l99;>roIuPTF zSa_Cs2ER6l-u4_e|A!DQ-k*vRBKeWsOnY=g~QSwbdMmfFQFO@*! z`$*@V7cDUTW;1v}6b*^wHc=-f3?{*UAWqQTU1ZYv>UYlS3~)W@$+6EjOQsC{>j-_A zMHCj2sSihjwfhQr1-XQ*9Ui_~$FlD+D{&N297Y22_T}jrA7;WoYDV-f-M}1jp819! z_a$5x-wu`2gOKZu~crSX@3YM9T6CKJNswjc$5mYj^UG)CNit@Qe9 zc)uaT0?yhuVyrm5#;=VJd76AJXzEABO&2tF()K-6g3#TU7tO07V+?0(xw~}XS1x}@I0d=Xh5@!zXR@#;t zeU_5esGPM|%05~`81n;Y8rIFDPG)4pAN+V!2`7V;z@XdgxUOOn-#2kphl_pT*Zgv$ zJIp)(N1f&}zuTq6-CKFuyQon4!1JB2g4`Wk0Dj>4&UZ`i4)U%Rny=SVtFW}|Vjk0G zUOQ2l6&0~GLmX?!_vX1OJarDi7-g8yQ%`B>D5HY($WNdJ=GNEzta}Vd10Lkyy%>|R z&8#nEvraZGCeuPB*nIKv{{c`-0|b+SCK|Kh9A^m)lwpHhF#ce;m>d8A7?V{dPy)vs SliwT}lfWhr20$hN0000M>H1Ru diff --git a/Solutions/Vaikora-Sentinel/Package/mainTemplate.json b/Solutions/Vaikora-Sentinel/Package/mainTemplate.json index f2c70dd180c..88c51701dab 100644 --- a/Solutions/Vaikora-Sentinel/Package/mainTemplate.json +++ b/Solutions/Vaikora-Sentinel/Package/mainTemplate.json 
@@ -88,7 +88,7 @@
 "_email": "[variables('email')]",
 "_solutionName": "VaikoraSentinel",
 "_solutionVersion": "3.0.0",
- "solutionId": "data443riskmitigationinc1761580347231.azure-sentinel-solution-vaikora-sentinel",
+ "solutionId": "data443riskmitigationinc1761580347231.vaikora-sentinel-connector",
 "_solutionId": "[variables('solutionId')]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "dataConnectorCCPVersion": "3.0.0",
From d8cd1933880101f351baf5ad5d050d998a4e8feb Mon Sep 17 00:00:00 2001
From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com>
Date: Mon, 6 Apr 2026 06:46:08 -0400
Subject: [PATCH 08/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?=
 =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../Vaikora - Anomaly Detection.yaml | 68 -------------------
 1 file changed, 68 deletions(-)
 delete mode 100644 Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Anomaly Detection.yaml
diff --git a/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Anomaly Detection.yaml b/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Anomaly Detection.yaml
deleted file mode 100644
index 2d83789158b..00000000000
--- a/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Anomaly Detection.yaml
+++ /dev/null
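Review bot: The new `solutionId` `data443riskmitigationinc1761580347231.vaikora-sentinel-connector` is changed only in mainTemplate.json and the repacked zip; the same publisher.offer pair is normally also recorded in the solution's `SolutionMetadata.json` (`offerId`) and is baked into every `_solutionId`-derived id in the template, none of which this patch touches. Confirm those locations agree, otherwise the package validator and the Partner Center offer will disagree on the offer id; the Data/Solution_*.json for this solution, if it exists, should likewise point at the new id so the next regeneration does not revert it. The `variables` object this hunk edits starts and ends outside the hunk.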
@@ -1,68 +0,0 @@ -id: b2c3d4e5-f6a7-8901-bcde-f12345678901 -name: Vaikora - Anomaly Detection -description: | - Detects actions flagged as anomalies or confirmed threats by the Vaikora AI signal - exchange platform. This rule catches behavioral anomalies that may not trigger a - high/critical severity classification but still represent statistically unusual activity - worthy of investigation. -severity: Medium -requiredDataConnectors: - - connectorId: VaikoraSecurityCenter - dataTypes: - - Vaikora_SecurityAlerts_CL -queryFrequency: 6h -queryPeriod: 6h -triggerOperator: gt -triggerThreshold: 0 -status: Available -tactics: - - Discovery - - LateralMovement - - Collection - - Exfiltration -relevantTechniques: [] -query: | - Vaikora_SecurityAlerts_CL - | where TimeGenerated >= ago(6h) - | where IsAnomaly_b == true or ThreatDetected_b == true - | where Severity_s !in ("high", "critical") - | extend - AlertId = AlertId_s, - AgentId = AgentId_s, - ActionType = ActionType_s, - Severity = Severity_s, - Title = Title_s, - Description = Description_s, - SourceIP = SourceIP_s, - DestinationIP = DestinationIP_s, - SourceHost = SourceHost_s, - DestHost = DestinationHost_s, - ProcessName = ProcessName_s, - UserName = UserName_s, - FilePath = FilePath_s, - Confidence = ConfidenceScore_d, - ThreatFlag = ThreatDetected_b, - AnomalyFlag = IsAnomaly_b - | project - TimeGenerated, AlertId, AgentId, ActionType, Severity, Title, Description, - SourceIP, DestinationIP, SourceHost, DestHost, ProcessName, UserName, FilePath, - Confidence, ThreatFlag, AnomalyFlag - | order by Confidence desc, TimeGenerated desc -entityMappings: - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SourceIP - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SourceHost - - entityType: Account - fieldMappings: - - identifier: Name - columnName: UserName -alertDetailsOverride: - alertDisplayNameFormat: "Vaikora Anomaly: {{Title_s}} (confidence: 
{{ConfidenceScore_d}})" - alertDescriptionFormat: "Vaikora AI detected an anomaly or threat on agent {{AgentId_s}}. IsAnomaly={{IsAnomaly_b}}, ThreatDetected={{ThreatDetected_b}}. {{Description_s}}" -version: 1.0.0 -kind: Scheduled From 18b6f1ceeee3bb6bf942c9dc426b7c33f671b6a8 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:08 -0400 Subject: [PATCH 09/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Vaikora - Feed Outage Detection.yaml | 33 ------------------- 1 file changed, 33 deletions(-) delete mode 100644 Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Feed Outage Detection.yaml diff --git a/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Feed Outage Detection.yaml b/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Feed Outage Detection.yaml deleted file mode 100644 index 7d462250850..00000000000 --- a/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Feed Outage Detection.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -id: c3d4e5f6-a7b8-9012-cdef-012345678902 -name: Vaikora - Feed Outage Detection -description: | - Fires when no Vaikora security alert data has arrived in the Vaikora_SecurityAlerts_CL - table for 12 or more hours. This typically means the Logic App playbook has failed, - the Vaikora API key has expired, or there is a connectivity issue between Azure and - the Vaikora API endpoint. -severity: Low -requiredDataConnectors: - - connectorId: VaikoraSecurityCenter - dataTypes: - - Vaikora_SecurityAlerts_CL -queryFrequency: 12h -queryPeriod: 12h -triggerOperator: lt -triggerThreshold: 1 -status: Available -tactics: [] -relevantTechniques: [] -query: | - Vaikora_SecurityAlerts_CL - | where TimeGenerated >= ago(12h) - | summarize Count = count() - | where Count == 0 - | extend - Alert = "No Vaikora data ingested in the last 12 hours", - Suggestion = "Check the VaikoraToAzureSecurityCenter Logic App run history and verify the Vaikora API key is valid." - | project Alert, Suggestion -alertDetailsOverride: - alertDisplayNameFormat: "Vaikora Feed Outage - No data ingested in 12 hours" - alertDescriptionFormat: "The Vaikora_SecurityAlerts_CL table has received no records in the last 12 hours. Check the Logic App playbook and API connectivity." -version: 1.0.0 -kind: Scheduled From 13f8f42ae4c635e9c2c0dbdafbb145707111ec3d Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:09 -0400 Subject: [PATCH 10/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...ikora - High Severity Security Alerts.yaml | 82 ------------------- 1 file changed, 82 deletions(-) delete mode 100644 Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - High Severity Security Alerts.yaml 
diff --git a/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - High Severity Security Alerts.yaml b/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - High Severity Security Alerts.yaml deleted file mode 100644 index fae40fd60e1..00000000000 --- a/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - High Severity Security Alerts.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -id: a1b2c3d4-e5f6-7890-abcd-ef1234567890 -name: Vaikora - High Severity Security Alerts -description: | - Detects high or critical severity security alerts ingested from the Vaikora AI signal - exchange platform in the last 6 hours. These alerts indicate active threats detected - by Vaikora agents including malware activity, intrusion attempts, and policy violations. -severity: High -requiredDataConnectors: - - connectorId: VaikoraSecurityCenter - dataTypes: - - Vaikora_SecurityAlerts_CL -queryFrequency: 6h -queryPeriod: 6h -triggerOperator: gt -triggerThreshold: 0 -status: Available -tactics: - - InitialAccess - - Execution - - Persistence - - DefenseEvasion - - CredentialAccess - - Discovery - - LateralMovement - - Collection - - CommandAndControl - - Exfiltration - - Impact -relevantTechniques: [] -query: | - Vaikora_SecurityAlerts_CL - | where TimeGenerated >= ago(6h) - | where Severity_s in ("high", "critical") - | extend - AlertId = AlertId_s, - AgentId = AgentId_s, - ActionType = ActionType_s, - Severity = Severity_s, - Title = Title_s, - Description = Description_s, - SourceIP = SourceIP_s, - DestinationIP = DestinationIP_s, - SourceHost = SourceHost_s, - DestHost = DestinationHost_s, - ProcessName = ProcessName_s, - UserName = UserName_s, - FilePath = FilePath_s, - Confidence = ConfidenceScore_d, - ThreatFlag = ThreatDetected_b, - AnomalyFlag = IsAnomaly_b - | project - TimeGenerated, AlertId, AgentId, ActionType, Severity, Title, Description, - SourceIP, DestinationIP, SourceHost, DestHost, ProcessName, UserName, FilePath, - Confidence, ThreatFlag, AnomalyFlag - | order by TimeGenerated desc -entityMappings: - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SourceIP - - entityType: IP - fieldMappings: - - identifier: Address - columnName: DestinationIP - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SourceHost - - entityType: Account - fieldMappings: - - identifier: Name - columnName: 
UserName - - entityType: Process - fieldMappings: - - identifier: ProcessId - columnName: ProcessName -alertDetailsOverride: - alertDisplayNameFormat: "Vaikora {{Severity_s}} Alert: {{Title_s}}" - alertDescriptionFormat: "Vaikora detected a {{Severity_s}} severity event on agent {{AgentId_s}}. {{Description_s}}" - alertSeverityColumnName: Severity_s -version: 1.0.0 -kind: Scheduled From 02402f76057eef9b2e70b68c6884db01388ab1b4 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:10 -0400 Subject: [PATCH 11/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Data/Solution_VaikoraSecurityCenter.json | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 Solutions/Vaikora-AzureSecurityCenter/Data/Solution_VaikoraSecurityCenter.json diff --git a/Solutions/Vaikora-AzureSecurityCenter/Data/Solution_VaikoraSecurityCenter.json b/Solutions/Vaikora-AzureSecurityCenter/Data/Solution_VaikoraSecurityCenter.json deleted file mode 100644 index 1c31883a25e..00000000000 --- a/Solutions/Vaikora-AzureSecurityCenter/Data/Solution_VaikoraSecurityCenter.json +++ /dev/null 
@@ -1,19 +0,0 @@ -{ - "Name": "VaikoraSecurityCenter", - "Author": "Data443 Risk Mitigation, Inc. - support@data443.com", - "Logo": "", - "Description": "The Vaikora Security Center solution integrates [Vaikora](https://vaikora.com) AI-driven security signal detection with Microsoft Sentinel and Azure Defender for Cloud. A Logic App playbook polls the Vaikora API every 6 hours, filters high-severity actions, anomalies, and threat detections, and writes them to a custom Log Analytics table (Vaikora_SecurityAlerts_CL). Analytic rules then surface these signals in Sentinel for investigation.", - "Playbooks": [ - "Playbooks/VaikoraToAzureSecurityCenter/azuredeploy.json" - ], - "Analytic Rules": [ - "Analytic Rules/Vaikora - High Severity Security Alerts.yaml", - "Analytic Rules/Vaikora - Anomaly Detection.yaml", - "Analytic Rules/Vaikora - Feed Outage Detection.yaml" - ], - "Metadata": "SolutionMetadata.json", - "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\VaikoraSecurityCenter", - "Version": "1.0.0", - "TemplateSpec": true, - "Is1Pconnector": false -} From 02f5e431673acf03b28ccaac1567a0a168690d39 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:11 -0400 Subject: [PATCH 12/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Package/3.0.0.zip | Bin 8244 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 Solutions/Vaikora-AzureSecurityCenter/Package/3.0.0.zip 
diff --git a/Solutions/Vaikora-AzureSecurityCenter/Package/3.0.0.zip b/Solutions/Vaikora-AzureSecurityCenter/Package/3.0.0.zip deleted file mode 100644 index f60dde2c2dba13a852a3c45c728d5814aa34bd1e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8244 zcmZ{JWl$UdlO+-$xLa^{hoA!lhath;8C-+AySoN=cN=tY_uvk}Ex5zw+pD^|s@?7W z(NgdIfBjk!2>S^K3JU5o6hI?Lmts(VVB_D&oD2np`EP4$WND{rYWvg1$k~+D%E{jD zT<^nattIgT;0G7`U}iEM-aos7OKu*%!y-2Tp+pftmrJO}CsO|lFU-^7!z@aNrb-)0Wi9rEvlS(*zYn3s~teB8<6Re0GCE9J{7MQ-Cy)Bp%MHITmz zB66yqa`sY>Vc~zoOK5dAcTr`wsne^`3@~8wUV)}!?^Kctq7CiC?HX`G2)vfXErX52 zF#b>j1;5+pe^5*IWM9*s-AE?G<)Esae+=9U(p{~8u6Sz+@*NyOmyINe!;(CPDcrg! z{F6Em8)e(OXMg0o(}Da4`_IlmPY|BDY?H~L0(wG~p+gPX%9gaSn2V?0fHtn70*7AU zS22)IP@MY|H>DW(o{}pb#`|Rw7Y^`eI_I7UY)_vhM4q?x^gKvVN69VjdtD|hs{aS4Ns6ue9JQz zI~j-Pr)Sd5Pk11bi({5+WBc_Jqg0I;5~InJClc zy~rAHvxBK(CaTkah6c@d>VG%Q2g({*Ls-#TYE2o8iXYb-Z=*Dun;Pyf##8W-!e4A4 zEK_PQQRm7v&Avym`ef1iK8>v(*LUuI$zCvDcS`#3sLwjGuz&qjx6zmeZl(TKc8u{ZftfUBt!;2SbTgql;9OrAU9x5Zp7O+oD zc3?E>e$~9puc8`L&IgN$oXG(zivPsyS0f@1BA5+yQT9f+`6PGzpxZ1f1T>dCS5&l} z(%{rb{VK>|v;!-iv8!|d_xX?uycoCep6}p;OWjF9X_4kdkt^)l{k?X*K}S8rm%Vk> zEhGr+Vp>NZRC_JPz#Sbb0YhCQJ-ltwb1f{73?|759ffQiUCPRehrbJ?`ylpD45-Wa z$&F4qjs2Dcm5mi*m5wmBfDxV9=(ricitL4t)8uM6kZvRh*a7+OjUGs;YNxPFWv5OE-;m9~CXVVgHQ@jOemK z(t32!)_Bp7$RG8X0ucPEzXq8dfhVo6{>#UCeBti1aX#m5zCj|AaN&9?;r6fTx^O*F zw%^#WpWS$yY9E(7VD4LY)Zg+3!AgUO+_P4^;F3T|7Z3ly|~ZP>JQPMW;7n6txOXxSaUVksS+u&C4%#K)2jNLp>BOZ^ptmz zXG5~ihh8&NtoSKe)R70n-B|T84?{2fGgiZh-8WZ0N}M=X5kozdPmIMY#fEl^#ja?} zaGAxwZ+=FL$9aD)W?tS0z6v^rHs}sm>v($2GUtVAqTPjKjJU1 zH=p65AlIcl%PmiJRKlt@Q4nDH^0zUUyIKR~Eu7*D@M3l2D(}cTcM%Fxw)GsTp zD<$+`ZAWzs;DtFH)mvwFK{%pDa=wGSzde8E$m%Us+`Bs)UiN+zddgbHEohmfes>Xe zP-094i~Gu`b1$=dY~3Jc&)^=_C1TUV<}^!{jgH8CVVNG_tA85T_Wq3nKWmv0pyPW% zEVHppvl7GI^81_k3EWZp^UXlef~c1Kcp*dZKv_Dq4C0@m->~DNuD@KI6xDlP3r`(% z@uO=V2zzDoSt=HphD1xrIx)ozEpNYA^}jCNycQh06-$$tDZnA0v3nVYcrI{yO{g0t zVbi)CgqAn_1)ztu$b?7WHgUSNv#6Ol?kBsulv$0zafM>ZxVY*OX5JvcbPrSHdmx=P 
zt1NgqU*8u~oKJ@lx2%&Lfh%B8%KIdF(4k*JiEu!!3Q+`vOA%B%E4MaYu$yg+t| z)qLRHfG0xIhD@S1h1LEAab~5E1%2u>@U=&2#Qp7QSB6cv3+g3&!IDt=6h-|n!&3UO z(Swp70$wk(mPmACQ^b!PUwsLii1(dI$s`G*J4IUz=5#@!Ut?!zubW*&=K}B#suZ7s z($j59lqd4B%`;yN{H!xIQEio&f|D#!n$p3mmDL7=!|a%Z3EnyqOyiDZAqnPYhpU>x z&U(b9%*eRI0l8lA9lzOmf7;LK-ZYK(^%J_lm8qsh(a-fFWQ?gV0#Z$F{N}p0~duw62C5v^KU+qmpJ14m> znbPjh8Pw-WQKz(}$-Ly<;Mvl#@8zwHgIBnn6PSju5#62uY4#A5*Kpkuo{QirZ&O&Cgp1r);Ze z*yHqt!IWCL$_dIttN*CVuq8DMkaBk7f|JvZ3{;f|)%mO>S`g|QphY5K91~(B@6H>W z|I&b^!HO+c)Rwy`UNH_}yUl0#V~Sg5%n{*TkdU>^$o}YTs`m(dg+;UMBlOZ(Y}Hsa z3{MB5N0w=LndL?9$F0ONS-YFochLEiJ?1D2#+7^h#+zyv3qoCjE3+Zv4C&EV6gW(+ zN61d(FqL2}dtsrc=0hXKw|B`KSa85A0bBJaO1bsuk6_I*MV*I<&ag%AG<+ z?>TyN*dcwORJ*@Pp)mU18T2%p%VuTOlyyg~;qru>X%2=}zx{$l2DHEW`T1>b- znJ!n^N;Br6k9YQ)^1103epY(C(G85-{tjr#IJCncV?wfS_32GB*wW#N$9ZFTNohydE>n2a$%(I@3KG(X=fKR=~^V~mq zq0V&6NK)^J*0zG&@hOh0AXC3hhTsJ|pn=_bE?4TnZ3#@3M|Q(ylxQ~88?W({@H z_sK4jZUc?gffZ75_VAmOd_J-5PF!7wyOhbPb+trUU+}WsvKZ?;ie&5A2P=QxS5AGc zN{V}5r6LF05A+d<`hAg|QMg!&zX{kT(| zN#E1cv!xWL{J_&QR@;Z5VgfgxU`zWkTV+!aZUpP{X42bS(xB_^!gC6&E?cZ9lEW3= zpVo?8{7J0K(iUioq2|Z^3%(!kcZ-j6pyQKjL~QFScnB%#{Y1@6vk||-*TLtRDwklE z_=&{kk~_!CM_9HYBZ+!Mid#qmCSE*{C^@V{CK^W0kf1v!iRPSR*CfL)o{(7RwGu)h=_VqFu1#?)Q_LZ%Jx)CL5m#K?l^%o8*IwlZC ze!1tiG;mWP`LaqNY=dqWnav>YC~2;?08O%XTUjc;l$RVr+-vGagC*3J4-4%SGWC4DjW!4w*-=Eu zj~B#ul^qGuWNJ_~)d;Vo&JrUILHQk9xxsuFc~30|q4~y(jteMG(&Ob#Kj=|wCCt?$ z?&L}p3PL+X6j$Le{YaNIuV_ID<}-XO?-H8Avivi}D&?6ddBt0;l3{;1r5FEd86r|w zWaJ1PDkGhD(1u0FTcL$ByH1WjORW6n`z2Q+S8N?L)N!|7mRxP?))e!6%k}io{ik8h+w6pZt z0Iv4rzCPnsF?8SpijdOl!4!oQr8GPIt?Cahx>8k+tZg6X;a4W?4lWTHaE=u)i`j^O zF-u}5f=z_+b~6H`DdNQ_rLRG4{9{U9j{U}AyZpO1R#>u`P>#rLXRvIDl}Fw**0l>O)Ot8CqXKOJOG> zqi^u1vceF?1krKYbS5^PHh=qG7n2U$Vyeeum7NPA;R7HK#>;?SjyS$p$OeGPZ6u!v_knGHcz-# zj7=VDCQm6izvP+hArGE08aGEK(wqAC#hY2 zDkX;7tORLdM%0B5Jr*_#VNA2E9mMnf)Le9kg)sig3El)m zh=InEPb^VL7$fq1v9Q8yx4y{0Z4qSCG{09XblR)Xkf*ghamamNNGM$KCK_%kPXCOa4$zcpe^gM{qrKseWXA<6X|o5|7_SbU-*TVtEq+w^z%Nzs_`l={#5a&Gj~Rv 
zxQ42(+F!l(d0N@`bA>dT*%HC-nhB|dzN24l^ka=xgMZ`VN8RH9B05$;z#-@L^iujb z-+ctpMh4oZ>p1CO^LxUCFlE;r{-7DiITvw{0PzRP7kf1Bnj!dY5X;IJoGfSG{rXFt2wZ-(+Rz2DjAMA)GIIQixNnUFi8m!#OTrrV@g7!!dGG zS@hEdVRPY|2(Ngvl*8iS!(L5?g((Ox!YHiiPOx`I3LVg>lWf4B055b>(%kA&*aOA~ zEO4d=ytEdzkq8PkRk@7f6mc|Vbf}{D@&`DE!qW#$pWr-ds|w*Hu`Nop%w?EP77*u6!29qa16_0hZQ4bC_m= z1FBHrGT5>EN17(~LvhPr&bZ_QB5Rcz;8wnGV}Az6j;nR7+Aef?q_JjfytBT)i$%m# zlj$6b3Nd4j7e8wv-_Q{Q{VgOP zBR9Jt`9sf?IRd2w(6yp<6Y-$?Xar|=_e$6CJgsplHksss45 z(xCylA!dZtK%o@+b(O;Hh6#CS9EdOaepmVE_6UYJyN+!M)Zc1l$P3qlLl?Ph?mv6E z2X+BO7mQ{+y_p`BvjIZQ4qeg@gxYK=w%6!U88=a#mj_8K=rQ=!~=Ep_pvXcE!qI8iBo!fV= z$&Ipmz1?!3tAXw!jkP;bYU+Gi#8fC6rgHOVW}hZuS+{S2Fbs?>*!!I4X#>>wQ5%Ey zABGxaEl>hmWrky*MGv&>^2KsbVFDcc*K``2K2VNDZr3!|1p+5)PkC=m&*7z)<&b&c zGy(#ldFF?s^T;qIruN8y$S4)d=Ft0AioEaA@w~c9YB1)sMI|<-iSlUueOPF7e_mep zl{^JeLA9-#_jj!!c`1sJ-uf&V zp3fO(3c14I*uSG1jiaXKtYQGki=L0KU4wwOba|J%$2U{QjI*;>W*)!pM%YqJ^GNZb zVIf$SZwma;rZ}Tu8Cv#TP=*6W#2j{=a_89p=js(O|4%)5eTv>-R9npyxEk} zexj|13|L|+<(jGvHK*a?aUUOunOG)7zm`85gjU{ra71nlA`1f~BFN<3Fi3+zEuy&F zyR->6pMsUaOrJZxkyivT^0ovriR)oJknd-heHK#AuA;)x%zuur`NF2(oS~qcFRFL~ zrH)A7q?swdy+Crz)+|3H_9yVwc$v-hF6vd<{Y+mA;=+xmR8V)xUr{r zlsvQJVS-WRG3|2-;;8Ys`nJteN75w&e~E~*3#SYUNwoaQ-#_JN-L0sj)=vHw&%^@4 zLJBS05-aoyFe?lfZ^b!S{o))>AzFDFw3lOmDV{1lqPV}34wpr+7lGTNEM=cC(Kct? 
zCvU^hx!0tsn-Fz&XJlS#{1Cc4drBwa=`f*{Dk@JmCB?bK0&nmw3(*7574S$`1e6QaPyk8Ol`#7YeF6Le(l3Kg%CY8LEr-53X*B`jt)4c3ch@_@Q27Dp(~PvT~s{3 zOx3GU!!DXpO+ZD%SnmN$zhH*04_s+b7S$PQ-5O09_3?a0-9w=OUIcz4G_p0)A%x(b zO)ZpgVat)X*y>y2u99w#%O6;(I7-#O4C@5M|DZQLW_D|{0e_?krSXp!Kt}ZtX~mWC za0N-bEC09^%|<0J-PpnD`=t-|s}dUukDI9KP@6il$~;c-52_LgN<|eX&?B*9lE5YS;vmBd~4tQlv4FpTILxr>;8~ z>dBXxhz$vt>P-*aJqwf6&5K)836Bct5_XwPCfd~XW=ND~O#yf0rQX~$rD99g% z&G?Q#cGOamXxW%5dhtGQNxiA@m!kKK5gS*{*7eD$-0Fy*bE0E-s@5oWnSO1sE>|^$ z+1kAt2XB=#cpM5XaQ^8U8cy^YOeW&#UNOAuLcTKvENxql%s?)(`6!J=Y9tDOC6r%R zRE~-sYMWVnLl2UTe41pkHk+>4usm~Y#ROddmSfE&2N#NJQIuhJbu*)+-|&`nn}$x+ z_ifX_lP|)ouL2n9YNr8;>@0vQ=fQgT^e%+Pu5TXDFrEL-;d!OERTEv9S_-GskeJG( zE>4!nUrG*t^c{Not&{e3^jDWQLn6l$w_}JTyrNzwJe-6MMV}RIBH}NWFq#^V7|L@+`f-> zK6Gr7bylK#y_t8oZ8e<%wc6!u>2w)7V`i_HR9Wijvm2=6F!`WAsiaZ}xJT3+Q)WAU zLMmJ{ReHXq;FS|za|!1~Nw`+5d;j3FZ{E|6&f+X)2L?ZE7cE>{f)^7YCi$*}Huh{$ z3fV3QgG?4R20YWl^>@}>xSKz3O_5F@k(yWd=muURL?u}v=Y~E)>!j3&00-1saA#9c zb@8f}Jro6Y(}+^r6}z%l&SU@V4j=(?KC?pehf0+*Lu$5x8)-F@EOcuK6ch(-^s#nH zii^p3T+i3kVY>{jjGD#gYxOMGI=`*Mb{?hB_^qD|adiI5T>RH_(6-2}h0i3j7n+od zR$a*4d31~R3n!d&6v^c$(t{XWpbel#~pXID>=_g5Nny*Y^J(g z`V~sjfKkT7c!;-3I3E)chbpxAGq>vNL^otE`eVr_U{_tU87?w^1^sgBjjs)FCrTw_ zr`$aybLpVK`8;-rcU81beajsdTF5=b&4jOUZ_p}Ld);CG{j_{Au&~*fFV;Bu9}94gPM8AhnlH7s(|EYC)?w3zZl?ix3F->E}Mwi zQZ{FG60!3fUT`~A@&w1Riz={p-j=JRK)kJdO%*8>lFzjpgP{b~pt4 zzJ-b*iSae6C5#Y){E5$qXRp~}NYy`C4RExEW}A6lp;lppM{%v|P?$ zM%K0YTjf^_%&+i*72n`?|X$^=cTfs{K-bI7x?#xkJpX$j>df==|o+g z8v!^w#tY0hV9QKelnFeyXff^eYISM7Gf)IV!{EUF@4xwflJvjAKj1&*zkTZefBOF< iXa6r53d%nK1^0gyw~9bG`2PT5{$=pLno0Jb>Hh$5uF?ho From cc0ccc6976fcd65b8b6237aa0bcde0520cc98829 Mon Sep 17 00:00:00 2001 
From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:11 -0400 Subject: [PATCH 13/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Package/createUiDefinition.json | 242 ------------------ 1 file changed, 242 deletions(-) delete mode 100644 Solutions/Vaikora-AzureSecurityCenter/Package/createUiDefinition.json diff --git a/Solutions/Vaikora-AzureSecurityCenter/Package/createUiDefinition.json b/Solutions/Vaikora-AzureSecurityCenter/Package/createUiDefinition.json deleted file mode 100644 index 42c3f6a3da8..00000000000 --- a/Solutions/Vaikora-AzureSecurityCenter/Package/createUiDefinition.json +++ /dev/null 
@@ -1,242 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", - "handler": "Microsoft.Azure.CreateUIDef", - "version": "0.1.2-preview", - "parameters": { - "config": { - "isWizard": false, - "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VaikoraSecurityCenter/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Vaikora Security Center solution integrates [Vaikora](https://vaikora.com) AI-driven security signal detection with Microsoft Sentinel and Azure Defender for Cloud. A Logic App playbook polls the Vaikora API every 6 hours, filters high-severity actions, anomalies, and confirmed threats, and writes them to a custom Log Analytics table (Vaikora_SecurityAlerts_CL). 
Analytic rules surface these signals for investigation.\n\n**Playbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", - "subscription": { - "resourceProviders": [ - "Microsoft.OperationsManagement/solutions", - "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "Microsoft.Logic/workflows", - "Microsoft.Web/connections" - ] - }, - "location": { - "metadata": { - "hidden": "Hiding location, we get it from the log analytics workspace" - }, - "visible": false - }, - "resourceGroup": { - "allowExisting": true - } - } - }, - "basics": [ - { - "name": "getLAWorkspace", - "type": "Microsoft.Solutions.ArmApiControl", - "toolTip": "This filters by workspaces that exist in the Resource Group selected", - "condition": "[greater(length(resourceGroup().name),0)]", - "request": { - "method": "GET", - "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" - } - }, - { - "name": "workspace", - "type": "Microsoft.Common.DropDown", - "label": "Workspace", - "placeholder": "Select a workspace", - "toolTip": "This dropdown will list only workspaces that exist in the Resource Group selected", - "constraints": { - "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", - "required": true - }, - "visible": true - } - ], - "steps": [ - { - "name": "playbooks", - "label": "Playbooks", - "subLabel": { - "preValidation": "Configure the playbooks", - "postValidation": "Done" - }, - "bladeTitle": "Playbooks", - "elements": [ - { - "name": "playbooks-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs a Logic App playbook that polls the Vaikora API and writes security alerts to your 
Log Analytics workspace. You must supply your Vaikora API credentials and workspace details below." - } - }, - { - "name": "playbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://learn.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook" - } - } - }, - { - "name": "playbook1", - "type": "Microsoft.Common.Section", - "label": "VaikoraToAzureSecurityCenter", - "elements": [ - { - "name": "playbook1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Polls the Vaikora /api/v1/actions endpoint every 6 hours and forwards high-severity, anomaly, and threat-detected actions to the Vaikora_SecurityAlerts_CL table." - } - }, - { - "name": "PlaybookName", - "type": "Microsoft.Common.TextBox", - "label": "Playbook Name", - "defaultValue": "VaikoraToAzureSecurityCenter", - "toolTip": "Name of the Logic App to deploy", - "constraints": { - "required": true, - "regex": "^[A-Za-z0-9-]{1,80}$", - "validationMessage": "Only alphanumeric characters and hyphens are allowed, up to 80 characters." - } - }, - { - "name": "VaikoraApiKey", - "type": "Microsoft.Common.PasswordBox", - "label": { - "password": "Vaikora API Key", - "confirmPassword": "Confirm Vaikora API Key" - }, - "toolTip": "Your Vaikora API key, sent as the X-API-Key header", - "constraints": { - "required": true - }, - "options": { - "hideConfirmation": true - } - }, - { - "name": "VaikoraAgentId", - "type": "Microsoft.Common.TextBox", - "label": "Vaikora Agent ID", - "toolTip": "The Vaikora Agent ID to poll for security actions", - "constraints": { - "required": true, - "regex": "^.{1,256}$", - "validationMessage": "Agent ID is required." 
- } - }, - { - "name": "WorkspaceId", - "type": "Microsoft.Common.TextBox", - "label": "Log Analytics Workspace ID", - "toolTip": "The Workspace ID used to authenticate the Log Analytics Data Collector API", - "constraints": { - "required": true, - "regex": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", - "validationMessage": "Must be a valid GUID." - } - }, - { - "name": "WorkspaceKey", - "type": "Microsoft.Common.PasswordBox", - "label": { - "password": "Log Analytics Primary Key", - "confirmPassword": "Confirm Primary Key" - }, - "toolTip": "The Log Analytics Workspace Primary Key used for HMAC-SHA256 signing", - "constraints": { - "required": true - }, - "options": { - "hideConfirmation": true - } - } - ] - } - ] - }, - { - "name": "analytics", - "label": "Analytics", - "subLabel": { - "preValidation": "Configure the analytics", - "postValidation": "Done" - }, - "bladeTitle": "Analytics", - "elements": [ - { - "name": "analytics-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." - } - }, - { - "name": "analytics-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://learn.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - }, - { - "name": "analytic1", - "type": "Microsoft.Common.Section", - "label": "Vaikora - High Severity Security Alerts", - "elements": [ - { - "name": "analytic1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Detects high or critical severity security alerts ingested from Vaikora in the last 6 hours, including malware activity, intrusion attempts, and policy violations." 
- } - } - ] - }, - { - "name": "analytic2", - "type": "Microsoft.Common.Section", - "label": "Vaikora - Anomaly Detection", - "elements": [ - { - "name": "analytic2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Detects actions flagged as anomalies or confirmed threats by the Vaikora AI engine, even when severity is below the high/critical threshold." - } - } - ] - }, - { - "name": "analytic3", - "type": "Microsoft.Common.Section", - "label": "Vaikora - Feed Outage Detection", - "elements": [ - { - "name": "analytic3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Fires when no Vaikora data has arrived in the custom table for 12 or more hours, indicating a possible connectivity or authentication failure in the Logic App playbook." - } - } - ] - } - ] - } - ], - "outputs": { - "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", - "location": "[location()]", - "workspace": "[basics('workspace')]", - "PlaybookName": "[steps('playbooks').playbook1.PlaybookName]", - "VaikoraApiKey": "[steps('playbooks').playbook1.VaikoraApiKey.password]", - "VaikoraAgentId": "[steps('playbooks').playbook1.VaikoraAgentId]", - "WorkspaceId": "[steps('playbooks').playbook1.WorkspaceId]", - "WorkspaceKey": "[steps('playbooks').playbook1.WorkspaceKey.password]" - } - } -} From f69375cdb0e6d422038f7e9a2797427d4f3ee231 Mon Sep 17 00:00:00 2001 
From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com>
Date: Mon, 6 Apr 2026 06:46:12 -0400
Subject: [PATCH 14/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
.../Package/mainTemplate.json | 732 ------------------
1 file changed, 732 deletions(-)
delete mode 100644 Solutions/Vaikora-AzureSecurityCenter/Package/mainTemplate.json

diff --git a/Solutions/Vaikora-AzureSecurityCenter/Package/mainTemplate.json b/Solutions/Vaikora-AzureSecurityCenter/Package/mainTemplate.json
deleted file mode 100644
index d501d025559..00000000000
--- a/Solutions/Vaikora-AzureSecurityCenter/Package/mainTemplate.json
+++ /dev/null
@@ -1,732 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Data443 Risk Mitigation, Inc. - support@data443.com", - "comments": "Solution template for VaikoraSecurityCenter" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - }, - "PlaybookName": { - "defaultValue": "VaikoraToAzureSecurityCenter", - "type": "string", - "metadata": { - "description": "Name of the Logic App playbook" - } - }, - "VaikoraApiKey": { - "type": "securestring", - "metadata": { - "description": "Vaikora API key (X-API-Key header)" - } - }, - "VaikoraAgentId": { - "type": "string", - "metadata": { - "description": "Vaikora Agent ID to poll" - } - }, - "WorkspaceId": { - "type": "string", - "metadata": { - "description": "Log Analytics Workspace ID for Data Collector API" - } - }, - "WorkspaceKey": { - "type": "securestring", - "metadata": { - "description": "Log Analytics Primary Key for Data Collector API signing" - } - } - }, - "variables": { - "email": "support@data443.com", - "_email": "[variables('email')]", - "_solutionName": "VaikoraSecurityCenter", - "_solutionVersion": "3.0.0", - "solutionId": "data443riskmitigationinc1761580347231.azure-sentinel-solution-vaikora-security-center", - "_solutionId": 
"[variables('solutionId')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "logAnalyticsConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]", - - "playbookVersion1": "1.0", - "playbookContentId1": "VaikoraToAzureSecurityCenter", - "_playbookContentId1": "[variables('playbookContentId1')]", - "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", - "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", - "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", - - "analyticRuleObject1": { - "analyticRuleVersion1": "3.0.0", - "_analyticRulecontentId1": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a1b2c3d4-e5f6-7890-abcd-ef1234567890')]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a1b2c3d4-e5f6-7890-abcd-ef1234567890')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a1b2c3d4-e5f6-7890-abcd-ef1234567890','-', '3.0.0')))]" - }, - "analyticRuleObject2": { - "analyticRuleVersion2": "3.0.0", - "_analyticRulecontentId2": "b2c3d4e5-f6a7-8901-bcde-f12345678901", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b2c3d4e5-f6a7-8901-bcde-f12345678901')]", - "analyticRuleTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b2c3d4e5-f6a7-8901-bcde-f12345678901')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2c3d4e5-f6a7-8901-bcde-f12345678901','-', '3.0.0')))]" - }, - "analyticRuleObject3": { - "analyticRuleVersion3": "3.0.0", - "_analyticRulecontentId3": "c3d4e5f6-a7b8-9012-cdef-012345678902", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c3d4e5f6-a7b8-9012-cdef-012345678902')]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c3d4e5f6-a7b8-9012-cdef-012345678902')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c3d4e5f6-a7b8-9012-cdef-012345678902','-', '3.0.0')))]" - }, - - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "VaikoraToAzureSecurityCenter Playbook with template version 1.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"[variables('playbookVersion1')]", - "parameters": { - "PlaybookName": { - "defaultValue": "VaikoraToAzureSecurityCenter", - "type": "string" - }, - "VaikoraApiKey": { - "type": "securestring" - }, - "VaikoraAgentId": { - "type": "string" - }, - "WorkspaceId": { - "type": "string" - }, - "WorkspaceKey": { - "type": "securestring" - } - }, - "variables": { - "logAnalyticsConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('logAnalyticsConnectionName')]", - "location": "[[resourceGroup().location]", - "properties": { - "displayName": "Vaikora Log Analytics Data Collector", - "customParameterValues": {}, - "api": { - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]" - }, - "parameterValues": { - "username": "[[parameters('WorkspaceId')]", - "password": "[[parameters('WorkspaceKey')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[resourceGroup().location]", - "tags": { - "hidden-SentinelTemplateName": "VaikoraToAzureSecurityCenter", - "hidden-SentinelTemplateVersion": "1.0" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('logAnalyticsConnectionName'))]" - ], - "properties": { - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "VaikoraApiKey": { - "type": "securestring" - }, - "VaikoraAgentId": { - "type": "string", - "defaultValue": "[[parameters('VaikoraAgentId')]" - }, - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - 
"type": "Recurrence", - "recurrence": { - "frequency": "Hour", - "interval": 6, - "timeZone": "UTC" - } - } - }, - "actions": { - "Poll_Vaikora_Actions": { - "type": "Http", - "inputs": { - "method": "GET", - "uri": "https://api.vaikora.com/api/v1/actions", - "queries": { - "agent_id": "@parameters('VaikoraAgentId')", - "per_page": "100" - }, - "headers": { - "X-API-Key": "@parameters('VaikoraApiKey')", - "Accept": "application/json" - } - }, - "runAfter": {} - }, - "Parse_Response": { - "type": "ParseJson", - "inputs": { - "content": "@body('Poll_Vaikora_Actions')", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { "type": "string" }, - "agent_id": { "type": "string" }, - "action_type": { "type": "string" }, - "severity": { "type": "string" }, - "title": { "type": "string" }, - "description": { "type": "string" }, - "source_ip": { "type": "string" }, - "destination_ip": { "type": "string" }, - "source_host": { "type": "string" }, - "destination_host": { "type": "string" }, - "process_name": { "type": "string" }, - "user_name": { "type": "string" }, - "file_path": { "type": "string" }, - "threat_detected": { "type": "boolean" }, - "is_anomaly": { "type": "boolean" }, - "confidence_score": { "type": "number" }, - "created_at": { "type": "string" }, - "updated_at": { "type": "string" } - } - } - } - } - } - }, - "runAfter": { - "Poll_Vaikora_Actions": ["Succeeded"] - } - }, - "Filter_High_Risk_Actions": { - "type": "Query", - "inputs": { - "from": "@body('Parse_Response')?['data']", - "where": "@or(or(equals(item()?['severity'], 'high'), equals(item()?['severity'], 'critical')), or(equals(item()?['is_anomaly'], true), equals(item()?['threat_detected'], true)))" - }, - "runAfter": { - "Parse_Response": ["Succeeded"] - } - }, - "For_Each_Security_Alert": { - "type": "Foreach", - "foreach": "@body('Filter_High_Risk_Actions')", - "actions": { - "Send_to_Log_Analytics": { - 
"type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" - } - }, - "method": "post", - "path": "/api/logs", - "body": "@{json(concat('{\"TimeGenerated\":\"', items('For_Each_Security_Alert')?['created_at'], '\",\"AlertId\":\"', items('For_Each_Security_Alert')?['id'], '\",\"AgentId\":\"', items('For_Each_Security_Alert')?['agent_id'], '\",\"ActionType\":\"', items('For_Each_Security_Alert')?['action_type'], '\",\"Severity\":\"', items('For_Each_Security_Alert')?['severity'], '\",\"Title\":\"', replace(items('For_Each_Security_Alert')?['title'], '\"', '\\\"'), '\",\"Description\":\"', replace(items('For_Each_Security_Alert')?['description'], '\"', '\\\"'), '\",\"SourceIP\":\"', items('For_Each_Security_Alert')?['source_ip'], '\",\"DestinationIP\":\"', items('For_Each_Security_Alert')?['destination_ip'], '\",\"SourceHost\":\"', items('For_Each_Security_Alert')?['source_host'], '\",\"DestinationHost\":\"', items('For_Each_Security_Alert')?['destination_host'], '\",\"ProcessName\":\"', items('For_Each_Security_Alert')?['process_name'], '\",\"UserName\":\"', items('For_Each_Security_Alert')?['user_name'], '\",\"FilePath\":\"', items('For_Each_Security_Alert')?['file_path'], '\",\"ThreatDetected\":', string(items('For_Each_Security_Alert')?['threat_detected']), ',\"IsAnomaly\":', string(items('For_Each_Security_Alert')?['is_anomaly']), ',\"ConfidenceScore\":', string(items('For_Each_Security_Alert')?['confidence_score']), ',\"UpdatedAt\":\"', items('For_Each_Security_Alert')?['updated_at'], '\"}'))}", - "headers": { - "Log-Type": "Vaikora_SecurityAlerts" - } - } - } - }, - "runAfter": { - "Filter_High_Risk_Actions": ["Succeeded"] - } - } - } - }, - "parameters": { - "VaikoraApiKey": { - "value": "[[parameters('VaikoraApiKey')]" - }, - "VaikoraAgentId": { - "value": "[[parameters('VaikoraAgentId')]" - }, - "$connections": { - "value": { - 
"azureloganalyticsdatacollector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('logAnalyticsConnectionName'))]", - "connectionName": "[[variables('logAnalyticsConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]" - } - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(resourceId('Microsoft.Logic/workflows', parameters('PlaybookName')),'/'))))]", - "dependsOn": [ - "[[resourceId('Microsoft.Logic/workflows', parameters('PlaybookName'))]" - ], - "properties": { - "parentId": "[[resourceId('Microsoft.Logic/workflows', parameters('PlaybookName'))]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", - "source": { - "kind": "Solution", - "name": "VaikoraSecurityCenter", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[variables('_email')]" - }, - "support": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[variables('_email')]", - "tier": "Partner", - "link": "https://www.data443.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId1')]", - "contentKind": "Playbook", - "displayName": "VaikoraToAzureSecurityCenter", - "contentProductId": "[variables('_playbookcontentProductId1')]", - "id": "[variables('_playbookcontentProductId1')]", - "version": "[variables('playbookVersion1')]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Vaikora - High Severity Security Alerts analytic rule with template version 1.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects high or critical severity security alerts ingested from the Vaikora AI signal exchange platform in the last 6 hours.", - "displayName": "Vaikora - High Severity Security Alerts", - "enabled": false, - "query": "Vaikora_SecurityAlerts_CL\n| where TimeGenerated >= ago(6h)\n| where Severity_s in (\"high\", \"critical\")\n| extend AlertId=AlertId_s, AgentId=AgentId_s, ActionType=ActionType_s, Severity=Severity_s, Title=Title_s, Description=Description_s, SourceIP=SourceIP_s, DestinationIP=DestinationIP_s, SourceHost=SourceHost_s, DestHost=DestinationHost_s, ProcessName=ProcessName_s, UserName=UserName_s, FilePath=FilePath_s, Confidence=ConfidenceScore_d, ThreatFlag=ThreatDetected_b, AnomalyFlag=IsAnomaly_b\n| project TimeGenerated, AlertId, AgentId, ActionType, Severity, Title, Description, SourceIP, DestinationIP, SourceHost, DestHost, ProcessName, UserName, FilePath, Confidence, 
ThreatFlag, AnomalyFlag\n| order by TimeGenerated desc", - "queryFrequency": "PT6H", - "queryPeriod": "PT6H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "VaikoraSecurityCenter", - "dataTypes": ["Vaikora_SecurityAlerts_CL"] - } - ], - "tactics": [ - "InitialAccess", - "Execution", - "Persistence", - "DefenseEvasion", - "CredentialAccess", - "LateralMovement", - "Exfiltration", - "Impact" - ], - "entityMappings": [ - { - "entityType": "IP", - "fieldMappings": [{ "identifier": "Address", "columnName": "SourceIP" }] - }, - { - "entityType": "IP", - "fieldMappings": [{ "identifier": "Address", "columnName": "DestinationIP" }] - }, - { - "entityType": "Host", - "fieldMappings": [{ "identifier": "HostName", "columnName": "SourceHost" }] - }, - { - "entityType": "Account", - "fieldMappings": [{ "identifier": "Name", "columnName": "UserName" }] - } - ], - "alertDetailsOverride": { - "alertDisplayNameFormat": "Vaikora {{Severity_s}} Alert: {{Title_s}}", - "alertDescriptionFormat": "Vaikora detected a {{Severity_s}} severity event on agent {{AgentId_s}}. 
{{Description_s}}", - "alertSeverityColumnName": "Severity_s" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", - "properties": { - "description": "Vaikora Security Center Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "source": { - "kind": "Solution", - "name": "VaikoraSecurityCenter", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[variables('_email')]" - }, - "support": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[variables('_email')]", - "tier": "Partner", - "link": "https://www.data443.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "contentKind": "AnalyticsRule", - "displayName": "Vaikora - High Severity Security Alerts", - "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Vaikora - Anomaly Detection analytic rule with template version 1.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects actions flagged as anomalies or confirmed threats by the Vaikora AI engine, even when severity is below high/critical.", - "displayName": "Vaikora - Anomaly Detection", - "enabled": false, - "query": "Vaikora_SecurityAlerts_CL\n| where TimeGenerated >= ago(6h)\n| where IsAnomaly_b == true or ThreatDetected_b == true\n| where Severity_s !in (\"high\", \"critical\")\n| extend AlertId=AlertId_s, AgentId=AgentId_s, ActionType=ActionType_s, Severity=Severity_s, Title=Title_s, Description=Description_s, SourceIP=SourceIP_s, DestinationIP=DestinationIP_s, SourceHost=SourceHost_s, UserName=UserName_s, Confidence=ConfidenceScore_d, ThreatFlag=ThreatDetected_b, AnomalyFlag=IsAnomaly_b\n| project TimeGenerated, AlertId, AgentId, ActionType, Severity, Title, Description, SourceIP, DestinationIP, SourceHost, UserName, Confidence, ThreatFlag, AnomalyFlag\n| order by Confidence desc, TimeGenerated desc", - "queryFrequency": "PT6H", - "queryPeriod": "PT6H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - 
"connectorId": "VaikoraSecurityCenter", - "dataTypes": ["Vaikora_SecurityAlerts_CL"] - } - ], - "tactics": [ - "Discovery", - "LateralMovement", - "Collection", - "Exfiltration" - ], - "entityMappings": [ - { - "entityType": "IP", - "fieldMappings": [{ "identifier": "Address", "columnName": "SourceIP" }] - }, - { - "entityType": "Host", - "fieldMappings": [{ "identifier": "HostName", "columnName": "SourceHost" }] - }, - { - "entityType": "Account", - "fieldMappings": [{ "identifier": "Name", "columnName": "UserName" }] - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", - "properties": { - "description": "Vaikora Security Center Analytics Rule 2", - "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "source": { - "kind": "Solution", - "name": "VaikoraSecurityCenter", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[variables('_email')]" - }, - "support": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[variables('_email')]", - "tier": "Partner", - "link": "https://www.data443.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "contentKind": "AnalyticsRule", - "displayName": "Vaikora - Anomaly Detection", - "contentProductId": 
"[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Vaikora - Feed Outage Detection analytic rule with template version 1.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Fires when no Vaikora data has arrived in the custom table for 12 or more hours, indicating a possible Logic App failure or API authentication issue.", - "displayName": "Vaikora - Feed Outage Detection", - "enabled": false, - "query": "Vaikora_SecurityAlerts_CL\n| where TimeGenerated >= ago(12h)\n| summarize Count = count()\n| where Count == 0\n| extend Alert=\"No Vaikora data ingested in the last 12 hours\", Suggestion=\"Check the VaikoraToAzureSecurityCenter Logic App run history and verify the Vaikora API key is valid.\"\n| project Alert, Suggestion", - "queryFrequency": "PT12H", - "queryPeriod": "PT12H", - "severity": "Low", - "suppressionDuration": "PT1H", - 
"suppressionEnabled": false, - "triggerOperator": "LessThan", - "triggerThreshold": 1, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "VaikoraSecurityCenter", - "dataTypes": ["Vaikora_SecurityAlerts_CL"] - } - ], - "tactics": [] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", - "properties": { - "description": "Vaikora Security Center Analytics Rule 3", - "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "source": { - "kind": "Solution", - "name": "VaikoraSecurityCenter", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[variables('_email')]" - }, - "support": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[variables('_email')]", - "tier": "Partner", - "link": "https://www.data443.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "contentKind": "AnalyticsRule", - "displayName": "Vaikora - Feed Outage Detection", - "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", - "apiVersion": 
"2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "[variables('_solutionVersion')]", - "kind": "Solution", - "contentSchemaVersion": "3.0.0", - "displayName": "Vaikora Security Center", - "publisherDisplayName": "Data443 Risk Mitigation, Inc.", - "descriptionHtml": "

The Vaikora Security Center solution integrates Vaikora AI-driven security signal detection with Microsoft Sentinel and Azure Defender for Cloud via a Logic App playbook that polls the Vaikora API and writes qualifying alerts to the Vaikora_SecurityAlerts_CL custom table.

", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "VaikoraSecurityCenter", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[variables('_email')]" - }, - "support": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[variables('_email')]", - "tier": "Partner", - "link": "https://www.data443.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "Playbook", - "contentId": "[variables('_playbookContentId1')]", - "version": "[variables('playbookVersion1')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" - } - ] - }, - "firstPublishDate": "2026-04-02", - "providers": ["Data443 Risk Mitigation, Inc."], - "categories": { - "domains": ["Security - Threat Protection"], - "verticals": [] - } - } - } - ], - "outputs": {} -} From 0faba1a5ed99c7844e4b6d4707098c1cd7234bf5 Mon Sep 17 00:00:00 2001 
From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:13 -0400 Subject: [PATCH 15/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 .../azuredeploy.json | 281 ------------------ 1 file changed, 281 deletions(-) delete mode 100644 Solutions/Vaikora-AzureSecurityCenter/Playbooks/VaikoraToAzureSecurityCenter/azuredeploy.json
diff --git a/Solutions/Vaikora-AzureSecurityCenter/Playbooks/VaikoraToAzureSecurityCenter/azuredeploy.json b/Solutions/Vaikora-AzureSecurityCenter/Playbooks/VaikoraToAzureSecurityCenter/azuredeploy.json
deleted file mode 100644
index ae02dff9b5f..00000000000
--- a/Solutions/Vaikora-AzureSecurityCenter/Playbooks/VaikoraToAzureSecurityCenter/azuredeploy.json
+++ /dev/null
@@ -1,281 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {
- "title": "Vaikora to Azure Security Center",
- "description": "This playbook polls the Vaikora AI signal exchange API every 6 hours, filters actions with high/critical severity, anomaly flags, or threat detections, and writes them to the Vaikora_SecurityAlerts_CL custom Log Analytics table. Sentinel analytic rules then surface these signals in Defender for Cloud.",
- "mainSteps": [
- "1. Triggers on a 6-hour recurrence schedule.",
- "2. Calls GET /api/v1/actions on the Vaikora API with X-API-Key authentication.",
- "3. Filters actions where severity is high or critical, is_anomaly is true, or threat_detected is true.",
- "4. Sends each qualifying action to a custom Log Analytics table (Vaikora_SecurityAlerts_CL) via the Data Collector API.",
- "5. Sentinel analytic rules query the custom table to generate incidents."
- ],
- "prerequisites": [
- "1. A valid Vaikora API key (X-API-Key).",
- "2. The Vaikora Agent ID to poll.",
- "3. Log Analytics Workspace ID and Primary Key (for Data Collector API signing).",
- "4. Microsoft Sentinel enabled on the target workspace."
- ],
- "postDeployment": [
- "1. Open the Logic App in the Azure portal.",
- "2. Confirm the VaikoraAgentId parameter is correct.",
- "3. Enable the analytic rules deployed with this solution.",
- "4. Optionally adjust the recurrence interval."
- ],
- "lastUpdateTime": "2026-04-02T00:00:00.000Z",
- "entities": [],
- "tags": [
- "Vaikora",
- "SecurityCenter",
- "DefenderForCloud",
- "ThreatDetection"
- ],
- "support": {
- "tier": "Partner",
- "link": "https://www.data443.com"
- },
- "author": {
- "name": "Data443 Risk Mitigation, Inc."
- },
- "releaseNotes": [
- {
- "version": "1.0.0",
- "title": "Vaikora to Azure Security Center",
- "notes": [
- "Initial version"
- ]
- }
- ]
- },
- "parameters": {
- "PlaybookName": {
- "defaultValue": "VaikoraToAzureSecurityCenter",
- "type": "string",
- "metadata": {
- "description": "Name of the Logic App playbook"
- }
- },
- "VaikoraApiKey": {
- "type": "securestring",
- "metadata": {
- "description": "Vaikora API key (used as X-API-Key header)"
- }
- },
- "VaikoraAgentId": {
- "type": "string",
- "metadata": {
- "description": "Vaikora Agent ID to poll for security actions"
- }
- },
- "WorkspaceId": {
- "type": "string",
- "metadata": {
- "description": "Log Analytics Workspace ID (for Data Collector API)"
- }
- },
- "WorkspaceKey": {
- "type": "securestring",
- "metadata": {
- "description": "Log Analytics Primary Key (for Data Collector API HMAC signing)"
- }
- }
- },
- "variables": {
- "logicAppName": "[parameters('PlaybookName')]",
- "logAnalyticsConnectionName": "[concat('azureloganalyticsdatacollector-', parameters('PlaybookName'))]"
- },
- "resources": [
- {
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[variables('logAnalyticsConnectionName')]",
- "location": "[resourceGroup().location]",
- "properties": {
- "displayName": "Vaikora Log Analytics Data Collector",
- "customParameterValues": {},
- "api": {
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
- },
- "parameterValues": {
- "username": "[parameters('WorkspaceId')]",
- "password": "[parameters('WorkspaceKey')]"
- }
- }
- },
- {
- "type": "Microsoft.Logic/workflows",
- "apiVersion": "2019-05-01",
- "name": "[parameters('PlaybookName')]",
- "location": "[resourceGroup().location]",
- "tags": {
- "hidden-SentinelTemplateName": "VaikoraToAzureSecurityCenter",
- "hidden-SentinelTemplateVersion": "1.0"
- },
- "identity": {
- "type": "SystemAssigned"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Web/connections', variables('logAnalyticsConnectionName'))]"
- ],
- "properties": {
- "state": "Enabled",
- "definition": {
- "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "VaikoraApiKey": {
- "type": "securestring"
- },
- "VaikoraAgentId": {
- "type": "string",
- "defaultValue": "[parameters('VaikoraAgentId')]"
- },
- "$connections": {
- "type": "Object"
- }
- },
- "triggers": {
- "Recurrence": {
- "type": "Recurrence",
- "recurrence": {
- "frequency": "Hour",
- "interval": 6,
- "timeZone": "UTC"
- }
- }
- },
- "actions": {
- "Poll_Vaikora_Actions": {
- "type": "Http",
- "inputs": {
- "method": "GET",
- "uri": "https://api.vaikora.com/api/v1/actions",
- "queries": {
- "agent_id": "@parameters('VaikoraAgentId')",
- "per_page": "100"
- },
- "headers": {
- "X-API-Key": "@parameters('VaikoraApiKey')",
- "Accept": "application/json"
- }
- },
- "runAfter": {}
- },
- "Parse_Response": {
- "type": "ParseJson",
- "inputs": {
- "content": "@body('Poll_Vaikora_Actions')",
- "schema": {
- "type": "object",
- "properties": {
- "data": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "id": { "type": "string" },
- "agent_id": { "type": "string" },
- "action_type": { "type": "string" },
- "severity": { "type": "string" },
- "title": { "type": "string" },
- "description": { "type": "string" },
- "source_ip": { "type": "string" },
- "destination_ip": { "type": "string" },
- "source_host": { "type": "string" },
- "destination_host": { "type": "string" },
- "process_name": { "type": "string" },
- "user_name": { "type": "string" },
- "file_path": { "type": "string" },
- "threat_detected": { "type": "boolean" },
- "is_anomaly": { "type": "boolean" },
- "confidence_score": { "type": "number" },
- "tags": {
- "type": "array",
- "items": { "type": "string" }
- },
- "raw_data": { "type": "object" },
- "created_at": { "type": "string" },
- "updated_at": { "type": "string" }
- }
- }
- },
- "meta": {
- "type": "object",
- "properties": {
- "total": { "type": "integer" },
- "per_page": { "type": "integer" },
- "current_page": { "type": "integer" }
- }
- }
- }
- }
- },
- "runAfter": {
- "Poll_Vaikora_Actions": ["Succeeded"]
- }
- },
- "Filter_High_Risk_Actions": {
- "type": "Query",
- "inputs": {
- "from": "@body('Parse_Response')?['data']",
- "where": "@or(or(equals(item()?['severity'], 'high'), equals(item()?['severity'], 'critical')), or(equals(item()?['is_anomaly'], true), equals(item()?['threat_detected'], true)))"
- },
- "runAfter": {
- "Parse_Response": ["Succeeded"]
- }
- },
- "For_Each_Security_Alert": {
- "type": "Foreach",
- "foreach": "@body('Filter_High_Risk_Actions')",
- "actions": {
- "Send_to_Log_Analytics": {
- "type": "ApiConnection",
- "inputs": {
- "host": {
- "connection": {
- "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
- }
- },
- "method": "post",
- "path": "/api/logs",
- "body": "@{json(concat('{\"TimeGenerated\":\"', items('For_Each_Security_Alert')?['created_at'], '\",\"AlertId\":\"', items('For_Each_Security_Alert')?['id'], '\",\"AgentId\":\"', items('For_Each_Security_Alert')?['agent_id'], '\",\"ActionType\":\"', items('For_Each_Security_Alert')?['action_type'], '\",\"Severity\":\"', items('For_Each_Security_Alert')?['severity'], '\",\"Title\":\"', replace(items('For_Each_Security_Alert')?['title'], '\"', '\\\"'), '\",\"Description\":\"', replace(items('For_Each_Security_Alert')?['description'], '\"', '\\\"'), '\",\"SourceIP\":\"', items('For_Each_Security_Alert')?['source_ip'], '\",\"DestinationIP\":\"', items('For_Each_Security_Alert')?['destination_ip'], '\",\"SourceHost\":\"', items('For_Each_Security_Alert')?['source_host'], '\",\"DestinationHost\":\"', items('For_Each_Security_Alert')?['destination_host'], '\",\"ProcessName\":\"', items('For_Each_Security_Alert')?['process_name'], '\",\"UserName\":\"', items('For_Each_Security_Alert')?['user_name'], '\",\"FilePath\":\"', items('For_Each_Security_Alert')?['file_path'], '\",\"ThreatDetected\":', string(items('For_Each_Security_Alert')?['threat_detected']), ',\"IsAnomaly\":', string(items('For_Each_Security_Alert')?['is_anomaly']), ',\"ConfidenceScore\":', string(items('For_Each_Security_Alert')?['confidence_score']), ',\"UpdatedAt\":\"', items('For_Each_Security_Alert')?['updated_at'], '\"}'))}",
- "headers": {
- "Log-Type": "Vaikora_SecurityAlerts"
- }
- }
- }
- },
- "runAfter": {
- "Filter_High_Risk_Actions": ["Succeeded"]
- }
- }
- }
- },
- "parameters": {
- "VaikoraApiKey": {
- "value": "[parameters('VaikoraApiKey')]"
- },
- "VaikoraAgentId": {
- "value": "[parameters('VaikoraAgentId')]"
- },
- "$connections": {
- "value": {
- "azureloganalyticsdatacollector": {
- "connectionId": "[resourceId('Microsoft.Web/connections', variables('logAnalyticsConnectionName'))]",
- "connectionName": "[variables('logAnalyticsConnectionName')]",
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureloganalyticsdatacollector')]"
- }
- }
- }
- }
- }
- }
- ],
- "outputs": {
- "logicAppId": {
- "type": "string",
- "value": "[resourceId('Microsoft.Logic/workflows', variables('logicAppName'))]"
- }
- }
-}
From ebda76accf3a2086f70984b9819b019f27f1fed3 Mon Sep 17 00:00:00 2001
From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:14 -0400 Subject: [PATCH 16/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 .../Vaikora-AzureSecurityCenter/README.md | 78 ------------------- 1 file changed, 78 deletions(-) delete mode 100644 Solutions/Vaikora-AzureSecurityCenter/README.md
diff --git a/Solutions/Vaikora-AzureSecurityCenter/README.md b/Solutions/Vaikora-AzureSecurityCenter/README.md
deleted file mode 100644
index c4ab4c020a3..00000000000
--- a/Solutions/Vaikora-AzureSecurityCenter/README.md
+++ /dev/null
@@ -1,78 +0,0 @@
-# Vaikora Security Center — Microsoft Sentinel Content Hub Solution
-
-Integrates [Vaikora](https://vaikora.com) AI-driven security signal detection with Microsoft Sentinel and Azure Defender for Cloud.
-
-## How it works
-
-A Logic App playbook (`VaikoraToAzureSecurityCenter`) runs on a 6-hour schedule. Each run:
-
-1. Calls `GET https://api.vaikora.com/api/v1/actions?agent_id={id}&per_page=100` using your Vaikora API key.
-2. Filters the response to actions that are `high` or `critical` severity, flagged as anomalies, or flagged as confirmed threats.
-3. Writes each matching action to the `Vaikora_SecurityAlerts_CL` custom table in your Log Analytics workspace using the Data Collector API.
-
-Three Sentinel analytic rules query that table to generate incidents:
-
-| Rule | Severity | Fires when |
-|------|----------|-----------|
-| Vaikora - High Severity Security Alerts | High | Any `high`/`critical` action in the last 6 hours |
-| Vaikora - Anomaly Detection | Medium | Any anomaly or threat-detected action below high/critical |
-| Vaikora - Feed Outage Detection | Low | No data ingested in the last 12 hours |
-
-## Prerequisites
-
-- Microsoft Sentinel workspace (Log Analytics workspace with Sentinel enabled)
-- Vaikora account with API access
-- Vaikora API key and Agent ID
-
-## Installation
-
-Deploy through the Microsoft Sentinel Content Hub. During installation you will be prompted for:
-
-| Parameter | Description |
-|-----------|-------------|
-| Workspace | The Log Analytics workspace where Sentinel is running |
-| Playbook Name | Name for the Logic App (default: `VaikoraToAzureSecurityCenter`) |
-| Vaikora API Key | Your Vaikora API key (stored securely, not logged) |
-| Vaikora Agent ID | The Agent ID to poll for security actions |
-| Log Analytics Workspace ID | The workspace GUID (found in Workspace Settings) |
-| Log Analytics Primary Key | The workspace primary key used for HMAC-SHA256 signing |
-
-After deployment, enable the three analytic rules from **Sentinel → Analytics → Rule Templates**.
-
-## Custom log table
-
-The playbook creates the `Vaikora_SecurityAlerts_CL` table automatically on first successful write. Fields ingested:
-
-| Field | Type | Description |
-|-------|------|-------------|
-| AlertId_s | string | Vaikora action/alert ID |
-| AgentId_s | string | Vaikora agent that generated the alert |
-| ActionType_s | string | Action category |
-| Severity_s | string | `low`, `medium`, `high`, `critical` |
-| Title_s | string | Short alert title |
-| Description_s | string | Full alert description |
-| SourceIP_s | string | Source IP address |
-| DestinationIP_s | string | Destination IP address |
-| SourceHost_s | string | Source hostname |
-| DestinationHost_s | string | Destination hostname |
-| ProcessName_s | string | Process involved |
-| UserName_s | string | User account involved |
-| FilePath_s | string | File path involved |
-| ConfidenceScore_d | double | Model confidence score (0–1) |
-| IsAnomaly_b | bool | Vaikora anomaly flag |
-| ThreatDetected_b | bool | Vaikora confirmed-threat flag |
-| TimeGenerated | datetime | Event timestamp |
-
-## Troubleshooting
-
-**No data in `Vaikora_SecurityAlerts_CL`:**
-- Open the Logic App run history in the Azure portal and check for failed runs.
-- Verify the Vaikora API key is valid by calling the API manually.
-- Confirm the Workspace ID and Primary Key are correct.
-
-**Feed Outage alert fires after install:**
-- The table is empty until the first playbook run. Wait up to 6 hours for the first poll, or trigger the Logic App manually.
-
-## Support
-
-Provided by [Data443 Risk Mitigation, Inc.](https://data443.com). Open an issue or contact support@data443.com.
From 52197d388ffaab6eca80c537b463276e9f4ed49e Mon Sep 17 00:00:00 2001
From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:15 -0400 Subject: [PATCH 17/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 Solutions/Vaikora-AzureSecurityCenter/ReleaseNotes.md | 10 ---------- 1 file changed, 10 deletions(-) delete mode 100644 Solutions/Vaikora-AzureSecurityCenter/ReleaseNotes.md
diff --git a/Solutions/Vaikora-AzureSecurityCenter/ReleaseNotes.md b/Solutions/Vaikora-AzureSecurityCenter/ReleaseNotes.md
deleted file mode 100644
index 5bff0d169d4..00000000000
--- a/Solutions/Vaikora-AzureSecurityCenter/ReleaseNotes.md
+++ /dev/null
@@ -1,10 +0,0 @@
-# Vaikora Security Center — Release Notes
-
-## Version 1.0.0 (2026-04-02)
-
-**Initial release.**
-
-- Logic App playbook (`VaikoraToAzureSecurityCenter`) polls the Vaikora `/api/v1/actions` endpoint every 6 hours and writes high-severity, anomaly, and threat-detected actions to `Vaikora_SecurityAlerts_CL` via the Log Analytics Data Collector API.
-- Analytic rule: **Vaikora - High Severity Security Alerts** — fires on any `high` or `critical` severity event ingested in the last 6 hours.
-- Analytic rule: **Vaikora - Anomaly Detection** — fires on actions flagged `is_anomaly` or `threat_detected` that fall below the high/critical severity threshold.
-- Analytic rule: **Vaikora - Feed Outage Detection** — fires when the custom table receives no records for 12 or more hours, signaling a broken playbook or expired API key.
From 6bbc32c637502eb3d53b532035a470bcd61fcbbb Mon Sep 17 00:00:00 2001
From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:16 -0400 Subject: [PATCH 18/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 .../SolutionMetadata.json | 20 ------------------- 1 file changed, 20 deletions(-) delete mode 100644 Solutions/Vaikora-AzureSecurityCenter/SolutionMetadata.json
diff --git a/Solutions/Vaikora-AzureSecurityCenter/SolutionMetadata.json b/Solutions/Vaikora-AzureSecurityCenter/SolutionMetadata.json
deleted file mode 100644
index d6539a91086..00000000000
--- a/Solutions/Vaikora-AzureSecurityCenter/SolutionMetadata.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "publisherId": "data443riskmitigationinc1761580347231",
- "offerId": "vaikora-security-center-connector",
- "firstPublishDate": "2026-04-02",
- "providers": [
- "Data443 Risk Mitigation, Inc."
- ],
- "categories": {
- "domains": [
- "Security - Threat Protection"
- ],
- "verticals": []
- },
- "support": {
- "name": "Data443 Risk Mitigation, Inc.",
- "email": "support@data443.com",
- "tier": "Partner",
- "link": "https://www.data443.com"
- }
-}
\ No newline at end of file
From fcf68285b11908b01f0455ef0cbff0bf7b242413 Mon Sep 17 00:00:00 2001
From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:16 -0400 Subject: [PATCH 19/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 .../Data/Solution_VaikoraCrowdStrike.json | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Data/Solution_VaikoraCrowdStrike.json
diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Data/Solution_VaikoraCrowdStrike.json b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Data/Solution_VaikoraCrowdStrike.json
deleted file mode 100644
index a5bf894f1f9..00000000000
--- a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Data/Solution_VaikoraCrowdStrike.json
+++ /dev/null
@@ -1,14 +0,0 @@ -{ - "Name": "Vaikora-CrowdStrike-AIAgentSecurity", - "Author": "Data443 Risk Mitigation, Inc. - support@data443.com", - "Logo": "", - "Description": "The Vaikora CrowdStrike AI Agent Security solution polls Vaikora AI agent signals (actions with high/critical risk levels or anomaly detections) and pushes them as Custom IOCs to CrowdStrike Falcon for detection and prevention.", - "Playbooks": [ - "Playbooks/VaikoraToCrowdStrike_Playbook.json" - ], - "Metadata": "SolutionMetadata.json", - "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-CrowdStrike-AIAgentSecurity", - "Version": "1.0.0", - "TemplateSpec": true, - "Is1Pconnector": false -} From 422e25d950e1bb6cbf16ef3b1bfa96f686a0bc56 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:17 -0400 Subject: [PATCH 20/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Package/3.0.0.zip | Bin 6447 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/3.0.0.zip diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/3.0.0.zip b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/3.0.0.zip deleted file mode 100644 index c1290f65fb56fc86ada62edb715b9e48679a9301..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6447 zcmZ{pWlS7kv+r@2qQw>{?(Rj3@8U&USXkWM-QC^Y-F?yG6!+p3DaGC8_B}Vbxyd
EG# zVY76yvz;Wfa$4iN^72EJadS#EQy6n4?>?rn0GHVaE8;=2oB98^tEUIkW-|sN0-0@( z-hI(O_#rT8XsY(t>HWaQ z@NKZWWM2MJ;eCvZ}bshc1a`+ zO!k;^zvQXdrtv|m$aMLHiiqu3G@6VoPVMvq4<0ansoii-!`OZ>; z%^`!Zce`1=Xi5O5dXMulp^1y)GBB)(IYaFilEN>&-7{)ZWloxhg5F zo3+GC=7imJsnF4_8AqjE!9qCN;CZX`tHh=dI6sH*6aN6ZXU*5{MKr75$JEO%sJ0Ac z+#E{j);!*drsH3TDx--}jkslK;iUELrAPvKD96%2;j@*|q;7>mnI(xaCtr7_raX}6 z+3E~(1D6)VmLZd126(g-^e%mF=k%SM()aHQ;InS+`K|inl)#$;@R_&z{7W{o)5W z;8L)2;wyk~k5##?0Xs>`L20BxiV?MNRn`A9j#3#p|5jxsw#zi z%yEom=(NFmfDb7i1i8dtT2!WEo2^$M3N;bQNV+(*JJ}W}==-3Gk6y+t@pOqURnVUO zl7oYp@Yx5zD^iF3HZZV4&K!D%h^_lwOm}VC<#F)#Z@o zr_-WJq0dTpuY->}V5Y1O0l#RK%6n?3~&;uT_@Y2VxdFUH> zYJB*+p`c%->pN3t_Kk)8L~9O6I39Z8WA<%U&dFu7_H7e~=OwZF)M2)9hyM0q&QZrL z1agux=<-`t+4d&=0xdMF$!yYul=BWElJT{p$^!D^E0yX_I@`>uMgzQmH;}y&&v)3& zP0D-nBVXquePXBuz?i%;nx766zwt(mkVhLVhgkm6F>^#GAG#CHOf4ESf+u`DvpnFj zE>8cy9v4*F9 zCUML{>BEf`tZVK;rvJ39Cb_R3#o6EC({A;H!~x;uTj^KZ_GqU)F#De?bR9JOYE8@q znaw2}L}(!$pa)I>sEGGN2PCxHc9O{g>29}nR?~@kjwM>JUOO7Gmi@S7{ODxas+`u! zniX?)DsR%VxnVP9+jMN@xSBK~s=GbX^o|Ps;eV42;RShi%6L^}j8bQo%-AlbZc9Yv zHP($yEjxX|tYH;}L;Wo5TywM8dgq#`mBYk8!f&#~@@InH+^@g1!b0PCC~IOCn^Knl zQ_aiN(a*Fhh1KL8&wbZ}l>W>g-R5uvaoy~Zm8!(vd7u{%yrh?O{-;jdMkHvf)g|xu z1sUvPA>O<-I$a-C9n#5lZb-}Yx#U%XI>P)|X|j5FYbhPs=`&uTL$J9y_*#Wl z4SDi#6)%otFx2F+vPmb7P^tfoW7UfR-4*YPrn)pOsAHtSPifNT1heI zAU-zKLq+pduD$okL|;)p7np0~LrXjfowuB1*EiZoc9qJFi$4Z@=!lTqOhBwoGt!w~ zBUbMvo4t$d%3Cz|3bW2P;IoRMtfOtnHf|Xy7hfVfq%`Wnmhp$~?cL+{8B-DohiS8g zQl7(6F7^%{jB``aGFKk`|tv{E>&HMh$VL`tE!-j=Q&UdWRTPdwt^Ky zhFIa)WB~L6DQQam_nE%$o8ZtX^?xzU;MQo%>k{&rr+Z9PL%q9^G$ZNF;plkX(^qA% z)v?z+rah&Rqp!v_y^%pj{^KE6mFa#Zs?C-*OS>CYzQ>rJux>ZYMW64*j1s3V<(6yz zn5&_<*OW_Hn!mk|N0-Xr6ss|sKDX!a&9*A?;*NquubgOJaCpJC?cWEbTml*Kh71~n znb?_B8hC`f>{Tnqm6?!L=?WSEa>5XtWRIrAHF%CL`C3&QaES*Wchh zyDhM0;_mNXG>Yi*%YuFpOi;FzT0m{wY9wcXdezV6)gfYW@|zJ9FJIKQeV($X4(9Qc zGQ2q&A|zj+G%p8i!i9gMA*EuYG2n4W;}ud&kz#DO)oOK{OjQ&jivD*M>}~aEb8*6= z9J}dI$NPRB+GQF*?s?%389w*=FKK{2=OHEwhsJc~l0ilK?`T$gPig~ny~Ld1${d0z zQ-a;>L9O{e->eO}M$#y(*a0%nkC?fyDIfxXPrsh)+Bk 
z&$6;9Ijs>G(WShGW7B%auknL>^!R112~Jv=mHxi^-cKU2e=@skz4a$>Lve@}$)W7L zGfXhe=&bu@Y-@IXX7FBdzKrd2&9;GVORB#JZxKw~ z3YA%)LL3C3s7SFg7BrhczHU+Tnu&yNv-`GfF~Q+n#OY9ICOQP7+R%|v_Uh>KMrz1A zXsJ?3ea?SLvr1Ft%bIFP$DR&q=y-CjSHr8fr4p_2{;Ur#bRG$@)Q{7*5w-aQ^yO=W z^JG+W8ji&IzBd%JMPyug>n{-6P~_@6^YZlefd}xTBDx5Wft0Yar}dD;(ZOm&q_o%F z-kK>Wl#?sLS-_|4`}GY)^;q|*T`alFYe{qQ;{%iumGz?=#3N?^8$)9O)7jm^)XL_%LHkhWT3We*z-v5 z-0XO*Q62i*H0n)8;YPCj%XpZ#+(w{B^VD@#&C)50$jYR-^w&NkonXwQaUPnCDOJ~i zd3B-Y2?tVhTu0{i4+3%`yXh-p&V&KQ+#z}POJX)wE(h}(Aj53;9OdG-Y_rct*>tF5R8B&hXYhPF;Xcp$T5HiFq=wq}W%ny6 z>(AL~8>X8b8V}oF$gi%luN$dPQg=QJ8d^*v$lZe)7-Znqn_Wkz1VNQEOR=wl!7itC zND`B!tmg$qtB;GTqbu2RV2UG=wnJ$L>88r+Wq5Cn-$zXqOkm|e(E zU(T;qA-xO;DJ~EfZoI486kv4)^dYWODWw;Pg$xW*7DyCwV$|iWxXmt1i$0@RWFtU| z!feHygE;O|tQ1z=&o01Cg5l7~h65XH`Y@$Sy|xuadHXXvZ>xib?|`_ghl*%xLm zJU;O0YaXKPgiQV-<9Wikh-SY|#^g2Q?Z_2x*qsw`JzQgw+!4Xx_tlUgeAcToR--4sEYy=Q=fJY53iK_&TSjqM4CjMg~{|IoMcN-Sd0l8v$My#CZ*Y=I4jFxQX5>%-h4-d2TjP{oWEdflzl4Y#z|3SOj?@T z!fh7<6rZ5~TYix$zI8w>1b{jgCclO)favy>-j_8IP5Smwp4_1UgJizhVWDCAl|UUR zcr+6;`@wt{v0qpcol(gfcCzx1i?$rdFZ5Pd(jq0dekE*k^>DmL`wAp)jQS^X2A#K4 zO?oTAf#4_k><|Vj`Ddyfcfne4D}Jz*u)+CaEVB+*$w!bRr(xT`s^}oupW15JQCj8 zo-?iItV3M<7EW|ET&-L-dMkTsO5`5ja1)0nHC_7DBhr}5^Uoo1kA1vk&elZ)c2X!zgRSNB8h(4hIx+E@Xwa}Ex zg|cDKPZQlAmaW##gM9!i&P0C+EYq7PG}BLPN^CjS_KhJ}=gsfDeDvxS}QfAN6* z@5i>J9RzQAWdiAJlw*t0Wba2Lz>ksHXJ{^#18K$O`y>k(B?d#pN}yN*TC4o&Ioac+ zn|P;PAoYk+G@-fQN$rr}{dEp{2Sg9nU96m=6!kK;KdNPF;nG|^8vzwGmPp652>X~V zPZCVU*jq7ca3Lgc#SJ-qj&CCEzJN1-3ud z2?TjY3JcI*lqCPRI5v3$%bS4ul=#6sU_&fhi!t+2T-h$IqwX9>nu487i9{7UurQzj zE80VgQ<@#OQ9NwhG$qmnO`&3)H>&yro@KEdHxqwy30pXF{MQOp!#;!`gOQBo3S<(k zq~pf?fdLI@n1OTD_QHXe_|@_%j|;)v1I6W;sHhRN>ed;CcLfwpCc;0+tO#+j5-SMe zXFOq06kcR$g6$|Jzyu@kUb*{BrIqz54C#AvQ3$1GcqU+bn`iicD;OcnIvAho1C-A4 z8{u$UP>_=npVKGJahQ`9L8xGfRB3#=N_@vC?*c8H#&0)OgP)D#BQU-px{SP{2UC5c*f8Hq}n?o2YHI`#_r#T6)tFuY05()QNG3f}LNF%7Hta7lRBmqu!NP5LwsBDubdE;X z^6rwgkF@|h;Ng)Gk32Y3w10n_uWXVszX`BcXj0UXX!M2c_x+0Tsz-X!EpBf&8m2Ob 
zxjlIf>yqAI@uZzyDD~ZUz#BVMCC5d=)*r#A)WUFo+p^facTnm4XLb1f#OGX(?oUKq zKY4>UCrGD+tw8t7VdRlLHbL`!86c8V9(a0f#We>Yn)ODiE}T}{39}+qm5edH>lC!d zup~Pbp@wYdVd$m4{Ag-(ur^ZQjRmHYhnTIvIqOuaSgFlLH`fVwmbtWMd1Lrf^~C5} zZh{V;!H5@RUfI(Ncv{oOOye6RY1}gTsnKx4Hja{df}xzLT(5N8W#UXkMGzqzyIDaE z`ZSnq)_2h-ghVQ3+LV$5>S9PQWE}n_Fj5k+fR3{S4n0sggyhDsBT*jhQ~F=R8T8r} zkY_?h&CtoT7Q;=!*5(Kvk$@u3n@YasYR3_nEEcC8r~#rW&gK`ODz$L6KJNFTsArW0 zj6K5y3qw2doh7t?WU(Hjy~WC&8@V7KEX*YRC<{uO~;Xy_+X=3 z>Niz{R`e>DQ$_=+nU5clg+hdJ@bg^Zrz;n0r0Of?I=?4(0-7B_)Mhq%mxg_>>&?_= z_}RM7ZmKx;7Qy}V6fVQj zdV6-4ZPsANfA00-{Y_;1OK4qs>ByENv~27 zPoy^g3269ci8^hVcz~M163jt|3mAI!MY*JlvWWCcFEII2h}K|MRi?49t8e+*vvCCW z`kpuED0v-U7-?3OW(x(x@vv_N0BGIpA_|uid)*OR^nT317a`ZOE9I$zZm*Sx;pkUP zx%^5-?}F|0n6S4=-tC9}jEk)<8B|?8&4~rZM+w8d>^IJ=`)!O}oso#WAV1$k@v42q z#+%CBQiWJ@K>sph{5|WAi~D2CI1QMqP3B%7+bxnIV!IUzwIJc_>O`x^w})c7PTjplRZPSn=K#66A0l z@4Mx(`v`&G;K#auIzRf}^}0mun6qDl!W$Rfb8ULIkuNWI-+TFrk(Tr3)>VMX`8BvI zazHdt<7heNpk{>cSzq&UTQt>!b)=HQC#}$9mWKw=Nw#`-IyJNQvDvrIm$F{mLRUM8 zP%W(9@uy#DbKp;$<(B)CgkKH2h=3EX;AP1h(h{wgxJY)d3AYLc<7DjPQX+Cak*+6x z6?s@VeE9$UEb&i|{FnI${3rakBgOwe{y%A%|2qr=;~#+b;eS;&D)NX(|7nE#=fVGC J3ekVE{{t3xQ4Ih9 From b3f3893bd3815261e442f48ea798b3cd65058db6 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:18 -0400 Subject: [PATCH 21/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Package/createUiDefinition.json | 182 ------------------ 1 file changed, 182 deletions(-) delete mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/createUiDefinition.json diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/createUiDefinition.json b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/createUiDefinition.json deleted file mode 100644 index a0b659aaceb..00000000000 
--- a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/createUiDefinition.json +++ /dev/null 
@@ -1,182 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", - "handler": "Microsoft.Azure.CreateUIDef", - "version": "0.1.2-preview", - "parameters": { - "config": { - "isWizard": false, - "basics": { - "description": "**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vaikora-CrowdStrike-AIAgentSecurity/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Vaikora CrowdStrike AI Agent Security solution polls Vaikora AI agent signals (high/critical risk actions and anomaly detections) and pushes them as Custom IOCs to CrowdStrike Falcon for detection and prevention.\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", - "subscription": { - "resourceProviders": [ - "Microsoft.OperationsManagement/solutions", - "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "Microsoft.Insights/workbooks", - "Microsoft.Logic/workflows" - ] - }, - "location": { - "metadata": { - "hidden": "Hiding location, we get it from the log analytics workspace" - }, - "visible": false - }, - "resourceGroup": { - "allowExisting": true - } - } - }, - "basics": [ - { - "name": "getLAWorkspace", - "type": "Microsoft.Solutions.ArmApiControl", - "toolTip": "This filters by workspaces that exist in the Resource Group selected", - "condition": "[greater(length(resourceGroup().name),0)]", - "request": { - "method": "GET", - "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" - } - }, - { - "name": "workspace", - "type": "Microsoft.Common.DropDown", - "label": "Workspace", - "placeholder": "Select a 
workspace", - "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", - "constraints": { - "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", - "required": true - }, - "visible": true - } - ], - "steps": [ - { - "name": "playbooks", - "label": "Playbooks", - "subLabel": { - "preValidation": "Configure the playbooks", - "postValidation": "Done" - }, - "bladeTitle": "Playbooks", - "elements": [ - { - "name": "playbooks-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." 
- } - }, - { - "name": "playbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - }, - { - "name": "vaikora-section", - "type": "Microsoft.Common.Section", - "label": "Vaikora API Settings", - "elements": [ - { - "name": "VaikoraApiKey", - "type": "Microsoft.Common.PasswordBox", - "label": { - "password": "Vaikora API Key", - "confirmPassword": "Confirm Vaikora API Key" - }, - "toolTip": "Vaikora API key used in the X-API-Key request header", - "constraints": { - "required": true - }, - "options": { - "hideConfirmation": true - }, - "visible": true - }, - { - "name": "VaikoraAgentId", - "type": "Microsoft.Common.TextBox", - "label": "Vaikora Agent ID", - "defaultValue": "", - "toolTip": "The agent_id to poll for AI signal actions from the Vaikora API", - "constraints": { - "required": true, - "regex": "^[a-zA-Z0-9_\\-]+$", - "validationMessage": "Agent ID must contain only alphanumeric characters, hyphens, and underscores" - }, - "visible": true - } - ], - "visible": true - }, - { - "name": "crowdstrike-section", - "type": "Microsoft.Common.Section", - "label": "CrowdStrike Falcon API Settings", - "elements": [ - { - "name": "CrowdStrike_BaseUrl", - "type": "Microsoft.Common.TextBox", - "label": "CrowdStrike API Base URL", - "defaultValue": "https://api.crowdstrike.com", - "toolTip": "CrowdStrike Falcon API base URL. 
Use https://api.us-2.crowdstrike.com for US-2 cloud or https://api.eu-1.crowdstrike.com for EU-1.", - "constraints": { - "required": true - }, - "visible": true - }, - { - "name": "CrowdStrike_ClientId", - "type": "Microsoft.Common.PasswordBox", - "label": { - "password": "CrowdStrike Client ID", - "confirmPassword": "Confirm CrowdStrike Client ID" - }, - "toolTip": "CrowdStrike OAuth2 Client ID with Indicators (IOCs) write permission", - "constraints": { - "required": true - }, - "options": { - "hideConfirmation": true - }, - "visible": true - }, - { - "name": "CrowdStrike_ClientSecret", - "type": "Microsoft.Common.PasswordBox", - "label": { - "password": "CrowdStrike Client Secret", - "confirmPassword": "Confirm CrowdStrike Client Secret" - }, - "toolTip": "CrowdStrike OAuth2 Client Secret corresponding to the Client ID above", - "constraints": { - "required": true - }, - "options": { - "hideConfirmation": true - }, - "visible": true - } - ], - "visible": true - } - ] - } - ], - "outputs": { - "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", - "location": "[location()]", - "workspace": "[basics('workspace')]", - "VaikoraApiKey": "[steps('playbooks').vaikora-section.VaikoraApiKey]", - "VaikoraAgentId": "[steps('playbooks').vaikora-section.VaikoraAgentId]", - "CrowdStrike_BaseUrl": "[steps('playbooks').crowdstrike-section.CrowdStrike_BaseUrl]", - "CrowdStrike_ClientId": "[steps('playbooks').crowdstrike-section.CrowdStrike_ClientId]", - "CrowdStrike_ClientSecret": "[steps('playbooks').crowdstrike-section.CrowdStrike_ClientSecret]" - } - } -} From 9272f79db2055e66c7b8b60982c36e0aeeee3daf Mon Sep 17 00:00:00 2001 
From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com>
Date: Mon, 6 Apr 2026 06:46:19 -0400
Subject: [PATCH 22/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../Package/mainTemplate.json | 471 ------------------
 1 file changed, 471 deletions(-)
 delete mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/mainTemplate.json
diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/mainTemplate.json b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/mainTemplate.json
deleted file mode 100644
index dd2c7e6b9b6..00000000000
--- a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/mainTemplate.json
+++ /dev/null
@@ -1,471 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Data443 Risk Mitigation, Inc. - support@data443.com", - "comments": "Solution template for Vaikora-CrowdStrike-AIAgentSecurity" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - }, - "VaikoraApiKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Vaikora API key (X-API-Key header)" - } - }, - "VaikoraAgentId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Vaikora agent_id to poll for AI signal actions" - } - }, - "CrowdStrike_ClientId": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "CrowdStrike OAuth2 Client ID" - } - }, - "CrowdStrike_ClientSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "CrowdStrike OAuth2 Client Secret" - } - }, - "CrowdStrike_BaseUrl": { - "type": "string", - "defaultValue": "https://api.crowdstrike.com", - "metadata": { - "description": "CrowdStrike API Base URL (e.g. 
https://api.crowdstrike.com or https://api.us-2.crowdstrike.com)" - } - } - }, - "variables": { - "email": "support@data443.com", - "_email": "[variables('email')]", - "_solutionName": "Vaikora-CrowdStrike-AIAgentSecurity", - "_solutionVersion": "3.0.0", - "solutionId": "data443riskmitigationinc1761580347231.azure-sentinel-solution-vaikora-crowdstrike", - "_solutionId": "[variables('solutionId')]", - "Playbooks": "Playbooks", - "_Playbooks": "[variables('Playbooks')]", - "blanks": "[replace('b', 'b', '')]", - "playbookVersion1": "1.0", - "playbookContentId1": "Playbooks", - "_playbookContentId1": "[variables('playbookContentId1')]", - "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", - "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Playbooks Playbook with template 
version 1.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "logicAppName": { - "type": "string", - "defaultValue": "pb-vaikora-to-crowdstrike" - }, - "VaikoraApiKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Vaikora API key (X-API-Key header)" - } - }, - "VaikoraAgentId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Vaikora agent_id to poll for AI signal actions" - } - }, - "CrowdStrike_ClientId": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "CrowdStrike OAuth2 Client ID" - } - }, - "CrowdStrike_ClientSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "CrowdStrike OAuth2 Client Secret" - } - }, - "CrowdStrike_BaseUrl": { - "type": "string", - "defaultValue": "https://api.crowdstrike.com", - "metadata": { - "description": "CrowdStrike API Base URL (e.g. 
https://api.crowdstrike.com or https://api.us-2.crowdstrike.com)" - } - } - }, - "variables": { - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", - "name": "[[parameters('logicAppName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "state": "Enabled", - "parameters": { - "VaikoraApiKey": { - "value": "[[parameters('VaikoraApiKey')]" - }, - "VaikoraAgentId": { - "value": "[[parameters('VaikoraAgentId')]" - }, - "CrowdStrike_ClientId": { - "value": "[[parameters('CrowdStrike_ClientId')]" - }, - "CrowdStrike_ClientSecret": { - "value": "[[parameters('CrowdStrike_ClientSecret')]" - }, - "CrowdStrike_BaseUrl": { - "value": "[[parameters('CrowdStrike_BaseUrl')]" - } - }, - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Vaikora_BaseUrl": { - "type": "string", - "defaultValue": "https://api.vaikora.com/api/v1" - }, - "VaikoraApiKey": { - "type": "securestring", - "defaultValue": "[variables('blanks')]" - }, - "VaikoraAgentId": { - "type": "string", - "defaultValue": "[variables('blanks')]" - }, - "CrowdStrike_BaseUrl": { - "type": "string", - "defaultValue": "https://api.crowdstrike.com" - }, - "CrowdStrike_ClientId": { - "type": "string", - "defaultValue": "[variables('blanks')]" - }, - "CrowdStrike_ClientSecret": { - "type": "securestring", - "defaultValue": "[variables('blanks')]" - } - }, - "triggers": { - "Recurrence": { - "type": "Recurrence", - "recurrence": { - "frequency": "Hour", - "interval": 6, - "timeZone": "UTC" - } - } - }, - "actions": { - "Get_CrowdStrike_Token": { - "type": "Http", - "runAfter": {}, 
- "inputs": { - "method": "POST", - "uri": "@{parameters('CrowdStrike_BaseUrl')}/oauth2/token", - "headers": { - "Content-Type": "application/x-www-form-urlencoded", - "User-Agent": "data443-vaikora-crowdstrike/1.0" - }, - "body": "client_id=@{parameters('CrowdStrike_ClientId')}&client_secret=@{parameters('CrowdStrike_ClientSecret')}" - } - }, - "Get_Vaikora_Actions": { - "type": "Http", - "runAfter": { - "Get_CrowdStrike_Token": [ - "Succeeded" - ] - }, - "inputs": { - "method": "GET", - "uri": "@{parameters('Vaikora_BaseUrl')}/actions?agent_id=@{parameters('VaikoraAgentId')}&per_page=100", - "headers": { - "X-API-Key": "@{parameters('VaikoraApiKey')}", - "Accept": "application/json", - "User-Agent": "data443-vaikora-crowdstrike/1.0" - } - } - }, - "Filter_High_Priority_Actions": { - "type": "Query", - "runAfter": { - "Get_Vaikora_Actions": [ - "Succeeded" - ] - }, - "inputs": { - "from": "@body('Get_Vaikora_Actions')", - "where": "@or(or(equals(item()?['risk_level'], 'high'), equals(item()?['risk_level'], 'critical')), equals(item()?['is_anomaly'], true))" - } - }, - "Check_Has_Actions": { - "type": "If", - "runAfter": { - "Filter_High_Priority_Actions": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "greater": [ - "@length(body('Filter_High_Priority_Actions'))", - 0 - ] - } - ] - }, - "actions": { - "For_Each_Action": { - "type": "Foreach", - "foreach": "@body('Filter_High_Priority_Actions')", - "runtimeConfiguration": { - "concurrency": { - "repetitions": 1 - } - }, - "actions": { - "Compose_IOC_Value": { - "type": "Compose", - "runAfter": {}, - "inputs": "@coalesce(item()?['ip_address'], item()?['target_ip'], item()?['url'], item()?['target_url'], item()?['target'], item()?['log_hash'])" - }, - "Compose_IOC_Type": { - "type": "Compose", - "runAfter": { - "Compose_IOC_Value": [ - "Succeeded" - ] - }, - "inputs": "@if(or(not(empty(item()?['ip_address'])), not(empty(item()?['target_ip']))), 'ipv4', if(or(not(empty(item()?['url'])), 
not(empty(item()?['target_url']))), 'url', 'domain'))" - }, - "Compose_CS_Severity": { - "type": "Compose", - "runAfter": {}, - "inputs": "@if(equals(item()?['risk_level'], 'critical'), 'critical', if(equals(item()?['risk_level'], 'high'), 'high', 'medium'))" - }, - "Compose_CS_Action": { - "type": "Compose", - "runAfter": {}, - "inputs": "@if(equals(item()?['risk_level'], 'critical'), 'prevent', 'detect')" - }, - "Compose_Tags": { - "type": "Compose", - "runAfter": {}, - "inputs": "@union(createArray('vaikora', 'ai-agent-security', 'data443'), if(equals(item()?['is_anomaly'], true), createArray('ai-agent-anomaly'), createArray()), if(equals(item()?['threat_detected'], true), createArray('ai-threat-detected'), createArray()))" - }, - "Post_IOC_to_CrowdStrike": { - "type": "Http", - "runAfter": { - "Compose_IOC_Value": [ - "Succeeded" - ], - "Compose_IOC_Type": [ - "Succeeded" - ], - "Compose_CS_Severity": [ - "Succeeded" - ], - "Compose_CS_Action": [ - "Succeeded" - ], - "Compose_Tags": [ - "Succeeded" - ] - }, - "inputs": { - "method": "POST", - "uri": "@{parameters('CrowdStrike_BaseUrl')}/iocs/entities/indicators/v1?ignore_warnings=true", - "headers": { - "Content-Type": "application/json", - "Authorization": "@{concat('Bearer ', body('Get_CrowdStrike_Token')?['access_token'])}", - "User-Agent": "data443-vaikora-crowdstrike/1.0" - }, - "body": { - "indicators": [ - { - "type": "@{outputs('Compose_IOC_Type')}", - "value": "@{outputs('Compose_IOC_Value')}", - "action": "@{outputs('Compose_CS_Action')}", - "severity": "@{outputs('Compose_CS_Severity')}", - "source": "Vaikora AI Agent Security (Data443)", - "description": "Vaikora AI Signal | Agent: @{item()?['agent_id']} | Type: @{item()?['action_type']} | Risk: @{item()?['risk_level']} (@{item()?['risk_score']}) | Anomaly: @{item()?['is_anomaly']} (@{item()?['anomaly_score']}) | Threat: @{item()?['threat_detected']} (@{item()?['threat_score']}) | Policy: @{item()?['policy_decision']} | @{item()?['timestamp']}", - 
"expiration": "@{addDays(utcNow(), 30)}", - "platforms": [ - "windows", - "mac", - "linux" - ], - "tags": "@outputs('Compose_Tags')", - "applied_globally": true, - "external_id": "@{concat('vaikora-', item()?['id'])}" - } - ] - } - } - } - } - } - }, - "else": { - "actions": {} - } - } - } - } - }, - "tags": { - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Vaikora-CrowdStrike-AIAgentSecurity", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[variables('_email')]" - }, - "support": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "support@data443.com", - "tier": "Partner", - "link": "https://www.data443.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId1')]", - "contentKind": "Playbook", - "displayName": "Playbooks", - "contentProductId": "[variables('_playbookcontentProductId1')]", - "id": "[variables('_playbookcontentProductId1')]", - "version": "[variables('playbookVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", - "apiVersion": "2023-04-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "3.0.0", - "kind": "Solution", - "contentSchemaVersion": 
"3.0.0", - "displayName": "Vaikora-CrowdStrike-AIAgentSecurity", - "publisherDisplayName": "Data443 Risk Mitigation, Inc.", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

\u2022 Review the solution Release Notes

\n

\u2022 There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Vaikora CrowdStrike AI Agent Security solution polls Vaikora AI agent signals (high/critical risk actions and anomaly detections) and pushes them as Custom IOCs to CrowdStrike Falcon for detection and prevention.

\n

Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", - "contentKind": "Solution", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "Vaikora-CrowdStrike-AIAgentSecurity", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[variables('_email')]" - }, - "support": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "support@data443.com", - "tier": "Partner", - "link": "https://www.data443.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "Playbook", - "contentId": "[variables('_Playbooks')]", - "version": "[variables('playbookVersion1')]" - } - ] - }, - "firstPublishDate": "2026-04-02", - "providers": [ - "Data443 Risk Mitigation, Inc.", - "Vaikora" - ], - "categories": { - "domains": [ - "Security - Threat Intelligence" - ] - } - }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" - } - ], - "outputs": {} -} From f467a23e1cc4a88bd197f424da5607670f8a3577 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:20 -0400 Subject: [PATCH 23/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../VaikoraToCrowdStrike_Playbook.json | 275 ------------------ 1 file changed, 275 deletions(-) delete mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/VaikoraToCrowdStrike_Playbook.json 
diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/VaikoraToCrowdStrike_Playbook.json b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/VaikoraToCrowdStrike_Playbook.json
deleted file mode 100644
index f2e425dfe97..00000000000
--- a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/VaikoraToCrowdStrike_Playbook.json
+++ /dev/null
@@ -1,275 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "logicAppName": {
- "type": "string",
- "defaultValue": "pb-vaikora-to-crowdstrike"
- },
- "location": {
- "type": "string",
- "defaultValue": "[resourceGroup().location]"
- },
- "VaikoraApiKey": {
- "type": "securestring",
- "defaultValue": "",
- "metadata": {
- "description": "Vaikora API key (X-API-Key header)"
- }
- },
- "VaikoraAgentId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Vaikora agent_id to poll for AI signal actions"
- }
- },
- "CrowdStrike_ClientId": {
- "type": "securestring",
- "defaultValue": "",
- "metadata": {
- "description": "CrowdStrike OAuth2 Client ID"
- }
- },
- "CrowdStrike_ClientSecret": {
- "type": "securestring",
- "defaultValue": "",
- "metadata": {
- "description": "CrowdStrike OAuth2 Client Secret"
- }
- },
- "CrowdStrike_BaseUrl": {
- "type": "string",
- "defaultValue": "https://api.crowdstrike.com",
- "metadata": {
- "description": "CrowdStrike API Base URL (e.g. https://api.crowdstrike.com or https://api.us-2.crowdstrike.com)"
- }
- }
- },
- "resources": [
- {
- "type": "Microsoft.Logic/workflows",
- "apiVersion": "2019-05-01",
- "name": "[parameters('logicAppName')]",
- "location": "[parameters('location')]",
- "properties": {
- "state": "Enabled",
- "parameters": {
- "VaikoraApiKey": {
- "value": "[parameters('VaikoraApiKey')]"
- },
- "VaikoraAgentId": {
- "value": "[parameters('VaikoraAgentId')]"
- },
- "CrowdStrike_ClientId": {
- "value": "[parameters('CrowdStrike_ClientId')]"
- },
- "CrowdStrike_ClientSecret": {
- "value": "[parameters('CrowdStrike_ClientSecret')]"
- },
- "CrowdStrike_BaseUrl": {
- "value": "[parameters('CrowdStrike_BaseUrl')]"
- }
- },
- "definition": {
- "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "Vaikora_BaseUrl": {
- "type": "string",
- "defaultValue": "https://api.vaikora.com/api/v1"
- },
- "VaikoraApiKey": {
- "type": "securestring",
- "defaultValue": ""
- },
- "VaikoraAgentId": {
- "type": "string",
- "defaultValue": ""
- },
- "CrowdStrike_BaseUrl": {
- "type": "string",
- "defaultValue": "https://api.crowdstrike.com"
- },
- "CrowdStrike_ClientId": {
- "type": "string",
- "defaultValue": ""
- },
- "CrowdStrike_ClientSecret": {
- "type": "securestring",
- "defaultValue": ""
- }
- },
- "triggers": {
- "Recurrence": {
- "type": "Recurrence",
- "recurrence": {
- "frequency": "Hour",
- "interval": 6,
- "timeZone": "UTC"
- }
- }
- },
- "actions": {
- "Get_CrowdStrike_Token": {
- "type": "Http",
- "runAfter": {},
- "inputs": {
- "method": "POST",
- "uri": "@{parameters('CrowdStrike_BaseUrl')}/oauth2/token",
- "headers": {
- "Content-Type": "application/x-www-form-urlencoded",
- "User-Agent": "data443-vaikora-crowdstrike/1.0"
- },
- "body": "client_id=@{parameters('CrowdStrike_ClientId')}&client_secret=@{parameters('CrowdStrike_ClientSecret')}"
- }
- },
- "Get_Vaikora_Actions": {
- "type": "Http",
- "runAfter": {
- "Get_CrowdStrike_Token": [
- "Succeeded"
- ]
- },
- "inputs": {
- "method": "GET",
- "uri": "@{parameters('Vaikora_BaseUrl')}/actions?agent_id=@{parameters('VaikoraAgentId')}&per_page=100",
- "headers": {
- "X-API-Key": "@{parameters('VaikoraApiKey')}",
- "Accept": "application/json",
- "User-Agent": "data443-vaikora-crowdstrike/1.0"
- }
- }
- },
- "Filter_High_Priority_Actions": {
- "type": "Query",
- "runAfter": {
- "Get_Vaikora_Actions": [
- "Succeeded"
- ]
- },
- "inputs": {
- "from": "@body('Get_Vaikora_Actions')",
- "where": "@or(or(equals(item()?['risk_level'], 'high'), equals(item()?['risk_level'], 'critical')), equals(item()?['is_anomaly'], true))"
- }
- },
- "Check_Has_Actions": {
- "type": "If",
- "runAfter": {
- "Filter_High_Priority_Actions": [
- "Succeeded"
- ]
- },
- "expression": {
- "and": [
- {
- "greater": [
- "@length(body('Filter_High_Priority_Actions'))",
- 0
- ]
- }
- ]
- },
- "actions": {
- "For_Each_Action": {
- "type": "Foreach",
- "foreach": "@body('Filter_High_Priority_Actions')",
- "runtimeConfiguration": {
- "concurrency": {
- "repetitions": 1
- }
- },
- "actions": {
- "Compose_IOC_Value": {
- "type": "Compose",
- "runAfter": {},
- "inputs": "@coalesce(item()?['ip_address'], item()?['target_ip'], item()?['url'], item()?['target_url'], item()?['target'], item()?['log_hash'])"
- },
- "Compose_IOC_Type": {
- "type": "Compose",
- "runAfter": {
- "Compose_IOC_Value": [
- "Succeeded"
- ]
- },
- "inputs": "@if(or(not(empty(item()?['ip_address'])), not(empty(item()?['target_ip']))), 'ipv4', if(or(not(empty(item()?['url'])), not(empty(item()?['target_url']))), 'url', 'domain'))"
- },
- "Compose_CS_Severity": {
- "type": "Compose",
- "runAfter": {},
- "inputs": "@if(equals(item()?['risk_level'], 'critical'), 'critical', if(equals(item()?['risk_level'], 'high'), 'high', 'medium'))"
- },
- "Compose_CS_Action": {
- "type": "Compose",
- "runAfter": {},
- "inputs": "@if(equals(item()?['risk_level'], 'critical'), 'prevent', 'detect')"
- },
- "Compose_Tags": {
- "type": "Compose",
- "runAfter": {},
- "inputs": "@union(createArray('vaikora', 'ai-agent-security', 'data443'), if(equals(item()?['is_anomaly'], true), createArray('ai-agent-anomaly'), createArray()), if(equals(item()?['threat_detected'], true), createArray('ai-threat-detected'), createArray()))"
- },
- "Post_IOC_to_CrowdStrike": {
- "type": "Http",
- "runAfter": {
- "Compose_IOC_Value": [
- "Succeeded"
- ],
- "Compose_IOC_Type": [
- "Succeeded"
- ],
- "Compose_CS_Severity": [
- "Succeeded"
- ],
- "Compose_CS_Action": [
- "Succeeded"
- ],
- "Compose_Tags": [
- "Succeeded"
- ]
- },
- "inputs": {
- "method": "POST",
- "uri": "@{parameters('CrowdStrike_BaseUrl')}/iocs/entities/indicators/v1?ignore_warnings=true",
- "headers": {
- "Content-Type": "application/json",
- "Authorization": "@{concat('Bearer ', body('Get_CrowdStrike_Token')?['access_token'])}",
- "User-Agent": "data443-vaikora-crowdstrike/1.0"
- },
- "body": {
- "indicators": [
- {
- "type": "@{outputs('Compose_IOC_Type')}",
- "value": "@{outputs('Compose_IOC_Value')}",
- "action": "@{outputs('Compose_CS_Action')}",
- "severity": "@{outputs('Compose_CS_Severity')}",
- "source": "Vaikora AI Agent Security (Data443)",
- "description": "Vaikora AI Signal | Agent: @{item()?['agent_id']} | Type: @{item()?['action_type']} | Risk: @{item()?['risk_level']} (@{item()?['risk_score']}) | Anomaly: @{item()?['is_anomaly']} (@{item()?['anomaly_score']}) | Threat: @{item()?['threat_detected']} (@{item()?['threat_score']}) | Policy: @{item()?['policy_decision']} | @{item()?['timestamp']}",
- "expiration": "@{addDays(utcNow(), 30)}",
- "platforms": [
- "windows",
- "mac",
- "linux"
- ],
- "tags": "@outputs('Compose_Tags')",
- "applied_globally": true,
- "external_id": "@{concat('vaikora-', item()?['id'])}"
- }
- ]
- }
- }
- }
- }
- }
- },
- "else": {
- "actions": {}
- }
- }
- },
- "outputs": {}
- }
- }
- }
- ]
-}
From d3c587ed8008f2952d57ec7ad520cabc9c10f00a Mon Sep 17 00:00:00 2001
From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com>
Date: Mon, 6 Apr 2026 06:46:21 -0400
Subject: [PATCH 24/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../README.md | 90 -------------------
 1 file changed, 90 deletions(-)
 delete mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/README.md
diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/README.md b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/README.md
deleted file mode 100644
index 5c0ed071791..00000000000
--- a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/README.md
+++ /dev/null
@@ -1,90 +0,0 @@ -# Vaikora CrowdStrike AI Agent Security - -**Publisher:** Data443 Risk Mitigation, Inc. -**Solution ID:** azure-sentinel-solution-vaikora-crowdstrike -**Version:** 1.0.0 - -## What This Does - -A Microsoft Sentinel Content Hub solution that polls Vaikora for AI agent signals and pushes high-risk actions into CrowdStrike Falcon as Custom IOCs. The Logic App playbook runs every 6 hours, filters to actions where `risk_level` is high or critical, or where `is_anomaly` is true, then calls the CrowdStrike Custom IOC API to create or update indicators. - -## Signal Mapping - -| Vaikora `risk_level` | CrowdStrike `severity` | CrowdStrike `action` | -|----------------------|------------------------|----------------------| -| critical | critical | prevent | -| high | high | detect | -| medium / low | medium | detect | - -Tags added automatically: -- `vaikora`, `ai-agent-security`, `data443` (always) -- `ai-agent-anomaly` — when `is_anomaly` is true -- `ai-threat-detected` — when `threat_detected` is true - -IOC type is resolved from action fields in order: `ip_address` / `target_ip` → `ipv4`, `url` / `target_url` → `url`, fallback → `domain`. - -Each IOC sets `external_id` to `vaikora-{action_id}` for deduplication. - -## Prerequisites - -- Microsoft Sentinel workspace -- Vaikora account with API key and agent ID -- CrowdStrike Falcon API client with **Indicators (IOCs): Write** permission - -## Files - -``` -Playbooks/VaikoraToCrowdStrike_Playbook.json Standalone ARM template for the Logic App -Data/Solution_VaikoraCrowdStrike.json Solution manifest -Package/mainTemplate.json Content Hub deployment template -Package/createUiDefinition.json Deployment wizard UI definition -SolutionMetadata.json Publisher and category metadata -ReleaseNotes.md Change history -``` - -## Deployment - -### Via Content Hub (recommended) - -Install from Microsoft Sentinel Content Hub. Search for "Vaikora CrowdStrike". 
- -### Via ARM template (standalone) - -```bash -az deployment group create \ - --resource-group \ - --template-file Playbooks/VaikoraToCrowdStrike_Playbook.json \ - --parameters \ - VaikoraApiKey="" \ - VaikoraAgentId="" \ - CrowdStrike_ClientId="" \ - CrowdStrike_ClientSecret="" -``` - -### Via Content Hub package - -```bash -az deployment group create \ - --resource-group \ - --template-file Package/mainTemplate.json \ - --parameters \ - workspace="" \ - VaikoraApiKey="" \ - VaikoraAgentId="" \ - CrowdStrike_ClientId="" \ - CrowdStrike_ClientSecret="" -``` - -## Configuration Parameters - -| Parameter | Type | Default | Description | -|-----------|------|---------|-------------| -| `VaikoraApiKey` | securestring | — | Vaikora API key (X-API-Key header) | -| `VaikoraAgentId` | string | — | Agent ID to poll | -| `CrowdStrike_BaseUrl` | string | https://api.crowdstrike.com | Falcon API base URL | -| `CrowdStrike_ClientId` | securestring | — | OAuth2 client ID | -| `CrowdStrike_ClientSecret` | securestring | — | OAuth2 client secret | - -## Support - -support@data443.com — https://www.data443.com From d2c203c4bf518c1f5816f61f4cb51a8f44e6a120 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:21 -0400 Subject: [PATCH 25/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Vaikora-CrowdStrike-ThreatIntelligence/ReleaseNotes.md | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/ReleaseNotes.md diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/ReleaseNotes.md b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/ReleaseNotes.md deleted file mode 100644 index 496a2a4c095..00000000000 --- a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/ReleaseNotes.md +++ /dev/null 
@@ -1,3 +0,0 @@ -**Version** | **Date Modified (DD-MM-YYYY)**| **ChangeHistory** -|------------|-------------------------------|-------------------------------------------------------------------------------------------| -| 1.0.0 | 02-04-2026 | Initial release. Polls Vaikora AI agent signals every 6 hours and pushes high/critical risk actions and anomaly detections as Custom IOCs to CrowdStrike Falcon. Severity mapping: critical→prevent, high→detect, medium/low→detect. Dynamic IOC type detection (ipv4/url/domain). Conditional tags: ai-agent-anomaly, ai-threat-detected. externalId set to vaikora-{action_id} for deduplication. | From 94c42e3fd73dc2bb5754f9987f8cedc68df30388 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:22 -0400 Subject: [PATCH 26/38] =?UTF-8?q?fix:=20remove=20stray=20solutions=20?= =?UTF-8?q?=E2=80=94=20keep=20only=20Vaikora-Sentinel?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../SolutionMetadata.json | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 Solutions/Vaikora-CrowdStrike-ThreatIntelligence/SolutionMetadata.json diff --git a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/SolutionMetadata.json b/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/SolutionMetadata.json deleted file mode 100644 index 34d6c8b48ab..00000000000 --- a/Solutions/Vaikora-CrowdStrike-ThreatIntelligence/SolutionMetadata.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "publisherId": "data443riskmitigationinc1761580347231", - "offerId": "vaikora-crowdstrike-connector", - "firstPublishDate": "2026-04-02", - "providers": [ - "Data443 Risk Mitigation, Inc.", - "Vaikora" - ], - "categories": { - "domains": [ - "Security - Threat Intelligence" - ], - "verticals": [] - }, - "support": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "support@data443.com", - "tier": "Partner", - "link": "https://www.data443.com" - } -} \ No newline at end of file From 7d3db5f20e7df3c8941e50140a863575480afaf0 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:23 -0400 Subject: [PATCH 27/38] fix: bump version to 3.0.0 --- Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json b/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json index ff7d285ced7..78b3483bf2b 100644 --- a/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json +++ b/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json @@ -17,7 +17,7 @@ "WorkbookDescription": "This workbook provides visualization and monitoring for Vaikora AI agent behavioral signals including action timelines, severity breakdowns, anomaly detection, and policy violations.", "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\VaikoraSentinel", - "Version": "1.0.0", + "Version": "3.0.0", "TemplateSpec": true, "Is1Pconnector": false } From 7d663af243392197c22e15749fba8d3073d1e449 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:24 -0400 Subject: [PATCH 28/38] fix: bump version to 3.0.0 --- Solutions/Vaikora-Sentinel/ReleaseNotes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Solutions/Vaikora-Sentinel/ReleaseNotes.md b/Solutions/Vaikora-Sentinel/ReleaseNotes.md index 4d0c3dae92f..da0ffabe334 100644 --- a/Solutions/Vaikora-Sentinel/ReleaseNotes.md +++ b/Solutions/Vaikora-Sentinel/ReleaseNotes.md @@ -1,3 +1,3 @@ | Version | Date | Comments | |---------|------|----------| -| 1.0.0 | 2026-04-03 | Initial release — REST API poller connector, custom Vaikora_AgentSignals_CL table, 3 analytic rules (High Risk Action, Behavioral Anomaly, Policy Violation), and AI agent signals dashboard workbook. | +| 3.0.0 | 2026-04-03 | Initial release — REST API poller connector, custom Vaikora_AgentSignals_CL table, 3 analytic rules (High Risk Action, Behavioral Anomaly, Policy Violation), and AI agent signals dashboard workbook. | From 13d0706afed15640993d39782d2d4631f12ca1a3 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:51 -0400 Subject: [PATCH 29/38] fix: remove stray Vaikora-SentinelOne from Vaikora-Sentinel PR --- .../Data/Solution_VaikoraSentinelOne.json | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/Data/Solution_VaikoraSentinelOne.json diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Data/Solution_VaikoraSentinelOne.json b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Data/Solution_VaikoraSentinelOne.json deleted file mode 100644 index 2f9ea3fbf30..00000000000 --- a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Data/Solution_VaikoraSentinelOne.json +++ /dev/null 
@@ -1,14 +0,0 @@ -{ - "Name": "Vaikora-SentinelOne-ThreatIntelligence", - "Author": "Data443 Risk Mitigation, Inc. - support@data443.com", - "Logo": "", - "Description": "The Vaikora SentinelOne Threat Intelligence solution polls the Vaikora AI Agent Security API for high-severity and anomaly actions and pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.", - "Playbooks": [ - "Playbooks/VaikoraToSentinelOne_Playbook.json" - ], - "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-SentinelOne-ThreatIntelligence", - "Version": "1.0.0", - "Metadata": "SolutionMetadata.json", - "TemplateSpec": true, - "Is1Pconnector": false -} From 42d60cd45de0a33c4c226d36ac9f5f4e91545942 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:51 -0400 Subject: [PATCH 30/38] fix: remove stray Vaikora-SentinelOne from Vaikora-Sentinel PR --- .../Package/3.0.0.zip | Bin 6497 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/3.0.0.zip 
diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/3.0.0.zip b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/3.0.0.zip deleted file mode 100644 index a64f7e6151991825ed78868328040e041ec0e767..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6497 zcmZ`;Wl$W9lEhsXNN{%vzBs|%-GaNb5F8d3*WeJ`3GNUec(BEFaVJQSKybb9y{o#q zs=GJyqid$7tLA4{w}vtz5+NKM92%UMewfLb^2x+GE*u=D9vmG0KU)_I2Ui^%7k6h1 zFPjgJo^GxiCT~7#ZTN3uVC4KZfw2q2lmmLTwan7X-ImL0vaYsySI=j{tZ@1X!hXC` z3W1xq9z?VdYV_dbQ{RmiF#&pysII}Cb5H6%&M$Z;FX;i8O+ULYG~ANu@!woUr_SRu z1b=!q(Od8g^j2___&HbRUtZoW?XT@DrS2?QpQbXK3lwj#7|Ow`jUH{~Mu3l9FkUG! z34E{FVuWmpj%;~W0dM1!oQja3-00WdKK}K7hbHqz`|qfC1)_fOi7dS`ALqlTJP<^I zv%yCRGkBMLu?D$6uA052#K&}QI|&gy`hSHZR~Aag0B|P_;)92-Q-*wf5hm>wAcIL* z>hHPx$HdXdk-XHTzFdcF)DrRyaHCjACYUUQ_-WC4qMkDd;Ny2+(U~vE$xhPY}DZnwYb1;GX-GYn%&Z)Xx3>eqJGFK41ip2HJHi zj^mT0p%K5-9MA|Ck{2|^N!&kN_^%PHEiJf6D1-1EJD&V)Of*7{Uj)LBml7= zC4dC=6ER>y#7&#;Q{&cO|FSd!{7L2PdU)x$N= z`nXTy?@VUZ?6wPLRtmu?zvkqLq0b~9XFz`iK~l&x{tnteRJf&)#&-%l_2=r|uOiUG z`hq(F;FNJ%+vi$XFW$#XF84srdS5h6-{tia_Dz^}hy>5~f;QK1-bUN{Vu+ znRV_em$DKyElB9uC|V7VNJ9JxQ&>@wW}ByOxjA~mXgy&e7Jlx=OYEt}D{qZsFEbJ! 
zGriAPxUCfKlvB?fj#Tr{RPuwHZ|=vM&qh+Q;;?S;aQNeP(gBmC>#^j9AKQi>2$auC z;I>S-yjgangNr(dDAy(?5aVF7A<~OHkv|b;eP()(+=@@XEOKf6gzBZnHhP7@NQzhQ zm|QQ{&zyy-Imkiw!g;T^FOplOk@)mDCke8**~q8aVIMf2t10YTd;$3C_pqN+Bi`@$ zg_?RBSEvqoa-+@VQ*&OD<{xNx_FiqtZn!WaUncoV3$%zBP&3wX=0mqLjv`@=+)6`o z%5+;6GM2}Kf?TxOB&Q{9J?gTL=%+Pj-{*O zBO3`_pFospJU`A8%Ja>l+wv6QmZQIZu&{TgaVtokE{w+$D$qmpS#|(w45mR0*6;*d z4lOPKN~Wf~1D4O8x>t%AqjO%9m|Y?wI7ygZHg*39VV=i%w#_n>6a#nO87>Ct6$_QU9u2y4^-qd?PJ1I9;DW}mC zOCYGjqw5%x5>3TcXZ!Wk85PFkx@2iMc{1f7O;_X46|jH1NS&#XvR~ISDigF>I<0P~ zx6^Jmnw4>6OuRMCoa>0nL@|4IWjlfODgDi5A|XHRMweCZQJz3qE;DK=qFg+M{wQMp zE)}|3l&;+@)!TYhVmw0fpd{vlggp7ul~uzb8+3C1A$+&7hk-QZ7e@Jv$;tk=bx#FG z5Er(?F}6n0P^_-HsbJ<{sV?prR=c;1SSg*|hlmnNo)o^`tr|YJyrhQ(yx_%OBxi7a zKu7px`z}c!aV1D`6{BuMp8&SK_+9gmdXC5*7V9j(==`a5cyg7&1zp6a;kOuChm!O6 zu+ra{i=@CeEa`3|uYf}Q3-TPv$cG=?D&&}h!&gDdsAV-vt+7L&1f{wRRm96?R8(#@ zjr;go*^9U%?un&OLfS;ICjp)GZ!LP^IRB5 zm)}H|S)?(l1~y5#^wax4UrsutO3r7+>ecrMntJPK%bT$WC8n=#S>fN6FM#21FtMor z7NG}CX5br$do}T(DgSvOgPU_eQZZF&YkMSXSGD|rcAN98&(G^*_*D&iyQxyZ97#J@ zCT1H_!mPn&X_efObG+#Zz%9#&;DJg!747965`zNsqLv=)YcH0<>#6MFY_obINPYaJ z>Y@!A@+pVsH0x|Na=l5ZI&9jf1wKNIxL);Ok30ydk;DRP zPR~{Kozsa{-*paZ^Pg7_Eq&_9Onr6L3sadpaYBnxa`HYOAoY5H?%du$d^6|XD%`{e z1CRJHZ|!{Y5Em=&{)nrK%frq11$ES}?##F)*N>&k$nzAp{z>96i)kXAPr_aJkicG; zS(A>e`m$>O_J@CUUb~!o%C47WREl(M;j7m3$q&~&czeXMrdg-P@!0*<_Q`d%WTUoI zyua36qURJ8`FzOYE04ipX2xzC17Dr}E0P$6L=_AOdW|wQA<>4jvIk!$S}2T^>=q2m z2W8R;DN;4rs>_cVgE^KYR&WMfjUtEik%zWtPv9+Yg02)@3)XRic0}35lbxQ9kROwJ zM>q8^nr(Y-(O&5E8obBya8i2=dyRE{P(BO6f)RDJ0Ba$z1xWgr?9)*W#*RF?!l zil)I|68Y6JEpx55&BYci@xwcK8nNjk(S&iP5XWyayOZxYL~I7KWax`ly;5%m6-rn? 
zp~wS8E#d5G?oYGo`#eskI`OqAT7ExlAle!~QYxFVc<_l*HPj!U%5zMdSTizu!d@IbXpw~gN9W2&FvExS!XJI_ z8y>tuAEek}4otIT+Wqn>BHhfK?-AnEt;xT}R&IXWvNwe1L@O^D99!Ess}R{ZZlYiX z^0>k^Zmj&GIhf?U@WEB<)P_V-05d?L$##;O|{cCVa z`8Tfl4hK;?n7N6#@7M;(stsaY*6rJ29}(2JJE^+3h>_Amb^&b{Kf+Br2*ST|JW}#E zDBWGSi9uEDk*LhD!b0>gaDvM6YP3PO;mjqr&yBQDcKtf+5-8TaB5XY4SlQ^BNE7c9 zr0fjsPO968#(4G4plsrQXSjO;D^FiYr!`Mpi#hNSytk)$vmn2d!E~cOON?M( z=tp%JBbarxphor8AnD_#%-Zg@ChW(m$w#~1+x4~K19gouk@HRglm@<8w3SB1GtK$W zF&0rAoq5xKUpLljb9~#|hiEuQggB*>-F|gv@@D+fC>#xf|1}nZSok5gsW~x4sV%}2 zoMG)E@<~$TpTEAhw#`VUbMvhIC2yH3iBqG@J9*M?@te)3gQCqQLKP7|@~aB}i+NQ? zHDtZ%;e3(ko4Oz-o16Gh#_Ifof=-;j$^ar{wSC*I$g`I+_eQ0bnbMDosB!t~9p)uO zAE-9kR|s(>yO1i$(K*MYVNBg1+zPe~v8Fslp=mKn_a!C}Ola%JImD6FZ-prPQ!;A1yuQ@1pHJ*GO_Ig36?slrI^tQJc!2 zQOAs@NA7J5PqZKUOBs6LKU3`PDvKIjHHxo(BihTP>B3<-WZ9XC`ysVbc7%j}G02w& zB(Na;#KIi4mb6Ur=X3A5#nO<;vMWA10XuW;=kkAKvq_OR9^$0K~&i0q7& z7Q9ZbQb;yQn?dyvKo;4~g@8dxI^FyS(UXPWOa@AgwPu_e!1vj1XhZB4PwOmo8F20> zUT6`bJUJ+(*D4?@dv#zk40NctS>;N75DE~><^rK2jnEij%JV1||BQ8ZyRQ-Z1CvurM|5 zYJXf=6n!s$v2T!gmr1J|kGq_E*(fD94_7Dm?D$#~RaaTSUf64=UNY_8K~4LX^*eLJ zU4mnnnUE!qIk&Kv*Hf_)7*?vB~Y+!Z%_B##z~R}NntBA zYc`8Xo&>a_&16K=ajsy{{wd3Xlp+JGF&6QgUn-`b>$Lw-@Ra4q{k=+HSlJ_KjosYN zOnR}u>lwd2FlnBBa^1zI{HB_}*sjvuqvQAOEErDXf6M`+9*7A|{6g$!G&neU3OKm; z|Cj?-Ae(<|0bK_f8(Rlg2QLRV*MD0C2L>0QH6Y+EzoPGtFddXh%ezj%=g?tQ^Hil; z=1H|GLWAjWhRqFEbk9mmNA{^kA#qLeD!KK&<`rg@aZs
I?Jvzw-TDOW3 zYen8F=IH?#vi9{S(pTfFQ}s=SI3@RYytFOfV0-|Rt1=9x$kxHa(ry|l1Txh%fNt<) zV;_sA1R@gE4$>5DKF4v@D>jo(PX$#&^p11PS9-c9i%^DyQfUl3?&Rdcj;ior*?FQA zT7T~P4cb4#CYtGlaZ&*I-8An6@7TtoX8~WtC_Xx8EK>yJk&BM+rtZNUBlCpoEF(;T zLkEJx7~qEkvpV8ujDtzX^CJEPU4*OGTiElvV8-w|fbQF?fBs~1cQ@EW7U%AEhJ?-l zKtGy-Rw}54E~z|4Y&P#4@y>b-S&}amgSTA$+GotL=uAW=8}=6bikwGQ&?a6S=c#qI zRJ>p2Hp!{F|taRd0-k(REvK7qfA+?f?05<}&YNDJraXxD@XtL7yo_rC^bSpYK9i38yq>tQuNfb2A}->WWGlwgwMRd;zoL4i z*auiQLvZ39slLZ()UZp&^ilK(EhKgm!U#mB}~BE-qGJAY%# z#};3fad)Rh+@2kVSTLpDwZ0|-9aB?*!;24OYBIuO$N1(^+clqKJb@)fes1Lf^C>*o zZuX51xuqg#3+%IP5<_I*eEo7dE0L5LdAe^Vnf%ncDjap6YOv-o3X+}60KEsoU}DF= zktHuXWw5IYaA8zcey+lIIsJ<@{boHJ1c~aO(TF=q*geLf)Dgoap{X~x9BFRuYGIB% zzL$Y-55Wy@cjj;AaI3EJUM(WtzoR0~qAOTbct#+HBO&x3xCb!@_&&R#>|@~orglNg zepV0&*GcADOd!^-CAOy%l-N>uNz_V>RM3$6BPVt#04`MNHUlkY%L2s$Xrb(Jp2>2Q zIkb(tivE!}QXo4poVAn2|B`=B8ebu)XP2o@Q)i2MQ@XGEq(i{oLD)D_jld+F0fMR}6p~KjMh7>Y9fFbiK2t z6G=t*K}?ml9d9K^#4gCJNK1_sq8D%e8gW0f>}_{3I?)9OW`uvFKQ=b0x^1<}7us0j z_v?38vDG1|eo7B(nM;BVjpEQc8&WZYsynG$n>TGGo&gg3odIEo3=`fo3cT|O&d7^a z`uv^gshRv}lEERiO6}S>+Q4!A2t+I5RS8=l-AZMMi~M_4bh}j0ho-$5KYkpVx5?xE zz-V7F@^Jg6@RlupaLz3D`B#LfMj)fm9vN|aES9ib$x)47OBF~So`5~5N6aF^-+r?Y z%`V%|dY&Grl&Sn_9S$Tk$|uf?3I9io^^WYCV&d6!e8Xp|{+-@d4$5{+ZK1dWDKY%o zq3bOFpiNXgP1yIY94@SshQx*JTw%_16o#N(mcj zui#!oXhR|J8p^Jre}1y2d33HBT(5_nCGe^U#Pxn6$p92G29LRQ`5361@laizB+@Oi z6Rd&G@;}V+9!_ccg?IX_{qo^(_ek}+pk1D|YMueDRzVqUN4wGO=`tet%QIsWK; zre^`W+E{iFzd%S6Z~d6u&83(MC2IS$HD33=q7Ch04A13>@AU_CJ&#fqgSbHLOIJ9z z;Vy)Q*VX=!qhEy9xN+XaIBHTxf7SGbuV@XbC#kou=X5oXj3cfBp}GqLn;>U`UoAx% z-5hg+R7=Cd=U|Ry^9U#%j^eDS!V_0WcCr|8!QsV7m|XC-Yxqh)p;E?Y_*)W%B>Wb( z6_-Kvujo^IeT&NMW5)gY>=f(z00lP*Qpje0fha9oFtcW-1sT6{vig8-v@>cHFa#I! za)?^wvcmNiPNF%8*AH?|YP|tkYVhnn3>TKz+854Yp+ZjB2KiG1h z-H}fode%Nkr(WomSK$5SGmz*OUA5}fMnJHfyyqVa7MK80lw6jmKUO4H7Ys^YR^PP+ z#a7c`YB>7)Tbn*>v?jk`D34P|7Me;p$H)8YT% J2=TwB{{n#(TsHs! From a24eae6b1c1d626bde0a37a2536749fad36ffc45 Mon Sep 17 00:00:00 2001 
From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:52 -0400 Subject: [PATCH 31/38] fix: remove stray Vaikora-SentinelOne from Vaikora-Sentinel PR --- .../Package/createUiDefinition.json | 165 ------------------ 1 file changed, 165 deletions(-) delete mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/createUiDefinition.json diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/createUiDefinition.json b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/createUiDefinition.json deleted file mode 100644 index ec6937a12f1..00000000000 --- a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/createUiDefinition.json +++ /dev/null 
@@ -1,165 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", - "handler": "Microsoft.Azure.CreateUIDef", - "version": "0.1.2-preview", - "parameters": { - "config": { - "isWizard": false, - "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vaikora-SentinelOne-ThreatIntelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Vaikora SentinelOne Threat Intelligence solution polls the Vaikora AI Agent Security API for high-severity and anomaly agent actions, then pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", - "subscription": { - "resourceProviders": [ - "Microsoft.OperationsManagement/solutions", - "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "Microsoft.Insights/workbooks", - "Microsoft.Logic/workflows" - ] - }, - "location": { - "metadata": { - "hidden": "Hiding location, we get it from the log analytics workspace" - }, - "visible": false - }, - "resourceGroup": { - "allowExisting": true - } - } - }, - "basics": [ - { - "name": "getLAWorkspace", - "type": "Microsoft.Solutions.ArmApiControl", - "toolTip": "This filters by workspaces that exist in the Resource Group selected", - "condition": "[greater(length(resourceGroup().name),0)]", - "request": { - "method": "GET", - "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" - } - }, - { - "name": "workspace", - "type": "Microsoft.Common.DropDown", - "label": 
"Workspace", - "placeholder": "Select a workspace", - "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", - "constraints": { - "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", - "required": true - }, - "visible": true - } - ], - "steps": [ - { - "name": "playbooks", - "label": "Playbooks", - "subLabel": { - "preValidation": "Configure the playbooks", - "postValidation": "Done" - }, - "bladeTitle": "Playbooks", - "elements": [ - { - "name": "playbooks-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." 
- } - }, - { - "name": "playbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - }, - { - "name": "VaikoraApiKey", - "type": "Microsoft.Common.PasswordBox", - "label": { - "password": "Vaikora API Key", - "confirmPassword": "Confirm Vaikora API Key" - }, - "toolTip": "The Vaikora API Key used for X-API-Key authentication when polling agent actions.", - "constraints": { - "required": true - }, - "options": { - "hideConfirmation": true - }, - "visible": true - }, - { - "name": "VaikoraAgentId", - "type": "Microsoft.Common.TextBox", - "label": "Vaikora Agent ID", - "defaultValue": "", - "toolTip": "The Vaikora Agent ID to poll for security actions.", - "constraints": { - "required": true, - "regex": "^[a-zA-Z0-9_-]+$", - "validationMessage": "Agent ID must contain only alphanumeric characters, hyphens, or underscores." - }, - "visible": true - }, - { - "name": "SentinelOne_BaseUrl", - "type": "Microsoft.Common.TextBox", - "label": "SentinelOne Console URL", - "defaultValue": "", - "toolTip": "Your SentinelOne console URL (e.g. https://usea1-021.sentinelone.net). Log in to SentinelOne and copy the URL from your browser address bar.", - "constraints": { - "required": true, - "regex": "^https://.*sentinelone\\.net$", - "validationMessage": "Enter the full SentinelOne console URL (e.g. https://usea1-021.sentinelone.net)." 
- }, - "visible": true - }, - { - "name": "SentinelOne_ApiToken", - "type": "Microsoft.Common.PasswordBox", - "label": { - "password": "SentinelOne API Token", - "confirmPassword": "Confirm SentinelOne API Token" - }, - "toolTip": "SentinelOne API Token for authenticating IOC push requests.", - "constraints": { - "required": true - }, - "options": { - "hideConfirmation": true - }, - "visible": true - }, - { - "name": "SentinelOne_AccountId", - "type": "Microsoft.Common.TextBox", - "label": "SentinelOne Account ID", - "defaultValue": "", - "toolTip": "SentinelOne Account ID. Required for all IOC push requests (filter.accountIds).", - "constraints": { - "required": true, - "regex": "^[0-9]+$", - "validationMessage": "Account ID must be numeric." - }, - "visible": true - } - ] - } - ], - "outputs": { - "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", - "location": "[location()]", - "workspace": "[basics('workspace')]", - "VaikoraApiKey": "[steps('playbooks').VaikoraApiKey]", - "VaikoraAgentId": "[steps('playbooks').VaikoraAgentId]", - "SentinelOne_BaseUrl": "[steps('playbooks').SentinelOne_BaseUrl]", - "SentinelOne_ApiToken": "[steps('playbooks').SentinelOne_ApiToken]", - "SentinelOne_AccountId": "[steps('playbooks').SentinelOne_AccountId]" - } - } -} From 2b0b0f0adc757291793c9355b74fa65d9ad3d22a Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:53 -0400 Subject: [PATCH 32/38] fix: remove stray Vaikora-SentinelOne from Vaikora-Sentinel PR --- .../Package/mainTemplate.json | 473 ------------------ 1 file changed, 473 deletions(-) delete mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/mainTemplate.json 
diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/mainTemplate.json b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/mainTemplate.json deleted file mode 100644 index 2d492330bfe..00000000000 --- a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/mainTemplate.json +++ /dev/null 
@@ -1,473 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Data443 Risk Mitigation, Inc. - support@data443.com", - "comments": "Solution template for Vaikora-SentinelOne-ThreatIntelligence" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - }, - "VaikoraApiKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Vaikora API Key for X-API-Key authentication" - } - }, - "VaikoraAgentId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Vaikora Agent ID to poll for actions" - } - }, - "SentinelOne_ApiToken": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "SentinelOne API Token" - } - }, - "SentinelOne_BaseUrl": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "SentinelOne console URL (e.g. 
https://usea1-021.sentinelone.net)" - } - }, - "SentinelOne_AccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "SentinelOne Account ID" - } - } - }, - "variables": { - "email": "support@data443.com", - "_email": "[variables('email')]", - "_solutionName": "Vaikora-SentinelOne-ThreatIntelligence", - "_solutionVersion": "3.0.0", - "solutionId": "data443riskmitigationinc1761580347231.azure-sentinel-solution-vaikora-sentinelone", - "_solutionId": "[variables('solutionId')]", - "Playbooks": "Playbooks", - "_Playbooks": "[variables('Playbooks')]", - "blanks": "[replace('b', 'b', '')]", - "playbookVersion1": "3.0.0", - "playbookContentId1": "Playbooks", - "_playbookContentId1": "[variables('playbookContentId1')]", - "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", - "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Playbooks Playbook with template version 1.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "logicAppName": { - "type": "string", - "defaultValue": "pb-vaikora-to-sentinelone" - }, - "VaikoraApiKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Vaikora API Key for X-API-Key authentication" - } - }, - "VaikoraAgentId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Vaikora Agent ID to poll for actions" - } - }, - "SentinelOne_ApiToken": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "SentinelOne API Token" - } - }, - "SentinelOne_BaseUrl": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Your SentinelOne console URL (e.g. https://usea1-021.sentinelone.net)." 
- } - }, - "SentinelOne_AccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "SentinelOne Account ID" - } - }, - "workspace": { - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics" - } - } - }, - "variables": { - "workspaceResourceId": "[[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]" - }, - "resources": [ - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", - "name": "[[parameters('logicAppName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "VaikoraToSentinelOne", - "hidden-SentinelTemplateVersion": "3.0.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "properties": { - "state": "Enabled", - "parameters": { - "VaikoraApiKey": { - "value": "[[parameters('VaikoraApiKey')]" - }, - "VaikoraAgentId": { - "value": "[[parameters('VaikoraAgentId')]" - }, - "SentinelOne_ApiToken": { - "value": "[[parameters('SentinelOne_ApiToken')]" - }, - "SentinelOne_BaseUrl": { - "value": "[[parameters('SentinelOne_BaseUrl')]" - }, - "SentinelOne_AccountId": { - "value": "[[parameters('SentinelOne_AccountId')]" - } - }, - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Vaikora_ApiBaseUrl": { - "type": "string", - "defaultValue": "https://api.vaikora.com/api/v1" - }, - "VaikoraApiKey": { - "type": "securestring", - "defaultValue": "[variables('blanks')]" - }, - "VaikoraAgentId": { - "type": "string", - "defaultValue": "[variables('blanks')]" - }, - "SentinelOne_BaseUrl": { - "type": "string", - "defaultValue": "" - }, - "SentinelOne_ApiToken": { - "type": "securestring", - "defaultValue": 
"[variables('blanks')]" - }, - "SentinelOne_AccountId": { - "type": "string", - "defaultValue": "[variables('blanks')]" - } - }, - "triggers": { - "Recurrence": { - "type": "Recurrence", - "recurrence": { - "frequency": "Hour", - "interval": 6, - "timeZone": "UTC" - } - } - }, - "actions": { - "Get_Vaikora_Actions": { - "type": "Http", - "inputs": { - "method": "GET", - "uri": "@{concat(parameters('Vaikora_ApiBaseUrl'), '/actions?agent_id=', encodeUriComponent(parameters('VaikoraAgentId')), '&per_page=100')}", - "headers": { - "X-API-Key": "@{parameters('VaikoraApiKey')}", - "Accept": "application/json", - "User-Agent": "Microsoft-Sentinel-Vaikora-SentinelOne/1.0" - } - } - }, - "Filter_High_Severity_Or_Anomaly": { - "type": "Query", - "runAfter": { - "Get_Vaikora_Actions": [ - "Succeeded" - ] - }, - "inputs": { - "from": "@body('Get_Vaikora_Actions')", - "where": "@or(or(equals(toLower(coalesce(item()?['severity'], '')), 'high'), equals(toLower(coalesce(item()?['severity'], '')), 'critical')), equals(item()?['is_anomaly'], true))" - } - }, - "List_STAR_Rules": { - "type": "Http", - "runAfter": { - "Filter_High_Severity_Or_Anomaly": [ - "Succeeded" - ] - }, - "inputs": { - "method": "GET", - "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/cloud-detection/rules?accountIds=@{parameters('SentinelOne_AccountId')}", - "headers": { - "Content-Type": "application/json", - "Authorization": "@{concat('ApiToken ', parameters('SentinelOne_ApiToken'))}" - } - } - }, - "Check_Rule_Exists": { - "type": "If", - "runAfter": { - "List_STAR_Rules": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "equals": [ - "@contains(string(body('List_STAR_Rules')), 'Vaikora IOC Detection')", - false - ] - } - ] - }, - "actions": { - "Create_STAR_Rule": { - "type": "Http", - "inputs": { - "method": "POST", - "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/cloud-detection/rules", - "headers": { - "Content-Type": "application/json", - "Authorization": 
"@{concat('ApiToken ', parameters('SentinelOne_ApiToken'))}" - }, - "body": { - "filter": { - "accountIds": [ - "@{parameters('SentinelOne_AccountId')}" - ] - }, - "data": { - "name": "Vaikora IOC Detection", - "s1ql": "IndicatorSource = \"Vaikora AI Agent Security (Data443)\"", - "queryType": "events", - "severity": "High", - "status": "Active", - "expirationMode": "Permanent", - "treatAsThreat": "Suspicious" - } - } - } - } - } - }, - "Check_Has_Actions": { - "type": "If", - "runAfter": { - "Check_Rule_Exists": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "greater": [ - "@length(body('Filter_High_Severity_Or_Anomaly'))", - 0 - ] - } - ] - }, - "actions": { - "For_Each_Action": { - "type": "Foreach", - "foreach": "@body('Filter_High_Severity_Or_Anomaly')", - "runtimeConfiguration": { - "concurrency": { - "repetitions": 1 - } - }, - "actions": { - "Post_IOC_to_SentinelOne": { - "type": "Http", - "inputs": { - "method": "POST", - "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/threat-intelligence/iocs", - "headers": { - "Content-Type": "application/json", - "Authorization": "@{concat('ApiToken ', parameters('SentinelOne_ApiToken'))}" - }, - "body": { - "filter": { - "accountIds": [ - "@{parameters('SentinelOne_AccountId')}" - ] - }, - "data": [ - { - "value": "@{coalesce(item()?['log_hash'], concat('vaikora-', item()?['agent_id'], '-', item()?['action_type']))}", - "type": "SHA256", - "source": "Vaikora AI Agent Security (Data443)", - "method": "EQUALS", - "validUntil": "@{addDays(utcNow(), 90)}", - "externalId": "@{concat('vaikora-', item()?['agent_id'], '-', item()?['action_type'], '-', item()?['timestamp'])}", - "description": "@{concat('Vaikora Agent=', coalesce(item()?['agent_id'], 'N/A'), ' | ActionType=', coalesce(item()?['action_type'], 'N/A'), ' | RiskScore=', coalesce(string(item()?['risk_score']), 'N/A'), ' | RiskLevel=', coalesce(item()?['risk_level'], 'N/A'), ' | Severity=', coalesce(item()?['severity'], 'N/A'), ' | 
ThreatDetected=', coalesce(string(item()?['threat_detected']), 'N/A'), ' | ThreatScore=', coalesce(string(item()?['threat_score']), 'N/A'), ' | Anomaly=', coalesce(string(item()?['is_anomaly']), 'N/A'), ' | AnomalyScore=', coalesce(string(item()?['anomaly_score']), 'N/A'), ' | PolicyDecision=', coalesce(item()?['policy_decision'], 'N/A'), ' | Timestamp=', coalesce(item()?['timestamp'], 'N/A'))}", - "severity": "@{if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 96), 7, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 86), 6, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 71), 5, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 51), 4, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 31), 3, 2)))))}" - } - ] - } - } - } - } - } - } - } - }, - "outputs": {} - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", - "properties": { - "parentId": "[[variables('playbookId1')]", - "contentId": "[[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[[variables('playbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Vaikora-SentinelOne-ThreatIntelligence", - "sourceId": "[[variables('_solutionId')]" - }, - "author": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[[variables('_email')]" - }, - "support": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "support@data443.com", - "tier": "Partner", - "link": "https://www.data443.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId1')]", - "contentKind": "Playbook", - "displayName": "Playbooks", - 
"contentProductId": "[variables('_playbookcontentProductId1')]", - "id": "[variables('_playbookcontentProductId1')]", - "version": "[variables('playbookVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", - "apiVersion": "2023-04-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "3.0.0", - "kind": "Solution", - "contentSchemaVersion": "3.0.0", - "displayName": "Vaikora-SentinelOne-ThreatIntelligence", - "publisherDisplayName": "Data443 Risk Mitigation, Inc.", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

\u2022 Review the solution Release Notes

\n

\u2022 There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Vaikora SentinelOne Threat Intelligence solution polls the Vaikora AI Agent Security API for high-severity and anomaly agent actions, then pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.

\n

Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", - "contentKind": "Solution", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "Vaikora-SentinelOne-ThreatIntelligence", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "[variables('_email')]" - }, - "support": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "support@data443.com", - "tier": "Partner", - "link": "https://www.data443.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "Playbook", - "contentId": "[variables('_Playbooks')]", - "version": "[variables('playbookVersion1')]" - } - ] - }, - "firstPublishDate": "2026-04-02", - "providers": [ - "Data443 Risk Mitigation, Inc.", - "Vaikora" - ], - "categories": { - "domains": [ - "Security - Threat Intelligence" - ] - } - }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" - } - ], - "outputs": {} -} From 089116dd2734d5d0dd2707d80e437534e8d97f22 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:54 -0400 Subject: [PATCH 33/38] fix: remove stray Vaikora-SentinelOne from Vaikora-Sentinel PR --- .../VaikoraToSentinelOne_Playbook.json | 282 ------------------ 1 file changed, 282 deletions(-) delete mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/Playbooks/VaikoraToSentinelOne_Playbook.json diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Playbooks/VaikoraToSentinelOne_Playbook.json b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Playbooks/VaikoraToSentinelOne_Playbook.json deleted file mode 100644 index ff9d0303640..00000000000 --- a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/Playbooks/VaikoraToSentinelOne_Playbook.json +++ /dev/null 
@@ -1,282 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "logicAppName": { - "type": "string", - "defaultValue": "pb-vaikora-to-sentinelone" - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]" - }, - "VaikoraApiKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Vaikora API Key for authentication (X-API-Key header)" - } - }, - "VaikoraAgentId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Vaikora Agent ID to poll for actions" - } - }, - "SentinelOne_ApiToken": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "SentinelOne API Token" - } - }, - "SentinelOne_BaseUrl": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Your SentinelOne console URL (e.g. https://usea1-021.sentinelone.net). Log in to SentinelOne and copy the URL from your browser address bar." 
- } - }, - "SentinelOne_AccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "SentinelOne Account ID" - } - }, - "workspace": { - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics" - } - } - }, - "variables": { - "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))]" - }, - "resources": [ - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", - "name": "[parameters('logicAppName')]", - "location": "[parameters('location')]", - "tags": { - "hidden-SentinelTemplateName": "VaikoraToSentinelOne", - "hidden-SentinelTemplateVersion": "1.0.0", - "hidden-SentinelWorkspaceId": "[variables('workspaceResourceId')]" - }, - "properties": { - "state": "Enabled", - "parameters": { - "VaikoraApiKey": { - "value": "[parameters('VaikoraApiKey')]" - }, - "VaikoraAgentId": { - "value": "[parameters('VaikoraAgentId')]" - }, - "SentinelOne_ApiToken": { - "value": "[parameters('SentinelOne_ApiToken')]" - }, - "SentinelOne_BaseUrl": { - "value": "[parameters('SentinelOne_BaseUrl')]" - }, - "SentinelOne_AccountId": { - "value": "[parameters('SentinelOne_AccountId')]" - } - }, - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Vaikora_ApiBaseUrl": { - "type": "string", - "defaultValue": "https://api.vaikora.com/api/v1" - }, - "VaikoraApiKey": { - "type": "string", - "defaultValue": "" - }, - "VaikoraAgentId": { - "type": "string", - "defaultValue": "" - }, - "SentinelOne_BaseUrl": { - "type": "string", - "defaultValue": "" - }, - "SentinelOne_ApiToken": { - "type": "string", - "defaultValue": "" - }, - "SentinelOne_AccountId": { - "type": "string", - "defaultValue": "" - } - }, - "triggers": { - "Recurrence": { - "type": "Recurrence", - "recurrence": { - "frequency": "Hour", - "interval": 6, - "timeZone": "UTC" - 
} - } - }, - "actions": { - "Get_Vaikora_Actions": { - "type": "Http", - "inputs": { - "method": "GET", - "uri": "@{concat(parameters('Vaikora_ApiBaseUrl'), '/actions?agent_id=', encodeUriComponent(parameters('VaikoraAgentId')), '&per_page=100')}", - "headers": { - "X-API-Key": "@{parameters('VaikoraApiKey')}", - "Accept": "application/json", - "User-Agent": "Microsoft-Sentinel-Vaikora-SentinelOne/1.0" - } - } - }, - "Filter_High_Severity_Or_Anomaly": { - "type": "Query", - "runAfter": { - "Get_Vaikora_Actions": [ - "Succeeded" - ] - }, - "inputs": { - "from": "@body('Get_Vaikora_Actions')", - "where": "@or(or(equals(toLower(coalesce(item()?['severity'], '')), 'high'), equals(toLower(coalesce(item()?['severity'], '')), 'critical')), equals(item()?['is_anomaly'], true))" - } - }, - "List_STAR_Rules": { - "type": "Http", - "runAfter": { - "Filter_High_Severity_Or_Anomaly": [ - "Succeeded" - ] - }, - "inputs": { - "method": "GET", - "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/cloud-detection/rules?accountIds=@{parameters('SentinelOne_AccountId')}", - "headers": { - "Content-Type": "application/json", - "Authorization": "@{concat('ApiToken ', parameters('SentinelOne_ApiToken'))}" - } - } - }, - "Check_Rule_Exists": { - "type": "If", - "runAfter": { - "List_STAR_Rules": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "equals": [ - "@contains(string(body('List_STAR_Rules')), 'Vaikora IOC Detection')", - false - ] - } - ] - }, - "actions": { - "Create_STAR_Rule": { - "type": "Http", - "inputs": { - "method": "POST", - "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/cloud-detection/rules", - "headers": { - "Content-Type": "application/json", - "Authorization": "@{concat('ApiToken ', parameters('SentinelOne_ApiToken'))}" - }, - "body": { - "filter": { - "accountIds": [ - "@{parameters('SentinelOne_AccountId')}" - ] - }, - "data": { - "name": "Vaikora IOC Detection", - "s1ql": "IndicatorSource = \"Vaikora AI Agent Security (Data443)\"", - 
"queryType": "events", - "severity": "High", - "status": "Active", - "expirationMode": "Permanent", - "treatAsThreat": "Suspicious" - } - } - } - } - } - }, - "Check_Has_Actions": { - "type": "If", - "runAfter": { - "Check_Rule_Exists": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "greater": [ - "@length(body('Filter_High_Severity_Or_Anomaly'))", - 0 - ] - } - ] - }, - "actions": { - "For_Each_Action": { - "type": "Foreach", - "foreach": "@body('Filter_High_Severity_Or_Anomaly')", - "runtimeConfiguration": { - "concurrency": { - "repetitions": 1 - } - }, - "actions": { - "Post_IOC_to_SentinelOne": { - "type": "Http", - "inputs": { - "method": "POST", - "uri": "@{parameters('SentinelOne_BaseUrl')}/web/api/v2.1/threat-intelligence/iocs", - "headers": { - "Content-Type": "application/json", - "Authorization": "@{concat('ApiToken ', parameters('SentinelOne_ApiToken'))}" - }, - "body": { - "filter": { - "accountIds": [ - "@{parameters('SentinelOne_AccountId')}" - ] - }, - "data": [ - { - "value": "@{coalesce(item()?['log_hash'], concat('vaikora-', item()?['agent_id'], '-', item()?['action_type']))}", - "type": "SHA256", - "source": "Vaikora AI Agent Security (Data443)", - "method": "EQUALS", - "validUntil": "@{addDays(utcNow(), 90)}", - "externalId": "@{concat('vaikora-', item()?['agent_id'], '-', item()?['action_type'], '-', item()?['timestamp'])}", - "description": "@{concat('Vaikora Agent=', coalesce(item()?['agent_id'], 'N/A'), ' | ActionType=', coalesce(item()?['action_type'], 'N/A'), ' | RiskScore=', coalesce(string(item()?['risk_score']), 'N/A'), ' | RiskLevel=', coalesce(item()?['risk_level'], 'N/A'), ' | Severity=', coalesce(item()?['severity'], 'N/A'), ' | ThreatDetected=', coalesce(string(item()?['threat_detected']), 'N/A'), ' | ThreatScore=', coalesce(string(item()?['threat_score']), 'N/A'), ' | Anomaly=', coalesce(string(item()?['is_anomaly']), 'N/A'), ' | AnomalyScore=', coalesce(string(item()?['anomaly_score']), 'N/A'), ' | 
PolicyDecision=', coalesce(item()?['policy_decision'], 'N/A'), ' | Timestamp=', coalesce(item()?['timestamp'], 'N/A'))}", - "severity": "@{if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 96), 7, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 86), 6, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 71), 5, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 51), 4, if(greaterOrEquals(coalesce(item()?['risk_score'], 0), 31), 3, 2)))))}" - } - ] - } - } - } - } - } - } - } - }, - "outputs": {} - } - } - } - ] -} From 9266b54a365573106e1460db07a00502850b91d1 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:55 -0400 Subject: [PATCH 34/38] fix: remove stray Vaikora-SentinelOne from Vaikora-Sentinel PR --- .../README.md | 60 ------------------- 1 file changed, 60 deletions(-) delete mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/README.md diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/README.md b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/README.md deleted file mode 100644 index 31bafc3484b..00000000000 --- a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/README.md +++ /dev/null 
@@ -1,60 +0,0 @@ -# Vaikora SentinelOne Threat Intelligence - -**Publisher:** Data443 Risk Mitigation, Inc. -**Solution ID:** `azure-sentinel-solution-vaikora-sentinelone` - -## Overview - -This Microsoft Sentinel solution connects Vaikora AI Agent Security to SentinelOne's Threat Intelligence API. Every 6 hours it polls the Vaikora actions endpoint for high-severity and anomaly detections, maps them to IOCs, and pushes them to SentinelOne for detection and response. - -## How it works - -1. Logic App fires on a 6-hour recurrence -2. Calls `GET https://api.vaikora.com/api/v1/actions?agent_id=&per_page=100` with `X-API-Key` auth -3. Filters to actions where `severity` is High or Critical, or `is_anomaly` is true -4. On first run, creates a STAR detection rule in SentinelOne scoped to your account -5. Posts each filtered action as an IOC to `/web/api/v2.1/threat-intelligence/iocs` - -## IOC Mapping - -| Vaikora field | SentinelOne field | Notes | -|--------------------|--------------------|--------------------------------------------| -| `log_hash` | `value` | Falls back to `agent_id + action_type` | -| (fixed) | `type` | SHA256 | -| (fixed) | `source` | Vaikora AI Agent Security (Data443) | -| (fixed) | `method` | EQUALS | -| `risk_score` | `severity` | 0-30→2, 31-50→3, 51-70→4, 71-85→5, 86-95→6, 96-100→7 | -| `agent_id` + `action_type` + `timestamp` | `externalId` | Prefixed with `vaikora-` | -| All fields | `description` | Pipe-delimited context string | -| (computed) | `validUntil` | 90 days from push time | - -## Parameters - -| Parameter | Type | Required | Description | -|-----------------------|--------------|----------|------------------------------------------------------| -| `VaikoraApiKey` | securestring | Yes | Vaikora API key sent as `X-API-Key` | -| `VaikoraAgentId` | string | Yes | Agent ID to poll | -| `SentinelOne_BaseUrl` | string | Yes | Console URL, e.g. 
`https://usea1-021.sentinelone.net`| -| `SentinelOne_ApiToken`| securestring | Yes | SentinelOne API token | -| `SentinelOne_AccountId`| string | Yes | Account ID for `filter.accountIds` in all S1 calls | -| `workspace` | string | Yes | Log Analytics workspace name | - -## Deployment - -Deploy via Microsoft Sentinel Content Hub or use the ARM template directly: - -```bash -az deployment group create \ - --resource-group \ - --template-file Package/mainTemplate.json \ - --parameters workspace= \ - VaikoraApiKey= \ - VaikoraAgentId= \ - SentinelOne_BaseUrl=https://usea1-021.sentinelone.net \ - SentinelOne_ApiToken= \ - SentinelOne_AccountId= -``` - -## Support - -Data443 Risk Mitigation, Inc. — support@data443.com — https://www.data443.com From ee453385dfc6471d1a6e50eb906b75e0adf7734e Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:56 -0400 Subject: [PATCH 35/38] fix: remove stray Vaikora-SentinelOne from Vaikora-Sentinel PR --- .../ReleaseNotes.md | 50 ------------------- 1 file changed, 50 deletions(-) delete mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/ReleaseNotes.md diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/ReleaseNotes.md b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/ReleaseNotes.md deleted file mode 100644 index d840de58bc1..00000000000 --- a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/ReleaseNotes.md +++ /dev/null 
@@ -1,50 +0,0 @@ -# Vaikora-SentinelOne Threat Intelligence - Release Notes - -## Version 1.0.0 (2026-04-02) - -### Initial Release - -**Solution Overview:** -Polls the Vaikora AI Agent Security API every 6 hours for high-severity and anomaly agent actions, then pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response. - -**Features:** -- **Vaikora Action Polling:** Polls `/api/v1/actions` every 6 hours with `per_page=100` — no pagination token needed -- **Smart Filtering:** Only processes actions where `severity == High/Critical` or `is_anomaly == true` -- **SentinelOne IOC Push:** Maps Vaikora actions to SentinelOne IOC format (SHA256 type using `log_hash`) and pushes via the Threat Intelligence API -- **STAR Rule Auto-Creation:** Creates a SentinelOne STAR detection rule for Vaikora indicators on first run -- **Risk Score Severity Mapping:** Maps `risk_score` (0-100) to SentinelOne severity (2-7) -- **Content Hub Ready:** Packaged as a Microsoft Sentinel Solution with Content Hub support - -**Playbook: pb-vaikora-to-sentinelone** -- Recurrence: Every 6 hours (UTC) -- Vaikora API: `https://api.vaikora.com/api/v1/actions` -- Auth: `X-API-Key` header -- Filter: `severity` in (High, Critical) OR `is_anomaly == true` -- SentinelOne API: `/web/api/v2.1/threat-intelligence/iocs` -- IOC Type: SHA256 (from `log_hash` field) -- IOC Validity: 90 days -- IOC Source: `Vaikora AI Agent Security (Data443)` - -**Severity Mapping:** - -| risk_score | SentinelOne severity | -|------------|---------------------| -| 0 - 30 | 2 | -| 31 - 50 | 3 | -| 51 - 70 | 4 | -| 71 - 85 | 5 | -| 86 - 95 | 6 | -| 96 - 100 | 7 | - -**Parameters Required:** -- `VaikoraApiKey` - Vaikora API key (used as `X-API-Key` header) -- `VaikoraAgentId` - Vaikora Agent ID to poll -- `SentinelOne_ApiToken` - SentinelOne API token -- `SentinelOne_BaseUrl` - SentinelOne console URL -- `SentinelOne_AccountId` - SentinelOne account ID (required in all IOC 
push requests) - -**Known Limitations:** -- Fetches up to 100 actions per run (`per_page=100`) — no cursor-based pagination -- IOC type fixed to SHA256 using `log_hash`; IP/URL extraction from action content not yet implemented -- Per-record POST to SentinelOne (batch optimization planned for v1.1) -- No automatic retry for SentinelOne rate limiting (uses Logic App default retry policy) From 9e1d98f9149a7a879825defbfbdb307b9edeaa85 Mon Sep 17 00:00:00 2001 From: mazamizo21 <121246886+mazamizo21@users.noreply.github.com> Date: Mon, 6 Apr 2026 06:46:56 -0400 Subject: [PATCH 36/38] fix: remove stray Vaikora-SentinelOne from Vaikora-Sentinel PR --- .../SolutionMetadata.json | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 Solutions/Vaikora-SentinelOne-ThreatIntelligence/SolutionMetadata.json diff --git a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/SolutionMetadata.json b/Solutions/Vaikora-SentinelOne-ThreatIntelligence/SolutionMetadata.json deleted file mode 100644 index c76f5dbfeab..00000000000 --- a/Solutions/Vaikora-SentinelOne-ThreatIntelligence/SolutionMetadata.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "publisherId": "data443riskmitigationinc1761580347231", - "offerId": "vaikora-sentinelone-connector", - "firstPublishDate": "2026-04-02", - "providers": [ - "Data443 Risk Mitigation, Inc.", - "Vaikora" - ], - "categories": { - "domains": [ - "Security - Threat Intelligence" - ], - "verticals": [] - }, - "support": { - "name": "Data443 Risk Mitigation, Inc.", - "email": "support@data443.com", - "tier": "Partner", - "link": "https://www.data443.com" - } -} \ No newline at end of file From e3f8f0998c5e0e220691c8b6174b0ba509a5fe17 Mon Sep 17 00:00:00 2001 
From: PR Fixer Date: Wed, 8 Apr 2026 07:25:32 -0400 Subject: [PATCH 37/38] fix: remove Cyren-SentinelOne changes not part of this PR Reverted all Cyren-SentinelOne-ThreatIntelligence files to merge base state and removed 3.0.1.zip. These changes belong in a separate PR. --- .../Package/3.0.1.zip | Bin 7771 -> 0 bytes .../Package/mainTemplate.json | 14 +++++++------- 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/3.0.1.zip 
diff --git a/Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/3.0.1.zip b/Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/3.0.1.zip deleted file mode 100644 index ea29e778b67f65037c7d2041cffc73df81b4fd65..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7771 zcmZ{pWl$VYl%*RD4h;bs4GHeSJ;B}GX&PJiRP9d9 z?ACp^?z?}^-&6N|stQQRZvg-R8i0pC(6EGMAi9JI0I;b90Du5;fW0ZyLDRzC$p6gOh z8Ff#Q7NNgfRpvU!Pn1th3geQhM}{t+J_H70CIQ6oX~b5Y^A_yr;$^`NE9XWv!=L-a zD(?99*)As!{S$qr_;FV6iq(9q+FcN>f_3<#BEP?r3yWkkvY1)1_7#2@13!a57Q_jY zKi;Gy3XN9(@Pr6I;}#G6y=mq5%S7c6engRp`w_&>MUwCkc(_ZLKrs{j@EAB~)xJw} znIi4C<=XytYXC=(<^-#Ujzf>1qklzwzMrB90U`&QV+hzU-Q^EJtk88I0Yb>9fqw`- z;f|2_SSwREdy;H}osdIigI?MYD9PEWPlh!_m+vMJ->{t_)H4TL9!TPR!N?s4{;6cX zQ1jd}_9KDx(#2BavvAto^UBpHhDvpZMH09#54qA`?wXK)1~z??%$lWfxl{ov4aUR1 z8tzDjYSQVVMt1f?`dRX0Zh8g--hA3kgF(^ip2x?KC{ZRM79FOjw4Ioa< zCDG^D;G-=WVXt431q!BXbrNBlW|D|RW@EdmYTd&J%b2A34L_VOML#?+ck1GMMx#kk zCX5TP2qYfJW5MB4Hsb6OPx8-ynRayv3$Tr*-k!*o<5K0s9V!0 zfJlReP1(>4L+(duik#NR*#7DSG83o8_xf$Ze+olan|qfZMHb~VVaD*O7F7TUgJPu| zvzd(l)k4t__2&=}Rm7Eg@<3QxosVCFBq6oF`AsSLZ)M3mjd!-42)rTph>JcH`ITbt z-iF2Zwy(m4)rx88Hvvn2_31kq^tSs}Z{lVoagt`rDFf5qlLYtZF}g}1dR}c5PYm@X zdQ$qe^>E3>ZwFbRVbMedGvk@1B78jq)PRgiA%>&0MhbA(SIPDJ;B&(QbssuA-B&Sj zX5ppa$~UAn8gTT+WZ*a-+JN-m=DzT`zUE+4UV-9e$<^blpq_;qm7Zu4k!ya6nIkkL zN|%C#!OFH-9ehFL2imhJ=GmX+#8|g;h<%+wZhA8BJvzda+?u{HH>oea?rR68?K*{R z(0sW3#SJ!Zh+D1bTjce{dklTm#!rId=T%)rM6?CF1+_8b;bCmx7q=&w!&@#; z%lwEYqd8*`Z%k=5XiqH0Be}w+=ZbE5h1wu6kyE?!tbvm#yTCGc>b8uf*#%OciwhYd zoO$e2gQS7$)j+eZh&ToDoa%CfkPZnK@glvSruwvK^&Z)RvFRk_(%$-Nyjuw^2(N({LM(5e8xSWH1s}r zPsMaVrBJ=Xy{a-?F2=?GGov!!@Xb*+jSP|7+rlLo2;Hv67o( zk`#qf2fTba7wiT<_FwL+?paEjmk6@ZUjU4~7*lNCa|;7|_7n=F@eo6u1Pb0Lnjb7g zf1_sqrjSY%ANYw+3bQC>C%kN?>lBs-H8?LPXtnqDz}#FbAEd<6^Kf@9jr&4puP+oJ zaJZ8#*Ufmtnk^rDNRkTnA&R{-BoN^ex4|egY9^+}@<_n3=m(l_cr_x>u*Cu^Hsuj=vm1WbZgJ6tXVtCq; zRka{J`3*YN;g_j9Q&&B?ZwrC^$s2**toZ^j(uE0fu+<>EMFv?JN`g8(@DN?@e$JDX 
zc3W)vuKsaUYNQh7d)fcIp_}qN$43FA;TDMtD0lgLiB&>4H%)XC{ql$UsY%5ldDpRk1k|Lr?(oeNqYN zJ{|%0W>s}BG(`P(DzJ|S|9u4Ti(1+ew@52O;HkFTR31@=Epi?9Iotjr8+c>H&rm|s z0W`1e>boqv?m*}m-M++2;iSt#3Y&UQZ%30*#==_~|7}Cp90@oIqkc9(9AXpL(!mp1 z3<(=RKCwY&do%jU21Jxf_{yhL{OmdAYk8H8z7k%Oz^`HdDX_tER0J;{rX1YjIf-G%`9d=&bUF);-wson93}gGOD%sfb z_3F4JS8@S_65o?keLpOmkOKC^(f=`RfjMCd2{>nPHkwUWQ-SM~Zqi;FGWPzQvSvc7 zBfrg&zV|ljV951kE?TYN2}FN*yRTstU8-B4eq>gz6;oFh7>9{(r^r&N~yrb6JjHGl<_PyFyb>m7MExPkr;RZG>J7J-ApiI-BP3NMQ- zjD*}O&vWnxJ@mn6m{}yAb90?gWMB_h3mAA?E^L@|$jX#&kQEzVpSk9KbW@y5bi&%; zOUDhq-SPZ^#w?Qcy{;NX>sOb5_E=x!^Ik)5SXR6%;3`K zX7()2CzI?2zh!PI@1`Q)(F0c`6Js83*U*CoLrA5oHc*ibs5MQsoq%Vs#ftfMYZ3kS zb(}X~R$!IZ*A?bqYx8;In3ywN0P=4ttFz}3GNX$yp8A50)&^O)*J9=*`Cv$I*D6dO zkV~O%=K9X;YZ)Y>l-UMlvBcro<}0fFdjF{h$w6eP)covZV8AQ?158E2F)iY4mST2%7 zaLEg5T_wF!n7P|84sEM zVOVb<0w3QaeAMrP02GS!`e)R0ZTyyY*c}EwrYE<0-qz%#qaw0 zcX6BJrxt&6zY*+uv1$nRAQ-JZd{vzCn{L_b-vrO?Z6)U3Ricf~9h2Cv>{9AE_PZ#5 z*M{xh?ZKELGwoi8JwH)o*@)?HX0or;P0MLrofJu2w%8$HAnF}rhw~?c>UeoI#@beM zFgNN?K!k@=`1#zp>M|Nl8L6B+Gam>v%({RrVp-<}LamBh3-`B@%Er9L1OPTkR<1^5 zrZVB{kvb=Hy7q*hyk*+PX4TI23;Q~`yItr7t91B~3k6b`G5;ASbyAi3>L`!83IGT7 zqlf8;FxfP=F)VeL^(N?XZo07eKdO zw`MaO1_^P%xT7F?XNvX_w;@;BbE)eLOtP4lU?~YJHhNoVa$B#_eR3>TnmuE9BuaF+ zGcED=;_Eq*k`-3e+GpU|T8=P=b(hpKJDD#vJ9Bc1j?4#3x<~t)om4fh=ncLbNO9=I zcQK)YyPqBAWcZ^*q;_r6>Lb+zrL|*g;w}3|R;g5U6smM)-G}QvdWu$$cLSY4NBV;d z(}PTWkI5CoZ_ZOEh_ZPc#fydjehQ&D!1j? 
z>E0B|e9W#wg&x{eKNk+I9*!Ud_lwDE4^Zfxk!LyAoM3R_OXW|5Oa6|1WSJL&t{oke z8Vp060PlLru$$P*qmN!9R2>68mvx?9Pcp}12&6!E5gA}ul}|@t9BXwL;mWg)%ZJwy z=Q?YoITJp{w7Un#w_5&f-&xSYQ?^*X5Z_u%VThMH!heHGt*%hwdWk>NK1hx+Gfyzy zXb#E#MgDYY5^`L4fiaak`;Fg7^skgJ-YiT1TgVbZO0IHejp#a|Spf+8%ltZ)%Qz+K z(&YCLPt*RhH>I5om$y0mV*{up#``#n{E30Sr!%{P?Z@fZT0%3KRr+`f@gQqVD0@I6 zbrL?SYi>{e3`r|&O;D$Ggr=u6UtT1Uk+=Q1Sx39QL@k*5AjBQj(L|Dfi&UO?sig>K zgganEF?uZG@LXJlqQUcCP!l0y?+KV-u>OKc&~;rTC;ge3t8=3BmqXp zsLv~Q9JZ|NklmIa+sKZ{uEVpby;v*V*&0urx?Isw^Hke~hy{IGdpf#4)-G;5F3cSm zwacyOl2ts%&UcQn;xzNl$%Yx3Xm=`1{`qB&&DcSE#`o#(GsV~%-=0GqyuEkzq4)Sc z$7pO6{_C;&mV6zvEz2{NVr;bT;dOB>f#(rEvbh^4(?oN%+F3i+(&y#&!|if zTXKDB<6Qll?5@s_D!aLQc7>F=9otJ8$jr;48(S_k0N%@jTFoUIFJIUZ z*^yv!7eCEYUAH=3GyBk+D=>20o4e|?;mMWxt*$Ru&lB~I751NRzvJI5{94*^M2@d2 z?SwgcyXtOWxi~Pk{pw%migdDXZ1uvwt=ueljJDw^2=^2;aojUHbz>{_@T}VCXeD>; z5}D!olTcT7>0O&C_7>nDarRrkqvuJf^0-yB?#TrWrJ@pdO>t)C2Ue}ZZvJVM@skoB z3i!@`mi!{VMarblXQr;t!O>0ay0--N(0vm_4d4c+%}+FJQqWH=VE>}^=!5SHXE*YN zyS4e$`IX;y(7-JANjKRyo-rIwH!6=7cP+GaHbr}SL_jL{@0`+qBb#t{N3Z?hsqE44 zt*+~7_!HGF-1xGCp&z3uIwqogi<=F|D;Ua$&DE+-T)v$DMDhNn>yo#k~o;DA4$Zie^6W%bHS z4wRA;ywC5Enf3MGeG^!YAa?SpD7nVE$TRYZK_poG5&f;-coiAer7|xlR4ry}b5o(& z_oGzzpIixvZ~UDW4#ddTd89%m20{aS&)C1vgkdpJhK)WxtG>EnINuR! z3Ri61Pm1yB4!;uRd}3$Xlgpk+8<}xFn4i*GON8uPiP3$QFM{>mPBR9`rRMEGLgY|` zc0|F`^V4xkxmwht9VSMrKj!U?+n7i^szVgV3(DM#<{6KPIP)|d(P_CUS#8EzBWT59 zjFEr(NBtSLJ)Cs_VK_b4GF&TMQUy+MPHtXKho^358HiGeBJT$|3rJnTCWb8culX5S zC&*J5V4_>M)*m-X?9Ry($KbJ_|FW%zujqkb!Qr;&!8baNN36K%k%!sFySyK!c|d(% zErl%5wwuwQoaDG;W&E-N*%xj}1q~x^{hXSW2wF6~mOAU^OeWY-jUycm4HqUIuK08# z3gm%Q!+NMV>7|qINkx5&h5IVap-CYE7;;> z{82;590)(yNsCTd==^u6;E$wTcZAkh<_d*gB5Aa)URPF=+I#|OOb3$}o%gY!FI1{0 z7e)LWH-4)yIL8rs6h2X@vVt!&6YFGm{YKjl5xW7Y@|n@FW2{^j+O;VBF! 
zY#U{a`;7^*Wt?xNz#o5~f!$S&X@kT8l7J8V-!4ErzOJC zFJm|%r{4?xG!I7+Yrrm(T=BDK@3xBO`v}9Oox?7zQ4+9as3*{P8{h99s9sYKrQbE& zad(9d*N##DhLZd?d!-mKgo%n+o>xvjR0Y&_w_7Jz+LK5(-jL=Y|R4enxZ z$UiI_J>$@0#fvqJr%86@P}CAM<)7SIu=OlkIUn%CG)^dEJ|mIF>?gG~x#g*=4xz_(-a;^_O5dX-e4j++u|-YB4k(2BbOgVZ0rifp@& z=viFHke0HTiyC{oXZ(6w3K&Hq9A4J`mSiJ{zh{(N0CpH=@) z-0de9U^ok0)KNnP0PukT0P(-L+swt{U(l@um9(&gIzZi^jt>7f^v?5`gns?k|1I>c z)j4)p=Y9KHSkC_gRTsyck@ce;S_V8bw30I39{sm=w~iyQk1<)0aHB!1E+)9@0#^9fJxR z2w@;%jwFPlYc-gMe@lNIZzN{M_dgBi!%giuVSe1o@n?8h|EYMo5ahMC)W2GD+*?zc$*`U&BDQbF^cA#dSZAsi~8eqe)~Q zR)=om>**aadL&QoI>O4R1gL%!qh6}HZ8``k3fH8{2$Ewg83*}ntIW_#M>w&PR~VCx z5o;jFBdgmaoBp9q0?Umo*%d3OYk_H?x~AtLsqrX{2wPkdT>{0D`$^fd$>9t<%@!L~ z@ToL=TBXj23!xJQ=;igpl>IjXAZ`!XV6w`vy``JgMR@4AD2<~hX(yOg3#r2y)PJh< z8;v}d`cLa=xLWm++QWj#V0i~;cuf({ErM1ONJw<{AOWpa!e7tjk;Ie&ofkpn8scc$ zU||ShS1lOwTz?I46CaUMd>jmerPD~JQglLhSmY|~lO1&-OjST&f6idc2Nxa|U;@$2 z$`+nNm?Jl@p|#l->Ft5fuE@s`qC8&KuH^%|$huO7Sfi=v!;rd9AHzW$^P*F8$u3*3 zbrud|Vo1nVEPMP`aZLv+tM{EP@CIo|j5P`7!b@6YR;^KGGGBc>wrvcKT<*se7oy|&;8QVK9Oj6Dw{MlMPN_eiXv9QSBwNVo+PM$~rd%VAm46NSI$_mu07i9_JMW z#ODu`dlQ~_cnaU4B7k^(nS%y?V(u5Tl>EJM4k~i&+TwPyOri6I^+zwYp7OI0wmKZM z1y?IwhSRBWQ#TR|5&M_xGFtIS(95)+K>~E=+^ifS%Le3uL;(MsY1Xf9cWag7`3}dO z-CHzYxyovnUq;{8OpmYUCkqjn&O9ZTy}LO}@@d?(9DgRjNq*WOE21idFs%K0~zY!G^4y>shPBfXRH#84|Bhh2CZKyW;D`>_w9>1ZfC+ z5k`xj+#I;H|?wxpT!cyc) zUjkRpfoiXT2M-9m5W}M!vQ{YH(Xs(dXlQ`tI{{d)G{u9vtH=p{ivj5Zi{;TZyKmPmw eHNt=5|6zpxLmcIwivj?M|El@lOs4pc?SBCU8O7TG diff --git a/Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/mainTemplate.json b/Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/mainTemplate.json index a538ae42956..38d459febcd 100644 --- a/Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/mainTemplate.json +++ b/Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/mainTemplate.json 
@@ -33,7 +33,7 @@
 "email": "support@data443.com",
 "_email": "[variables('email')]",
 "_solutionName": "Cyren-SentinelOne-ThreatIntelligence",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.0",
 "solutionId": "data443riskmitigationinc1761580347231.azure-sentinel-solution-cyren-s1-ioc-automation",
 "_solutionId": "[variables('solutionId')]",
 "Playbooks": "Playbooks",
@@ -58,7 +58,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "pb-cyren-to-sentinelone Playbook with template version 3.0.1",
+ "description": "pb-cyren-to-sentinelone Playbook with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -153,11 +153,11 @@
 "defaultValue": "https://api-feeds.cyren.com/v1/feed/data"
 },
 "Cyren_IpReputation_JwtToken": {
- "type": "securestring",
+ "type": "string",
 "defaultValue": "[variables('blanks')]"
 },
 "Cyren_MalwareUrl_JwtToken": {
- "type": "securestring",
+ "type": "string",
 "defaultValue": "[variables('blanks')]"
 },
 "SentinelOne_BaseUrl": {
@@ -165,7 +165,7 @@
 "defaultValue": "[variables('blanks')]"
 },
 "SentinelOne_ApiToken": {
- "type": "securestring",
+ "type": "string",
 "defaultValue": "[variables('blanks')]"
 },
 "SentinelOne_AccountId": {
@@ -827,7 +827,7 @@
 "contentSchemaVersion": "3.0.0",
 "displayName": "Cyren-SentinelOne-ThreatIntelligence",
 "publisherDisplayName": "Data443 Risk Mitigation, Inc.",
- "descriptionHtml": "
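Review bot: The new side of hunks `@@ -153,11 +153,11 @@` and `@@ -165,7 +165,7 @@` leaves `Cyren_IpReputation_JwtToken`, `Cyren_MalwareUrl_JwtToken` and `SentinelOne_ApiToken` declared as `"type": "string"`, so the bearer tokens supplied at deployment are recorded in plain text in the deployment's parameter set and are readable by any principal with access to the resource group's deployment history. Because this commit deliberately restores the merge-base state, the weakness is pre-existing rather than introduced here, but it should not be lost: the separate PR named in the commit message should carry `"type": "securestring",` for all three parameters, which is exactly the value the reverted side drops. Until that lands, rotating any token that was already deployed through the `string` variant is the safe assumption, since its value may persist in deployment records.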

Note: Please refer to the following before installing the solution:

\n

\u2022 Review the solution Release Notes

\n

\u2022 There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cyren SentinelOne Threat Intelligence solution polls the Cyren CCF (IP reputation, malware URLs) threat intelligence feed and pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.

\n

Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cyren SentinelOne Threat Intelligence solution polls the Cyren CCF (IP reputation, malware URLs) threat intelligence feed and pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.

\n

Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -874,4 +874,4 @@ } ], "outputs": {} -} \ No newline at end of file +} From 9d420a68f63f80645276f0015ddd5bcd5f3e93ea Mon Sep 17 00:00:00 2001 From: PR Fixer Date: Wed, 8 Apr 2026 07:27:47 -0400 Subject: [PATCH 38/38] fix: address PR review feedback for Vaikora-Sentinel solution - Fix ReleaseNotes.md format: standard headers, DD-MM-YYYY date - Fix Solution_Vaikora.json: correct BasePath to Vaikora-Sentinel - Fix SolutionMetadata.json: remove empty verticals array - Fix analytic rules: sentence case names, descriptions start with Identifies, remove extra single quotes - Fix workbook: add TimeRange filter to Agent ID parameter query - Update mainTemplate.json and repackage 3.0.0.zip with all fixes --- .../Vaikora - Agent Policy Violation.yaml | 5 ++--- ...Vaikora - Behavioral Anomaly Detected.yaml | 5 ++--- .../Vaikora - High Risk AI Agent Action.yaml | 5 ++--- .../Data/Solution_Vaikora.json | 2 +- Solutions/Vaikora-Sentinel/Package/3.0.0.zip | Bin 9942 -> 10025 bytes .../Package/mainTemplate.json | 18 +++++++++--------- Solutions/Vaikora-Sentinel/ReleaseNotes.md | 6 +++--- .../Vaikora-Sentinel/SolutionMetadata.json | 3 +-- .../VaikoraAgentSignalsDashboard.json | 2 +- 9 files changed, 21 insertions(+), 25 deletions(-) diff --git a/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml index 77c466267db..929e07e61b2 100644 --- a/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml +++ b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml 
@@ -1,8 +1,7 @@ id: c3d4e5f6-a7b8-9012-cdef-123456789012 -name: Vaikora - Agent Policy Violation +name: Vaikora - Agent policy violation description: | - 'Detects AI agent actions that were explicitly blocked by a Vaikora policy. - Blocked actions indicate the agent attempted something the configured policy prohibits. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised agent workflow.' + Identifies AI agent actions explicitly blocked by a Vaikora policy. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised workflow. severity: Medium status: Available requiredDataConnectors: diff --git a/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml index 0ef5ffcefe7..7b325d8ac7c 100644 --- a/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml +++ b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml @@ -1,8 +1,7 @@ id: b2c3d4e5-f6a7-8901-bcde-f12345678901 -name: Vaikora - Behavioral Anomaly Detected +name: Vaikora - Behavioral anomaly detected description: | - 'Detects AI agent behavioral anomalies flagged by the Vaikora anomaly detection engine with a score of 0.7 or above. - A high anomaly score indicates the agent is deviating significantly from its established behavioral baseline, which may signal prompt injection, policy bypass attempts, or unexpected tool use.' + Identifies AI agent behavioral anomalies flagged by Vaikora with an anomaly score of 0.7 or above, indicating significant deviation from the agent's established behavioral baseline. severity: Medium status: Available requiredDataConnectors: 
diff --git a/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml index 0041d56cf5f..98f67022453 100644 --- a/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml +++ b/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml @@ -1,8 +1,7 @@ id: a1b2c3d4-e5f6-7890-abcd-ef1234567890 -name: Vaikora - High Risk AI Agent Action +name: Vaikora - High risk AI agent action detected description: | - 'Detects high-risk AI agent actions from Vaikora where the risk score is 75 or above and severity is high or critical. - These events may indicate an AI agent behaving outside safe operational parameters, attempting unauthorized resource access, or triggering policy thresholds that warrant immediate investigation.' + Identifies high-risk AI agent actions from Vaikora where the risk score is 75 or above and severity is high or critical. These events may indicate an agent operating outside safe parameters or triggering policy thresholds. severity: High status: Available requiredDataConnectors: diff --git a/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json b/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json index 78b3483bf2b..b4408c51755 100644 --- a/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json +++ b/Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json @@ -16,7 +16,7 @@ ], "WorkbookDescription": "This workbook provides visualization and monitoring for Vaikora AI agent behavioral signals including action timelines, severity breakdowns, anomaly detection, and policy violations.", "Metadata": "SolutionMetadata.json", - "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\VaikoraSentinel", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-Sentinel", "Version": "3.0.0", "TemplateSpec": true, "Is1Pconnector": false 
diff --git a/Solutions/Vaikora-Sentinel/Package/3.0.0.zip b/Solutions/Vaikora-Sentinel/Package/3.0.0.zip index 6d3ed5daeb27b5679add71648cae5e2ae86bf948..21661684aea8dff9e0056f5ec3bcdc5799779dcb 100644 GIT binary patch delta 3303 zcmZ{nXHe6N(#AvYAV%rs&=sT}6);o*sR~FD1QP;8nuI1K2;omrkRnB-S5X9kV-!Ss z5~UeX5Ri_9VkjnrPUu{{@B8V_y|c5kyEFSdJNxlBa{cuUOB+ij<})A=h#lk$dF*OH zjD8P@fk367yqC>#8A!W5)9(#n(O;Ha%lMY3ypzT^%Ww+YMg} zCQaMLnm}2{FOlh|9KNuV;G|uF%}PUktKDIPYl+_g(a&0h31xoY)G^1@Vh;5zUXG>L z+^agZGfzc6aYS6$Kx@5R8nAf;R@3WPTM!75dqEml82ypho8MS<82pyW-O(X_^SfPk z%q_&2#6LNp?O+*li-vK+=%vwSvtTG-|FpIDU?7yO&(4?@ZEbVr!IAK&esp`oUBHECx&P1-SA$7*7 z(kM5;lf>yUcLD0be7bmY_Oo4Q*#YZbx|OtJz>T%gFX_fLpJU8bV|DnDqrCR#WnR|l zS_`5dF^2tp$>Ek!GIwoWvY>WF+uTUFNN_ep8<;$v<_c#73&hv+S@E;L10%HHufXZ3 z!@I`=7e{M*ClMUS!3!f91ujcUbMr1F_*%|_*9!u|wMxLtg4F<=@NT5`!9x{2oAZI{ zw-$OCA9a`&Xvll^1z%qoEESV?svsOuzaoE$rOnz0lSZhmhoFSe&U_7M$-eUUrgn^qO?B#s{ZyVt0xUpt_iiR&mb8=+2b_H;s?UtDEZ&y{ldM z*rWto^&F$ywG;2A%u6Pt_^a)T1Eiw1F3C0ZR8k70cuf(^X%7~o?XaT>n4)_g0Wy)a1$ zHL+#DBh;ZSc4p`$IX6fo_`@lQ{hPrNH2m}Ly4lyS9Os`edR}N!fK=Wl!XB}7s8z-; z!=I{)2y3Bl@J!1RYpWTA%9K-OdG&dd0-3#Y`WEbt&2?81(&_^N0kAnoq@o{S+QWnE zaCD|g|7de~F zs?C(=Vm;Q6LhiIdvrcyu*q1$v@|2Dn?lZIw%ocPF`P)3I zN~hei8^eqlzqn6m2-zrC{4>W8M)u$8g!l#oIJM)*bPQGKDp@gI99hZ2OiefP&??Ou zg1P;?zwdIcU3&*s4h9@6-T2v#X(I)YjT!uNTb)p!u_#HL*IE|%BqU@`a=_ANZ>g6O z9sXotFz>`XatjgxD48CT2>bz@5zEO95=}oST|qKuVDl(DuJd6K9T{liQdTC0>80BW zF6~-;6&@EW_UyKXz;2j_X&)cRnkDqgw&eBq>V;@hRPauC%ltWF*%moGMkJuXA{=(W9aQ5+gc9xrN)w z!eYpNg31!f*fw9zSoN*t$d#7fy$NxkQI+CX(tE8{5EcQMblqv*sK-XGD8UY7==BZb z14^)#?crF4$_w?3TG;`SWIKi4vn-CDBiqqlXBgh_3yTKO2lro9qx*oYw}5IzQ~vX2 zjK+(`)rz20m&5q6`mIO(w<+YEXGrW8&t=B5eX~bzh%7c4B@q1E%1bMkZ!Z8Sf|YFc z%NXE{^IlMdsbkY2NEQ@Ny!fdj(7BqWSHwNOVSRv61LU!)*n?ENGkRlYfej*1{kplx z8ULVl#6D^K!B%X9HHxs7`NI6LVyz4=2^3X>DXp8^;fvihrDI&#<~pnQ3Q=>hslu%f z*rGp&ul4(*FQ7OMV;38f(EtTFY?pn9J-53T&UvCQ+L?0hWsKFm9{!Mu!}+rIo@kJ9 zNwb5_W7V2zu8CJmB`7_{Vl%GP{Bzoge7%WOM+Ntra|!xSJ#t&*nNi<2G;!<(A?$98 
zMDL@i;ML5!8uru9f^M+zZDNBo)m=ADl_KZALq~i8O^8)0@rz9D1Eoa02fQF|r8lJl zRnM(dkCKntDj1E9?(i|;6`@_Z2z;Rpw~SyBwuGSnk!H=j$CCHi+5oQeizp&e_Hf7; zOt-4(5jb?D5>ULWrH>6g9Y!u@wry|q;)xT}vt{nCh*K4QJDN@(l7r0yLG5yCd+r zmtkZ-t1grBo}9cd0cztUrz(soaXsi8Kk#vbZ~h?g+Exj$LnbA90o=a_doOL)gX=7+a4NFQ## zdH0Lrfs?oV+6&ka+gru8rz3hc?iLXIHQ(&f}K;YM)xXCZ&c1He}&LjMQ_>0M3;Y3MA1XLe^GOIJ9ec7iV?*hu{>oB zx(Q!T#*LEc6=l9=QJ$zFM~l2g8oe{u@^yf`YTvbIk>GUO8>)0mxo^87gW-!NTvqsT zZs;i!z(~63$+|2}Etfe?%MgXiFkh@DX;+8fw@Vee^+*@;G`6rZTW|qeC$m?2V2%-* z($BL$PuGT_cYVdVTDogGY>k72I6hD2RCq<^a-2LA9%#AGRM#E8AR5(^6L=@ms8sk@ zKww5>z74XgY6^VxSL{x97i|AETu&z7iam1@h&{8*AFRNC#U!T>=YG(OfK4MX*-RR=u;=AQ+ar;H^2=x4c zHwXL+U#X9iX4;j!41Qp3-d3)V`zB)?vTnXP$vhH9a1dA7(S>b7p3u}*4@&~`dk>L0 zr%?e8cUQ~4{bcG#;jRXv0vG8qix5{*XDj4$%WZEQ6#HrLO>($ZLHLR>!qL8CkUOYG zid3*zwf0?`+2a}fsUPDrSp$-?@_n(=qM|6O77 Hf2Mx{`N~hJ delta 3274 zcmZ{nXEYm(+s0$BHuh>`*Dh-Bs$HXIi4n1iTCoKwu}3J1h}P<3)1eQKRm85E)l$2S ztyV&)P&EHO|M$cD;XUttpL1X5y3Y0aKId0&G5bKy%8ZJd0{{Tf0~m6WAPoho6$Kyw zfN=@{VEvN@y8FT&dIbgtxQBbm`h^9-{x-w1Aip@ZU^WC_GbW+r1{-8Zq|k)%Emu46 zem-WUo^Z;w$+hQgec`f{81$(8xEP~h2P%|L#P2!Mn-ym$PU}lY{EXI0dG_pW^r{Zkw3mLc5^631_w|p~t!7&bY#Ab;ZrkBJLSwOmTih zs`bXmu=-`rw>p)G@v%)=@O}?})F&$HDA|1NXv0+16^7V@4$7EARO9yMDCA!)_eby6 zxAl(61mw(`#mDeHBf9V+1`tL5E>+TUx21L#H?MvqQf^BMi*Jca+3&O4ap`v<*q_`J zKJ4ddBF3v@DK&Gm;#t5aiJv_tP@Gc8c6R}aIW(p#p!jxY6id~M5<#~st^UE=ZwT6a0x%e#HeO4sE}H1YmLr5J$~wbOKqsMx&W zIr-VDn2~#WH24c^i-N~$Y|8G)SclTUAnmJBZKI_RHI z!|WArh?1aW$l))CRfQT8B~K99p^Hh4-+j<58jLEBy6zahR+FN^?XxTi6?;BuXm35Y zmhO5)@}7Qf%nl}x<6y(y(Nhe07@eCdjtrTh3j>3#4%_{fTt z9{P8U~2h`p|>xKQbU zZsl84ym}vHN9>W7!z{lx?j>J;ZF;C--kY_UdU=yD7ZT5<+?dbrN@?zNPlUfCog$>m zLUeb>SPbt#1R=v2eV+DtsbcZl`Kinh!=|w|w7&|EE1;q?k=DD^-*~3?b)5_q-Pae3 zQju;LoKa7AC4iKwyzd;hGn}pZ5Kp!6SBBGJFVIpc73f4mPi-^_NJvpAi6+}=T>7MN za)q1{VBH-eLFAh^hHNn^coGRg>#BaKqnbu$?WX>T%*A#Ai{^S|`N-viWS!=%s;ZlX)b@eL>>R!b{5VU?(7UdGU+~efHMk@`l`GJ>v>=FJ!HeQ z#Mt#GSsYBE^F}p}$9uu*lG^ zMi8N5$TOr1e4zI(>u%|KEL?rKlZxcUM+oE1BCSOQ`P7X;!PzAAdhBKtawD6hq8YOp 
z)rR%F13*{Xvkiw9G=laYbtv?q#^385W;OLH3wy2~K%H>moT|SX*-i_sNkvw+P^z zxfiDL&NG_&=Rs}u zS4}iMoSKKF1DX;ZERJa9iAR4PJu#@M72aOQ1Lhsvd2wZjEDX%BEToziNq-vAs~1+^ z`npuGjAVAnuq|vBwZ&P zUpCE*D%yj-i{X3azYYZZBAV0T!`JEwsBgTAs2wd?@7Lf^{fsQu5IBu$b9}LAi!{zh z0VZRI{rV^li5~gAYjZGWnw_I!CkIx3BiG=48OsW>CWepo%m?|VuhCf+lu5LRt2i!k z8h>q#Inj4j>n@8sS1VkUyOh2d0}dC|X7Cy=G-6h5tCmPK7bE^^$(E82qCJ^Bu}>e& z$}2EVjumyY#^T`iz3fL}`P$m0u!r8hpI`$#bp}hwt#;FZvgQ)ZM1zTt`L_7&zQ@&X z8yyd{g{_vw9;Up`9ec;R`)>4_c6QZCTPCJ>Jc8rhXF(=ndZl=vd*8P&Jp3Pq9&4<$ zHqNH1GLOdWYI}*E7Hm$aBrMSuyNM>z2wnFM)H_YFA%~<+$1H`$p(8&u2~_U8%}(86 zmsCaFK`K-Eajxz(44u%yXHcQXzxk8YfN2&BZQ@a$t17O!-ZizR@Q_WCnlDezTx4OV zaVvDl+5V`|u4~hJ$oT~vk5heHK}lhjVu!~ga=tFe@ueRb-qsq^N^-qv5QG30ll9ZN z2$qHn&n`dWYu*$neELSnl*icM%%LSuCCHkRC_)i^K|IM~R$LWO7Ky>Y+<@wzo($w%u)WO;qF2(tvXjlTWFJLN zIG_;~0tQpxznq!rD3ALXI&D=Mrp$7wYr=j)ofO$A0m!15V{;`WAtA?%@lT*qg=tx|HOMc8xPfemsE|3>S; zZg&^dgv-B}H%iv}}I%&9$|Pf>>L`Nz#_(^gS1haN(+M&`X|xtkoti@EZBh1deHXJ_R9 z1%y3pB1F1uxGH}c#K;Q(c!qlYp#nQ!121o1m~Xgm5bVE%(0r5cK7%d?)&CC_f4Jhm z6QA&}{2#=yGNYj6pvs>F@m&9(-oH0KVIY51>;{*W84c~fp7PHo|4}Wmf8Boord33_ diff --git a/Solutions/Vaikora-Sentinel/Package/mainTemplate.json b/Solutions/Vaikora-Sentinel/Package/mainTemplate.json index 88c51701dab..e96f81540d0 100644 --- a/Solutions/Vaikora-Sentinel/Package/mainTemplate.json +++ b/Solutions/Vaikora-Sentinel/Package/mainTemplate.json @@ -527,7 +527,7 @@ ], "properties": { "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "displayName": "Vaikora - High Risk AI Agent Action", + "displayName": "Vaikora - High risk AI agent action detected", "contentKind": "AnalyticsRule", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
@@ -542,8 +542,8 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects high-risk AI agent actions from Vaikora where the risk score is 75 or above and severity is high or critical. These events may indicate an AI agent behaving outside safe operational parameters.", - "displayName": "Vaikora - High Risk AI Agent Action", + "description": "Identifies high-risk AI agent actions from Vaikora where the risk score is 75 or above and severity is high or critical. These events may indicate an agent operating outside safe parameters or triggering policy thresholds.", + "displayName": "Vaikora - High risk AI agent action detected", "enabled": false, "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated > ago(1h)\n| where risk_score_d >= 75\n| where severity_s in ('high', 'critical')\n| summarize\n ActionCount = count(),\n MaxRiskScore = max(risk_score_d),\n Actions = make_set(action_type_s),\n PolicyDecisions = make_set(policy_decision_s),\n ResourceTypes = make_set(resource_type_s)\n by AgentId = agent_id_s, RiskLevel = risk_level_s, Severity = severity_s\n| extend\n ActionList = strcat_array(Actions, ', '),\n PolicyList = strcat_array(PolicyDecisions, ', '),\n ResourceList = strcat_array(ResourceTypes, ', ')", "queryFrequency": "PT1H", @@ -654,7 +654,7 @@ ], "properties": { "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "displayName": "Vaikora - Behavioral Anomaly Detected", + "displayName": "Vaikora - Behavioral anomaly detected", "contentKind": "AnalyticsRule", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
@@ -669,8 +669,8 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects AI agent behavioral anomalies flagged by the Vaikora anomaly detection engine with a score of 0.7 or above. A high anomaly score indicates the agent is deviating significantly from its established behavioral baseline.", - "displayName": "Vaikora - Behavioral Anomaly Detected", + "description": "Identifies AI agent behavioral anomalies flagged by Vaikora with an anomaly score of 0.7 or above, indicating significant deviation from the agent's established behavioral baseline.", + "displayName": "Vaikora - Behavioral anomaly detected", "enabled": false, "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated > ago(1h)\n| where is_anomaly_b == true\n| where anomaly_score_d >= 0.7\n| summarize\n AnomalyCount = count(),\n MaxAnomalyScore = max(anomaly_score_d),\n AvgAnomalyScore = avg(anomaly_score_d),\n AnomalyReasons = make_set(anomaly_reason_s),\n ActionTypes = make_set(action_type_s)\n by AgentId = agent_id_s, Severity = severity_s\n| extend\n ReasonList = strcat_array(AnomalyReasons, '; '),\n ActionList = strcat_array(ActionTypes, ', ')", "queryFrequency": "PT30M", @@ -778,7 +778,7 @@ ], "properties": { "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "displayName": "Vaikora - Agent Policy Violation", + "displayName": "Vaikora - Agent policy violation", "contentKind": "AnalyticsRule", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
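Review bot: In hunk `@@ -669,8 +669,8 @@` the rule query filters on `ago(1h)` while `"queryFrequency"` is `"PT30M"`, so every anomaly row is evaluated by two consecutive runs and, unless alert suppression or a matching `queryPeriod` is set outside this hunk, the same AgentId produces duplicate incidents; hunk `@@ -793,8 +793,8 @@` has the same mismatch with `ago(1h)` against `"PT15M"`, which repeats each blocked action in up to four runs. The rewritten descriptions on the new side do not mention the window, so an analyst reading the incident has no hint that the second alert is a replay of the first. Aligning the lookback with the schedule (`| where TimeGenerated > ago(30m)` for the anomaly rule and `ago(15m)` for the policy rule), or removing the `ago()` clause and letting `queryPeriod` bound the window if it is set to match, removes the re-alerting; both enclosing rule objects start and end outside the hunks.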
@@ -793,8 +793,8 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects AI agent actions that were explicitly blocked by a Vaikora policy. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised agent workflow.", - "displayName": "Vaikora - Agent Policy Violation", + "description": "Identifies AI agent actions explicitly blocked by a Vaikora policy. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised workflow.", + "displayName": "Vaikora - Agent policy violation", "enabled": false, "query": "Vaikora_AgentSignals_CL\n| where TimeGenerated > ago(1h)\n| where policy_decision_s == 'block'\n| summarize\n ViolationCount = count(),\n PolicyIds = make_set(policy_id_s),\n ActionTypes = make_set(action_type_s),\n ResourceTypes = make_set(resource_type_s),\n MaxRiskScore = max(risk_score_d)\n by AgentId = agent_id_s\n| extend\n PolicyList = strcat_array(PolicyIds, ', '),\n ActionList = strcat_array(ActionTypes, ', '),\n ResourceList = strcat_array(ResourceTypes, ', ')\n| where ViolationCount >= 1", "queryFrequency": "PT15M", diff --git a/Solutions/Vaikora-Sentinel/ReleaseNotes.md b/Solutions/Vaikora-Sentinel/ReleaseNotes.md index da0ffabe334..8d3bd373556 100644 --- a/Solutions/Vaikora-Sentinel/ReleaseNotes.md +++ b/Solutions/Vaikora-Sentinel/ReleaseNotes.md 
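Review bot: The trailing `| where ViolationCount >= 1` in the query of hunk `@@ -793,8 +793,8 @@` is a no-op, since `count()` after `summarize` is never below 1, so the filter drops nothing yet reads as if a threshold were applied. The description rewritten in this hunk says that repeated violations from the same agent may indicate prompt injection or circumvention, but the rule as written fires on a single blocked action, so description and logic disagree. Either remove the line or set a threshold that expresses the intended tolerance per agent within the window, for example `| where ViolationCount >= 3` (a constructed value to be tuned against the feed), and state that threshold in the description. The enclosing rule object continues outside the hunk.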
@@ -1,3 +1,3 @@ -| Version | Date | Comments | -|---------|------|----------| -| 3.0.0 | 2026-04-03 | Initial release — REST API poller connector, custom Vaikora_AgentSignals_CL table, 3 analytic rules (High Risk Action, Behavioral Anomaly, Policy Violation), and AI agent signals dashboard workbook. | +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|---|---|---| +| 3.0.0 | 03-04-2026 | Initial release. REST API poller connector, custom Vaikora_AgentSignals_CL table, 3 analytic rules (High Risk Action, Behavioral Anomaly, Policy Violation), and AI agent signals dashboard workbook. | diff --git a/Solutions/Vaikora-Sentinel/SolutionMetadata.json b/Solutions/Vaikora-Sentinel/SolutionMetadata.json index 909bb8f12ca..7f8a8e598da 100644 --- a/Solutions/Vaikora-Sentinel/SolutionMetadata.json +++ b/Solutions/Vaikora-Sentinel/SolutionMetadata.json @@ -10,8 +10,7 @@ "domains": [ "Security - Threat Intelligence", "Security - Others" - ], - "verticals": [] + ] }, "support": { "name": "Data443 Risk Mitigation, Inc.", diff --git a/Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json b/Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json index 7b6d75f8f51..15c3d7a72a7 100644 --- a/Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json +++ b/Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json @@ -40,7 +40,7 @@ "name": "AgentId", "label": "Agent ID", "type": 2, - "query": "Vaikora_AgentSignals_CL | summarize by agent_id_s | project value=agent_id_s, label=agent_id_s", + "query": "Vaikora_AgentSignals_CL | where TimeGenerated {TimeRange} | where isnotempty(agent_id_s) | summarize by agent_id_s | project value=agent_id_s, label=agent_id_s", "typeSettings": { "additionalResourceOptions": [ "value::all" ], "showDefault": false