Add Vaikora AI Agent Behavioral Signals — Microsoft Sentinel Solution v1.0.0

Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml

@@ -0,0 +1,63 @@
+id: c3d4e5f6-a7b8-9012-cdef-123456789012
+name: Vaikora - Agent policy violation
+description: |
+  Identifies AI agent actions explicitly blocked by a Vaikora policy. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised workflow.
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: VaikoraSentinel
+    dataTypes:
+      - Vaikora_AgentSignals_CL
+queryFrequency: 15m
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+  - DefenseEvasion
+relevantTechniques:
+  - T1078
+  - T1562
+query: |
+  Vaikora_AgentSignals_CL
+  | where TimeGenerated > ago(1h)
+  | where policy_decision_s == "block"
+  | summarize
+      ViolationCount = count(),
+      PolicyIds = make_set(policy_id_s),
+      ActionTypes = make_set(action_type_s),
+      ResourceTypes = make_set(resource_type_s),
+      MaxRiskScore = max(risk_score_d),
+      Severities = make_set(severity_s),
+      LogHashes = make_set(log_hash_s)
+    by AgentId = agent_id_s
+  | extend
+      PolicyList = strcat_array(PolicyIds, ", "),
+      ActionList = strcat_array(ActionTypes, ", "),
+      ResourceList = strcat_array(ResourceTypes, ", ")
+  | where ViolationCount >= 1
+suppressionDuration: 15m
+suppressionEnabled: false
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 1h
+    matchingMethod: Selected
+    groupByEntities:
+      - Account
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+customDetails:
+  ViolationCount: ViolationCount
+  PolicyIds: PolicyList
+  ActionTypes: ActionList
+  MaxRiskScore: MaxRiskScore
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AgentId
+version: 1.0.0
+kind: Scheduled

Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml

@@ -0,0 +1,61 @@
+id: b2c3d4e5-f6a7-8901-bcde-f12345678901
+name: Vaikora - Behavioral anomaly detected
+description: |
+  Identifies AI agent behavioral anomalies flagged by Vaikora with an anomaly score of 0.7 or above, indicating significant deviation from the agent's established behavioral baseline.
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: VaikoraSentinel
+    dataTypes:
+      - Vaikora_AgentSignals_CL
+queryFrequency: 30m
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - DefenseEvasion
+  - Execution
+relevantTechniques:
+  - T1059
+  - T1027
+query: |
+  Vaikora_AgentSignals_CL
+  | where TimeGenerated > ago(1h)
+  | where is_anomaly_b == true
+  | where anomaly_score_d >= 0.7
+  | summarize
+      AnomalyCount = count(),
+      MaxAnomalyScore = max(anomaly_score_d),
+      AvgAnomalyScore = avg(anomaly_score_d),
+      AnomalyReasons = make_set(anomaly_reason_s),
+      ActionTypes = make_set(action_type_s)
+    by AgentId = agent_id_s, Severity = severity_s
+  | extend
+      ReasonList = strcat_array(AnomalyReasons, "; "),
+      ActionList = strcat_array(ActionTypes, ", ")
+suppressionDuration: 30m
+suppressionEnabled: false
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 1h
+    matchingMethod: Selected
+    groupByEntities:
+      - Account
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+customDetails:
+  MaxAnomalyScore: MaxAnomalyScore
+  AvgAnomalyScore: AvgAnomalyScore
+  AnomalyCount: AnomalyCount
+  AnomalyReasons: ReasonList
+  ActionTypes: ActionList
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AgentId
+version: 1.0.0
+kind: Scheduled

Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml

@@ -0,0 +1,64 @@
+id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
+name: Vaikora - High risk AI agent action detected
+description: |
+  Identifies high-risk AI agent actions from Vaikora where the risk score is 75 or above and severity is high or critical. These events may indicate an agent operating outside safe parameters or triggering policy thresholds.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: VaikoraSentinel
+    dataTypes:
+      - Vaikora_AgentSignals_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+  - Execution
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1059
+  - T1078
+  - T1548
+query: |
+  Vaikora_AgentSignals_CL
+  | where TimeGenerated > ago(1h)
+  | where risk_score_d >= 75
+  | where severity_s in ("high", "critical")
+  | summarize
+      ActionCount = count(),
+      MaxRiskScore = max(risk_score_d),
+      Actions = make_set(action_type_s),
+      PolicyDecisions = make_set(policy_decision_s),
+      ResourceTypes = make_set(resource_type_s)
+    by AgentId = agent_id_s, RiskLevel = risk_level_s, Severity = severity_s
+  | extend
+      ActionList = strcat_array(Actions, ", "),
+      PolicyList = strcat_array(PolicyDecisions, ", "),
+      ResourceList = strcat_array(ResourceTypes, ", ")
+suppressionDuration: 1h
+suppressionEnabled: false
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 1h
+    matchingMethod: Selected
+    groupByEntities:
+      - Account
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+customDetails:
+  MaxRiskScore: MaxRiskScore
+  ActionCount: ActionCount
+  Actions: ActionList
+  PolicyDecisions: PolicyList
+  ResourceTypes: ResourceList
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AgentId
+version: 1.0.0
+kind: Scheduled

Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json

@@ -0,0 +1,107 @@
+{
+  "name": "VaikoraSentinel",
+  "apiVersion": "2025-09-01",
+  "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+  "location": "{{location}}",
+  "kind": "Customizable",
+  "properties": {
+    "connectorUiConfig": {
+      "id": "VaikoraSentinel",
+      "connectorId": "VaikoraSentinel",
+      "title": "Vaikora AI Agent Behavioral Signals",
+      "publisher": "Data443 Risk Mitigation, Inc.",
+      "descriptionMarkdown": "Ingest AI agent behavioral signals from the Vaikora API into Microsoft Sentinel using the Codeless Connector Framework (CCF). Monitor agent actions, policy decisions, anomaly scores, and risk levels to detect suspicious AI activity in your environment.",
+      "graphQueriesTableName": "Vaikora_AgentSignals_CL",
+      "graphQueries": [
+        {
+          "metricName": "Total Vaikora agent signals received",
+          "legend": "Vaikora Agent Signals",
+          "baseQuery": "Vaikora_AgentSignals_CL"
+        }
+      ],
+      "sampleQueries": [
+        {
+          "description": "High-risk agent actions (last 24 hours)",
+          "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(24h) | where risk_score_d >= 75 | project TimeGenerated, agent_id_s, action_type_s, severity_s, policy_decision_s, risk_score_d, anomaly_score_d"
+        },
+        {
+          "description": "Anomalous agent behavior (last 7 days)",
+          "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(7d) | where is_anomaly_b == true | summarize AnomalyCount=count(), AvgAnomalyScore=avg(anomaly_score_d) by agent_id_s, action_type_s | order by AnomalyCount desc"
+        },
+        {
+          "description": "Blocked policy decisions (last 48 hours)",
+          "query": "Vaikora_AgentSignals_CL | where TimeGenerated >= ago(48h) | where policy_decision_s == 'block' | project TimeGenerated, agent_id_s, action_type_s, resource_type_s, policy_id_s, log_hash_s"
+        }
+      ],
+      "dataTypes": [
+        {
+          "name": "Vaikora_AgentSignals_CL",
+          "lastDataReceivedQuery": "Vaikora_AgentSignals_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+        }
+      ],
+      "connectivityCriteria": [
+        {
+          "type": "HasDataConnectors"
+        }
+      ],
+      "availability": {
+        "status": "Available",
+        "isPreview": false
+      },
+      "permissions": {
+        "resourceProvider": [
+          {
+            "provider": "Microsoft.OperationalInsights/workspaces",
+            "permissionsDisplayText": "Read and write permissions are required.",
+            "providerDisplayName": "Workspace",
+            "scope": "Workspace",
+            "requiredPermissions": {
+              "write": true,
+              "read": true,
+              "delete": false
+            }
+          }
+        ],
+        "customs": [
+          {
+            "name": "Vaikora API Key",
+            "description": "A Vaikora API key (vk_xxxxx) with read access to the actions endpoint. Obtain this from your Vaikora dashboard under Settings > API Keys."
+          }
+        ]
+      },
+      "instructionSteps": [
+        {
+          "title": "Connect Vaikora AI Agent Behavioral Signals",
+          "description": "To enable the Vaikora connector, provide your Vaikora API key and the agent ID you want to monitor, then click Connect.\n\nYour API key is available in the [Vaikora dashboard](https://app.vaikora.com) under **Settings > API Keys**. The agent ID is the UUID shown on your agent's detail page.",
+          "instructions": [
+            {
+              "type": "Textbox",
+              "parameters": {
+                "label": "Vaikora API Key",
+                "placeholder": "vk_xxxxxxxxxxxxxxxxxxxxxxxx",
+                "type": "password",
+                "name": "vaikoraApiKey"
+              }
+            },
+            {
+              "type": "Textbox",
+              "parameters": {
+                "label": "Vaikora Agent ID",
+                "placeholder": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+                "type": "text",
+                "name": "vaikoraAgentId"
+              }
+            },
+            {
+              "type": "ConnectionToggleButton",
+              "parameters": {
+                "connectLabel": "Connect",
+                "name": "connect"
+              }
+            }
+          ]
+        }
+      ]
+    }
+  }
+}

Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_DCR.json

@@ -0,0 +1,50 @@
+{
+  "name": "dcr-vaikora-agent-signals",
+  "apiVersion": "2024-03-11",
+  "type": "Microsoft.Insights/dataCollectionRules",
+  "location": "{{location}}",
+  "properties": {
+    "dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
+    "streamDeclarations": {
+      "Custom-Vaikora_AgentSignals_CL": {
+        "columns": [
+          { "name": "TimeGenerated", "type": "datetime" },
+          { "name": "payload", "type": "dynamic" },
+          { "name": "timestamp", "type": "datetime" },
+          { "name": "action_type_s", "type": "string" },
+          { "name": "agent_id_s", "type": "string" },
+          { "name": "status_s", "type": "string" },
+          { "name": "severity_s", "type": "string" },
+          { "name": "policy_decision_s", "type": "string" },
+          { "name": "policy_id_s", "type": "string" },
+          { "name": "risk_score_d", "type": "int" },
+          { "name": "risk_level_s", "type": "string" },
+          { "name": "is_anomaly_b", "type": "boolean" },
+          { "name": "anomaly_score_d", "type": "real" },
+          { "name": "anomaly_reason_s", "type": "string" },
+          { "name": "threat_detected_b", "type": "boolean" },
+          { "name": "threat_score_d", "type": "int" },
+          { "name": "log_hash_s", "type": "string" },
+          { "name": "resource_type_s", "type": "string" },
+          { "name": "action_id_s", "type": "string" }
+        ]
+      }
+    },
+    "destinations": {
+      "logAnalytics": [
+        {
+          "workspaceResourceId": "{{workspaceResourceId}}",
+          "name": "clv2ws1"
+        }
+      ]
+    },
+    "dataFlows": [
+      {
+        "streams": [ "Custom-Vaikora_AgentSignals_CL" ],
+        "destinations": [ "clv2ws1" ],
+        "transformKql": "source | extend p=todynamic(payload) | extend TimeGenerated=todatetime(timestamp), action_type_s=tostring(p.action_type), agent_id_s=tostring(p.agent_id), status_s=tostring(p.status), severity_s=tostring(p.severity), policy_decision_s=tostring(p.policy_decision), policy_id_s=tostring(p.policy_id), risk_score_d=toint(p.risk_score), risk_level_s=tostring(p.risk_level), is_anomaly_b=tobool(p.is_anomaly), anomaly_score_d=toreal(p.anomaly_score), anomaly_reason_s=tostring(p.anomaly_reason), threat_detected_b=tobool(p.threat_detected), threat_score_d=toint(p.threat_score), log_hash_s=tostring(p.log_hash), resource_type_s=tostring(p.resource_type), action_id_s=tostring(p.id) | project TimeGenerated, action_type_s, agent_id_s, status_s, severity_s, policy_decision_s, policy_id_s, risk_score_d, risk_level_s, is_anomaly_b, anomaly_score_d, anomaly_reason_s, threat_detected_b, threat_score_d, log_hash_s, resource_type_s, action_id_s",
+        "outputStream": "Custom-Vaikora_AgentSignals_CL"
+      }
+    ]
+  }
+}