Add Vaikora AI Agent Behavioral Signals — Microsoft Sentinel Solution v1.0.0#13983
mazamizo21 wants to merge 38 commits into Azure:master from
Conversation
Hi @mazamizo21 Kindly package the solution with version 3.0.0. Thanks!
e21e106 to f3ea143
Hi @v-maheshbh — done! Repackaged all 4 Vaikora solutions with version 3.0.0.
…aApiKey) — ARM validates clean
…r Center offer ID)
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a new Vaikora AI Agent Behavioral Signals Microsoft Sentinel solution (connector + detections + workbook) and increments a related solution package version.
Changes:
- Added Vaikora workbook/dashboard for agent-signal visualization.
- Added Vaikora solution metadata, release notes, README, solution data manifest, and 3 analytic rule templates.
- Updated a separate solution package template version and parameter security types (skipped review due to ignored path rules).
Reviewed changes
Copilot reviewed 15 out of 17 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json | New workbook to visualize Vaikora agent signals (queries, parameters, charts, tables). |
| Solutions/Vaikora-Sentinel/SolutionMetadata.json | New solution marketplace metadata (publisher, offer, categories, support). |
| Solutions/Vaikora-Sentinel/ReleaseNotes.md | New release notes for the solution version history. |
| Solutions/Vaikora-Sentinel/README.md | New solution README describing deployment, schema, rules, and support. |
| Solutions/Vaikora-Sentinel/Package/mainTemplate.json | Skipped review (ignored path: Solutions/**/Package/**). |
| Solutions/Vaikora-Sentinel/Package/createUiDefinition.json | Skipped review (ignored path: Solutions/**/Package/**). |
| Solutions/Vaikora-Sentinel/Data/Solution_Vaikora.json | New solution data manifest (components, versioning, metadata reference). |
| Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_Table.json | Skipped review (ignored path: Solutions/**/Data Connectors/**). |
| Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_PollerConfig.json | Skipped review (ignored path: Solutions/**/Data Connectors/**). |
| Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_DCR.json | Skipped review (ignored path: Solutions/**/Data Connectors/**). |
| Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json | Skipped review (ignored path: Solutions/**/Data Connectors/**). |
| Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml | New scheduled analytic rule template for high-risk actions. |
| Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml | New scheduled analytic rule template for anomalies. |
| Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml | New scheduled analytic rule template for blocked actions/policy violations. |
| Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/mainTemplate.json | Skipped review (ignored path: Solutions/**/Package/**). |
| | Version | Date | Comments | | ||
| |---------|------|----------| | ||
| | 3.0.0 | 2026-04-03 | Initial release — REST API poller connector, custom Vaikora_AgentSignals_CL table, 3 analytic rules (High Risk Action, Behavioral Anomaly, Policy Violation), and AI agent signals dashboard workbook. | |
The ReleaseNotes table does not match the required format: it must have exactly 3 columns with headers **Version**, **Date Modified (DD-MM-YYYY)**, **Change History**, and dates must be DD-MM-YYYY (not YYYY-MM-DD). Please reformat this file to the standard ReleaseNotes.md table structure so it passes solution validation tooling.
| | Version | Date | Comments | | |
| |---------|------|----------| | |
| | 3.0.0 | 2026-04-03 | Initial release — REST API poller connector, custom Vaikora_AgentSignals_CL table, 3 analytic rules (High Risk Action, Behavioral Anomaly, Policy Violation), and AI agent signals dashboard workbook. | | |
| | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | | |
| |---|---|---| | |
| | 3.0.0 | 03-04-2026 | Initial release — REST API poller connector, custom Vaikora_AgentSignals_CL table, 3 analytic rules (High Risk Action, Behavioral Anomaly, Policy Violation), and AI agent signals dashboard workbook. | |
| @@ -0,0 +1,3 @@ | |||
| | Version | Date | Comments | | |||
| |---------|------|----------| | |||
| | 3.0.0 | 2026-04-03 | Initial release — REST API poller connector, custom Vaikora_AgentSignals_CL table, 3 analytic rules (High Risk Action, Behavioral Anomaly, Policy Violation), and AI agent signals dashboard workbook. | | |||
The PR title/description calls this “Solution v1.0.0”, but ReleaseNotes uses version 3.0.0. Please align versions across PR description, ReleaseNotes, and the solution data/versioning files so the published solution version is consistent.
| "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\VaikoraSentinel", | ||
| "Version": "3.0.0", | ||
| "TemplateSpec": true, | ||
| "Is1Pconnector": false |
This manifest has multiple schema/validation problems: (1) TemplateSpec must be false for Version 3.*.* solutions (per solution data validation rules), and (2) the required field is Is1PConnector (case-sensitive), but the file uses Is1Pconnector. Additionally, BasePath points to Solutions\\VaikoraSentinel while the folder in this PR is Solutions/Vaikora-Sentinel, which can break file existence validation during packaging.
| "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\VaikoraSentinel", | |
| "Version": "3.0.0", | |
| "TemplateSpec": true, | |
| "Is1Pconnector": false | |
| "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-Sentinel", | |
| "Version": "3.0.0", | |
| "TemplateSpec": false, | |
| "Is1PConnector": false |
| "Name": "VaikoraSentinel", | ||
| "Author": "Data443 Risk Mitigation, Inc. - support@data443.com", | ||
| "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/data443_logo.svg\" width=\"75px\" height=\"75px\">", | ||
| "Description": "The [Vaikora AI Agent Behavioral Signals](https://vaikora.com) solution provides the capability to ingest AI agent behavioral data from the Vaikora API into Microsoft Sentinel using the Codeless Connector Framework (CCF). This solution deploys a REST API poller connector, a custom log table, data collection rules, analytics rules, and a visualization workbook to help security teams monitor AI agent activity, detect behavioral anomalies, and investigate policy violations.", |
The solution Description does not follow the required “Underlying Microsoft Technologies used” pattern (including the dependency/cost/preview disclaimer section and listing dependent technologies with links). Please expand the description to include that standardized section so the solution metadata is complete and consistent with repository requirements.
| ], | ||
| "verticals": [] |
categories.verticals is present but set to an empty array. Per solution metadata guidance, if verticals are not applicable, the verticals field should be omitted entirely (rather than provided empty).
| ], | |
| "verticals": [] | |
| ] |
| name: Vaikora - High Risk AI Agent Action | ||
| description: | | ||
| 'Detects high-risk AI agent actions from Vaikora where the risk score is 75 or above and severity is high or critical. | ||
| These events may indicate an AI agent behaving outside safe operational parameters, attempting unauthorized resource access, or triggering policy thresholds that warrant immediate investigation.' |
The analytic rule name and description don’t match required detection-template conventions: the name should be sentence case (and ideally more specific), and the description must start with “This query searches for …” or “Identifies …”, be <= 255 characters, and should not be wrapped in extra single quotes. Please rewrite the name/description to meet the template schema requirements.
| name: Vaikora - Behavioral Anomaly Detected | ||
| description: | | ||
| 'Detects AI agent behavioral anomalies flagged by the Vaikora anomaly detection engine with a score of 0.7 or above. | ||
| A high anomaly score indicates the agent is deviating significantly from its established behavioral baseline, which may signal prompt injection, policy bypass attempts, or unexpected tool use.' |
The analytic rule name and description violate required rule-format constraints: use sentence case for the name, and update the description to start with “This query searches for …” or “Identifies …”, keep it within 255 characters, and remove the surrounding single quotes (the current quoting will be treated as literal content).
| name: Vaikora - Agent Policy Violation | ||
| description: | | ||
| 'Detects AI agent actions that were explicitly blocked by a Vaikora policy. | ||
| Blocked actions indicate the agent attempted something the configured policy prohibits. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised agent workflow.' |
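Review bot: the description's own signal is "Repeated violations from the same agent", but a rule that fires on every blocked action alerts once per event and gives the analyst no count to act on. If repeated violations are the point, aggregate per agent over the rule's lookback (summarize by the agent ID column with a count threshold) and state the threshold in the description; otherwise drop the "repeated" wording so the description matches a per-event rule.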
The analytic rule description must follow the required template style (start with “This query searches for …” or “Identifies …”, <= 255 characters, no extra quoting). Also consider adjusting the name to sentence case to comply with detection naming requirements.
| "name": "AgentId", | ||
| "label": "Agent ID", | ||
| "type": 2, | ||
| "query": "Vaikora_AgentSignals_CL | summarize by agent_id_s | project value=agent_id_s, label=agent_id_s", |
The Agent ID parameter lookup query has no time filter, which can force a full-table scan as data grows. Please constrain it (for example, filter TimeGenerated to a reasonable lookback window) to keep workbook load times predictable at scale.
| "query": "Vaikora_AgentSignals_CL | summarize by agent_id_s | project value=agent_id_s, label=agent_id_s", | |
| "query": "Vaikora_AgentSignals_CL | where TimeGenerated {TimeRange} | where isnotempty(agent_id_s) | summarize by agent_id_s | project value=agent_id_s, label=agent_id_s", |
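Review bot: `{TimeRange}` in the suggested query only resolves if the workbook declares a time-range parameter named TimeRange earlier in the same parameters step or in a previous one; otherwise the dropdown query fails to parse. Also confirm that `agent_id_s` is the column name declared in Vaikora_Table.json: a table populated through a DCR keeps exactly the column names in that schema, and the `_s` suffix is the legacy Data Collector API convention, so a mismatch would leave this dropdown and the analytic rules querying a column that does not exist.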
Hi @mazamizo21 Kindly review file changes and remove the solution not part of this PR. Thanks!
Reverted all Cyren-SentinelOne-ThreatIntelligence files to merge base state and removed 3.0.1.zip. These changes belong in a separate PR.
- Fix ReleaseNotes.md format: standard headers, DD-MM-YYYY date
- Fix Solution_Vaikora.json: correct BasePath to Vaikora-Sentinel
- Fix SolutionMetadata.json: remove empty verticals array
- Fix analytic rules: sentence case names, descriptions start with Identifies, remove extra single quotes
- Fix workbook: add TimeRange filter to Agent ID parameter query
- Update mainTemplate.json and repackage 3.0.0.zip with all fixes
Hi @v-maheshbh — addressed all feedback: Reviewer comments:
Copilot suggestions fixed:
Ready for re-review.
| "Metadata": "SolutionMetadata.json", | ||
| "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-Sentinel", | ||
| "Version": "3.0.0", | ||
| "TemplateSpec": true, |
For solution version 3.*.*, the repository validation expects TemplateSpec to be false. Set TemplateSpec to false for Version: "3.0.0" to comply with solution-data validation requirements.
| "TemplateSpec": true, | |
| "TemplateSpec": false, |
| "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-Sentinel", | ||
| "Version": "3.0.0", | ||
| "TemplateSpec": true, | ||
| "Is1Pconnector": false |
The field name Is1Pconnector has incorrect casing and will likely be treated as missing the required Is1PConnector property. Rename the property to Is1PConnector (capital 'C') so the solution data file matches the required schema.
| "Is1Pconnector": false | |
| "Is1PConnector": false |
| "Name": "VaikoraSentinel", | ||
| "Author": "Data443 Risk Mitigation, Inc. - support@data443.com", | ||
| "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/data443_logo.svg\" width=\"75px\" height=\"75px\">", | ||
| "Description": "The [Vaikora AI Agent Behavioral Signals](https://vaikora.com) solution provides the capability to ingest AI agent behavioral data from the Vaikora API into Microsoft Sentinel using the Codeless Connector Framework (CCF). This solution deploys a REST API poller connector, a custom log table, data collection rules, analytics rules, and a visualization workbook to help security teams monitor AI agent activity, detect behavioral anomalies, and investigate policy violations.", |
The Solution Description doesn’t include the required 'Underlying Microsoft Technologies used' section and dependency/cost/preview disclaimer structure expected for solution data files. Please expand the description to include that section with the specific dependent technologies (and links) while keeping within the max length constraints.
| "Description": "The [Vaikora AI Agent Behavioral Signals](https://vaikora.com) solution provides the capability to ingest AI agent behavioral data from the Vaikora API into Microsoft Sentinel using the Codeless Connector Framework (CCF). This solution deploys a REST API poller connector, a custom log table, data collection rules, analytics rules, and a visualization workbook to help security teams monitor AI agent activity, detect behavioral anomalies, and investigate policy violations.", | |
| "Description": "The [Vaikora AI Agent Behavioral Signals](https://vaikora.com) solution provides the capability to ingest AI agent behavioral data from the Vaikora API into Microsoft Sentinel using the [Codeless Connector Framework](https://learn.microsoft.com/azure/sentinel/create-codeless-connector).\\n\\n**Underlying Microsoft Technologies used:**\\n\\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\\n\\na. [Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/)\\n\\nb. [Codeless Connector Framework](https://learn.microsoft.com/azure/sentinel/create-codeless-connector)\\n\\nc. [Log Analytics](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-workspace-overview)\\n\\nd. [Data Collection Rules](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview)", |
| @@ -0,0 +1,21 @@ | |||
| { | |||
| "publisherId": "data443riskmitigationinc1761580347231", | |||
The publisherId is not one of the commonly approved publisher IDs (azuresentinel, microsoftsentinelcommunity). If this is a custom publisherId, it must be pre-approved; otherwise, update it to an approved publisherId to avoid ingestion/packaging validation failures.
| "publisherId": "data443riskmitigationinc1761580347231", | |
| "publisherId": "azuresentinel", |
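Review bot: the suggested replacement of publisherId with azuresentinel would publish a Data443-authored solution under Microsoft's publisher and break the link to the Partner Center offer referenced in the commit history above. The Author field in the solution data and the Publisher line in the PR description both name Data443, so for a partner solution the right fix is to keep the partner's publisher ID and have it approved, not to swap it for a default one.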
| @@ -0,0 +1,64 @@ | |||
| id: a1b2c3d4-e5f6-7890-abcd-ef1234567890 | |||
The rule id looks like a placeholder/non-generated GUID (patterned a1b2c3...). Even if it matches GUID formatting, these IDs must be globally unique and not reused; please regenerate using a GUID generator. This also applies to the other two analytic rules in this PR (b2c3d4..., c3d4e5...).
| id: a1b2c3d4-e5f6-7890-abcd-ef1234567890 | |
| id: e46c5588-e643-4a60-a008-5ba9a4c84328 |
| @@ -0,0 +1,64 @@ | |||
| id: a1b2c3d4-e5f6-7890-abcd-ef1234567890 | |||
| name: Vaikora - High risk AI agent action detected | |||
Analytic rule name is expected to be sentence case (capitalize first word and proper nouns only) and avoid punctuation patterns that read like a title. Consider adjusting to sentence case (and optionally removing the dash) for consistency with naming guidance.
| name: Vaikora - High risk AI agent action detected | |
| name: Vaikora high-risk AI agent action detected |
| "WorkbookDescription": "This workbook provides visualization and monitoring for Vaikora AI agent behavioral signals including action timelines, severity breakdowns, anomaly detection, and policy violations.", | ||
| "Metadata": "SolutionMetadata.json", | ||
| "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-Sentinel", | ||
| "Version": "3.0.0", |
PR title/description states solution v1.0.0, but the solution data file sets Version to 3.0.0 (and ReleaseNotes also references 3.0.0). Please align the PR description and the solution versioning strategy so the release version is consistent across metadata, release notes, and solution data.
Vaikora AI Agent Behavioral Signals — Microsoft Sentinel Solution v1.0.0
This PR adds a new Microsoft Sentinel solution that ingests AI agent behavioral signals from the Vaikora platform using the Codeless Connector Framework (CCF).
What's included
Data Connector (CCF RestApiPoller): polls the Vaikora API (GET /api/v1/actions) every 6 hours into the custom Vaikora_AgentSignals_CL table
3 Analytic Rules
Workbook
Package
What is Vaikora?
Vaikora is an AI agent governance platform that monitors, evaluates, and enforces policies on AI agent actions in real time. It provides behavioral profiling, anomaly detection, policy enforcement, and human-in-the-loop approval workflows for AI agent systems.
This connector bridges the gap between AI agent governance and SIEM — enabling security teams to detect AI agents behaving outside safe operational parameters, attempting unauthorized resource access, or triggering policy blocks.
Publisher
Data443 Risk Mitigation, Inc. — support@data443.com
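The review findings above (ReleaseNotes header and date format, TemplateSpec for 3.x versions, the case-sensitive Is1PConnector key, BasePath matching the folder, empty verticals, placeholder rule GUIDs, quoted descriptions without the required opener) are all mechanical and can be caught before the PR is opened. The script below is an added example, not the Azure-Sentinel repository's own validation tooling and not part of the Vaikora solution; its sample inputs are constructed to resemble the PR's first revision and the reviewers' suggested fixes, and the category value and placeholder-GUID heuristic are assumptions of the example.

```python
"""Added example (not the Azure-Sentinel repo's own tooling): the review
findings on this PR expressed as checks to run before submitting a solution."""
import re
import uuid
from datetime import datetime
# Constructed samples modelled on the PR's first revision and on the suggested fixes.
BAD_SOLUTION_DATA = {"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\VaikoraSentinel",
                     "Version": "3.0.0", "TemplateSpec": True, "Is1Pconnector": False}
GOOD_SOLUTION_DATA = {"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-Sentinel",
                      "Version": "3.0.0", "TemplateSpec": False, "Is1PConnector": False}
BAD_RELEASE_NOTES = ("| Version | Date | Comments |\n|---|---|---|\n"
                     "| 3.0.0 | 2026-04-03 | Initial release |\n")
GOOD_RELEASE_NOTES = ("| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |\n"
                      "|---|---|---|\n| 3.0.0 | 03-04-2026 | Initial release |\n")
BAD_RULE = {"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
            "name": "Vaikora - High Risk AI Agent Action",
            "description": "'Detects high-risk AI agent actions from Vaikora.'"}
GOOD_RULE = {"id": "e46c5588-e643-4a60-a008-5ba9a4c84328",
             "name": "Vaikora high-risk AI agent action detected",
             "description": "Identifies Vaikora AI agent actions with a risk score "
                            "of 75 or above and high or critical severity."}
BAD_METADATA = {"publisherId": "data443riskmitigationinc1761580347231",  # category value is assumed
                "categories": {"domains": ["Security - Threat Protection"], "verticals": []}}
GOOD_METADATA = {"publisherId": "data443riskmitigationinc1761580347231",
                 "categories": {"domains": ["Security - Threat Protection"]}}
RELEASE_NOTES_HEADER = ["**Version**", "**Date Modified (DD-MM-YYYY)**", "**Change History**"]
DEFAULT_PUBLISHERS = {"azuresentinel", "microsoftsentinelcommunity"}
# Heuristic (assumption): hand-typed IDs such as a1b2c3d4-... alternate letter/digit; random ones rarely do.
PLACEHOLDER_GUID = re.compile(r"^([a-f][0-9]){4}-", re.IGNORECASE)

def check_solution_data(data: dict, folder_name: str) -> list[str]:
    """Solution data manifest: case-sensitive keys, TemplateSpec false for 3.x, BasePath == folder."""
    problems = []
    if "Is1PConnector" not in data:
        near = [k for k in data if k.lower() == "is1pconnector"]
        problems.append("Is1PConnector missing" + (f" (found {near[0]!r}; keys are case-sensitive)" if near else ""))
    if data.get("Version", "").startswith("3.") and data.get("TemplateSpec") is not False:
        problems.append("TemplateSpec must be false for Version 3.x solutions")
    leaf = data.get("BasePath", "").replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    if leaf != folder_name:
        problems.append(f"BasePath ends in {leaf!r} but the solution folder is {folder_name!r}")
    return problems

def _cells(row: str) -> list[str]:
    return [c.strip() for c in row.strip().strip("|").split("|")]

def check_release_notes(text: str) -> list[str]:
    """ReleaseNotes.md: the exact three-column header and DD-MM-YYYY dates."""
    rows = [r for r in text.splitlines() if r.strip()]
    problems = []
    if not rows or _cells(rows[0]) != RELEASE_NOTES_HEADER:
        problems.append(f"header must be {RELEASE_NOTES_HEADER}")
    for row in rows[2:]:  # rows[1] is the markdown separator
        cells = _cells(row)
        if len(cells) != 3:
            problems.append(f"expected 3 columns, got {len(cells)}: {row!r}")
            continue
        try:
            datetime.strptime(cells[1], "%d-%m-%Y")
        except ValueError:
            problems.append(f"date {cells[1]!r} is not DD-MM-YYYY")
    return problems

def check_rule(rule: dict) -> list[str]:
    """Analytic rule YAML: a generated GUID and an unquoted description with the required opener."""
    problems = []
    rid = rule.get("id", "")
    try:
        uuid.UUID(rid)
    except ValueError:
        problems.append(f"id {rid!r} is not a GUID")
    else:
        if PLACEHOLDER_GUID.match(rid):
            problems.append(f"id {rid!r} looks hand-typed; generate it with uuid.uuid4()")
    desc = rule.get("description", "").strip()
    if desc.startswith("'") or desc.endswith("'"):
        problems.append("description is wrapped in literal single quotes")
    if not desc.startswith(("Identifies", "This query searches for")):
        problems.append("description must start with 'Identifies' or 'This query searches for'")
    if len(desc) > 255:
        problems.append(f"description is {len(desc)} characters, max 255")
    return problems

def check_metadata(meta: dict) -> list[str]:
    """SolutionMetadata.json: omit verticals rather than leaving it empty."""
    cats = meta.get("categories", {})
    return ["categories.verticals is empty; remove the key"] if "verticals" in cats and not cats["verticals"] else []

def needs_publisher_approval(meta: dict) -> bool:
    """A non-default publisherId (e.g. a Partner Center ID) must be pre-approved, not replaced."""
    return meta.get("publisherId") not in DEFAULT_PUBLISHERS

def validate_solution(data, notes, rules, meta, folder_name) -> dict[str, list[str]]:
    report = {"solution data": check_solution_data(data, folder_name),
              "ReleaseNotes.md": check_release_notes(notes),
              "SolutionMetadata.json": check_metadata(meta)}
    report.update({f"rule: {r.get('name', '?')}": check_rule(r) for r in rules})
    return {k: v for k, v in report.items() if v}  # empty dict means nothing to fix
```

Run `validate_solution(...)` over the parsed JSON/YAML of a solution folder and the result is the same list of findings the reviewers produced by hand here; the publisher check is deliberately separate because a partner publisherId is expected for a third-party solution and should be confirmed as registered rather than flagged as wrong.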