Add Vaikora AI Agent Signals to CrowdStrike — Microsoft Sentinel Solution v1.0.0 #13984
mazamizo21 wants to merge 51 commits into Azure:master from
Conversation
Hi @mazamizo21 Thanks!
7d68c28 to f3ea143
Hi @v-maheshbh — done! Repackaged with version 3.0.0.
…aApiKey) — ARM validates clean
…rams/vars, fix location
…ntId1), parentId bracket, arm-ttk clean (47-48/49 matching Cyren baseline)
…c App (playbook was invisible in Sentinel Automation tab)
…ntion, param casing
Vaikora GET /api/v1/actions returns {actions:[...], total:N} not bare array.
Fix For_Each 'from' expression to extract ?['actions'].
Fixes VaikoraToCrowdStrike_Playbook.json + mainTemplate.json (PR Azure#13984).
Same fix applied to vaikora-sentinelone-azure cf4bfa8 and
vaikora-azure-security-center via separate commit.
Hi @mazamizo21 Kindly review the file changes and remove the solution that is not part of this PR. Thanks!
Reverted Cyren-SentinelOne-ThreatIntelligence package files back to upstream master. These changes were accidentally included and don't belong in the Vaikora CrowdStrike solution PR.
These changes belong in a separate PR. Reverting Solution data, Playbook, ReleaseNotes, and package zip back to upstream master.
Restoring Cyren-SentinelOne-ThreatIntelligence to the exact state from before this branch. Removes 3.0.1.zip, reverts Solution data, Playbook, mainTemplate, and ReleaseNotes. These changes belong in their own separate PR.
Hi @v-maheshbh — removed the Cyren-SentinelOne-ThreatIntelligence files that were accidentally included. The PR now only contains the Vaikora-CrowdStrike-ThreatIntelligence solution (v3.0.0). Ready for re-review.
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds a new Microsoft Sentinel solution that deploys a Logic App playbook to poll Vaikora AI agent signals and create corresponding Custom IOCs in CrowdStrike Falcon.
Changes:
- Added solution metadata, release notes, and README documentation for the Vaikora → CrowdStrike integration.
- Added a standalone Logic App ARM template playbook that polls Vaikora and posts indicators to CrowdStrike.
- Added Content Hub packaging assets and a solution manifest for solution deployment.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| Solutions/Vaikora-CrowdStrike-ThreatIntelligence/SolutionMetadata.json | Defines publisher/offer metadata and support details for the solution. |
| Solutions/Vaikora-CrowdStrike-ThreatIntelligence/ReleaseNotes.md | Captures the version history for the solution release. |
| Solutions/Vaikora-CrowdStrike-ThreatIntelligence/README.md | Documents purpose, mapping, parameters, and deployment steps. |
| Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/VaikoraToCrowdStrike_Playbook.json | Implements the polling + indicator push workflow as an ARM-deployable Logic App. |
| Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/mainTemplate.json | Content Hub packaging template (not reviewed per repo guidelines for Solutions/**/Package/**). |
| Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/createUiDefinition.json | Content Hub UI definition (not reviewed per repo guidelines for Solutions/**/Package/**). |
| Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Data/Solution_VaikoraCrowdStrike.json | Solution manifest describing included content and solution properties. |
| @@ -0,0 +1,21 @@ | |||
| { | |||
| "publisherId": "data443riskmitigationinc1761580347231", | |||
| "offerId": "vaikora-crowdstrike-connector", | |||
offerId does not appear to meet the Partner/Community rule that it must contain the keyword "sentinel". This will fail validation/publishing checks; rename it to include "sentinel" (and keep it <= 50 chars, using only allowed characters for Partner tier).
| "offerId": "vaikora-crowdstrike-connector", | |
| "offerId": "vaikora-crowdstrike-sentinel-connector", |
| ], | ||
| "verticals": [] |
categories.verticals is set to an empty array. If verticals are not applicable, the field should be omitted entirely (instead of present-but-empty) to align with solution metadata conventions and avoid schema/validation issues.
| ], | |
| "verticals": [] | |
| ] |
| **Version** | **Date Modified (DD-MM-YYYY)**| **ChangeHistory** | ||
| |------------|-------------------------------|-------------------------------------------------------------------------------------------| | ||
| | 3.0.0 | 02-04-2026 | Initial release. Polls Vaikora AI agent signals every 6 hours and pushes high/critical risk actions and anomaly detections as Custom IOCs to CrowdStrike Falcon. Severity mapping: critical→prevent, high→detect, medium/low→detect. Dynamic IOC type detection (ipv4/url/domain). Conditional tags: ai-agent-anomaly, ai-threat-detected. externalId set to vaikora-{action_id} for deduplication. | |
The ReleaseNotes table does not match the required format (missing leading/trailing pipes, header names must be exactly **Change History**, and the separator row should be |---|---|---|). Update the markdown to a 3-column table with the exact required headers: | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |.
| **Version** | **Date Modified (DD-MM-YYYY)**| **ChangeHistory** | |
| |------------|-------------------------------|-------------------------------------------------------------------------------------------| | |
| | 3.0.0 | 02-04-2026 | Initial release. Polls Vaikora AI agent signals every 6 hours and pushes high/critical risk actions and anomaly detections as Custom IOCs to CrowdStrike Falcon. Severity mapping: critical→prevent, high→detect, medium/low→detect. Dynamic IOC type detection (ipv4/url/domain). Conditional tags: ai-agent-anomaly, ai-threat-detected. externalId set to vaikora-{action_id} for deduplication. | | |
| | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | | |
| |---|---|---| | |
| | 3.0.0 | 02-04-2026 | Initial release. Polls Vaikora AI agent signals every 6 hours and pushes high/critical risk actions and anomaly detections as Custom IOCs to CrowdStrike Falcon. Severity mapping: critical→prevent, high→detect, medium/low→detect. Dynamic IOC type detection (ipv4/url/domain). Conditional tags: ai-agent-anomaly, ai-threat-detected. externalId set to vaikora-{action_id} for deduplication. | |
| **Solution ID:** azure-sentinel-solution-vaikora-crowdstrike | ||
| **Version:** 1.0.0 |
The README states version 1.0.0, while the solution artifacts in this PR use 3.0.0 (e.g., ReleaseNotes and solution manifest). Align the version across README/ReleaseNotes/solution data (or update the PR title/description if 3.0.0 is intentional) to avoid conflicting published metadata.
| @@ -0,0 +1,14 @@ | |||
| { | |||
| "Name": "Vaikora-CrowdStrike-AIAgentSecurity", | |||
Multiple solution data validation issues:
- `Name` contains hyphens; solution Name must be alphanumeric characters and spaces only, and should match the solution folder naming expectations.
- `BasePath` points to `Vaikora-CrowdStrike-AIAgentSecurity`, but the folder in this PR is `Solutions/Vaikora-CrowdStrike-ThreatIntelligence`; this mismatch will break file resolution during validation/packaging.
- For `Version` 3.0.0, `TemplateSpec` must be `false` per solution packaging rules.
- Property name should be `Is1PConnector` (case-sensitive); `Is1Pconnector` will be treated as a missing required field.
| "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-CrowdStrike-AIAgentSecurity", | ||
| "Version": "3.0.0", | ||
| "TemplateSpec": true, | ||
| "Is1Pconnector": false |
| "Content-Type": "application/x-www-form-urlencoded", | ||
| "User-Agent": "data443-vaikora-crowdstrike/1.0" | ||
| }, | ||
| "body": "client_id=@{parameters('CrowdStrike_ClientId')}&client_secret=@{parameters('CrowdStrike_ClientSecret')}" |
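Review bot: the client secret is interpolated straight into this HTTP action's body, so it will be recorded in the Logic App run-history inputs unless the action's runtimeConfiguration enables secureData for inputs and outputs, and it will be echoed in deployment history unless the CrowdStrike_ClientSecret template parameter is declared as securestring; please confirm both in the parts of the template not shown in this hunk.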
The OAuth2 form body is constructed without URL-encoding client_id / client_secret. If either contains characters like +, &, or =, the token request can fail or be parsed incorrectly. Build the form body using URL encoding (e.g., encode each value before concatenation).
| "body": "client_id=@{parameters('CrowdStrike_ClientId')}&client_secret=@{parameters('CrowdStrike_ClientSecret')}" | |
| "body": "client_id=@{encodeUriComponent(parameters('CrowdStrike_ClientId'))}&client_secret=@{encodeUriComponent(parameters('CrowdStrike_ClientSecret'))}" |
| "Succeeded" | ||
| ] | ||
| }, | ||
| "inputs": "@if(or(not(empty(item()?['ip_address'])), not(empty(item()?['target_ip']))), 'ipv4', if(or(not(empty(item()?['url'])), not(empty(item()?['target_url']))), 'url', 'domain'))" |
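Review bot: the first branch labels any non-empty ip_address/target_ip as 'ipv4', so an IPv6 address would be posted under the wrong indicator type; check the literal (for example for a ':') and emit 'ipv6' in that case. This expression should also test the fields in exactly the same priority order as Compose_IOC_Value, otherwise an action that carries more than one field can get its type from one field and its value from another.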
Compose_IOC_Value can resolve to log_hash while Compose_IOC_Type will still fall back to domain, which can create invalid/wrongly-typed CrowdStrike indicators. Either remove log_hash from the value coalesce chain, or add explicit hash-type detection (e.g., sha256/sha1/md5) and map it to the correct CrowdStrike indicator type.
| "inputs": "@if(or(not(empty(item()?['ip_address'])), not(empty(item()?['target_ip']))), 'ipv4', if(or(not(empty(item()?['url'])), not(empty(item()?['target_url']))), 'url', 'domain'))" | |
| "inputs": "@if(or(not(empty(item()?['ip_address'])), not(empty(item()?['target_ip']))), 'ipv4', if(or(not(empty(item()?['url'])), not(empty(item()?['target_url']))), 'url', if(not(empty(item()?['log_hash'])), if(equals(length(item()?['log_hash']), 64), 'sha256', if(equals(length(item()?['log_hash']), 40), 'sha1', if(equals(length(item()?['log_hash']), 32), 'md5', 'domain'))), 'domain')))" |
| "Post_IOC_to_CrowdStrike": { | ||
| "type": "Http", | ||
| "runAfter": { | ||
| "Compose_IOC_Value": [ | ||
| "Succeeded" | ||
| ], |
The flow posts an indicator for every filtered action, but there is no guard to ensure Compose_IOC_Value is non-empty. If an action matches the filter via is_anomaly=true but has none of the IOC fields, the CrowdStrike API call will be made with an empty/null value and likely fail. Add a conditional check (or enhance the query filter) to skip posting when the IOC value is empty.
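As an added illustration (not code from this PR, from Vaikora or from Data443), the mapping the playbook expresses as Logic App expressions is restated in Python so the review points above can be checked together: type and value are derived from the same field (a log_hash can no longer be labelled domain), hash types are detected by length, IPv6 is distinguished from IPv4, and actions with no IOC field are skipped instead of posted. Assumptions: the sample response and action values are constructed; the indicator field names (type, value, action, tags, externalId) follow the release notes' wording rather than a verified CrowdStrike schema; the conditions for the two tags are assumed.

```python
import ipaddress
import re

# Constructed sample in the {actions: [...], total: N} shape the commit message
# describes; per-action field names follow the reviewed playbook expressions.
SAMPLE_RESPONSE = {"total": 4, "actions": [
    {"action_id": "a1", "risk_level": "critical", "is_anomaly": False, "ip_address": "203.0.113.7"},
    {"action_id": "a2", "risk_level": "high", "is_anomaly": True, "ip_address": "2001:db8::1"},
    {"action_id": "a3", "risk_level": "high", "is_anomaly": False, "log_hash": "A" * 64},
    {"action_id": "a4", "risk_level": "medium", "is_anomaly": True},  # anomaly, no IOC field
]}

# Severity mapping from the release notes: critical -> prevent, everything else -> detect.
SEVERITY_TO_ACTION = {"critical": "prevent", "high": "detect", "medium": "detect", "low": "detect"}
HASH_TYPES = {64: "sha256", 40: "sha1", 32: "md5"}  # hex length -> indicator type
HEX = re.compile(r"^[0-9a-fA-F]+$")


def ioc_type_and_value(action):
    """Return (type, value) for one action, or None when it carries no usable IOC."""
    # Type and value come from the same field, so unlike two separate Compose
    # expressions they cannot disagree (e.g. a log_hash posted as 'domain').
    ip = action.get("ip_address") or action.get("target_ip")
    if ip:
        try:
            return ("ipv6" if ipaddress.ip_address(ip).version == 6 else "ipv4", ip)
        except ValueError:
            return None  # malformed IP literal: skip rather than post a bad indicator
    url = action.get("url") or action.get("target_url")
    if url:
        return ("url", url)
    h = action.get("log_hash") or ""
    if HEX.match(h) and len(h) in HASH_TYPES:
        return (HASH_TYPES[len(h)], h.lower())
    return None


def build_indicators(response):
    """Filter high/critical or anomalous actions and build one indicator payload each."""
    out = []
    for act in response.get("actions", []):  # the body is an object, not a bare array
        if act.get("risk_level") not in ("high", "critical") and not act.get("is_anomaly"):
            continue
        tv = ioc_type_and_value(act)
        if tv is None:  # the guard the review asks for: never post an empty value
            continue
        tags = ["ai-threat-detected"] + (["ai-agent-anomaly"] if act.get("is_anomaly") else [])
        out.append({"type": tv[0], "value": tv[1], "tags": tags,
                    "action": SEVERITY_TO_ACTION.get(act.get("risk_level"), "detect"),
                    "externalId": f"vaikora-{act['action_id']}"})
    return out
```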
Vaikora AI Agent Signals to CrowdStrike — Microsoft Sentinel Solution v1.0.0
This PR adds a Logic App playbook solution that polls Vaikora AI agent behavioral signals and pushes high-severity indicators as Custom IOCs to CrowdStrike Falcon.
What's included
Logic App Playbook (VaikoraToCrowdStrike_Playbook.json)
- GET /api/v1/actions for high-risk + anomalous agent actions
- POST /iocs/entities/indicators/v1
Signal Mapping
Parameters
Publisher
Data443 Risk Mitigation, Inc. — support@data443.com