Add Vaikora AI Agent Signals to SentinelOne — Microsoft Sentinel Solution v1.0.0#13985
mazamizo21 wants to merge 52 commits into Azure:master from
Hi @v-maheshbh — done! Repackaged with version 3.0.0.
…aApiKey) — ARM validates clean
…rams/vars, fix location
…ntId1), parentId bracket, arm-ttk clean (47-48/49 matching Cyren baseline)
…ment fix (same as Cyren-SentinelOne PR Azure#13990)
…ated response
Vaikora API returns a paginated envelope: {"actions": [...], "total": N, ...}
not a bare array. Filter_High_Severity_Or_Anomaly was passing the whole object
to the 'from' property, which expects an array and failed with:
"The 'from' property value in the 'query' action is of type 'Object'."
Fix: changed 'from' to @Body('Get_Vaikora_Actions')?['actions']
Also fixes in same pass:
- Added workspace-name variable (was missing, caused template ref errors)
- playbookContentId1: "Playbooks" -> "VaikoraToSentinelOne_Playbook"
- PlaybookName defaultValue: "pb-vaikora-to-sentinelone" -> "VaikoraToSentinelOne_Playbook"
- Parameter casing: VaikoraApiKey/VaikoraAgentId -> vaikoraApiKey/vaikoraAgentId
- displayName: "Playbooks" -> "VaikoraToSentinelOne_Playbook"
- Rebuilt 3.0.0.zip
E2E tested: Logic App deployed to rg-vaikora-test, triggered, 6 anomaly IOCs
pushed to SentinelOne TI API (source: "Vaikora AI Agent Security (Data443)")
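The transformation this commit fixes, written out as an added Python example (not the playbook's own code): unwrap the paginated envelope, keep high-risk or anomalous actions, map `risk_score` to the SentinelOne severity bands the README documents, and build the IOC POST body with `filter.accountIds`. The `is_anomaly` field name, the risk threshold of 71 and the `{"filter": ..., "data": [...]}` body layout are assumptions; unlike the README's `agent_id + action_type` fallback, actions without a valid SHA256 `log_hash` are skipped rather than pushed as a SHA256 indicator.

```python
import json
import re

# Constructed sample of the Vaikora paginated envelope from the commit message:
# the actions live under "actions", not at the top level of the response body.
SAMPLE_ENVELOPE = json.dumps({
    "actions": [
        {"agent_id": "agent-01", "action_type": "exec", "risk_score": 92,
         "is_anomaly": False, "log_hash": "a" * 64},
        {"agent_id": "agent-02", "action_type": "read", "risk_score": 12,
         "is_anomaly": True, "log_hash": "b" * 64},
        {"agent_id": "agent-03", "action_type": "write", "risk_score": 40,
         "is_anomaly": False, "log_hash": "c" * 64},
        {"agent_id": "agent-04", "action_type": "exec", "risk_score": 99,
         "is_anomaly": False},  # no log_hash: cannot be a SHA256 indicator
    ],
    "total": 4, "page": 1,
})

HIGH_RISK_THRESHOLD = 71  # assumption: "high severity" starts at S1 severity 5
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Severity bands from the README mapping: (inclusive upper risk_score, S1 severity).
SEVERITY_BANDS = [(30, 2), (50, 3), (70, 4), (85, 5), (95, 6), (100, 7)]


def map_severity(risk_score):
    """Map a Vaikora risk_score (0-100) to a SentinelOne severity (2-7)."""
    score = max(0, min(100, int(risk_score)))
    for upper, severity in SEVERITY_BANDS:
        if score <= upper:
            return severity
    return 7


def build_ioc_payload(envelope_json, account_ids):
    """Unwrap the envelope, filter actions and build the SentinelOne IOC body."""
    envelope = json.loads(envelope_json)
    actions = envelope.get("actions") or []  # missing/null key -> empty list
    iocs = []
    for action in actions:
        score = action.get("risk_score", 0)
        if score < HIGH_RISK_THRESHOLD and not action.get("is_anomaly"):
            continue
        log_hash = action.get("log_hash", "")
        if not SHA256_RE.match(log_hash):  # drop rather than mislabel as SHA256
            continue
        iocs.append({"value": log_hash.lower(), "type": "SHA256",
                     "source": "Vaikora AI Agent Security (Data443)",
                     "method": "EQUALS", "severity": map_severity(score)})
    # filter.accountIds is required by SentinelOne for IOC writes (PR Notes).
    return {"filter": {"accountIds": list(account_ids)}, "data": iocs}
```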
Hi @mazamizo21, accidentally you have added multiple solutions in this PR, please remove them all and clean the solution. Thanks!
…plate compatibility
Reverted to merge base state and removed 3.0.1.zip.
- ReleaseNotes.md: standard table format with DD-MM-YYYY dates
- SolutionMetadata.json: remove empty verticals array
Hi @v-shukore — cleaned up the PR:
Ready for re-review.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a new Microsoft Sentinel solution that deploys a Logic App playbook to poll Vaikora agent actions and push mapped indicators into SentinelOne Threat Intelligence.
Changes:
- Added solution packaging metadata (SolutionMetadata, Solution_*.json) and initial Release Notes/README.
- Added a Logic App playbook ARM template that polls Vaikora and posts IOCs to SentinelOne.
- Added Content Hub packaging templates under Package/ (skipped from review per repo guidelines).
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| Solutions/Vaikora-SentinelOne-ThreatIntelligence/SolutionMetadata.json | Defines offer/publisher metadata, categories, and support info for the solution. |
| Solutions/Vaikora-SentinelOne-ThreatIntelligence/ReleaseNotes.md | Adds initial release notes entry for the solution version. |
| Solutions/Vaikora-SentinelOne-ThreatIntelligence/README.md | Documents solution behavior, mapping, parameters, and deployment steps. |
| Solutions/Vaikora-SentinelOne-ThreatIntelligence/Playbooks/VaikoraToSentinelOne_Playbook.json | Implements the scheduled Vaikora poll + SentinelOne IOC push workflow. |
| Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/mainTemplate.json | Skipped from review (ignored path per repo guidelines). |
| Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/createUiDefinition.json | Skipped from review (ignored path per repo guidelines). |
| Solutions/Vaikora-SentinelOne-ThreatIntelligence/Data/Solution_VaikoraSentinelOne.json | Declares solution composition (playbooks), versioning, and required solution metadata. |
| | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | | ||
| |---|---|---| | ||
| | 3.0.0 | 02-04-2026 | Initial release. Polls Vaikora AI Agent Security API every 6 hours for high-severity and anomaly actions, pushes IOCs to SentinelOne Threat Intelligence API. SHA256 IOC type from log_hash, risk score severity mapping (0-100 to SentinelOne 2-7), STAR rule auto-creation, Content Hub ready. | |
ReleaseNotes.md table rows start with a double pipe (||), which adds an extra empty column and violates the required 3-column structure. Remove the extra leading | so each row begins with a single pipe and the table has exactly 3 columns.
| @@ -0,0 +1,3 @@ | |||
| | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | | |||
| |---|---|---| | |||
| | 3.0.0 | 02-04-2026 | Initial release. Polls Vaikora AI Agent Security API every 6 hours for high-severity and anomaly actions, pushes IOCs to SentinelOne Threat Intelligence API. SHA256 IOC type from log_hash, risk score severity mapping (0-100 to SentinelOne 2-7), STAR rule auto-creation, Content Hub ready. | | |||
The PR title/description states “Microsoft Sentinel Solution v1.0.0”, but the Release Notes introduce version 3.0.0. Either update the PR title/description to match 3.0.0, or change the solution/release notes versions to 1.0.0 so they’re consistent.
| @@ -0,0 +1,14 @@ | |||
| { | |||
| "Name": "Vaikora-SentinelOne-ThreatIntelligence", | |||
The Name field must contain only alphanumeric characters and spaces. Update this to a display name like Vaikora SentinelOne Threat Intelligence (and keep the folder name independent if needed).
| "Name": "Vaikora-SentinelOne-ThreatIntelligence", | ||
| "Author": "Data443 Risk Mitigation, Inc. - support@data443.com", | ||
| "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/data443_logo.svg\" width=\"75px\" height=\"75px\">", | ||
| "Description": "The Vaikora SentinelOne Threat Intelligence solution polls the Vaikora AI Agent Security API for high-severity and anomaly actions and pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.", |
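Review bot: the Logo field points at Workbooks/Images/Logos/data443_logo.svg on the master branch, but no logo file appears among the files changed in this PR (see the reviewed-files table above), so the Content Hub tile will render a broken image unless that asset already exists in the repository; confirm it is present on master or add it in this PR.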
The solution Description does not follow the required “Underlying Microsoft Technologies used” structure (including dependency/cost/preview disclaimers where applicable). Please expand this description to meet the Solution data file description requirements.
| "Description": "The Vaikora SentinelOne Threat Intelligence solution polls the Vaikora AI Agent Security API for high-severity and anomaly actions and pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.", | |
| "Description": "The Vaikora SentinelOne Threat Intelligence solution for Microsoft Sentinel polls the Vaikora AI Agent Security API for high-severity and anomaly actions and pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Microsoft Sentinel Playbooks](https://learn.microsoft.com/azure/sentinel/automation/playbooks)\n\nb. [Azure Logic Apps](https://learn.microsoft.com/azure/logic-apps/logic-apps-overview)", |
| "TemplateSpec": true, | ||
| "Is1Pconnector": false |
For solution data files, version 3.*.* must have "TemplateSpec": false. Also, the field name must be exactly "Is1PConnector" (capital “C”)—"Is1Pconnector" may be ignored by tooling. Set TemplateSpec to false and correct the property name to Is1PConnector.
| "TemplateSpec": true, | |
| "Is1Pconnector": false | |
| "TemplateSpec": false, | |
| "Is1PConnector": false |
| @@ -0,0 +1,20 @@ | |||
| { | |||
| "publisherId": "data443riskmitigationinc1761580347231", | |||
publisherId format is valid, but it is not one of the commonly approved IDs (azuresentinel, microsoftsentinelcommunity). If this is intended as a custom publisher ID, it typically needs prior approval/registration; otherwise solution ingestion/validation may fail. Consider using an approved publisher ID or confirm the custom ID is pre-approved.
| "publisherId": "data443riskmitigationinc1761580347231", | |
| "publisherId": "microsoftsentinelcommunity", |
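Review bot: the suggested microsoftsentinelcommunity publisherId would not match the Author field ("Data443 Risk Mitigation, Inc.") in the solution data file; if Data443 is the publishing party, keep a Data443 publisher ID and confirm it is the one registered for this publisher rather than switching to the community ID, which attributes the offer to a different publisher.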
| ] | ||
| }, | ||
| "inputs": { | ||
| "from": "@body('Get_Vaikora_Actions')", |
The Query action’s from must be an array. As written, @body('Get_Vaikora_Actions') is likely an object (common pattern is { actions: [...] }), which will cause the filter to fail at runtime. Update from to target the actions array (for example, @body('Get_Vaikora_Actions')?['actions']) to match the expected API shape.
| "from": "@body('Get_Vaikora_Actions')", | |
| "from": "@body('Get_Vaikora_Actions')?['actions']", |
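Review bot: `?['actions']` only removes the failure when the key is present; the safe-navigation operator returns null when the envelope has no `actions` member (an empty page or an error body), and a null `from` fails the Query action with the same type error. Pass an empty array in that case, for example `@coalesce(body('Get_Vaikora_Actions')?['actions'], json('[]'))`, so a response without actions ends the run cleanly instead of failing the filter.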
| "location": "[parameters('location')]", | ||
| "tags": { | ||
| "hidden-SentinelTemplateName": "VaikoraToSentinelOne", | ||
| "hidden-SentinelTemplateVersion": "1.0.0", |
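Review bot: besides the version, `hidden-SentinelTemplateName` is `VaikoraToSentinelOne` while the commit message above renames playbookContentId1 and displayName to `VaikoraToSentinelOne_Playbook`; Sentinel uses this tag to associate a deployed Logic App with its content template, so use the same identifier in the tag, the content id and the display name.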
The playbook’s hidden-SentinelTemplateVersion is 1.0.0, while the solution/release notes are using 3.0.0. This mismatch can make troubleshooting and version tracking difficult in Sentinel. Align the playbook tag version with the solution/package version you intend to ship.
| "hidden-SentinelTemplateVersion": "1.0.0", | |
| "hidden-SentinelTemplateVersion": "3.0.0", |
| | `log_hash` | `value` | Falls back to `agent_id + action_type` | | ||
| | (fixed) | `type` | SHA256 | | ||
| | (fixed) | `source` | Vaikora AI Agent Security (Data443) | | ||
| | (fixed) | `method` | EQUALS | | ||
| | `risk_score` | `severity` | 0-30→2, 31-50→3, 51-70→4, 71-85→5, 86-95→6, 96-100→7 | |
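Review bot: the `value` row falls back to `agent_id + action_type` when `log_hash` is absent while `type` is fixed to SHA256, so any action without a hash is pushed to SentinelOne as a SHA256 indicator whose value is not a hash; it can never match and shows up as malformed threat intelligence. Skip actions without a 64-hex `log_hash` (or emit them under an indicator type that fits the value) instead of falling back.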
The PR description states IOC type is IPV4/IPV6 and a different severity mapping (75–89 → 5, 90+ → 7), but the README (and playbook) describe fixed SHA256 and a 6-band mapping with thresholds at 31/51/71/86/96. Update the PR description to match the implemented behavior, or adjust the implementation/docs to match the stated intent.
Vaikora AI Agent Signals to SentinelOne — Microsoft Sentinel Solution v1.0.0
This PR adds a Logic App playbook solution that polls Vaikora AI agent behavioral signals and pushes high-severity indicators as Threat Intelligence IOCs to SentinelOne.
What's included
Logic App Playbook (VaikoraToSentinelOne_Playbook.json)
- GET /api/v1/actions for high-risk + anomalous agent actions
- POST /web/api/v2.1/threat-intelligence/iocs
Signal Mapping
Parameters
Notes
- filter.accountIds in POST body (S1 enforcement requirement)
Publisher
Data443 Risk Mitigation, Inc. — support@data443.com