
Add Vaikora AI Agent Signals to Azure Security Center — Microsoft Sentinel Solution v1.0.0 #13986

Open
mazamizo21 wants to merge 48 commits into Azure:master from mazamizo21:feature/vaikora-azure-security-center-v1.0.0

Conversation

@mazamizo21
Contributor

Vaikora AI Agent Signals to Azure Security Center — Microsoft Sentinel Solution v1.0.0

This PR adds a Logic App playbook solution that polls Vaikora AI agent behavioral signals and creates security alerts in Microsoft Defender for Cloud (Azure Security Center).

What's included

Logic App Playbook (azuredeploy.json)

  • Runs on a configurable schedule (default: every 6 hours)
  • Polls Vaikora GET /api/v1/actions for high-risk + anomalous agent actions
  • Authenticates to Azure using Managed Identity
  • Creates custom security alerts via Defender for Cloud Alerts REST API

3 Analytic Rules

  • High Severity Security Alerts — detects Vaikora critical/high risk AI agent events
  • Behavioral Anomaly Detection — detects anomalous AI agent behavior patterns
  • Feed Outage Detection — alerts when Vaikora signal ingestion stops

Signal Mapping

  • risk_level: critical → Defender alert severity: High
  • risk_level: high → Defender alert severity: Medium
  • is_anomaly: true → alert category: Behavioral
  • threat_detected: true → alert category: Threat Intelligence

Parameters

  • VaikoraApiKey (securestring)
  • VaikoraAgentId
  • SubscriptionId (Azure subscription for Defender for Cloud)
  • WorkspaceResourceGroup
  • WorkspaceName

Publisher

Data443 Risk Mitigation, Inc. — support@data443.com

@mazamizo21 mazamizo21 requested review from a team as code owners April 3, 2026 06:56
@v-shukore v-shukore self-assigned this Apr 3, 2026
@v-shukore v-shukore added the New Solution For new Solutions which are new to Microsoft Sentinel label Apr 3, 2026
@mazamizo21 mazamizo21 force-pushed the feature/vaikora-azure-security-center-v1.0.0 branch from 6c546b5 to f3ea143 on April 3, 2026 14:59
@mazamizo21
Contributor Author

Hi @v-maheshbh — done! Repackaged with version 3.0.0. Package/3.0.0.zip is now included. Thanks!

Taz Jack added 5 commits April 3, 2026 12:13
…ntId1), parentId bracket, arm-ttk clean (47-48/49 matching Cyren baseline)
Vaikora GET /api/v1/actions returns {actions:[...], total:N} not bare array.
Fix For_Each 'from' to extract ?['actions'] from envelope.

Fixes VaikoraToAzureSecurityCenter azuredeploy.json + mainTemplate.json (PR Azure#13986).
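As an added example, not code from this PR, from the Logic App template, or from the Vaikora/Data443 project: the Python below sketches the playbook's core logic in a form that can be run and unit-tested offline. It covers the Signal Mapping table in the PR description (risk_level critical/high to Defender severity High/Medium, is_anomaly to a Behavioral category, threat_detected to a Threat Intelligence category) and the envelope shape called out in the commit message above (GET /api/v1/actions returns {"actions": [...], "total": N}, not a bare array), and approximates the Feed Outage analytic rule as a staleness check on the newest action timestamp. The field names risk_level, is_anomaly and threat_detected come from the PR text; the id and timestamp fields, the alert dictionary shape, the default severity for unmapped risk levels, the 12-hour outage window and the sample response are all assumptions made for the example, and the output is a generic record rather than the Defender for Cloud Alerts REST API schema.

```python
"""Added example: Vaikora envelope parsing, signal-to-alert mapping and a
feed-staleness check. Not the PR's code; see the lead-in for assumptions."""
import json
from datetime import datetime, timedelta, timezone

# Mapping from the PR description: critical -> High, high -> Medium.
SEVERITY_MAP = {"critical": "High", "high": "Medium"}
# Assumed: risk levels outside the mapping that still qualify (anomalies) land here.
DEFAULT_SEVERITY = "Low"
# Assumed outage window; the PR only says the feed rule fires when ingestion stops.
OUTAGE_WINDOW = timedelta(hours=12)

# Constructed sample response, shaped like the envelope in the commit message.
# The id/timestamp field names are assumptions.
SAMPLE_RESPONSE = json.dumps({
    "actions": [
        {"id": "a1", "risk_level": "critical", "is_anomaly": False,
         "threat_detected": True, "timestamp": "2026-04-03T06:00:00Z"},
        {"id": "a2", "risk_level": "high", "is_anomaly": True,
         "threat_detected": False, "timestamp": "2026-04-03T06:10:00Z"},
        {"id": "a3", "risk_level": "low", "is_anomaly": False,
         "threat_detected": False, "timestamp": "2026-04-03T06:20:00Z"},
        {"id": "a4", "risk_level": "medium", "is_anomaly": True,
         "threat_detected": False, "timestamp": "2026-04-03T06:30:00Z"},
    ],
    "total": 4,
})


def extract_actions(body: str) -> list:
    """Unwrap the {actions: [...], total: N} envelope.

    The commit message notes the earlier template read the body as a bare
    array, so a bare array is still accepted; anything else is rejected
    rather than silently iterated over the wrong thing.
    """
    data = json.loads(body)
    if isinstance(data, list):
        return data
    if isinstance(data, dict) and isinstance(data.get("actions"), list):
        return data["actions"]
    raise ValueError("unexpected Vaikora response shape")


def is_interesting(action: dict) -> bool:
    """The playbook forwards high-risk or anomalous actions only."""
    return action.get("risk_level") in SEVERITY_MAP or bool(action.get("is_anomaly"))


def to_alert(action: dict, agent_id: str) -> dict:
    """Apply the Signal Mapping; the record layout is an assumption."""
    categories = []
    if action.get("is_anomaly"):
        categories.append("Behavioral")
    if action.get("threat_detected"):
        categories.append("Threat Intelligence")
    return {
        "source": "Vaikora",
        "agentId": agent_id,
        "actionId": action.get("id"),
        "severity": SEVERITY_MAP.get(action.get("risk_level"), DEFAULT_SEVERITY),
        "categories": categories or ["Other"],
        "timestamp": action.get("timestamp"),
    }


def feed_is_stale(actions: list, now: datetime, max_gap: timedelta = OUTAGE_WINDOW) -> bool:
    """Approximates the Feed Outage rule: no action newer than now - max_gap."""
    newest = None
    for a in actions:
        ts = datetime.fromisoformat(a["timestamp"].replace("Z", "+00:00"))
        if newest is None or ts > newest:
            newest = ts
    return newest is None or (now - newest) > max_gap


def run(body: str, agent_id: str = "agent-demo", now: datetime = None) -> dict:
    """One polling cycle: unwrap, filter, map, and check feed freshness."""
    actions = extract_actions(body)
    alerts = [to_alert(a, agent_id) for a in actions if is_interesting(a)]
    now = now or datetime.now(timezone.utc)
    return {"alerts": alerts, "feed_stale": feed_is_stale(actions, now)}


if __name__ == "__main__":
    print(json.dumps(run(SAMPLE_RESPONSE), indent=2))
```

The staleness check runs over the polled batch, whereas the PR's third analytic rule runs in the workspace over what the playbook actually ingested; the two agree only when every polled batch is written successfully, which is the failure mode the rule is meant to catch.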
@v-shukore
Contributor

Hi @mazamizo21, you have accidentally added multiple solutions in this PR; please remove them all and keep the relevant solution in this PR. Thanks!

@v-shukore
Contributor

Hi @mazamizo21, please resolve branch conflicts. Thanks!
