What Changed
Complete Microsoft Sentinel solution for the Vaikora AI agent governance platform. Includes a CCF data connector, a custom table, 3 analytic rules, and a workbook for monitoring AI agent behavioral signals.
Data Source
Polls the Vaikora REST API endpoint (GET /api/v1/actions) every 6 hours. Ingests AI agent action data, including policy decisions, risk scores, anomaly detection results, and threat status, into the custom table Vaikora_AgentSignals_CL.
Detection Logic
Vaikora - Agent Policy Violation (Medium severity, 15m frequency):
- Primary data source: Vaikora_AgentSignals_CL
- Core logic: fires when policy_decision_s == "block" — identifies explicit policy violations
- Entity types: Account (mapped to agent_id_s)
Vaikora - Behavioral Anomaly Detected (Medium severity, 30m frequency):
- Core logic: triggers when is_anomaly_b == true and anomaly_score_d >= 0.7 — high-confidence behavioral deviations
- Entity types: Account
Vaikora - High Severity AI Agent Action (High severity, 1h frequency):
- Core logic: fires when severity_s in ("high", "critical") — agent actions exceeding safety thresholds
- Entity types: Account
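To make the three rule conditions above concrete, here is an added reference evaluator (not code from this solution or from Vaikora) that applies the same predicates to constructed sample rows shaped like Vaikora_AgentSignals_CL and returns the Account entity (agent_id_s) each alert would carry. The rows and agent ids are constructed; the comparisons are kept case-sensitive to match KQL `==` and `in`.

```python
"""Reference evaluation of the three Vaikora analytic rules over sample rows.

Added example; field names follow the custom table described above, and
the sample rows below are constructed, not real Vaikora output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    account: str  # Entity type Account, mapped from agent_id_s


# Constructed sample rows in the shape of Vaikora_AgentSignals_CL.
SAMPLE_ROWS = [
    {"agent_id_s": "agent-01", "policy_decision_s": "allow", "is_anomaly_b": False, "anomaly_score_d": 0.10, "severity_s": "low"},
    {"agent_id_s": "agent-02", "policy_decision_s": "block", "is_anomaly_b": False, "anomaly_score_d": 0.35, "severity_s": "medium"},
    {"agent_id_s": "agent-03", "policy_decision_s": "allow", "is_anomaly_b": True, "anomaly_score_d": 0.92, "severity_s": "high"},
    {"agent_id_s": "agent-04", "policy_decision_s": "allow", "is_anomaly_b": True, "anomaly_score_d": 0.55, "severity_s": "critical"},
    {"agent_id_s": "agent-05", "policy_decision_s": "Block"},  # different casing, other columns absent
]


def policy_violation(row):
    # KQL: policy_decision_s == "block"  (== is case-sensitive; "Block" does not match)
    return row.get("policy_decision_s") == "block"


def behavioral_anomaly(row):
    # KQL: is_anomaly_b == true and anomaly_score_d >= 0.7  (a null score never satisfies >=)
    score = row.get("anomaly_score_d")
    return row.get("is_anomaly_b") is True and score is not None and score >= 0.7


def high_severity_action(row):
    # KQL: severity_s in ("high", "critical")  (use in~ in KQL if the API varies casing)
    return row.get("severity_s") in ("high", "critical")


RULES = [
    ("Vaikora - Agent Policy Violation", "Medium", policy_violation),
    ("Vaikora - Behavioral Anomaly Detected", "Medium", behavioral_anomaly),
    ("Vaikora - High Severity AI Agent Action", "High", high_severity_action),
]


def evaluate(rows):
    """Return one Alert per (row, rule) pair whose predicate matches."""
    alerts = []
    for row in rows:
        for name, sev, predicate in RULES:
            if predicate(row):
                alerts.append(Alert(name, sev, row.get("agent_id_s", "<unknown>")))
    return alerts
```

Running `evaluate(SAMPLE_ROWS)` yields four alerts: agent-02 (policy violation), agent-03 (anomaly and high severity), and agent-04 (high severity only, since 0.55 is below the 0.7 anomaly threshold).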
MITRE Mapping
- T1078 (Valid Accounts) — agent authentication abuse
- T1562 (Impair Defenses) — policy circumvention attempts
- T1059 (Command and Scripting Interpreter) — anomalous execution patterns
- T1027 (Obfuscated Files or Information) — behavioral anomalies
- T1548 (Abuse Elevation Control Mechanism) — privilege escalation detection
Detection Surface Unlocked
Enables monitoring of AI agent governance violations including prompt injection attempts, policy circumvention, behavioral anomalies, and unauthorized resource access. Bridges AI governance and SIEM for AI-powered infrastructure security.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/Vaikora_AgentSignals_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Logos/vaikora_logo.svg
Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml
Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml
Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml
Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json
Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_DCR.json
Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_PollerConfig.json
Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_Table.json
Solutions/Vaikora-Sentinel/Package/testParameters.json
Solutions/Vaikora-Sentinel/README.md
Solutions/Vaikora-Sentinel/Workbooks/Images/Preview/VaikoraAgentSignalsDashboardBlack.png
Solutions/Vaikora-Sentinel/Workbooks/Images/Preview/VaikoraAgentSignalsDashboardWhite.png
Solutions/Vaikora-Sentinel/Workbooks/VaikoraAgentSignalsDashboard.json
Workbooks/Images/Logos/vaikora_logo.svg
Workbooks/Images/Preview/VaikoraAgentSignalsDashboardBlack.png
Workbooks/Images/Preview/VaikoraAgentSignalsDashboardWhite.png
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Vaikora.json, createUiDefinition.json, mainTemplate.json)