What Changed

New Microsoft Sentinel solution (v3.0.0) that integrates Vaikora AI agent behavioral signals with Microsoft Defender for Cloud. The solution includes a Logic App playbook for automated data ingestion and three Analytic Rules for threat detection.

Solution Components

Logic App Playbook (VaikoraToAzureSecurityCenter)

  • Polls the Vaikora API every 6 hours for high-risk and anomalous agent actions
  • Authenticates to Azure services with a Managed Identity
  • Ingests filtered signals into Vaikora_SecurityAlerts_CL custom table
  • Creates security alerts via Defender for Cloud Alerts REST API

Three Analytic Rules

  • High Severity Security Alerts: Detects critical/high severity AI agent events with immediate threat indicators
  • Behavioral Anomaly Detection: Identifies statistical anomalies in agent behavior that fall below the critical thresholds but still merit investigation
  • Feed Outage Detection: Monitors for data ingestion failures (12+ hour gaps) indicating connectivity or authentication issues
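The outage rule is the one of the three that has to fire on the absence of data, which a plain filter cannot do: a `where` over zero rows returns zero rows. The following is an added KQL example of how such a check can be written, not the solution's own rule; it uses the Vaikora_SecurityAlerts_CL table name and the 12-hour gap from this PR, while the 7-day lookback is an assumption.

```kql
// Added example, not the solution's own analytic rule.
// Table name and 12h gap come from the PR; the 7d lookback is assumed.
let OutageThreshold = 12h;
let Lookback = 7d;
Vaikora_SecurityAlerts_CL
| where TimeGenerated > ago(Lookback)
// summarize without a 'by' clause over an empty input still returns one row
// (count = 0, max = null), so the rule can fire even when the table is silent
| summarize LastIngested = max(TimeGenerated), EventsInWindow = count()
// no rows at all in the window: treat the whole window as the gap
| extend LastIngested = coalesce(LastIngested, ago(Lookback))
| extend Gap = now() - LastIngested
| where Gap >= OutageThreshold
| project LastIngested, EventsInWindow, GapHours = datetime_diff('hour', now(), LastIngested)
```

Scheduled hourly, this produces a single result row only while the gap persists, which keeps the incident count at one per outage rather than one per missed poll.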

Detection Surface Unlocked

This solution provides visibility into AI agent security risks including:

  • Malware activity detection by AI agents
  • Intrusion attempt identification
  • Policy violation monitoring
  • Behavioral baseline deviation alerts
  • Agent compromise indicators

The solution maps agent events to multiple MITRE ATT&CK tactics including Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.

Entity Mappings

All Analytic Rules include comprehensive entity mappings for:

  • IP addresses (source and destination)
  • Host identifiers
  • User accounts
  • Process names
  • File paths

This enables full incident enrichment and correlation with other security data sources in Microsoft Sentinel.

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/Vaikora_SecurityAlerts_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Anomaly Detection.yaml
Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Feed Outage Detection.yaml
Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - High Severity Security Alerts.yaml
Solutions/Vaikora-AzureSecurityCenter/Playbooks/VaikoraToAzureSecurityCenter/azuredeploy.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_VaikoraSecurityCenter.json, createUiDefinition.json, mainTemplate.json)