What Changed
Vaikora-Sentinel v3.0.1 fixes a complete data ingestion failure in the CCF Data Connector. The v3.0.0 DCR declared a single dynamic column named action, but the Vaikora API returns events with top-level fields (action_type, agent_id, timestamp, severity, etc.). Because CCF auto-maps JSON keys to stream columns by name and no matching column names existed, zero fields landed in the stream.
Security Impact (Visibility & Fidelity)
Deployments running Vaikora-Sentinel v3.0.0 have had a complete ingestion failure for AI agent behavioral signals since installation. Rows appeared in Vaikora_AgentSignals_CL with TimeGenerated populated but every _s column empty — zero actionable security data.
Per PR discussion: “Rows end up in the table with TimeGenerated set but every _s column empty.” This represents a total blind spot for AI agent threat detection in affected environments.
Fix Details
- DCR Stream: Replaced the single dynamic column action with 14 explicit columns matching the Vaikora API response shape (id, agent_id, action_type, resource_type, resource_id, status, severity, policy_id, policy_decision, is_anomaly, anomaly_score, anomaly_reason, log_hash, timestamp)
- Transform KQL: Removed the todynamic(action) wrapper; the transform now projects directly from the top-level columns
- Pattern: Matches working Cyren Threat Intelligence solution architecture
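
A mismatch of this kind can be caught before deployment by comparing the column names in the stream declaration with the keys of a sample event. The following is an added example, not code from the Vaikora-Sentinel solution: the stream name, column types and sample values are assumptions, and the exact-name comparison models the auto-mapping as this page describes it.

```python
# Top-level fields of a Vaikora API event, as listed in the fix details above.
API_FIELDS = ["id", "agent_id", "action_type", "resource_type", "resource_id",
              "status", "severity", "policy_id", "policy_decision", "is_anomaly",
              "anomaly_score", "anomaly_reason", "log_hash", "timestamp"]

STREAM = "Custom-VaikoraExample"  # hypothetical stream name, not from the page

def make_dcr(columns):
    """Build a minimal DCR fragment; `columns` maps column name -> type."""
    cols = [{"name": n, "type": t} for n, t in columns.items()]
    return {"properties": {"streamDeclarations": {STREAM: {"columns": cols}}}}

# v3.0.0 shape: one dynamic column named `action`.
DCR_V300 = make_dcr({"action": "dynamic"})
# v3.0.1 shape: 14 explicit columns (types are placeholders, not from the page).
DCR_V301 = make_dcr({name: "string" for name in API_FIELDS})

# Constructed sample event; every value is made up for illustration.
SAMPLE_EVENT = {
    "id": "evt-0001", "agent_id": "agent-01", "action_type": "file_read",
    "resource_type": "file", "resource_id": "res-42", "status": "completed",
    "severity": "high", "policy_id": "pol-7", "policy_decision": "deny",
    "is_anomaly": True, "anomaly_score": 0.93, "anomaly_reason": "constructed",
    "log_hash": "PLACEHOLDER", "timestamp": "2025-01-01T00:00:00Z",
}

def mapping_report(dcr, event, stream=STREAM):
    """Compare event keys with declared column names (exact, name-based match)."""
    declared = {c["name"] for c in
                dcr["properties"]["streamDeclarations"][stream]["columns"]}
    keys = set(event)
    return {"mapped": sorted(keys & declared),     # fields that reach the stream
            "dropped": sorted(keys - declared),    # event fields with no column
            "unfilled": sorted(declared - keys)}   # columns no event key feeds

def is_blind(report):
    """True when no event field lands in the stream (the v3.0.0 failure)."""
    return not report["mapped"]

if __name__ == "__main__":
    for label, dcr in (("v3.0.0", DCR_V300), ("v3.0.1", DCR_V301)):
        r = mapping_report(dcr, SAMPLE_EVENT)
        print(label, "BLIND" if is_blind(r) else "ok", "dropped:", r["dropped"])
```

Run against a captured API response and the real DCR file, a non-empty "dropped" list or a blind result is a reason to block the release.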
Affected Files
Solutions/Vaikora-Sentinel/Data Connectors/VaikoraSentinel_CCF/Vaikora_DCR.json
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Vaikora.json, mainTemplate.json)