What Changed

The Get_Vaikora_Actions HTTP action in the VaikoraToSentinelOne_Playbook.json playbook previously built its URI by unconditionally concatenating agent_id= into the query string. When VaikoraAgentId was left blank (the documented monitor-all-agents mode), the request became:

GET https://api.vaikora.com/api/v1/actions?agent_id=&per_page=100

The Vaikora API's Pydantic validator rejected the empty string with HTTP 422 (uuid_parsing error). Because that HTTP action failed on every run, every downstream action in the playbook was skipped (status ActionSkipped), so zero IOCs were ever pushed to SentinelOne Threat Intelligence on deployments where VaikoraAgentId was left blank.

Security Impact

Every v3.0.0 deployment running in the default monitor-all-agents mode has ingested no IOCs at all since install: SentinelOne Threat Intelligence received no indicators from Vaikora, so the detection coverage this solution is meant to provide was absent.

The fix introduces a Compose_Poll_Endpoint action that evaluates if(empty(parameters('VaikoraAgentId')), ...) before building the URI; the HTTP action then reads the composed value as its uri:

  • Blank VaikoraAgentId: …/actions?per_page=100 (no agent_id segment)
  • Populated VaikoraAgentId: …/actions?agent_id=[UUID]&per_page=100 (unchanged behaviour)

The arm-ttk rule URIs Should Be Properly Constructed prohibits calling concat() or format() directly inside an HTTP action's uri property, so the string building is moved into a Compose action whose output the HTTP action references. This pattern is the correct workaround and was verified against a live Vaikora workspace, which returned HTTP 200.
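As an added example (not code from the solution or the playbook), the following Python reproduces the bug and the fix outside Logic Apps: both URI builders, an assumed mock of the API's UUID validation that returns the 422 uuid_parsing error for an empty agent_id, and a simplified stand-in for the arm-ttk check run over constructed workflow-definition fragments. The mock endpoint, its error-body shape, the definition JSON and find_uri_string_building are assumptions for illustration, not the Vaikora API or the arm-ttk code.

```python
"""Added example, not code from the Vaikora/SentinelOne solution: reproduces the
v3.0.0 poll-URI bug and the v3.0.1 fix, with a mock of the API-side validation
and a pre-deploy check for concat()/format() in HTTP uri properties."""
from __future__ import annotations

import uuid
from urllib.parse import parse_qs, urlsplit

BASE = "https://api.vaikora.com/api/v1/actions"  # endpoint quoted in the release note


def build_poll_uri_v300(agent_id: str) -> str:
    """v3.0.0 behaviour: agent_id= is appended unconditionally, even when blank."""
    return f"{BASE}?agent_id={agent_id}&per_page=100"


def build_poll_uri_v301(agent_id: str) -> str:
    """v3.0.1 behaviour: drop the agent_id segment when the parameter is blank.
    Mirrors if(empty(parameters('VaikoraAgentId')), ...) in the Compose action;
    empty() is true for both null and '' in Logic Apps expressions."""
    if not agent_id:
        return f"{BASE}?per_page=100"
    return f"{BASE}?agent_id={agent_id}&per_page=100"


def mock_actions_endpoint(uri: str) -> tuple[int, dict]:
    """Assumed stand-in for the Vaikora API's Pydantic validation: agent_id is an
    optional UUID query parameter, so a present-but-empty value is a uuid_parsing
    error (422). Returns (status, body); the body shape is constructed here."""
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)  # keep "agent_id="
    if "agent_id" in query:
        raw = query["agent_id"][0]
        try:
            uuid.UUID(raw)
        except ValueError:
            return 422, {"detail": [{"loc": ["query", "agent_id"],
                                     "type": "uuid_parsing", "input": raw}]}
    return 200, {"data": [], "per_page": int(query.get("per_page", ["100"])[0])}


def find_uri_string_building(definition: dict) -> list[str]:
    """Simplified, assumed re-implementation of what the arm-ttk rule
    'URIs Should Be Properly Constructed' flags (not the arm-ttk code): HTTP
    actions whose uri expression calls concat() or format() directly."""
    flagged = []
    for name, action in definition.get("actions", {}).items():
        if action.get("type") != "Http":
            continue
        uri = action.get("inputs", {}).get("uri", "")
        if "concat(" in uri or "format(" in uri:
            flagged.append(name)
    return flagged


# Constructed, minimal workflow-definition fragments; the action names follow the
# release note, the surrounding JSON is illustrative and not the real playbook.
DEFINITION_V300 = {"actions": {
    "Get_Vaikora_Actions": {"type": "Http", "inputs": {
        "method": "GET",
        "uri": "@concat('" + BASE + "?agent_id=', parameters('VaikoraAgentId'), '&per_page=100')"}}}}

DEFINITION_V301 = {"actions": {
    "Compose_Poll_Endpoint": {"type": "Compose", "inputs":
        "@if(empty(parameters('VaikoraAgentId')), '" + BASE + "?per_page=100', "
        "concat('" + BASE + "?agent_id=', parameters('VaikoraAgentId'), '&per_page=100'))"},
    "Get_Vaikora_Actions": {"type": "Http",
        "inputs": {"method": "GET", "uri": "@outputs('Compose_Poll_Endpoint')"},
        "runAfter": {"Compose_Poll_Endpoint": ["Succeeded"]}}}}


def poll_status(builder, agent_id: str) -> int:
    """Status the mock API returns for the URI a given builder produces."""
    return mock_actions_endpoint(builder(agent_id))[0]


if __name__ == "__main__":
    for mode, agent in (("blank (monitor all)", ""), ("single agent", str(uuid.uuid4()))):
        print(mode, "v3.0.0 ->", poll_status(build_poll_uri_v300, agent),
              "| v3.0.1 ->", poll_status(build_poll_uri_v301, agent))
    print("arm-ttk-style flags, v3.0.0:", find_uri_string_building(DEFINITION_V300))
    print("arm-ttk-style flags, v3.0.1:", find_uri_string_building(DEFINITION_V301))
```

The keep_blank_values=True in the mock is the point that matters when reproducing this by hand: a query parser that silently drops empty parameters hides exactly the agent_id= segment that the real API rejects.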

Action required: Redeploy or update to v3.0.1 immediately if running v3.0.0 with VaikoraAgentId left blank, then confirm in the Logic App run history that Get_Vaikora_Actions succeeds and that the downstream actions are no longer skipped.

Affected Files

Solutions/Vaikora-SentinelOne-ThreatIntelligence/Playbooks/VaikoraToSentinelOne_Playbook.json
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_VaikoraSentinelOne.json, mainTemplate.json)