What Changed
The Get_Vaikora_Actions HTTP action in VaikoraToCrowdStrike_Playbook.json previously hardcoded agent_id= into the polling URI unconditionally. When VaikoraAgentId was left empty (the documented monitor-all-agents mode), the request sent an empty agent_id parameter, and the Vaikora API Pydantic validator rejected it with HTTP 422: uuid_parsing error, Input should be a valid UUID, invalid length: expected length 32 for simple format, found 0.
Every downstream action - Filter_High_Priority_Actions, For_Each_Action, Post_IOC_to_CrowdStrike - was skipped. Zero IOCs reached CrowdStrike Falcon.
Fix
A new Compose_Poll_Endpoint action now builds the URI conditionally using if(empty(…)), omitting the agent_id segment entirely when the parameter is blank. The Get_Vaikora_Actions HTTP action now references the composed output instead of building the URI inline. This also satisfies arm-ttk URIs Should Be Properly Constructed rule, which rejects conditional concat() expressions directly in HTTP uri fields.
When VaikoraAgentId is supplied, the URL is unchanged: …/actions?agent_id=UUID&per_page=100. When empty: …/actions?per_page=100.
Security Impact
Any deployment running v3.0.0 with VaikoraAgentId left blank has had complete IOC pipeline failure since installation. High and critical-risk AI agent behavioral signals from Vaikora have not been pushed to CrowdStrike Falcon as Custom IOCs. Deployments configured with a specific agent UUID are unaffected - the URI is unchanged when the parameter is populated.
Affected deployments should redeploy the v3.0.1 playbook immediately to restore Threat Intelligence flow into CrowdStrike Falcon.
Affected Files
Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Playbooks/VaikoraToCrowdStrike_Playbook.json
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_VaikoraCrowdStrike.json, mainTemplate.json)