What Changed

This PR is a comprehensive schema realignment of the entire Vaikora-AzureSecurityCenter solution against the actual Vaikora /api/v1/actions API response shape. Five distinct defects in v3.0.0 are corrected.

Security Impact (Visibility and Fidelity)

All v3.0.0 deployments have had complete detection blind spots since installation. Specifically:

  1. Poll_Vaikora_Actions always failed with HTTP 422 – the playbook sent agent_id= (empty string) which the Vaikora API Pydantic validator rejected (uuid_parsing error). Every downstream action was ActionSkipped – no data ever reached Log Analytics.

  2. Send_to_Log_Analytics crashed with InvalidTemplate – replace() was called against title and description fields that do not exist on the actual API response (which returns action-shaped events, not alert-shaped events).

  3. Filter_High_Risk_Actions referenced threat_detected – this field is absent from the API response; the filter could never match.

  4. All three Analytic Rules queried Vaikora_SecurityAlerts_CL – a table the playbook never wrote to. The columns referenced (AlertId_s, Title_s, Description_s, SourceIP_s, UserName_s, etc.) do not exist on the actual ingested data.

  5. Two divergent target tables across install paths – the standalone playbook wrote to Vaikora_SecurityAlerts, the mainTemplate inner playbook wrote to Vaikora_AgentSignals. Neither matched what the Analytic Rules queried.

Per PR discussion: E2E testing on a real Sentinel workspace confirmed all steps now return Succeeded after this fix.

Analytic Rules (3 updated)

All three rules are rewritten against Vaikora_AgentSignals_CL with action-field columns.

Vaikora - High Severity AI Agent Action (was: High Severity Security Alerts)

  • Table: Vaikora_AgentSignals_CL
  • Core logic: where severity_s in ("high", "critical") over 6h window; projects ActionId, AgentId, ActionType, Severity, Status, IsAnomaly, AnomalyScore
  • Entity mapping: Account.Name from agent_id_s (IP, Host, Process mappings removed – these fields do not exist on the API response)

Vaikora - Behavioral Anomaly Detected (was: Anomaly Detection)

  • Table: Vaikora_AgentSignals_CL
  • Core logic: where is_anomaly_b == true and severity_s !in ("high", "critical") over 6h window; orders by anomaly_score_d desc
  • Entity mapping: Account.Name from agent_id_s
  • Previous rule referenced IsAnomaly_b and ThreatDetected_b – only is_anomaly_b exists on the response

Vaikora - Feed Outage Detection

  • Table: Vaikora_AgentSignals_CL (previously Vaikora_SecurityAlerts_CL)
  • Logic unchanged: fires when record count == 0 over 12h; description strings updated to reference correct table name

Playbook

  • Compose_Poll_Endpoint action now builds the URI with an if(empty(parameters('VaikoraAgentId'))) conditional, omitting agent_id entirely when the parameter is blank
  • Parse_Response schema updated to declare actions array (was data) with nullable types on all optional fields
  • Send_to_Log_Analytics body rewritten to action fields: action_id, agent_id, action_type, resource_type, resource_id, status, severity, policy_id, policy_decision, is_anomaly, anomaly_score, anomaly_reason, log_hash, timestamp; is_anomaly wrapped with toLower(string(coalesce(…))) to force true/false JSON serialisation (Logic Apps natively produces True/False which json() refuses to parse)
  • Log-Type header set to Vaikora_AgentSignals (single consistent target table)
  • ARM template: location changed from parameters('location') to resourceGroup().location to satisfy deployment requirements
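The poll-URI handling and the is_anomaly serialisation problem described above, modelled in Python as an added example (this is not the playbook's own Logic Apps expressions); the sample action, base URL and the helper names are constructed for illustration:

```python
"""Added example: models the post-fix Compose_Poll_Endpoint and
Send_to_Log_Analytics behaviour. Sample data is constructed."""
import json
from urllib.parse import urlencode

# The action-shaped fields the fixed playbook writes to Vaikora_AgentSignals.
ACTION_FIELDS = ("action_id", "agent_id", "action_type", "resource_type",
                 "resource_id", "status", "severity", "policy_id",
                 "policy_decision", "is_anomaly", "anomaly_score",
                 "anomaly_reason", "log_hash", "timestamp")

# Constructed sample of one /api/v1/actions event; values are placeholders.
SAMPLE_ACTION = {"action_id": "a-0001", "agent_id": "agent-42",
                 "action_type": "tool_call", "resource_type": "file",
                 "resource_id": "/tmp/x", "status": "completed",
                 "severity": "high", "policy_id": None,
                 "policy_decision": "allow", "is_anomaly": True,
                 "anomaly_score": 0.91, "anomaly_reason": "rate",
                 "log_hash": "deadbeef", "timestamp": "2024-01-01T00:00:00Z"}

def poll_uri(base, agent_id=""):
    """Omit agent_id entirely when blank; sending agent_id= (empty string)
    fails the API's UUID validation with HTTP 422."""
    return base + ("?" + urlencode({"agent_id": agent_id}) if agent_id else "")

def body_text(action, lowercase_bool):
    """Render the Log Analytics body as Logic Apps interpolates it.
    string(coalesce(is_anomaly, false)) yields 'True'/'False' (pre-fix);
    wrapping it in toLower() yields 'true'/'false' (post-fix)."""
    rec = {k: action.get(k) for k in ACTION_FIELDS}
    flag = str(action.get("is_anomaly") or False)  # emulate string(bool)
    if lowercase_bool:
        flag = flag.lower()
    rec["is_anomaly"] = "__FLAG__"
    # The expression result is spliced in raw, not as a quoted string.
    return json.dumps(rec).replace('"__FLAG__"', flag)

def parse_body(text):
    """What json() does with the body: a parsed record, or None on failure."""
    try:
        return json.loads(text)
    except ValueError:
        return None

def is_high_risk(record):
    """Post-fix filter using only fields that exist on the response."""
    return record["severity"] in ("high", "critical") or record["is_anomaly"] is True
```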

Action required: Redeploy or update to v3.0.1 immediately. All existing v3.0.0 deployments have zero Vaikora threat visibility in Microsoft Sentinel.

Affected Files

Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Anomaly Detection.yaml
Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Feed Outage Detection.yaml
Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - High Severity Security Alerts.yaml
Solutions/Vaikora-AzureSecurityCenter/Playbooks/VaikoraToAzureSecurityCenter/azuredeploy.json
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_VaikoraSecurityCenter.json, mainTemplate.json)