Vaikora-AzureSecurityCenter v3.0.2 — align playbook + rules with Vaikora /actions API schema#14367
Closed
mazamizo21 wants to merge 2 commits into
Conversation
added 2 commits
May 28, 2026 12:33
…ikoraAgentId is empty

Poll_Vaikora_Actions used a queries object that always sent agent_id, even when VaikoraAgentId was empty. The resulting URL was /actions?agent_id=&per_page=100, which the Vaikora API rejects with HTTP 422 (Pydantic cannot parse '' as a UUID). Fix switches the action from a queries object to URI concatenation with an if(empty(...)) guard so the agent_id segment is omitted entirely when blank.

Verified end-to-end against api.vaikora.com on a real Sentinel workspace: Poll_Vaikora_Actions now returns 200 OK with URL https://api.vaikora.com/api/v1/actions?per_page=100.

arm-ttk local: 49/49 pass on Package/3.0.1.zip. 3.0.0.zip retained per repo policy.

Known follow-up flagged in PR description: a separate schema mismatch (Send_to_Log_Analytics in standalone playbook builds an alert-shaped JSON body that the Vaikora API does not return; analytic rules query a different table name than the playbook writes to). That deserves its own v3.0.2 PR after this URI fix lands.
…ra /actions API schema

The 3.0.1 PR fixed the agent_id query param. End-to-end testing surfaced a deeper schema mismatch: the standalone playbook assumed an alert-shaped response (title, description, source_ip, destination_ip, source_host, destination_host, process_name, user_name, file_path, threat_detected, confidence_score, created_at, updated_at) while the Vaikora /api/v1/actions endpoint returns action-shaped events (action_type, agent_id, severity, policy_decision, is_anomaly, anomaly_score, anomaly_reason, log_hash, timestamp).

Concrete symptoms in 3.0.1:
- Send_to_Log_Analytics crashed with InvalidTemplate because replace() ran against null fields.
- Filter_High_Risk_Actions referenced threat_detected which does not exist on the response.
- Three analytic rules queried Vaikora_SecurityAlerts_CL with column names (AlertId_s, Title_s, etc.) that the playbook never wrote.
- Standalone playbook wrote to Vaikora_SecurityAlerts; mainTemplate inner playbook wrote to Vaikora_AgentSignals. Same solution shipped two divergent target tables.

This PR aligns everything on the action-field schema and the Vaikora_AgentSignals_CL table:
- Standalone playbook Send_to_Log_Analytics body rewritten to action fields with coalesce guards on nullable booleans/numbers; Log-Type set to Vaikora_AgentSignals.
- Standalone Parse_Response schema updated to declare the real response shape.
- Standalone Filter_High_Risk_Actions drops the threat_detected check.
- mainTemplate inner playbook Filter mirrors the same fix.
- All three analytic rules (Vaikora - High severity AI agent action, Vaikora - Behavioral anomaly detected, Vaikora - Feed outage detection) rewritten to query Vaikora_AgentSignals_CL with action-field columns. entityMappings reduced to mapping agent_id to Account.Name. alertDetailsOverride placeholders updated and kept under the 3-placeholder cap.
- Solution description updated to reference Vaikora_AgentSignals_CL.

arm-ttk local: 49/49 pass on Package/3.0.2.zip. 3.0.0.zip and 3.0.1.zip retained per repo policy.

Pairs with PR Azure#14366 (v3.0.1 agent_id fix); v3.0.2 depends on v3.0.1 merging first or being folded in.
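Added illustration, not the JSON of this PR or of the Vaikora solution: a Logic App `actions` fragment showing the two fixes the commit messages describe, the `if(empty(...))` URI guard on Poll_Vaikora_Actions (so a blank VaikoraAgentId never produces `agent_id=`) and a Send_to_Log_Analytics body built from the action-field schema with coalesce guards, written under Log-Type Vaikora_AgentSignals. Assumptions: VaikoraAgentId is a workflow parameter, the endpoint returns a top-level JSON array, the filter criteria and the Compose_Signal / For_each_action names are mine; Parse_Response, the trigger and authentication headers are omitted.

```json
{
  "Poll_Vaikora_Actions": {
    "type": "Http",
    "inputs": {
      "method": "GET",
      "uri": "@{concat('https://api.vaikora.com/api/v1/actions?per_page=100', if(empty(parameters('VaikoraAgentId')), '', concat('&agent_id=', parameters('VaikoraAgentId'))))}"
    },
    "runAfter": {}
  },
  "Filter_High_Risk_Actions": {
    "type": "Query",
    "inputs": {
      "from": "@body('Poll_Vaikora_Actions')",
      "where": "@or(equals(item()?['severity'], 'high'), equals(coalesce(item()?['is_anomaly'], false), true))"
    },
    "runAfter": { "Poll_Vaikora_Actions": ["Succeeded"] }
  },
  "For_each_action": {
    "type": "Foreach",
    "foreach": "@body('Filter_High_Risk_Actions')",
    "runAfter": { "Filter_High_Risk_Actions": ["Succeeded"] },
    "actions": {
      "Compose_Signal": {
        "type": "Compose",
        "inputs": {
          "action_type": "@{coalesce(items('For_each_action')?['action_type'], '')}",
          "agent_id": "@{coalesce(items('For_each_action')?['agent_id'], '')}",
          "severity": "@{coalesce(items('For_each_action')?['severity'], 'unknown')}",
          "policy_decision": "@{coalesce(items('For_each_action')?['policy_decision'], '')}",
          "is_anomaly": "@coalesce(items('For_each_action')?['is_anomaly'], false)",
          "anomaly_score": "@coalesce(items('For_each_action')?['anomaly_score'], 0)",
          "anomaly_reason": "@{coalesce(items('For_each_action')?['anomaly_reason'], '')}",
          "log_hash": "@{coalesce(items('For_each_action')?['log_hash'], '')}",
          "timestamp": "@{coalesce(items('For_each_action')?['timestamp'], utcNow())}"
        },
        "runAfter": {}
      },
      "Send_to_Log_Analytics": {
        "type": "ApiConnection",
        "inputs": {
          "host": { "connection": { "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" } },
          "method": "post",
          "path": "/api/logs",
          "headers": { "Log-Type": "Vaikora_AgentSignals" },
          "body": "@{outputs('Compose_Signal')}"
        },
        "runAfter": { "Compose_Signal": ["Succeeded"] }
      }
    }
  }
}
```

The bare `@coalesce(...)` forms (no braces) keep `is_anomaly` and `anomaly_score` typed as boolean and number, so the Data Collector API creates `is_anomaly_b` and `anomaly_score_d` columns in Vaikora_AgentSignals_CL for the analytic rules to query; wrapping them in `@{...}` would stringify them into `_s` columns.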
Contributor
Author
Closing in favor of folding the schema-alignment changes into #14366 (the v3.0.1 PR) so this solution ships a single consolidated v3.0.1 instead of two version bumps under review at the same time. I'll force-push the consolidated v3.0.1 branch shortly and update the #14366 description. Sorry for the noise.
Summary
This PR is the schema-alignment follow-up flagged in #14366. It depends on #14366 (v3.0.1) merging first or being folded in.
The 3.0.0 solution shipped against an assumed alert-shaped API response. The Vaikora `/api/v1/actions` endpoint actually returns action-shaped events. Concrete symptoms from end-to-end testing on a real Sentinel workspace:
Fix
Align everything on the action-field schema and the `Vaikora_AgentSignals_CL` table:
Files changed
Test plan
cc @v-maheshbh @v-shukore