Add Vaikora for O365 solution v3.0.0#14289
Open
mazamizo21 wants to merge 1 commit into
Sentinel content pairing with the Vaikora for O365 black-box Azure VM that classifies Microsoft 365 mailbox content and writes quarantine events to a custom Log Analytics table. Included:

- 1 Logic App playbook (VaikoraO365ToQuarantine) for Sentinel-incident-triggered notification to a SOC Teams channel
- 3 analytic rules over VaikoraO365_Quarantine_CL:
  - Vaikora - High score quarantine (high-confidence phishing/suspected)
  - Vaikora - Quarantine rate spike (per-tenant volume anomaly vs 7d baseline)
  - Vaikora - Engine offline (absent telemetry detection)
- 1 workbook (Vaikora for O365 - Quarantine Dashboard) with dark and light preview images
- VaikoraO365 registered in ValidConnectorIds.json
- VaikoraO365QuarantineDashboard registered in Workbooks/WorkbooksMetadata.json
## Summary

Adds the Vaikora for O365 Microsoft Sentinel solution (v3.0.0) — the Sentinel-side content that pairs with the Vaikora for O365 black-box Azure VM. The VM scans Microsoft 365 mailboxes via the Microsoft Graph API, classifies messages with the CTASD inference engine, and writes quarantine events into the `VaikoraO365_Quarantine_CL` custom Log Analytics table.

## Contents

- 1 Logic App playbook (`VaikoraO365ToQuarantine`): Sentinel-incident-triggered Logic App that posts a structured notification to a SOC Teams channel and comments on the incident.
- 3 analytic rules over `VaikoraO365_Quarantine_CL`:
  - Vaikora - High score quarantine — fires on `ActionId in (4, 5)` with `Confidence >= 0.8` (Suspected / Phishing classifications, every 15 min).
  - Vaikora - Quarantine rate spike — per-tenant hourly count vs 7-day baseline (3× threshold + min 10 events).
  - Vaikora - Engine offline — absent quarantine telemetry over the last 2h for tenants that were active in the prior 24h.
- 1 workbook (Vaikora for O365 - Quarantine Dashboard): tenant overview, action breakdown, confidence distribution, top sender domains, top targeted recipients, recent high-risk quarantines.
- `VaikoraO365` added to `.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json`; `VaikoraO365QuarantineDashboard` registered in `Workbooks/WorkbooksMetadata.json` with dark/light preview images.

## Validation

- `Package/3.0.0.zip`: Pass=49 Fail=1 Total=50 (the single failure is `IDs Should Be Derived From ResourceIDs` on the canonical managedApi connection pattern, matching the Microsoft Defender for Office 365 baseline).
- `[resourceGroup().location]` per `playbookResourceChecker.ts`.
- `Logos/` and `Workbooks/Images/Logos/` already present from prior Vaikora-Sentinel merge.

## Notes for reviewer

- `azure-sentinel-solution-vaikora-o365`.
- `hidden-Sentinel*` tags on both the inner mainTemplate Logic App and the standalone `azuredeploy.json`, with the inner parameter literally named `PlaybookName` (per the binding fix on the Cyren-Defender PR thread).
- 3.0.0.

cc @v-maheshbh @v-shukore
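As an added illustration, not taken from the PR or from the Vaikora solution's own rule templates, here is a KQL sketch of the "Quarantine rate spike" logic the description outlines: the current hour's per-tenant count compared against a 7-day hourly baseline, with the 3× multiplier and the 10-event floor. It assumes a `TenantId` column and the standard `TimeGenerated` timestamp, which the PR does not name; only the table, `ActionId` and `Confidence` come from the page.

```kql
// Added example (not from the PR): "Quarantine rate spike" detection logic.
// Assumed columns: TenantId, TimeGenerated. From the PR: ActionId, Confidence.
let lookback   = 7d;     // baseline window
let bin_size   = 1h;     // evaluate the most recent hour
let multiplier = 3.0;    // "3x threshold" against the baseline average
let min_events = 10;     // "min 10 events" floor; keeps quiet tenants from alerting on 1 -> 3
// Baseline: average hourly count per tenant over the 7 days before the current hour.
// make-series fills hours with no events as 0, so idle hours pull the baseline down
// instead of being silently dropped, which a plain summarize-by-bin would do.
let baseline =
    VaikoraO365_Quarantine_CL
    | where TimeGenerated between (ago(lookback) .. ago(bin_size))
    | make-series HourlyCount = count()
        on TimeGenerated from ago(lookback) to ago(bin_size) step bin_size
        by TenantId
    | mv-expand HourlyCount to typeof(long)
    | summarize BaselineAvg = avg(HourlyCount) by TenantId;
// Current hour per tenant, with the high-score subset surfaced for triage context.
VaikoraO365_Quarantine_CL
| where TimeGenerated > ago(bin_size)
| summarize CurrentCount   = count(),
            HighScoreCount = countif(ActionId in (4, 5) and Confidence >= 0.8)
          by TenantId
| join kind=inner baseline on TenantId
| where CurrentCount >= min_events
    and CurrentCount > multiplier * BaselineAvg
| project TenantId, CurrentCount, HighScoreCount,
          BaselineAvg = round(BaselineAvg, 2),
          Ratio       = round(CurrentCount / BaselineAvg, 2)
| order by Ratio desc
```

Because the join is `inner`, a tenant with no events at all in the 7-day window (for example one onboarded today) has no baseline and is never flagged by this rule; the "Engine offline" rule covers the opposite failure, a previously active tenant going silent.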