Microsoft Sentinel Analytic Rules

Vaikora - High severity AI agent action detected

Id: 15c49777-7cb7-4746-8064-6fa4c7a73df8
Rulename: Vaikora - High severity AI agent action detected
Description: Identifies AI agent actions from Vaikora classified as high or critical severity. These events may indicate an agent operating outside safe parameters or triggering policy thresholds.
Severity: High
Tactics: Impact, Execution, PrivilegeEscalation
Techniques: T1059, T1078, T1548
Required data connectors: VaikoraSentinel
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml
Version: 1.0.0
Arm template: 15c49777-7cb7-4746-8064-6fa4c7a73df8.json
Vaikora_AgentSignals_CL
| where TimeGenerated > ago(1h)
| where severity_s in ("high", "critical")
| summarize
    ActionCount = count(),
    MaxAnomalyScore = max(anomaly_score_d),
    Actions = make_set(action_type_s),
    PolicyDecisions = make_set(policy_decision_s),
    ResourceTypes = make_set(resource_type_s),
    LogHashes = make_set(log_hash_s)
  by AgentId = agent_id_s, Severity = severity_s
| extend
    ActionList = strcat_array(Actions, ", "),
    PolicyList = strcat_array(PolicyDecisions, ", "),
    ResourceList = strcat_array(ResourceTypes, ", ")
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AgentId
tactics:
- Impact
- Execution
- PrivilegeEscalation
suppressionEnabled: false
suppressionDuration: 1h
requiredDataConnectors:
- dataTypes:
  - Vaikora_AgentSignals_CL
  connectorId: VaikoraSentinel
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: 1h
    groupByEntities:
    - Account
    enabled: true
    matchingMethod: Selected
  createIncident: true
id: 15c49777-7cb7-4746-8064-6fa4c7a73df8
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  PolicyDecisions: PolicyList
  ActionCount: ActionCount
  Actions: ActionList
  ResourceTypes: ResourceList
  MaxAnomalyScore: MaxAnomalyScore
query: |
  Vaikora_AgentSignals_CL
  | where TimeGenerated > ago(1h)
  | where severity_s in ("high", "critical")
  | summarize
      ActionCount = count(),
      MaxAnomalyScore = max(anomaly_score_d),
      Actions = make_set(action_type_s),
      PolicyDecisions = make_set(policy_decision_s),
      ResourceTypes = make_set(resource_type_s),
      LogHashes = make_set(log_hash_s)
    by AgentId = agent_id_s, Severity = severity_s
  | extend
      ActionList = strcat_array(Actions, ", "),
      PolicyList = strcat_array(PolicyDecisions, ", "),
      ResourceList = strcat_array(ResourceTypes, ", ")
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: Vaikora - High severity AI agent action detected
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1059
- T1078
- T1548
description: |
    Identifies AI agent actions from Vaikora classified as high or critical severity. These events may indicate an agent operating outside safe parameters or triggering policy thresholds.
triggerOperator: GreaterThan