Microsoft Sentinel Analytic Rules

Vaikora - High severity AI agent action detected

Id: 15c49777-7cb7-4746-8064-6fa4c7a73df8
Rulename: Vaikora - High severity AI agent action detected
Description: Identifies AI agent actions from Vaikora classified as high or critical severity. These events may indicate an agent operating outside safe parameters or triggering policy thresholds.
Severity: High
Tactics: Impact, Execution, PrivilegeEscalation
Techniques: T1059, T1078, T1548
Required data connectors: VaikoraSentinel
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml
Version: 1.0.0
Arm template: 15c49777-7cb7-4746-8064-6fa4c7a73df8.json

Query:
Vaikora_AgentSignals_CL
| where TimeGenerated > ago(1h)
| where severity_s in ("high", "critical")
| summarize
    ActionCount = count(),
    MaxAnomalyScore = max(anomaly_score_d),
    Actions = make_set(action_type_s),
    PolicyDecisions = make_set(policy_decision_s),
    ResourceTypes = make_set(resource_type_s),
    LogHashes = make_set(log_hash_s)
  by AgentId = agent_id_s, Severity = severity_s
| extend
    ActionList = strcat_array(Actions, ", "),
    PolicyList = strcat_array(PolicyDecisions, ", "),
    ResourceList = strcat_array(ResourceTypes, ", ")
version: 1.0.0
id: 15c49777-7cb7-4746-8064-6fa4c7a73df8
relevantTechniques:
- T1059
- T1078
- T1548
requiredDataConnectors:
- connectorId: VaikoraSentinel
  dataTypes:
  - Vaikora_AgentSignals_CL
triggerOperator: GreaterThan
entityMappings:
- fieldMappings:
  - columnName: AgentId
    identifier: Name
  entityType: Account
name: Vaikora - High severity AI agent action detected
queryFrequency: 1h
triggerThreshold: 0
customDetails:
  ResourceTypes: ResourceList
  PolicyDecisions: PolicyList
  MaxAnomalyScore: MaxAnomalyScore
  Actions: ActionList
  ActionCount: ActionCount
description: |
    Identifies AI agent actions from Vaikora classified as high or critical severity. These events may indicate an agent operating outside safe parameters or triggering policy thresholds.
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml
suppressionEnabled: false
queryPeriod: 1h
severity: High
suppressionDuration: 1h
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: 1h
    groupByEntities:
    - Account
tactics:
- Impact
- Execution
- PrivilegeEscalation
query: |
  Vaikora_AgentSignals_CL
  | where TimeGenerated > ago(1h)
  | where severity_s in ("high", "critical")
  | summarize
      ActionCount = count(),
      MaxAnomalyScore = max(anomaly_score_d),
      Actions = make_set(action_type_s),
      PolicyDecisions = make_set(policy_decision_s),
      ResourceTypes = make_set(resource_type_s),
      LogHashes = make_set(log_hash_s)
    by AgentId = agent_id_s, Severity = severity_s
  | extend
      ActionList = strcat_array(Actions, ", "),
      PolicyList = strcat_array(PolicyDecisions, ", "),
      ResourceList = strcat_array(ResourceTypes, ", ")
eventGroupingSettings:
  aggregationKind: AlertPerResult