Microsoft Sentinel Analytic Rules

Vaikora - High severity AI agent action detected

Id: 15c49777-7cb7-4746-8064-6fa4c7a73df8
Rulename: Vaikora - High severity AI agent action detected
Description: Identifies AI agent actions from Vaikora classified as high or critical severity. These events may indicate an agent operating outside safe parameters or triggering policy thresholds.
Severity: High
Tactics: Impact, Execution, PrivilegeEscalation
Techniques: T1059, T1078, T1548
Required data connectors: VaikoraSentinel
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml
Version: 1.0.0
Arm template: 15c49777-7cb7-4746-8064-6fa4c7a73df8.json
Vaikora_AgentSignals_CL
| where TimeGenerated > ago(1h)
| where severity_s in ("high", "critical")
| summarize
    ActionCount = count(),
    MaxAnomalyScore = max(anomaly_score_d),
    Actions = make_set(action_type_s),
    PolicyDecisions = make_set(policy_decision_s),
    ResourceTypes = make_set(resource_type_s),
    LogHashes = make_set(log_hash_s)
  by AgentId = agent_id_s, Severity = severity_s
| extend
    ActionList = strcat_array(Actions, ", "),
    PolicyList = strcat_array(PolicyDecisions, ", "),
    ResourceList = strcat_array(ResourceTypes, ", ")
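To see what this rule emits before enabling it, the following KQL harness (an added example, not part of the Vaikora solution or of the rule above) builds a `datatable` of constructed Vaikora_AgentSignals_CL rows and runs the rule's own pipeline over them. The column names are taken from the rule; the agent IDs, action types, policy decisions, resource types, hashes and scores are invented. Paste it into the Logs blade of any workspace; it does not need the connector installed.

```kql
// Constructed rows standing in for Vaikora_AgentSignals_CL. Column names match the rule,
// every value is invented. AgeMinutes is turned into TimeGenerated so the rule's
// ago(1h) filter behaves as it would on live data.
let SampleSignals = datatable(
    AgeMinutes: long, agent_id_s: string, severity_s: string, anomaly_score_d: real,
    action_type_s: string, policy_decision_s: string, resource_type_s: string, log_hash_s: string)
[
    55, "agent-01", "high",     0.82, "tool_call",   "deny",  "shell",   "hash-a1",
    40, "agent-01", "high",     0.91, "file_write",  "allow", "storage", "hash-a2",
    20, "agent-01", "critical", 0.97, "role_assume", "deny",  "iam",     "hash-a3",
    15, "agent-02", "High",     0.88, "tool_call",   "deny",  "shell",   "hash-b1",   // capitalised: not matched by the case-sensitive in()
    10, "agent-03", "low",      0.10, "file_read",   "allow", "storage", "hash-c1",   // below the severity threshold
    90, "agent-04", "critical", 0.99, "tool_call",   "deny",  "shell",   "hash-d1"    // older than the 1h query period
]
| extend TimeGenerated = now() - 1m * AgeMinutes;
// From here on this is the rule's query verbatim, with a trailing project for readability.
SampleSignals
| where TimeGenerated > ago(1h)
| where severity_s in ("high", "critical")        // in() is case-sensitive; in~() would also take "High"
| summarize
    ActionCount = count(),
    MaxAnomalyScore = max(anomaly_score_d),
    Actions = make_set(action_type_s),
    PolicyDecisions = make_set(policy_decision_s),
    ResourceTypes = make_set(resource_type_s),
    LogHashes = make_set(log_hash_s)
  by AgentId = agent_id_s, Severity = severity_s
| extend
    ActionList = strcat_array(Actions, ", "),
    PolicyList = strcat_array(PolicyDecisions, ", "),
    ResourceList = strcat_array(ResourceTypes, ", ")
| project AgentId, Severity, ActionCount, MaxAnomalyScore, ActionList, PolicyList, ResourceList
```

Against these rows the query returns two results, both for agent-01: one with Severity "high" (ActionCount 2, MaxAnomalyScore 0.91) and one with Severity "critical" (ActionCount 1, MaxAnomalyScore 0.97), because the summarize groups by AgentId and Severity rather than by AgentId alone. With aggregationKind AlertPerResult each of those rows becomes its own alert, but since AgentId is mapped to the Account entity and incident grouping matches on Account within a 1h lookback, both land in the same incident. agent-02 is dropped because `in` compares case-sensitively; if the connector does not guarantee lower-case severity values (an assumption this harness cannot verify), `in~` is the safer operator. agent-04 is excluded by the explicit `ago(1h)` filter, which duplicates the rule's queryPeriod; it is harmless, but anyone widening queryPeriod must change both.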
queryPeriod: 1h
description: |
    Identifies AI agent actions from Vaikora classified as high or critical severity. These events may indicate an agent operating outside safe parameters or triggering policy thresholds.
relevantTechniques:
- T1059
- T1078
- T1548
triggerThreshold: 0
customDetails:
  ActionCount: ActionCount
  PolicyDecisions: PolicyList
  MaxAnomalyScore: MaxAnomalyScore
  Actions: ActionList
  ResourceTypes: ResourceList
id: 15c49777-7cb7-4746-8064-6fa4c7a73df8
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - High Risk AI Agent Action.yaml
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities:
    - Account
    matchingMethod: Selected
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 1h
query: |
  Vaikora_AgentSignals_CL
  | where TimeGenerated > ago(1h)
  | where severity_s in ("high", "critical")
  | summarize
      ActionCount = count(),
      MaxAnomalyScore = max(anomaly_score_d),
      Actions = make_set(action_type_s),
      PolicyDecisions = make_set(policy_decision_s),
      ResourceTypes = make_set(resource_type_s),
      LogHashes = make_set(log_hash_s)
    by AgentId = agent_id_s, Severity = severity_s
  | extend
      ActionList = strcat_array(Actions, ", "),
      PolicyList = strcat_array(PolicyDecisions, ", "),
      ResourceList = strcat_array(ResourceTypes, ", ")
entityMappings:
- fieldMappings:
  - columnName: AgentId
    identifier: Name
  entityType: Account
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: GreaterThan
suppressionEnabled: false
tactics:
- Impact
- Execution
- PrivilegeEscalation
status: Available
name: Vaikora - High severity AI agent action detected
version: 1.0.0
severity: High
requiredDataConnectors:
- connectorId: VaikoraSentinel
  dataTypes:
  - Vaikora_AgentSignals_CL
kind: Scheduled
suppressionDuration: 1h