Microsoft Sentinel Analytic Rules

Vaikora - Agent policy violation

Id: 54262ad1-f346-4246-a13f-9557595ff7bd
Rulename: Vaikora - Agent policy violation
Description: Identifies AI agent actions explicitly blocked by a Vaikora policy. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised workflow.
Severity: Medium
Tactics: Impact, DefenseEvasion
Techniques: T1078, T1562
Required data connectors: VaikoraSentinel
Kind: Scheduled
Query frequency: 15m
Query period: 1h
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml
Version: 1.0.0
Arm template: 54262ad1-f346-4246-a13f-9557595ff7bd.json
Vaikora_AgentSignals_CL
| where TimeGenerated > ago(1h)
| where policy_decision_s == "block"
| summarize
    ViolationCount = count(),
    PolicyIds = make_set(policy_id_s),
    ActionTypes = make_set(action_type_s),
    ResourceTypes = make_set(resource_type_s),
    MaxAnomalyScore = max(anomaly_score_d),
    Severities = make_set(severity_s),
    LogHashes = make_set(log_hash_s)
  by AgentId = agent_id_s
| extend
    PolicyList = strcat_array(PolicyIds, ", "),
    ActionList = strcat_array(ActionTypes, ", "),
    ResourceList = strcat_array(ResourceTypes, ", ")
| where ViolationCount >= 1
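To see what the KQL above actually produces per agent, here is an added Python re-implementation of the same aggregation run over a handful of constructed Vaikora_AgentSignals_CL records (this is example code written for this page, not part of the Azure-Sentinel solution or Vaikora's own tooling). It applies the 1h lookback, keeps only rows whose policy_decision_s is "block", groups by agent_id_s, and builds the same ViolationCount, MaxAnomalyScore and comma-joined list columns. Two assumptions are mine: the column types are taken from the Log Analytics suffixes (_s string, _d double), and set contents are sorted for deterministic output, whereas KQL's make_set gives no ordering guarantee.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time standing in for the query's execution time.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _row(minutes_ago, agent, decision, policy, action, resource, score, sev, log_hash):
    """Build one constructed Vaikora_AgentSignals_CL-shaped record (column names from the query)."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "agent_id_s": agent,
        "policy_decision_s": decision,
        "policy_id_s": policy,
        "action_type_s": action,
        "resource_type_s": resource,
        "anomaly_score_d": score,
        "severity_s": sev,
        "log_hash_s": log_hash,
    }


# Constructed sample signals: two blocks for agent-a, an allow that must be ignored,
# a block for agent-b that is older than the 1h lookback, and one block for agent-c.
SAMPLE_SIGNALS = [
    _row(10, "agent-a", "block", "P-001", "tool_call", "filesystem", 0.7, "High", "h1"),
    _row(30, "agent-a", "block", "P-002", "http_request", "network", 0.9, "Medium", "h2"),
    _row(5, "agent-a", "allow", "P-001", "tool_call", "filesystem", 0.1, "Low", "h3"),
    _row(120, "agent-b", "block", "P-003", "shell_exec", "host", 0.95, "High", "h4"),
    _row(45, "agent-c", "block", "P-001", "tool_call", "filesystem", 0.2, "Low", "h5"),
]


def agent_policy_violations(records, now=NOW, lookback=timedelta(hours=1)):
    """Python equivalent of the rule's KQL: blocked actions per agent within the lookback window.

    Returns a dict keyed by AgentId with the same output columns the query emits.
    """
    cutoff = now - lookback
    groups = {}
    for r in records:
        # | where TimeGenerated > ago(1h)
        if r["TimeGenerated"] <= cutoff:
            continue
        # | where policy_decision_s == "block"
        if r["policy_decision_s"] != "block":
            continue
        # | summarize ... by AgentId = agent_id_s
        g = groups.setdefault(r["agent_id_s"], {
            "ViolationCount": 0,
            "PolicyIds": set(), "ActionTypes": set(), "ResourceTypes": set(),
            "MaxAnomalyScore": float("-inf"),
            "Severities": set(), "LogHashes": set(),
        })
        g["ViolationCount"] += 1                       # count()
        g["PolicyIds"].add(r["policy_id_s"])           # make_set(policy_id_s)
        g["ActionTypes"].add(r["action_type_s"])       # make_set(action_type_s)
        g["ResourceTypes"].add(r["resource_type_s"])   # make_set(resource_type_s)
        g["MaxAnomalyScore"] = max(g["MaxAnomalyScore"], r["anomaly_score_d"])  # max()
        g["Severities"].add(r["severity_s"])           # make_set(severity_s)
        g["LogHashes"].add(r["log_hash_s"])            # make_set(log_hash_s)

    results = {}
    for agent, g in groups.items():
        # | where ViolationCount >= 1 : always true after summarize, kept to mirror the query.
        if g["ViolationCount"] < 1:
            continue
        # | extend ... strcat_array(<set>, ", ") ; sorted() is an assumption for stable output.
        results[agent] = {
            "AgentId": agent,
            "ViolationCount": g["ViolationCount"],
            "MaxAnomalyScore": g["MaxAnomalyScore"],
            "PolicyIds": sorted(g["PolicyIds"]),
            "ActionTypes": sorted(g["ActionTypes"]),
            "ResourceTypes": sorted(g["ResourceTypes"]),
            "Severities": sorted(g["Severities"]),
            "LogHashes": sorted(g["LogHashes"]),
            "PolicyList": ", ".join(sorted(g["PolicyIds"])),
            "ActionList": ", ".join(sorted(g["ActionTypes"])),
            "ResourceList": ", ".join(sorted(g["ResourceTypes"])),
        }
    return results


if __name__ == "__main__":
    for agent, row in agent_policy_violations(SAMPLE_SIGNALS).items():
        print(f"{agent}: {row['ViolationCount']} block(s), max anomaly {row['MaxAnomalyScore']}, "
              f"policies [{row['PolicyList']}], actions [{row['ActionList']}]")
```

Running it yields one result row for agent-a (two blocks, MaxAnomalyScore 0.9, PolicyList "P-001, P-002") and one for agent-c; agent-b is dropped by the lookback and the allow row never counts. Because the rule uses aggregationKind AlertPerResult, each of those rows becomes its own alert, and since triggerThreshold is 0 with GreaterThan, a single blocked action is enough to fire; the ViolationCount >= 1 filter adds nothing beyond that and could be raised if single blocks prove noisy.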
version: 1.0.0
id: 54262ad1-f346-4246-a13f-9557595ff7bd
relevantTechniques:
- T1078
- T1562
requiredDataConnectors:
- connectorId: VaikoraSentinel
  dataTypes:
  - Vaikora_AgentSignals_CL
triggerOperator: GreaterThan
entityMappings:
- fieldMappings:
  - columnName: AgentId
    identifier: Name
  entityType: Account
name: Vaikora - Agent policy violation
queryFrequency: 15m
triggerThreshold: 0
customDetails:
  ActionTypes: ActionList
  ViolationCount: ViolationCount
  MaxAnomalyScore: MaxAnomalyScore
  PolicyIds: PolicyList
description: |
    Identifies AI agent actions explicitly blocked by a Vaikora policy. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised workflow.
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml
suppressionEnabled: false
queryPeriod: 1h
severity: Medium
suppressionDuration: 15m
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: 1h
    groupByEntities:
    - Account
tactics:
- Impact
- DefenseEvasion
query: |
  Vaikora_AgentSignals_CL
  | where TimeGenerated > ago(1h)
  | where policy_decision_s == "block"
  | summarize
      ViolationCount = count(),
      PolicyIds = make_set(policy_id_s),
      ActionTypes = make_set(action_type_s),
      ResourceTypes = make_set(resource_type_s),
      MaxAnomalyScore = max(anomaly_score_d),
      Severities = make_set(severity_s),
      LogHashes = make_set(log_hash_s)
    by AgentId = agent_id_s
  | extend
      PolicyList = strcat_array(PolicyIds, ", "),
      ActionList = strcat_array(ActionTypes, ", "),
      ResourceList = strcat_array(ResourceTypes, ", ")
  | where ViolationCount >= 1  
eventGroupingSettings:
  aggregationKind: AlertPerResult