Microsoft Sentinel Analytic Rules

Vaikora - Agent policy violation

Id: 54262ad1-f346-4246-a13f-9557595ff7bd
Rulename: Vaikora - Agent policy violation
Description: Identifies AI agent actions explicitly blocked by a Vaikora policy. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised workflow.
Severity: Medium
Tactics: Impact, DefenseEvasion
Techniques: T1078, T1562
Required data connectors: VaikoraSentinel
Kind: Scheduled
Query frequency: 15m
Query period: 1h
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml
Version: 1.0.0
Arm template: 54262ad1-f346-4246-a13f-9557595ff7bd.json
Vaikora_AgentSignals_CL
| where TimeGenerated > ago(1h)
| where policy_decision_s == "block"
| summarize
    ViolationCount = count(),
    PolicyIds = make_set(policy_id_s),
    ActionTypes = make_set(action_type_s),
    ResourceTypes = make_set(resource_type_s),
    MaxAnomalyScore = max(anomaly_score_d),
    Severities = make_set(severity_s),
    LogHashes = make_set(log_hash_s)
  by AgentId = agent_id_s
| extend
    PolicyList = strcat_array(PolicyIds, ", "),
    ActionList = strcat_array(ActionTypes, ", "),
    ResourceList = strcat_array(ResourceTypes, ", ")
| where ViolationCount >= 1
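The aggregation above, re-implemented in Python over constructed sample rows so the rule's behaviour can be checked offline. This is an added example, not code from the Vaikora solution or from the Azure-Sentinel repository; the agent names, policy IDs, hashes and scores are invented, and the column names only mirror the Vaikora_AgentSignals_CL fields the KQL references. It goes one step beyond the rule by adding a min_violations parameter: the shipped query ends in `where ViolationCount >= 1`, which is always true after `count()`, and the trigger threshold is 0, so a single blocked action already produces an alert (one per agent, given AlertPerResult) even though the description talks about repeated violations. The parameter is where that tuning would live.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not real Vaikora telemetry). Column names follow the
# Vaikora_AgentSignals_CL fields used by the rule; all values are invented.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def _row(minutes_ago, agent, decision, policy, action, resource, score, severity, log_hash):
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "agent_id_s": agent,
        "policy_decision_s": decision,
        "policy_id_s": policy,
        "action_type_s": action,
        "resource_type_s": resource,
        "anomaly_score_d": score,
        "severity_s": severity,
        "log_hash_s": log_hash,
    }


SAMPLE_ROWS = [
    _row(50, "agent-research-01", "block", "POL-EXFIL-001", "http_post", "external_url", 0.91, "high", "a1"),
    _row(35, "agent-research-01", "allow", "POL-READ-002", "file_read", "workspace_file", 0.10, "low", "a2"),
    _row(20, "agent-research-01", "block", "POL-EXFIL-001", "http_post", "external_url", 0.65, "high", "a3"),
    _row(5, "agent-research-01", "block", "POL-TOOL-007", "shell_exec", "tool", 0.72, "medium", "a4"),
    _row(15, "agent-helpdesk-02", "block", "POL-PII-003", "file_read", "customer_record", 0.30, "medium", "b1"),
    _row(10, "agent-helpdesk-02", "allow", "POL-READ-002", "file_read", "kb_article", 0.05, "low", "b2"),
    # Outside the 1h window: must not contribute to any alert.
    _row(125, "agent-batch-03", "block", "POL-EXFIL-001", "http_post", "external_url", 0.99, "high", "c1"),
]


def detect_policy_violations(rows, now=NOW, lookback=timedelta(hours=1), min_violations=1):
    """Mirror the rule's KQL: filter to blocked actions inside the lookback window,
    aggregate per agent_id_s, and return one result row per agent (each becomes
    its own alert under AlertPerResult). min_violations=1 reproduces the shipped
    rule; a higher value is the (hypothetical) knob for alerting only on repeats."""
    groups = defaultdict(list)
    for r in rows:
        # | where TimeGenerated > ago(1h)
        if r["TimeGenerated"] <= now - lookback:
            continue
        # | where policy_decision_s == "block"
        if r["policy_decision_s"] != "block":
            continue
        groups[r["agent_id_s"]].append(r)

    results = []
    for agent_id, hits in sorted(groups.items()):
        # | summarize ... by AgentId = agent_id_s
        # make_set() yields distinct values (sorted here for determinism); max() skips nulls.
        def distinct(col):
            return sorted({h[col] for h in hits if h[col] is not None})

        scores = [h["anomaly_score_d"] for h in hits if h["anomaly_score_d"] is not None]
        result = {
            "AgentId": agent_id,
            "ViolationCount": len(hits),
            "PolicyIds": distinct("policy_id_s"),
            "ActionTypes": distinct("action_type_s"),
            "ResourceTypes": distinct("resource_type_s"),
            "MaxAnomalyScore": max(scores) if scores else None,
            "Severities": distinct("severity_s"),
            "LogHashes": distinct("log_hash_s"),
        }
        # | extend PolicyList = strcat_array(PolicyIds, ", "), ...
        result["PolicyList"] = ", ".join(result["PolicyIds"])
        result["ActionList"] = ", ".join(result["ActionTypes"])
        result["ResourceList"] = ", ".join(result["ResourceTypes"])
        # | where ViolationCount >= 1   (always true after count(); only a higher bar filters)
        if result["ViolationCount"] >= min_violations:
            results.append(result)
    return results


if __name__ == "__main__":
    for alert in detect_policy_violations(SAMPLE_ROWS):
        print(f'{alert["AgentId"]}: {alert["ViolationCount"]} blocked action(s), '
              f'policies [{alert["PolicyList"]}], max anomaly {alert["MaxAnomalyScore"]}')
    print("repeated only:", [a["AgentId"] for a in detect_policy_violations(SAMPLE_ROWS, min_violations=3)])
```

With the sample rows, the shipped logic yields two alerts: agent-research-01 with three blocked actions across two policies, and agent-helpdesk-02 with a single blocked file read. Running the same data with min_violations=3 keeps only the first, which is the behaviour the description's "repeated violations" wording suggests; in the real rule that would mean raising the final where clause (or the trigger threshold) rather than leaving it at 1 and 0.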
queryFrequency: 15m
version: 1.0.0
queryPeriod: 1h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities:
    - Account
    lookbackDuration: 1h
    enabled: true
    matchingMethod: Selected
    reopenClosedIncident: false
relevantTechniques:
- T1078
- T1562
name: Vaikora - Agent policy violation
kind: Scheduled
severity: Medium
tactics:
- Impact
- DefenseEvasion
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Agent Policy Violation.yaml
requiredDataConnectors:
- dataTypes:
  - Vaikora_AgentSignals_CL
  connectorId: VaikoraSentinel
triggerOperator: GreaterThan
suppressionDuration: 15m
customDetails:
  ViolationCount: ViolationCount
  ActionTypes: ActionList
  PolicyIds: PolicyList
  MaxAnomalyScore: MaxAnomalyScore
id: 54262ad1-f346-4246-a13f-9557595ff7bd
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AgentId
triggerThreshold: 0
query: |
  Vaikora_AgentSignals_CL
  | where TimeGenerated > ago(1h)
  | where policy_decision_s == "block"
  | summarize
      ViolationCount = count(),
      PolicyIds = make_set(policy_id_s),
      ActionTypes = make_set(action_type_s),
      ResourceTypes = make_set(resource_type_s),
      MaxAnomalyScore = max(anomaly_score_d),
      Severities = make_set(severity_s),
      LogHashes = make_set(log_hash_s)
    by AgentId = agent_id_s
  | extend
      PolicyList = strcat_array(PolicyIds, ", "),
      ActionList = strcat_array(ActionTypes, ", "),
      ResourceList = strcat_array(ResourceTypes, ", ")
  | where ViolationCount >= 1  
status: Available
description: |
    Identifies AI agent actions explicitly blocked by a Vaikora policy. Repeated violations from the same agent may indicate prompt injection, policy circumvention, or a compromised workflow.