Vaikora - Anomaly detection
| Field | Value |
| --- | --- |
| Id | c0984707-0855-430e-9c36-5e2d0d0ce56f |
| Rulename | Vaikora - Anomaly detection |
| Description | Identifies actions flagged as anomalies or confirmed threats by Vaikora. Catches behavioral anomalies that fall below high/critical severity but still represent statistically unusual activity worth investigating. |
| Severity | Medium |
| Tactics | Discovery, LateralMovement, Collection, Exfiltration |
| Required data connectors | VaikoraSecurityCenter |
| Kind | Scheduled |
| Query frequency | 6h |
| Query period | 6h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Anomaly Detection.yaml |
| Version | 1.0.0 |
| Arm template | c0984707-0855-430e-9c36-5e2d0d0ce56f.json |
```kusto
Vaikora_SecurityAlerts_CL
// Bound the scan to the rule's 6h queryPeriod. The rule also runs every 6h, so
// consecutive windows abut; rows that arrive with ingestion delay can be missed.
| where TimeGenerated >= ago(6h)
// Either signal is enough: a behavioural anomaly or a confirmed detection
| where IsAnomaly_b == true or ThreatDetected_b == true
// High/critical is handled by a separate rule. Match case-insensitively so that
// "High" or "CRITICAL" from the source are excluded as well
| where Severity_s !in~ ("high", "critical")
| extend
    AlertId = AlertId_s,
    AgentId = AgentId_s,
    ActionType = ActionType_s,
    Severity = Severity_s,
    Title = Title_s,
    Description = Description_s,
    SourceIP = SourceIP_s,        // custom-log string suffix, like every other string column
    DestinationIP = DestinationIP_s,
    SourceHost = SourceHost_s,
    DestHost = DestinationHost_s,
    ProcessName = ProcessName_s,
    UserName = UserName_s,
    FilePath = FilePath_s,
    Confidence = ConfidenceScore_d,
    ThreatFlag = ThreatDetected_b,
    AnomalyFlag = IsAnomaly_b
| project
    TimeGenerated, AlertId, AgentId, ActionType, Severity, Title, Description,
    SourceIP, DestinationIP, SourceHost, DestHost, ProcessName, UserName, FilePath,
    Confidence, ThreatFlag, AnomalyFlag
// Highest-confidence, most recent results first
| order by Confidence desc, TimeGenerated desc
```
```yaml
name: Vaikora - Anomaly detection
query: |
  Vaikora_SecurityAlerts_CL
  | where TimeGenerated >= ago(6h)
  | where IsAnomaly_b == true or ThreatDetected_b == true
  // case-insensitive so "High"/"CRITICAL" are excluded as intended
  | where Severity_s !in~ ("high", "critical")
  | extend
      AlertId = AlertId_s,
      AgentId = AgentId_s,
      ActionType = ActionType_s,
      Severity = Severity_s,
      Title = Title_s,
      Description = Description_s,
      SourceIP = SourceIP_s,
      DestinationIP = DestinationIP_s,
      SourceHost = SourceHost_s,
      DestHost = DestinationHost_s,
      ProcessName = ProcessName_s,
      UserName = UserName_s,
      FilePath = FilePath_s,
      Confidence = ConfidenceScore_d,
      ThreatFlag = ThreatDetected_b,
      AnomalyFlag = IsAnomaly_b
  | project
      TimeGenerated, AlertId, AgentId, ActionType, Severity, Title, Description,
      SourceIP, DestinationIP, SourceHost, DestHost, ProcessName, UserName, FilePath,
      Confidence, ThreatFlag, AnomalyFlag
  | order by Confidence desc, TimeGenerated desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - columnName: SourceIP
        identifier: Address
  - entityType: Host
    fieldMappings:
      - columnName: SourceHost
        identifier: HostName
  - entityType: Account
    fieldMappings:
      - columnName: UserName
        identifier: Name
queryPeriod: 6h
version: 1.0.0
tactics:
  - Discovery
  - LateralMovement
  - Collection
  - Exfiltration
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - Anomaly Detection.yaml
# Placeholders must name columns that the query actually returns; the raw
# *_s/_b/_d columns are dropped by the project step, so use the projected names.
alertDetailsOverride:
  alertDescriptionFormat: Vaikora AI detected a threat on agent {{AgentId}} (ThreatDetected={{ThreatFlag}}). {{Description}}
  alertDisplayNameFormat: 'Vaikora Anomaly: {{Title}} (confidence: {{Confidence}})'
relevantTechniques: []
id: c0984707-0855-430e-9c36-5e2d0d0ce56f
severity: Medium
requiredDataConnectors:
  - connectorId: VaikoraSecurityCenter
    dataTypes:
      - Vaikora_SecurityAlerts_CL
status: Available
description: |
  Identifies actions flagged as anomalies or confirmed threats by Vaikora. Catches behavioral anomalies that fall below high/critical severity but still represent statistically unusual activity worth investigating.
queryFrequency: 6h
```
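The following is an added, offline dry run of the rule above: it is not code from the Azure Sentinel solution or from Vaikora. It reimplements the query's filter, projection and ordering in Python over constructed `Vaikora_SecurityAlerts_CL`-shaped rows (the `row()` defaults, the alert IDs, hosts and IPs are all made up), applies the `gt 0` trigger, fills the `alertDetailsOverride` templates from the projected column names, and pulls the three mapped entities. It also shows why the severity gate should be case-insensitive: with a case-sensitive `!in`, a row whose severity is spelled `High` is surfaced by this medium-severity rule instead of being left to the high/critical one.

```python
"""Offline dry run of the 'Vaikora - Anomaly detection' rule logic.

Added example for this page, not code from the Sentinel solution or Vaikora.
All rows below are constructed; the clock is pinned so results are stable.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
LOOKBACK = timedelta(hours=6)                            # queryPeriod: 6h
TRIGGER_THRESHOLD = 0                                    # triggerOperator: gt

# Source column -> projected column, as in the rule's extend/project steps.
COLUMN_MAP = {
    "AlertId_s": "AlertId", "AgentId_s": "AgentId", "ActionType_s": "ActionType",
    "Severity_s": "Severity", "Title_s": "Title", "Description_s": "Description",
    "SourceIP_s": "SourceIP", "DestinationIP_s": "DestinationIP",
    "SourceHost_s": "SourceHost", "DestinationHost_s": "DestHost",
    "ProcessName_s": "ProcessName", "UserName_s": "UserName", "FilePath_s": "FilePath",
    "ConfidenceScore_d": "Confidence", "ThreatDetected_b": "ThreatFlag",
    "IsAnomaly_b": "AnomalyFlag",
}


def row(**overrides):
    """Constructed Vaikora_SecurityAlerts_CL-shaped record (not real telemetry)."""
    base = {
        "TimeGenerated": NOW - timedelta(minutes=30), "AlertId_s": "a-000",
        "AgentId_s": "agent-01", "ActionType_s": "smb_enumeration",
        "Severity_s": "medium", "Title_s": "Unusual share enumeration",
        "Description_s": "40 shares enumerated in 2 minutes",
        "SourceIP_s": "10.0.1.15", "DestinationIP_s": "10.0.1.5",
        "SourceHost_s": "ws-015", "DestinationHost_s": "fs-01",
        "ProcessName_s": "net.exe", "UserName_s": "jdoe", "FilePath_s": "",
        "ConfidenceScore_d": 0.5, "ThreatDetected_b": False, "IsAnomaly_b": False,
    }
    base.update(overrides)
    return base


SAMPLE_ROWS = [
    row(AlertId_s="a-001", IsAnomaly_b=True, ConfidenceScore_d=0.72),
    row(AlertId_s="a-002", Severity_s="low", ThreatDetected_b=True,
        ConfidenceScore_d=0.91, ActionType_s="archive_staging",
        Title_s="Archive staged in user temp", ProcessName_s="7z.exe",
        FilePath_s=r"C:\Users\jdoe\AppData\Local\Temp\out.7z"),
    row(AlertId_s="a-003", Severity_s="critical", ThreatDetected_b=True,
        ConfidenceScore_d=0.97),                        # belongs to the high/critical rule
    row(AlertId_s="a-004", Severity_s="High", IsAnomaly_b=True,
        ConfidenceScore_d=0.88),                        # mixed-case severity from the source
    row(AlertId_s="a-005", ConfidenceScore_d=0.40),     # neither flag set
    row(AlertId_s="a-006", IsAnomaly_b=True, ConfidenceScore_d=0.80,
        TimeGenerated=NOW - timedelta(hours=7)),        # outside the 6h window
]


def run_rule(rows, now=NOW, case_insensitive=True):
    """Apply the where / extend / project / order steps; return projected rows."""
    def excluded_severity(sev):
        return (sev.lower() if case_insensitive else sev) in ("high", "critical")

    hits = [
        r for r in rows
        if r["TimeGenerated"] >= now - LOOKBACK
        and (r["IsAnomaly_b"] or r["ThreatDetected_b"])
        and not excluded_severity(r["Severity_s"])
    ]
    projected = [{"TimeGenerated": r["TimeGenerated"],
                  **{new: r[old] for old, new in COLUMN_MAP.items()}} for r in hits]
    # order by Confidence desc, TimeGenerated desc
    projected.sort(key=lambda p: (p["Confidence"], p["TimeGenerated"]), reverse=True)
    return projected


def rule_fires(projected):
    """Scheduled-rule trigger: result count gt 0."""
    return len(projected) > TRIGGER_THRESHOLD


def render_alert(p):
    """alertDetailsOverride templates filled from projected column names."""
    name = f"Vaikora Anomaly: {p['Title']} (confidence: {p['Confidence']})"
    desc = (f"Vaikora AI detected a threat on agent {p['AgentId']} "
            f"(ThreatDetected={p['ThreatFlag']}). {p['Description']}")
    return name, desc


def entities(p):
    """The rule's entity mappings: IP.Address, Host.HostName, Account.Name."""
    return {"IP": p["SourceIP"], "Host": p["SourceHost"], "Account": p["UserName"]}


if __name__ == "__main__":
    results = run_rule(SAMPLE_ROWS)
    print("fires:", rule_fires(results))
    for p in results:
        print(p["AlertId"], p["Severity"], p["Confidence"], render_alert(p)[0], entities(p))
    leaked = [p["AlertId"] for p in run_rule(SAMPLE_ROWS, case_insensitive=False)]
    print("with a case-sensitive severity gate, also surfaced:", [a for a in leaked if a == "a-004"])
```

Only the IP, host and account of the source side are mapped to entities, so `DestinationIP` and `DestHost` stay in the alert's result set but do not become investigable entities; if the target of the lateral movement matters in your triage, that is the first thing to extend in `entityMappings`.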