Microsoft Sentinel Analytic Rules

Vaikora - Behavioral anomaly detected

Id: e61258ec-1a7f-454c-95b5-458a6edb1ea4
Rule name: Vaikora - Behavioral anomaly detected
Description: Identifies AI agent behavioral anomalies flagged by Vaikora with an anomaly score of 0.7 or above, indicating significant deviation from the agent's established behavioral baseline.
Severity: Medium
Tactics: DefenseEvasion, Execution
Techniques: T1059, T1027
Required data connectors: VaikoraSentinel
Kind: Scheduled
Query frequency: 30m
Query period: 1h
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml
Version: 1.0.0
Arm template: e61258ec-1a7f-454c-95b5-458a6edb1ea4.json
Query (KQL):

Vaikora_AgentSignals_CL
| where TimeGenerated > ago(1h)
| where is_anomaly_b == true
| where anomaly_score_d >= 0.7
| summarize
    AnomalyCount = count(),
    MaxAnomalyScore = max(anomaly_score_d),
    AvgAnomalyScore = avg(anomaly_score_d),
    AnomalyReasons = make_set(anomaly_reason_s),
    ActionTypes = make_set(action_type_s)
  by AgentId = agent_id_s, Severity = severity_s
| extend
    ReasonList = strcat_array(AnomalyReasons, "; "),
    ActionList = strcat_array(ActionTypes, ", ")

Rule definition (YAML):

queryPeriod: 1h
description: |
    Identifies AI agent behavioral anomalies flagged by Vaikora with an anomaly score of 0.7 or above, indicating significant deviation from the agent's established behavioral baseline.
relevantTechniques:
- T1059
- T1027
triggerThreshold: 0
customDetails:
  ActionTypes: ActionList
  AvgAnomalyScore: AvgAnomalyScore
  MaxAnomalyScore: MaxAnomalyScore
  AnomalyCount: AnomalyCount
  AnomalyReasons: ReasonList
id: e61258ec-1a7f-454c-95b5-458a6edb1ea4
queryFrequency: 30m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities:
    - Account
    matchingMethod: Selected
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 1h
query: |
  Vaikora_AgentSignals_CL
  | where TimeGenerated > ago(1h)
  | where is_anomaly_b == true
  | where anomaly_score_d >= 0.7
  | summarize
      AnomalyCount = count(),
      MaxAnomalyScore = max(anomaly_score_d),
      AvgAnomalyScore = avg(anomaly_score_d),
      AnomalyReasons = make_set(anomaly_reason_s),
      ActionTypes = make_set(action_type_s)
    by AgentId = agent_id_s, Severity = severity_s
  | extend
      ReasonList = strcat_array(AnomalyReasons, "; "),
      ActionList = strcat_array(ActionTypes, ", ")
entityMappings:
- fieldMappings:
  - columnName: AgentId
    identifier: Name
  entityType: Account
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: GreaterThan
suppressionEnabled: false
tactics:
- DefenseEvasion
- Execution
status: Available
name: Vaikora - Behavioral anomaly detected
version: 1.0.0
severity: Medium
requiredDataConnectors:
- connectorId: VaikoraSentinel
  dataTypes:
  - Vaikora_AgentSignals_CL
kind: Scheduled
suppressionDuration: 30m