Microsoft Sentinel Analytic Rules

Vaikora - Behavioral anomaly detected

Id: e61258ec-1a7f-454c-95b5-458a6edb1ea4
Rulename: Vaikora - Behavioral anomaly detected
Description: Identifies AI agent behavioral anomalies flagged by Vaikora with an anomaly score of 0.7 or above, indicating significant deviation from the agent's established behavioral baseline.
Severity: Medium
Tactics: DefenseEvasion, Execution
Techniques: T1059, T1027
Required data connectors: VaikoraSentinel
Kind: Scheduled
Query frequency: 30m
Query period: 1h
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml
Version: 1.0.0
Arm template: e61258ec-1a7f-454c-95b5-458a6edb1ea4.json
Vaikora_AgentSignals_CL
| where TimeGenerated > ago(1h)        // window matches the rule's 1h query period
| where is_anomaly_b == true           // only rows Vaikora itself flagged as anomalous
| where anomaly_score_d >= 0.7         // score threshold stated in the description
| summarize
    AnomalyCount = count(),
    MaxAnomalyScore = max(anomaly_score_d),
    AvgAnomalyScore = avg(anomaly_score_d),
    AnomalyReasons = make_set(anomaly_reason_s),
    ActionTypes = make_set(action_type_s)
  by AgentId = agent_id_s, Severity = severity_s   // one row per agent and severity
| extend
    ReasonList = strcat_array(AnomalyReasons, "; "),   // flattened for customDetails
    ActionList = strcat_array(ActionTypes, ", ")
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AgentId
tactics:
- DefenseEvasion
- Execution
suppressionEnabled: false
suppressionDuration: 30m
requiredDataConnectors:
- dataTypes:
  - Vaikora_AgentSignals_CL
  connectorId: VaikoraSentinel
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: 1h
    groupByEntities:
    - Account
    enabled: true
    matchingMethod: Selected
  createIncident: true
id: e61258ec-1a7f-454c-95b5-458a6edb1ea4
severity: Medium
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  AnomalyReasons: ReasonList
  AvgAnomalyScore: AvgAnomalyScore
  ActionTypes: ActionList
  MaxAnomalyScore: MaxAnomalyScore
  AnomalyCount: AnomalyCount
query: |
  Vaikora_AgentSignals_CL
  | where TimeGenerated > ago(1h)
  | where is_anomaly_b == true
  | where anomaly_score_d >= 0.7
  | summarize
      AnomalyCount = count(),
      MaxAnomalyScore = max(anomaly_score_d),
      AvgAnomalyScore = avg(anomaly_score_d),
      AnomalyReasons = make_set(anomaly_reason_s),
      ActionTypes = make_set(action_type_s)
    by AgentId = agent_id_s, Severity = severity_s
  | extend
      ReasonList = strcat_array(AnomalyReasons, "; "),
      ActionList = strcat_array(ActionTypes, ", ")
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: Vaikora - Behavioral anomaly detected
queryFrequency: 30m
triggerThreshold: 0
relevantTechniques:
- T1059
- T1027
description: |
    Identifies AI agent behavioral anomalies flagged by Vaikora with an anomaly score of 0.7 or above, indicating significant deviation from the agent's established behavioral baseline.
triggerOperator: GreaterThan