Microsoft Sentinel Analytic Rules

Vaikora - Behavioral anomaly detected

Id: e61258ec-1a7f-454c-95b5-458a6edb1ea4
Rulename: Vaikora - Behavioral anomaly detected
Description: Identifies AI agent behavioral anomalies flagged by Vaikora with an anomaly score of 0.7 or above, indicating significant deviation from the agent’s established behavioral baseline.
Severity: Medium
Tactics: DefenseEvasion, Execution
Techniques: T1059, T1027
Required data connectors: VaikoraSentinel
Kind: Scheduled
Query frequency: 30m
Query period: 1h
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml
Version: 1.0.0
Arm template: e61258ec-1a7f-454c-95b5-458a6edb1ea4.json
Vaikora_AgentSignals_CL
| where TimeGenerated > ago(1h)
| where is_anomaly_b == true
| where anomaly_score_d >= 0.7
| summarize
    AnomalyCount = count(),
    MaxAnomalyScore = max(anomaly_score_d),
    AvgAnomalyScore = avg(anomaly_score_d),
    AnomalyReasons = make_set(anomaly_reason_s),
    ActionTypes = make_set(action_type_s)
  by AgentId = agent_id_s, Severity = severity_s
| extend
    ReasonList = strcat_array(AnomalyReasons, "; "),
    ActionList = strcat_array(ActionTypes, ", ")
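The following Python re-implements the KQL pipeline above over a handful of constructed rows, so the filter and aggregation behaviour can be checked offline. It is an added example for this page, not code from the Vaikora solution or the Azure-Sentinel repository; the agent IDs, reason and action strings are invented, and `make_set` output is sorted here only because KQL does not guarantee set order. It also models the schedule the rule ships with (queryFrequency 30m, queryPeriod 1h, aggregationKind AlertPerResult): each signal falls into two consecutive query windows, so the same event produces an alert twice, and the incident grouping by Account entity with a 1h lookback is what folds those into one incident.

```python
"""Python re-implementation of the KQL aggregation in the rule
'Vaikora - Behavioral anomaly detected', run over constructed rows.
Added example for this page; not code from the Vaikora solution or
from the Azure-Sentinel repository."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Reference point for ago(); constructed, not a real incident time.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _row(minutes_ago, agent, severity, is_anomaly, score, reason, action):
    """Build one constructed row using the column names of Vaikora_AgentSignals_CL."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "agent_id_s": agent, "severity_s": severity,
        "is_anomaly_b": is_anomaly, "anomaly_score_d": score,
        "anomaly_reason_s": reason, "action_type_s": action,
    }


# Constructed sample signals; agent IDs, reasons and actions are illustrative.
SAMPLE_ROWS = [
    _row(5,  "agent-a", "High",   True,  0.92, "unusual tool sequence", "tool_call"),
    _row(40, "agent-a", "High",   True,  0.81, "off-hours activity",    "file_write"),
    _row(10, "agent-a", "Medium", True,  0.75, "new destination host",  "network_egress"),
    _row(15, "agent-b", "High",   True,  0.55, "minor drift",           "tool_call"),   # below 0.7
    _row(20, "agent-c", "High",   False, 0.95, "scored, not flagged",   "tool_call"),   # is_anomaly_b false
    _row(90, "agent-d", "Low",    True,  0.88, "stale event",           "tool_call"),   # older than 1h
]


def run_rule(rows, now, query_period=timedelta(hours=1), threshold=0.7):
    """One scheduled evaluation of the rule: one dict per (AgentId, Severity) group,
    mirroring the KQL summarize/extend. Sets are sorted for deterministic output."""
    window_start = now - query_period
    groups = defaultdict(lambda: {"scores": [], "reasons": set(), "actions": set()})
    for r in rows:
        if r["TimeGenerated"] <= window_start:          # | where TimeGenerated > ago(1h)
            continue
        if r.get("is_anomaly_b") is not True:           # | where is_anomaly_b == true (null never matches)
            continue
        if r["anomaly_score_d"] < threshold:            # | where anomaly_score_d >= 0.7
            continue
        g = groups[(r["agent_id_s"], r["severity_s"])]  # by AgentId = agent_id_s, Severity = severity_s
        g["scores"].append(r["anomaly_score_d"])
        g["reasons"].add(r["anomaly_reason_s"])
        g["actions"].add(r["action_type_s"])
    results = []
    for (agent, sev), g in sorted(groups.items()):
        results.append({
            "AgentId": agent,
            "Severity": sev,
            "AnomalyCount": len(g["scores"]),
            "MaxAnomalyScore": max(g["scores"]),
            "AvgAnomalyScore": sum(g["scores"]) / len(g["scores"]),
            "ReasonList": "; ".join(sorted(g["reasons"])),   # strcat_array(AnomalyReasons, "; ")
            "ActionList": ", ".join(sorted(g["actions"])),   # strcat_array(ActionTypes, ", ")
        })
    return results


def alerts_over_schedule(rows, first_run, runs=2, frequency=timedelta(minutes=30)):
    """Evaluate the rule at consecutive scheduled runs (queryFrequency 30m, queryPeriod 1h).
    With aggregationKind AlertPerResult every returned row is an alert, so a signal inside
    the overlapping half hour is alerted on twice; incident grouping by Account merges them."""
    return [run_rule(rows, first_run + i * frequency) for i in range(runs)]


if __name__ == "__main__":
    for i, run in enumerate(alerts_over_schedule(SAMPLE_ROWS, NOW)):
        print(f"run {i} at {NOW + i * timedelta(minutes=30):%H:%M}: {len(run)} alert(s)")
        for alert in run:
            print("  ", alert)
```

Two details of the sample data are worth noting: agent-c has the highest score in the set but is never alerted, because the rule requires `is_anomaly_b == true` in addition to the score threshold, and agent-a appears in two groups because the summarize keys on severity_s as well as agent_id_s, so one agent can yield two alerts per run.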
version: 1.0.0
id: e61258ec-1a7f-454c-95b5-458a6edb1ea4
relevantTechniques:
- T1059
- T1027
requiredDataConnectors:
- connectorId: VaikoraSentinel
  dataTypes:
  - Vaikora_AgentSignals_CL
triggerOperator: GreaterThan
entityMappings:
- fieldMappings:
  - columnName: AgentId
    identifier: Name
  entityType: Account
name: Vaikora - Behavioral anomaly detected
queryFrequency: 30m
triggerThreshold: 0
customDetails:
  AvgAnomalyScore: AvgAnomalyScore
  AnomalyCount: AnomalyCount
  MaxAnomalyScore: MaxAnomalyScore
  AnomalyReasons: ReasonList
  ActionTypes: ActionList
description: |
    Identifies AI agent behavioral anomalies flagged by Vaikora with an anomaly score of 0.7 or above, indicating significant deviation from the agent's established behavioral baseline.
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Analytic Rules/Vaikora - Behavioral Anomaly Detected.yaml
suppressionEnabled: false
queryPeriod: 1h
severity: Medium
suppressionDuration: 30m
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: 1h
    groupByEntities:
    - Account
tactics:
- DefenseEvasion
- Execution
query: |
  Vaikora_AgentSignals_CL
  | where TimeGenerated > ago(1h)
  | where is_anomaly_b == true
  | where anomaly_score_d >= 0.7
  | summarize
      AnomalyCount = count(),
      MaxAnomalyScore = max(anomaly_score_d),
      AvgAnomalyScore = avg(anomaly_score_d),
      AnomalyReasons = make_set(anomaly_reason_s),
      ActionTypes = make_set(action_type_s)
    by AgentId = agent_id_s, Severity = severity_s
  | extend
      ReasonList = strcat_array(AnomalyReasons, "; "),
      ActionList = strcat_array(ActionTypes, ", ")  
eventGroupingSettings:
  aggregationKind: AlertPerResult