Azure Sentinel Fusion

Roman_Pelekh 

Hi Roman,

Simulating an atypical travel condition can be sometimes complex, as the algorithm uses machine learning to weed out false-positives such as atypical travel from familiar devices, or sign-ins from VPNs that are used by peer users in the directory. The high bar we maintian for incident creation in Sentinel is crucial for maintaining a low level of alert fatigue. The algorithm performs intially a baselining, requiring among others a min of 14 days sign-in history logs in the org as well as a number of logins by the user before it begins generating risk detections. Because of the complex, continuous learning of the machine learning models and the above rules, there is a chance that simulating an attack might not lead to a risk detection. 

The easiest simulation in my opinion is Sign-in event from an anonymous IP address leading to Office 365 mailbox exfiltration.

To simulate it:

- Enable MFA in the org

- Login from a TOR browser into an O365 account

- Add a rule for the same user account mailbox to forward the inbox to an email account external to the org.

- Wait up to 6 hours, for the periodic ML detections to run (It is actually much faster, but just to be on the safe side...)

- A Fusion detection should show up in Azure Sentinel incidents. You will be able to investigate and trace it back to the 2 low fidelity anomalies simulated above)

In case you need further help, please email FusionHelpLine@microsoft.com. 

Thanks,

Andi