Forum Discussion
Azure Sentinel Fusion
Hi Roman,
Simulating an atypical travel condition can sometimes be complex, as the algorithm uses machine learning to weed out false positives such as atypical travel from familiar devices, or sign-ins from VPNs that are used by peer users in the directory. The high bar we maintain for incident creation in Sentinel is crucial for maintaining a low level of alert fatigue. The algorithm initially performs a baselining, requiring, among other things, a minimum of 14 days of sign-in history logs in the org as well as a number of logins by the user before it begins generating risk detections. Because of the complex, continuous learning of the machine learning models and the above rules, there is a chance that simulating an attack might not lead to a risk detection.
The easiest simulation in my opinion is a sign-in event from an anonymous IP address leading to Office 365 mailbox exfiltration.
To simulate it:
- Enable MFA in the org
- Log in from a TOR browser into an O365 account
- Add a rule for the same user account mailbox to forward the inbox to an email account external to the org.
- Wait up to 6 hours for the periodic ML detections to run (it is actually much faster, but this is just to be on the safe side...)
- A Fusion detection should show up in Azure Sentinel incidents. You will be able to investigate and trace it back to the two low-fidelity anomalies simulated above.
In case you need further help, please email FusionHelpLine@microsoft.com.
Thanks,
Andi
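As an added example (not part of Andi's reply or Microsoft's own content), here is a KQL query a defender can run in the Sentinel workspace to confirm that the two low-fidelity anomalies from the simulation above were actually recorded, i.e. a sign-in carrying the anonymous-IP risk detection followed within the 6-hour window by a forwarding rule on the same mailbox. It assumes the Azure AD sign-in logs (SigninLogs) and Office 365 audit logs (OfficeActivity) are connected; the user filter and lookback are placeholders to adjust.

```kql
// Constructed example: correlate the two simulated anomalies before the Fusion incident appears.
// Assumes SigninLogs and OfficeActivity are ingested into the Sentinel workspace.
let lookback = 7d;                       // adjust to the period in which the simulation was run
let targetUser = "user@example.com";     // placeholder: the O365 account used in the simulation
// 1. Sign-ins that Azure AD Identity Protection flagged as coming from an anonymous IP (e.g. a Tor exit)
let anonSignins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where tolower(UserPrincipalName) == tolower(targetUser)
    | where RiskEventTypes_V2 has "anonymizedIPAddress"
    | project SigninTime = TimeGenerated,
              UserPrincipalName = tolower(UserPrincipalName),
              IPAddress,
              RiskLevelDuringSignIn;
// 2. Exchange operations that create or modify mail forwarding on the mailbox
let forwardingRules = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "Exchange"
    | where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
    | where Parameters has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
    | project RuleTime = TimeGenerated,
              UserPrincipalName = tolower(UserId),
              Operation,
              Parameters,
              RuleClientIP = ClientIP;
// 3. Keep only forwarding changes made within 6 hours after the risky sign-in by the same user,
//    which is the sequence the simulation is expected to produce.
anonSignins
| join kind=inner forwardingRules on UserPrincipalName
| where RuleTime between (SigninTime .. (SigninTime + 6h))
| project UserPrincipalName, SigninTime, IPAddress, RiskLevelDuringSignIn,
          RuleTime, Operation, Parameters, RuleClientIP
| order by SigninTime asc
```

If this query returns no rows, the baseline or risk detection described above has not fired yet, so a missing Fusion incident is expected rather than a Fusion problem; if it returns rows but no incident appears after the wait, that is the point at which to follow up.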