Dean_Gross
Silver Contributor
Apr 25, 2021

Difference between Fusion and MCAS

Can somebody help me understand what is different between the multi-stage attack scenarios analyzed by Fusion and those in MCAS? When I see something like "Mass file download following suspicious Azure AD sign-in" it seems like both products are doing the same thing. I'm expecting a client to ask me why both products are needed when they appear to be evaluating the same scenarios.

  • Pawel_Giza
    Copper Contributor
    I see in the documentation that the analytic rule works only with the MCAS connector; if you don't have MCAS, you can't use "Mass file deletion following suspicious Azure AD sign-in".

    • Dean_Gross
      Silver Contributor
      Thanks, I do understand that MCAS is required, but since MCAS has its own policy to detect mass file deletion, I'm curious about any differences between the systems. It seems to me that we are going to be getting alerts from MCAS and from Fusion, so I'm wondering if the best practice would be to disable the policy in MCAS when Fusion is available.
      • Pawel_Giza
        Copper Contributor
        You mean, e.g., the policy in MCAS named "Mass download by a single user"?
