
Still skeptical about "built-in" Machine Learning in Sentinel

bornagainshell
Occasional Contributor

Hello,

I started gathering logs from different sources and was able to view the dashboards and raise alerts created in app logic designer, great so far.

Still though, most resources online mention certain "built-in machine learning" capabilities. I would like to get to test these features hands-on.

I found this enable/disable fusion tutorial even more intriguing: https://docs.microsoft.com/en-us/azure/sentinel/connect-fusion. So, what are the next steps after enabling it?

I started to wonder if this ML is something that is expected to run behind the scenes rather than a tool to be leveraged by customers.


4 Replies

There is an impending blogpost about AI/ML in Azure Sentinel. I'll provide a link here when the blog is live.


In short, Fusion uses state-of-the-art scalable learning algorithms to correlate millions of low-fidelity anomalous activities from different services and products into high-fidelity actionable cases so as to drastically decrease the false positive rate. From our measurement with external customers and internal evaluation, we have a median 94% reduction in alert fatigue. The following scenarios are supported in Fusion now. We are going to add more.

  • Anomalous Login followed by O365 Mailbox Exfiltration
  • Anomalous Login followed by Mass File deletion
  • Anomalous Login followed by Ransomware in Cloud App
  • Anomalous Login followed by Mass File Download
  • Anomalous Login followed by Suspicious Cloud App Administrative Activity
  • Anomalous Login followed by Mass File Sharing
  • Anomalous Login followed by O365 Impersonation

To get alerts for the above scenarios, you need Azure Active Directory Identity Protection and Microsoft Cloud App Security (MCAS) running, Fusion enabled, and at least one of the attack scenarios to happen.


Azure Sentinel also supports a built-in ML model and Build-Your-Own ML, which are in private preview. Please send an email to askepd@microsoft.com if you want to learn more about them or to enable those ML features.
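The reply above describes Fusion's scenarios as two-stage chains: a low-fidelity anomalous sign-in from Identity Protection, followed for the same account by a low-fidelity Cloud App Security alert, promoted together into one case. The following Python is an added illustration of that correlation shape, not code from this thread, from Fusion, or from Microsoft: it is a toy correlator over constructed alerts, and the provider labels, alert names, field names and 24-hour window are all assumptions made here. It shows why a second-stage alert with no preceding anomalous login, or one outside the window, stays a lone low-fidelity alert rather than becoming a case.

```python
"""Toy two-stage alert correlator in the shape of the Fusion scenarios.

Added example, not Fusion's algorithm. Every provider label, alert
name and sample record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Alert:
    time: datetime
    provider: str   # constructed labels: "IdentityProtection" or "MCAS"
    name: str       # constructed alert names, not product alert names
    user: str       # the entity both stages must share


# Constructed mapping: which second-stage MCAS alert completes which case.
# Case titles mirror the scenario list in the reply above.
FOLLOW_ON_CASES: Dict[str, str] = {
    "MailboxExfiltration": "Anomalous Login followed by O365 Mailbox Exfiltration",
    "MassFileDeletion": "Anomalous Login followed by Mass File deletion",
    "Ransomware": "Anomalous Login followed by Ransomware in Cloud App",
    "MassFileDownload": "Anomalous Login followed by Mass File Download",
    "SuspiciousAdminActivity": "Anomalous Login followed by Suspicious Cloud App Administrative Activity",
    "MassFileSharing": "Anomalous Login followed by Mass File Sharing",
    "O365Impersonation": "Anomalous Login followed by O365 Impersonation",
}


def latest_anomalous_login(seq: List[Alert], before: datetime,
                           window: timedelta) -> Optional[Alert]:
    """Most recent first-stage (anomalous login) alert for one user that
    strictly precedes `before` and lies inside the correlation window."""
    candidates = [a for a in seq
                  if a.provider == "IdentityProtection"
                  and a.name == "AnomalousLogin"
                  and before - window <= a.time < before]
    return max(candidates, key=lambda a: a.time) if candidates else None


def correlate(alerts: List[Alert],
              window: timedelta = timedelta(hours=24)) -> List[Dict[str, object]]:
    """Promote stage-1 -> stage-2 chains on the same user into cases.

    One case per second-stage alert that has a preceding anomalous login
    within `window`; everything else remains a low-fidelity alert.
    """
    by_user: Dict[str, List[Alert]] = {}
    for a in sorted(alerts, key=lambda a: a.time):
        by_user.setdefault(a.user, []).append(a)

    cases: List[Dict[str, object]] = []
    for user, seq in by_user.items():
        for a in seq:
            if a.provider != "MCAS" or a.name not in FOLLOW_ON_CASES:
                continue
            login = latest_anomalous_login(seq, a.time, window)
            if login is None:
                continue  # stage 2 without stage 1: not promoted
            cases.append({
                "case": FOLLOW_ON_CASES[a.name],
                "user": user,
                "first_stage": login,
                "second_stage": a,
                "gap": a.time - login.time,
            })
    return cases


def case_reduction(alerts: List[Alert], cases: List[Dict[str, object]]) -> float:
    """Fraction of raw alerts an analyst no longer triages one by one."""
    if not alerts:
        return 0.0
    return 1 - len(cases) / len(alerts)


# Constructed sample stream: only alice forms a complete chain.
T0 = datetime(2019, 3, 1, 9, 0)
SAMPLE_ALERTS: List[Alert] = [
    Alert(T0, "IdentityProtection", "AnomalousLogin", "alice"),
    Alert(T0 + timedelta(hours=2, minutes=30), "MCAS", "MassFileDownload", "alice"),
    Alert(T0 + timedelta(hours=1), "MCAS", "MassFileDownload", "bob"),      # no stage 1
    Alert(T0, "IdentityProtection", "AnomalousLogin", "carol"),
    Alert(T0 + timedelta(days=3), "MCAS", "MassFileSharing", "carol"),      # outside window
    Alert(T0, "MCAS", "MassFileDeletion", "dave"),
    Alert(T0 + timedelta(hours=1), "IdentityProtection", "AnomalousLogin", "dave"),  # wrong order
]

if __name__ == "__main__":
    found = correlate(SAMPLE_ALERTS)
    for c in found:
        print(f"{c['case']} | user={c['user']} | gap={c['gap']}")
    print(f"raw alerts: {len(SAMPLE_ALERTS)}, cases: {len(found)}, "
          f"reduction: {case_reduction(SAMPLE_ALERTS, found):.2%}")
```

Running it yields a single case for alice; bob, carol and dave each keep only their unpromoted alerts. The window and the "most recent preceding login" rule are the two knobs that decide how much of the stream collapses into cases, which is the trade-off the 94% figure in the reply is about.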

Thanks Sharon.

I've sent an email to askepd@microsoft.com as advised.

The mail was not delivered, apparently I'm not authorized.

Also looking forward to reading the blogpost and hopefully getting more hands-on test scenarios and tutorials.

Meanwhile I'll see what I can get out of fusion enabled along with Identity Protection and Cloud App Security.

Azure Sentinel webinar: https://aka.ms/AzureSentinelWebinar.

Azure Sentinel ML blog was published this morning. Here is the link: https://azure.microsoft.com/en-us/blog/reducing-security-alert-fatigue-using-machine-learning-in-azure-sentinel/
