There is an upcoming blog post about AI/ML in Azure Sentinel. I'll provide the link here when the blog is live.
In short, Fusion uses scalable, state-of-the-art learning algorithms to correlate millions of low-fidelity anomalous activities from different services and products into a small number of high-fidelity, actionable cases, which drastically reduces the false-positive rate. From our measurements with external customers and our internal evaluation, we see a median 94% reduction in alert fatigue. Fusion currently supports the following scenarios; more will be added.
Anomalous Login followed by O365 Mailbox Exfiltration
Anomalous Login followed by Mass File deletion
Anomalous Login followed by Ransomware in Cloud App
Anomalous Login followed by Mass File Download
Anomalous Login followed by Suspicious Cloud App Administrative Activity
Anomalous Login followed by Mass File Sharing
Anomalous Login followed by O365 Impersonation
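All of the scenarios above share one shape: an Identity Protection sign-in anomaly followed, for the same account and within some time window, by a Cloud App Security alert. The block below is an added example written for this page, not Microsoft's Fusion code (which is a proprietary ML model): it shows the simplest form of that two-stage correlation over a constructed set of alerts, so you can see why pairing the stages drops most of the raw alert volume. The 24-hour window, the alert type names, and the `Alert` record layout are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Window after an anomalous sign-in in which a cloud-app alert for the same
# account counts as a follow-on action. The value is an assumption for this
# example; Fusion's own thresholds are not published on the page.
FOLLOW_ON_WINDOW = timedelta(hours=24)

# Second-stage alert types, one per Fusion scenario listed on the page
# (names are assumed for the example, not MCAS's actual alert identifiers).
SECOND_STAGE = {
    "MailboxExfiltration",
    "MassFileDeletion",
    "RansomwareActivity",
    "MassFileDownload",
    "SuspiciousAdminActivity",
    "MassFileSharing",
    "Impersonation",
}


@dataclass(frozen=True)
class Alert:
    source: str   # "AADIP" (Identity Protection) or "MCAS" (Cloud App Security)
    kind: str     # e.g. "AnomalousLogin", "MassFileDownload"
    user: str
    time: datetime


def fuse(alerts):
    """Correlate low-fidelity alerts into high-fidelity incidents.

    Returns (login_alert, follow_on_alert) pairs: one per anomalous sign-in
    that is followed, for the same account and within FOLLOW_ON_WINDOW, by a
    second-stage cloud-app alert. Alerts that never pair up are dropped; that
    is where the false-positive reduction comes from.
    """
    logins = [a for a in alerts if a.source == "AADIP" and a.kind == "AnomalousLogin"]
    actions = [a for a in alerts if a.source == "MCAS" and a.kind in SECOND_STAGE]
    incidents = []
    for login in logins:
        for act in actions:
            if act.user != login.user:
                continue
            # Order matters: the sign-in must come first, and the action must
            # land inside the window, otherwise the pair is not a kill chain.
            if login.time <= act.time <= login.time + FOLLOW_ON_WINDOW:
                incidents.append((login, act))
    return incidents


def alert_reduction(alerts, incidents):
    """Fraction of raw alerts an analyst no longer triages one by one."""
    if not alerts:
        return 0.0
    return 1.0 - len(incidents) / len(alerts)


# Constructed sample alerts for the example; not real telemetry.
T0 = datetime(2019, 9, 1, 8, 0)
SAMPLE_ALERTS = [
    # alice: risky sign-in, then a mass download two hours later -> fused
    Alert("AADIP", "AnomalousLogin", "alice", T0),
    Alert("MCAS", "MassFileDownload", "alice", T0 + timedelta(hours=2)),
    # bob: risky sign-in with nothing after it -> stays low fidelity, dropped
    Alert("AADIP", "AnomalousLogin", "bob", T0 + timedelta(minutes=30)),
    # carol: mass deletion with no preceding risky sign-in -> dropped
    Alert("MCAS", "MassFileDeletion", "carol", T0 + timedelta(hours=1)),
    # dave: mass sharing three days after the sign-in -> outside the window
    Alert("AADIP", "AnomalousLogin", "dave", T0),
    Alert("MCAS", "MassFileSharing", "dave", T0 + timedelta(days=3)),
    # erin: the cloud-app alert came before the sign-in -> wrong order, dropped
    Alert("MCAS", "MailboxExfiltration", "erin", T0),
    Alert("AADIP", "AnomalousLogin", "erin", T0 + timedelta(hours=1)),
]


if __name__ == "__main__":
    found = fuse(SAMPLE_ALERTS)
    for login, act in found:
        print(f"{login.user}: {login.kind} at {login.time} -> {act.kind} at {act.time}")
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(found)} incident(s), "
          f"{alert_reduction(SAMPLE_ALERTS, found):.0%} fewer items to triage")
```

Running it pairs only alice's sign-in with her download; the other six alerts are exactly the kind of isolated, low-fidelity noise Fusion is meant to suppress. The real product replaces the fixed window and exact-match join with learned models, but the triage arithmetic is the same: you review the chains, not every anomaly.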
To receive alerts for the scenarios above, you need Azure Active Directory Identity Protection and Microsoft Cloud App Security (MCAS) running and connected to Azure Sentinel, Fusion enabled, and at least one of the attack scenarios actually occurring in your environment.
Azure Sentinel also supports a built-in ML model and Bring-Your-Own ML (BYO-ML), both of which are in private preview. Please send an email to email@example.com if you want to learn more about them or enable those ML features.