Azure Sentinel Fusion


Hello everyone.
I've been trying to get Advanced multistage detection to work.

As far as I'm aware, requirements for it are the Azure identity protection and Cloud App Security connectors. I have both connected in my Sentinel instance.
Do you need to configure cloud app security or is it supposed to fetch data magically? I had to configure policies in Cloud app security to even get some data into sentinel. According to documentation Fusion requires 30 days for machine learning training. It has been on for longer than that, although it started receiving CAS data only recently.
Has anyone had any luck with Advanced Multi stage detection actually generating valuable security data based on Risky sign in data from Azure Identity protection and Cloud app security? Things like "Sign-in event from an unfamiliar location leading to mass file deletion".

Would really appreciate your insight.

1 Reply

@Roman_Pelekh 

Hi Roman,

Simulating an atypical travel condition can sometimes be complex, as the algorithm uses machine learning to weed out false positives such as atypical travel from familiar devices, or sign-ins from VPNs that are used by peer users in the directory. The high bar we maintain for incident creation in Sentinel is crucial for maintaining a low level of alert fatigue. The algorithm initially performs a baselining, requiring among others a minimum of 14 days of sign-in history logs in the org as well as a number of logins by the user before it begins generating risk detections. Because of the complex, continuous learning of the machine learning models and the above rules, there is a chance that simulating an attack might not lead to a risk detection.

The easiest simulation in my opinion is Sign-in event from an anonymous IP address leading to Office 365 mailbox exfiltration.

To simulate it:

- Enable MFA in the org
- Login from a TOR browser into an O365 account
- Add a rule for the same user account mailbox to forward the inbox to an email account external to the org.
- Wait up to 6 hours, for the periodic ML detections to run (It is actually much faster, but just to be on the safe side...)
- A Fusion detection should show up in Azure Sentinel incidents. You will be able to investigate and trace it back to the 2 low fidelity anomalies simulated above.
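A KQL query, added here as an example and not part of Andi's reply, that checks from the Sentinel side whether the two low-fidelity signals behind this scenario actually landed in the workspace and whether Fusion has correlated them yet. It assumes the standard `SigninLogs`, `OfficeActivity` and `SecurityAlert` tables are populated by the Azure AD and Office 365 connectors; the account name is a placeholder, and the `ProductName`/`AlertName` filter for Fusion alerts is an assumption to adjust to what your workspace shows.

```kql
// Added verification query (not from the thread). Assumes the standard Sentinel tables
// SigninLogs, OfficeActivity and SecurityAlert. Replace the placeholder UPN with the test account.
let target = "testuser@contoso.example";   // placeholder for the simulated account
let lookback = 7d;
// 1. Risky sign-in: Identity Protection should tag the Tor login with the
//    "anonymizedIPAddress" risk type in the sign-in record.
let risky_signin = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where UserPrincipalName =~ target
    | extend RiskTypes = tostring(RiskEventTypes)
    | where RiskTypes has "anonymizedIPAddress"
    | project TimeGenerated, Signal = "RiskySignIn",
              Detail = strcat(IPAddress, " ", RiskTypes);
// 2. Mailbox forwarding: an inbox rule or mailbox setting that forwards/redirects mail.
//    These are the Exchange cmdlets audited into OfficeActivity (assumed parameter names).
let forwarding = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where UserId =~ target
    | where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
    | extend p = tostring(Parameters)
    | where p has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                       "ForwardingSmtpAddress", "DeliverToMailboxAndForward")
    | project TimeGenerated, Signal = "MailboxForwarding",
              Detail = strcat(Operation, " ", p);
// 3. The correlated Fusion alert, once the periodic ML job has run.
//    Fusion alerts are raised by Sentinel itself; the name filter is an assumption.
let fusion = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProductName == "Azure Sentinel"
    | where AlertName has "anonymous IP" and AlertName has "mailbox"
    | project TimeGenerated, Signal = "FusionIncident", Detail = AlertName;
// Timeline of all three: if rows 1 and 2 exist but row 3 is missing after ~6 hours,
// the inputs are fine and the wait is on the Fusion job, not on the connectors.
union risky_signin, forwarding, fusion
| order by TimeGenerated asc
```

If the `RiskySignIn` row never appears, the Identity Protection side is what failed (baselining not complete or the sign-in not judged risky), and Fusion has nothing to correlate regardless of the forwarding rule.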
In case you need further help, please email FusionHelpLine@microsoft.com.

Thanks,

Andi