Difference between Fusion and MCAS


Can somebody help me understand what is different between the multi-stage attack scenarios analyzed by Fusion and those in MCAS? When I see something like "Mass file download following suspicious Azure AD sign-in" it seems like both products are doing the same thing. I'm expecting a client to ask me why both products are needed when they appear to be evaluating the same scenarios.

3 Replies
I see in the documentation that the analytic rule works only with the MCAS connector; if you don't have MCAS, you can't use "Mass file deletion following suspicious Azure AD sign-in".

Thanks, I do understand that MCAS is required, but since MCAS has its own policy to detect mass file deletion, I'm curious about any differences between the systems. It seems to me that we are going to be getting alerts from MCAS and from Fusion, so I'm wondering if the best practice would be to disable the policy in MCAS when Fusion is available.

You mean e.g. the policy in MCAS named "Mass download by a single user"?