Still skeptical about "built-in" Machine Learning in Sentinel

Hello,

I started gathering logs from different sources and was able to view the dashboards and raise alerts created in the logic app designer. Great so far.

Still, most resources online mention certain "built-in machine learning" capabilities. I would like to test these features hands-on.

I found this enable/disable Fusion tutorial even more intriguing: https://docs.microsoft.com/en-us/azure/sentinel/connect-fusion . So, what are the next steps after enabling it?

I started to wonder if this ML is something that is expected to run behind the scenes rather than a tool to be leveraged by customers.

4 Replies
There is an impending blog post about AI/ML in Azure Sentinel. I'll provide the link here when the blog is live.

In short, Fusion uses state-of-the-art scalable learning algorithms to correlate millions of low-fidelity anomalous activities from different services and products into high-fidelity actionable cases, so as to drastically decrease the false positive rate. From our measurement with external customers and internal evaluation, we have a median 94% reduction in alert fatigue. The following scenarios are supported in Fusion now. We are going to add more.

  • Anomalous Login followed by O365 Mailbox Exfiltration
  • Anomalous Login followed by Mass File deletion
  • Anomalous Login followed by Ransomware in Cloud App
  • Anomalous Login followed by Mass File Download
  • Anomalous Login followed by Suspicious Cloud App Administrative Activity
  • Anomalous Login followed by Mass File Sharing
  • Anomalous Login followed by O365 Impersonation

To get alerts for the above scenarios, you need Azure Active Directory Identity Protection and Microsoft Cloud App Security (MCAS) running, Fusion enabled, and at least one of the attack scenarios to happen.

Azure Sentinel also supports built-in ML models and Build-Your-Own ML, which are in private preview. Please send an email to askepd@microsoft.com if you want to learn more about them or enable those ML features.
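As an added illustration of the correlation idea described in this reply (not Fusion's actual algorithm and not code from this thread), here is a simplified Python correlator that promotes low-fidelity alerts to a case only when an anomalous sign-in is followed, for the same user and within a time window, by one of the listed follow-on activities. The alert records, source names and kind labels are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed low-fidelity alerts (illustrative only): "source" is the product
# that raised the alert, "kind" is a coarse alert class.
ALERTS = [
    {"ts": "2019-03-01T08:00:00", "user": "alice", "source": "IdentityProtection", "kind": "AnomalousLogin"},
    {"ts": "2019-03-01T08:25:00", "user": "alice", "source": "MCAS", "kind": "MassFileDownload"},
    # bob: follow-on activity with no preceding anomalous login -> stays low fidelity
    {"ts": "2019-03-01T09:10:00", "user": "bob", "source": "MCAS", "kind": "MassFileDeletion"},
    # carol: anomalous login, but the follow-on activity is a day later -> outside the window
    {"ts": "2019-03-01T10:00:00", "user": "carol", "source": "IdentityProtection", "kind": "AnomalousLogin"},
    {"ts": "2019-03-02T10:00:00", "user": "carol", "source": "MCAS", "kind": "MassFileSharing"},
]

# Follow-on activities taken from the scenario list in the reply above.
FOLLOW_ON = {
    "O365MailboxExfiltration", "MassFileDeletion", "RansomwareInCloudApp",
    "MassFileDownload", "SuspiciousCloudAppAdminActivity", "MassFileSharing",
    "O365Impersonation",
}


def correlate(alerts, window=timedelta(hours=1)):
    """Return high-fidelity cases: an AnomalousLogin followed, for the same
    user and within `window`, by one of the FOLLOW_ON activities.
    Each case carries both contributing alerts as evidence."""
    by_user = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_user.setdefault(a["user"], []).append(a)

    cases = []
    for user, seq in by_user.items():
        for i, login in enumerate(seq):
            if login["kind"] != "AnomalousLogin":
                continue
            t0 = datetime.fromisoformat(login["ts"])
            for later in seq[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break  # sorted by time, so nothing further can match
                if later["kind"] in FOLLOW_ON:
                    cases.append({
                        "user": user,
                        "scenario": f"Anomalous Login followed by {later['kind']}",
                        "evidence": [login, later],
                    })
    return cases


if __name__ == "__main__":
    for case in correlate(ALERTS):
        print(case["user"], "->", case["scenario"])
```

On the constructed input, five low-fidelity alerts collapse into a single case for `alice`; the isolated MCAS alert for `bob` and the out-of-window pair for `carol` are never surfaced as cases.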

Thanks Sharon.

I've sent an email to askepd@microsoft.com as advised.

The mail was not delivered, apparently I'm not authorized.

Also looking forward to reading the blog post and hopefully getting more hands-on test scenarios and tutorials.

Meanwhile I'll see what I can get out of Fusion enabled along with Identity Protection and Cloud App Security.

Azure Sentinel webinar: https://aka.ms/AzureSentinelWebinar.

Azure Sentinel ML blog was published this morning. Here is the link: https://azure.microsoft.com/en-us/blog/reducing-security-alert-fatigue-using-machine-learning-in-azu...