Azure Sentinel leverages machine learning technology, Fusion, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill-chain. There are currently 90 multi-stage attack scenarios detected by Azure Sentinel through Fusion, 35 of which are generally available.
To help you discover threats and anomalous behaviors that are more tailored to your environment, we are now public previewing multi-stage attack scenarios leveraging a set of scheduled analytics rules.
If you have created and enabled these scheduled analytics rules in your Sentinel workspace, Fusion can detect 32 new scenarios by combining alerts from the scheduled analytics rules, which detect specific events or sets of events across your environment, with alerts from Microsoft Cloud App Security or Azure Active Directory Identity Protection. The set of scheduled analytics rules is:
*This query is currently not available as a rule template. Please follow the tutorial to add the query as a custom analytics rule.
We encourage you to check out the best practices for configuring the scheduled analytics rules to maximize the Fusion detection capabilities.
Below are a few examples of Fusion incidents leveraging scheduled analytics rules:
Here’s the full list of the 32 new Fusion multistage attack detection scenarios:
Scheduled Analytics Rule + Microsoft Cloud App Security
Scheduled Analytics Rule + Azure Active Directory Identity Protection
We will continue to release new multi-stage attack scenarios detected by Fusion in Azure Sentinel; keep an eye on our Azure Sentinel Fusion page for updates!
For more information: