Azure Sentinel leverages machine learning technology, Fusion, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill-chain. There are currently 90 multi-stage attack scenarios detected by Azure Sentinel through Fusion, 35 of which are generally available.
To help you discover threats and anomalous behaviors that are more tailored to your environment, we are now public previewing multi-stage attack scenarios leveraging a set of scheduled analytics rules.
If you have created and enabled these scheduled analytics rules in your Sentinel workspace, Fusion can detect 32 new scenarios by combining alerts from the scheduled analytics rules that detects specific events or sets of events across your environment, with alerts from Microsoft Cloud App Security or Azure Active Directory Identity Protection. The set of scheduled analytics rules are:
- Cisco - firewall block but success logon to Azure AD
- Fortinet - Beacon pattern detected
- IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN
- Multiple Password Reset by user
- New Admin account activity seen which was not seen historically*
- Rare application consent
- SharePointFileOperation via previously unseen IPs
- Suspicious Resource deployment
*This query is currently not availiable as a rule template. Please follow the tutorial to add the query as a custom analytics rule.
You can watch our demo video to get a full experience of setting up custom analytic rule in your Sentinel workspace and investigating a Fusion incident with that scheduled rule. We also encourage you to check out the best practices for configuring the scheduled analytics rules to maximize the Fusion detection capabilities.
Below are a few examples of Fusion incidents leveraging scheduled analytics rules:
- Rare Application Consent following impossible travel to an atypical location: when Azure Active Directory Identity Protection detects a user signed in from an atypical location based on the user's recent sign-ins, an impossible travel to an atypical location alert is created. Within a specific time range, if an alert is trigged for rare consent to application operation based on the scheduled analytics rule you configured, Fusion triggers a high severity incident because the combination of those two suspicious activities is an indication that the account has been compromised and was used to access or manipulate the application for malicious purposes.
- Beacon pattern detected by Fortinet following multiple failed user logon attempts to a service: Microsoft Cloud App Security raises an alert when a user tries to sign in to a single app and fails exceed a certain threshold within a timeframe. Following that, network beaconing is detected by your scheduled analytics rule, which could be an indication of malware infection or compromised host doing data exfiltration. Fusion connects these two suspicious activities together and raise an incident to indicate a possible multi-stage attack.
- Mass download by a single user following IPs blocked by a Cisco firewall appliance with successful Azure Active Directory sign-ins: if you have set up a scheduled analytics rule to detect correlation between IPs blocked by a Cisco firewall appliance and successful Azure Active Directory sign-ins, the alert raised is suspicious but doesn’t meet the bar for a high-level threat. Separately, Microsoft Cloud App Security creates an alert when mass download by a single user is detected. When Fusion correlates these two alerts together, it’s a strong signal for a possible attempt by an attacker to exfiltrate data from your network after compromising a user account.
Here’s the full list of the 32 new Fusion multistage attack detection scenarios:
Scheduled Analytics Rule + Microsoft Cloud App Security
- Beacon pattern detected by Fortinet following multiple failed user sign-ins to a service
- Mail forwarding activities following new admin-account activity not seen recently
- Mass file deletion following successful Azure AD sign-in from IP blocked by a Cisco firewall appliance
- Mass file deletion following successful sign-in to Palo Alto VPN by IP with multiple failed Azure AD sign-ins
- Mass file download following SharePoint file operation from previously unseen IP
- Mass file download following successful Azure AD sign-in from IP blocked by a Cisco firewall appliance
- SharePoint file operation from previously unseen IP following malware detection
Scheduled Analytics Rule + Azure Active Directory Identity Protection
- Beacon pattern detected by Fortinet following suspicious Azure AD sign-in (5 distinct detections)
- Multiple password reset by user following suspicious sign-in (5 distinct detections)
- Rare application consent following suspicious sign-in (5 distinct detections)
- Suspicious resource / resource group deployment by a previously unseen caller following suspicious Azure AD sign-in (5 distinct detections)
- Suspicious sign-in coinciding with successful sign-in to Palo Alto VPN by IP with multiple failed Azure AD sign-ins (5 distinct detections)
We will continue to release new multi-stage attack scenarios detected by Fusion in Azure Sentinel, keep an eye on our Azure Sentinel Fusion page for updates!
For more information:
- Azure Sentinel Fusion
- Azure Sentinel uncovers the real threats hidden in billions of low fidelity signals
- Detect threats with built-in analytics rules in Azure Sentinel
- Configure sentinel custom analytic rule
- Azure Sentinel GitHub repo