Microsoft Sentinel leverages machine learning technology, Fusion, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill-chain. On the basis of these discoveries, Microsoft Sentinel generates incidents that would otherwise be difficult to catch. These incidents comprise two or more alerts or anomalies. By design, these incidents are low-volume, high-fidelity, and high-severity.
To help security analysts better understand and investigate Fusion incidents, we released an investigation notebook “Guided Investigation - Fusion Incident” that is available in the Sentinel GitHub repo and the Sentinel Notebook template gallery.
What’s in the Fusion investigation Notebook?
This notebook takes you through a guided investigation of a Microsoft Sentinel Fusion Incident. The investigation focuses on the entities that are included in the Fusion incidents with expansions to additional alerts and incidents for further investigation.
- Timeline view of Fusion incidents: shows you a timeline view of all the Fusion incidents in the selected Sentinel workspace.
- Guided investigation steps:
  - Select a Fusion incident to investigate.
  - Start the investigation from the entities Fusion joined the alerts/anomalies on. Fusion creates correlations on entities including host, account, IP addresses and Azure resources.
  - Expand to additional relevant alerts and incidents:
    - Associated incidents created on the fused entities in the last 14 days.
    - Expanded alerts that are triggered on the fused entities in the last 7 days.
- Additional investigation on entities:
  - Run analysis on the incident's entities that appear in threat intelligence sources.
  - Run analysis for different entity types including IP, URL, user account and host.
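The expansion steps above, as an added example that is not the notebook's own code: it assumes constructed alert and incident records (hypothetical IDs and values) standing in for Sentinel's SecurityAlert and SecurityIncident tables, collects the entities from a Fusion incident's alerts, and pulls in other alerts raised on those entities in the last 7 days and incidents in the last 14 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Alert:
    alert_id: str
    name: str
    time: datetime
    entities: frozenset  # (entity_type, value) pairs the alert was raised on

@dataclass(frozen=True)
class Incident:
    incident_id: str
    title: str
    time: datetime
    alert_ids: frozenset

def incident_entities(incident, alerts):
    """Entities in the Fusion incident: the union over its alerts (host, account, IP, ...)."""
    return set().union(*(alerts[a].entities for a in incident.alert_ids))

def expand(fusion, alerts, incidents, now, alert_days=7, incident_days=14):
    """Other alerts (last 7 days) and incidents (last 14 days) raised on the
    fused entities, excluding the Fusion incident itself and its own alerts."""
    ents = incident_entities(fusion, alerts)
    on_ents = lambda a: bool(a.entities & ents)
    rel_alerts = sorted((a for a in alerts.values()
                         if a.alert_id not in fusion.alert_ids and on_ents(a)
                         and a.time >= now - timedelta(days=alert_days)), key=lambda a: a.time)
    rel_incidents = sorted((i for i in incidents
                            if i.incident_id != fusion.incident_id
                            and i.time >= now - timedelta(days=incident_days)
                            and any(on_ents(alerts[x]) for x in i.alert_ids)), key=lambda i: i.time)
    return ents, rel_alerts, rel_incidents

# Constructed sample data (hypothetical IDs and values, not real Sentinel rows).
NOW = datetime(2021, 6, 15)
HOST, ACCT, IP = ("host", "wks-042"), ("account", "jdoe"), ("ip", "198.51.100.7")
ALERTS = {a.alert_id: a for a in [
    Alert("a1", "Impossible travel", NOW - timedelta(days=2), frozenset({ACCT, IP})),
    Alert("a2", "Suspicious PowerShell", NOW - timedelta(days=1), frozenset({ACCT, HOST})),
    Alert("a3", "Malware on host", NOW - timedelta(days=5), frozenset({HOST})),
    Alert("a4", "Brute force", NOW - timedelta(days=10), frozenset({ACCT})),
    Alert("a5", "Port scan", NOW - timedelta(days=3), frozenset({("ip", "203.0.113.9")})),
    Alert("a6", "Old sign-in alert", NOW - timedelta(days=20), frozenset({ACCT}))]}
FUSION = Incident("inc-1", "Multi-stage attack", NOW - timedelta(days=1), frozenset({"a1", "a2"}))
INCIDENTS = [FUSION, Incident("inc-2", "Malware incident", NOW - timedelta(days=5), frozenset({"a3"})),
             Incident("inc-3", "Brute force", NOW - timedelta(days=10), frozenset({"a4"})),
             Incident("inc-4", "Stale", NOW - timedelta(days=20), frozenset({"a6"}))]
```

Widening `alert_days` to 14 pulls in the older brute-force alert on the same account, which is the kind of knob the notebook's expansion step exposes.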
Getting Started
You can find the investigation notebook in the Sentinel Notebook template gallery:
- Navigate to the Threat Management section and open the Notebooks blade.
- Go to the Templates tab.
- Search for Fusion and you should see the investigation notebook in the results.
Haven’t used notebooks before? Check out the Sentinel Notebooks documentation to learn more about the notebook prerequisites and the deployment steps for your Sentinel workspace.
Summary
Try out the Fusion investigation notebook and let us know your feedback! As you investigate and close the Fusion incidents, we also encourage you to provide feedback on whether this incident was a True Positive, Benign Positive, or a False Positive, along with details in the comments. Your feedback is critical to help Microsoft deliver the highest quality detections!
You can reach us by sending me a direct message, or by sharing your feedback via any of the channels listed in the resources.
Additional Resources: