Microsoft Sentinel uses a machine learning technology, Fusion, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. Based on these findings, Microsoft Sentinel generates incidents that would otherwise be difficult to catch. Each such incident comprises two or more alerts or anomalies. By design, these incidents are low-volume, high-fidelity, and high-severity.
To help security analysts better understand and investigate Fusion incidents, we released an investigation notebook “Guided Investigation - Fusion Incident” that is available in the Sentinel GitHub repo and the Sentinel Notebook template gallery.
This notebook takes you through a guided investigation of a Microsoft Sentinel Fusion Incident. The investigation focuses on the entities that are included in the Fusion incidents with expansions to additional alerts and incidents for further investigation.
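To make the two ideas above concrete, the following is an added, simplified illustration written for this article; it is not Microsoft's Fusion implementation and not code from the notebook. It correlates alerts that share an entity (account, host) within a time window into a single incident only when they span two or more kill-chain stages, mirroring the "two or more alerts or anomalies" property, and then pivots from the incident's entities to related alerts outside the incident, which is the entity-focused expansion the notebook performs. All alert records, entity names and stage labels are constructed for the example.

```python
"""Toy multistage correlation and entity pivot (added example, not Fusion itself).

Alerts are linked when they share at least one entity and fall within a time
window; a connected group becomes an incident only if it covers two or more
distinct kill-chain stages. The entity pivot then surfaces older or unrelated
alerts on the same entities for the analyst to review.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stage vocabulary used only for ordering within an incident.
KILL_CHAIN_ORDER = ["InitialAccess", "Execution", "Persistence",
                    "CredentialAccess", "LateralMovement", "Exfiltration"]


@dataclass(frozen=True)
class Alert:
    alert_id: str
    name: str
    stage: str
    time: datetime
    entities: frozenset  # e.g. {"account:alice", "host:ws01"}


@dataclass
class Incident:
    alert_ids: list   # member alerts in time order
    stages: list      # distinct stages in kill-chain order
    entities: set     # union of member entities


def correlate(alerts, window=timedelta(hours=24)):
    """Cluster alerts sharing an entity within `window`; keep multistage clusters."""
    alerts = sorted(alerts, key=lambda a: a.time)
    adj = defaultdict(set)
    for i, a in enumerate(alerts):
        for j in range(i + 1, len(alerts)):
            b = alerts[j]
            if a.entities & b.entities and b.time - a.time <= window:
                adj[i].add(j)
                adj[j].add(i)
    seen, incidents = set(), []
    for start in range(len(alerts)):
        if start in seen:
            continue
        comp, stack = [], [start]
        seen.add(start)
        while stack:  # depth-first walk of one connected component
            k = stack.pop()
            comp.append(k)
            for m in adj[k]:
                if m not in seen:
                    seen.add(m)
                    stack.append(m)
        members = [alerts[k] for k in sorted(comp)]
        stages = sorted({m.stage for m in members}, key=KILL_CHAIN_ORDER.index)
        # Low-volume / high-fidelity: a single alert or a single stage is not an incident.
        if len(members) >= 2 and len(stages) >= 2:
            incidents.append(Incident(
                alert_ids=[m.alert_id for m in members],
                stages=stages,
                entities=set().union(*(m.entities for m in members)),
            ))
    return incidents


def expand(incident, alerts):
    """Entity pivot: alerts outside the incident that touch any incident entity."""
    return [a for a in alerts
            if a.alert_id not in incident.alert_ids and a.entities & incident.entities]


# Constructed sample alerts: one multistage chain on alice/ws01, one stray
# host alert, and an old credential-access alert outside the window.
T0 = datetime(2021, 5, 10, 8, 0)
SAMPLE_ALERTS = [
    Alert("A1", "Impossible travel sign-in", "InitialAccess", T0, frozenset({"account:alice"})),
    Alert("A2", "Suspicious PowerShell", "Execution", T0 + timedelta(hours=2),
          frozenset({"account:alice", "host:ws01"})),
    Alert("A3", "Mass file download", "Exfiltration", T0 + timedelta(hours=5),
          frozenset({"account:alice", "host:ws01"})),
    Alert("A4", "Antimalware detection", "Execution", T0 + timedelta(hours=3),
          frozenset({"host:ws07"})),
    Alert("A5", "Password spray", "CredentialAccess", T0 - timedelta(days=10),
          frozenset({"account:alice"})),
]


def sample_incidents():
    return correlate(SAMPLE_ALERTS)


if __name__ == "__main__":
    for inc in sample_incidents():
        print("incident:", inc.alert_ids, inc.stages, sorted(inc.entities))
        print("  related alerts via entity pivot:",
              [a.alert_id for a in expand(inc, SAMPLE_ALERTS)])
```

Only A1, A2 and A3 become an incident: A4 shares no entity with anything, and A5 is on the same account but ten days outside the window. The pivot still returns A5, which is exactly the kind of earlier activity on an incident entity an analyst wants to see during investigation.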
You can find the investigation notebook in the Sentinel Notebook template gallery.
Haven’t used notebooks before? Check out the Sentinel Notebooks documentation to learn more about the notebook prerequisites and deployment steps in your Sentinel workspace.
Try out the Fusion investigation notebook and let us know your feedback! As you investigate and close the Fusion incidents, we also encourage you to provide feedback on whether this incident was a True Positive, Benign Positive, or a False Positive, along with details in the comments. Your feedback is critical to help Microsoft deliver the highest quality detections!
You can reach us by sending me a direct message, or by sharing your feedback via any of the channels listed in the resources.
Additional Resources: