Configure multistage attack detection (Fusion) rules in Microsoft Sentinel
Important
The new version of the Fusion analytics rule is currently in PREVIEW. See the Supplemental Terms of Use for Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. Based on these discoveries, Microsoft Sentinel generates incidents that would otherwise be difficult to catch. These incidents comprise two or more alerts or activities. By design, these incidents are low-volume, high-fidelity, and high-severity.
Customized for your environment, this detection technology not only reduces false positive rates but can also detect attacks with limited or missing information.
Configure Fusion rules
This detection is enabled by default in Microsoft Sentinel. To check or change its status, use the following instructions:
Sign in to the Azure portal and enter Microsoft Sentinel.
From the Microsoft Sentinel navigation menu, select Analytics.
Select the Active rules tab, and then locate Advanced Multistage Attack Detection in the NAME column by filtering the list for the Fusion rule type. Check the STATUS column to confirm whether this detection is enabled or disabled.
To change the status, select this entry and on the Advanced Multistage Attack Detection preview pane, select Edit.
In the General tab of the Analytics rule wizard, note the status (Enabled/Disabled), or change it if you want.
If you changed the status but have no further changes to make, select the Review and update tab and select Save.
Note
Microsoft Sentinel currently uses 30 days of historical data to train the machine learning systems. This data is always encrypted using Microsoft's keys as it passes through the machine learning pipeline. However, the training data is not encrypted using Customer-Managed Keys (CMK) if you enabled CMK in your Microsoft Sentinel workspace. To opt out of Fusion, navigate to Microsoft Sentinel > Configuration > Analytics > Active rules, right-click on the Advanced Multistage Attack Detection rule, and select Disable.
Configure scheduled analytics rules for Fusion detections
Important
Fusion-based detection using analytics rule alerts is currently in PREVIEW. See the Supplemental Terms of Use for Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Fusion can detect scenario-based multi-stage attacks and emerging threats using alerts generated by scheduled analytics rules. We recommend you take the following steps to configure and enable these rules, so that you can get the most out of Microsoft Sentinel's Fusion capabilities.
Fusion for emerging threats can use alerts generated by any scheduled analytics rules that contain kill-chain (tactics) and entity mapping information. To ensure that an analytics rule's output can be used by Fusion to detect emerging threats:
Review entity mapping for these scheduled rules. Use the entity mapping configuration section to map parameters from your query results to Microsoft Sentinel-recognized entities. Because Fusion correlates alerts based on entities (such as user account or IP address), its ML algorithms cannot perform alert matching without the entity information.
Review the tactics and techniques in your analytics rule details. The Fusion ML algorithm uses MITRE ATT&CK information for detecting multi-stage attacks, and the tactics and techniques you label the analytics rules with will show up in the resulting incidents. Fusion calculations might be affected if incoming alerts are missing tactic information.
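The two checks above (is the Fusion rule enabled, and do the scheduled rules carry the entity mappings and tactics Fusion needs) can be scripted against the same data the portal shows. The following is an added example, not code from the Microsoft documentation. It parses the JSON returned by the Microsoft.SecurityInsights alertRules list API (the `kind`, `properties.enabled`, `properties.entityMappings` and `properties.tactics` fields); the sample payload is constructed for illustration, with made-up rule names and GUIDs, and would normally be fetched from your workspace with `az rest` or an Azure SDK.

```python
"""
Audit a Microsoft Sentinel workspace's alert rules for Fusion readiness.

Added example; not part of the Microsoft docs page. Works on the JSON body
returned by the Microsoft.SecurityInsights alertRules list API. The sample
payload below is constructed: field names follow the API, values are made up.
"""
import json

# Constructed sample of an alertRules list response, trimmed to relevant fields.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "name": "00000000-0000-0000-0000-000000000001",
            "kind": "Fusion",
            "properties": {
                "displayName": "Advanced Multistage Attack Detection",
                "enabled": True,
            },
        },
        {
            "name": "00000000-0000-0000-0000-000000000002",
            "kind": "Scheduled",
            "properties": {
                "displayName": "Multiple Password Reset by user",
                "enabled": True,
                "tactics": ["CredentialAccess", "Impact"],
                "techniques": ["T1110"],
                "entityMappings": [
                    {"entityType": "Account",
                     "fieldMappings": [{"identifier": "FullName",
                                        "columnName": "UserPrincipalName"}]}
                ],
            },
        },
        {
            "name": "00000000-0000-0000-0000-000000000003",
            "kind": "Scheduled",
            "properties": {
                "displayName": "Custom rule without entities",
                "enabled": True,
                "tactics": [],
                "entityMappings": [],
            },
        },
        {
            "name": "00000000-0000-0000-0000-000000000004",
            "kind": "Scheduled",
            "properties": {
                "displayName": "Disabled custom rule",
                "enabled": False,
                "tactics": ["Persistence"],
                "entityMappings": [
                    {"entityType": "IP",
                     "fieldMappings": [{"identifier": "Address",
                                        "columnName": "SrcIp"}]}
                ],
            },
        },
    ]
})


def fusion_rule_status(response_json: str):
    """Return (found, enabled) for the Fusion rule; (False, None) if absent."""
    for rule in json.loads(response_json).get("value", []):
        if rule.get("kind") == "Fusion":
            return True, bool(rule["properties"].get("enabled", False))
    return False, None


def audit_scheduled_rules(response_json: str):
    """
    Classify enabled Scheduled rules by whether Fusion can use their alerts.

    A rule is 'ready' when it has at least one entity mapping and at least
    one tactic; otherwise 'needs_attention' lists what is missing.
    """
    report = {"ready": [], "needs_attention": {}}
    for rule in json.loads(response_json).get("value", []):
        if rule.get("kind") != "Scheduled":
            continue
        props = rule.get("properties", {})
        if not props.get("enabled", False):
            continue  # disabled rules emit no alerts for Fusion to correlate
        missing = []
        if not props.get("entityMappings"):
            missing.append("entity mapping")
        if not props.get("tactics"):
            missing.append("tactics")
        name = props.get("displayName", rule.get("name"))
        if missing:
            report["needs_attention"][name] = missing
        else:
            report["ready"].append(name)
    return report


if __name__ == "__main__":
    found, enabled = fusion_rule_status(SAMPLE_RESPONSE)
    print("Fusion rule present:", found, "enabled:", enabled)
    result = audit_scheduled_rules(SAMPLE_RESPONSE)
    for name in result["ready"]:
        print(f"OK   {name}")
    for name, missing in result["needs_attention"].items():
        print(f"FIX  {name}: missing {', '.join(missing)}")
```

Disabled rules are skipped rather than flagged because they produce no alerts, so their mappings are irrelevant to Fusion until they are turned on; a rule that is enabled but lacks either entity mappings or tactics is the case worth fixing, since Fusion cannot match its alerts to others without entities and may mis-weight them without tactic information.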
Fusion can also detect scenario-based threats using rules based on the following scheduled analytics rule templates.
To enable the queries available as templates in the Analytics page, go to the Rule templates tab, select the rule name in the templates gallery, and select Create rule in the details pane.
- Cisco - firewall block but success logon to Microsoft Entra ID
- Fortinet - Beacon pattern detected
- IP with multiple failed Microsoft Entra logins successfully logs in to Palo Alto VPN
- Multiple Password Reset by user
- Rare application consent
- SharePointFileOperation via previously unseen IPs
- Suspicious Resource deployment
- Palo Alto Threat signatures from Unusual IP addresses
To add queries that are not currently available as a rule template, see Create a custom analytics rule from scratch.
For more information, see Fusion Advanced Multistage Attack Detection Scenarios with Scheduled Analytics Rules.
Note
For the set of scheduled analytics rules used by Fusion, the ML algorithm does fuzzy matching for the KQL queries provided in the templates. Renaming the templates will not impact Fusion detections.
Next steps
Learn more about Fusion detections in Microsoft Sentinel.
If you're ready to investigate the incidents that are created for you, see the following tutorial: Investigate incidents with Microsoft Sentinel.