Advanced multistage attack detection in Microsoft Sentinel

Important

Some Fusion detections (indicated below) are currently in PREVIEW. See the Supplemental Terms of Use for Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks (also known as advanced persistent threats, or APTs) by identifying combinations of anomalous behaviors and suspicious activities observed at different stages of the kill chain. From these correlations, Microsoft Sentinel generates incidents that would otherwise be difficult to catch. Each such incident comprises two or more alerts or activities. By design, these incidents are low-volume, high-fidelity, and high-severity.

Customized for your environment, this detection technology not only reduces false positive rates but can also detect attacks with limited or missing information.

Because Fusion correlates multiple signals from different products to detect advanced multistage attacks, a successful Fusion detection is surfaced as a Fusion incident on the Microsoft Sentinel Incidents page rather than as an alert, and is recorded in the SecurityIncident table in Logs, not in the SecurityAlert table.
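Because Fusion output lands in SecurityIncident rather than SecurityAlert, the natural place to audit what Fusion has produced is a Logs query over that table. The following KQL is an added example, not a query from the Microsoft documentation. It assumes the two incident titles named later on this page; the rule id BuiltInFusion used as a fallback filter is an assumption and should be checked against the id of the Advanced multistage attack detection rule in your own workspace. It also accounts for a practical caveat: SecurityIncident stores one row per incident update, so counting rows without taking the latest state per incident inflates the numbers.

```kql
// Added example (not from the Microsoft docs page): list the current state of every
// Fusion incident created in the last 30 days, with the number of alerts it comprises.
let lookback = 30d;
// Incident titles documented for Fusion emerging-threat and ransomware detections.
let fusionTitles = dynamic([
    "Possible multistage attack activities detected by Fusion",
    "Multiple alerts possibly related to Ransomware activity detected"
]);
// ASSUMPTION: id of the "Advanced multistage attack detection" rule. Verify in your
// workspace (it appears at the end of the rule's resource id in RelatedAnalyticRuleIds).
let fusionRuleId = "BuiltInFusion";
SecurityIncident
| where TimeGenerated > ago(lookback)
| where Title in~ (fusionTitles)
    or tostring(RelatedAnalyticRuleIds) has fusionRuleId
// SecurityIncident writes a row on every update; keep only the latest state per incident.
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| extend AlertCount = array_length(AlertIds)
// Fusion incidents comprise two or more alerts by design; anything smaller merits a look.
| extend Check = iff(AlertCount < 2, "unexpected: fewer than 2 alerts", "ok")
| project CreatedTime, IncidentNumber, Title, Severity, Status, Classification,
          AlertCount, Check, IncidentUrl
| order by CreatedTime desc
```

Run it from Microsoft Sentinel > Logs. The Status and Classification columns come from the latest row only, so closed or reclassified Fusion incidents are reported with their final state rather than once per change.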

Configure Fusion

Fusion is enabled by default in Microsoft Sentinel, as an analytics rule called Advanced multistage attack detection. You can view and change the status of the rule, configure source signals to be included in the Fusion ML model, or exclude specific detection patterns that may not be applicable to your environment from Fusion detection. Learn how to configure the Fusion rule.

Note

Microsoft Sentinel currently uses 30 days of historical data to train the Fusion engine's machine learning algorithms. This data is always encrypted with Microsoft-managed keys as it passes through the machine learning pipeline. However, the training data is not encrypted with Customer-Managed Keys (CMK), even if you have enabled CMK in your Microsoft Sentinel workspace. To opt out of Fusion, navigate to Microsoft Sentinel > Configuration > Analytics > Active rules, right-click the Advanced Multistage Attack Detection rule, and select Disable.

Fusion for emerging threats

Important

  • Fusion-based detection for emerging threats is currently in PREVIEW. See the Supplemental Terms of Use for Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

The volume of security events continues to grow, and the scope and sophistication of attacks are ever increasing. Known attack scenarios can be defined in advance, but what about the emerging and unknown threats in your environment?

Microsoft Sentinel's ML-powered Fusion engine can help you find the emerging and unknown threats in your environment by applying extended ML analysis and by correlating a broader scope of anomalous signals, while keeping the alert fatigue low.

The Fusion engine's ML algorithms constantly learn from existing attacks and apply analysis based on how security analysts think. It can therefore discover previously undetected threats from millions of anomalous behaviors across the kill-chain throughout your environment, which helps you stay one step ahead of the attackers.

Fusion for emerging threats supports data collection and analysis from the following sources:

You don't need to have connected all the data sources listed above in order to make Fusion for emerging threats work. However, the more data sources you have connected, the broader the coverage, and the more threats Fusion will find.

When the Fusion engine's correlations result in the detection of an emerging threat, a high-severity incident titled "Possible multistage attack activities detected by Fusion" is generated in your Microsoft Sentinel workspace. It appears on the Incidents page and is recorded in the SecurityIncident table.

Fusion for ransomware

Microsoft Sentinel's Fusion engine generates an incident when it detects multiple alerts of different types from the following data sources, and determines that they may be related to ransomware activity:

Such Fusion incidents are titled "Multiple alerts possibly related to Ransomware activity detected", and are generated when the relevant alerts are observed within a specific time frame and are associated with the Execution and Defense Evasion stages of an attack.

For example, Microsoft Sentinel would generate an incident for possible ransomware activities if the following alerts are triggered on the same host within a specific timeframe:

Alert                                  Source                                        Severity
Windows Error and Warning Events       Microsoft Sentinel scheduled analytics rules  Informational
'GandCrab' ransomware was prevented    Microsoft Defender for Cloud                  Medium
'Tofsee' backdoor was detected         Microsoft Defender for Cloud                  Low
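When triaging a Fusion ransomware incident, the first question is usually which component alerts were correlated, from which products, on which host, and over what window, which is exactly the information in the table above. The following KQL is an added example, not a query from the Microsoft documentation. It assumes the contributing alerts are present in the SecurityAlert table (they are for Microsoft Defender for Cloud and scheduled analytics rules) and that the AlertIds array on the incident matches SystemAlertId on those alerts, which is how Microsoft Sentinel links incidents to alerts.

```kql
// Added example (not from the Microsoft docs page): for each Fusion ransomware incident,
// expand its component alerts and summarize sources, severities, tactics, affected host
// and the time window the alerts span.
let lookback = 30d;
SecurityIncident
| where TimeGenerated > ago(lookback)
| where Title startswith "Multiple alerts possibly related to Ransomware activity detected"
// Latest state per incident; SecurityIncident has a row per update.
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// One row per contributing alert id.
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    // Contributing alerts can predate the incident; widen the window slightly.
    | where TimeGenerated > ago(lookback + 1d)
    // SecurityAlert can also carry updates of the same alert; keep the latest.
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project SystemAlertId, AlertName, ProviderName, ProductName, AlertSeverity,
              Tactics, CompromisedEntity, AlertTime = TimeGenerated
  ) on $left.AlertId == $right.SystemAlertId
| summarize
    Alerts        = make_set(AlertName),
    Sources       = make_set(ProductName),
    Severities    = make_set(AlertSeverity),
    Tactics       = make_set(Tactics),
    Hosts         = make_set(CompromisedEntity),
    DistinctHosts = dcount(CompromisedEntity),
    WindowMinutes = datetime_diff('minute', max(AlertTime), min(AlertTime))
    by IncidentNumber, IncidentSeverity = Severity, Status
// Fusion correlates alerts on the same host within a bounded window; flag anything else.
| extend Check = case(
    DistinctHosts > 1, "alerts span more than one host",
    WindowMinutes > 24 * 60, "alerts span more than a day",
    "ok")
| order by IncidentNumber desc
```

The Sources and Severities columns reproduce the second and third columns of the example table for real incidents, and Tactics lets you confirm the Execution and Defense Evasion association the text describes. Treat the Check thresholds as a triage aid, not as a definition of how Fusion correlates.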

Next steps

Get more information about Fusion advanced multistage attack detection:

If you're ready to investigate the incidents that are created for you, see the following tutorial: Investigate incidents with Microsoft Sentinel.