Submitted URL: https://aka.ms/SentinelFusion
Effective URL: https://learn.microsoft.com/en-us/azure/sentinel/fusion
Submission: On February 09 via api from DE — Scanned from SE

ADVANCED MULTISTAGE ATTACK DETECTION IN MICROSOFT SENTINEL

 * Article
 * 12/20/2022
 * 7 minutes to read
 * 6 contributors


Important

Some Fusion detections (see those so indicated below) are currently in PREVIEW.
See the Supplemental Terms of Use for Microsoft Azure Previews for additional
legal terms that apply to Azure features that are in beta, preview, or otherwise
not yet released into general availability.

Note

For information about feature availability in US Government clouds, see the
Microsoft Sentinel tables in Cloud feature availability for US Government
customers.

Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine
learning algorithms, to automatically detect multistage attacks (also known as
advanced persistent threats or APT) by identifying combinations of anomalous
behaviors and suspicious activities that are observed at various stages of the
kill chain. On the basis of these discoveries, Microsoft Sentinel generates
incidents that would otherwise be difficult to catch. These incidents comprise
two or more alerts or activities. By design, these incidents are low-volume,
high-fidelity, and high-severity.

Customized for your environment, this detection technology not only reduces
false positive rates but can also detect attacks with limited or missing
information.

Since Fusion correlates multiple signals from various products to detect
advanced multistage attacks, successful Fusion detections are presented as
Fusion incidents on the Microsoft Sentinel Incidents page and not as alerts, and
are stored in the SecurityIncident table in Logs and not in the SecurityAlert
table.


CONFIGURE FUSION

Fusion is enabled by default in Microsoft Sentinel, as an analytics rule called
Advanced multistage attack detection. You can view and change the status of the
rule, configure source signals to be included in the Fusion ML model, or exclude
specific detection patterns that may not be applicable to your environment from
Fusion detection. Learn how to configure the Fusion rule.

Note

Microsoft Sentinel currently uses 30 days of historical data to train the Fusion
engine's machine learning algorithms. This data is always encrypted using
Microsoft’s keys as it passes through the machine learning pipeline. However,
the training data is not encrypted using Customer-Managed Keys (CMK) if you
enabled CMK in your Microsoft Sentinel workspace. To opt out of Fusion, navigate
to Microsoft Sentinel > Configuration > Analytics > Active rules, right-click on
the Advanced Multistage Attack Detection rule, and select Disable.


FUSION FOR EMERGING THREATS

Important

 * Fusion-based detection for emerging threats is currently in PREVIEW. See the
   Supplemental Terms of Use for Microsoft Azure Previews for additional legal
   terms that apply to Azure features that are in beta, preview, or otherwise
   not yet released into general availability.

The volume of security events continues to grow, and the scope and
sophistication of attacks are ever increasing. Known attack scenarios can be
defined in advance, but what about the emerging and unknown threats in your
environment?

Microsoft Sentinel's ML-powered Fusion engine can help you find the emerging and
unknown threats in your environment by applying extended ML analysis and by
correlating a broader scope of anomalous signals, while keeping the alert
fatigue low.

The Fusion engine's ML algorithms constantly learn from existing attacks and
apply analysis based on how security analysts think. It can therefore discover
previously undetected threats from millions of anomalous behaviors across the
kill-chain throughout your environment, which helps you stay one step ahead of
the attackers.

Fusion for emerging threats supports data collection and analysis from the
following sources:

 * Out-of-the-box anomaly detections
 * Alerts from Microsoft products:
   * Azure Active Directory Identity Protection
   * Microsoft Defender for Cloud
   * Microsoft Defender for IoT
   * Microsoft 365 Defender
   * Microsoft Defender for Cloud Apps
   * Microsoft Defender for Endpoint
   * Microsoft Defender for Identity
   * Microsoft Defender for Office 365
 * Alerts from scheduled analytics rules, both built-in and those created by
   your security analysts. Analytics rules must contain kill-chain (tactics) and
   entity mapping information in order to be used by Fusion.

You don’t need to have connected all the data sources listed above in order to
make Fusion for emerging threats work. However, the more data sources you have
connected, the broader the coverage, and the more threats Fusion will find.
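The page states that scheduled analytics rules feed Fusion only when they carry both kill-chain (tactics) and entity mapping information. The following KQL query is an added example, not part of the Microsoft article, that an analyst can run in the Sentinel Logs blade to find scheduled rules whose recent alerts are missing either piece and are therefore ignored by Fusion. It assumes (not stated on the page) that alerts raised by Sentinel scheduled rules carry ProviderName "ASI Scheduled Alerts" in the SecurityAlert table and that the Entities column is a JSON-array string.

```kusto
// Added example (not from the Microsoft article): list scheduled analytics
// rules whose recent alerts lack tactics or mapped entities, because the page
// states Fusion only uses scheduled rules that carry both.
// Assumptions (not stated on the page): alerts from Sentinel scheduled rules
// have ProviderName == "ASI Scheduled Alerts"; Entities is a JSON-array string
// that parses to an empty array when no entity mapping is configured.
SecurityAlert
| where TimeGenerated > ago(30d)
| where ProviderName == "ASI Scheduled Alerts"
| extend HasTactics  = isnotempty(Tactics),
         HasEntities = coalesce(array_length(todynamic(Entities)), 0) > 0
| summarize
    AlertCount         = count(),
    AlertsWithTactics  = countif(HasTactics),
    AlertsWithEntities = countif(HasEntities),
    LastSeen           = max(TimeGenerated)
  by AlertName
// A rule is usable by Fusion only if every alert it raises carries both fields.
| extend FusionEligible = (AlertsWithTactics == AlertCount and AlertsWithEntities == AlertCount)
| where not(FusionEligible)
| project AlertName, AlertCount, AlertsWithTactics, AlertsWithEntities, LastSeen
| order by AlertCount desc
```

Rules returned here need their tactics and entity mappings added in the analytics rule wizard; once corrected, their future alerts become candidates for Fusion correlation. The 30-day window matches the training window the page mentions, but any lookback works.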

When the Fusion engine's correlations result in the detection of an emerging
threat, a high-severity incident titled “Possible multistage attack activities
detected by Fusion” is generated in the incidents table in your Microsoft
Sentinel workspace.


FUSION FOR RANSOMWARE

Microsoft Sentinel's Fusion engine generates an incident when it detects
multiple alerts of different types from the following data sources, and
determines that they may be related to ransomware activity:

 * Microsoft Defender for Cloud
 * Microsoft Defender for Endpoint
 * Microsoft Defender for Identity
 * Microsoft Defender for Cloud Apps
 * Microsoft Sentinel scheduled analytics rules. Fusion only considers scheduled
   analytics rules with tactics information and mapped entities.

Such Fusion incidents are named Multiple alerts possibly related to Ransomware
activity detected, and are generated when relevant alerts are detected during a
specific time-frame and are associated with the Execution and Defense Evasion
stages of an attack.

For example, Microsoft Sentinel would generate an incident for possible
ransomware activities if the following alerts are triggered on the same host
within a specific timeframe:

Alert                                  Source                                         Severity
Windows Error and Warning Events       Microsoft Sentinel scheduled analytics rules   informational
'GandCrab' ransomware was prevented    Microsoft Defender for Cloud                   medium
'Emotet' malware was detected          Microsoft Defender for Endpoint                informational
'Tofsee' backdoor was detected         Microsoft Defender for Cloud                   low
'Parite' malware was detected          Microsoft Defender for Endpoint                informational
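The page notes earlier that Fusion results land in the SecurityIncident table rather than SecurityAlert, and the ransomware table above shows that each incident is built from several alerts of different sources and severities. The KQL query below is an added example, not part of the Microsoft article, that retrieves recent Fusion incidents and expands them into their constituent alerts so the analyst sees the same alert / source / severity breakdown. It assumes (not stated on the page) that Sentinel incidents carry ProviderName "Azure Sentinel", that AlertIds is a JSON array of SystemAlertId values, and that SecurityIncident holds one row per incident update, so the latest row is selected with arg_max on LastModifiedTime.

```kusto
// Added example (not from the Microsoft article): pull Fusion incidents from
// SecurityIncident and join them to the alerts they were built from.
// Assumptions (not stated on the page): ProviderName == "Azure Sentinel" for
// Sentinel incidents; AlertIds is a JSON array of SystemAlertId values;
// SecurityIncident is append-only, so the newest snapshot per incident is
// picked with arg_max(LastModifiedTime, *).
let lookback = 7d;
let fusionIncidents =
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "Azure Sentinel"
    // Incident titles quoted on this page; adjust if your tenant's titles differ.
    | where Title has "detected by Fusion"
         or Title has "possibly related to Ransomware activity"
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber
    | project IncidentNumber, Title, IncidentSeverity = Severity, Status, AlertIds;
fusionIncidents
| mv-expand AlertIds
| extend AlertId = tostring(AlertIds)
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | project AlertId = SystemAlertId, AlertName, ProductName,
              AlertSeverity = Severity, Tactics
  ) on AlertId
// One row per (incident, alert): the same shape as the ransomware table above.
| project IncidentNumber, Title, IncidentSeverity, Status,
          AlertName, ProductName, AlertSeverity, Tactics
| order by IncidentNumber asc, AlertName asc
```

Because the constituent alerts can predate the incident, widen the SecurityAlert lookback if some AlertIds fail to join. The ProductName column identifies the source (Defender for Cloud, Defender for Endpoint, Azure Sentinel for scheduled rules), which is what distinguishes a genuine multi-source Fusion correlation from repeated alerts of one type.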


SCENARIO-BASED FUSION DETECTIONS

The following section lists the types of scenario-based multistage attacks,
grouped by threat classification, that Microsoft Sentinel detects using the
Fusion correlation engine.

In order to enable these Fusion-powered attack detection scenarios, their
associated data sources must be ingested to your Log Analytics workspace. Select
the links in the table below to learn about each scenario and its associated
data sources.

Note

Some of these scenarios are in PREVIEW. They will be so indicated.

Threat classification   Scenarios

Compute resource abuse
 * (PREVIEW) Multiple VM creation activities following suspicious Azure Active
   Directory sign-in

Credential access
 * (PREVIEW) Multiple passwords reset by user following suspicious sign-in
 * (PREVIEW) Suspicious sign-in coinciding with successful sign-in to Palo Alto
   VPN by IP with multiple failed Azure AD sign-ins

Credential harvesting
 * Malicious credential theft tool execution following suspicious sign-in
 * Suspected credential theft activity following suspicious sign-in

Crypto-mining
 * Crypto-mining activity following suspicious sign-in

Data destruction
 * Mass file deletion following suspicious Azure AD sign-in
 * (PREVIEW) Mass file deletion following successful Azure AD sign-in from
   IP blocked by a Cisco firewall appliance
 * (PREVIEW) Mass file deletion following successful sign-in to Palo Alto VPN
   by IP with multiple failed Azure AD sign-ins
 * (PREVIEW) Suspicious email deletion activity following suspicious Azure AD
   sign-in

Data exfiltration
 * (PREVIEW) Mail forwarding activities following new admin-account activity not
   seen recently
 * Mass file download following suspicious Azure AD sign-in
 * (PREVIEW) Mass file download following successful Azure AD sign-in from
   IP blocked by a Cisco firewall appliance
 * (PREVIEW) Mass file download coinciding with SharePoint file operation from
   previously unseen IP
 * Mass file sharing following suspicious Azure AD sign-in
 * (PREVIEW) Multiple Power BI report sharing activities following suspicious
   Azure AD sign-in
 * Office 365 mailbox exfiltration following a suspicious Azure AD sign-in
 * (PREVIEW) SharePoint file operation from previously unseen IP following
   malware detection
 * (PREVIEW) Suspicious inbox manipulation rules set following suspicious Azure
   AD sign-in
 * (PREVIEW) Suspicious Power BI report sharing following suspicious Azure AD
   sign-in

Denial of service
 * (PREVIEW) Multiple VM deletion activities following suspicious Azure AD
   sign-in

Lateral movement
 * Office 365 impersonation following suspicious Azure AD sign-in
 * (PREVIEW) Suspicious inbox manipulation rules set following suspicious Azure
   AD sign-in

Malicious administrative activity
 * Suspicious cloud app administrative activity following suspicious Azure AD
   sign-in
 * (PREVIEW) Mail forwarding activities following new admin-account activity not
   seen recently

Malicious execution with legitimate process
 * (PREVIEW) PowerShell made a suspicious network connection, followed by
   anomalous traffic flagged by Palo Alto Networks firewall
 * (PREVIEW) Suspicious remote WMI execution followed by
   anomalous traffic flagged by Palo Alto Networks firewall
 * Suspicious PowerShell command line following suspicious sign-in

Malware C2 or download
 * (PREVIEW) Beacon pattern detected by Fortinet following multiple failed user
   sign-ins to a service
 * (PREVIEW) Beacon pattern detected by Fortinet following suspicious Azure AD
   sign-in
 * (PREVIEW) Network request to TOR anonymization service followed by
   anomalous traffic flagged by Palo Alto Networks firewall
 * (PREVIEW) Outbound connection to IP with a history of unauthorized access
   attempts followed by anomalous traffic flagged by Palo Alto Networks
   firewall

Persistence
 * (PREVIEW) Rare application consent following suspicious sign-in

Ransomware
 * Ransomware execution following suspicious Azure AD sign-in

Remote exploitation
 * (PREVIEW) Suspected use of attack framework followed by
   anomalous traffic flagged by Palo Alto Networks firewall

Resource hijacking
 * (PREVIEW) Suspicious resource / resource group deployment by a previously
   unseen caller following suspicious Azure AD sign-in


NEXT STEPS

Get more information about Fusion advanced multistage attack detection:

 * Learn more about the Fusion scenario-based attack detections.
 * Learn how to configure the Fusion rules.

Now you've learned more about advanced multistage attack detection, you might be
interested in the following quickstart to learn how to get visibility into your
data and potential threats: Get started with Microsoft Sentinel.

If you're ready to investigate the incidents that are created for you, see the
following tutorial: Investigate incidents with Microsoft Sentinel.

© Microsoft 2023