Configure multistage attack detection (Fusion) rules in Microsoft Sentinel

Important

The new version of the Fusion analytics rule is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Note

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Microsoft Sentinel generates incidents that would otherwise be difficult to catch. These incidents comprise two or more alerts or activities. By design, these incidents are low-volume, high-fidelity, and high-severity.

Customized for your environment, this detection technology not only reduces false positive rates but can also detect attacks with limited or missing information.

Configure Fusion rules

This detection is enabled by default in Microsoft Sentinel. To check or change its status, use the following instructions:

1. Sign in to the Azure portal and enter Microsoft Sentinel.

2. From the Microsoft Sentinel navigation menu, select Analytics.

3. Select the Active rules tab, and then locate Advanced Multistage Attack Detection in the NAME column by filtering the list for the Fusion rule type. Check the STATUS column to confirm whether this detection is enabled or disabled.

   

4. To change the status, select this entry and on the Advanced Multistage Attack Detection preview pane, select Edit.

5. In the General tab of the Analytics rule wizard, note the status (Enabled/Disabled), or change it if you want.

   If you changed the status but have no further changes to make, select the Review and update tab and select Save.

   To further configure the Fusion detection rule, select Next: Configure Fusion.

   

6. Configure source signals for Fusion detection: we recommend you include all the listed source signals, with all severity levels, for the best result. By default they are already all included, but you have the option to make changes in the following ways:

   Note

   If you exclude a particular source signal or an alert severity level, any Fusion detections that rely on signals from that source, or on alerts matching that severity level, will not be triggered.

   • Exclude signals from Fusion detections, including anomalies, alerts from various providers, and raw logs.

     Use case: if you are testing a specific signal source known to produce noisy alerts, you can temporarily turn off the signals from that particular signal source for Fusion detections.

   • Configure alert severity for each provider: by design, the Fusion ML model correlates low fidelity signals into a single high severity incident based on anomalous signals across the kill-chain from multiple data sources. Alerts included in Fusion are generally lower severity (medium, low, informational), but occasionally relevant high severity alerts are included.

     Use case: If you have a separate process for triaging and investigating high severity alerts and would prefer not to have these alerts included in Fusion, you can configure the source signals to exclude high severity alerts from Fusion detections.

   • Exclude specific detection patterns from Fusion detection. Certain Fusion detections may not be applicable to your environment, or may be prone to generating false positives. If you’d like to exclude a specific Fusion detection pattern, follow the instructions below:

     1. Locate and open a Fusion incident of the kind you want to exclude.

     2. In the Description section, select Show more.

     3. Under Exclude this specific detection pattern, select exclusion link, which redirects you to the Configure Fusion tab in the analytics rule wizard.

        

     On the Configure Fusion tab, you'll see the detection pattern - a combination of alerts and anomalies in a Fusion incident - has been added to the exclusion list, along with the time when the detection pattern was added.

     You can remove an excluded detection pattern any time by selecting the trashcan icon on that detection pattern.

     

     Incidents that match excluded detection patterns will still be triggered, but they will not show up in your active incidents queue. They will be auto-populated with the following values:

     • Status: "Closed"

     • Closing classification: “Undetermined”

     • Comment: “Auto closed, excluded Fusion detection pattern”

     • Tag: “ExcludedFusionDetectionPattern” - you can query on this tag to view all incidents matching this detection pattern.

       

Note

Microsoft Sentinel currently uses 30 days of historical data to train the machine learning systems. This data is always encrypted using Microsoft’s keys as it passes through the machine learning pipeline. However, the training data is not encrypted using Customer-Managed Keys (CMK) if you enabled CMK in your Microsoft Sentinel workspace. To opt out of Fusion, navigate to Microsoft Sentinel > Configuration > Analytics > Active rules, right-click on the Advanced Multistage Attack Detection rule, and select Disable.

Configure scheduled analytics rules for Fusion detections

Important

• Fusion-based detection using analytics rule alerts is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Fusion can detect scenario-based multi-stage attacks and emerging threats using alerts generated by scheduled analytics rules. We recommend you take the following steps to configure and enable these rules, so that you can get the most out of Microsoft Sentinel's Fusion capabilities.

1. Fusion for emerging threats can use alerts generated by any scheduled analytics rules, both built-in and those created by your security analysts, that contain kill-chain (tactics) and entity mapping information. To ensure that an analytics rule's output can be used by Fusion to detect emerging threats:

   • Review entity mapping for these scheduled rules. Use the entity mapping configuration section to map parameters from your query results to Microsoft Sentinel-recognized entities. Because Fusion correlates alerts based on entities (such as user account or IP address), its ML algorithms cannot perform alert matching without the entity information.

   • Review the tactics and techniques in your analytics rule details. The Fusion ML algorithm uses MITRE ATT&CK information for detecting multi-stage attacks, and the tactics and techniques you label the analytics rules with will show up in the resulting incidents. Fusion calculations may be affected if incoming alerts are missing tactic information.

2. Fusion can also detect scenario-based threats using rules based on the following scheduled analytics rule templates.

   To enable the queries available as templates in the Analytics blade, go to the Rule templates tab, select the rule name in the templates gallery, and click Create rule in the details pane.

   • Cisco - firewall block but success logon to Microsoft Entra ID
   • Fortinet - Beacon pattern detected
   • IP with multiple failed Microsoft Entra logins successfully logs in to Palo Alto VPN
   • Multiple Password Reset by user
   • Rare application consent
   • SharePointFileOperation via previously unseen IPs
   • Suspicious Resource deployment
   • Palo Alto Threat signatures from Unusual IP addresses

   To add queries that are not currently available as a rule template, see Create a custom analytics rule from scratch.

   • New Admin account activity seen which was not seen historically

   For more information, see Fusion Advanced Multistage Attack Detection Scenarios with Scheduled Analytics Rules.

   Note

   For the set of scheduled analytics rules used by Fusion, the ML algorithm does fuzzy matching for the KQL queries provided in the templates. Renaming the templates will not impact Fusion detections.

Next steps

Learn more about Fusion detections in Microsoft Sentinel.

Learn more about the many scenario-based Fusion detections.

Now you've learned more about advanced multistage attack detection, you might be interested in the following quickstart to learn how to get visibility into your data and potential threats: Get started with Microsoft Sentinel.

If you're ready to investigate the incidents that are created for you, see the following tutorial: Investigate incidents with Microsoft Sentinel.