Azure Sentinel News
What’s new: New Fusion detections and BYOML in public preview!

by Azure Sentinel News Editor
December 18, 2020
in SIEM

This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

This blog is a collaboration between myself and my colleague, Sreedhar Ande.

What truly sets Azure Sentinel apart from other SIEM tools or other security solutions in the market is the extensive use of machine learning to fuel built-in analytics and custom machine learning models. These capabilities are the culmination of decades of research and experience protecting Microsoft services at massive scale by Microsoft security experts. As you might already be aware, Microsoft Ignite 2020 announcements highlighted some of the most recent innovations in this space.

We are delighted to announce that 32 new Fusion detections and the Build Your Own Machine Learning framework are now available in public preview! Below is a recap of what these features are and how they work.

Fusion Detections

What is Fusion technology in Azure Sentinel?

Using machine learning, Fusion detections combine low- and medium-severity alerts from Microsoft and 3rd-party security products into high-severity incidents. By design, these incidents are low-volume, high-fidelity, and high-severity. Here is an example of what a Fusion incident looks like in the Azure Sentinel portal.

The main goals of Fusion detections can be summarized into two points.

  • Fusion detects threats that fly under the radar: Azure Sentinel can automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be difficult to catch.
  • Alert fatigue reduction: Fusion incorporates graph-based machine learning and a probabilistic kill chain to reduce alert fatigue by 90 percent.

For more details on how Fusion technology works behind the scenes, please check out this excellent article by our colleague, Ram Shankar Siva Kumar.

What are the new Fusion detections?

Our Fusion team recently released 32 new Fusion detections in public preview, reaching a total of 70 Fusion incident types which are turned on by default in Azure Sentinel. These additional detections fall into eight scenario types.

MDATP + Palo Alto Networks firewall:

  1. Suspicious remote WMI execution followed by anomalous traffic flagged by Palo Alto Networks firewall
  2. Suspected use of attack framework followed by anomalous traffic flagged by Palo Alto Networks firewall

AAD IP + MCAS:

  1. Suspicious inbox manipulation rules set following suspicious Azure AD sign-in (5 distinct detections)
  2. Multiple VM creation activities following suspicious Azure Active Directory sign-in (5 distinct detections)
  3. Multiple VM delete activities following suspicious Azure AD sign-in (5 distinct detections)
  4. Suspicious email deletion activity following suspicious Azure AD sign-in (5 distinct detections)
  5. Multiple Power BI report sharing activities following suspicious Azure AD sign-in (5 distinct detections)
  6. Suspicious Power BI report sharing following suspicious Azure AD sign-in (5 distinct detections)
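As an added illustration that is not Fusion's actual algorithm (which is graph-based ML with a probabilistic kill chain) nor any Microsoft code, the following Python sketch shows the correlation idea behind a scenario such as "Suspicious inbox manipulation rules set following suspicious Azure AD sign-in": per-user low- and medium-severity alerts from different products are promoted to a single high-severity incident only when they occur in kill-chain order inside a time window. The alerts, stage names and window are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real Sentinel data): low/medium severity
# signals from two products, each attributed to the user it concerns.
ALERTS = [
    {"time": "2020-12-18T09:00:00", "product": "AAD Identity Protection", "user": "alice",
     "stage": "InitialAccess", "name": "Anonymous IP sign-in", "severity": "Medium"},
    {"time": "2020-12-18T09:25:00", "product": "MCAS", "user": "alice",
     "stage": "Persistence", "name": "Suspicious inbox manipulation rule", "severity": "Low"},
    {"time": "2020-12-18T11:00:00", "product": "MCAS", "user": "bob",
     "stage": "Persistence", "name": "Suspicious inbox manipulation rule", "severity": "Low"},
    {"time": "2020-12-17T08:00:00", "product": "AAD Identity Protection", "user": "carol",
     "stage": "InitialAccess", "name": "Unfamiliar sign-in properties", "severity": "Medium"},
    {"time": "2020-12-18T12:00:00", "product": "MCAS", "user": "carol",
     "stage": "Persistence", "name": "Multiple VM creation activities", "severity": "Low"},
]

# Kill-chain ordering used by this toy model (assumed, two stages only).
STAGE_ORDER = ["InitialAccess", "Persistence"]
WINDOW = timedelta(hours=24)  # assumed correlation window


def fuse_incidents(alerts, window=WINDOW):
    """Return high-severity incidents for users whose individual alerts cover
    every stage in STAGE_ORDER, in chain order, within `window` of the first."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append(dict(a, ts=datetime.fromisoformat(a["time"])))
    incidents = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for first in (e for e in evs if e["stage"] == STAGE_ORDER[0]):
            chain = [first]
            for stage in STAGE_ORDER[1:]:
                # Next stage must happen after the previous link, inside the window.
                nxt = next((e for e in evs if e["stage"] == stage
                            and chain[-1]["ts"] < e["ts"] <= first["ts"] + window), None)
                if nxt is None:
                    break
                chain.append(nxt)
            if len(chain) == len(STAGE_ORDER):
                incidents.append({
                    "user": user, "severity": "High",
                    # Title follows the "<later> following <earlier>" naming used above.
                    "title": " following ".join(e["name"] for e in reversed(chain)),
                    "products": sorted({e["product"] for e in chain}),
                    "alerts": [e["name"] for e in chain],
                })
    return incidents
```

Bob has no sign-in alert and Carol's two alerts are 28 hours apart, so only Alice's pair is fused; the isolated low-severity alerts stay as they are instead of becoming incidents.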

How to enable and use Fusion detections

Under the Analytics blade in the Azure Sentinel portal, in your Active Rules view, a built-in rule of the Fusion rule type named “Advanced Multistage Attack Detection” is enabled by default for all Sentinel workspaces. You have the option to disable the rule at any time. There is no extra cost to use this detection rule on top of the normal data ingestion and storage cost. All the rule needs in order to work is that your data connectors are configured and data is ingested correctly. To see which data connector sources are required for each Fusion incident type, please refer to the documentation.

To get step-by-step instructions about Fusion in Azure Sentinel, please refer to our documentation, which has been revamped with updated detection descriptions, now includes MITRE ATT&CK Tactics and Techniques, and is now organized by threat classifications for easier navigation.

Build Your Own Machine Learning (BYO-ML)

Many security organizations understand the value of machine learning for security, though not many of them have the luxury of professionals who have expertise in both security and ML. We designed the framework Build-Your-Own ML (BYO-ML) for security organizations and professionals to grow with us in their ML journey. Organizations new to ML, or without the necessary expertise, can get significant protection value out of Azure Sentinel’s built-in ML capabilities.

ML detection models can adapt to individual environments and to changes in user behavior, to reduce false positives and identify threats that would not be found with a traditional approach. Azure Sentinel makes it easier for data scientists in these organizations to unlock these insights with a BYO-ML framework.

What is the Build Your Own Machine Learning (BYO-ML) platform?

For organizations that have ML resources and would like to build customized ML models for their unique business needs, we offer the BYO-ML platform. The platform makes use of the Azure Databricks/Apache Spark environment and Jupyter Notebooks to produce the ML environment. It provides the following components:

  • A BYO-ML package, which includes libraries to help you access data and push the results back to Log Analytics (LA), so you can integrate the results with your detection, investigation, and hunting.
  • ML algorithm templates for you to customize to fit specific security problems in your organization.
  • Sample notebooks to train the model and schedule the model scoring.

Besides all this, you can bring your own ML models, and/or your own Spark environment, to integrate with Azure Sentinel.

For more details on the BYO-ML platform, please check out this excellent blog by our colleague, Andi Comisioneru. For supported use cases, please refer to the documentation.

How to use Build Your Own Machine Learning (BYO-ML) platform

To build custom ML models on your data, you have two options.

  1. For smaller amounts of data, like alerts and anomalies, you can use Azure ML to run models hosted in the Azure Sentinel Notebooks (new menu option currently in Preview). Azure Machine Learning offers Intellisense for improved ease of use, support for existing Jupyter and JupyterLab experiences, as well as point-in-time notebook snapshots and a notebook file explorer for easy notebook collaboration. Dedicated compute and multiple pricing options provide increased flexibility and control. Built-in security analytics via MSTICPy and Jupyter notebook templates help you get started.

  Note: To use the Notebooks, you must first create an Azure Machine Learning (ML) workspace. For step-by-step instructions on how to create one, please refer to the documentation.

  2. For development and operationalization of models built on larger data, like analyzing feeds of raw data, you will need to make this data accessible to the ML model in Azure Databricks.

Apache Spark™ provides a unified environment for building big data pipelines. Azure Databricks builds on this environment, providing a zero-management cloud platform that gives data analysts what they need to develop their custom ML-based security analysis.

You can either bring your raw data directly to the Azure Databricks ML environment, via Event Hub or Azure Blobs, or you can use the capabilities provided with Azure Sentinel to export the data from Azure Sentinel Log Analytics tables. Regardless of the export method used for raw data, you can use the libraries provided by the BYO-ML framework to import the ML model's scores back into Sentinel Log Analytics tables for further processing and creating incidents.

You can either set up a new Azure Databricks environment or use one already set up for other purposes. To set up a new Databricks environment, please refer to the quickstart document (note that MMLSpark, used by our algorithm, requires Spark 2.4.5).

On the Azure Sentinel roadmap, we plan to support Azure Synapse in addition to Azure Databricks as a BYO-ML development environment.

Get started today!

We encourage you to explore these machine learning innovations in Azure Sentinel to detect threats and protect your organization from them.

Try it out, and let us know what you think!

You can also contribute new Notebooks in Azure Sentinel. Get started now by joining the Azure Sentinel BYOML GitHub community.

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-new-fusion-detections-and-byoml-in-public-preview/ba-p/1765990

Copyright © 2020 - Azure Sentinel News