{"id":90614,"date":"2020-02-20T06:00:43","date_gmt":"2020-02-20T14:00:43","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=90614"},"modified":"2023-05-15T23:29:00","modified_gmt":"2023-05-16T06:29:00","slug":"azure-sentinel-uncovers-real-threats-hidden-billions-low-fidelity-signals","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/02\/20\/azure-sentinel-uncovers-real-threats-hidden-billions-low-fidelity-signals\/","title":{"rendered":"Azure Sentinel uncovers the real threats hidden in billions of low fidelity signals"},"content":{"rendered":"
Cybercrime is as much a people problem as it is a technology problem. To respond effectively, the defender community must harness machine learning to complement the strengths of people. This is the philosophy that undergirds Azure Sentinel. Azure Sentinel is a cloud-native SIEM that exploits machine learning techniques to empower security analysts, data scientists, and engineers to focus on the threats that matter. You may have heard of similar solutions from other vendors, but the Fusion technology that powers Azure Sentinel sets this SIEM apart for three reasons:

You can get a sense of how powerful Fusion is by looking at data from December 2019. During that month, billions of events flowed into Azure Sentinel from thousands of Azure Sentinel customers. Nearly 50 billion anomalous alerts were identified and graphed. After Fusion applied the probabilistic kill chain, the graph was reduced to 110 subgraphs. A second level of machine learning reduced it further to just 25 actionable incidents. This is how Azure Sentinel reduces alert fatigue by 90 percent.

New Fusion scenarios: Microsoft Defender ATP + Palo Alto firewalls

There are currently 35 multi-stage attack scenarios generally available through Fusion machine learning technology in Azure Sentinel. Today, Microsoft has introduced several additional scenarios, in public preview, using Microsoft Defender Advanced Threat Protection (ATP) and Palo Alto logs. This way, you can leverage the power of Sentinel and Microsoft Threat Protection as complementary technologies for the best customer protection.

Here are a few examples:

An endpoint connects to the TOR network, followed by suspicious activity on the internal network: Microsoft Defender ATP detects that a user inside the network made a request to a TOR anonymization service. On its own, this incident would be low fidelity. It’s suspicious but doesn’t rise to the level of a high-level threat. Palo Alto firewalls register anomalous activity from the same IP address, but it isn’t risky enough to block. Separately, neither of these alerts gets elevated, but together they indicate a multi-stage attack. Fusion makes the connection and promotes it to a high-fidelity incident.

A PowerShell program on an endpoint connects to a suspicious IP address, followed by suspicious activity on the internal network: Microsoft Defender ATP generates an alert when a PowerShell program makes a suspicious network connection. If Palo Alto allows traffic from that IP address back into the network, Fusion ties the two incidents together to create a high-fidelity incident.

An endpoint connects to a suspicious IP, followed by anomalous activity on the internal network: If Microsoft Defender ATP detects an outbound connection to an IP with a history of unauthorized access and Palo Alto firewalls allow an inbound request from that same IP address, it’s elevated by Fusion.

How Fusion works

The process starts by collecting data from several data sources, such as Microsoft products, Microsoft security partner products, and other cloud providers. Each of those security products outputs anomalous activity, which together can number in the billions or trillions. Fusion gathers all the low- and medium-level alerts detected in a 30-day window and creates a graph. The graph is hyperconnected and consists of billions of vertices and edges. Each entity is represented by a vertex (or node). For example, a vertex could be a user, an IP address, a virtual machine (VM), or any other entity within the network. The edges (or links) represent all the activities. If a user accesses company resources with a mobile device, both the device and the user are represented as vertices connected by an edge.

Once the graph is built there are still billions of alerts, far too many for any security operations team to make sense of. However, within those connected alerts there may be a pattern that indicates something more serious. The human brain is just not equipped to isolate it quickly. This is where machine learning can make a real difference.

Fusion applies a probabilistic kill chain, which acts as a regularizer on the graph. The statistical analysis is based on how real people (Microsoft security experts, vendors, and customers) triage alerts. For example, defenders prioritize kill chains that are time bound. If a kill chain is executed within a day, it will take precedence over one that is enacted over a few days. An even higher priority kill chain is one in which all steps have been completed. This intelligence is encoded into the Fusion machine learning statistical model. Once the probabilistic kill chain is applied, Fusion outputs a smaller number of subgraphs, reducing the number of threats from billions to hundreds.

To reduce the noise further, Fusion uses machine learning to apply a final round of scoring. If labeled data exists, Fusion uses random forests. Labeled data for attacks is generated by the extensive Azure red team that executes these scenarios. If labeled data doesn’t exist, Fusion uses spectral clustering.

Some of the criteria used to elevate threats include the number of high-impact activities in the graph and whether the subgraph connects to another subgraph.

The output of this machine learning process is tens of threats. These are extremely high priority alerts that require immediate action. Without Fusion, these alerts would likely remain hidden from view, since they can only be seen after two or more low-level threats are stitched together to shine a light on stealthy activities. AI-generated alerts can now be handed off to people who will determine how to respond.

The great promise of AI in cybersecurity is its ability to enable your cybersecurity people to stay one step ahead of the humans on the other side. AI-backed Fusion is just one example of the innovative potential of partnering technology and people to take on the threats of today and tomorrow.

Learn more

Read more about Azure Sentinel and dig into all the Azure Sentinel detection scenarios.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
","protected":false},"excerpt":{"rendered":"Azure Sentinel Fusion technology uses powerful machine learning methods to enable your SecOps team to focus on the threats that matter.","protected":false},"author":96,"featured_media":90637,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3662],"topic":[3685,3688],"products":[3726],"threat-intelligence":[],"tags":[],"coauthors":[2253],"class_list":["post-90614","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-news","topic-siem-and-xdr","topic-threat-trends","products-microsoft-sentinel"],"yoast_head":"\n\n