updates from Ram

cabailey · cabailey · commit 447e39a8cf86 · 2019-09-20T14:23:40.000-07:00
diff --git a/articles/sentinel/fusion.md b/articles/sentinel/fusion.md
@@ -44,17 +44,19 @@ Rule templates are not applicable for the advanced multistage attack detection.
 
 Using advanced multistage attack detection, Azure Sentinel supports the following scenarios that combine anomaly events from Azure Active Directory Identity Protection and Microsoft Cloud App Security:
 
-- [Impossible travel to atypical location](#impossible-travel-to-atypical-location)
-- [Sign-in activity for unfamiliar location](#sign-in-activity-for-unfamiliar-location)
-- [Sign-in activity from infected device](#sign-in-activity-from-infected-device)
-- [Sign-in activity from anonymous IP address](#sign-in-activity-from-anonymous-ip-address)
-- [Sign-in activity from user with leaked credentials](#sign-in-activity-from-user-with-leaked-credentials)
+- [Impossible travel to atypical location followed by anomalous Office 365 activity](#impossible-travel-to-atypical-location)
+- [Sign-in activity for unfamiliar location followed by anomalous Office 365 activity](#sign-in-activity-for-unfamiliar-location)
+- [Sign-in activity from infected device followed by anomalous Office 365 activity](#sign-in-activity-from-infected-device)
+- [Sign-in activity from anonymous IP address followed by anomalous Office 365 activity](#sign-in-activity-from-anonymous-ip-address)
+- [Sign-in activity from user with leaked credentials followed by anomalous Office 365 activity](#sign-in-activity-from-user-with-leaked-credentials)
 
 You must have the [Azure AD Identity Protection data connector](connect-azure-ad-identity-protection.md) and the [Cloud App Security](connect-cloud-app-security.md) connectors configured.
 
 In the descriptions that follow, Azure Sentinel will display the actual value from your data that is represented on this page as variables in brackets. For example, the actual display name of an account rather than \<*account name*>, and the actual number rather than \<*number*>.
 
-### Impossible travel to atypical location
+### Impossible travel to atypical location followed by anomalous Office 365 activity
+
+There are seven possible Azure Sentinel incidents that combine impossible travel to atypical location alerts from Azure Identity Protection and anomalous Office 365 alerts generated by Microsoft Cloud App Security.
 
 - **Impossible travel to atypical locations leading to Office 365 mailbox exfiltration**
     
@@ -101,7 +103,9 @@ In the descriptions that follow, Azure Sentinel will display the actual value fr
     This activity pattern is indicative of a potential ransomware attack.
 
 
-### Sign-in activity for unfamiliar location
+### Sign-in activity for unfamiliar location followed by anomalous Office 365 activity
+
+There are seven possible Azure Sentinel incidents that combine sign-in activity for unfamiliar location alerts from Azure Identity Protection and anomalous Office 365 alerts generated by Microsoft Cloud App Security.
 
 - **Sign-in event from an unfamiliar location leading to Exchange Online mailbox exfiltration**
     
@@ -147,7 +151,9 @@ In the descriptions that follow, Azure Sentinel will display the actual value fr
     
     This activity pattern is indicative of a potential ransomware attack.
 
-### Sign-in activity from infected device
+### Sign-in activity from infected device followed by anomalous Office 365 activity
+
+There are seven possible Azure Sentinel incidents that combine sign-in activity from infected device alerts from Azure Identity Protection and anomalous Office 365 alerts generated by Microsoft Cloud App Security.
 
 - **Sign-in event from an infected device leading to Office 365 mailbox exfiltration**
     
@@ -193,7 +199,9 @@ In the descriptions that follow, Azure Sentinel will display the actual value fr
     
     This activity pattern is indicative of a potential ransomware attack.
 
-### Sign-in activity from anonymous IP address
+### Sign-in activity from anonymous IP address followed by anomalous Office 365 activity
+
+There are seven possible Azure Sentinel incidents that combine sign-in activity from anonymous IP address alerts from Azure Identity Protection and anomalous Office 365 alerts generated by Microsoft Cloud App Security.
 
 - **Sign-in event from an anonymous IP address leading to Office 365 mailbox exfiltration**
     
@@ -239,7 +247,9 @@ In the descriptions that follow, Azure Sentinel will display the actual value fr
     
     This activity pattern is indicative of a potential ransomware attack.
 
-### Sign-in activity from user with leaked credentials
+### Sign-in activity from user with leaked credentials followed by anomalous Office 365 activity
+
+There are seven possible Azure Sentinel incidents that combine sign-in activity from user with leaked credentials alerts from Azure Identity Protection and anomalous Office 365 alerts generated by Microsoft Cloud App Security.
 
 - **Sign-in event from User with leaked credentials leading to Office 365 mailbox exfiltration**
     
