Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Microsoft Sentinel generates incidents that would otherwise be difficult to catch. These incidents comprise two or more alerts or activities. By design, these incidents are low-volume, high-fidelity, and high-severity.
16
+
Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. Based on these discoveries, Microsoft Sentinel generates incidents that would otherwise be difficult to catch. These incidents comprise two or more alerts or activities. By design, these incidents are low-volume, high-fidelity, and high-severity.
17
17
18
18
Customized for your environment, this detection technology not only reduces [false positive](false-positives.md) rates but can also detect attacks with limited or missing information.
19
19
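Review bot: Style only, and an improvement: "Based on these discoveries" is shorter than "On the basis of these discoveries" and the substance of the sentence (Fusion correlates anomalies across kill-chain stages into low-volume, high-fidelity, high-severity incidents) is untouched. One consistency point while this paragraph is open: it spells "multistage" without a hyphen, while the tactics-and-techniques bullet later in the same file (the hunk starting at line 99) writes "multi-stage"; pick one form across the article.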
@@ -54,7 +54,7 @@ This detection is enabled by default in Microsoft Sentinel. To check or change i
54
54
55
55
56
56
57
-
-**Exclude specific detection patterns from Fusion detection**. Certain Fusion detections may not be applicable to your environment, or may be prone to generating false positives. If you’d like to exclude a specific Fusion detection pattern, follow the instructions below:
57
+
-**Exclude specific detection patterns from Fusion detection**. Certain Fusion detections might not be applicable to your environment, or might be prone to generating false positives. If you’d like to exclude a specific Fusion detection pattern, follow the instructions below:
58
58
59
59
1. Locate and open a Fusion incident of the kind you want to exclude.
60
60
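Review bot: The "may" to "might" swap is correct for the possibility sense ("might be prone to generating false positives") and matches the house style the other hunks in this change apply, so this is consistent. Two small suggestions for the same changed line: "follow the instructions below" can become "follow these steps", since what follows is the numbered procedure beginning "1. Locate and open a Fusion incident of the kind you want to exclude."; and the curly apostrophe in "you’d" should be the straight one used elsewhere in these files.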
@@ -64,9 +64,9 @@ This detection is enabled by default in Microsoft Sentinel. To check or change i
64
64
65
65
:::image type="content" source="media/configure-fusion-rules/exclude-fusion-incident.png" alt-text="Screenshot of Fusion incident. Select the exclusion link.":::
66
66
67
-
On the **Configure Fusion** tab, you'll see the detection pattern - a combination of alerts and anomalies in a Fusion incident - has been added to the exclusion list, along with the time when the detection pattern was added.
67
+
On the **Configure Fusion** tab, you see that the detection pattern—a combination of alerts and anomalies in a Fusion incident—has been added to the exclusion list, along with the time when the detection pattern was added.
68
68
69
-
You can remove an excluded detection pattern any time by selecting the trashcan icon on that detection pattern.
69
+
You can remove an excluded detection pattern at any time by selecting the trashcan icon on that detection pattern.
70
70
71
71
:::image type="content" source="media/configure-fusion-rules/exclusion-patterns-list.png" alt-text="Screenshot of list of excluded detection patterns.":::
72
72
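Review bot: "you'll see" to "you see" and "any time" to "at any time" are fine present-tense and grammar fixes; replacing the spaced hyphens around "a combination of alerts and anomalies in a Fusion incident" with closed em dashes is the right punctuation for a parenthetical. One thing to address in the unchanged context of this hunk: the alt text on the first screenshot reads "Screenshot of Fusion incident. Select the exclusion link.", which mixes an image description with an instruction. Alt text should describe what is shown (for example "Screenshot of a Fusion incident showing the exclusion link") and the instruction belongs in the step text above it.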
@@ -99,11 +99,11 @@ This detection is enabled by default in Microsoft Sentinel. To check or change i
99
99
100
100
- Review **entity mapping** for these scheduled rules. Use the [entity mapping configuration section](map-data-fields-to-entities.md) to map parameters from your query results to Microsoft Sentinel-recognized entities. Because Fusion correlates alerts based on entities (such as *user account* or *IP address*), its ML algorithms cannot perform alert matching without the entity information.
101
101
102
-
- Review the **tactics and techniques** in your analytics rule details. The Fusion ML algorithm uses [MITRE ATT&CK](https://attack.mitre.org/) information for detecting multi-stage attacks, and the tactics and techniques you label the analytics rules with will show up in the resulting incidents. Fusion calculations may be affected if incoming alerts are missing tactic information.
102
+
- Review the **tactics and techniques** in your analytics rule details. The Fusion ML algorithm uses [MITRE ATT&CK](https://attack.mitre.org/) information for detecting multi-stage attacks, and the tactics and techniques you label the analytics rules with will show up in the resulting incidents. Fusion calculations might be affected if incoming alerts are missing tactic information.
103
103
104
104
1. Fusion can also detect scenario-based threats using rules based on the following **scheduled analytics rule templates**.
105
105
106
-
To enable the queries available as templates in the **Analytics**blade, go to the **Rule templates** tab, select the rule name in the templates gallery, and click**Create rule** in the details pane.
106
+
To enable the queries available as templates in the **Analytics**page, go to the **Rule templates** tab, select the rule name in the templates gallery, and select**Create rule** in the details pane.
107
107
108
108
-[Cisco - firewall block but success logon to Microsoft Entra ID](https://github.com/Azure/Azure-Sentinel/blob/60e7aa065b196a6ed113c748a6e7ae3566f8c89c/Detections/MultipleDataSources/SigninFirewallCorrelation.yaml)
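Review bot: The "may" to "might" edit on the tactics-and-techniques bullet is fine, but the adjacent changed line still renders incorrectly: there is no space between `**Analytics**` and `page`, nor between `select` and `**Create rule**`, so Markdown will emit "Analyticspage" and "selectCreate rule". Suggested replacement for that line: `To enable the queries available as templates in the **Analytics** page, go to the **Rule templates** tab, select the rule name in the templates gallery, and select **Create rule** in the details pane.` Also, the entity-mapping bullet in this hunk uses "cannot" while the rest of the change moves toward contractions; "can't" would be consistent. The hunk's last visible line, beginning "-[Cisco - firewall block but success logon to Microsoft Entra ID", appears cut off in this view, so confirm the list item and its link are intact in the final file.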
articles/sentinel/scheduled-rules-overview.md (1 addition & 1 deletion)
@@ -195,7 +195,7 @@ The analytics rule wizard allows you to test its efficacy by running it on the c
195
195
196
196
Here's what the results simulation might look like for the query in the screenshot above. The left side is the default view, and the right side is what you see when you hover over a point in time on the graph.
:::image type="content" source="media/create-analytics-rules/results-simulation.png" alt-text="Screenshots of results simulations.":::
199
199
200
200
If you see that your query would trigger too many or too-frequent alerts, you can experiment with the scheduling and threshold settings and run the simulation again.
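Review bot: The rendered view of this hunk does not show a removed/added pair, so the one-line change at lines 197 to 198 cannot be verified from what is visible here; please check the source diff before merging. In the visible context, "too many or too-frequent alerts" hyphenates "too-frequent" unnecessarily; "too many or too frequent alerts" reads correctly, since "too frequent" is a predicate phrase rather than a compound modifier.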