{"id":1547,"date":"2019-03-19T00:00:00","date_gmt":"2019-03-19T00:00:00","guid":{"rendered":"https:\/\/azure.microsoft.com\/blog\/reducing-security-alert-fatigue-using-machine-learning-in-azure-sentinel"},"modified":"2025-06-18T07:25:26","modified_gmt":"2025-06-18T14:25:26","slug":"reducing-security-alert-fatigue-using-machine-learning-in-azure-sentinel","status":"publish","type":"post","link":"https:\/\/azure.microsoft.com\/en-us\/blog\/reducing-security-alert-fatigue-using-machine-learning-in-azure-sentinel\/","title":{"rendered":"Reducing security alert fatigue using machine learning in Azure Sentinel"},"content":{"rendered":"\n

Last week we launched Azure Sentinel<\/a>, a cloud native SIEM tool. Machine learning (ML) in Azure Sentinel is built-in right from the beginning. We have thoughtfully designed the system with ML innovations aimed to make security analysts, security data scientists, and engineers productive. The focus is to reduce alert fatigue and offer ML toolkits tailored to the security community. The three ML pillars in Azure Sentinel include Fusion, built-in ML, build your own ML.<\/p>\n\n\n\n

Fusion<\/h2>\n\n\n\n

Alert fatigue is real. Security analysts face a huge burden of triage as they not only have to sift through a sea of alerts, but also correlate alerts from different products manually or using a traditional correlation engine.<\/p>\n\n\n\n

Our Fusion technology, currently in public preview, uses state of the art scalable learning algorithms to correlate millions of lower fidelity anomalous activities into tens of high fidelity cases. Azure Sentinel integrates with Microsoft 365 solution and correlates millions of signals from different products such as Azure Identity Protection, Microsoft Cloud App Security, and soon Azure Advanced Threat Protection, Windows Advanced Threat Protection, O365 Advanced Threat Protection, Intune, and Azure Information Protection. You can learn how to turn Fusion on by visiting our documentation, \u201cEnable Fusion<\/a>.\u201d<\/p>\n\n\n\n

\"Screenshot<\/figure>\n\n\n\n

Fusion combines yellow alerts, which themselves may not be actionable, into high fidelity security interesting red cases<\/strong>. We look at disparate products to produce actionable incidents so as to reduce the false positive rate. From our measurement with external customers and internal evaluation, we have a median 90 percent reduction in alert fatigue<\/strong>. This is possible because Fusion can detect complex, multi-stage attacks and differs from traditional correlation engines in the following ways:<\/p>\n\n\n\n


Traditional correlation engines<\/strong><\/p><\/td>


Fusion<\/strong><\/p><\/td><\/tr>


Assume that the attacker takes only one path to attain their goal.<\/p><\/td>


Iterative attack simulation – <\/b>Fusion encodes uncertainty with paths\/stages by simulating different attack paths using an iterative arkov chain Monte Carlo simulations.<\/p><\/td><\/tr>


Assumes the attacker follows a static kill chain, as the attack path is executed.<\/p><\/td>


Probabilistic cloud kill chain \u2013 <\/b>Fusion constantly updates the probability of moving to the next step in kill chain through a custom defined prior probability function.<\/p><\/td><\/tr>


Assumes that all the information is present in the logs to catch the attacker.<\/p><\/td>


Using advances in graphical methods <\/strong>\u2013 we encode uncertainty in completeness\/connectivity of information in the kill chain helping us to detect novel attacks.<\/p><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

In the above screenshot, one can see that the Fusion case, and the two composite alerts that went into it.<\/p>\n\n\n\n

Organizations are currently using Fusion for the following scenarios to compound anomalies from Identity Protection and Microsoft Cloud App Security products<\/strong>.<\/p>\n\n\n\n