Azure – Enable Fusion for Azure Sentinel

With the launch of Azure Sentinel, the cloud SIEM solution from Microsoft, additional capabilities are being added to help improve awareness and security of your infrastructure, both on-premises and online.

This can lead to a flood of alert notifications, which in turn makes it harder to see the full picture of a potential incident.

To help with this, machine learning is used to aggregate and analyse the information.

You can now further reduce this ‘alert fatigue’ by using Fusion (currently in preview).

Fusion uses graph-powered machine learning algorithms to correlate millions of lower-fidelity anomalous activities from different products, such as Azure AD Identity Protection and Microsoft Cloud App Security, and combine them into a manageable number of interesting security cases.

To enable it, log on to your Azure portal (https://portal.azure.com) and open the Cloud Shell (or you can use the Azure CLI client instead).


If you have not yet configured your tenant to use Cloud Shell, you will be asked to create a storage account.

Then type the following commands to use the Azure CLI and enable Fusion. You will need your subscription GUID and the resource group and name of your Log Analytics workspace:

az

az resource update --ids /subscriptions/<replace with your subscription ID>/resourceGroups/<replace with your Log Analytics resource group>/providers/Microsoft.OperationalInsights/workspaces/<replace with your Log analytics name>/providers/Microsoft.SecurityInsights/settings/Fusion --api-version 2019-01-01-preview --set properties.IsEnabled=true --subscription "<replace with your subscription ID>"


If you get a result in JSON format, Fusion has been enabled; otherwise look at the error message and fix the issue.

You can also use the command below to view the current state of the Fusion setting:

az resource show --ids /subscriptions/<replace with your subscription ID>/resourceGroups/<replace with your Log Analytics resource group>/providers/Microsoft.OperationalInsights/workspaces/<replace with your Log analytics name>/providers/Microsoft.SecurityInsights/settings/Fusion --api-version 2019-01-01-preview --subscription "<replace with your subscription ID>"
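The two commands above, wrapped into a small POSIX shell script as an added example (not part of the original post): it builds the Fusion setting resource ID from its three parts, runs the update, then reads the setting back and checks the enabled flag instead of relying on "some JSON came back". It assumes the show result carries the state as properties.isEnabled (the key name is inferred from the update command, so the parser also accepts IsEnabled); the subscription, resource group and workspace names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes the "az resource show"
# result exposes the state as properties.isEnabled (or IsEnabled).

# Build the ARM resource ID of the Fusion setting for one Log Analytics workspace.
fusion_setting_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s/providers/Microsoft.SecurityInsights/settings/Fusion' \
    "$1" "$2" "$3"
}

# Extract the enabled flag from an "az resource show" JSON result.
# Prints "true", "false", or "unknown" when the field is not present.
fusion_enabled_from_json() {
  json=$(printf '%s' "$1" | tr -d ' \n\t')   # drop whitespace so key:value is contiguous
  case "$json" in
    *'"isEnabled":true'*|*'"IsEnabled":true'*)   printf 'true' ;;
    *'"isEnabled":false'*|*'"IsEnabled":false'*) printf 'false' ;;
    *) printf 'unknown' ;;
  esac
}

# Enable Fusion, then verify by reading the setting back. Returns non-zero
# if the update fails or the read-back does not report isEnabled=true.
enable_fusion() {
  id=$(fusion_setting_id "$1" "$2" "$3")
  az resource update --ids "$id" --api-version 2019-01-01-preview \
    --set properties.IsEnabled=true --subscription "$1" >/dev/null || return 1
  state=$(fusion_enabled_from_json "$(az resource show --ids "$id" \
    --api-version 2019-01-01-preview --subscription "$1")")
  [ "$state" = "true" ]
}

# Constructed sample of a show result, so the parser can be exercised offline.
SAMPLE_JSON='{"id": "/subscriptions/.../settings/Fusion", "kind": "Fusion", "properties": {"isEnabled": true}}'

# Only talk to Azure when asked: ./enable-fusion.sh --apply <sub-id> <rg> <workspace>
if [ "$1" = "--apply" ]; then
  enable_fusion "$2" "$3" "$4" && echo "Fusion enabled on workspace $4" \
    || echo "Fusion not enabled; check the az error output above" >&2
else
  fusion_setting_id 00000000-0000-0000-0000-000000000000 rg-sentinel la-sentinel; echo
  fusion_enabled_from_json "$SAMPLE_JSON"; echo
fi
```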
