Microsoft Previews Early Ransomware Detection in Azure Sentinel -- Redmondmag.com

Microsoft Previews Early Ransomware Detection in Azure Sentinel

By Kurt Mackie
08/10/2021

Microsoft is previewing early detection capabilities for spotting ransomware campaigns using its Azure Sentinel security information event management (SIEM) solution.

This "Fusion detection for ransomware" capability in Azure Sentinel was described in a Monday announcement as now being "publicly available." It's further described in this document as being at the preview stage. Fusion is a machine learning component of Azure Sentinel that's been around for a few years, although its early ransomware campaign detection capability is apparently new.

Microsoft added the Fusion detection for ransomware capability to Azure Sentinel to aid the detection and response capabilities of organizations. The solution checks for "malicious activities at the defense evasion and execution stages" of a ransomware attack. These early detections give organizations more time to investigate machines in a network that may be under attack. Machines deemed to be under attack can then be isolated to halt the movement of attackers.

Microsoft developed the Fusion detection for ransomware capability in collaboration with the Microsoft Threat Intelligence Center. It uses signals from other Microsoft security products, such as Azure Security Center, Azure Sentinel's scheduled analytics rules, Microsoft Cloud App Security, Microsoft Defender for Endpoint and Microsoft Defender for Identity.

When certain activities happen in a certain time frame, Azure Sentinel indicates a possible ransomware attack and sends an alert. It even tracks "low severity signals" if they are known to be associated with ransomware attacks.

These early alerts are needed, Microsoft contended, because so-called "ransomware-as-a-service" groups are emerging that conduct "human-operated ransomware." These "attackers are using slow and stealth techniques" to compromise networks, Microsoft explained, "which makes it harder to detect them in the first place."

The ability of Fusion to detect multistage attack scenarios was highlighted by Microsoft back in May. Azure Sentinel can track 90 multistage attack scenarios, with 35 of them deemed to be at the "general availability" commercial-release stage, Microsoft said back in May.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.