This chapter covers AI and ML threat detection capabilities within Microsoft Sentinel, a critical domain for the SC-200 exam. You will learn how built-in machine learning models, anomaly detection, fusion, and threat intelligence integration enable automated threat identification. Approximately 15-20% of SC-200 exam questions touch on Sentinel analytics and ML-based detection, making this a high-yield topic. Mastery of these concepts is essential for configuring and managing advanced threat detection in a modern Security Operations Center (SOC).
Jump to a section
Imagine a massive office building with thousands of employees and visitors. A traditional security guard watches CCTV feeds and checks badges, but they can only spot known troublemakers from a wanted poster. Now, imagine a guard with X-ray vision and a supercomputer brain. This guard doesn't just look for faces—they analyze every person's gait, heartbeat, and micro-expressions. They learn what 'normal' looks like for each employee: when they arrive, which floor they go to, how they walk. When someone deviates—like an employee arriving at 3 AM when they always come at 9 AM, or a visitor heading to a restricted area—the guard doesn't just raise an alarm; they calculate the probability of a threat, compare it to similar past incidents, and decide whether to escalate. This guard also shares intelligence with other buildings, learning from incidents elsewhere. In Microsoft Sentinel, this guard is the fusion of machine learning models: Anomaly Detection learns baselines, Fusion correlates alerts like the guard connecting a suspicious gait with a stolen badge, and TI Mapping checks against known threat 'wanted posters'. The guard never sleeps, never gets bored, and gets smarter every day.
What AI and ML Threat Detection Is and Why It Exists
Traditional signature-based detection relies on known patterns of malicious activity—like matching a file hash against a database of malware. This approach fails against novel threats, zero-day exploits, and sophisticated adversaries who change tactics. AI and ML threat detection in Microsoft Sentinel addresses this by learning 'normal' behavior from your environment and identifying deviations that indicate compromise. Sentinel uses several built-in ML models that require no manual training—they are pre-trained on Microsoft's vast telemetry from millions of customers and the Microsoft Defender suite. These models are designed to reduce alert fatigue by filtering out noise and surfacing only high-fidelity incidents.
The exam tests your understanding of these models, how they are configured, and when to use them. You must know the difference between Anomaly Detection, Fusion, and Threat Intelligence (TI) mapping, as well as the specific analytics rules that leverage ML.
How It Works Internally
Sentinel's ML detection operates at multiple layers:
Data Ingestion: Raw logs from various sources (Azure Activity, Microsoft 365 Defender, AWS CloudTrail, syslog, etc.) are ingested into Log Analytics workspaces. The ML models analyze these logs in near real-time.
Feature Engineering: The models extract features such as timestamp, source IP, user agent, geolocation, event frequency, and sequence patterns. For example, a model might look at the number of failed logins from a single IP over 5 minutes.
Baseline Learning: Each model learns a baseline of normal behavior for your environment. This baseline is specific to your tenant and adapts over time. For instance, the "Unusual Sign-in" model learns typical sign-in times, locations, and devices for each user.
Scoring and Alerting: When new events arrive, the model assigns an anomaly score. If the score exceeds a threshold (configurable per rule), an alert is generated. The alert includes the anomaly score, affected entities (user, IP, device), and a link to the raw log.
Correlation (Fusion): Fusion is a correlation engine that combines alerts from multiple sources (e.g., Defender for Endpoint, Defender for Identity) and ML models to create a single incident. It uses a machine learning algorithm to determine which alerts are related to the same attack chain.
Key Components, Values, Defaults, and Timers
- Anomaly Detection Rules: These are built-in analytics rules under the 'Anomaly' rule template type. Examples include: - "Unusual sign-in" (detects sign-ins from atypical locations, devices, or times) - "Unusual volume of file downloads" - "Unusual number of Azure AD authentication requests" - Each rule has a default frequency (e.g., every 5 minutes) and lookback period (e.g., 14 days for baseline). - The threshold for anomaly score is typically set to 3 (standard deviations above mean), but you can adjust via the rule's 'Anomaly threshold' setting.
Fusion: Fusion is enabled by default for all Sentinel workspaces. It uses a machine learning model called "Multi-Stage Attack Detection" to correlate alerts. Fusion generates incidents only when it detects a chain of events that matches an attack pattern (e.g., reconnaissance -> credential theft -> lateral movement). The default lookback period for correlation is 48 hours.
Threat Intelligence (TI) Mapping: Sentinel can ingest threat intelligence feeds (STIX/TAXII) and map them to logs. The ML component here is the 'TI Map' analytics rule that matches IOCs (IPs, domains, file hashes) from TI feeds against your logs. The rule runs every 5 minutes by default.
Entity Behavior Analytics (UEBA): This is an ML model that profiles user and entity behavior. It is enabled by default and generates alerts for actions like "User account compromised" or "Anomalous lateral movement". The model retains behavior profiles for up to 30 days.
Configuration and Verification Commands
To view and enable anomaly rules in the Azure portal:
Navigate to Azure Sentinel -> Analytics -> Rule templates.
Filter by 'Anomaly' in the 'Rule type' column.
Select a rule and click 'Create rule' to activate it.
To verify anomaly detections using KQL:
SecurityAlert
| where AlertName contains "anomaly"
| project TimeGenerated, AlertName, CompromisedEntity, AlertSeverity, ExtendedPropertiesTo check Fusion incidents:
SecurityIncident
| where ProviderName == "Fusion"
| project TimeGenerated, IncidentNumber, Title, Severity, AlertIdsTo inspect UEBA anomalies:
BehaviorAnalytics
| where ActionType == "AnomalousActivity"
| project TimeGenerated, UserPrincipalName, ActivityType, InvestigationPriorityInteraction with Related Technologies
AI/ML detection in Sentinel integrates tightly with:
Microsoft 365 Defender: Alerts from M365D (e.g., malware detections, phishing) are ingested and can be correlated by Fusion.
Azure AD Identity Protection: Risk detections (e.g., leaked credentials) are fed into Sentinel and can trigger ML anomalies.
Microsoft Defender for Cloud: Security alerts from VMs, databases, etc., are ingested and used by Fusion.
Custom ML Models: You can bring your own ML models using Azure Machine Learning and deploy them as analytics rules via the 'Custom ML' template. This is less common on the exam but important to know.
Exam-Relevant Details
The default lookback period for Fusion correlation is 48 hours.
Anomaly rules use a 14-day lookback for baseline learning by default.
The anomaly threshold is expressed as a z-score (default 3).
Fusion is enabled by default and cannot be disabled via Azure Policy—only through the Sentinel UI.
TI mapping rules require a TI data connector (e.g., TAXII, Threat Intelligence Platform) to be configured.
UEBA is enabled by default but can be disabled per workspace.
Common Pitfalls
Misunderstanding Fusion: Candidates often think Fusion is a single ML model that detects attacks without any rules. In reality, Fusion correlates alerts from other analytics rules (including ML rules) to form incidents. It does not generate its own alerts.
Assuming Anomaly rules require training data: They do not—they use pre-trained models that adapt to your environment over time (cold start).
Confusing UEBA with Anomaly rules: UEBA focuses on entity behavior (users, devices), while Anomaly rules can detect patterns in any log type.
Step-by-Step: How an Anomaly Detection Rule Fires
Data Ingestion: A user signs in from an IP in a country they have never visited before. The sign-in log is sent to the Log Analytics workspace.
Feature Extraction: The 'Unusual sign-in' model extracts features: user principal name, IP geolocation, timestamp, device type, and frequency of sign-ins from that IP.
Baseline Comparison: The model compares the new sign-in to the user's historical behavior (last 14 days). It calculates a probability score based on how many standard deviations this event is from the mean.
Anomaly Scoring: The model assigns a z-score of 4.2 (threshold is 3). This exceeds the threshold, so an alert is generated.
Alert Creation: A SecurityAlert record is created with AlertName "Unusual sign-in", severity Medium, and the user and IP as entities.
Fusion Correlation: If within 48 hours, there is also a malware alert from Defender for Endpoint on that user's device, Fusion correlates both alerts into a single incident titled "Multi-stage attack detected".
Incident Generation: The incident appears in Sentinel with all related alerts, entities, and a suggested investigation playbook.
Step-by-Step: How Fusion Correlates Alerts
Alert Ingestion: Multiple alerts from various sources (e.g., Defender for Identity, Azure ATP, custom analytics) arrive in Sentinel.
Feature Extraction: Fusion extracts entities (IP, user, host) and timestamps from each alert.
Graph Building: Fusion builds a temporal graph of entities and their relationships. For example, an alert about a suspicious login on Host A from IP X, and another alert about lateral movement from Host A to Host B.
Pattern Matching: The ML model matches this graph against known attack patterns (e.g., kill chain, MITRE ATT&CK). It calculates a confidence score.
Incident Creation: If confidence exceeds threshold (default 0.8), Fusion creates a single incident with all related alerts.
Alert Suppression: Individual alerts that are part of the fusion incident are suppressed to reduce noise.
Step-by-Step: Implementing TI Mapping
Ingest TI: Connect a threat intelligence feed using the TAXII data connector. Configure the API root and collection ID.
Map IOCs: The TI data connector ingests indicators (IPs, domains, hashes) into the ThreatIntelligenceIndicator table.
Create Analytics Rule: Use the 'TI Map' rule template, which is a scheduled query that runs every 5 minutes.
Query Execution: The rule runs a KQL query that joins ThreatIntelligenceIndicator with CommonSecurityLog or other log tables on IP/Domain fields.
Alert Generation: If a match is found, an alert is created with severity from the TI feed (e.g., High).
Real-World Section
Scenario 1: Detecting Compromised VIP Accounts
A multinational corporation uses Sentinel to protect C-suite executives. They enable the 'Unusual sign-in' anomaly rule and UEBA. One day, the model detects the CEO's account signing in from a foreign country at 3 AM local time, using a device never seen before. The alert triggers an automated playbook that forces a password reset and notifies the SOC. Without ML, this attack might have been missed because the sign-in was from a legitimate IP range (but not the CEO's typical location). The SOC analyst uses the incident to investigate further and finds that the CEO's credentials were phished. The ML model's baseline adapted over 14 days to learn the CEO's typical sign-in patterns.
Scenario 2: Multi-Stage Attack Detection with Fusion
A healthcare provider uses Sentinel across Azure and on-premises. An attacker performs reconnaissance by scanning for open RDP ports (detected by Defender for Cloud). Then they brute-force an admin account (detected by Azure AD Identity Protection). Finally, they move laterally to a database server (detected by Defender for Identity). Each alert individually might be low severity, but Fusion correlates them into a single incident. The SOC investigates and contains the attack before data exfiltration. Without Fusion, the alerts would be siloed and likely ignored as false positives.
Scenario 3: Threat Intelligence Hunting
A financial institution ingests threat intelligence from multiple open-source feeds (e.g., AlienVault OTX, MISP). They create a custom TI mapping rule to alert on any traffic to known C2 servers. One day, the rule matches an outbound connection from a user's workstation to a malicious IP. The alert includes the TI feed's reputation score and context. The SOC blocks the IP and investigates the workstation, finding a trojan. Without TI mapping, the C2 traffic would blend in with normal internet traffic.
Common Misconfigurations:
Setting the anomaly threshold too low (e.g., z-score 1) causes alert fatigue.
Not enabling Fusion because of fear of missing alerts—Fusion actually reduces noise by grouping related alerts.
Using outdated TI feeds that cause false positives (e.g., IPs that are no longer malicious).
Exam Focus Section
What SC-200 Tests:
Objective 2.3: "Create and manage analytics rules" – specifically, you must know how to create anomaly rules, understand Fusion, and configure TI mapping.
Objective 2.4: "Manage threat intelligence" – includes TI data connectors and mapping rules.
Objective 2.5: "Use entity behavior analytics" – UEBA configuration and interpretation.
Common Wrong Answers: 1. "Fusion is a type of analytics rule" – Wrong. Fusion is a correlation engine that operates on alerts from other rules. It is not a rule itself; you cannot create a 'Fusion rule'. 2. "Anomaly rules require a training period before they generate alerts" – Wrong. They use pre-trained models that adapt immediately. However, the baseline improves over time. 3. "TI mapping rules can only use Microsoft-provided feeds" – Wrong. You can bring your own feeds via TAXII, Threat Intelligence Platform, or custom connectors. 4. "UEBA must be enabled manually per workspace" – Wrong. It is enabled by default.
Exam-Tested Numbers:
Default Fusion lookback: 48 hours
Default anomaly baseline period: 14 days
Default anomaly threshold (z-score): 3
Default TI mapping rule frequency: 5 minutes
Edge Cases:
If you disable Fusion, correlated alerts will appear as separate incidents. The exam may ask what happens when Fusion is off.
If a TI feed goes offline, the mapping rule will still run but produce no matches.
Anomaly rules can be tuned by adjusting the threshold, but the baseline is automatic.
How to Eliminate Wrong Answers:
If a question mentions 'correlation of multiple alerts', look for Fusion.
If a question mentions 'behavior baseline', look for Anomaly or UEBA.
If a question mentions 'known malicious indicators', look for TI mapping.
Misconceptions
- Myth: "Fusion detects unknown attacks using ML without any rules." Reality: Fusion correlates alerts from existing rules; it does not generate its own detections.
- Myth: "Anomaly rules must be trained on clean data before use." Reality: They use pre-trained models and adapt to your environment over time; no manual training needed.
- Myth: "TI mapping rules require premium Sentinel tier." Reality: TI mapping is available in all tiers (Free, Standard, Premium) but data ingestion costs apply.
- Myth: "UEBA only works for Azure AD users." Reality: UEBA profiles any entity type, including devices, IPs, and applications.
- Myth: "You can create custom anomaly rules from scratch." Reality: You can only enable/disable built-in anomaly rules or create custom ML models via Azure ML, not define new anomaly logic in Sentinel UI.
Comparisons
Anomaly Detection vs. Fusion:
Anomaly: Detects single unusual events (e.g., unusual sign-in). Uses pre-trained ML models. Generates individual alerts.
Fusion: Correlates multiple alerts (including anomaly alerts) into incidents. Uses ML to find attack chains. Does not generate its own alerts.
Anomaly Detection vs. UEBA:
Anomaly: Focuses on specific event types (sign-in, file download, etc.). Rules are configurable per template.
UEBA: Profiles overall entity behavior across many activities. Generates 'AnomalousActivity' alerts. Less granular but broader scope.
TI Mapping vs. Custom Analytics:
TI Mapping: Matches logs against known IOCs from feeds. Simple join query. Low false positives.
Custom Analytics: Can use any KQL query to detect patterns. More flexible but requires tuning.
Key Takeaways
Fusion is enabled by default and correlates alerts from multiple sources into incidents.
Anomaly detection rules use a default z-score threshold of 3 and a 14-day baseline lookback.
TI mapping requires a data connector to ingest threat intelligence feeds.
UEBA profiles user and entity behavior and is enabled by default.
All ML detection models are pre-trained and require no manual training.
The default Fusion correlation lookback period is 48 hours.
Anomaly rules are available under 'Anomaly' rule templates; you cannot create custom anomaly rules.
Fusion does not generate alerts; it only correlates existing alerts.
TI mapping rules run every 5 minutes by default.
UEBA can be disabled per workspace if not needed.
FAQ
- Q: How do I enable Fusion in Sentinel? A: Fusion is enabled by default. To verify, go to Analytics -> Active rules and look for 'Fusion' rule. If disabled, you can enable it by selecting the rule and clicking 'Enable'.
- Q: Can I create a custom anomaly detection rule? A: No, you cannot create custom anomaly rules from scratch in Sentinel. You can only enable/disable built-in anomaly templates. For custom ML, use Azure Machine Learning and deploy via the 'Custom ML' rule template.
- Q: What is the difference between Fusion and UEBA? A: Fusion correlates alerts from multiple sources to detect multi-stage attacks. UEBA profiles entity behavior and identifies anomalous activities. They work together: UEBA alerts can be correlated by Fusion.
- Q: How do I tune an anomaly rule to reduce false positives? A: You can adjust the 'Anomaly threshold' (z-score) in the rule settings. Increasing the threshold reduces alerts. Also, you can set the rule to 'Disabled' if not needed.
- Q: Do I need a license for TI mapping? A: TI mapping itself does not require a separate license beyond Sentinel. However, some TI feeds may be paid. The TAXII connector is free.
- Q: How long does it take for UEBA to build a baseline? A: UEBA starts profiling immediately but the baseline becomes more accurate over time. Microsoft recommends at least 14 days of data for reliable detection.
- Q: Can Fusion correlate alerts from external sources? A: Yes, as long as the alerts are ingested into Sentinel via data connectors and have entity fields (IP, user, host).
Quiz
- Q: Which of the following is true about Fusion in Microsoft Sentinel? A: Fusion correlates alerts from multiple analytics rules to create multi-stage attack incidents. (Fusion does not generate its own alerts; it uses existing alerts.)
- Q: What is the default lookback period for Fusion correlation? A: 48 hours.
- Q: An administrator wants to detect sign-ins from unusual locations. Which type of analytics rule should they enable? A: Anomaly rule (specifically 'Unusual sign-in'). (Not Fusion, not TI mapping.)
- Q: What is the default threshold for anomaly detection rules? A: A z-score of 3.
- Q: Which data connector is required to use TI mapping? A: A threat intelligence data connector, such as TAXII or Threat Intelligence Platform.
Meta
meta_title: AI & ML Threat Detection in Microsoft Sentinel | SC-200 Chapter
meta_description: Master AI and ML threat detection for SC-200: Fusion, anomaly detection, UEBA, and TI mapping in Microsoft Sentinel. Exam-focused guide with step-by-step scenarios.
estimated_read_minutes: 25
Enable Anomaly Detection Rule
Navigate to Azure Sentinel -> Analytics -> Rule templates. Filter by 'Anomaly' in the rule type column. Select a rule such as 'Unusual sign-in' and click 'Create rule'. Review the default settings: frequency (every 5 minutes), lookback period (14 days for baseline), and anomaly threshold (z-score of 3). You can adjust these, but for the exam, know the defaults. Once enabled, the rule starts analyzing incoming logs immediately.
Data Ingestion and Feature Extraction
When logs (e.g., SigninLogs) arrive in the Log Analytics workspace, the anomaly model extracts features: timestamp, user principal name, IP address geolocation, device OS, and authentication method. These features are normalized into a feature vector. The model uses a pre-trained algorithm (e.g., Isolation Forest) to assign an anomaly score based on how the feature vector deviates from the baseline.
Baseline Learning and Scoring
The model maintains a baseline for each user by aggregating historical data over the lookback period (default 14 days). The baseline includes mean and standard deviation for each feature. For each new event, the model calculates a z-score: (event value - mean) / standard deviation. If the absolute z-score exceeds the threshold (default 3), the event is flagged as anomalous. The alert includes the z-score and affected entities.
Alert Generation and Fusion Correlation
The anomaly alert is written to the SecurityAlert table. Fusion, running as a separate process, scans all alerts (including anomaly alerts) within a 48-hour window. It extracts entities and builds a temporal graph. If the graph matches a known attack pattern (e.g., reconnaissance followed by credential access), Fusion creates a single incident with all related alerts. The incident appears in Sentinel with severity based on the highest alert severity.
Incident Investigation and Response
SOC analysts review the incident in Sentinel. The incident includes a timeline of alerts, entities, and suggested investigation playbooks. Analysts can use KQL queries to dive deeper, e.g., `SecurityIncident | where IncidentNumber == "INC-123"` to see details. Automated playbooks (Logic Apps) can be triggered to block IPs, reset passwords, or isolate machines. The analyst then resolves the incident with a classification.
In a global enterprise with 50,000 users, the SOC deploys Sentinel to detect compromised accounts. They enable the 'Unusual sign-in' anomaly rule and UEBA. One day, the model flags a sign-in from a user who typically logs in from New York but now appears from Nigeria using a new device. The alert triggers a playbook that forces a password reset and notifies the user. The SOC investigates and finds that the user's credentials were phished. Without ML, this attack might have been missed because the sign-in used valid credentials. The ML model's baseline adapted over 14 days to learn the user's typical sign-in patterns. The SOC also uses Fusion to correlate this anomaly with a subsequent malware alert from Defender for Endpoint on the same user's device, creating a single incident that speeds up containment.
In another scenario, a healthcare provider uses TI mapping to block known C2 servers. They ingest threat intelligence from a paid feed via TAXII. The mapping rule runs every 5 minutes and alerts on any outbound connection to a malicious IP. One day, the rule fires, and the SOC blocks the IP at the firewall. They investigate the endpoint and find a trojan. The TI feed provided context (malware family, confidence score) that helped prioritize the response. Without TI mapping, the C2 traffic would have blended in with normal internet traffic.
A common misconfiguration is setting the anomaly threshold too low (e.g., z-score 1) to catch more threats, but this generates thousands of false positives daily, overwhelming the SOC. Conversely, setting it too high (z-score 5) misses real attacks. The recommended starting point is the default z-score of 3, then adjust based on feedback. Another pitfall is not enabling Fusion because of fear of missing alerts—Fusion actually reduces noise by grouping related alerts into incidents. In production, Fusion can reduce the number of incidents by up to 90% compared to raw alerts. Performance considerations: Anomaly rules and Fusion are compute-intensive; Sentinel's backend scales automatically, but ingestion quotas apply. TI mapping is lightweight but requires a stable TI feed connection.
The SC-200 exam tests AI/ML detection primarily under Objective 2.3 (Create and manage analytics rules) and 2.4 (Manage threat intelligence). You must know the following with precision:
Fusion: It is NOT an analytics rule; it is a correlation engine enabled by default. The default lookback period is 48 hours. It correlates alerts from any analytics rule (including anomaly rules) to create multi-stage attack incidents. The exam may ask what happens when Fusion is disabled: individual alerts appear as separate incidents.
Anomaly Detection Rules: These are pre-built templates under 'Anomaly' rule type. They use a default z-score threshold of 3 and a baseline lookback of 14 days. They do NOT require manual training. You cannot create custom anomaly rules; you can only enable/disable built-in ones.
TI Mapping: Requires a TI data connector (TAXII, Threat Intelligence Platform). The default rule runs every 5 minutes. It matches logs against IOCs from the ThreatIntelligenceIndicator table. The exam may test that you can use custom TI feeds, not just Microsoft-provided ones.
UEBA: Enabled by default. It profiles entity behavior and generates 'AnomalousActivity' alerts. It can be disabled per workspace. The exam may ask about its purpose: to detect compromised users and insider threats.
Common Wrong Answers: 1. "Fusion is a type of analytics rule that detects anomalies." – Wrong. Fusion correlates alerts, it does not detect anomalies. 2. "Anomaly rules require a training period of 30 days before generating alerts." – Wrong. They use pre-trained models and start immediately. 3. "TI mapping can only use Microsoft Threat Intelligence." – Wrong. You can bring your own feeds. 4. "UEBA must be manually enabled for each workspace." – Wrong. It is enabled by default.
Edge Cases:
If a TI feed is offline, the mapping rule still runs but produces no matches.
If you disable an anomaly rule, existing baselines are lost after the lookback period.
Fusion can correlate alerts from custom analytics rules as long as they have entity fields.
How to Eliminate Wrong Answers:
Look for keywords: 'correlation' -> Fusion; 'baseline' -> Anomaly or UEBA; 'known malicious' -> TI mapping.
Remember that Fusion does not generate its own alerts; it only correlates.
Anomaly rules are not customizable beyond threshold adjustment.
TI mapping requires a separate data connector, not just enabling a rule.
Fusion is enabled by default and correlates alerts from multiple sources into incidents with a 48-hour lookback.
Anomaly detection rules use a default z-score threshold of 3 and a 14-day baseline lookback.
TI mapping requires a threat intelligence data connector and runs every 5 minutes by default.
UEBA profiles user and entity behavior and is enabled by default.
All ML detection models are pre-trained and require no manual training.
Fusion does not generate alerts; it only correlates existing alerts.
You cannot create custom anomaly rules; only enable/disable built-in templates.
TI mapping can use custom threat intelligence feeds via TAXII or other connectors.
UEBA can be disabled per workspace if not needed.
The default anomaly threshold is a z-score of 3, meaning events more than 3 standard deviations from the mean are flagged.
These come up on the exam all the time. Here's how to tell them apart.
Anomaly Detection Rules
Detects single unusual events (e.g., unusual sign-in).
Uses pre-trained ML models per rule.
Generates individual alerts.
Default threshold: z-score 3.
Baseline lookback: 14 days.
Fusion
Correlates multiple alerts into incidents.
Uses ML to find attack chains.
Does not generate its own alerts.
Default lookback: 48 hours.
Enabled by default.
Anomaly Detection Rules
Focuses on specific event types (sign-in, file download).
Rules are configurable per template.
Generates alerts with anomaly scores.
Baseline per user for each rule.
Requires enabling individual rules.
UEBA
Profiles overall entity behavior across many activities.
Generates 'AnomalousActivity' alerts.
Broad scope, less granular.
Baseline per entity across all behaviors.
Enabled by default for all workspaces.
Mistake
Fusion detects unknown attacks using machine learning without any rules.
Correct
Fusion correlates alerts from existing analytics rules; it does not generate its own detections. It uses ML to find patterns among alerts, not to detect new threats.
Mistake
Anomaly rules must be trained on clean data before they can generate alerts.
Correct
They use pre-trained models that adapt to your environment over time. No manual training is needed; they start generating alerts immediately.
Mistake
TI mapping rules require a premium Sentinel tier.
Correct
TI mapping is available in all tiers (Free, Standard, Premium). However, data ingestion costs apply based on volume.
Mistake
UEBA only works for Azure AD user accounts.
Correct
UEBA profiles any entity type, including devices, IP addresses, and applications, as long as data is ingested.
Mistake
You can create custom anomaly detection rules from scratch in Sentinel.
Correct
You can only enable/disable built-in anomaly rule templates. For custom ML, you must use Azure Machine Learning and deploy via the 'Custom ML' rule template.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Fusion is enabled by default. To verify, go to Analytics -> Active rules and look for a rule named 'Fusion' (rule type: Fusion). If it is disabled, select it and click 'Enable'. Fusion cannot be disabled via Azure Policy; only through the UI.
No, you cannot create custom anomaly rules from scratch. Sentinel provides built-in anomaly rule templates that you can enable or disable. For custom ML detection, you must use Azure Machine Learning to create a model and deploy it via the 'Custom ML' analytics rule template.
Fusion correlates alerts from multiple sources to detect multi-stage attacks (e.g., reconnaissance followed by lateral movement). UEBA profiles entity behavior over time and identifies anomalous activities (e.g., a user logging in at unusual hours). They complement each other: UEBA alerts can be correlated by Fusion.
You can adjust the 'Anomaly threshold' (z-score) in the rule settings. Increasing the threshold reduces the number of alerts. For example, changing from 3 to 4 will only flag events that are 4 standard deviations from the mean. You can also set the rule to 'Disabled' if it produces too many false positives.
No, TI mapping is included with Sentinel. However, you may need a subscription for a third-party threat intelligence feed if you use a paid provider. The TAXII connector is free, but data ingestion costs for the logs being matched apply.
UEBA starts profiling immediately, but the baseline becomes more accurate over time. Microsoft recommends at least 14 days of data for reliable detection. The baseline is continuously updated as new data arrives.
Yes, as long as the alerts are ingested into Sentinel via data connectors and include entity fields (IP, user, host). Fusion does not care about the source; it only looks at the alert data.
You've just covered AI and ML Threat Detection in Microsoft Security — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?