This chapter covers Microsoft Sentinel's Fusion machine learning detection engine, a core capability for reducing alert fatigue and identifying multi-stage attacks. Fusion is a high-value topic on the SC-200 exam, appearing in approximately 10-15% of questions related to Sentinel analytics and incident management. Understanding Fusion's internal mechanisms, configuration options, and limitations is critical for passing the exam and for real-world threat hunting.
Jump to a section
Imagine a city with thousands of security cameras and motion sensors. Each camera records everything, but individually they see only isolated events: a person running, a window breaking, a car speeding away. A junior security guard monitors each feed and triggers an alert for each event—but most are false alarms (a dog chasing a ball, a delivery truck backfiring). The city hires a master detective who doesn't watch every feed but instead receives a daily summary of all alerts. The detective uses years of experience to correlate seemingly unrelated events: the running person near the broken window at 2 AM matches a known burglar's modus operandi, and the speeding car matches a stolen vehicle report from earlier that day. The detective then issues a single high-priority case file—'possible burglary in progress'—to the police. Fusion ML in Microsoft Sentinel works exactly like this detective: it ingests low-fidelity alerts from multiple sources, applies machine learning models trained on millions of real attacks, and outputs a single high-fidelity incident that correlates related alerts, reducing noise and revealing complex attack chains.
What is Fusion ML and Why It Exists
Fusion is a built-in, machine learning-based detection engine in Microsoft Sentinel that correlates alerts from multiple security products (e.g., Microsoft Defender for Cloud, Azure Active Directory Identity Protection, Microsoft 365 Defender) to identify multi-stage attacks. It consumes low-fidelity alerts—each individually may be a false positive—and produces high-fidelity incidents that represent a likely real attack. Fusion reduces alert fatigue by presenting security operations center (SOC) analysts with a single incident instead of dozens of separate alerts. On the SC-200 exam, you must know that Fusion is enabled by default and cannot be entirely disabled via the UI—only specific sources can be excluded.
How Fusion Works Internally
Fusion operates through a multi-step pipeline: 1. Ingestion: Sentinel collects alerts from connected data sources. Fusion only processes alerts from specific Microsoft security products, not third-party sources. The supported sources include: Azure Active Directory Identity Protection, Microsoft Defender for Cloud (formerly Azure Security Center), Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft 365 Defender. Third-party alerts (e.g., from Syslog, CEF, or custom connectors) are NOT processed by Fusion. 2. Pre-processing: Alerts are normalized into a common schema. Fusion extracts key fields: alert type, severity, timestamp, affected entities (users, IPs, devices), and kill-chain stage. Alerts with severity 'Informational' are typically ignored. 3. Correlation: Fusion uses pre-trained machine learning models to find patterns across alerts. The models are trained on millions of real-world attack patterns and known multi-stage attack chains (e.g., credential theft followed by lateral movement). Fusion does NOT require custom training; the models are updated automatically by Microsoft. 4. Scoring: Each correlated set of alerts receives a confidence score. If the score exceeds a threshold (internal, not configurable), Fusion generates a single incident. The incident includes a fusion signal (a unique identifier) and a detailed description of the attack chain. 5. Incident Creation: The incident is created in Sentinel with severity based on the highest severity among correlated alerts. The incident contains all source alerts as entities. Fusion incidents have a special 'Fusion' source in the incident details.
Key Components, Values, and Timers
Fusion Rule: There is one built-in Fusion rule per Sentinel workspace. It cannot be deleted or disabled entirely; you can only exclude specific source products. The rule is named 'Advanced Multistage Attack Detection' in the UI.
Exclusion: You can exclude alerts from specific sources (e.g., Azure AD Identity Protection) via the Fusion rule configuration. This is the only user-configurable setting.
Alert Ingestion Delay: Fusion requires alerts to be ingested into Sentinel. There is no specific timer; Fusion processes alerts as they arrive, but correlation may take several minutes because Fusion waits for related alerts within a sliding time window (approximately 5-10 minutes, not user-configurable).
Incident Deduplication: If Fusion correlates the same set of alerts multiple times (due to reprocessing), it does not create duplicate incidents; it updates the existing incident.
Retention: Fusion incidents follow Sentinel's standard incident retention (90 days by default).
Configuration and Verification Commands
Fusion is configured via the Azure portal under Sentinel -> Analytics -> Rule templates. To verify Fusion incidents:
In Sentinel, go to Incidents, filter by 'Fusion' in the 'Product name' column.
Use KQL: SecurityIncident | where ProductName == 'Fusion'
To check which sources are excluded: SecurityIncident | where ProductName == 'Fusion' | project AdditionalData (look for 'ExcludedSources' field).
PowerShell/CLI: There is no direct command to modify Fusion; use Azure Resource Manager REST API or Azure CLI with the Sentinel workspace. Example Azure CLI to list Fusion rule:
az sentinel alert-rule list --resource-group <rg> --workspace-name <workspace> --query "[?kind=='Fusion'].{name:name, enabled:enabled}"Interaction with Related Technologies
Fusion works alongside other Sentinel analytics: - Scheduled Analytics Rules: These generate alerts from KQL queries. Fusion can consume these alerts if they are from supported sources? Actually, Fusion only consumes alerts from Microsoft security products, not from custom scheduled rules. This is a common exam trap: custom alerts do NOT feed into Fusion. - NRT (Near-Real-Time) Rules: Same as scheduled; not consumed by Fusion. - Behavioral Analytics (UEBA): UEBA in Sentinel provides user and entity behavior analytics. Fusion does NOT directly use UEBA; they are separate detection methods. However, both can generate incidents independently. - Microsoft 365 Defender: Alerts from M365D (e.g., incidents from Defender for Endpoint) are ingested into Sentinel and can be correlated by Fusion.
Step-by-Step: How Fusion Creates an Incident
Alert Generation: A user receives a suspicious login alert from Azure AD Identity Protection (e.g., 'Anonymous IP address'). Separately, Microsoft Defender for Cloud detects a VM being accessed from a known malicious IP.
Ingestion: Both alerts are ingested into Sentinel via the respective connectors. They appear as separate alerts in the Sentinel Logs.
Correlation: Fusion's ML model identifies that both alerts share the same user account and occur within a short time window (e.g., 5 minutes). The model has learned that this pattern often precedes credential theft and lateral movement.
Scoring: The correlation score exceeds the threshold, so Fusion creates a single incident titled 'Possible credential theft followed by suspicious VM access'.
Incident Creation: The incident appears in Sentinel with severity High. The incident contains both source alerts as entities, and the 'Fusion' source is listed.
Exam-Specific Details
Fusion is enabled by default in every Sentinel workspace.
You cannot disable Fusion entirely; you can only exclude sources.
Fusion processes alerts from Microsoft security products only—third-party alerts are ignored.
Fusion incidents have severity equal to the highest severity among correlated alerts.
Fusion uses pre-trained ML models—no custom training or tuning.
Fusion is not available in Azure Government clouds (a known exam fact).
Fusion does not generate alerts directly; it generates incidents from existing alerts.
Trap Patterns on the Exam
Wrong answer: 'Fusion can be disabled by turning off the rule.' Reality: The rule cannot be disabled; you can only exclude sources.
Wrong answer: 'Fusion correlates all alerts in Sentinel.' Reality: Only from specific Microsoft products.
Wrong answer: 'Fusion requires custom ML training.' Reality: Models are pre-trained and updated by Microsoft.
Wrong answer: 'Fusion creates alerts.' Reality: It creates incidents from alerts.
Wrong answer: 'Fusion works with third-party alerts via CEF.' Reality: No, only Microsoft products.
Summary of Key Values
Supported sources: Azure AD Identity Protection, Microsoft Defender for Cloud, Defender for Endpoint, Defender for Identity, Defender for Office 365, Microsoft Cloud App Security, Microsoft 365 Defender.
Severity mapping: Fusion incident severity = max severity of correlated alerts.
Sliding time window: ~5-10 minutes (not configurable).
Exclusion: Only at source product level.
Fusion model updates: Automatic via Microsoft.
Advanced: How to Exclude Sources
In the Azure portal, navigate to Sentinel -> Analytics -> Active rules. Find the 'Advanced Multistage Attack Detection' rule. Click on it and select 'Edit'. In the rule configuration, you will see a list of source products with checkboxes. Uncheck the ones you want to exclude. You can also use PowerShell or REST API to update the rule's sourceSettings.
Common Exam Scenarios
Scenario: A company wants to reduce noise from Azure AD Identity Protection alerts but still wants Fusion to correlate other alerts. Solution: Exclude Azure AD Identity Protection from Fusion.
Scenario: A company asks why Fusion is not creating incidents from custom KQL alerts. Explanation: Fusion only processes alerts from Microsoft security products. Custom alerts must be handled by other analytics rules.
Scenario: A company wants to see all alerts that were correlated by Fusion. Use KQL: SecurityAlert | where ProductName in ('Azure AD Identity Protection', ...) | join SecurityIncident on AlertId to find alerts that are part of a Fusion incident.
Alert Ingestion from Sources
Fusion begins by ingesting alerts from connected Microsoft security data sources. These sources include Azure Active Directory Identity Protection, Microsoft Defender for Cloud, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft 365 Defender. Alerts from third-party sources (e.g., Syslog, CEF, custom connectors) are not processed by Fusion. Each alert must be of severity Low, Medium, High, or Critical; Informational alerts are ignored. The ingestion is near real-time, but there may be a delay of a few minutes depending on the source connector and Sentinel's ingestion pipeline.
Normalization and Feature Extraction
Once ingested, alerts are normalized into a common schema that Fusion's ML model understands. Key features extracted include: alert type (e.g., 'Suspicious sign-in'), severity, timestamp, affected entities (user, IP, device, application), and kill-chain stage (e.g., 'Initial Access', 'Lateral Movement'). The normalization process ensures that alerts from different sources have consistent field names and formats. This step is critical because the ML model was trained on normalized data. Any alert that cannot be normalized (e.g., malformed) is dropped.
Correlation Using ML Models
Fusion applies pre-trained machine learning models to correlate alerts based on patterns of multi-stage attacks. The models are trained on millions of real-world attack sequences and are updated automatically by Microsoft. Correlation looks for relationships such as shared entities (same user, same IP, same device) and temporal proximity (alerts occurring within a sliding time window of approximately 5-10 minutes). The models also consider the order of alerts in the kill chain. For example, a 'Brute force' alert followed by a 'Successful logon' from a different country may indicate credential theft and account takeover.
Scoring and Threshold Evaluation
Each correlated set of alerts receives a confidence score calculated by the ML model. The score reflects the likelihood that the alerts represent a genuine multi-stage attack. If the score exceeds an internal threshold (not user-configurable), Fusion proceeds to create an incident. The threshold is calibrated to balance false positives and false negatives. If the score is too low, the alerts are not correlated, and they remain as individual alerts. The scoring process is opaque; administrators cannot see the score value.
Incident Creation and Enrichment
When the score threshold is met, Fusion creates a single incident in Sentinel. The incident is assigned a severity equal to the highest severity among the correlated alerts. The incident includes a 'Fusion' product name and a description that summarizes the attack chain (e.g., 'Possible credential theft followed by lateral movement'). All source alerts are attached as entities in the incident. The incident is then visible in the Sentinel Incidents blade and can be investigated by SOC analysts. Fusion also enriches the incident with additional context, such as the fusion signal ID and links to the original alerts.
Enterprise Scenario 1: Reducing Alert Fatigue in a Large SOC
A global enterprise with 50,000 employees uses Microsoft 365, Azure, and Defender for Endpoint. The SOC receives over 10,000 alerts per day from these sources, most of which are low-fidelity false positives (e.g., sign-ins from unfamiliar locations, anomalous file downloads). The SOC was overwhelmed and missing real attacks. By enabling Fusion (default), the SOC saw a 70% reduction in incidents because Fusion correlated related alerts into a single incident. For example, a 'Impossible travel' alert from Azure AD Identity Protection combined with a 'Malware detected' alert from Defender for Endpoint on the same user within 10 minutes became a single 'Credential theft and malware deployment' incident. The SOC now focuses on Fusion incidents first, which have a much higher true positive rate. Configuration: The SOC excluded Microsoft Cloud App Security alerts from Fusion because those were generating too many false correlations with Defender alerts. This was done by editing the Fusion rule and unchecking Cloud App Security.
Enterprise Scenario 2: Detecting Advanced Persistent Threats
A financial services company uses Sentinel to monitor its hybrid environment. An attacker compromised a user's credentials via a phishing email (detected by Defender for Office 365 as 'Phish delivered'). The attacker then used those credentials to access a SharePoint site (alert from Microsoft Cloud App Security: 'Unusual file access pattern'). Finally, the attacker attempted to exfiltrate data via an external share (alert from Defender for Cloud Apps: 'Mass download'). Without Fusion, these three alerts would appear as separate incidents, and the SOC might miss the connection. Fusion correlated them into a single incident: 'Phishing followed by data exfiltration attempt'. The incident severity was set to Critical because one of the alerts was Critical. The SOC was able to contain the threat within minutes. The company also uses Fusion to feed incidents into its SIEM (via Sentinel's API) for further automation.
Common Misconfiguration Issues
Over-exclusion: Some administrators exclude too many sources from Fusion, reducing its effectiveness. For example, excluding all sources except Defender for Endpoint defeats the purpose of multi-stage detection.
Ignoring Fusion incidents: Some SOCs treat Fusion incidents as lower priority because they are automated. However, Fusion incidents have a high confidence and should be investigated promptly.
Not using Fusion with playbooks: Fusion incidents can trigger automation playbooks (e.g., disable user account, isolate device). Failing to set up playbooks misses an opportunity for rapid response.
Performance at scale: Fusion processes alerts in near real-time, but in very large workspaces (millions of alerts per day), there may be a delay of up to 15 minutes for correlation. This is due to the time window and processing overhead. Microsoft recommends using dedicated Sentinel tiers (e.g., Pay-as-you-go) to ensure adequate performance.
SC-200 Objective Coverage
Fusion ML is covered under Objective 2.3: 'Create and manage analytics rules in Microsoft Sentinel'. Specifically, the exam tests your ability to:
Describe the purpose and functionality of Fusion.
Configure Fusion exclusion settings.
Identify which alerts are processed by Fusion.
Differentiate Fusion from other analytics rule types (scheduled, NRT, behavioral).
Understand when Fusion does NOT generate incidents.
Top 3 Common Wrong Answers and Why
'Fusion can be disabled by turning off the rule.' Candidates see the 'Disable' button in the UI but don't realize that disabling the rule is not allowed—only exclusion of sources is possible. The exam presents a scenario where you need to stop Fusion from generating incidents; the correct action is to exclude all sources, not to disable the rule.
'Fusion correlates all alerts in Sentinel, including custom alerts.' Many candidates assume Fusion works like a SIEM correlation engine. But Fusion only processes alerts from specific Microsoft security products. Custom KQL alerts are not consumed. The exam loves to ask: 'Why is Fusion not creating incidents from my custom scheduled rule?' The answer: Fusion does not ingest custom alerts.
'Fusion requires custom ML model training to be effective.' Some candidates think Fusion needs to be trained on their environment. In reality, the models are pre-trained by Microsoft and updated automatically. No user training is required or possible.
Specific Numbers and Terms That Appear on the Exam
Supported sources: The exam lists them explicitly. Memorize the list: Azure AD Identity Protection, Microsoft Defender for Cloud, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Cloud App Security, Microsoft 365 Defender.
Exclusion: The only configurable setting is which source products to exclude.
Severity: Fusion incident severity = max severity of correlated alerts.
Time window: Approximately 5-10 minutes (not configurable).
Cloud availability: Fusion is not available in Azure Government clouds.
Rule name: 'Advanced Multistage Attack Detection'.
Edge Cases and Exceptions
What if an alert is from a supported source but has severity Informational? Fusion ignores it; only Low and above are considered.
What if an alert is ingested after the time window? It may not be correlated with earlier alerts. The window is sliding and not configurable.
Can Fusion correlate alerts from the same source? Yes, e.g., two Defender for Endpoint alerts on the same device can be correlated.
Does Fusion create incidents for single alerts? No, Fusion requires at least two alerts from the same or different sources to correlate.
Can Fusion be used with Microsoft Sentinel in Azure China? Yes, but availability may vary; check Microsoft documentation.
How to Eliminate Wrong Answers
If the question mentions 'custom alerts' or 'third-party alerts', Fusion is not the answer.
If the question asks about 'disabling Fusion', look for 'exclude sources' as the correct action.
If the question asks about 'training', remember that Fusion uses pre-trained models.
If the question asks about 'alert creation', remember Fusion creates incidents, not alerts.
If the question asks about 'severity', remember it's the max of correlated alerts.
Exam Tip
When you see 'Fusion' in a question, immediately think: 'Microsoft security products only, pre-trained ML, cannot be disabled, only sources excluded.' This will help you eliminate at least two wrong answers quickly.
Fusion is enabled by default in all Sentinel workspaces and cannot be disabled; only source product exclusions are allowed.
Fusion correlates alerts exclusively from Microsoft security products: Azure AD Identity Protection, Defender for Cloud, Defender for Endpoint, Defender for Identity, Defender for Office 365, Cloud App Security, and Microsoft 365 Defender.
Fusion generates incidents, not alerts; incident severity equals the highest severity among correlated alerts.
Fusion uses pre-trained ML models that are automatically updated by Microsoft; no user training is required or possible.
The correlation time window is approximately 5-10 minutes and is not user-configurable.
Fusion is not available in Azure Government clouds.
Custom scheduled rule alerts and third-party alerts are not processed by Fusion.
These come up on the exam all the time. Here's how to tell them apart.
Fusion ML
Uses pre-trained ML models, no user-defined queries
Correlates alerts from multiple Microsoft security products only
Generates incidents, not alerts
Cannot be disabled, only sources excluded
No custom threshold or time window configuration
Scheduled Analytics Rules
Uses user-defined KQL queries to generate alerts
Can query any data in the Log Analytics workspace
Generates alerts that can be grouped into incidents
Can be enabled, disabled, and customized freely
Allows configuration of query frequency, lookback period, and alert threshold
Mistake
Fusion correlates all alerts in Microsoft Sentinel, including custom analytics rule alerts.
Correct
Fusion only processes alerts from specific Microsoft security products: Azure AD Identity Protection, Microsoft Defender for Cloud, Defender for Endpoint, Defender for Identity, Defender for Office 365, Microsoft Cloud App Security, and Microsoft 365 Defender. Custom KQL alerts and third-party alerts are not consumed by Fusion.
Mistake
Fusion can be disabled completely in the Sentinel workspace.
Correct
The Fusion rule ('Advanced Multistage Attack Detection') cannot be disabled. You can only exclude specific source products from being processed. To effectively 'disable' Fusion, you must exclude all supported sources.
Mistake
Fusion requires custom machine learning model training to adapt to your environment.
Correct
Fusion uses pre-trained ML models that are developed and updated by Microsoft. No user training or customization is possible. The models are automatically updated via Microsoft's cloud service.
Mistake
Fusion generates alerts that can be used in other analytics rules.
Correct
Fusion generates incidents, not alerts. These incidents appear in the Sentinel Incidents blade. They cannot be used as alerts for other rules (e.g., scheduled rules cannot trigger on Fusion incidents).
Mistake
Fusion correlates alerts based on a configurable time window.
Correct
The correlation time window is approximately 5-10 minutes and is not user-configurable. It is determined by the ML model's internal logic and cannot be adjusted via the UI or API.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, the Fusion rule ('Advanced Multistage Attack Detection') cannot be disabled. You can only exclude specific source products from being processed. To effectively stop Fusion from creating incidents, you must exclude all supported sources. This is a common exam point: the option to disable is not available in the UI or API.
Fusion only processes alerts from specific Microsoft security products. Custom KQL scheduled rules generate alerts that are not consumed by Fusion. If you need correlation for custom alerts, you must create your own correlation logic using scheduled rules or playbooks. This is a frequent exam scenario.
No, Fusion uses pre-trained ML models developed by Microsoft. These models are trained on millions of real-world attack patterns and are automatically updated. There is no way to train Fusion on your own data. This is a key differentiator from other ML-based detection systems.
You can query Sentinel Logs using KQL to find alerts that are part of a Fusion incident. For example: `SecurityAlert | where TimeGenerated > ago(1d) | where ProductName in ('Azure AD Identity Protection', ...) | join kind=inner SecurityIncident on $left.AlertId == $right.AlertId` to see alerts that are linked to incidents with ProductName 'Fusion'. You can also filter incidents by 'Fusion' in the Incidents blade.
If you exclude all supported source products, Fusion will have no alerts to correlate, and it will not generate any incidents. This effectively disables Fusion without actually disabling the rule. However, note that you cannot exclude sources that are not connected; if a source is not connected, it is automatically excluded.
Yes, Fusion can correlate multiple alerts from the same source product if they share entities and occur within the time window. For example, two Defender for Endpoint alerts on the same device can be correlated into a single incident. The correlation is not limited to cross-source scenarios.
No, Fusion is not available in Azure Government clouds (e.g., US Government Virginia, US Government Arizona). This is a known exam fact. In those environments, you must rely on scheduled rules and other analytics to achieve multi-stage detection.
You've just covered Sentinel Fusion ML Detection Scenarios — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?