Microsoft says its cloud-native Azure Sentinel SIEM (Security Information and Event Management) platform can now detect potential ransomware activity using its Fusion machine learning model.
Azure Sentinel uses built-in artificial intelligence (AI) to rapidly analyze large volumes of data from business environments, looking for potential threat-actor activity.
It also employs a machine learning technology known as Fusion to detect multi-stage attacks and raise alerts for them, by identifying sets of suspicious activities and abnormal behaviors observed at different stages of an attack.
Azure Sentinel correlates several of these alerts into a single incident, so that an attack can surface even when each individual alert carries limited or missing information and would be hard to detect on its own.
Microsoft announced today that its cloud-based SIEM now supports Fusion detections for potential ransomware attacks and raises high-severity incidents titled "Multiple alerts possibly related to Ransomware activity detected".
For example, Azure Sentinel will generate a ransomware incident after observing the following alerts on the same host within a specified time window:
- Azure Sentinel scheduled alerts (informational): Windows error and warning events
- Azure Defender (medium): ‘GandCrab’ ransomware prevented
- Microsoft Defender for Endpoint (informational): ‘Emotet’ malware detected
- Azure Defender (low): Backdoor ‘Tofsee’ detected
- Microsoft Defender for Endpoint (informational): ‘Parite’ malware detected
To detect potential ransomware attacks in progress, Azure Sentinel uses data collected through the following connectors: Azure Defender (Azure Security Center), Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Cloud App Security, and Azure Sentinel scheduled analytics rules.
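The correlation described above, as an added illustration that is not Microsoft's Fusion code and not part of the original article: alerts are grouped per host, a time window is slid over each host's alerts, and an incident is raised only when the window contains several alerts from more than one provider covering both the execution and defense evasion stages. The alert records below are constructed from the example list in the article; the window size, the thresholds and the tactic labels are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts modelled on the article's example (not real telemetry).
# Each record: (timestamp, host, provider, severity, alert name, tactic)
SAMPLE_ALERTS = [
    ("2021-08-09T10:02:00", "host-01", "Azure Sentinel scheduled alerts", "Informational",
     "Windows error and warning events", "Execution"),
    ("2021-08-09T10:05:00", "host-01", "Azure Defender", "Medium",
     "'GandCrab' ransomware prevented", "Execution"),
    ("2021-08-09T10:09:00", "host-01", "Microsoft Defender for Endpoint", "Informational",
     "'Emotet' malware detected", "Execution"),
    ("2021-08-09T10:20:00", "host-01", "Azure Defender", "Low",
     "Backdoor 'Tofsee' detected", "DefenseEvasion"),
    ("2021-08-09T10:31:00", "host-01", "Microsoft Defender for Endpoint", "Informational",
     "'Parite' malware detected", "DefenseEvasion"),
    # A single informational alert on another host: must not become an incident.
    ("2021-08-09T11:00:00", "host-02", "Microsoft Defender for Endpoint", "Informational",
     "'Emotet' malware detected", "Execution"),
    # Two alerts on a third host but hours apart: outside any one window, no incident.
    ("2021-08-09T08:00:00", "host-03", "Azure Defender", "Low",
     "Backdoor 'Tofsee' detected", "DefenseEvasion"),
    ("2021-08-09T15:00:00", "host-03", "Azure Defender", "Medium",
     "'GandCrab' ransomware prevented", "Execution"),
]

# Incident title as named in the article; thresholds below are assumptions.
INCIDENT_TITLE = "Multiple alerts possibly related to Ransomware activity detected"
REQUIRED_TACTICS = {"Execution", "DefenseEvasion"}


def correlate(alerts, window=timedelta(hours=1), min_alerts=2, min_providers=2):
    """Return one incident per host whose alerts, within a single time window,
    number at least `min_alerts`, come from at least `min_providers` distinct
    providers, and together cover every tactic in REQUIRED_TACTICS.
    Overlapping windows on the same host collapse into the largest matching group."""
    by_host = defaultdict(list)
    for ts, host, provider, severity, name, tactic in alerts:
        by_host[host].append((datetime.fromisoformat(ts), provider, severity, name, tactic))

    incidents = []
    for host, items in by_host.items():
        items.sort()  # chronological; ties broken by provider name
        best = None
        for i, (start, *_rest) in enumerate(items):
            # Every alert on this host that falls within `window` of this start point.
            group = [a for a in items[i:] if a[0] - start <= window]
            providers = {a[1] for a in group}
            tactics = {a[4] for a in group}
            if (len(group) >= min_alerts
                    and len(providers) >= min_providers
                    and REQUIRED_TACTICS <= tactics):
                if best is None or len(group) > len(best):
                    best = group
        if best:
            incidents.append({
                "title": INCIDENT_TITLE,
                "severity": "High",  # raised regardless of the constituent alerts' severities
                "host": host,
                "first_seen": best[0][0].isoformat(),
                "last_seen": best[-1][0].isoformat(),
                "providers": sorted(providers_of(best)),
                "alerts": [f"{a[1]} ({a[2]}): {a[3]}" for a in best],
            })
    return incidents


def providers_of(group):
    """Distinct alert providers contributing to a correlated group."""
    return {a[1] for a in group}


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"[{inc['severity']}] {inc['title']} on {inc['host']} "
              f"({inc['first_seen']} .. {inc['last_seen']})")
        for line in inc["alerts"]:
            print("   ", line)
```

Note that every alert on host-01 is informational, low or medium on its own; only the correlation lifts them into a high-severity incident, which is the point of the feature. Shrinking the window to five minutes drops the same data to no incidents, so the window and thresholds are what decide the false-positive/false-negative balance in a deployment.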
Administrators are advised to view systems as ‘potentially compromised’
“Incidents are generated for alerts that are possibly associated with ransomware activities, when they occur during a specified period of time, and are associated with the execution and defense evasion stages of an attack,” Microsoft explained.
“You can use the alerts listed in the incident to analyze techniques possibly used by attackers to compromise a host / device and evade detection.”
Following a Fusion-detected ransomware attack scenario on Azure Sentinel, administrators are advised to view systems as “potentially compromised” and take immediate action.
Microsoft provides the following recommended steps to analyze the techniques used by attackers during the possible attack:
- Isolate the machine from the network to prevent possible lateral movement.
- Run a full antimalware scan on the machine and follow the resulting remediation steps.
- Review the software installed and running on the machine, removing any unknown or unwanted packages.
- Revert the machine to a known good state, reinstalling the operating system only if necessary, and restore software from a verified malware-free source.
- Resolve the recommendations from the alert providers (e.g., Azure Security Center and Microsoft Defender) to prevent future breaches.
- Investigate the entire network to understand the intrusion and identify other machines that could be affected by this attack.