Improving Alert Recall: Miss Fewer Attacks Through Customizable ML Anomalies

OVERVIEW

In the ongoing game of cat and mouse between attackers and defenders, attackers continually find new ways to evade detection. Whilst high fidelity security detections tend to have high precision, they can sometimes have low recall, therefore some new attack techniques can go undetected. Anomalies on the other hand are much noisier but can capture attacks that would otherwise be missed. Anomalies don’t necessarily indicate malicious behavior on their own. But when combined with other anomalies or alerts their cumulative effect is much stronger.

In this talk, we explore our approach at Microsoft Sentinel to provide the user with customizable anomaly rules. Our engineering methodology uses a PySpark backend to implement a variety of ML techniques including both supervised and unsupervised learning. We deep dive into the ML behind one of our customizable anomalies and then demonstrate the ease at which the rules can be configured by the user. Lastly, we demonstrate, via simulated attacks, how anomalies and alerts can be combined at various stages of the kill chain to produce high quality incidents.

Thus, we can see how customizable anomaly rules improve recall while reducing the noise of traditional anomalies via machine learning and customization.