Azure Sentinel News

Understanding How Azure Sentinel and Entity Behavior Analytics Deliver Actionable Intelligence

by Azure Sentinel News Editor
November 12, 2020
in SOC

At Ignite in September, Microsoft announced that User and Entity Behavior Analytics (UEBA) is available in preview for Azure Sentinel. UEBA takes user data from Azure Active Directory (Azure AD) and, combined with logs and alerts from connected data sources, builds baseline behavioral profiles for entities such as Azure AD users, hosts, IP addresses, and applications.

Using behavior analytics and machine learning, UEBA identifies activity that deviates from those baselines and helps SOC teams determine whether an entity has been compromised or a malicious insider is at work. Microsoft also says UEBA can work out the relative sensitivity of your assets, group them with their peers, and estimate the possible impact if a given asset is compromised; Microsoft calls this the asset's 'blast radius'. With this extra context, SOC teams can better prioritize investigation and incident response.

Before you can use the UEBA preview, you must enable synchronization of Azure AD users and entities so that Sentinel can build profiles for them. Then connect the data sources that feed UEBA, such as Windows security logon events, Azure AD audit and sign-in logs, and Azure activity logs. The data sources you select are processed, enriched, and profiled by UEBA; sources you leave unconnected contribute nothing to the baselines.

For more information on how to set up Azure Sentinel and add data sources, check out Monitor Windows Server Security Using Azure Sentinel Part 1 – Set Up a Workspace and Data Connector on Petri.

The profiles that UEBA builds provide a unified view of your organization's entities. The SOC team can search by entity name, or another identifier, to open an entity profile. At the time of writing, entity pages exist only for users and hosts, but Microsoft says more entity types will follow. Each entity page is a datasheet that includes a timeline of important events and insights into the entity's behavior.

[Image: Azure Sentinel User and Entity Behavior Analytics Delivers Actionable Intelligence on User Threats (Image Credit: Microsoft)]

UEBA workbook and Investigation Priority Score

As part of the preview, Microsoft has also released a UEBA workbook designed to help SOC analysts investigate users. The workbook draws on user-related incidents, alerts, and unusual behavior and shows analysts the top users to investigate, for example a user suspected of being compromised, or considered an insider threat, because their behavior deviates from their baseline profile.

Microsoft says that all of its behavior and configuration anomalies are based on real-life attack scenarios and are mapped to the MITRE ATT&CK framework. Each anomaly is given an 'Investigation Priority Score' that reflects how likely it is that this particular user would perform this particular activity; the score is based on behavioral learning for the user and the user's peers.

UEBA enhances raw log data to make advanced threat hunting easier

UEBA enriches raw log data and writes the results back into the customer's Log Analytics workspace, so SOC analysts can run complex queries without reconstructing the context themselves: each result carries the contextual and behavioral information UEBA derived, and the hard work is done by the backend rather than the analyst. The Guides & Feedback panel gives analysts guidance on making the best use of UEBA, including the ability to share feedback with Microsoft's Sentinel team via the UserVoice platform.
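The following KQL query is an added example, not code from the article or from Microsoft, showing how an analyst would combine the two things described above: the Investigation Priority Score on each anomaly and the behavioral enrichments UEBA writes into the workspace. It reads the BehaviorAnalytics table and assumes the column names (InvestigationPriority, UsersInsights, ActivityInsights, SourceIPLocation) and insight flags (FirstTimeUserConnectedFromCountry, CountryUncommonlyConnectedFromAmongPeers, ActionUncommonlyPerformedByUser, BlastRadius, IsNewAccount, IsDormantAccount, IsLocalAdmin) as listed in Microsoft's UEBA enrichment reference for the preview; the 7-day window and the priority threshold of 5 are choices made for this example.

```kql
// Added example (not from the article or Microsoft): rank users for
// investigation from the BehaviorAnalytics table that UEBA populates.
// Column and insight names follow Microsoft's UEBA enrichment reference
// for the preview; treat them as assumptions and verify them against your
// workspace schema before relying on the query.
let lookback = 7d;      // assumed hunting window
let minPriority = 5;    // InvestigationPriority is 0-10; assumed threshold
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
| where InvestigationPriority >= minPriority
// Keep only records that carry an anomaly flag set by UEBA: a first-time or
// peer-uncommon source country, or an action this user does not normally perform.
| where tobool(ActivityInsights.FirstTimeUserConnectedFromCountry) == true
     or tobool(ActivityInsights.CountryUncommonlyConnectedFromAmongPeers) == true
     or tobool(ActivityInsights.ActionUncommonlyPerformedByUser) == true
// Surface the account context UEBA attached to each record.
| extend BlastRadius      = tostring(UsersInsights.BlastRadius),
         IsNewAccount     = tobool(UsersInsights.IsNewAccount),
         IsDormantAccount = tobool(UsersInsights.IsDormantAccount),
         IsLocalAdmin     = tobool(UsersInsights.IsLocalAdmin)
// One row per user: how many flagged events, the highest score seen, and the
// distinct activities and source locations involved.
| summarize FlaggedEvents = count(),
            MaxPriority   = max(InvestigationPriority),
            Activities    = make_set(ActivityType, 10),
            Locations     = make_set(tostring(SourceIPLocation), 10),
            FirstSeen     = min(TimeGenerated),
            LastSeen      = max(TimeGenerated)
    by UserPrincipalName, BlastRadius, IsNewAccount, IsDormantAccount, IsLocalAdmin
// Triage order: potential impact (blast radius) first, then likelihood
// (priority score), then volume.
| extend BlastRank = case(BlastRadius == "High", 3, BlastRadius == "Medium", 2, 1)
| order by BlastRank desc, MaxPriority desc, FlaggedEvents desc
| project-away BlastRank
```

Run it from the Logs blade of the Sentinel workspace; to drill into one result, add `| where UserPrincipalName == "<upn>"` before the summarize step and open that user's entity page for the timeline. Dormant or newly created accounts with a High blast radius and peer-uncommon activity are the rows worth opening first.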

Reference: https://petri.com/azure-sentinel-user-and-entity-behavior-analytics-delivers-actionable-intelligence-on-user-threats

Copyright © 2020 Azure Sentinel News