This blog post introduces a new and improved version of the User and Entity Behavior Analytics workbook. The workbook uses data from User and Entity Behavior Analytics (UEBA), a feature of Microsoft Sentinel that applies machine learning and threat intelligence to detect anomalous and potentially malicious behavior by users and devices in your network (for more information, see "Identify advanced threats with UEBA").
UEBA is a powerful tool that can help you identify and respond to various types of cyberattacks, such as insider threats, brute-force attacks, DDoS attacks, and phishing campaigns. By using UEBA data in the workbook, you can gain deeper insights into the activities and patterns of your users and entities, and visualize the scope and impact of the threats you face.
The main updates you will find in this version:
- Anomalies related to IPs and hosts, in addition to accounts, are now displayed.
- A new section has been added for incidents involving entities with anomalies raised up to 3 days prior to the incident's creation.
- The workbook now relies on the Anomalies table, whereas the old version queried the BehaviorAnalytics table.
As always, you can find the latest version on the Content Hub:
- Search for 'User and Entity Behavior Analytics' on the Content hub and install the solution.
- After you install it (or update it), you can:
  - either select 'Configuration',
  - or go to the Workbooks blade and select View Template, or save the workbook in case you want to make modifications.
Once you launch the workbook, we recommend selecting Show Help: Yes the first time, so that you can see explanations for each step.
At the top you will find the number of new or active incidents and alerts, as well as anomalies.
We have now added a section for incidents with entities present in anomalies created up to 3 days before the incident was generated.
This can be helpful to prioritize incident investigation, as well as discover suspicious behaviors in the entities involved.
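The correlation this section performs can be reproduced in Log Analytics. The query below is an added, constructed example, not the workbook's own query; it assumes the standard Microsoft Sentinel SecurityIncident, SecurityAlert and Anomalies tables, and that account, IP and host entities can be matched on UserPrincipalName, SourceIpAddress and SourceDevice in the Anomalies table.

```kusto
// Constructed example: incidents whose account, IP or host entities appeared in a
// UEBA anomaly raised up to 3 days before the incident was created.
let lookback = 3d;
// One row per (incident, alert id), using the latest state of each incident
let IncidentAlerts = SecurityIncident
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | mv-expand AlertId = AlertIds to typeof(string)
    | project IncidentNumber, Title, Severity, Status, CreatedTime, AlertId;
// Normalise alert entities into (EntityType, EntityKey) pairs
let IncidentEntities = SecurityAlert
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | mv-expand Entity = todynamic(Entities)
    | extend EntityType = tostring(Entity.Type)
    | extend EntityKey = case(
        EntityType == "account", tolower(strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix))),
        EntityType == "ip",      tostring(Entity.Address),
        EntityType == "host",    tolower(tostring(Entity.HostName)),
        "")
    | where isnotempty(EntityKey)
    | project SystemAlertId, EntityType, EntityKey;
// Normalise anomalies into the same (EntityType, EntityKey) shape; column names assumed
let AnomalyBase = Anomalies
    | where TimeGenerated > ago(30d + lookback)
    | project AnomalyTime = TimeGenerated, AnomalyTemplateName, Score,
              UserPrincipalName, SourceIpAddress, SourceDevice;
let AnomalyEntities = union
    (AnomalyBase | extend EntityType = "account", EntityKey = tolower(UserPrincipalName)),
    (AnomalyBase | extend EntityType = "ip",      EntityKey = SourceIpAddress),
    (AnomalyBase | extend EntityType = "host",    EntityKey = tolower(SourceDevice))
    | where isnotempty(EntityKey)
    | project AnomalyTime, AnomalyTemplateName, Score, EntityType, EntityKey;
IncidentAlerts
| join kind=inner IncidentEntities on $left.AlertId == $right.SystemAlertId
| join kind=inner AnomalyEntities on EntityType, EntityKey
// keep only anomalies raised in the 3 days leading up to the incident
| where AnomalyTime between ((CreatedTime - lookback) .. CreatedTime)
| summarize AnomalyCount = count(), MaxScore = max(Score),
            AnomalyTypes = make_set(AnomalyTemplateName), MatchedEntities = make_set(EntityKey)
    by IncidentNumber, Title, Severity, Status, CreatedTime
| order by MaxScore desc, CreatedTime desc
```

Sorting by the highest anomaly score surfaces the incidents whose entities already looked unusual before the alert fired, which is the prioritisation use case described above.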
Finally, at the bottom you can see the top users, IPs and hosts by anomalies (previously, this was only available for users).
We hope that this workbook helps your organization in your investigations.