Unleash the full potential of User and Entity Behavior Analytics with our updated workbook

This blog post introduces a new and improved version of the User and Entity Behavior Analytics workbook. This workbook uses data from User and Entity Behavior Analytics (UEBA), a feature of Microsoft Sentinel that leverages and to detect anomalous and potentially malicious behavior of users and devices in your (for more information see Identify advanced threats with UEBA).

UEBA is a powerful tool that can help you identify and respond to various types of cyberattacks, such as insider threats, brute-force attacks, DDoS attacks, and campaigns. By using UEBA data in the workbook, you can gain deeper insights into the activities and patterns of your users and entities, and visualize the scope and impact of the threats you face.

The main updates you will find in this version:

  • Anomalies related to IPs and hosts, on top of accounts are now displayed.
  • A new section has been added for incidents involving entities with anomalies raised up to 3 days prior to the incident's creation.
  • The workbook now relies on the Anomalies table, whereas the old version was looking at the BehaviorAnalytics table

As always, you can find the latest version on the Content Hub:

  • Search for ‘User and entitity behavior analytics' on the Content hub and install the solution.

    Captura de pantalla 2024-01-16 101642.png

  • After you install it (or update it), you can
    • Either select ‘Configuration'
    • or go to the Workbooks blade, and select View Template or save the workbook in case you want to make modifications.

Once you launch the workbook, we recommend selecting Show Help: Yes the first time so you can see explanations for each step:

Captura de pantalla 2024-01-16 101836.png

At the top you will find the number of new or active incidents and alerts, as well as anomalies.


We have now added a section for Incidents with entities present in anomalies created up to 3 days before the incident was generated:


This can be helpful to prioritize incident investigation, as well as discover suspicious behaviors in the entities involved.

Finally, at the bottom you can see top Users, Ips and Hosts by anomalies. (Previously, this was only available for users).

Captura de pantalla 2024-01-16 103443.png

Captura de pantalla 2024-01-16 103525.png


We hope that this workbook helps your organization in your investigations.

This workbook has been updated by @NChristis  (Senior Product Manager) and @madesous  (Senior Product Manager).


This article was originally published by Microsoft's Sentinel Blog. You can find the original article here.