Microsoft Sentinel UEBA reference
This reference article lists the input data sources for the User and Entity Behavior Analytics service in Microsoft Sentinel. It also describes the enrichments that UEBA adds to entities, providing needed context to alerts and incidents.
Important
Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
UEBA data sources
These are the data sources from which the UEBA engine collects and analyzes data to train its ML models and set behavioral baselines for users, devices, and other entities. UEBA then looks at data from these sources to find anomalies and glean insights.
Data source | Events |
---|---|
Microsoft Entra ID Sign-in logs |
All |
Microsoft Entra ID Audit logs |
ApplicationManagement DirectoryManagement GroupManagement Device RoleManagement UserManagementCategory |
Azure Activity logs | Authorization AzureActiveDirectory Billing Compute Consumption KeyVault Devices Network Resources Intune Logic Sql Storage |
Windows Security events WindowsEvent or SecurityEvent |
4624: An account was successfully logged on 4625: An account failed to log on 4648: A logon was attempted using explicit credentials 4672: Special privileges assigned to new logon 4688: A new process has been created |
UEBA enrichments
This section describes the enrichments UEBA adds to Microsoft Sentinel entities, along with all their details, that you can use to focus and sharpen your security incident investigations. These enrichments are displayed on entity pages and can be found in the following Log Analytics tables, the contents and schema of which are listed below:
The BehaviorAnalytics table is where UEBA's output information is stored.
The following three dynamic fields from the BehaviorAnalytics table are described in the entity enrichments dynamic fields section below.
The UsersInsights and DevicesInsights fields contain entity information from Active Directory / Microsoft Entra ID and Microsoft Threat Intelligence sources.
The ActivityInsights field contains entity information based on the behavioral profiles built by Microsoft Sentinel's entity behavior analytics.
User activities are analyzed against a baseline that is dynamically compiled each time it is used. Each activity has its defined lookback period from which the dynamic baseline is derived. The lookback period is specified in the Baseline column in this table.
The IdentityInfo table is where identity information synchronized to UEBA from Microsoft Entra ID (and from on-premises Active Directory via Microsoft Defender for Identity) is stored.
BehaviorAnalytics table
The following table describes the behavior analytics data displayed on each entity details page in Microsoft Sentinel.
Field | Type | Description |
---|---|---|
TenantId | string | The unique ID number of the tenant. |
SourceRecordId | string | The unique ID number of the EBA event. |
TimeGenerated | datetime | The timestamp of the activity's occurrence. |
TimeProcessed | datetime | The timestamp of the activity's processing by the EBA engine. |
ActivityType | string | The high-level category of the activity. |
ActionType | string | The normalized name of the activity. |
UserName | string | The username of the user that initiated the activity. |
UserPrincipalName | string | The full username of the user that initiated the activity. |
EventSource | string | The data source that provided the original event. |
SourceIPAddress | string | The IP address from which activity was initiated. |
SourceIPLocation | string | The country/region from which activity was initiated, enriched from IP address. |
SourceDevice | string | The hostname of the device that initiated the activity. |
DestinationIPAddress | string | The IP address of the target of the activity. |
DestinationIPLocation | string | The country/region of the target of the activity, enriched from IP address. |
DestinationDevice | string | The name of the target device. |
UsersInsights | dynamic | The contextual enrichments of involved users (details below). |
DevicesInsights | dynamic | The contextual enrichments of involved devices (details below). |
ActivityInsights | dynamic | The contextual analysis of activity based on our profiling (details below). |
InvestigationPriority | int | The anomaly score, between 0-10 (0=benign, 10=highly anomalous). |
Entity enrichments dynamic fields
Note
The Enrichment name column in the tables in this section displays two rows of information.
- The first, in bold, is the "friendly name" of the enrichment.
- The second (in italics and parentheses) is the field name of the enrichment as stored in the Behavior Analytics table.
UsersInsights field
The following table describes the enrichments featured in the UsersInsights dynamic field in the BehaviorAnalytics table:
Enrichment name | Description | Sample value |
---|---|---|
Account display name (AccountDisplayName) |
The account display name of the user. | Admin, Hayden Cook |
Account domain (AccountDomain) |
The account domain name of the user. | |
Account object ID (AccountObjectID) |
The account object ID of the user. | a58df659-5cab-446c-9dd0-5a3af20ce1c2 |
Blast radius (BlastRadius) |
The blast radius is calculated based on several factors: the position of the user in the org tree, and the user's Microsoft Entra roles and permissions. User must have Manager property populated in Microsoft Entra ID for BlastRadius to be calculated. | Low, Medium, High |
Is dormant account (IsDormantAccount) |
The account has not been used for the past 180 days. | True, False |
Is local admin (IsLocalAdmin) |
The account has local administrator privileges. | True, False |
Is new account (IsNewAccount) |
The account was created within the past 30 days. | True, False |
On premises SID (OnPremisesSID) |
The on-premises SID of the user related to the action. | S-1-5-21-1112946627-1321165628-2437342228-1103 |
DevicesInsights field
The following table describes the enrichments featured in the DevicesInsights dynamic field in the BehaviorAnalytics table:
Enrichment name | Description | Sample value |
---|---|---|
Browser (Browser) |
The browser used in the action. | Edge, Chrome |
Device family (DeviceFamily) |
The device family used in the action. | Windows |
Device type (DeviceType) |
The client device type used in the action | Desktop |
ISP (ISP) |
The internet service provider used in the action. | |
Operating system (OperatingSystem) |
The operating system used in the action. | Windows 10 |
Threat intel indicator description (ThreatIntelIndicatorDescription) |
Description of the observed threat indicator resolved from the IP address used in the action. | Host is member of botnet: azorult |
Threat intel indicator type (ThreatIntelIndicatorType) |
The type of the threat indicator resolved from the IP address used in the action. | Botnet, C2, CryptoMining, Darknet, Ddos, MaliciousUrl, Malware, Phishing, Proxy, PUA, Watchlist |
User agent (UserAgent) |
The user agent used in the action. | Microsoft Azure Graph Client Library 1.0, Swagger-Codegen/1.4.0.0/csharp, EvoSTS |
User agent family (UserAgentFamily) |
The user agent family used in the action. | Chrome, Edge, Firefox |
ActivityInsights field
The following tables describe the enrichments featured in the ActivityInsights dynamic field in the BehaviorAnalytics table:
Action performed
Enrichment name | Baseline (days) | Description | Sample value |
---|---|---|---|
First time user performed action (FirstTimeUserPerformedAction) |
180 | The action was performed for the first time by the user. | True, False |
Action uncommonly performed by user (ActionUncommonlyPerformedByUser) |
10 | The action is not commonly performed by the user. | True, False |
Action uncommonly performed among peers (ActionUncommonlyPerformedAmongPeers) |
180 | The action is not commonly performed among user's peers. | True, False |
First time action performed in tenant (FirstTimeActionPerformedInTenant) |
180 | The action was performed for the first time by anyone in the organization. | True, False |
Action uncommonly performed in tenant (ActionUncommonlyPerformedInTenant) |
180 | The action is not commonly performed in the organization. | True, False |
App used
Enrichment name | Baseline (days) | Description | Sample value |
---|---|---|---|
First time user used app (FirstTimeUserUsedApp) |
180 | The app was used for the first time by the user. | True, False |
App uncommonly used by user (AppUncommonlyUsedByUser) |
10 | The app is not commonly used by the user. | True, False |
App uncommonly used among peers (AppUncommonlyUsedAmongPeers) |
180 | The app is not commonly used among user's peers. | True, False |
First time app observed in tenant (FirstTimeAppObservedInTenant) |
180 | The app was observed for the first time in the organization. | True, False |
App uncommonly used in tenant (AppUncommonlyUsedInTenant) |
180 | The app is not commonly used in the organization. | True, False |
Browser used
Enrichment name | Baseline (days) | Description | Sample value |
---|---|---|---|
First time user connected via browser (FirstTimeUserConnectedViaBrowser) |
30 | The browser was observed for the first time by the user. | True, False |
Browser uncommonly used by user (BrowserUncommonlyUsedByUser) |
10 | The browser is not commonly used by the user. | True, False |
Browser uncommonly used among peers (BrowserUncommonlyUsedAmongPeers) |
30 | The browser is not commonly used among user's peers. | True, False |
First time browser observed in tenant (FirstTimeBrowserObservedInTenant) |
30 | The browser was observed for the first time in the organization. | True, False |
Browser uncommonly used in tenant (BrowserUncommonlyUsedInTenant) |
30 | The browser is not commonly used in the organization. | True, False |
Country/region connected from
Enrichment name | Baseline (days) | Description | Sample value |
---|---|---|---|
First time user connected from country (FirstTimeUserConnectedFromCountry) |
90 | The geo location, as resolved from the IP address, was connected from for the first time by the user. | True, False |
Country uncommonly connected from by user (CountryUncommonlyConnectedFromByUser) |
10 | The geo location, as resolved from the IP address, is not commonly connected from by the user. | True, False |
Country uncommonly connected from among peers (CountryUncommonlyConnectedFromAmongPeers) |
90 | The geo location, as resolved from the IP address, is not commonly connected from among user's peers. | True, False |
First time connection from country observed in tenant (FirstTimeConnectionFromCountryObservedInTenant) |
90 | The country/region was connected from for the first time by anyone in the organization. | True, False |
Country uncommonly connected from in tenant (CountryUncommonlyConnectedFromInTenant) |
90 | The geo location, as resolved from the IP address, is not commonly connected from in the organization. | True, False |
Device used to connect
Enrichment name | Baseline (days) | Description | Sample value |
---|---|---|---|
First time user connected from device (FirstTimeUserConnectedFromDevice) |
30 | The source device was connected from for the first time by the user. | True, False |
Device uncommonly used by user (DeviceUncommonlyUsedByUser) |
10 | The device is not commonly used by the user. | True, False |
Device uncommonly used among peers (DeviceUncommonlyUsedAmongPeers) |
180 | The device is not commonly used among user's peers. | True, False |
First time device observed in tenant (FirstTimeDeviceObservedInTenant) |
30 | The device was observed for the first time in the organization. | True, False |
Device uncommonly used in tenant (DeviceUncommonlyUsedInTenant) |
180 | The device is not commonly used in the organization. | True, False |
Other device-related
Enrichment name | Baseline (days) | Description | Sample value |
---|---|---|---|
First time user logged on to device (FirstTimeUserLoggedOnToDevice) |
180 | The destination device was connected to for the first time by the user. | True, False |
Device family uncommonly used in tenant (DeviceFamilyUncommonlyUsedInTenant) |
30 | The device family is not commonly used in the organization. | True, False |
Internet Service Provider used to connect
Enrichment name | Baseline (days) | Description | Sample value |
---|---|---|---|
First time user connected via ISP (FirstTimeUserConnectedViaISP) |
30 | The ISP was observed for the first time by the user. | True, False |
ISP uncommonly used by user (ISPUncommonlyUsedByUser) |
10 | The ISP is not commonly used by the user. | True, False |
ISP uncommonly used among peers (ISPUncommonlyUsedAmongPeers) |
30 | The ISP is not commonly used among user's peers. | True, False |
First time connection via ISP in tenant (FirstTimeConnectionViaISPInTenant) |
30 | The ISP was observed for the first time in the organization. | True, False |
ISP uncommonly used in tenant (ISPUncommonlyUsedInTenant) |
30 | The ISP is not commonly used in the organization. | True, False |
Resource accessed
Enrichment name | Baseline (days) | Description | Sample value |
---|---|---|---|
First time user accessed resource (FirstTimeUserAccessedResource) |
180 | The resource was accessed for the first time by the user. | True, False |
Resource uncommonly accessed by user (ResourceUncommonlyAccessedByUser) |
10 | The resource is not commonly accessed by the user. | True, False |
Resource uncommonly accessed among peers (ResourceUncommonlyAccessedAmongPeers) |
180 | The resource is not commonly accessed among user's peers. | True, False |
First time resource accessed in tenant (FirstTimeResourceAccessedInTenant) |
180 | The resource was accessed for the first time by anyone in the organization. | True, False |
Resource uncommonly accessed in tenant (ResourceUncommonlyAccessedInTenant) |
180 | The resource is not commonly accessed in the organization. | True, False |
Miscellaneous
Enrichment name | Baseline (days) | Description | Sample value |
---|---|---|---|
Last time user performed action (LastTimeUserPerformedAction) |
180 | Last time the user performed the same action. | <Timestamp> |
Similar action wasn't performed in the past (SimilarActionWasn'tPerformedInThePast) |
30 | No action in the same resource provider was performed by the user. | True, False |
Source IP location (SourceIPLocation) |
N/A | The country/region resolved from the source IP of the action. | [Surrey, England] |
Uncommon high volume of operations (UncommonHighVolumeOfOperations) |
7 | A user performed a burst of similar operations within the same provider | True, False |
Unusual number of Microsoft Entra Conditional Access failures (UnusualNumberOfAADConditionalAccessFailures) |
5 | An unusual number of users failed to authenticate due to conditional access | True, False |
Unusual number of devices added (UnusualNumberOfDevicesAdded) |
5 | A user added an unusual number of devices. | True, False |
Unusual number of devices deleted (UnusualNumberOfDevicesDeleted) |
5 | A user deleted an unusual number of devices. | True, False |
Unusual number of users added to group (UnusualNumberOfUsersAddedToGroup) |
5 | A user added an unusual number of users to a group. | True, False |
IdentityInfo table
After you enable UEBA for your Microsoft Sentinel workspace, data from your Microsoft Entra ID is synchronized to the IdentityInfo table in Log Analytics for use in Microsoft Sentinel. You can embed user data synchronized from your Microsoft Entra ID in your analytics rules to enhance your analytics to fit your use cases and reduce false positives.
While the initial synchronization may take a few days, once the data is fully synchronized:
Changes made to your user profiles, groups, and roles in Microsoft Entra ID are updated in the IdentityInfo table within 15-30 minutes.
Every 14 days, Microsoft Sentinel re-synchronizes with your entire Microsoft Entra ID to ensure that stale records are fully updated.
Default retention time in the IdentityInfo table is 30 days.
Limitations
Currently, only built-in roles are supported.
Data about deleted groups, where a user was removed from a group, is not currently supported.
Versions of the IdentityInfo table
There are actually two versions of the IdentityInfo table:
- The Log Analytics schema version serves Microsoft Sentinel in the Azure portal.
- The Advanced hunting schema version serves Microsoft Sentinel in the Microsoft Defender portal via Microsoft Defender for Identity.
Both versions of this table are fed by Microsoft Entra ID, but the Log Analytics version added a few fields.
Microsoft Sentinel in the Microsoft Defender portal, uses the Advanced hunting version of this table. To minimize the differences between the two versions of the table, most of the unique fields in the Log Analytics version are gradually being added to the Advanced hunting version as well. Regardless of in which portal you're using Microsoft Sentinel, you'll have access to nearly all the same information, though there may be a small time lag in synchronization between the versions. For more information, see the documentation of the Advanced hunting version of this table.
The following table describes the user identity data included in the IdentityInfo table in Log Analytics in the Azure portal. The fourth column shows the corresponding fields in the Advanced hunting version of the table, that Microsoft Sentinel uses in the Defender portal. Field names in boldface are named differently in the Advanced hunting schema than they are in the Microsoft Sentinel Log Analytics version.
Field name in Log Analytics schema |
Type | Description | Field name in Advanced hunting schema |
---|---|---|---|
AccountCloudSID | string | The Microsoft Entra security identifier of the account. | CloudSid |
AccountCreationTime | datetime | The date the user account was created (UTC). | CreatedDateTime |
AccountDisplayName | string | The display name of the user account. | AccountDisplayName |
AccountDomain | string | The domain name of the user account. | AccountDomain |
AccountName | string | The user name of the user account. | AccountName |
AccountObjectId | string | The Microsoft Entra object ID for the user account. | AccountObjectId |
AccountSID | string | The on-premises security identifier of the user account. | AccountSID |
AccountTenantId | string | The Microsoft Entra tenant ID of the user account. | -- |
AccountUPN | string | The user principal name of the user account. | AccountUPN |
AdditionalMailAddresses | dynamic | The additional email addresses of the user. | -- |
AssignedRoles | dynamic | The Microsoft Entra roles the user account is assigned to. | AssignedRoles |
BlastRadius | string | A calculation based on the position of the user in the org tree and the user's Microsoft Entra roles and permissions. Possible values: Low, Medium, High |
-- |
ChangeSource | string | The source of the latest change to the entity. Possible values: |
ChangeSource |
CompanyName | The company name to which the user belongs. | -- | |
City | string | The city of the user account. | City |
Country | string | The country/region of the user account. | Country |
DeletedDateTime | datetime | The date and time the user was deleted. | -- |
Department | string | The department of the user account. | Department |
GivenName | string | The given name of the user account. | GivenName |
GroupMembership | dynamic | Microsoft Entra groups where the user account is a member. | -- |
IsAccountEnabled | bool | An indication as to whether the user account is enabled in Microsoft Entra ID or not. | IsAccountEnabled |
JobTitle | string | The job title of the user account. | JobTitle |
MailAddress | string | The primary email address of the user account. | EmailAddress |
Manager | string | The manager alias of the user account. | Manager |
OnPremisesDistinguishedName | string | The Microsoft Entra ID distinguished name (DN). A distinguished name is a sequence of relative distinguished names (RDN), connected by commas. | DistinguishedName |
Phone | string | The phone number of the user account. | Phone |
SourceSystem | string | The system where the user is managed. Possible values: |
SourceProvider |
State | string | The geographical state of the user account. | State |
StreetAddress | string | The office street address of the user account. | Address |
Surname | string | The surname of the user. account. | Surname |
TenantId | string | The tenant ID of the user. | -- |
TimeGenerated | datetime | The time when the event was generated (UTC). | Timestamp |
Type | string | The name of the table. | -- |
UserAccountControl | dynamic | Security attributes of the user account in the AD domain. Possible values (may contain more than one): |
-- |
UserState | string | The current state of the user account in Microsoft Entra ID. Possible values: |
-- |
UserStateChangedOn | datetime | The date of the last time the account state was changed (UTC). | -- |
UserType | string | The user type. | -- |
Next steps
This document described the Microsoft Sentinel entity behavior analytics table schema.
- Learn more about entity behavior analytics.
- Enable UEBA in Microsoft Sentinel.
- Put UEBA to use in your investigations.