Microsoft Sentinel Blog

Accelerate Your UEBA Journey: Introducing the Microsoft Sentinel Behaviors Workbook

MichalShechter
Feb 19, 2026

In our recent announcement, we introduced the UEBA Behaviors layer - a breakthrough capability that transforms noisy, high-volume security telemetry into clear, human-readable behavioral insights. The Behaviors layer answers the critical question: "Who did what to whom, and why does it matter?" by aggregating and sequencing raw events into normalized, MITRE ATT&CK-mapped behaviors.

But understanding what behaviors are is just the beginning. The next question for SOC teams is: "How do I actually use behaviors to get value from day one?"

Today, we announce the Microsoft Sentinel Behaviors Workbook (part of the “UEBA essentials solution” in the content hub) - a purpose-built, interactive analytics workbook that helps you extract maximum value from the Behaviors layer across your investigation, hunting, and detection workflows. Whether you're a SOC manager looking for high-level situational awareness, an analyst triaging an incident, or a threat hunter searching for hidden threats, this workbook provides the insights you need, when you need them. And the best thing? You can always make it your own!

Why a Workbook?

While the behaviors data is incredibly rich, knowing where to start and what questions to ask can present a learning curve. The UEBA Behaviors Workbook solves this by providing pre-built, validated analytics across three core SOC workflows:

  • Overview: High-level metrics and trends for leadership and SOC managers
  • Investigation: Deep-dive timeline analysis for incident response
  • Hunting: Proactive threat discovery with anomaly detection and attack chain analysis

Think of the workbook as your guided tour through the Behaviors layer - it surfaces the most actionable insights automatically, while still giving you the flexibility to drill down and customize as needed.

Quick Recap: What Are UEBA Behaviors?

Before diving into the workbook, let's briefly recap what makes the Behaviors layer unique:

  • Behaviors are neutral, descriptive observations - they explain what happened, not whether it's malicious.
  • They aggregate and sequence raw events from sources like AWSCloudTrail, GCPAuditLog and CommonSecurityLog data into unified, human-readable summaries.
  • Each behavior is enriched with MITRE ATT&CK mappings, entity roles, and natural-language explanations.
  • They bridge the gap between raw logs and alerts, providing an abstraction layer that makes investigation and detection dramatically faster.

In essence: behaviors turn "what's in the logs" into "what actually happened in my environment" - without requiring deep expertise in every log schema.

The Behaviors Workbook: Three Tabs, Three Workflows

The Behaviors Workbook is organized into three tabs, each designed for a specific SOC persona and use case. Let's walk through each one.

Tab 1: Overview - Situational Awareness at a Glance

Who it's for: SOC managers, leadership, and anyone who needs a quick pulse-check on what's happening in the environment.

What it provides: The Overview tab delivers high-level metrics and visualizations, including key metric tiles, timeline trend charts, MITRE coverage heatmaps, and behavior type distribution, that help you quickly spot spikes, patterns, or anomalies requiring investigation.

Use case example: A SOC manager opens the Overview tab and immediately sees an unusual spike in behaviors concentrated in the Defense Evasion and Persistence tactics. The Behavior Type Distribution reveals a surge in "Failed IAM Identity Provider Configuration Attempts" and "AWS EC2 Security Group Rule Modifications Observed", signaling potential attack preparation that needs immediate triage.

Tab 2: Hunting - Proactive Threat Discovery

Who it's for: Threat hunters, purple teams, and proactive security analysts.

What it does: The Hunting tab empowers hunters to discover emerging threats before they become incidents by surfacing anomalous patterns, rare behaviors, and potential attack chains. Unlike the Investigation tab (which reacts to known incidents), Hunting is about proactive discovery.

Key capabilities:

Use case example: Rarest Behaviors
A threat hunter reviews the "Rarest Behaviors" panel, filtered for the past 7 days. They notice a behavior titled "Inbound remote management session from external address" that has only occurred 5 times in the entire environment. Pivoting to the BehaviorEntities table, they discover all 5 instances involve Palo Alto firewall logs showing the same external IP targeting different internal management interfaces - a clear sign of targeted reconnaissance.

Use case example: Attack Chain Detector
The Attack Chain Detector highlights an AWS IAM role (arn:aws:iam::123456789012:role/CompromisedRole) appearing across 5 distinct MITRE tactics: Reconnaissance, Persistence, Defense Evasion, Credential Access, and Impact. Reviewing the associated behaviors reveals:

This multi-stage pattern - invisible when looking at individual CloudTrail events - is now crystal clear. The hunter initiates an immediate investigation.
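The attack-chain pivot described above, written as a KQL query (an added example, not one of the workbook's own queries): entities whose behaviors span several distinct MITRE ATT&CK tactics within the window. Column names other than TimeGenerated and BehaviorId are assumptions (Categories as a JSON array of tactics and ActionType as the behavior title on SentinelBehaviorInfo, CloudResource as the cloud identity/resource identifier on SentinelBehaviorEntities) and should be adjusted to the actual schema.

```kql
// Added example, not a query from the workbook. Surfaces entities whose
// behaviors cover several distinct MITRE ATT&CK tactics, the pattern the
// Attack Chain Detector highlights.
// Assumed column names (adjust to the real schema): Categories holds the
// tactic list as a JSON array, ActionType the behavior title, and
// CloudResource the cloud identity/resource identifier (e.g. an IAM role ARN).
let window = 7d;
let minTactics = 4;   // tune as needed; the role in the example spanned 5 tactics
let tactics = SentinelBehaviorInfo
    | where TimeGenerated > ago(window)
    | mv-expand Tactic = todynamic(Categories) to typeof(string)
    | project BehaviorId, ActionType, Tactic;
SentinelBehaviorEntities
| where TimeGenerated > ago(window)
| where isnotempty(CloudResource)
| project BehaviorId, TimeGenerated, Entity = tostring(CloudResource)
| join kind=inner tactics on BehaviorId
| summarize TacticCount = dcount(Tactic),
            Tactics = make_set(Tactic),
            Behaviors = make_set(ActionType),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Entity
| where TacticCount >= minTactics
| order by TacticCount desc, LastSeen desc
```

A legitimate automation identity can also touch many tactics, so review the Behaviors set for each hit rather than treating the tactic count alone as a verdict.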

Use case example: CyberArk Vault Anomaly
The workbook shows that the "CyberArk Vault CPM Automatic Detection Operations" behavior had an average of 120 instances per day over the past week, but today it has 1,847 instances - a 15x increase. Drilling into the behaviors reveals that a single service account is performing mass privileged account access operations across multiple safes - potential insider threat or compromised privileged account. This insightful information would have been buried in verbose Vault audit logs, but velocity tracking surfaces it immediately.
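The velocity check described above, expressed in KQL as an added example (not the workbook's own query): each behavior type's count today is compared with its average daily count over the preceding week, and types exceeding a configurable multiple are returned. It assumes an ActionType column holding the behavior title on SentinelBehaviorInfo; with the numbers from the CyberArk case (120 per day baseline, 1,847 today) it would report a velocity of about 15.4.

```kql
// Added example, not a query from the workbook. Flags behavior types whose
// count today is at least `threshold` times their daily average over the
// preceding `lookbackDays` days (the 15x CyberArk case above would match).
// Assumed column name (adjust to the real schema): ActionType = behavior title.
let lookbackDays = 7;
let lookback = lookbackDays * 1d;
let threshold = 10.0;            // report at 10x or more of the daily baseline
let today = startofday(now());
let baseline = SentinelBehaviorInfo
    | where TimeGenerated between ((today - lookback) .. today)
    | summarize BaselineTotal = count() by ActionType
    | extend BaselinePerDay = todouble(BaselineTotal) / lookbackDays;
SentinelBehaviorInfo
| where TimeGenerated >= today
| summarize TodayCount = count() by ActionType
// inner join: behavior types never seen in the baseline week drop out here;
// those belong to the Rarest Behaviors panel, not the velocity check
| join kind=inner baseline on ActionType
| extend Velocity = round(TodayCount / BaselinePerDay, 1)
| where Velocity >= threshold
| project ActionType, BaselinePerDay, TodayCount, Velocity
| order by Velocity desc
```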


Tab 3: Investigation - Deep-Dive Analysis for Incident Response

Who it's for: SOC analysts, incident responders, and anyone investigating a specific incident or specific entities.

What it does: The Investigation tab transforms how analysts respond to incidents by providing comprehensive behavioral context for the entities involved. Instead of manually querying multiple log sources and stitching together timelines, analysts get an automated, pre-correlated view of everything those entities did before, during, and after the incident.

How to use it: When investigating an incident, you provide:

  • The entities involved (users, machines, IPs, etc.)
  • The time of incident generation
  • Time range before the first alert (e.g., 24 hours before)
  • Time range after the last alert (e.g., 12 hours after)

Use case example: An alert fires for "Suspicious AWS IAM Activity" involving IAM user AdminUser123. The analyst opens the Investigation tab, enters the user identity as the entity, sets the incident time, and configures a 24-hour lookback and 12-hour look-forward window.

The analyst immediately sees:

  • Before the incident: Normal behaviors like "AWS EC2 Security Group Information Retrieval" show routine reconnaissance.
  • During the incident: Multiple instances of "Failed IAM Identity Provider Configuration Attempts", indicating the attacker is trying to establish persistence through SAML federation.
  • After the incident: "AWS Resource Deletion Monitoring" behaviors showing potential attempted cleanup of evidence.

This comprehensive view - which would have taken 30+ minutes of manual querying across CloudTrail, VPC Flow Logs, and IAM logs - is now available in seconds, in an easily readable form with rich context.
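The same entity-centric timeline, as an added KQL example (not the workbook's query): behaviors involving one entity across a lookback window before the first alert and a look-forward window after the last alert, labelled Before, During or After. The alert timestamps are constructed values; AccountName on SentinelBehaviorEntities and ActionType, Categories and Description on SentinelBehaviorInfo are assumed column names to adjust to the actual schema.

```kql
// Added example, not a query from the workbook. Pulls every behavior involving
// one entity from 24h before the first alert to 12h after the last alert and
// labels each row with the phase the Investigation tab shows.
// Constructed values: the entity name and the two alert timestamps.
// Assumed column names (adjust to the real schema): AccountName on the
// entities table; ActionType, Categories, Description on the info table.
let entity = "AdminUser123";
let firstAlert = datetime(2026-02-18T10:00:00Z);   // constructed
let lastAlert  = datetime(2026-02-18T11:30:00Z);   // constructed
let lookback = 24h;
let lookforward = 12h;
let windowStart = firstAlert - lookback;
let windowEnd = lastAlert + lookforward;
// behavior IDs in which the entity took part, whatever its role
let entityBehaviors = SentinelBehaviorEntities
    | where TimeGenerated between (windowStart .. windowEnd)
    | where AccountName =~ entity
    | distinct BehaviorId;
SentinelBehaviorInfo
| where TimeGenerated between (windowStart .. windowEnd)
| where BehaviorId in (entityBehaviors)
| extend Phase = case(TimeGenerated < firstAlert, "Before",
                      TimeGenerated > lastAlert, "After",
                      "During")
| project TimeGenerated, Phase, ActionType, Categories, Description
| order by TimeGenerated asc
```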

Real Impact on Your SOC

The Behaviors Workbook represents a fundamental shift in how SOCs can operate:

Investigation time drops from hours to minutes through automated entity-centric behavioral analysis. Threat hunting becomes accessible to junior analysts through pre-built queries that surface rare behaviors and attack chains. Leadership gains visibility into MITRE ATT&CK coverage and behavior trends without needing to know KQL. Detection engineering is faster because rare behaviors and velocity anomalies are automatically surfaced as high-fidelity signals.

The workbook doesn't just give you data - it gives you insights you can act on immediately.

Getting Started

Prerequisites:

  • A Microsoft Sentinel workspace onboarded to the Microsoft Defender portal.
  • The Behaviors layer enabled for your workspace (Settings → UEBA → Behaviors layer) and at least one supported data source configured (list is always updated in the documentation).
  • The workbook uses the Log Analytics table names SentinelBehaviorInfo and SentinelBehaviorEntities; the “Sentinel” prefix isn’t needed when querying behaviors in Advanced Hunting.

Installation:

  1. Navigate to Microsoft Sentinel → Content Hub.
  2. Search for the "UEBA essentials" solution in the gallery.
  3. Click Save to add it to your workspace. One of the content items is the UEBA Behaviors Workbook (there you will also find a workbook for UEBA and hunting queries to get you started with UEBA).
  4. Open the workbook and select your time range and parameters.
  5. Adjust the queries as needed for your use cases.

We Want Your Feedback

As you start using the workbook, let us know:

  • Which tab do you find most valuable?
  • What additional visualizations or hunting queries would help your workflow?
  • What should be integrated into the portal, and where?

Share your thoughts in the comments below or reach out to our team directly.

For more details on the Behaviors layer, see our original announcement blog post and https://learn.microsoft.com/azure/sentinel/behaviors-overview. You will find those links in the “Resources” tab of the Workbook for ease of use.

Updated Feb 18, 2026
Version 1.0