We are unveiling a major enhancement of Microsoft Sentinel’s UEBA Essentials solution. This update includes expanded multi-cloud anomaly detection queries across Azure, AWS, GCP, and Okta, as well as new queries leveraging the anomalies table. These enhancements allow users to rapidly identify high-risk anomalies, establish long-term baselines, align patterns with MITRE ATT&CK, highlight complex malicious IP activities, and generate comprehensive anomalous activity profiles for any user within seconds.
This comprehensive upgrade is designed to reduce investigation times, improve signal quality, and enhance coverage throughout distributed identity and workload environments. All queries are centrally available in the UEBA Essentials solution within the Microsoft Sentinel content hub, offering more than 30 queries ready for deployment in your workspace.
What is the UEBA Essentials Solution and why does it matter?
The UEBA Essentials solution delivers pre-built anomaly detection queries and behavioral insights powered by machine learning, helping SOC teams uncover insider threats, compromised accounts, and subtle attack signals that traditional rules often miss. This solution is built and backed by Microsoft security experts.
The purpose of pre-built queries is to offer default query options that facilitate the initial investigation of UEBA tables.
How UEBA Enhances Protection: Real-World Scenarios
Scenario 1: Detecting Suspicious AWS Console Logins
Query Name: Anomalous AWS Console Login Without MFA from Uncommon Country
Why It Matters: Attackers often exploit cloud credentials. Without UEBA, subtle anomalies like first-time geographic access or unusual login hours can go unnoticed.
UEBA Value: UEBA compares login patterns against behavioral baselines and assigns anomaly scores, helping you prioritize high-risk events.
Scenario 2: Spotting First-Time Device Logons
Query Name: Anomalous First-Time Device Logon
Why It Matters: Lateral movement often starts with accessing new devices.
UEBA Value: UEBA correlates Defender for Endpoint signals with anomaly scoring to flag unusual device associations before privilege escalation occurs.
Scenario 3: Triage of High‑Score Anomalous Activity
Query Name: Anomalous High-Score Activity Triage
Why It Matters: Quickly identify the most critical anomalies by sorting recent events (last 7 days) by their anomaly score.
UEBA Value: Ideal for prioritizing investigations on high-risk behaviors.
How to Install the Solution
Follow the official guide: https://learn.microsoft.com/en-us/azure/sentinel/discover-and-deploy-content-hub.
Quick steps:
- Go to Content Hub in your Sentinel workspace.
- Select UEBA Essentials and click Install.
- Navigate to Microsoft Sentinel → Threat Management -> Hunting -> Queries
Install UEBA Essentials today from Microsoft Learn and start leveraging advanced behavioral analytics to strengthen your security posture.
Additional news
We’ve streamlined the experience by integrating UEBA directly into the connectors page. Now, when you add new data sources, you can enable User and Entity Behavior Analytics (UEBA) instantly—no extra steps required. This enhancement helps you quickly detect advanced threats and strengthen your security posture. Learn more here:
Enable entity behavior analytics to detect advanced threats | Microsoft Learn
Microsoft