Forum Discussion

Chris_321
Copper Contributor
Feb 16, 2022

I don't understand the ability to connect UEBA to multiple data sources.

Hello,


I have connected UEBA in my environment, but I don't understand what it offers to connect the log sources of Audit Logs, Azure Activity, Security Events and Login Logs.

According to UEBA, it collects alert information from other connectors such as Microsoft Defender for Endpoint, bookmarks or activities to generate these user behaviour profiles, so I don't understand why I should connect the aforementioned data sources.


Where can you see that added value?


Regards.


  • G_Wilson3468
    Iron Contributor

    Chris_321 

    Sign-in logs gives you all events. 

    Audit Logs gives you the ApplicationManagement, DirectoryManagement, GroupManagement, Device, RoleManagement, and UserManagement categories.

    Azure Activity Logs give you Authorization, AzureActiveDirectory, Billing, Compute, Consumption, KeyVault, Devices, Network, Resources, Intune, Logic, Sql, Storage.

    Security Events gives you the following (Windows Security events): 4624: An account was successfully logged on; 4625: An account failed to log on; 4648: A logon was attempted using explicit credentials; 4672: Special privileges assigned to new logon; 4688: A new process has been created.


    Here is the value for you.


    Sign-in logs will give you insight (user sign-ins to various services and applications) to detect unusual login times, multiple failed login attempts, or potentially malicious login behavior.

    Audit Logs will provide data (user actions, system changes, and administrative operations) that illuminates user interactions, system modifications, and administrative activities. This is key to understanding what is normal and then finding deviations from that. 

    Activity Logs will monitor changes to Azure resources (resource creation, updates, and deletions). Malicious behavior patterns with Azure resources can be found here.

    Security Events provide context (login attempts, access control changes, and other stuff). Patterns of compromise are found in accounts that are compromised, insider threats, or other malicious behavior.


    The other connectors like MDE give important data: you get the ability to correlate events, detect blind spots, create a behavioral profile of an entity, and get the context in which to evaluate suspicious actions.

    Microsoft Sentinel UEBA reference | Microsoft Learn

    So, in a nutshell, it's just a good idea to connect them to UEBA.


    Hope this helps.


    G.
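As an added illustration that is not part of this thread and not Sentinel's own UEBA engine: a small Python model of the baseline-then-deviation idea in G_Wilson3468's reply, run over constructed sign-in records. The record shape (user, ISO timestamp, success/failure), the two example users and the burst threshold of 5 failures in 10 minutes are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (user, ISO timestamp, result); not a real
# SigninLogs export, just the fields the reply's reasoning needs.
BASELINE = [
    ("alice@example.com", "2022-02-01T09:05:00", "success"),
    ("alice@example.com", "2022-02-02T09:40:00", "success"),
    ("alice@example.com", "2022-02-03T14:10:00", "success"),
    ("bob@example.com", "2022-02-01T08:30:00", "success"),
]
NEW_EVENTS = [
    ("alice@example.com", "2022-02-10T09:15:00", "success"),  # known hour
    ("alice@example.com", "2022-02-11T03:02:00", "success"),  # never seen
    ("bob@example.com", "2022-02-10T08:00:00", "failure"),
    ("bob@example.com", "2022-02-10T08:01:00", "failure"),
    ("bob@example.com", "2022-02-10T08:02:00", "failure"),
    ("bob@example.com", "2022-02-10T08:03:00", "failure"),
    ("bob@example.com", "2022-02-10T08:04:00", "failure"),
    ("bob@example.com", "2022-02-10T08:05:00", "success"),  # then it works
]

def build_profile(records):
    """Hours of day at which each user has successfully signed in before."""
    profile = defaultdict(set)
    for user, ts, result in records:
        if result == "success":
            profile[user].add(datetime.fromisoformat(ts).hour)
    return profile

def unusual_hour_signins(records, profile):
    """Successful sign-ins at an hour absent from that user's profile."""
    return [(u, ts) for u, ts, r in records if r == "success"
            and datetime.fromisoformat(ts).hour not in profile.get(u, set())]

def failed_login_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failures inside one sliding window."""
    failures = defaultdict(list)
    for u, ts, r in records:
        if r == "failure":
            failures[u].append(datetime.fromisoformat(ts))
    flagged = set()
    for u, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(u)
                break
    return sorted(flagged)
```

A user with no baseline at all gets every sign-in flagged, which is exactly why the reply stresses learning what is normal before hunting for deviations.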
