UEBA: tables missing in Azure Sentinel logs


Hi all,

So I noticed that across different tenants the number of UEBA tables in Azure Sentinel is not the same.

I assume that you normally have 4 tables:

- BehaviorAnalytics
- IdentityInfo
- UserAccessAnalytics
- UserPeerAnalytics
 
This is what I encountered on 2 different tenants with the same settings:

[Two screenshots from Azure Sentinel]

 

For some reason on another tenant the IdentityInfo table is missing.

I have checked the entity behavior settings and all 4 of the data sources are enabled.
 

Any ideas?
 
Kind Regards
Louis