What's new: User and Entity Behavior Analytics (UEBA) insights in the entity page!

Published Feb 17 2021 08:54 AM
Microsoft

This blog post covers a new feature of the Azure Sentinel entity pages: four new UEBA-related insights added to the insights panel.

 

When you encounter any entity (currently limited to users and hosts) in a search, an alert, or an investigation, you can select the entity and be taken to an entity page, a datasheet full of useful information about that entity. The types of information you will find on this page include basic facts about the entity, a timeline of notable events related to this entity, and insights into the entity's behavior.

 

Entity pages consist of three parts:

  • Entity info – located in the left-side panel, contains the entity's identifying information, collected from data sources like Azure Active Directory, Azure Monitor, Azure Security Center, and Microsoft Defender.
  • Activity timeline – The center panel shows a graphical and textual timeline of notable events related to the entity, such as alerts, bookmarks, and activities.
  • Insights – The right-side panel presents behavioral insights on the entity. These insights help to identify anomalies and security threats quickly.

 

We’ve added four UEBA-related insights to the insights panel that this post will describe.

 

To benefit from these insights, UEBA must be enabled and the selected timeframe must be at least 4 days.

 

UEBA Insights

 

This insights section summarizes anomalous user activities across geographical locations, devices, and environments; across time and frequency horizons (compared with the user's own history); and compared with the behavior of the user's peers and of the organization as a whole.

 

Clicking on “See all anomalies” will present you with the specific anomalies associated with the user, together with the evidence behind each one.

 

(Screenshot: UEBA Insights)

 

User Peers Based on Security Group Membership

 

This insight presents the user's peers based on Azure AD security group membership. This gives SecOps analysts visibility into other users who share similar permissions with the user.
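The following Python block is an added example, not code from the post or from Azure Sentinel, showing in miniature how the three baselines described above (the user's own history, the user's peers, and the whole organization) can each flag the same sign-in for different reasons, and how a peer set can be derived from shared security-group membership. All data, the rule that org-wide groups are ignored when picking peers, and the thresholds (three hours, twice the daily peak, a 10% organization share) are constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    day: int       # day index inside the lookback window
    hour: int      # hour of day, 0-23
    country: str
    device: str


# Constructed Azure AD security-group membership (sample data, not from the post).
GROUPS = {
    "alice": {"sg-finance", "sg-all-staff"},
    "bob": {"sg-finance", "sg-all-staff"},
    "carol": {"sg-finance", "sg-all-staff"},
    "dave": {"sg-engineering", "sg-all-staff"},
    "erin": {"sg-engineering", "sg-all-staff"},
}
# Groups that contain everyone say nothing about who a user's peers are (assumption).
ORG_WIDE_GROUPS = {"sg-all-staff"}

# Constructed sign-in history: five days per user, one sign-in a day.
HISTORY = (
    [SignIn("alice", d, 9, "US", "laptop-alice") for d in range(1, 6)]
    + [SignIn("bob", d, 10, "US", "laptop-bob") for d in range(1, 6)]
    + [SignIn("carol", d, 8, "GB", "laptop-carol") for d in range(1, 6)]
    + [SignIn("dave", d, 11, "DE", "laptop-dave") for d in range(1, 6)]
    + [SignIn("erin", d, 11, "DE", "laptop-erin") for d in range(1, 6)]
)


def peers_of(user, groups=GROUPS, ignore=ORG_WIDE_GROUPS):
    """Peers are users sharing at least one non-org-wide security group with `user`."""
    mine = groups.get(user, set()) - ignore
    return {u for u, g in groups.items() if u != user and (g - ignore) & mine}


def assess(event, history=HISTORY, groups=GROUPS, org_rare_share=0.1):
    """Return anomaly reasons for `event`, each prefixed with the baseline it
    failed against: the user's own history, the user's peers, or the whole org."""
    own = [e for e in history if e.user == event.user]
    if not own:
        return ["own: no history for this user, nothing to baseline against"]
    peers = peers_of(event.user, groups)
    peer_events = [e for e in history if e.user in peers]
    reasons = []

    # Baseline 1: the user's own history (geography, device, time of day, frequency).
    if event.country not in {e.country for e in own}:
        reasons.append(f"own: first sign-in from country {event.country}")
    if event.device not in {e.device for e in own}:
        reasons.append(f"own: first sign-in from device {event.device}")
    if min(abs(event.hour - e.hour) for e in own) > 3:
        reasons.append(f"own: sign-in at {event.hour:02d}:00 is outside the user's usual hours")
    per_day = Counter(e.day for e in own)
    if per_day[event.day] + 1 > 2 * max(per_day.values()):
        reasons.append("own: today's sign-in count exceeds twice the user's daily peak")

    # Baseline 2: peers with similar group membership.
    if peer_events and event.country not in {e.country for e in peer_events}:
        reasons.append(f"peers: country {event.country} never seen among {len(peers)} peers")

    # Baseline 3: the organization as a whole.
    org_share = Counter(e.country for e in history)[event.country] / len(history)
    if org_share < org_rare_share:
        reasons.append(f"org: country {event.country} appears in {org_share:.0%} of all sign-ins")
    return reasons


if __name__ == "__main__":
    for reason in assess(SignIn("alice", 6, 3, "RU", "unknown-host")):
        print(reason)
```

Note how the baselines disagree in the sample data: carol's routine GB sign-in is normal against her own history and the organization but unusual against her finance peers, who all sign in from the US. That is the value of showing the peer comparison separately rather than folding everything into one score.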

 
 

(Screenshot: User Peers Based on Security Group Membership)

 

User Access Permissions to Azure Subscription

 

This insight shows a user’s access permissions to the Azure subscriptions that the user can access directly or transitively (via Azure AD groups or service principals). Clicking on “View detailed information” will present the Azure subscriptions’ names and the access method (directly, or via which group or service principal).
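As an added illustration (not the post's or Sentinel's code) of what "directly or transitively" means here, the Python block below resolves a user's effective subscription access by walking group membership, including nested groups, and service principals the user controls, and reports the chain that grants each role. The directory data is constructed, and the rule that a user inherits a service principal's assignments only when the user controls that principal is an assumption made for the example.

```python
from collections import deque

# Constructed directory data (sample, not from the post).
# Azure role assignments: principal -> [(subscription, role)].
ASSIGNMENTS = {
    "alice": [("sub-prod", "Reader")],
    "sg-finance": [("sub-finance", "Contributor")],
    "sg-finance-admins": [("sub-finance", "Owner")],
    "sp-billing-export": [("sub-billing", "Reader")],
}
# Azure AD group membership: member -> groups it belongs to (groups may nest).
MEMBER_OF = {
    "alice": {"sg-finance"},
    "bob": {"sg-finance-admins"},
    "sg-finance-admins": {"sg-finance"},
}
# Service principals a user controls and can therefore act through (assumption).
SP_CONTROLLED_BY = {
    "alice": {"sp-billing-export"},
}


def effective_access(user, assignments=ASSIGNMENTS, member_of=MEMBER_OF,
                     sp_control=SP_CONTROLLED_BY):
    """Map each (subscription, role) the user can reach to the shortest chain of
    principals that grants it; the chain starts with the user themselves."""
    results = {}
    seen = {user}
    queue = deque([(user, [user])])
    while queue:
        principal, path = queue.popleft()
        for subscription, role in assignments.get(principal, []):
            results.setdefault((subscription, role), path)  # BFS: first hit is shortest
        hops = set(member_of.get(principal, set()))
        if principal == user:
            hops |= sp_control.get(user, set())
        for nxt in hops:
            if nxt not in seen:  # also guards against membership cycles
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return results


def describe_access(user):
    """Human-readable lines: subscription, role and how the access was obtained."""
    lines = []
    for (subscription, role), path in sorted(effective_access(user).items()):
        how = "directly" if len(path) == 1 else "via " + " -> ".join(path[1:])
        lines.append(f"{subscription}: {role} ({how})")
    return lines


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user)
        for line in describe_access(user):
            print("  " + line)
```

The breadth-first walk guarantees that the path recorded for each role is the shortest one, which is what an analyst wants to see first, and the `seen` set keeps a circular group nesting from looping forever. In the sample data bob holds Owner on the finance subscription only through a nested group two hops away, exactly the kind of access that is easy to miss without a transitive view.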

 

(Screenshot: User Access Permissions to Azure Subscription)

 

Threat Indicators Related to The User

 

This insight shows the collection of known threats, grouped by threat type and family and enriched by Microsoft’s threat intelligence service, that relate to IP addresses appearing in the user’s activities.

 

(Screenshot: Threat indicators related to the user)

 

Going Forward

 

Try out the new insights provided by Sentinel UEBA and let us know your feedback using any of the channels listed in the Resources. We’re working on surfacing more interesting insights that will help you investigate entities faster.

  

Many thanks to Payal Rani & Rajvardhan Oak for contributing to the insights work.

 

1 Comment
Occasional Contributor

@Itay Argoety, the article is very nice. Thanks for making and sharing it here. I will test this and if I have any questions I will post here.

 

Last update: Feb 17 2021 08:56 AM