Discover the power of UEBA anomalies in Microsoft Sentinel
Published Jul 27 2022 11:57 PM
Microsoft

To avoid detection, sophisticated attackers try to stay under the radar and disguise their actions as normal activity. Between ordinary, innocent user activity and obvious attacker behaviour there is a large grey area of suspicious activity that may be an imminent threat to your organization but is easy to overlook.

Our mission in Microsoft Sentinel UEBA is to detect insider and unknown threats: to surface the suspicious activity that other platforms will not detect. Because we look into and analyze that grey area, we can provide insight into threats that would otherwise have been missed.

 

This is how we do it

Our approach is to build behavioral baselines for entities from many indicators, across every kind of behavior. In other words, we are not looking for specific threat scenarios or known attack patterns. We break each activity into its components (action, user, device, geo-location, and so on) and look for anomalous indications in each of them using ML models (popularity, time series, and others).

On top of that, being part of a next-generation SIEM platform lets us correlate data from different sources, even across domains such as on-premises and cloud environments. We can see every aspect of an entity instead of relying on the narrow view of a single data source. Our entity correlation capability, for instance, lets us build one baseline for a single user from its various account indicators.

 

It all comes down to this

Every event that passes through the UEBA engine is enriched with contextual and behavioral information drawn from entity providers (AD, AAD), threat intelligence repositories (Microsoft Interflow), and our own continuously updated ML models. All of this is exposed in the BehavioralAnalytics table in Log Analytics.


UEBA sets a separate baseline for each entity, and those baselines change continuously, so that anomaly-detection thresholds stay sensitive and accurate. For example, for one user 10 wrong-password sign-in attempts in a given timeframe will be considered too many, while for another user only 2 attempts will be. In other words, UEBA profiles behavior not only per organization but per entity.
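As an added illustration of that per-entity baseline idea (this is example KQL written for this page, not the UEBA engine's own model, which is not exposed as a query), the following query builds a failed-logon time series per account from the SecurityEvent table and flags bursts relative to each account's own baseline using series_decompose_anomalies. It assumes Windows Security events are collected into SecurityEvent (event 4625 is a failed logon); the 14-day lookback, 1-hour bins and 1.5 threshold are arbitrary choices for the example.

```kql
// Added example, not from the original post: per-account failed-logon baselining.
// UEBA's internal models are not this query; this only shows why a single fixed
// "N failures" threshold is the wrong shape for the problem.
let lookback = 14d;     // assumed: two weeks is enough history for a baseline
let bin_size = 1h;      // assumed: one-hour buckets
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                       // failed logon
| where TargetUserName !endswith "$"           // drop machine accounts
| where TargetUserName != "-"
| make-series FailedLogons = count() default = 0
    on TimeGenerated from ago(lookback) to now() step bin_size
    by TargetUserName
// The decomposition runs per account, so baseline and anomaly flags are
// derived from that account's own history: 2 failures can be anomalous for a
// quiet user while 10 is routine for a noisy service account.
| extend (AnomalyFlag, AnomalyScore, Baseline) =
    series_decompose_anomalies(FailedLogons, 1.5, -1, 'linefit')
| mv-expand TimeGenerated to typeof(datetime), FailedLogons to typeof(long),
            AnomalyFlag to typeof(long), AnomalyScore to typeof(double),
            Baseline to typeof(double)
| where AnomalyFlag == 1                      // 1 = above baseline, -1 = below, 0 = normal
| project TimeGenerated, TargetUserName, FailedLogons,
          Baseline = round(Baseline, 1), AnomalyScore = round(AnomalyScore, 2)
| order by AnomalyScore desc
```

The output lists, for each account, only the hours in which its failed-logon count rose above its own baseline, with the baseline value beside the observed count so an analyst can see how far each account deviated from its normal.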


If we find enough anomaly indications in one of those events, we aggregate them per user and anomaly type and raise them in the Anomalies table, together with the MITRE ATT&CK tactics and techniques associated with them.


This is an example of the transition from a raw event originating in the Windows Security log to a UEBA sign-in anomaly:

[Screenshot: a raw Windows Security event and the UEBA sign-in anomaly derived from it]

In the Anomalies table, as well as in the other experiences described below, you will find UEBA anomalies such as Anomalous Sign-in, Anomalous Role Assignment, Anomalous Password Reset, and many more. They originate from various data sources and are aggregated by type. Please take a look here to learn about the anomaly types and the data sources that feed the UEBA engine.
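The two queries below, added here as an example rather than taken from the post, follow that path in KQL: the first reads enriched sign-in events from BehavioralAnalytics and keeps those whose activity insights deviate from the user's baseline, the second summarizes the resulting UEBA anomalies per user and anomaly type with the ATT&CK tactics and techniques attached to them. The insight keys (FirstTimeUserConnectedFromCountry and the others), the "LogOn" activity type and the "UEBA" template-name prefix are assumptions drawn from the documented schemas and should be checked against your own workspace before use.

```kql
// Added example, not from the original post. Run each query separately.
//
// Query 1: enriched sign-in events whose activity insights flag a deviation
// from the user's own baseline. Insight key names and the ActivityType value
// are assumptions based on the documented BehavioralAnalytics schema.
BehavioralAnalytics
| where TimeGenerated > ago(7d)
| where ActivityType =~ "LogOn"
| extend FirstTimeCountry = tobool(ActivityInsights.FirstTimeUserConnectedFromCountry),
         UncommonCountry  = tobool(ActivityInsights.CountryUncommonlyConnectedFromByUser),
         FirstTimeISP     = tobool(ActivityInsights.FirstTimeUserConnectedViaISP)
| where FirstTimeCountry or UncommonCountry or FirstTimeISP
| project TimeGenerated, UserPrincipalName, SourceIPAddress, EventSource,
          InvestigationPriority, FirstTimeCountry, UncommonCountry, FirstTimeISP
| order by InvestigationPriority desc

// Query 2: the aggregated result once enough indications accumulate, one row
// per user and anomaly type, with the tactics/techniques UEBA attaches.
// Anomalies of the same template carry the same tactics, so take_any is enough.
Anomalies
| where TimeGenerated > ago(7d)
| where AnomalyTemplateName startswith "UEBA"   // assumed prefix, e.g. "UEBA Anomalous Sign In"
| summarize AnomalyCount = count(),
            MaxScore     = max(Score),
            Tactics      = take_any(Tactics),
            Techniques   = take_any(Techniques)
    by UserPrincipalName, AnomalyTemplateName
| order by MaxScore desc
```

Query 1 is the raw material: one row per enriched event, with InvestigationPriority as UEBA's own ranking of how unusual the event is. Query 2 is what the Anomalies tab and workbook are built on, so its row count and scores should line up with what you see there.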

 

Anomalies tab

Anomalies now have their own tab on the Analytics blade! It provides a consolidated view of anomalies in one place. New anomalies will be added to this tab so check back often. 

 

[Screenshot: the Anomalies tab on the Analytics blade]

 

 

The Duplicate and Edit functionality remains the same. As part of the Edit process, however, you can now provide feedback about an anomaly.

 

[Screenshot: the anomaly feedback step in the Edit wizard]

 

We look forward to hearing your feedback!

 

Anomalies in timeline

Anomalies are now incorporated into entity pages. Alongside the alerts and activities related to an entity, you can now see its anomalies in the timeline.

 

[Screenshot: alerts, activities and anomalies on an entity page timeline]

 

 

These anomalies are often useful for investigating an entity, as well as for investigating incidents. Anomalies such as anomalous account creation, suspicious volume of logins to user account, or (in more advanced stages of an attack) anomalous data destruction, can be seen in the same timeframe as other alerts and activities, enabling the analyst to connect the dots, identify malicious activity and take action.


Anomalies are shown both in the chart and in the timeline. The timeline will soon be transformed into a new version that will be compact and provide better visibility of MITRE tactics for alerts and anomalies.

 

Workbook

Previously, you had to query the Anomalies table to find the anomalies in your workspace; now we have done that work for you. The Anomalies Visualization Workbook gives you a comprehensive view of the anomalies in your workspace and also shows how those anomalies are feeding into incidents.

 

  • A high-level view of all anomalies is at the top of the page, followed by anomaly types, and at the bottom are the details of individual anomalies.

 

[Screenshot: the Anomalies Visualization Workbook overview]

 

  • Anomaly Summary: This summary gives you different views into the anomalous activity occurring in your workspace that can be explored through the visualizations on the rest of the page.

 

[Screenshot: the Anomaly Summary section of the workbook]

 

 

  • Incidents and Recent Anomalies: These incidents may have been triggered by a Fusion detection or by a scheduled rule that uses anomalies; you can click through to the Incidents page for each one. The Incidents table shows you where anomalies have contributed to incidents, which is how they improve your security. The recent anomalies may be of immediate interest, and you can click through to an anomaly's details for further investigation or threat hunting.

 

[Screenshot: the Incidents and Recent Anomalies section of the workbook]

 

  • Anomaly Type and Trend: When you click on the anomaly type, it displays a graph of the number of anomalies of that type over the last 30 days and lists each individual anomaly of that type ordered by score at the bottom of the page. The clustering of anomalies within a short period of time could be an indicator of a concerted attack and be worth further investigation.

[Screenshot: the Anomaly Type and Trend section of the workbook]

 

Since the anomalies are ordered by score, you can prioritize investigating the most unusual behavior easily. If you click on one of those anomalies, you will be shown many of the details you would see in the Anomalies table without having to make a single query.

This is just the beginning, we plan to update this workbook continuously with new visualizations and integrations with other Microsoft Sentinel features, like Hunting queries. We welcome your feedback on how to improve this experience. You can find the Anomalies Visualization Workbook in the Workbook blade of Microsoft Sentinel.

 

Coming soon! UEBA Essentials content hub solution

Soon you will also be able to use a new content hub solution full of UEBA hunting queries based on the Anomalies, BehavioralAnalytics and IdentityInfo tables. Some of the queries use watchlist templates such as VIP, HighValueAssets and TerminatedEmployees to highlight activity by especially critical entities.


These queries cover threat scenarios you can hunt for using UEBA capabilities, and they can also serve as a starting point for queries tailored to your specific needs.
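As an added example of the kind of hunting query described above (written for this page, not taken from the UEBA Essentials solution), the KQL below joins UEBA anomalies to the VIP watchlist and to IdentityInfo, so that for each VIP an analyst sees how many anomalies fired, the highest score, the tactics involved, and the user's department, manager and blast radius. It assumes a watchlist with the alias VIP created from the built-in template, with its "User Principal Name" and Tags columns; the Anomalies and IdentityInfo column names follow their documented schemas.

```kql
// Added example, not from the original post or the content hub solution.
// Assumes: watchlist alias "VIP" (built-in template, "User Principal Name"
// and "Tags" columns); UEBA anomaly templates named with a "UEBA" prefix.
let vips = _GetWatchlist('VIP')
    | project VipUPN  = tolower(tostring(['User Principal Name'])),
              VipTags = tostring(Tags);
// Latest identity record per UPN, so the join does not multiply rows.
let identities = IdentityInfo
    | summarize arg_max(TimeGenerated, Department, JobTitle, Manager,
                        BlastRadius, IsAccountEnabled) by AccountUPN
    | project UPN = tolower(AccountUPN), Department, JobTitle, Manager,
              BlastRadius, IsAccountEnabled;
Anomalies
| where TimeGenerated > ago(30d)
| where AnomalyTemplateName startswith "UEBA"
| extend UPN = tolower(UserPrincipalName)
| join kind=inner vips on $left.UPN == $right.VipUPN
| join kind=leftouter identities on UPN
// Tactics is a list per anomaly; expand it so the set below holds single
// tactic names rather than nested arrays. Id keeps the anomaly count honest.
| mv-expand Tactic = todynamic(Tactics) to typeof(string)
| summarize AnomalyCount = dcount(Id),
            MaxScore     = max(Score),
            AnomalyTypes = make_set(AnomalyTemplateName),
            Tactics      = make_set(Tactic),
            FirstSeen    = min(StartTime),
            LastSeen     = max(EndTime)
    by UPN, VipTags, Department, JobTitle, Manager, BlastRadius, IsAccountEnabled
| order by MaxScore desc, AnomalyCount desc
```

The same shape works for the other templates the post mentions: swap the watchlist for TerminatedEmployees (and filter on the termination date against StartTime) to find anomalies from accounts that should no longer be active, or key on the device and IP columns of Anomalies against HighValueAssets instead of on the user.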

Last updated: Jul 27 2022 04:50 AM