Guided UEBA Investigation Scenarios to empower your SOC
Published Nov 05 2020 11:11 PM

Related Content:

Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel

Introducing User and Entity Behavior Analytics (Public Preview) *UEBA is now Generally Available

Co-Author: @joross

Reviewers: @Cristhofer Munoz, @Itay Argoety



In today's cybersecurity landscape, bad actors have almost made a game of breaching layered defenses, and many defensive tools are becoming obsolete. Organizations now have such a vast and porous digital estate that obtaining a comprehensive picture of the risk and posture of their environment has become unmanageable. As organizations focus heavily on reactive efforts such as analytics and rules, bad actors quickly find ways to evade them. This is where UEBA comes into play, providing risk-scoring methodologies and algorithms to determine what is really happening.


What is UEBA in the context of Azure Sentinel?


Within Azure Sentinel we leverage UEBA to understand the behavior of entities. For introductory information on UEBA capabilities in Azure Sentinel and how to enable the feature, please see the blog post referenced above. The focus of this blog is to share major customer scenarios and entry points where UEBA has been used to investigate and mitigate malicious activity.




1. Proactive Routine Search on entities (UEBA Workbook)


This use case leverages the Azure Sentinel UEBA workbook to proactively look for information on user activity (typically the top users and the anomalies and incidents attached to each user); this information is used to create leads for investigation.

You can find additional information on the UEBA workbook here.


For example, while leveraging the UEBA workbook, we can surface the top risky users with incidents and anomalies. We can also narrow the security review down to specific users and determine whether the subject has indeed been compromised or whether it is an insider threat, based on actions deviating from the user's profile.


Additionally, the UEBA workbook captures non-routine actions, which can be used to identify anomalous activities and potentially non-compliant practices, e.g. a user connecting via VPN when their behavior profile shows they have never done so before.



Figure 1: SecOps analyst investigating the top user leveraging UEBA workbook.


2. Leveraging UEBA for False Positive analysis during incident investigation


The investigation process gives the analyst a detailed overview of the incidents that are captured. Through the incident panel one gains visibility of the entities involved in the incident; this is important because one can easily determine which entities are involved and narrow remediation activities down to them.


Now, in certain scenarios the incident captured could be a false positive. A common example is the frequent impossible travel activity incident, as seen in the image below:



Figure 2: Impossible travel activity alert/incident


In this scenario we have an incident indicating that a user has logged on to an application or portal from multiple locations within a short period of time, such that the user could not have travelled between those locations in that time. By clicking "Investigate" on the Impossible travel activity incident, a security analyst can determine the scope of the potentially malicious activity, as seen below:



Figure 3: Impossible travel activity alert/incident and leveraging the Insights during investigation.


Azure Sentinel captures this as an anomaly; however, after confirming with the user directly, we learn that a VPN connection was used, which presented a location other than where the user actually was. In the figure below we use the user entity page and its timeline to drill down and determine whether the captured locations are among the user's commonly known locations.



Figure 4: UEBA Entity insights on incident for user


After gaining insights from the User entity page (powered by UEBA), we can proceed to close the incident and label it as a false positive. Azure Sentinel's UEBA capabilities can provide ML-powered insights after being enabled for 1 week.


Another entry point for investigation is a UEBA hunting query; the hunting query in this example is Anomalous Geo Location Logon. It surfaces critical information such as user insights, device insights and activity insights for the users in question, which helps with the identified scenario.


Additionally, using a simple query we can discover that her peers usually connect from the same locations as well, making it even clearer that this is a false positive. This is shown in the following figures:



Figure 5: Geo Location Anomaly Hunting Query & hunting query capturing information on user insights, device insights & activity insights.




Figure 6: Hunting Query capturing uncommon logins based on Peers


3. Identify Password Spray and Spear Phishing Attempts


Without MFA, user credentials are preyed upon by attackers looking to compromise accounts with password spraying and spear phishing attempts. Let’s look at an example of how you can use Azure Sentinel’s UEBA to easily determine whether password guessing is expected in your organization’s environment or part of a malicious operation.


From the Azure Sentinel Overview page, we see that one of the most recent incidents was a Potential Password Spray attack. Putting our Security Analyst hat on, let's investigate!



Figure 7: Potential Password Spray Incident


From the Medium severity incident, we see that across 6,800 events and 7 accounts there was unusual activity that could have been part of a potential password spray attack. By clicking Investigate we see which accounts, machines, and other data points were potentially targeted.



Figure 8: Investigation Graph


As part of this investigation, we saw that an administrator account had over 50 Windows logon failures. While this is a significantly high number of logon failures, the count alone is not always conclusive. For example, without user confirmation, would you take action to restrict the account based on 3 sign-in failures? Choosing not to restrict the admin's access could allow an attacker to go undetected. So, let's look at the built-in Insights blade on the investigation graph for the administrator involved in the password spray attack.



Figure 9: Insights blade in the Investigation Graph


For more detail we can view the full Entity Behavior page for the administrator, which surfaces historical alerts related to the user as well as past sign-in anomalies.



Figure 10: Past user behavior observed from the user's Entity Behavior page


As you can see in the above timeline, this is not the first time we have seen a Potential Password Spray incident for this admin. Additionally, Machine Learning-powered insights appear in the right column. These insights can quickly tell you whether the sign-in activity was anomalous or typical (as seen below).



Figure 11: Entity Insights Powered by Machine Learning


While the above example showed how you can investigate an incident and gain context with UEBA, you can also start an investigation directly from an entity page or from evidence found while hunting. As part of Azure Sentinel's hunting experience, you benefit from UEBA in the form of anomaly-driven queries. For example, below you can see a hunting query that monitors all of an organization's anomalous failed logins. The results can serve as the basis for an investigation into a potential password spray attack.



Figure 12: Anomalous Failed Login (UEBA) Hunting Query
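To make two of the checks above concrete, the "uncommon among peers" location comparison behind the Geo Location hunting query in scenario 2 and the idea from scenario 3 that a failed-logon count should be judged against the user's own history rather than a fixed number, here is an added Python example. It is not Sentinel's implementation and not part of the original post; the sign-in records, the peer groups and the `factor`/`floor` thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in events: (user, ISO timestamp, country, succeeded).
SIGNINS = [
    ("alice", "2020-10-01T08:02", "US", True),
    ("alice", "2020-10-02T08:10", "US", True),
    ("alice", "2020-10-03T08:05", "US", False),
    ("alice", "2020-10-04T08:07", "US", True),
    ("bob",   "2020-10-01T09:00", "US", True),
    ("bob",   "2020-10-02T09:30", "NL", True),   # corporate VPN egress in NL
    ("carol", "2020-10-01T07:45", "NL", True),
    ("carol", "2020-10-03T07:50", "NL", True),
    ("svc",   "2020-10-01T00:01", "US", False),  # service account with a stale secret
    ("svc",   "2020-10-01T00:02", "US", False),
    ("svc",   "2020-10-02T00:01", "US", False),
    ("svc",   "2020-10-02T00:02", "US", False),
]
# Peer groups (constructed); UEBA derives these from directory and group membership.
PEERS = {"alice": {"bob", "carol"}}

def countries_by_user(events):
    """Countries each user has successfully signed in from (their known locations)."""
    seen = defaultdict(set)
    for user, _, country, ok in events:
        if ok:
            seen[user].add(country)
    return seen

def assess_logon_location(user, country, events=SIGNINS, peers=PEERS):
    """Two insights the geo-location hunting query surfaces: is the country new for
    this user, and do at least half of the user's peers sign in from it?"""
    seen = countries_by_user(events)
    group = peers.get(user, set())
    first_time = country not in seen[user]
    peer_hits = sum(1 for p in group if country in seen[p])
    common_among_peers = bool(group) and peer_hits * 2 >= len(group)
    if not first_time:
        verdict = "known location"
    elif common_among_peers:
        verdict = "new for user, common among peers"   # likely VPN or office egress
    else:
        verdict = "new for user and peers"              # worth escalating
    return {"first_time": first_time, "common_among_peers": common_among_peers, "verdict": verdict}

def failed_logon_anomaly(user, failures_today, events=SIGNINS, factor=3.0, floor=5):
    """Judge today's failure count against the user's own daily baseline (assumed
    thresholds), so 50 failures for an admin who never fails and 5 for a service
    account that fails every day are scored differently."""
    days = {ts[:10] for u, ts, _, _ in events if u == user}
    failures = sum(1 for u, _, _, ok in events if u == user and not ok)
    baseline = failures / max(1, len(days))
    return failures_today >= floor and failures_today > factor * baseline
```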


By leveraging Azure Sentinel's UEBA as part of an investigation or general security monitoring, you gain greater context on potentially malicious activity occurring in your organization. Try out UEBA in Sentinel today by navigating to the Entity Analytics page.


For more information view the official documentation page and the blog on Entity Insights.


Happy Investigating!

Last update: Nov 02 2021 06:24 PM