Unleash the full potential of User and Entity Behavior Analytics with our updated workbook
Published Jan 17 2024 05:27 AM
Microsoft

This blog post introduces a new and improved version of the User and Entity Behavior Analytics workbook. The workbook uses data from User and Entity Behavior Analytics (UEBA), a feature of Microsoft Sentinel that leverages machine learning and threat intelligence to detect anomalous and potentially malicious behavior of users and devices in your network (for more information, see Identify advanced threats with UEBA).

UEBA is a powerful tool that can help you identify and respond to various types of cyberattacks, such as insider threats, brute-force attacks, DDoS attacks, and phishing campaigns. By using UEBA data in the workbook, you can gain deeper insights into the activities and patterns of your users and entities, and visualize the scope and impact of the threats you face.

The main updates you will find in this version:

  • Anomalies related to IPs and hosts are now displayed, in addition to those for accounts.
  • A new section has been added for incidents involving entities with anomalies raised up to 3 days prior to the incident's creation.
  • The workbook now relies on the Anomalies table, whereas the old version queried the BehaviorAnalytics table.

Getting started

As always, you can find the latest version on the Content Hub:

  • Search for 'User and entity behavior analytics' on the Content hub and install the solution.
  • After you install it (or update it), you can:
    • either select 'Configuration', or
    • go to the Workbooks blade and select View Template, or save the workbook in case you want to make modifications.

Once you launch the workbook, we recommend selecting Show Help: Yes the first time so you can see explanations for each step.

Visualizing your workbook

At the top, you will find the number of new or active incidents and alerts, as well as the number of anomalies.

We have now added a section for incidents with entities that are present in anomalies created up to 3 days before the incident was generated.

This can be helpful to prioritize incident investigation, as well as discover suspicious behaviors in the entities involved.
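As an added example (not the workbook's own query), the following KQL performs the same kind of correlation: it flattens the accounts, IPs and hosts attached to recent incidents, flattens the Anomalies table the same way, and keeps only anomalies raised in the 3 days before each incident was created. It assumes the standard Microsoft Sentinel SecurityIncident, SecurityAlert and Anomalies tables with entities in the usual {Type, Name | Address | HostName} JSON shape; the entityKey helper, the 7-day incident window and the 10-day anomaly window are choices made for this example.

```kql
// Added example, not the workbook's own query: list recent incidents whose entities
// also appear in UEBA anomalies raised up to 3 days before the incident was created.
// Assumes the standard Microsoft Sentinel SecurityIncident, SecurityAlert and Anomalies
// tables, with entities expressed in the usual {Type, Name | Address | HostName} shape.
let lookback = 3d;
// Normalise an entity object to a (Type, Name) key so incidents and anomalies can be joined
let entityKey = (e: dynamic) {
    case(e.Type == "account", tolower(tostring(e.Name)),
         e.Type == "ip",      tostring(e.Address),
         e.Type == "host",    tolower(tostring(e.HostName)),
         "")
};
// 1. Incidents created in the last 7 days (latest state only), one row per attached alert
let incidentAlerts =
    SecurityIncident
    | where CreatedTime > ago(7d)
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber
    | mv-expand AlertId = AlertIds to typeof(string)
    | project IncidentNumber, Title, Severity, CreatedTime, AlertId;
// 2. Accounts, IPs and hosts attached to those alerts
let incidentEntities =
    incidentAlerts
    | join kind=inner (
        SecurityAlert
        | where TimeGenerated > ago(10d)
        | summarize arg_max(TimeGenerated, *) by SystemAlertId
        | project SystemAlertId, AlertEntities = todynamic(Entities)
      ) on $left.AlertId == $right.SystemAlertId
    | mv-expand Entity = AlertEntities
    | extend EntityType = tostring(Entity.Type), EntityName = entityKey(Entity)
    | where isnotempty(EntityName)
    | distinct IncidentNumber, Title, Severity, CreatedTime, EntityType, EntityName;
// 3. Anomalies flattened the same way (10d covers the 7d window plus the 3d lookback)
let anomalyEntities =
    Anomalies
    | where TimeGenerated > ago(10d)
    | mv-expand Entity = Entities
    | extend EntityType = tostring(Entity.Type), EntityName = entityKey(Entity)
    | where isnotempty(EntityName)
    | project AnomalyTime = TimeGenerated, AnomalyTemplateName, Score, EntityType, EntityName;
// 4. Keep only anomalies raised in the lookback window before each incident's creation
incidentEntities
| join kind=inner anomalyEntities on EntityType, EntityName
| where AnomalyTime between ((CreatedTime - lookback) .. CreatedTime)
| summarize AnomalyCount = count(), MaxScore = max(Score),
            AnomalyTypes = make_set(AnomalyTemplateName, 10),
            AnomalousEntities = make_set(EntityName, 10)
    by IncidentNumber, Title, Severity, CreatedTime
| order by MaxScore desc, AnomalyCount desc
```

Sorting by the highest anomaly score first gives a quick triage order; widen or narrow the time windows to match your incident volume.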

Finally, at the bottom you can see the top users, IPs and hosts by anomalies (previously, this was only available for users).

We hope that this workbook helps your organization in your investigations.

This workbook has been updated by @NChristis (Senior Product Manager) and @madesous (Senior Product Manager).
