This blog post introduces a new and improved version of the User and Entity Behavior Analytics workbook. This workbook uses data from User and Entity Behavior Analytics (UEBA), a feature of Microsoft Sentinel that leverages machine learning and threat intelligence to detect anomalous and potentially malicious behavior of users and devices in your network (for more information see Identify advanced threats with UEBA).
UEBA is a powerful tool that can help you identify and respond to various types of cyberattacks, such as insider threats, brute-force attacks, DDoS attacks, and phishing campaigns. By using UEBA data in the workbook, you can gain deeper insights into the activities and patterns of your users and entities, and visualize the scope and impact of the threats you face.
The main updates you will find in this version:
As always, you can find the latest version on the Content Hub:
Once you launch the workbook, we recommend selecting Show Help: Yes the first time so you can see explanations for each step:
At the top you will find the number of new or active incidents and alerts, as well as anomalies.
We have now added a section listing incidents whose entities (users, IP addresses and hosts) also appear in anomalies created in the 3 days before the incident was generated:
This helps prioritize incident investigation and surfaces earlier suspicious behavior by the entities involved, which might otherwise go unnoticed when looking at the incident alone.
Finally, at the bottom you can see the top users, IPs and hosts ranked by number of anomalies. (Previously, this view was only available for users.)
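To show what the incident-to-anomaly correlation above amounts to in query form, here is an added KQL example; it is not the workbook's own query. It joins the entities of open incidents (reached through their alerts) against the Anomalies table and keeps only anomalies from the 3 days before each incident was created. It assumes the standard SecurityIncident, SecurityAlert and Anomalies tables and the account/ip/host entity shapes Microsoft Sentinel uses for alert entities; the lookback windows, status filter and output columns are illustrative choices.

```kql
// Added example, not the workbook's own query. Assumes the standard
// SecurityIncident, SecurityAlert and Anomalies tables in a Sentinel workspace.
let lookback = 3d;                 // anomalies up to 3 days before the incident
let incidentWindow = 30d;          // how far back to look for incidents
// Normalise an alert/anomaly entity into (EntityType, EntityKey) so the
// two sides can be joined. Assumes the usual entity JSON: account entities
// carry Name/UPNSuffix, ip entities Address, host entities HostName.
let IncidentEntities =
    SecurityIncident
    | where TimeGenerated > ago(incidentWindow)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber   // latest state of each incident
    | where Status in ("New", "Active")
    | mv-expand AlertId = AlertIds to typeof(string)
    | join kind=inner (
        SecurityAlert
        | where TimeGenerated > ago(incidentWindow)
        | extend AlertId = SystemAlertId
        | mv-expand Entity = parse_json(Entities)
        | extend EntityType = tolower(tostring(Entity.Type))
        | extend EntityKey = case(
            EntityType == "account",
                tolower(iif(isempty(tostring(Entity.UPNSuffix)),
                            tostring(Entity.Name),
                            strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)))),
            EntityType == "ip",   tostring(Entity.Address),
            EntityType == "host", tolower(tostring(Entity.HostName)),
            "")
        | where isnotempty(EntityKey)
        | project AlertId, EntityType, EntityKey
      ) on AlertId
    | project IncidentNumber, Title, Severity, IncidentCreated = CreatedTime, EntityType, EntityKey;
let AnomalyEntities =
    Anomalies
    | where TimeGenerated > ago(incidentWindow + lookback)
    | mv-expand Entity = parse_json(Entities)
    | extend EntityType = tolower(tostring(Entity.Type))
    | extend EntityKey = case(
        EntityType == "account",
            tolower(iif(isempty(tostring(Entity.UPNSuffix)),
                        tostring(Entity.Name),
                        strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)))),
        EntityType == "ip",   tostring(Entity.Address),
        EntityType == "host", tolower(tostring(Entity.HostName)),
        "")
    | where isnotempty(EntityKey)
    | project AnomalyTime = TimeGenerated, AnomalyTemplateName, Score, EntityType, EntityKey;
IncidentEntities
| join kind=inner AnomalyEntities on EntityType, EntityKey
// keep only anomalies that preceded the incident by at most `lookback`
| where AnomalyTime between ((IncidentCreated - lookback) .. IncidentCreated)
| summarize AnomalyCount = count(),
            MaxScore = max(Score),
            AnomalyTypes = make_set(AnomalyTemplateName, 10),
            MatchedEntities = make_set(strcat(EntityType, ":", EntityKey), 10)
    by IncidentNumber, Title, Severity, IncidentCreated
| order by AnomalyCount desc, MaxScore desc
```

The same AnomalyEntities projection also gives the "top users, IPs and hosts by anomalies" view: drop the join and instead run `AnomalyEntities | summarize AnomalyCount = count() by EntityType, EntityKey | top 10 by AnomalyCount`. Two caveats a practitioner should keep in mind: entity normalisation is what makes or breaks the join (an account written as `user` in one place and `user@contoso.com` in another will not match, which is why both sides go through the same `case()`), and matching only on entity identity does not prove the anomaly and the incident are related; it is a prioritisation signal, not a verdict.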
We hope that this workbook helps your organization in your investigations.
This workbook has been updated by @NChristis (Senior Product Manager) and @madesous (Senior Product Manager).