Azure Sentinel's User and Entity Behavior Analytics provides various capabilities: resolving different user identifiers into one user account, enriching the data, triggering anomalies, and providing entity pages that support the SecOps analyst during an investigation.
The entity page aggregates information from various data sources about that specific entity, providing contextual information and insights that help the SecOps analyst decide whether the entity is compromised.
Many customers ingest data into Azure Monitor custom tables. This data often contains useful information such as VPN data, internal application data, data sent by Logstash, and so on. You may also want to surface specific Windows events in the entity page that have significance in your environment.
Azure Sentinel can now correlate data from any table to a specific entity, and that data will surface in the entity page.
Our goal is to surface in the entity page the data that you find important to your organization, helping SecOps reduce the time needed for investigation and remediation.