Azure Sentinel Incident Entities and UEBA

I've been struggling A LOT to properly set up user/host entities in the Analytics rules so they are properly recognized by the UEBA module. Could you explain how we should set incident entities so they are properly recognized and aggregated into the UEBA module?


To me, for UEBA to make sense there should first be a standardized way to map the user/host for each data source to the user/host in Azure AD. If not, what happens is that each data source creates "different users" in the UEBA module, and information gets split among different copies of the same user instead of being aggregated into the same one.


I even have the case where OfficeActivity logs are being matched with one instance of a user, and the security events collected by the Log Analytics agent are being aggregated into a different instance of the same user.

0 Replies
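The split the post describes usually comes from the two sources handing the rule different identifiers: OfficeActivity supplies a UPN (user@domain), while SecurityEvent supplies DOMAIN\name plus a SID and an FQDN host. The KQL below is an added example, not code from the original post or from Microsoft: it resolves both forms to the same Azure AD object ID through the UEBA IdentityInfo table and emits one set of columns for the rule's entity mapping. It assumes UEBA is enabled (so IdentityInfo exists and is populated), and the 1h lookback, 14d identity window and EventID 4624 filter are illustrative choices.

```kusto
// Added example (not from the original post). Goal: have every data source produce the same
// strong identifiers for the Account and Host entities, so the rule's entity mapping feeds one
// UEBA entity per user/host instead of one per source.
// Assumptions: UEBA is enabled (IdentityInfo table present); the 1h lookback, the 14d identity
// window and the EventID 4624 filter are illustrative only.
let lookback = 1h;
// Latest directory record per user, keyed by Azure AD object ID. It carries both the UPN
// (what Office 365 logs) and the on-prem SID (what Windows security events log).
let identities = IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, AccountUPN, AccountSID) by AccountObjectId
    | project AccountObjectId, AccountUPN = tolower(AccountUPN), AccountSID;
// Office 365: UserId is the UPN. Resolve it to the directory object.
let office = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where isnotempty(UserId) and UserId has "@"
    | extend AccountUPN = tolower(UserId)
    | join kind=inner identities on AccountUPN
    | project TimeGenerated, Source = "OfficeActivity", Activity = Operation,
              SourceIp = ClientIP, AadUserId = AccountObjectId, AccountUPN,
              HostName = "", HostDnsDomain = "";
// Windows logons from the agent: the user arrives as DOMAIN\name plus a SID, the host as an
// FQDN. Resolve the SID to the same directory object and split the FQDN into name + domain.
let windows = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and isnotempty(TargetUserSid)
    | extend AccountSID = TargetUserSid,
             HostParts = split(tolower(Computer), ".")
    | join kind=inner identities on AccountSID
    | project TimeGenerated, Source = "SecurityEvent", Activity = tostring(EventID),
              SourceIp = IpAddress, AadUserId = AccountObjectId, AccountUPN,
              HostName = tostring(HostParts[0]),
              HostDnsDomain = strcat_array(array_slice(HostParts, 1, -1), ".");
union office, windows
// Name + UPNSuffix is itself a strong Account identifier; emit it alongside AadUserId so the
// entity is resolvable even for rows where the object ID is missing.
| extend AccountName = tostring(split(AccountUPN, "@")[0]),
         AccountUPNSuffix = tostring(split(AccountUPN, "@")[1])
| project TimeGenerated, Source, Activity, SourceIp,
          AadUserId, AccountName, AccountUPNSuffix, HostName, HostDnsDomain
// Entity mapping to set on the analytics rule (in the rule wizard, not in KQL):
//   Account: AadUserId -> AadUserId, Name -> AccountName, UPNSuffix -> AccountUPNSuffix
//   Host:    HostName  -> HostName,  DnsDomain -> HostDnsDomain
```

The point of the inner joins is that a row only reaches the rule when it resolves to a directory identity; rows for local accounts, machine accounts (names ending in `$`) or well-known SIDs are dropped rather than mapped to a half-identified Account that UEBA would have to treat as a separate user. If those rows matter for the detection, keep them in a second query with its own mapping (Name + NTDomain for Windows) rather than mixing identifier styles in one rule.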