UEBA - Active Directory (Preview)

We have a few activity rules which rely on specific SIDs of well-known groups etc. It is unclear to me which source is needed to enable those activity rules.


There is also a preview for Active Directory, but in the Microsoft docs I do not see any information besides toggling the option to On :)


I have the following questions:

  1. What will be ingested when you enable the Active Directory (preview)?
  2. In which UEBA tables?
  3. Which activity rules rely on the Active Directory (preview) data source?


UEBA also relies on security events ingestion; we already ingest those events from our domain controllers with the Common setting.


  4. Will there be an overlap of security events which will be ingested?




From Defender we also ingest the following 3 tables into Sentinel:

  • IdentityLogonEvents;
  • IdentityQueryEvents;
  • IdentityDirectoryEvents.

Is this overkill, or is there a best practice available when you utilize all these data sources from your domain controllers?