Feb 16 2022 01:40 AM
Hello,
I have connected UEBA in my environment, but I don't understand what is gained by connecting the log sources Audit Logs, Azure Activity, Security Events and Sign-in Logs.
According to UEBA, it collects alert information from other connectors such as Microsoft Defender for Endpoint, bookmarks or activities to generate these user behaviour profiles, so I don't understand why I should connect the aforementioned data sources.
Where can you see that added value?
Regards.
Feb 26 2024 04:50 AM
Sign-in logs give you all events.
Audit Logs give you the ApplicationManagement, DirectoryManagement, GroupManagement, Device, RoleManagement, and UserManagement categories.
Azure Activity Logs give you Authorization, AzureActiveDirectory, Billing, Compute, Consumption, KeyVault, Devices, Network, Resources, Intune, Logic, Sql, Storage.
Security Events give you the following (Windows Security events):
4624: An account was successfully logged on
4625: An account failed to log on
4648: A logon was attempted using explicit credentials
4672: Special privileges assigned to new logon
4688: A new process has been created
Here is the value for you.
Sign-in logs will give you insight (user sign-ins to various services and applications) to detect unusual login times, multiple failed login attempts, or potentially malicious login behavior.
Audit Logs will provide data (user actions, system changes, and administrative operations) that illuminates user interactions, system modifications, and administrative activities. This is key to understanding what is normal and then finding deviations from that.
Activity Logs will monitor changes to Azure resources (resource creation, updates, and deletions). Malicious behavior patterns involving Azure resources can be found here.
Security Events provide context (login attempts, access control changes, and other things). Patterns of compromise are found in compromised accounts, insider threats, or other malicious behavior.
The other connectors like MDE give important data: you get the ability to correlate events, detect blind spots, create a behavioral profile of an entity, and get the context in which to evaluate suspicious actions.
Microsoft Sentinel UEBA reference | Microsoft Learn
So, in a nutshell, it's just a good idea to connect them to UEBA.
Hope this helps.
G.
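The answer above argues that the value of the extra sources is a per-user baseline ("what is normal") against which sign-in and logon events can be judged. The following is an added toy example, not code from the thread or from Microsoft Sentinel UEBA, showing that idea in plain Python: it learns each user's usual logon hours and source addresses from a constructed learning window, then scores later events for off-hours activity, new addresses, and a burst of 4625 failures followed by a 4624 success. The record shape, the sample telemetry, the point weights and the cutoff date are all assumptions chosen for illustration.

```python
"""Toy baseline-and-deviation scoring over constructed sign-in and Windows
Security Event records. It illustrates the 'learn what is normal, then flag
deviations' idea; it is NOT Microsoft Sentinel UEBA's actual algorithm."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(user, when, ip, outcome, source, event_id=None):
    """Normalised record shaped loosely like a SigninLogs or SecurityEvent row
    (hypothetical schema, not the real table columns)."""
    return {"user": user, "time": datetime.fromisoformat(when), "ip": ip,
            "outcome": outcome, "source": source, "event_id": event_id}


# Constructed sample telemetry (not real data). Feb 1-5 is the learning
# window: alice signs in from the office at 09:00 and 17:10, bob logs on to a
# server at 08:00 (Security Event 4624).
SAMPLE_EVENTS = []
for day in range(1, 6):
    SAMPLE_EVENTS += [
        _ev("alice", f"2022-02-0{day}T09:00:00", "10.0.0.5", "success", "SigninLogs"),
        _ev("alice", f"2022-02-0{day}T17:10:00", "10.0.0.5", "success", "SigninLogs"),
        _ev("bob", f"2022-02-0{day}T08:00:00", "10.0.0.9", "success", "SecurityEvent", 4624),
    ]
# Feb 7 is evaluated against the learned profiles: one normal sign-in, one
# off-hours sign-in from a new address, and five 4625 failures then a 4624.
SAMPLE_EVENTS += [
    _ev("alice", "2022-02-07T09:05:00", "10.0.0.5", "success", "SigninLogs"),
    _ev("alice", "2022-02-07T03:12:00", "203.0.113.7", "success", "SigninLogs"),
]
SAMPLE_EVENTS += [
    _ev("bob", f"2022-02-07T02:0{m}:00", "198.51.100.4", "failure", "SecurityEvent", 4625)
    for m in range(5)
]
SAMPLE_EVENTS.append(
    _ev("bob", "2022-02-07T02:05:00", "198.51.100.4", "success", "SecurityEvent", 4624))

CUTOFF = datetime(2022, 2, 6)  # events before this build the baseline


def build_profiles(events, cutoff):
    """Per-user baseline: hours and source IPs seen on successful logons."""
    profiles = defaultdict(lambda: {"hours": set(), "ips": set()})
    for e in events:
        if e["time"] >= cutoff or e["outcome"] != "success":
            continue
        profiles[e["user"]]["hours"].add(e["time"].hour)
        profiles[e["user"]]["ips"].add(e["ip"])
    return dict(profiles)


def score_events(events, profiles, cutoff, burst_threshold=5,
                 burst_window=timedelta(minutes=10)):
    """Score every successful logon at or after the cutoff; weights are arbitrary."""
    findings = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    for e in sorted(events, key=lambda x: x["time"]):
        if e["time"] < cutoff:
            continue
        user, q = e["user"], recent_failures[e["user"]]
        while q and e["time"] - q[0] > burst_window:  # expire old failures
            q.popleft()
        if e["outcome"] == "failure":
            q.append(e["time"])
            continue
        score, reasons = 0, []
        profile = profiles.get(user)
        if profile is None:
            score, reasons = 1, ["no baseline for user"]
        else:
            if e["time"].hour not in profile["hours"]:
                score += 2
                reasons.append(f"hour {e['time'].hour:02d} outside usual hours")
            if e["ip"] not in profile["ips"]:
                score += 3
                reasons.append(f"new source address {e['ip']}")
        if len(q) >= burst_threshold:
            score += 5
            reasons.append(f"{len(q)} failures in {burst_window} before success")
        q.clear()
        findings.append({"user": user, "time": e["time"], "source": e["source"],
                         "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in score_events(SAMPLE_EVENTS, build_profiles(SAMPLE_EVENTS, CUTOFF), CUTOFF):
        print(f["time"], f["user"], f["source"], f["score"], "; ".join(f["reasons"]))
```

The point of the example is the dependency it makes visible: the off-hours and new-address reasons only exist because the learning window was populated by sign-in and security events, and the failure-burst reason only exists because 4625 events were collected alongside 4624. Without those sources connected, the scorer has nothing to compare against and every event looks the same.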