Having the right information during an investigation is crucial to differentiating between false positives (FP) and true positives (TP), and to starting the ‘Scope of Breach’ process on time, since every second counts. The attack surface used by attackers is often the company’s user and service accounts, so information about those accounts – who the user behind them is, what privileges they hold, and additional context – is important for the analyst to have while investigating those entities. Furthermore, embedding entity information in your analytics rules results in ‘tailor-made’ analytics for your organization that fit your own use cases and scenarios, and that can reduce FP.
If you haven’t enabled UEBA – we encourage you to do so! It’s so simple. Part of the process of enabling UEBA is providing consent for Sentinel UEBA to synchronize with your Azure Active Directory. This allows us to create profiles for the user accounts in the organization. If you already have UEBA enabled, you will notice that a new table called ‘IdentityInfo’ is now available under the ‘Azure Sentinel UEBA’ group in Log Analytics (LA).
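As an added example (not a query from the original post), the KQL below shows the kind of ‘tailor-made’ rule the paragraph above describes: failed sign-ins are enriched from IdentityInfo so that the rule only fires for enabled accounts holding a privileged directory role. The IdentityInfo and SigninLogs column names, the role list and the thresholds are assumptions; check them against your own workspace schema before using this as an analytics rule.

```kusto
// Added example, not from the original post. Column names (AccountUPN, AssignedRoles,
// IsAccountEnabled, UserPrincipalName, ResultType, IPAddress) and thresholds are assumptions.
let privilegedRoles = dynamic([
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator"
]);
// IdentityInfo receives a new row for a user on every sync, so keep only the latest
// profile per UPN before joining; otherwise each sign-in is multiplied by the row count.
let privilegedIdentities = IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where IsAccountEnabled == true
    | mv-expand AssignedRole = AssignedRoles to typeof(string)
    | where AssignedRole in (privilegedRoles)
    | summarize Roles = make_set(AssignedRole) by AccountUPN = tolower(AccountUPN),
                AccountObjectId, AccountDisplayName, Department, JobTitle;
SigninLogs
| where TimeGenerated > ago(1h)
// ResultType is a string in SigninLogs; "0" is a successful sign-in
| where ResultType != "0"
| extend UserPrincipalName = tolower(UserPrincipalName)
// inner join: only sign-ins by a privileged, enabled account survive
| join kind=inner privilegedIdentities on $left.UserPrincipalName == $right.AccountUPN
| summarize FailedAttempts = count(),
            SourceIPs = make_set(IPAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by UserPrincipalName, AccountObjectId, AccountDisplayName, Department, JobTitle, tostring(Roles)
// threshold chosen for illustration; tune to your environment
| where FailedAttempts >= 10
| project-reorder LastSeen, UserPrincipalName, AccountDisplayName, Roles, Department, FailedAttempts, SourceIPs
```

Because the directory role, department and job title travel with the alert, the analyst has the ‘who is behind this account’ context at triage time instead of having to look it up, which is exactly where the FP/TP decision is made.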