Introducing Investigation Priority built on User and Entity Behavior Analytics

Published 03-06-2019 06:55 AM

This post is authored by Itay Argoety, Product Manager, Azure ATP


Enterprise security operations (SecOps) teams often have limited resources and staff, while security analysts face evolving, more sophisticated attack methods. Many of the newest attack techniques and vulnerabilities go undetected without the right defensive tooling.


Today, Microsoft is expanding the preview of the Unified SecOps Experience which includes the new Investigation Priority.


The new Investigation Priority uses information from Azure ATP, Microsoft Cloud App Security (MCAS), and Azure AD Identity Protection to add powerful User and Entity Behavioral Analytics (UEBA) capabilities into Microsoft Threat Protection, to better help organizations in attack detection and incident investigation.


UEBA for Azure ATP, MCAS, and Azure AD Identity Protection


Identifying the riskiest users in your organization and their potential impact has remained a labor-intensive process - until now.


Instead of trying to connect the dots between alerts in the queue and active hunting, our user and entity behavior analytics highlights which users in your organization pose the biggest potential risk.


The Investigation Priority engine pulls signals and data from Azure ATP, Microsoft Cloud App Security as well as Azure AD Identity Protection. Activities and events from these solutions are scored based on their abnormality and aggregated into users’ Investigation Priority score. This allows SecOps analysts to identify the users posing the most risk to the organization, should they be compromised.




By identifying and surfacing the top users to investigate within your organization, this unified platform removes the guesswork for security analysts by showing, in a single pane of glass, the greatest potential asset and business risks exposed by these suspicious users and their actions.


Calculating the Investigation Priority


Analytics build the standard profile and behaviors of users and entities across both time and peer-group horizons, and activity that is anomalous relative to those baselines is evaluated and scored. Once scoring is completed, we apply Microsoft patent-pending machine learning and proprietary dynamic peer calculations to offer the fastest possible Time-to-Remediate (TTR) workflow.


The Investigation Priority Score gives you the ability to detect both malicious insiders and external attackers moving laterally in your organization, without having to rely on standard deterministic detections.


[Image: Investigation Priority Score evidence]



Investigation Priority Score:

The Investigation Priority Score assesses the investigation urgency of each specific user; it is based on security alerts, abnormal activities, and the potential business and asset impact related to that user.


Every Azure AD user has a dynamic Investigation Priority Score that is constantly updated based on recent behavior and impact, built from data evaluated from Azure ATP, Microsoft Cloud App Security, and Azure AD Identity Protection. Your SecOps team can now immediately understand the real top user threats by Investigation Priority Score, and then directly verify their business impact and investigate all related activities, whether the users are compromised, exfiltrating data, or acting as insider threats.


Alerts scoring:
Understand the potential impact of a specific alert on each user. Alert scoring is based on severity, user impact, alert popularity across users, and all entities in the organization.


Activity scoring:
Determine the probability of a specific user performing a specific activity, based on behavioral learning of the user and their peers. Activities identified as the most abnormal receive the highest scores.  


User impact (blast radius):
Gauge the potential damage each specific user can cause to your business. The user impact analysis takes a holistic organizational user approach, assessing user role, group membership, privileges, hierarchy at the organization, access to sensitive resources (high value assets), and the ability to access sensitive information. This capability will be coming soon.
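The three components above (activity abnormality against the user's own baseline and the peer group's, alert severity discounted by popularity, and a user-impact multiplier) can be combined into a single ranked score in many ways. The following Python is an added illustration written for this page, not Microsoft's scoring engine or any part of the products described; the users, activity histories, alerts, severity weights, the z-score cap and the impact multipliers are all constructed assumptions chosen to show the mechanics.

```python
"""Illustrative UEBA investigation-priority model (added example, not
Microsoft's algorithm). Activities are scored by how abnormal today's count
is against the user's own history and the peer group's history, alerts by
severity discounted by how many users share them, and the sum is scaled by a
user-impact ("blast radius") multiplier before users are ranked."""
from statistics import mean, pstdev

Z_CAP = 10.0  # constructed cap so one extreme event cannot dominate the score
ALERT_SEVERITY = {"low": 1.0, "medium": 3.0, "high": 6.0}  # constructed weights

# Constructed baseline: user -> activity type -> daily counts over the last 7 days
HISTORY = {
    "alice": {"file_download": [3, 4, 2, 5, 3, 4, 3], "login_country": [1] * 7},
    "bob":   {"file_download": [2, 3, 3, 2, 4, 3, 2], "login_country": [1] * 7},
    "carol": {"file_download": [40, 35, 50, 45, 38, 42, 44],
              "login_country": [2, 1, 2, 1, 2, 2, 1]},
}
PEER_GROUP = {"alice": "finance", "bob": "finance", "carol": "it-admin"}
# Constructed "blast radius" multipliers: 1.0 = ordinary user, higher = privileged
USER_IMPACT = {"alice": 1.0, "bob": 1.0, "carol": 2.5}
# Constructed open alerts: (user, alert name, severity)
ALERTS = [
    ("alice", "impossible_travel", "medium"),
    ("bob", "impossible_travel", "medium"),
    ("carol", "suspicious_admin_activity", "high"),
]
# Constructed activity counts observed today
TODAY = {
    "alice": {"file_download": 60, "login_country": 3},
    "bob":   {"file_download": 3, "login_country": 1},
    "carol": {"file_download": 46, "login_country": 2},
}


def zscore(value, samples):
    """Standard score of value against samples. A flat baseline (zero spread)
    makes any increase maximally anomalous and any non-increase normal."""
    mu = mean(samples)
    sd = pstdev(samples)
    if sd == 0:
        return Z_CAP if value > mu else 0.0
    return (value - mu) / sd


def activity_score(user, activity, value):
    """How abnormal `value` is for this user: z-score against the user's own
    history and against the peer group's history, taking the smaller so that
    behaviour normal for the peers (e.g. a new role) is discounted.
    Only excess over the baseline counts, and the result is capped."""
    own = HISTORY.get(user, {}).get(activity, [])
    peers = [c for u, acts in HISTORY.items()
             if PEER_GROUP.get(u) == PEER_GROUP.get(user)
             for c in acts.get(activity, [])]
    # Constructed rule: a user with no baseline of their own is treated as anomalous
    z_self = zscore(value, own) if len(own) >= 2 else Z_CAP
    z_peer = zscore(value, peers) if len(peers) >= 2 else z_self
    return max(0.0, min(z_self, z_peer, Z_CAP))


def alert_score(alert_name, severity):
    """Severity discounted by popularity: an alert that fires for many users
    says less about any one of them than an alert unique to a single user."""
    users_with_alert = {u for u, name, _ in ALERTS if name == alert_name}
    return ALERT_SEVERITY[severity] / max(1, len(users_with_alert))


def investigation_priority(user):
    """Aggregate today's activity anomalies and open alerts, scaled by impact."""
    activity = sum(activity_score(user, act, n)
                   for act, n in TODAY.get(user, {}).items())
    alerts = sum(alert_score(name, sev) for u, name, sev in ALERTS if u == user)
    return USER_IMPACT.get(user, 1.0) * (activity + alerts)


def rank_users():
    """Users ordered by descending priority, as a top-users widget would list them."""
    scores = {u: investigation_priority(u) for u in HISTORY}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for user, score in rank_users():
        print(f"{user:<6} priority={score:6.2f} "
              f"impact={USER_IMPACT[user]} group={PEER_GROUP[user]}")
```

Running it ranks alice first: her 60 downloads and three login countries are far outside both her own and her finance peers' baselines, so both activities hit the cap. carol's day is unremarkable against her own history, yet her unique high-severity alert and 2.5x impact multiplier put her a close second, which is the point of the blast-radius factor. bob shares alice's alert but none of her anomalous behaviour and lands last. Taking the smaller of the self and peer z-scores is a design choice: it keeps a user whose new behaviour is ordinary for their peer group from being flagged, at the cost of missing a whole peer group that drifts together.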


Azure Sentinel & Investigation Priority:

With the newly announced Microsoft Azure Sentinel, the Investigation Priority Score will also be based on specific data types onboarded into your Azure Sentinel workspace. Custom alerts created in Azure Sentinel will be scored and will impact the Investigation Priority of users.


Used together, the solution offers a unified user investigation priority for Azure AD users across Azure Sentinel, as well as the other services in Microsoft Threat Protection.



Participate in the evolution of the Unified SecOps Experience


If you’re one of the many enterprise customers already using Azure ATP, MCAS, or Azure AD Identity Protection (or a combination of these) and want to experience this new functionality, join our expanding preview program.



Get Started Today


If you are just starting your journey, begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace:











Hi @Jason Wilson / @Itay Argoety 


How can I drill into the "Investigation Priority Score:" and review the Users from the highest priority in descending order?

This would appear to be a logical progression?

And yet when I open "Investigate" under Users it doesn't look like I can filter by this criteria...


If I open the "User" specific page there are various links to ONLY that specific User's alerts in the last 7 days?

But no link to see "ALL Users" by order of priority for investigation?

Am I looking in the wrong place or possibly missing something obvious?

Given that we want to focus on the User/Identity this would seem like a good place to start....


I hope this makes sense?

@David Caddick 

CC @Kenny Singh 


Hi David.


The top user scores are surfaced on the main dashboard to help you get an immediate idea of which users currently represent the highest risk within your organization and should be prioritized for further investigation (picture 1).


Under "Investigate" tab, click on "Activity log" to view all the activities we profile for users.

Clicking on "Advanced" for advanced filters and selecting "Investigation Priority" "is set" will filter the results to all activities with an investigation priority score. You can add additional filters (user/device/country) for further investigation (picture 2).


Since we are still in preview, there is no place to see all the users scores, only the top ones. 

But we are working to add this option to the experience. 


The users page timeline will only show alerts from the past 7 days - which impacts the Investigation Priority Score.

If the user has additional open alerts, which haven't impacted the score, you can pivot from the users page to the alert queue (picture 3).


Hope that's clarifying.

Feel free to send us feedback from the console itself, regarding the score, experience, help, etc.

We are always available :)



Picture 1: Top Users by Investigation Priority widget



Picture 2: Activity log filtered by Investigation Priority


Picture 3: User page with Investigation Priority Score



Thanks @Itay Argoety, that makes perfect sense, I’m embarrassed to admit that I just hadn’t navigated lower in the Dashboard to find that info. So, not sure it needs to be fixed at all (cause it’s clearly not broken) but maybe have it available from more than one location so it can be found in a couple of different ways? Maybe a link in the “specific” users details for “view all users by priority”?


Very much appreciating the quick response; watch out, as we have another couple of customers spinning up shortly, so more questions coming :squinting_face_with_tongue:



@David Caddick


Hi @Jason Wilson or @David Caddick ,


I'd like this to be useful in Sentinel, as your article suggests it will be (in the future?).


For Sentinel I would need 1 or 2 things:

- The ability to create an MCAS alert based on Priority Score - I can't find a way to do this.

- The ability to create a KQL query in Sentinel that matches/simulates the Priority Score - I don't know what that query would look like.




Version history: last update May 11 2021 02:00 PM