ueba

Discover the power of UEBA anomalies in Microsoft Sentinel

Our mission in Microsoft Sentinel UEBA is to detect insider and unknown threats, so we surface the suspicious activities that other platforms won’t detect. Because we look into and analyze that grey area of activity, we can provide insights on threats that might otherwise have been missed. We now offer a variety of new experiences that make anomalies much easier to use.

Azure Active Directory Identity Protection user account enrichments removed: how to mitigate impact

The AADIP connector no longer contains user account enrichment fields. In this post we offer mitigation steps you can take to self-enrich your AADIP data in your Microsoft Sentinel workspace using UEBA's IdentityInfo table.

Unleash the full potential of User and Entity Behavior Analytics with our updated workbook

We have updated the User and Entity Behavior Analytics workbook to include more. Now you can prioritize incidents based on the anomalies affecting the entities involved in the alerts. You will also gain visibility into anomalies affecting different types of entities, such as accounts, IPs and hosts.

Azure Sentinel Entity behavior analytics (UEBA) cost

I'm very excited to try out Azure Sentinel Entity behavior analytics, which just recently made it to GA (in EU west). I'm, however, unable to find out whether this will increase the cost of Sentinel. I'm assuming not, unless I end up bringing in more data, of course, since the cost is calculated by the amount of data ingested. Is anyone able to point me in the right direction, or does anyone have experience to share about the subject?

IoT Entity Page - Enhance IoT/OT Threat Monitoring in Your SOC with Sentinel and Defender for IoT

The new IoT device entity page is designed to help your SOC investigate incidents that involve IoT/OT devices in your environment by bringing the full OT/IoT context from Microsoft Defender for IoT, our agentless IoT/OT security monitoring solution, into Sentinel. This enables SOC teams to detect and respond more quickly, across all domains, along the entire attack timeline.

Level Up Your Security Skills with the New Microsoft Sentinel Ninja Training!

If you’ve explored our Microsoft Sentinel Ninja Training in the past, it’s time to revisit! Our training program has undergone some exciting changes to keep you ahead of the curve in the ever-evolving cybersecurity landscape. Microsoft Sentinel is a cutting-edge, cloud-native SIEM and SOAR solution designed to help security professionals protect their organizations from today’s complex threats. Our Ninja Training program is here to guide you through every aspect of this powerful tool.

So, what’s new? In addition to the structured security roles format, the Ninja Training now offers a more interactive experience with updated modules, hands-on labs, and real-world scenarios. Whether you're focusing on threat detection, incident response, or automation, the training ensures you gain the practical skills needed to optimize your security operations. One of the biggest updates is the integration of Sentinel into the Defender XDR portal, creating a unified security platform. This merger simplifies workflows, speeds up incident response, and minimizes tool-switching, allowing for seamless operations. Other highlights include step-by-step guidance through the official Microsoft Sentinel documentation, and exclusive webinars and up-to-date blog posts from Microsoft experts.

If you're ready to take your Sentinel skills to the next level or want to revisit the program’s new features, head over to the blog now and dive into the refreshed Microsoft Sentinel Ninja Training! Don’t miss out—your next cybersecurity breakthrough is just a click away!

Entities missing in Incidents

Hello, entities are not showing on any of the incidents in Sentinel, although I have mapped the entities correctly for each alert. I have the same alerts and entity mapping on another tenant and it shows entities there. What could be the issue?

Update: I raised a support ticket with Microsoft. The issue has been resolved by Microsoft; it was a misconfiguration on the backend.

Analytic rules, KQL queries and UEBA pricing

Hi, I am interested in whether there is any additional cost, when talking about Log Analytics Workspace (without Sentinel), for running KQL queries. Are there any "data processing" costs that occur, or is it free in that sense? On this link https://azure.microsoft.com/en-us/pricing/details/monitor/ I didn't see any mention of "data processing costs"; Microsoft only mentions the "Log data processing" feature named "Log data ingestion and transformation", but writing KQL queries is not data transformation in that sense -> https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-transformations

When talking about Sentinel, should I expect a larger bill if I enable 50-500 Analytic rules from Sentinel templates or the content hub? Do these, or custom analytic rules, incur any additional "processing" costs? On this link https://azure.microsoft.com/en-us/pricing/details/microsoft-sentinel/ Microsoft only mentions "Search jobs". I assume Analytic rules and issuing KQL queries fall into the category of search jobs.

What if someone is not using Sentinel but only Log Analytics Workspace and writing KQL queries? Since this (search jobs) is not mentioned on https://azure.microsoft.com/en-us/pricing/details/monitor/, is the documentation just not up to date, and does this same search job price apply to KQL queries in Log Analytics deployments without Sentinel?

Microsoft states UEBA doesn't cost any additional money. Is it truly no additional cost, or will some cost occur since it processes data from the Audit Logs, Azure Activity, Security Events and SignIn Logs tables, namely as described by "search jobs"?