Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel
Introducing User and Entity Behavior Analytics (Public Preview)*
*UEBA is now Generally Available.
Co-author: @joross
Reviewers: @Cristhofer Munoz, @Itay Argoety
In today’s cybersecurity landscape, bad actors have almost made a game of breaching defenses as traditional defense tools fall behind. Organizations now have such a vast and porous digital estate that obtaining a comprehensive picture of their risk and posture has become unmanageable. As organizations focus heavily on reactive controls such as analytics rules, bad actors quickly find ways to evade them. This is where UEBA comes into play: it applies risk scoring methodologies and algorithms to entity behavior to surface what is really happening.
What is UEBA in the context of Azure Sentinel?
Within Azure Sentinel we leverage UEBA to understand the behavior of entities (users, hosts, IP addresses and so on). For introductory information on UEBA capabilities in Azure Sentinel and how to enable the feature, please see the blog post referenced above. The focus of this blog is to share major customer scenarios and entry points where UEBA has been used to investigate and mitigate malicious activity.
USE CASES FOR UEBA
1. Proactive Routine Search on entities (UEBA Workbook)
This use case leverages Azure Sentinel’s UEBA workbook to proactively look for information on user activity (typically the top users and the anomalies and incidents attached to each of them). This information is used to create leads for investigation.
You can find additional information on the UEBA workbook here.
For example, the UEBA workbook surfaces the top risky users along with their incidents and anomalies. We can also narrow the security review down to specific users and determine whether the subject has indeed been compromised, or whether it is an insider threat, based on actions that deviate from the user’s profile.
Additionally, the UEBA workbook captures non-routine actions, which can be used to identify anomalous activity and potentially non-compliant practices, e.g. a user connecting via VPN when their behavior profile shows they have never done so before.
Figure 1: SecOps analyst investigating the top user using the UEBA workbook.
2. Leveraging UEBA for False Positive analysis during incident investigation
The investigation process gives the analyst a detailed overview of each captured incident. Through the incident panel one gains visibility of the entities involved in the incident, which makes it easy to narrow remediation activities down to exactly those entities.
In certain scenarios the captured incident is a false positive. A common example is the frequent impossible travel activity incident, as seen in the image below:
Figure 2: Impossible travel activity alert/incident
In this scenario we have an incident indicating that a user, meganB@secxp.ninja, has logged on to an application or portal from multiple locations within a short period of time, meaning the user could not physically have traveled between those locations in that time. By clicking “Investigate” on the Impossible travel activity incident, a security analyst can determine the scope of the potentially malicious activity, as seen below:
Figure 3: Impossible travel activity alert/incident, leveraging the Insights on investigation.
Azure Sentinel captures this as an anomaly. However, after confirming with the user directly, we learn that a VPN connection was used, which produced a location different from where the user actually was. In the figure below we use the user’s entity page and its timeline to drill down and determine whether the captured locations are part of the user’s commonly known locations.
Figure 4: UEBA Entity insights on incident for user email@example.com
After gaining these insights from the user entity page (powered by UEBA), we can close the incident and label it as a false positive. Azure Sentinel’s UEBA capabilities can provide ML-powered insights after being enabled for 1 week.
Another entry point for investigation is a UEBA hunting query; the hunting query in this example is Anomalous Geo Location Logon. It pulls critical information, such as user insights, device insights and activity insights, for the users in scope, which helps with the identified scenario.
Additionally, using a simple query we can discover that her peers usually connect from the same locations as well, making it even clearer that this is a false positive. This is shown in the following figures:
Figure 5: Geo Location Anomaly Hunting Query & hunting query capturing information on user insights, device insights & activity insights.
Figure 6: Hunting Query capturing uncommon logins based on Peers
3. Identify Password Spray and Spear Phishing Attempts
Without MFA, user credentials are preyed upon by attackers looking to compromise accounts through password spraying and spear phishing. Let’s look at an example of how you can use Azure Sentinel’s UEBA to determine whether password guessing is expected in your organization’s environment or is part of a malicious operation.
From the Azure Sentinel Overview page, we see that one of the most recent incidents was a Potential Password Spray attack. Putting our security analyst hat on, let’s investigate!
Figure 7: Potential Password Spray Incident
From the Medium severity incident, we see that across 6,800 events and 7 accounts there was unusual activity that could have been part of a potential password spray attack. By clicking Investigate we see which accounts, machines, and other data points were potentially targeted.
Figure 8: Investigation Graph
As part of this investigation, we saw that an administrator account had over 50 Windows logon failures. While this is a significantly high number of logon failures, the count alone is not always conclusive. For example, without user confirmation, would you restrict an account based on 3 sign-in failures? Yet choosing not to restrict the admin’s access could allow an attacker to go undetected. So, let’s look at the built-in Insights blade on the investigation graph for the administrator involved in the password spray attack.
Figure 9: Insights blade in the Investigation Graph
For more detail we can view the full Entity Behavior page for the administrator, which surfaces historical alerts related to the user as well as past sign-in anomalies.
Figure 10: Past user behavior observed from the user’s Entity Behavior page
As you can see in the above timeline, this is not the first time we have seen a Potential Password Spray incident for this admin. Additionally, Machine Learning-powered insights appear in the right column. These insights can quickly tell you whether the sign-in activity was anomalous or typical (as seen below).
Figure 11: Entity Insights Powered by Machine Learning
While the above example showed how you can investigate an incident and gain context with UEBA, you can also start an investigation directly from an entity page or from evidence found while hunting. As part of Azure Sentinel’s hunting experience, you can benefit from UEBA in the form of anomaly-driven queries. For example, below you can see a hunting query that monitors all of an organization’s anomalous failed logins. The results can serve as the basis for an investigation into a potential password spray attack.
Figure 12: Anomalous Failed Login (UEBA) Hunting Query
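As an added example that is not part of the original post, the following KQL query over the BehaviorAnalytics table that UEBA populates combines the two checks walked through above: the logon-failure volume from the password spray investigation, and the peer-location context used to clear the impossible travel false positive. Column names follow the documented BehaviorAnalytics schema; the ActivityType/ActionType values and the ActivityInsights keys used are assumptions to verify against your own workspace.

```kql
// Added example (not from the original post). Assumed values: ActivityType == "LogOn",
// ActionType == "FailedLogOn", and the ActivityInsights keys below. Check them with:
//   BehaviorAnalytics | summarize count() by ActivityType, ActionType
let lookback = 7d;           // UEBA needs about a week of data before insights appear
let failureThreshold = 50;   // the "over 50 logon failures" seen on the admin account above
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
| where ActivityType == "LogOn" and ActionType == "FailedLogOn"   // assumed values
| extend
    NewCountryForUser = tobool(ActivityInsights.FirstTimeUserConnectedFromCountry),
    UncommonForUser   = tobool(ActivityInsights.CountryUncommonlyConnectedFromByUser),
    UncommonForPeers  = tobool(ActivityInsights.CountryUncommonlyConnectedFromAmongPeers)
| summarize
    Failures          = count(),
    SourceIPs         = dcount(SourceIPAddress),
    Locations         = make_set(SourceIPLocation, 10),
    AnomalousForUser  = countif(NewCountryForUser or UncommonForUser),
    AnomalousForPeers = countif(UncommonForPeers),
    MaxPriority       = max(InvestigationPriority),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
  by UserPrincipalName
// Peer context from the impossible travel scenario: a location that is unusual for the
// user but common among their peers (VPN egress, shared office) is a weaker signal.
| extend Verdict = case(
    Failures >= failureThreshold and AnomalousForPeers > 0,
        "Investigate: high failure volume from a location unusual for peers too",
    Failures >= failureThreshold,
        "Investigate: high failure volume",
    AnomalousForUser > 0 and AnomalousForPeers == 0,
        "Likely benign: location is common among the user's peers",
    "Low")
| where Verdict != "Low"
| order by MaxPriority desc, Failures desc
```

Run it in Logs under your Azure Sentinel workspace; the Verdict column is a triage hint to be confirmed on the user's entity page, not a final determination.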
By leveraging Azure Sentinel’s UEBA as part of an investigation or general security monitoring you can gain greater context to potentially malicious activity occurring in your organization. Try out UEBA in Sentinel today by navigating to the Entity Analytics page.
For more information view the official documentation page and the blog on Entity Insights.