This post has been republished via RSS; it originally appeared at Microsoft Tech Community - Latest Blogs.
Microsoft Sentinel User Entity Behavior Analytics (UEBA) allows security teams to identify threats that elude classic detection methods. It does this by building baseline behavioral profiles of your organization’s entities (such as users, hosts, IP addresses, and applications) over time and across peer groups, and then flagging anomalous activity that deviates from that normal behavior. It also estimates the relative sensitivity of particular assets, identifies peer groups of assets, and evaluates the potential impact of any given compromised asset (its “blast radius”).
Our UEBA engine uses several tables in the Microsoft Sentinel workspace to hold all these valuable insights and anomalies, which you can then access by using KQL queries in the different Microsoft Sentinel experiences, such as analytics rules, hunting queries, workbooks or just plain log exploration.
Today, we are announcing the new UEBA Essentials solution, available in Content Hub, which packages 23 hunting queries that immediately unlock the insights provided by Microsoft Sentinel UEBA. Nine of those queries are brand new content that correlate UEBA data with other data sources and with some of our watchlist templates. The following table summarizes the new content:
Query name | Description | KQL query | Comments
--- | --- | --- | ---
Terminated employee accessing High Value Asset | Shows all users tagged as terminated employees in the Terminated Employees watchlist that accessed an asset listed in the High Value Assets watchlist | | Requires the HighValueAssets watchlist template to be defined
Activity from terminated employees after their termination date | Shows all users tagged as terminated employees in the Terminated Employees watchlist that had activities after their termination date | | Requires the TerminatedEmployees watchlist template to be defined
Anomalous update Key Vault activity by high blast radius user | Shows all update Key Vault activities performed by a user with a High blast radius, where the activity is performed for the first time (by the user or in the tenant) or originates from a never-before-seen country | | Requires Azure Activity logs to be onboarded and Azure Key Vault resources in use
Anomalous login activity originated from Botnet, Tor proxy or C2 | Shows login activity (successful or failed) originating from a botnet, Tor proxy or C2, with at least one 'True' activity insight | | Requires onboarding AAD Sign-in logs or Windows Security Events
Anomalies on users tagged as VIP | Shows all users tagged as VIP in the VIP users watchlist that had anomalies with a score greater than 0 | | N/A
Anomalous action performed in tenant by privileged user | Shows activities that have never been executed in the tenant, performed by a user with high privileges | | N/A
Dormant account activity from uncommon country | Shows dormant accounts (not active in the last 180 days) that connect from a country for the first time, where the country is uncommon in the tenant or the ISP is used for the first time | | N/A
Anomalous connection from highly privileged user | Shows all users from a given department who have a high impact on the organization and connected to a resource for the first time that none of their peers accessed | | Requires onboarding AAD Sign-in logs or Windows Security Events. Modify the group variable in the query to match your environment
New account added to admin group | Shows accounts created in the last 7 days that were added to an administrators group | | Modify the adminGroup variable in the query to match your environment
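As an added example (not one of the solution's packaged queries), the following KQL reconstructs the "Dormant account activity from uncommon country" logic described in the table against the UEBA BehaviorAnalytics table. The dynamic-column keys it uses (UsersInsights.IsDormantAccount, ActivityInsights.FirstTimeUserConnectedFromCountry, CountryUncommonlyConnectedFromInTenant and FirstTimeUserUsedISP) are assumed from the UEBA enrichment reference and should be checked against the schema in your workspace.

```kql
// Added example, not the UEBA Essentials solution's own query.
// Assumptions: the UsersInsights/ActivityInsights keys below match the UEBA
// enrichment reference for your workspace, and insight values are the
// strings "True"/"False" as UEBA emits them.
let lookback = 7d;
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
// UEBA flags an account as dormant after 180 days without activity
| where tostring(UsersInsights.IsDormantAccount) == "True"
// The user has never connected from this country before ...
| where tostring(ActivityInsights.FirstTimeUserConnectedFromCountry) == "True"
// ... and either the country is uncommon across the tenant
//     or this is the first time the user has come in via this ISP
| where tostring(ActivityInsights.CountryUncommonlyConnectedFromInTenant) == "True"
    or tostring(ActivityInsights.FirstTimeUserUsedISP) == "True"
| project TimeGenerated, UserPrincipalName, ActivityType, ActionType,
          SourceIPAddress, SourceIPLocation, InvestigationPriority,
          ActivityInsights
// Highest-priority anomalies first; InvestigationPriority is the UEBA anomaly score
| order by InvestigationPriority desc
```

Run it as a hunting query first and tune the lookback and the insight conditions before promoting it to a scheduled analytics rule.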
Getting started
In order to install this new solution, you will have to follow these steps:
- (Prerequisite) Create your Microsoft Sentinel workspace if you don’t have one already
- (Prerequisite) Enable UEBA and select relevant data sources (see details at Use entity behavior analytics to detect advanced threats | Microsoft Learn)
- Go to Content Hub and search for "UEBA Essentials"
- Select the "UEBA Essentials" solution and click install
- Follow the installation wizard
Call to action
Go to Content Hub and start benefiting from these queries, which show the value Microsoft Sentinel’s UEBA can provide to security teams, and feel free to leave your feedback below or in the marketplace reviews.