Microsoft Sentinel UEBA reference

This reference article lists the input data sources for the User and Entity Behavior Analytics service in Microsoft Sentinel. It also describes the enrichments that UEBA adds to entities, providing needed context to alerts and incidents.

Important

Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

UEBA data sources

These are the data sources from which the UEBA engine collects and analyzes data to train its ML models and set behavioral baselines for users, devices, and other entities. UEBA then looks at data from these sources to find anomalies and glean insights.

Data source Events
Microsoft Entra ID
Sign-in logs
All
Microsoft Entra ID
Audit logs
ApplicationManagement
DirectoryManagement
GroupManagement
Device
RoleManagement
UserManagementCategory
Azure Activity logs Authorization
AzureActiveDirectory
Billing
Compute
Consumption
KeyVault
Devices
Network
Resources
Intune
Logic
Sql
Storage
Windows Security events
WindowsEvent or
SecurityEvent
4624: An account was successfully logged on
4625: An account failed to log on
4648: A logon was attempted using explicit credentials
4672: Special privileges assigned to new logon
4688: A new process has been created

UEBA enrichments

This section describes the enrichments UEBA adds to Microsoft Sentinel entities, along with all their details, that you can use to focus and sharpen your security incident investigations. These enrichments are displayed on entity pages and can be found in the following Log Analytics tables, the contents and schema of which are listed below:

  • The BehaviorAnalytics table is where UEBA's output information is stored.

    The following three dynamic fields from the BehaviorAnalytics table are described in the entity enrichments dynamic fields section below.

    • The UsersInsights and DevicesInsights fields contain entity information from Active Directory / Microsoft Entra ID and Microsoft Threat Intelligence sources.

    • The ActivityInsights field contains entity information based on the behavioral profiles built by Microsoft Sentinel's entity behavior analytics.

      User activities are analyzed against a baseline that is dynamically compiled each time it is used. Each activity has its defined lookback period from which the dynamic baseline is derived. The lookback period is specified in the Baseline column in this table.

  • The IdentityInfo table is where identity information synchronized to UEBA from Microsoft Entra ID (and from on-premises Active Directory via Microsoft Defender for Identity) is stored.

BehaviorAnalytics table

The following table describes the behavior analytics data displayed on each entity details page in Microsoft Sentinel.

Field Type Description
TenantId string The unique ID number of the tenant.
SourceRecordId string The unique ID number of the EBA event.
TimeGenerated datetime The timestamp of the activity's occurrence.
TimeProcessed datetime The timestamp of the activity's processing by the EBA engine.
ActivityType string The high-level category of the activity.
ActionType string The normalized name of the activity.
UserName string The username of the user that initiated the activity.
UserPrincipalName string The full username of the user that initiated the activity.
EventSource string The data source that provided the original event.
SourceIPAddress string The IP address from which activity was initiated.
SourceIPLocation string The country/region from which activity was initiated, enriched from IP address.
SourceDevice string The hostname of the device that initiated the activity.
DestinationIPAddress string The IP address of the target of the activity.
DestinationIPLocation string The country/region of the target of the activity, enriched from IP address.
DestinationDevice string The name of the target device.
UsersInsights dynamic The contextual enrichments of involved users (details below).
DevicesInsights dynamic The contextual enrichments of involved devices (details below).
ActivityInsights dynamic The contextual analysis of activity based on our profiling (details below).
InvestigationPriority int The anomaly score, between 0-10 (0=benign, 10=highly anomalous).

Entity enrichments dynamic fields

Note

The Enrichment name column in the tables in this section displays two rows of information.

  • The first, in bold, is the "friendly name" of the enrichment.
  • The second (in italics and parentheses) is the field name of the enrichment as stored in the Behavior Analytics table.

UsersInsights field

The following table describes the enrichments featured in the UsersInsights dynamic field in the BehaviorAnalytics table:

Enrichment name Description Sample value
Account display name
(AccountDisplayName)
The account display name of the user. Admin, Hayden Cook
Account domain
(AccountDomain)
The account domain name of the user.
Account object ID
(AccountObjectID)
The account object ID of the user. aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
Blast radius
(BlastRadius)
The blast radius is calculated based on several factors: the position of the user in the org tree, and the user's Microsoft Entra roles and permissions. User must have Manager property populated in Microsoft Entra ID for BlastRadius to be calculated. Low, Medium, High
Is dormant account
(IsDormantAccount)
The account has not been used for the past 180 days. True, False
Is local admin
(IsLocalAdmin)
The account has local administrator privileges. True, False
Is new account
(IsNewAccount)
The account was created within the past 30 days. True, False
On premises SID
(OnPremisesSID)
The on-premises SID of the user related to the action. S-1-5-21-1112946627-1321165628-2437342228-1103

DevicesInsights field

The following table describes the enrichments featured in the DevicesInsights dynamic field in the BehaviorAnalytics table:

Enrichment name Description Sample value
Browser
(Browser)
The browser used in the action. Edge, Chrome
Device family
(DeviceFamily)
The device family used in the action. Windows
Device type
(DeviceType)
The client device type used in the action Desktop
ISP
(ISP)
The internet service provider used in the action.
Operating system
(OperatingSystem)
The operating system used in the action. Windows 10
Threat intel indicator description
(ThreatIntelIndicatorDescription)
Description of the observed threat indicator resolved from the IP address used in the action. Host is member of botnet: azorult
Threat intel indicator type
(ThreatIntelIndicatorType)
The type of the threat indicator resolved from the IP address used in the action. Botnet, C2, CryptoMining, Darknet, Ddos, MaliciousUrl, Malware, Phishing, Proxy, PUA, Watchlist
User agent
(UserAgent)
The user agent used in the action. Microsoft Azure Graph Client Library 1.0,
​Swagger-Codegen/1.4.0.0/csharp,
EvoSTS
User agent family
(UserAgentFamily)
The user agent family used in the action. Chrome, Edge, Firefox

ActivityInsights field

The following tables describe the enrichments featured in the ActivityInsights dynamic field in the BehaviorAnalytics table:

Action performed
Enrichment name Baseline (days) Description Sample value
First time user performed action
(FirstTimeUserPerformedAction)
180 The action was performed for the first time by the user. True, False
Action uncommonly performed by user
(ActionUncommonlyPerformedByUser)
10 The action is not commonly performed by the user. True, False
Action uncommonly performed among peers
(ActionUncommonlyPerformedAmongPeers)
180 The action is not commonly performed among user's peers. True, False
First time action performed in tenant
(FirstTimeActionPerformedInTenant)
180 The action was performed for the first time by anyone in the organization. True, False
Action uncommonly performed in tenant
(ActionUncommonlyPerformedInTenant)
180 The action is not commonly performed in the organization. True, False
App used
Enrichment name Baseline (days) Description Sample value
First time user used app
(FirstTimeUserUsedApp)
180 The app was used for the first time by the user. True, False
App uncommonly used by user
(AppUncommonlyUsedByUser)
10 The app is not commonly used by the user. True, False
App uncommonly used among peers
(AppUncommonlyUsedAmongPeers)
180 The app is not commonly used among user's peers. True, False
First time app observed in tenant
(FirstTimeAppObservedInTenant)
180 The app was observed for the first time in the organization. True, False
App uncommonly used in tenant
(AppUncommonlyUsedInTenant)
180 The app is not commonly used in the organization. True, False
Browser used
Enrichment name Baseline (days) Description Sample value
First time user connected via browser
(FirstTimeUserConnectedViaBrowser)
30 The browser was observed for the first time by the user. True, False
Browser uncommonly used by user
(BrowserUncommonlyUsedByUser)
10 The browser is not commonly used by the user. True, False
Browser uncommonly used among peers
(BrowserUncommonlyUsedAmongPeers)
30 The browser is not commonly used among user's peers. True, False
First time browser observed in tenant
(FirstTimeBrowserObservedInTenant)
30 The browser was observed for the first time in the organization. True, False
Browser uncommonly used in tenant
(BrowserUncommonlyUsedInTenant)
30 The browser is not commonly used in the organization. True, False
Country/region connected from
Enrichment name Baseline (days) Description Sample value
First time user connected from country
(FirstTimeUserConnectedFromCountry)
90 The geo location, as resolved from the IP address, was connected from for the first time by the user. True, False
Country uncommonly connected from by user
(CountryUncommonlyConnectedFromByUser)
10 The geo location, as resolved from the IP address, is not commonly connected from by the user. True, False
Country uncommonly connected from among peers
(CountryUncommonlyConnectedFromAmongPeers)
90 The geo location, as resolved from the IP address, is not commonly connected from among user's peers. True, False
First time connection from country observed in tenant
(FirstTimeConnectionFromCountryObservedInTenant)
90 The country/region was connected from for the first time by anyone in the organization. True, False
Country uncommonly connected from in tenant
(CountryUncommonlyConnectedFromInTenant)
90 The geo location, as resolved from the IP address, is not commonly connected from in the organization. True, False
Device used to connect
Enrichment name Baseline (days) Description Sample value
First time user connected from device
(FirstTimeUserConnectedFromDevice)
30 The source device was connected from for the first time by the user. True, False
Device uncommonly used by user
(DeviceUncommonlyUsedByUser)
10 The device is not commonly used by the user. True, False
Device uncommonly used among peers
(DeviceUncommonlyUsedAmongPeers)
180 The device is not commonly used among user's peers. True, False
First time device observed in tenant
(FirstTimeDeviceObservedInTenant)
30 The device was observed for the first time in the organization. True, False
Device uncommonly used in tenant
(DeviceUncommonlyUsedInTenant)
180 The device is not commonly used in the organization. True, False
Enrichment name Baseline (days) Description Sample value
First time user logged on to device
(FirstTimeUserLoggedOnToDevice)
180 The destination device was connected to for the first time by the user. True, False
Device family uncommonly used in tenant
(DeviceFamilyUncommonlyUsedInTenant)
30 The device family is not commonly used in the organization. True, False
Internet Service Provider used to connect
Enrichment name Baseline (days) Description Sample value
First time user connected via ISP
(FirstTimeUserConnectedViaISP)
30 The ISP was observed for the first time by the user. True, False
ISP uncommonly used by user
(ISPUncommonlyUsedByUser)
10 The ISP is not commonly used by the user. True, False
ISP uncommonly used among peers
(ISPUncommonlyUsedAmongPeers)
30 The ISP is not commonly used among user's peers. True, False
First time connection via ISP in tenant
(FirstTimeConnectionViaISPInTenant)
30 The ISP was observed for the first time in the organization. True, False
ISP uncommonly used in tenant
(ISPUncommonlyUsedInTenant)
30 The ISP is not commonly used in the organization. True, False
Resource accessed
Enrichment name Baseline (days) Description Sample value
First time user accessed resource
(FirstTimeUserAccessedResource)
180 The resource was accessed for the first time by the user. True, False
Resource uncommonly accessed by user
(ResourceUncommonlyAccessedByUser)
10 The resource is not commonly accessed by the user. True, False
Resource uncommonly accessed among peers
(ResourceUncommonlyAccessedAmongPeers)
180 The resource is not commonly accessed among user's peers. True, False
First time resource accessed in tenant
(FirstTimeResourceAccessedInTenant)
180 The resource was accessed for the first time by anyone in the organization. True, False
Resource uncommonly accessed in tenant
(ResourceUncommonlyAccessedInTenant)
180 The resource is not commonly accessed in the organization. True, False
Miscellaneous
Enrichment name Baseline (days) Description Sample value
Last time user performed action
(LastTimeUserPerformedAction)
180 Last time the user performed the same action. <Timestamp>
Similar action wasn't performed in the past
(SimilarActionWasn'tPerformedInThePast)
30 No action in the same resource provider was performed by the user. True, False
Source IP location
(SourceIPLocation)
N/A The country/region resolved from the source IP of the action. [Surrey, England]
Uncommon high volume of operations
(UncommonHighVolumeOfOperations)
7 A user performed a burst of similar operations within the same provider True, False
Unusual number of Microsoft Entra Conditional Access failures
(UnusualNumberOfAADConditionalAccessFailures)
5 An unusual number of users failed to authenticate due to conditional access True, False
Unusual number of devices added
(UnusualNumberOfDevicesAdded)
5 A user added an unusual number of devices. True, False
Unusual number of devices deleted
(UnusualNumberOfDevicesDeleted)
5 A user deleted an unusual number of devices. True, False
Unusual number of users added to group
(UnusualNumberOfUsersAddedToGroup)
5 A user added an unusual number of users to a group. True, False

IdentityInfo table

After you enable UEBA for your Microsoft Sentinel workspace, data from your Microsoft Entra ID is synchronized to the IdentityInfo table in Log Analytics for use in Microsoft Sentinel. You can embed user data synchronized from your Microsoft Entra ID in your analytics rules to enhance your analytics to fit your use cases and reduce false positives.

While the initial synchronization may take a few days, once the data is fully synchronized:

  • Changes made to your user profiles, groups, and roles in Microsoft Entra ID are updated in the IdentityInfo table within 15-30 minutes.

  • Every 14 days, Microsoft Sentinel re-synchronizes with your entire Microsoft Entra ID to ensure that stale records are fully updated.

  • Default retention time in the IdentityInfo table is 30 days.

Limitations

  • Currently, only built-in roles are supported.

  • Data about deleted groups, where a user was removed from a group, is not currently supported.

Versions of the IdentityInfo table

There are actually two versions of the IdentityInfo table:

  • The Log Analytics schema version serves Microsoft Sentinel in the Azure portal.
  • The Advanced hunting schema version serves Microsoft Sentinel in the Microsoft Defender portal via Microsoft Defender for Identity.

Both versions of this table are fed by Microsoft Entra ID, but the Log Analytics version added a few fields.

Microsoft Sentinel in the Microsoft Defender portal, uses the Advanced hunting version of this table. To minimize the differences between the two versions of the table, most of the unique fields in the Log Analytics version are gradually being added to the Advanced hunting version as well. Regardless of in which portal you're using Microsoft Sentinel, you'll have access to nearly all the same information, though there may be a small time lag in synchronization between the versions. For more information, see the documentation of the Advanced hunting version of this table.

The following table describes the user identity data included in the IdentityInfo table in Log Analytics in the Azure portal. The fourth column shows the corresponding fields in the Advanced hunting version of the table, that Microsoft Sentinel uses in the Defender portal. Field names in boldface are named differently in the Advanced hunting schema than they are in the Microsoft Sentinel Log Analytics version.

Field name in
Log Analytics schema
Type Description Field name in
Advanced hunting schema
AccountCloudSID string The Microsoft Entra security identifier of the account. CloudSid
AccountCreationTime datetime The date the user account was created (UTC). CreatedDateTime
AccountDisplayName string The display name of the user account. AccountDisplayName
AccountDomain string The domain name of the user account. AccountDomain
AccountName string The user name of the user account. AccountName
AccountObjectId string The Microsoft Entra object ID for the user account. AccountObjectId
AccountSID string The on-premises security identifier of the user account. AccountSID
AccountTenantId string The Microsoft Entra tenant ID of the user account. --
AccountUPN string The user principal name of the user account. AccountUPN
AdditionalMailAddresses dynamic The additional email addresses of the user. --
AssignedRoles dynamic The Microsoft Entra roles the user account is assigned to. AssignedRoles
BlastRadius string A calculation based on the position of the user in the org tree and the user's Microsoft Entra roles and permissions.
Possible values: Low, Medium, High
--
ChangeSource string The source of the latest change to the entity.
Possible values:
  • AzureActiveDirectory
  • ActiveDirectory
  • UEBA
  • Watchlist
  • FullSync
  • ChangeSource
    CompanyName The company name to which the user belongs. --
    City string The city of the user account. City
    Country string The country/region of the user account. Country
    DeletedDateTime datetime The date and time the user was deleted. --
    Department string The department of the user account. Department
    GivenName string The given name of the user account. GivenName
    GroupMembership dynamic Microsoft Entra groups where the user account is a member. --
    IsAccountEnabled bool An indication as to whether the user account is enabled in Microsoft Entra ID or not. IsAccountEnabled
    JobTitle string The job title of the user account. JobTitle
    MailAddress string The primary email address of the user account. EmailAddress
    Manager string The manager alias of the user account. Manager
    OnPremisesDistinguishedName string The Microsoft Entra ID distinguished name (DN). A distinguished name is a sequence of relative distinguished names (RDN), connected by commas. DistinguishedName
    Phone string The phone number of the user account. Phone
    SourceSystem string The system where the user is managed.
    Possible values:
  • AzureActiveDirectory
  • ActiveDirectory
  • Hybrid
  • SourceProvider
    State string The geographical state of the user account. State
    StreetAddress string The office street address of the user account. Address
    Surname string The surname of the user. account. Surname
    TenantId string The tenant ID of the user. --
    TimeGenerated datetime The time when the event was generated (UTC). Timestamp
    Type string The name of the table. --
    UserAccountControl dynamic Security attributes of the user account in the AD domain.
    Possible values (may contain more than one):
  • AccountDisabled
  • HomedirRequired
  • AccountLocked
  • PasswordNotRequired
  • CannotChangePassword
  • EncryptedTextPasswordAllowed
  • TemporaryDuplicateAccount
  • NormalAccount
  • InterdomainTrustAccount
  • WorkstationTrustAccount
  • ServerTrustAccount
  • PasswordNeverExpires
  • MnsLogonAccount
  • SmartcardRequired
  • TrustedForDelegation
  • DelegationNotAllowed
  • UseDesKeyOnly
  • DontRequirePreauthentication
  • PasswordExpired
  • TrustedToAuthenticationForDelegation
  • PartialSecretsAccount
  • UseAesKeys
  • --
    UserState string The current state of the user account in Microsoft Entra ID.
    Possible values:
  • Active
  • Disabled
  • Dormant
  • Lockout
  • --
    UserStateChangedOn datetime The date of the last time the account state was changed (UTC). --
    UserType string The user type. --

    Next steps

    This document described the Microsoft Sentinel entity behavior analytics table schema.