A Deeper look into Sentinel Analytic Rules and Behavior Analysis
I recently discussed the importance of Entity Behavioral Modeling in Sentinel.
However, a deeper look into this capability is necessary to understand it properly.
You see, this analytical, machine-learning-powered feature can assist Sentinel admins and the larger SOC in multiple ways.
Let’s then peel the onion from different angles.
Which angles will I be looking through? Usage in a SOC environment and, consequently, complexity:
- Workbook: Easy to consume; good for prioritizing investigations by looking at users.
- Entity Pages: Easy to consume and to get value from UEBA once you know which entity you are looking for.
- Logs: Medium complexity; starting to look under the hood — highlights the use of KQL queries against the UEBA tables and the ability to tweak those queries.
- Analytics: Advanced use case, with analytic rule tweaking.
Assuming you have enabled UEBA for your Sentinel workspace, as described in a previous document, and have ingested some data, you should be able to follow along and try this in your own tenant.
I’ll be using a demonstration environment.
All the information shared here can be found in public…