A Deeper look into Sentinel Analytic Rules and Behavior Analysis

Andre Camillo, CISSP
Published in Microsoft Azure
May 16, 2022


I recently discussed the importance of entity behavioral modeling in Sentinel.

However, a deeper look into this capability is necessary to properly understand it.

You see, this analytical, machine-learning-powered feature can assist Sentinel admins and the larger SOC in multiple ways.

Let’s then peel the onion from different angles.


What angles will I be looking through? Usage in a SOC environment and, consequently, complexity:

  • Workbook: Easy to consume, good for prioritizing investigations by user.
  • Entity Pages: Easy to consume and to get value from UEBA once you know which entity you're looking for.
  • Logs: Medium complexity, starting to look under the hood — highlights the use of KQL queries against the UEBA tables and the ability to tweak those queries.
  • Analytics: Advanced use case, involving tweaking of analytics rules.

Assuming you've enabled UEBA for your Sentinel workspace as mentioned in a previous document, and have ingested some data, you should be able to follow along in your own tenant.

I’ll be using a demonstration environment.

All the information shared here can be found in public…
