Microsoft Sentinel UEBA enrichments reference

Note

Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.

This article describes the BehaviorAnalytics table that Microsoft Sentinel's User and Entity Behavior Analytics (UEBA) writes to Logs and surfaces on the entity details pages, and lists the entity enrichment fields carried in that table. You can use those enrichments to focus and sharpen your security incident investigations.

The following three dynamic fields from the BehaviorAnalytics table are described in the tables below.

The UsersInsights and DevicesInsights fields contain entity information from Active Directory / Azure AD and Microsoft Threat Intelligence sources.

The ActivityInsights field contains entity information based on the behavioral profiles built by Microsoft Sentinel's entity behavior analytics.

User activities are analyzed against a baseline that is compiled dynamically each time it is used. Each activity insight has its own lookback period from which its baseline is derived; that period is given in the Baseline (days) column of the ActivityInsights tables below.

Note

The Enrichment name column in all the entity enrichment field tables displays two rows of information.

  • The first, in bold, is the "friendly name" of the enrichment.
  • The second (in italics and parentheses) is the field name of the enrichment as stored in the Behavior Analytics table.

Important

Noted features are currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

BehaviorAnalytics table

The following table describes the behavior analytics data displayed on each entity details page in Microsoft Sentinel.

Field Type Description
TenantId string The unique ID number of the tenant.
SourceRecordId string The unique ID number of the EBA event.
TimeGenerated datetime The timestamp of the activity's occurrence.
TimeProcessed datetime The timestamp of the activity's processing by the EBA engine.
ActivityType string The high-level category of the activity.
ActionType string The normalized name of the activity.
UserName string The username of the user that initiated the activity.
UserPrincipalName string The full username of the user that initiated the activity.
EventSource string The data source that provided the original event.
SourceIPAddress string The IP address from which activity was initiated.
SourceIPLocation string The country from which activity was initiated, enriched from IP address.
SourceDevice string The hostname of the device that initiated the activity.
DestinationIPAddress string The IP address of the target of the activity.
DestinationIPLocation string The country of the target of the activity, enriched from IP address.
DestinationDevice string The name of the target device.
UsersInsights dynamic The contextual enrichments of involved users (details below).
DevicesInsights dynamic The contextual enrichments of involved devices (details below).
ActivityInsights dynamic The contextual analysis of activity based on our profiling (details below).
InvestigationPriority int The anomaly score, an integer from 0 to 10 (0 = benign, 10 = highly anomalous).

Entity enrichments dynamic fields

UsersInsights field

The following table describes the enrichments featured in the UsersInsights dynamic field in the BehaviorAnalytics table:

Enrichment name Description Sample value
Account display name
(AccountDisplayName)
The account display name of the user. Admin, Hayden Cook
Account domain
(AccountDomain)
The account domain name of the user.
Account object ID
(AccountObjectID)
The account object ID of the user. a58df659-5cab-446c-9dd0-5a3af20ce1c2
Blast radius
(BlastRadius)
The blast radius is calculated based on several factors: the position of the user in the org tree, and the user's Azure Active Directory roles and permissions. User must have Manager property populated in Azure Active Directory for BlastRadius to be calculated. Low, Medium, High
Is dormant account
(IsDormantAccount)
The account has not been used for the past 180 days. True, False
Is local admin
(IsLocalAdmin)
The account has local administrator privileges. True, False
Is new account
(IsNewAccount)
The account was created within the past 30 days. True, False
On premises SID
(OnPremisesSID)
The on-premises SID of the user related to the action. S-1-5-21-1112946627-1321165628-2437342228-1103

DevicesInsights field

The following table describes the enrichments featured in the DevicesInsights dynamic field in the BehaviorAnalytics table:

Enrichment name Description Sample value
Browser
(Browser)
The browser used in the action. Edge, Chrome
Device family
(DeviceFamily)
The device family used in the action. Windows
Device type
(DeviceType)
The client device type used in the action. Desktop
ISP
(ISP)
The internet service provider used in the action.
Operating system
(OperatingSystem)
The operating system used in the action. Windows 10
Threat intel indicator description
(ThreatIntelIndicatorDescription)
Description of the observed threat indicator resolved from the IP address used in the action. Host is member of botnet: azorult
Threat intel indicator type
(ThreatIntelIndicatorType)
The type of the threat indicator resolved from the IP address used in the action. Botnet, C2, CryptoMining, Darknet, Ddos, MaliciousUrl, Malware, Phishing, Proxy, PUA, Watchlist
User agent
(UserAgent)
The user agent used in the action. Microsoft Azure Graph Client Library 1.0, Swagger-Codegen/1.4.0.0/csharp, EvoSTS
User agent family
(UserAgentFamily)
The user agent family used in the action. Chrome, Edge, Firefox

ActivityInsights field

The following tables describe the enrichments featured in the ActivityInsights dynamic field in the BehaviorAnalytics table:

Action performed

Enrichment name Baseline (days) Description Sample value
First time user performed action
(FirstTimeUserPerformedAction)
180 The action was performed for the first time by the user. True, False
Action uncommonly performed by user
(ActionUncommonlyPerformedByUser)
10 The action is not commonly performed by the user. True, False
Action uncommonly performed among peers
(ActionUncommonlyPerformedAmongPeers)
180 The action is not commonly performed among user's peers. True, False
First time action performed in tenant
(FirstTimeActionPerformedInTenant)
180 The action was performed for the first time by anyone in the organization. True, False
Action uncommonly performed in tenant
(ActionUncommonlyPerformedInTenant)
180 The action is not commonly performed in the organization. True, False

App used

Enrichment name Baseline (days) Description Sample value
First time user used app
(FirstTimeUserUsedApp)
180 The app was used for the first time by the user. True, False
App uncommonly used by user
(AppUncommonlyUsedByUser)
10 The app is not commonly used by the user. True, False
App uncommonly used among peers
(AppUncommonlyUsedAmongPeers)
180 The app is not commonly used among user's peers. True, False
First time app observed in tenant
(FirstTimeAppObservedInTenant)
180 The app was observed for the first time in the organization. True, False
App uncommonly used in tenant
(AppUncommonlyUsedInTenant)
180 The app is not commonly used in the organization. True, False

Browser used

Enrichment name Baseline (days) Description Sample value
First time user connected via browser
(FirstTimeUserConnectedViaBrowser)
30 The browser was observed for the first time by the user. True, False
Browser uncommonly used by user
(BrowserUncommonlyUsedByUser)
10 The browser is not commonly used by the user. True, False
Browser uncommonly used among peers
(BrowserUncommonlyUsedAmongPeers)
30 The browser is not commonly used among user's peers. True, False
First time browser observed in tenant
(FirstTimeBrowserObservedInTenant)
30 The browser was observed for the first time in the organization. True, False
Browser uncommonly used in tenant
(BrowserUncommonlyUsedInTenant)
30 The browser is not commonly used in the organization. True, False

Country connected from

Enrichment name Baseline (days) Description Sample value
First time user connected from country
(FirstTimeUserConnectedFromCountry)
90 The geo location, as resolved from the IP address, was connected from for the first time by the user. True, False
Country uncommonly connected from by user
(CountryUncommonlyConnectedFromByUser)
10 The geo location, as resolved from the IP address, is not commonly connected from by the user. True, False
Country uncommonly connected from among peers
(CountryUncommonlyConnectedFromAmongPeers)
90 The geo location, as resolved from the IP address, is not commonly connected from among user's peers. True, False
First time connection from country observed in tenant
(FirstTimeConnectionFromCountryObservedInTenant)
90 The country was connected from for the first time by anyone in the organization. True, False
Country uncommonly connected from in tenant
(CountryUncommonlyConnectedFromInTenant)
90 The geo location, as resolved from the IP address, is not commonly connected from in the organization. True, False

Device used to connect

Enrichment name Baseline (days) Description Sample value
First time user connected from device
(FirstTimeUserConnectedFromDevice)
30 The source device was connected from for the first time by the user. True, False
Device uncommonly used by user
(DeviceUncommonlyUsedByUser)
10 The device is not commonly used by the user. True, False
Device uncommonly used among peers
(DeviceUncommonlyUsedAmongPeers)
180 The device is not commonly used among user's peers. True, False
First time device observed in tenant
(FirstTimeDeviceObservedInTenant)
30 The device was observed for the first time in the organization. True, False
Device uncommonly used in tenant
(DeviceUncommonlyUsedInTenant)
180 The device is not commonly used in the organization. True, False
First time user logged on to device
(FirstTimeUserLoggedOnToDevice)
180 The destination device was connected to for the first time by the user. True, False
Device family uncommonly used in tenant
(DeviceFamilyUncommonlyUsedInTenant)
30 The device family is not commonly used in the organization. True, False

Internet Service Provider used to connect

Enrichment name Baseline (days) Description Sample value
First time user connected via ISP
(FirstTimeUserConnectedViaISP)
30 The ISP was observed for the first time by the user. True, False
ISP uncommonly used by user
(ISPUncommonlyUsedByUser)
10 The ISP is not commonly used by the user. True, False
ISP uncommonly used among peers
(ISPUncommonlyUsedAmongPeers)
30 The ISP is not commonly used among user's peers. True, False
First time connection via ISP in tenant
(FirstTimeConnectionViaISPInTenant)
30 The ISP was observed for the first time in the organization. True, False
ISP uncommonly used in tenant
(ISPUncommonlyUsedInTenant)
30 The ISP is not commonly used in the organization. True, False

Resource accessed

Enrichment name Baseline (days) Description Sample value
First time user accessed resource
(FirstTimeUserAccessedResource)
180 The resource was accessed for the first time by the user. True, False
Resource uncommonly accessed by user
(ResourceUncommonlyAccessedByUser)
10 The resource is not commonly accessed by the user. True, False
Resource uncommonly accessed among peers
(ResourceUncommonlyAccessedAmongPeers)
180 The resource is not commonly accessed among user's peers. True, False
First time resource accessed in tenant
(FirstTimeResourceAccessedInTenant)
180 The resource was accessed for the first time by anyone in the organization. True, False
Resource uncommonly accessed in tenant
(ResourceUncommonlyAccessedInTenant)
180 The resource is not commonly accessed in the organization. True, False

Miscellaneous

Enrichment name Baseline (days) Description Sample value
Last time user performed action
(LastTimeUserPerformedAction)
180 Last time the user performed the same action. <Timestamp>
Similar action wasn't performed in the past
(SimilarActionWasn'tPerformedInThePast)
30 The user performed no previous action in the same resource provider. True, False
Source IP location
(SourceIPLocation)
N/A The geo-location resolved from the source IP address of the action. [Surrey, England]
Uncommon high volume of operations
(UncommonHighVolumeOfOperations)
7 A user performed a burst of similar operations within the same provider. True, False
Unusual number of Azure AD conditional access failures
(UnusualNumberOfAADConditionalAccessFailures)
5 An unusual number of users failed to authenticate because of conditional access policies. True, False
Unusual number of devices added
(UnusualNumberOfDevicesAdded)
5 A user added an unusual number of devices. True, False
Unusual number of devices deleted
(UnusualNumberOfDevicesDeleted)
5 A user deleted an unusual number of devices. True, False
Unusual number of users added to group
(UnusualNumberOfUsersAddedToGroup)
5 A user added an unusual number of users to a group. True, False
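The following query is added here as an illustration and is not taken from the Microsoft documentation. It shows how an analyst reads these enrichments in Log Analytics: the three dynamic fields are addressed with dot notation using the field names given in parentheses above, cast with tobool() and tostring(), and then combined so that a behavioral anomaly (ActivityInsights) is only surfaced when it lands on a user or device that carries a risky enrichment (UsersInsights, DevicesInsights). The 7-day window and the InvestigationPriority threshold of 5 are assumptions to tune per tenant.

```kql
// Added example query (not from the Microsoft documentation).
// Pairs behavioral insights with user/device enrichments so that a single
// "first time" signal is not enough on its own; it has to coincide with a
// high blast radius, a dormant or new account, or a threat-intel-flagged IP.
// Window and priority threshold are assumptions; tune them for your tenant.
BehaviorAnalytics
| where TimeGenerated > ago(7d)
| where InvestigationPriority >= 5
// Dynamic property bags: use the stored field names from the tables above.
| extend FirstCountry        = tobool(ActivityInsights.FirstTimeUserConnectedFromCountry),
         UncommonCountryPeers = tobool(ActivityInsights.CountryUncommonlyConnectedFromAmongPeers),
         FirstApp            = tobool(ActivityInsights.FirstTimeUserUsedApp),
         FirstActionInTenant = tobool(ActivityInsights.FirstTimeActionPerformedInTenant),
         BlastRadius         = tostring(UsersInsights.BlastRadius),
         IsDormant           = tobool(UsersInsights.IsDormantAccount),
         IsNew               = tobool(UsersInsights.IsNewAccount),
         TIType              = tostring(DevicesInsights.ThreatIntelIndicatorType),
         TIDescription       = tostring(DevicesInsights.ThreatIntelIndicatorDescription)
// Behavioral anomaly ...
| where FirstCountry == true or UncommonCountryPeers == true
     or FirstApp == true or FirstActionInTenant == true
// ... on a risky principal or from a flagged source.
| where BlastRadius == "High" or IsDormant == true or IsNew == true or isnotempty(TIType)
| project TimeGenerated, UserPrincipalName, ActivityType, ActionType, EventSource,
          SourceIPAddress, SourceIPLocation, InvestigationPriority,
          BlastRadius, IsDormant, IsNew, TIType, TIDescription,
          FirstCountry, UncommonCountryPeers, FirstApp, FirstActionInTenant
| order by InvestigationPriority desc, TimeGenerated desc
```

An insight that is missing from the property bag casts to null, and null == true is false, so the == true tests above are safe whether or not the engine writes explicit false values; a test written as != false would also match the nulls and flood the result set. The same extend/where pattern works as the query of a scheduled analytics rule, with UserPrincipalName and SourceIPAddress mapped to the Account and IP entities.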

IdentityInfo table (Public Preview)

After you enable UEBA for your Microsoft Sentinel workspace, data from your Azure Active Directory is synchronized to the IdentityInfo table in Log Analytics for use in Microsoft Sentinel. You can use the user data synchronized from your Azure AD in your analytics rules to tailor the analytics to your use cases and reduce false positives.

While the initial synchronization may take a few days, once the data is fully synchronized:

  • Changes made to your user profiles in Azure AD are updated in the IdentityInfo table within 15 minutes.

  • Group and role information is synchronized between the IdentityInfo table and Azure AD daily.

  • Every 14 days, Microsoft Sentinel re-synchronizes with your entire Azure AD to ensure that stale records are fully updated.

  • Default retention time in the IdentityInfo table is 30 days.

Note

Currently, only built-in roles are supported.

Data about deleted groups, where a user was removed from a group, is not currently supported.

The following table describes the user identity data included in the IdentityInfo table in Log Analytics.

Field Type Description
AccountCloudSID string The Azure AD security identifier of the account.
AccountCreationTime datetime The date the user account was created (UTC).
AccountDisplayName string The display name of the user account.
AccountDomain string The domain name of the user account.
AccountName string The user name of the user account.
AccountObjectId string The Azure Active Directory object ID for the user account.
AccountSID string The on-premises security identifier of the user account.
AccountTenantId string The Azure Active Directory tenant ID of the user account.
AccountUPN string The user principal name of the user account.
AdditionalMailAddresses dynamic The additional email addresses of the user.
AssignedRoles dynamic The Azure AD roles the user account is assigned to.
City string The city of the user account.
Country string The country of the user account.
DeletedDateTime datetime The date and time the user was deleted.
Department string The department of the user account.
GivenName string The given name of the user account.
GroupMembership dynamic Azure AD Groups where the user account is a member.
IsAccountEnabled bool An indication as to whether the user account is enabled in Azure AD or not.
JobTitle string The job title of the user account.
MailAddress string The primary email address of the user account.
Manager string The manager alias of the user account.
OnPremisesDistinguishedName string The on-premises Active Directory distinguished name (DN) of the user account, as synchronized to Azure AD. A distinguished name is a sequence of relative distinguished names (RDN), connected by commas.
Phone string The phone number of the user account.
SourceSystem string The system where the user data originated.
State string The geographical state of the user account.
StreetAddress string The office street address of the user account.
Surname string The surname of the user account.
TenantId string The tenant ID of the user.
TimeGenerated datetime The time when the event was generated (UTC).
Type string The name of the table.
UserState string The current state of the user account in Azure AD (Active/Disabled/Dormant/Lockout).
UserStateChangedOn datetime The date of the last time the account state was changed (UTC).
UserType string The user type.
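The following query is an added example and is not taken from the Microsoft documentation. It shows the join a practitioner actually needs when using IdentityInfo in an analytics rule: because every synchronization writes a new row, a user can have many IdentityInfo records inside the retention window, so the table is first collapsed to the latest row per account with arg_max() before it is used to enrich UEBA events. The join key (the object ID carried in UsersInsights, which is assumed to be populated), the 14-day and 1-day windows, the priority threshold and the list of role names treated as privileged are all assumptions.

```kql
// Added example query (not from the Microsoft documentation).
// Step 1: one row per user. IdentityInfo accumulates a row per sync event, so
// joining it directly would multiply every UEBA event by the number of snapshots.
// 14d covers one full re-sync cycle; default retention is 30d, so go no further back.
let PrivilegedRoles = dynamic(["Global Administrator",
                               "Privileged Role Administrator",
                               "Security Administrator"]);   // assumption: adjust to your tenant
let LatestIdentity = IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    // AssignedRoles holds built-in roles only (see the Note above), so custom roles
    // will not match here.
    | extend IsPrivileged = AssignedRoles has_any (PrivilegedRoles)
    | project AccountObjectId, AccountUPN, AccountDisplayName, Department, JobTitle,
              Manager, AssignedRoles, GroupMembership, IsAccountEnabled, UserState, IsPrivileged;
// Step 2: enrich anomalous UEBA events with the current identity snapshot and keep
// only the ones that land on a privileged, dormant or disabled account.
BehaviorAnalytics
| where TimeGenerated > ago(1d)
| where InvestigationPriority >= 5
| extend AccountObjectId = tostring(UsersInsights.AccountObjectID)
| where isnotempty(AccountObjectId)
| join kind=inner LatestIdentity on AccountObjectId
| where IsPrivileged or UserState == "Dormant" or IsAccountEnabled == false
| project TimeGenerated, UserPrincipalName, AccountDisplayName, Department, JobTitle, Manager,
          ActionType, SourceIPAddress, SourceIPLocation, InvestigationPriority,
          AssignedRoles, UserState, IsAccountEnabled
| order by InvestigationPriority desc, TimeGenerated desc
```

If UsersInsights.AccountObjectID is not populated for a data source, join on the user principal name instead, lower-casing both sides first (KQL join keys compare case-sensitively): extend Upn = tolower(UserPrincipalName) on the left and Upn = tolower(AccountUPN) on the right. Activity on a disabled or dormant account that still shows up in BehaviorAnalytics is worth a look on its own; the IdentityInfo snapshot is what lets the rule say so without a separate directory lookup.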

Next steps

This document described the Microsoft Sentinel entity behavior analytics table schema.