IdentityInfo
Microsoft Sentinel UEBA table: stores enriched user identity data from Entra ID including job title, department, manager, and risk score; used to join with sign-in and activity logs for context-aware alerts
UEBA Table
BehaviorAnalytics: the primary Microsoft Sentinel UEBA table; stores per-user anomaly scores and anomalous activity flags based on deviation from individual and peer group baselines
Risk Score
User risk score: a 0-10 score per user generated by Sentinel UEBA; aggregates anomaly signals across time period and activity types; high-score users are prioritized for investigation
Peer group
UEBA groups users by department and job title: a finance analyst's unusual access is compared against other finance analysts' baselines, not the whole organization, reducing false positives

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Insider threat detection cannot rely on rule-based detection alone: insiders use legitimate access, known credentials, and authorized tools. A malicious insider exfiltrating data over SharePoint downloads does not trigger any traditional security rule because the activity is technically authorized.

UEBA addresses this by establishing what is normal for each specific user: this employee downloads an average of 5 files per day, accesses these SharePoint sites, logs in from this location: and alerting when behavior significantly deviates: 500 files downloaded in an hour, access to a SharePoint site never visited before, login from a new country two hours after a domestic login.

Enable Microsoft Sentinel UEBA

Prerequisites:
- Microsoft Sentinel workspace with P1 or P2 Entra ID
- Connector: Microsoft Entra ID
- Connector: Microsoft 365 (for SharePoint/OneDrive/Exchange activity)
- Connector: Microsoft Defender for Endpoint (for endpoint behavior)

Enable UEBA:
Microsoft Sentinel > Configuration > Entity Behavior
Toggle: Enable UEBA for your workspace = On
Select data sources to analyze:
  ✓ Microsoft Entra ID
  ✓ Microsoft Defender for Endpoint  
  ✓ Microsoft 365

# UEBA begins building baselines after the first 7-14 days of data collection
# Full baseline (30-day rolling window) takes 30 days to mature
# Do not create UEBA-based alert rules until baselines are established

Verify UEBA is collecting data:

// Check if BehaviorAnalytics table has data:
BehaviorAnalytics
| where TimeGenerated > ago(7d)
| summarize count() by UserName
| order by count_ desc
| take 20
// Should show users with activity records

// Check IdentityInfo enrichment:
IdentityInfo
| take 10
// Should show: AccountName, AccountUPN, Department, JobTitle, Manager, UserRiskScore

Core UEBA Detection Queries

High-risk users with anomalous activity:

// Show users with elevated risk scores and anomaly flags:
BehaviorAnalytics
| where TimeGenerated > ago(24h)
| where ActivityInsights != "{}"
// Filter to users with meaningful risk scores:
| where InvestigationPriority > 5  // 0-10 scale; >5 = elevated
| join kind=leftouter IdentityInfo on $left.UserName == $right.AccountName
| project TimeGenerated, UserName, Department, JobTitle, Manager,
    InvestigationPriority, ActivityType, ActivityInsights
| order by InvestigationPriority desc

Detect first-time or rare resource access:

// Alert when a user accesses a resource they have never accessed before
// in the previous 90 days (UEBA baseline period)
BehaviorAnalytics
| where TimeGenerated > ago(24h)
| where ActivityInsights has "FirstTimeAccessedResource"
    or ActivityInsights has "RarelyAccessedResource"
| extend Insights = parse_json(ActivityInsights)
| project TimeGenerated, UserName, ActivityType,
    SourceIPAddress, ResourceName = tostring(Insights.ResourceName),
    InvestigationPriority
| where InvestigationPriority > 3

Detect access outside normal hours:

// User accessing systems at hours not in their 30-day behavioral baseline
BehaviorAnalytics
| where TimeGenerated > ago(24h)
| where ActivityInsights has "UncommonHourOfDay"
    or ActivityInsights has "ActivityTimeOfDayAnomaly"
// Pair with sign-in location:
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(24h)
    | project UserPrincipalName, IPAddress, Location, ResultType
) on $left.UserPrincipalName == $right.UserPrincipalName
| where ResultType == "0"  // Successful logons only
| project TimeGenerated, UserName, ActivityType, Location,
    IPAddress, InvestigationPriority
| order by InvestigationPriority desc

Detect bulk data access (SharePoint/OneDrive exfiltration indicator):

// Bulk file operations in Microsoft 365
OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("FileDownloaded", "FileAccessed")
// Count operations per user per hour:
| summarize
    OperationCount = count(),
    UniqueFiles = dcount(OfficeObjectId),
    Sites = make_set(SiteUrl)
    by UserId, bin(TimeGenerated, 1h)
// Alert on high-volume downloads:
| where OperationCount > 100  // More than 100 file operations/hour
// Enrich with UEBA risk score:
| join kind=leftouter (
    BehaviorAnalytics
    | where TimeGenerated > ago(24h)
    | summarize MaxRisk = max(InvestigationPriority) by UserName
) on $left.UserId == $right.UserName
| project TimeGenerated, UserId, OperationCount, UniqueFiles, Sites, MaxRisk
| order by OperationCount desc
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Detect Compromised Accounts and Insider Exfiltration

Detect impossible travel paired with bulk data access:

// High-confidence insider/compromise: impossible travel + bulk download in same session
let ImpossibleTravel = BehaviorAnalytics
| where TimeGenerated > ago(24h)
| where ActivityInsights has "ImpossibleTravel"
| project UserName, TravelTime = TimeGenerated, SourceIPAddress;

OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull")
| summarize DownloadCount = count() by UserId, bin(TimeGenerated, 1h)
| where DownloadCount > 50
| join kind=inner ImpossibleTravel on $left.UserId == $right.UserName
// Compound signal: impossible travel + bulk download in same hour window:
| where abs(datetime_diff('minute', TimeGenerated, TravelTime)) < 60
| project TimeGenerated, UserId, DownloadCount, TravelSourceIP = SourceIPAddress

Detect DLP policy triggers by high-risk users:

// Alert on DLP events from users with elevated UEBA risk scores
let HighRiskUsers = BehaviorAnalytics
| where TimeGenerated > ago(24h)
| where InvestigationPriority > 6  // High risk threshold
| distinct UserName;

// Microsoft 365 Compliance DLP events:
OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation has "DLP"
| where UserId in (HighRiskUsers)
| project TimeGenerated, UserId, Operation, ClientIP, OfficeObjectId

Correlate resignation/termination with access anomalies:

// Users with recent HR termination notices (from IdentityInfo if HR system feeds Entra)
// or by monitoring accounts flagged as disabled/soon-to-be-disabled:
let TerminatingUsers = IdentityInfo
| where TimeGenerated > ago(30d)
// Flag users whose accounts were recently disabled:
| where AccountEnabled == false and isnotempty(AccountObjectId)
| project AccountName;

// Check for data access activity from terminating users in last 30 days:
OfficeActivity
| where TimeGenerated > ago(30d)
| where UserId in (TerminatingUsers)
| where Operation in ("FileDownloaded", "FileAccessed", "FileSyncDownloadedFull")
| summarize
    TotalDownloads = count(),
    Sites = make_set(SiteUrl)
    by UserId, bin(TimeGenerated, 1d)
| order by TotalDownloads desc

UEBA Investigation Workflow

Build an investigation watchlist from high-risk UEBA users:

// Generate a weekly investigation prioritization list:
BehaviorAnalytics
| where TimeGenerated > ago(7d)
| summarize
    MaxRiskScore = max(InvestigationPriority),
    TotalAnomalies = count(),
    AnomalyTypes = make_set(ActivityType)
    by UserName
| where MaxRiskScore > 5
| join kind=leftouter IdentityInfo on $left.UserName == $right.AccountName
| project UserName, Department, JobTitle, Manager,
    MaxRiskScore, TotalAnomalies, AnomalyTypes
| order by MaxRiskScore desc
// Review top 10-20 users each week with HR and Legal for context

UEBA entity page investigation:

For any high-risk user identified by the queries above:

1. In Sentinel: Entity > Users > Search [username]
2. Review the User Entity page:
   - Investigation Priority score timeline (rising = increasing concern)
   - Anomaly events panel (what specifically triggered alerts)
   - Related incidents (other Sentinel alerts involving this user)
   - Sign-in history (locations, IPs, MFA usage)
   - Activity history (application access, file operations)

3. Cross-reference with HR context:
   - Recent performance issues?
   - Departure notice filed?
   - Disciplinary action?
   - Access level recently reduced (triggering revenge behavior)?

4. Escalate to HR/Legal if evidence supports insider threat concern
   before taking any account action: insider threat investigations
   have legal and HR requirements beyond IT security procedures

The bottom line

Microsoft Sentinel UEBA is enabled in Configuration > Entity Behavior: select Entra ID, MDE, and Microsoft 365 as data sources. Allow 14-30 days for baselines to mature before creating alert rules. Query the BehaviorAnalytics table for InvestigationPriority > 5 and ActivityInsights containing FirstTimeAccessedResource, ImpossibleTravel, or UncommonHourOfDay: join with IdentityInfo for HR context. Pair UEBA risk signals with Microsoft 365 OfficeActivity bulk download detection (>100 FileDownloaded operations per hour) for high-confidence insider threat indicators. Escalate to HR and Legal before taking account action on suspected insiders: there are legal requirements that IT cannot bypass.

Frequently asked questions

What is UEBA and how does it detect insider threats differently than signature-based detection?

UEBA (User and Entity Behavior Analytics) establishes individual behavioral baselines for each user through machine learning: this user typically accesses these applications, at these hours, from these locations, performing this volume of operations. It then alerts when current behavior significantly deviates from that individual baseline, rather than matching against known attack signatures. An insider threat exfiltrating data via authorized SharePoint access at 2am does not match any attack signature, but does deviate from their established baseline of 9am-6pm access with typical download volumes.

How long does Microsoft Sentinel UEBA take to establish baselines?

Microsoft Sentinel UEBA uses a 30-day rolling baseline window. Initial data collection begins immediately after enabling UEBA and connecting data sources (Entra ID, MDE, M365). Useful baselines begin forming after 7-14 days, but the full 30-day baseline needed for accurate anomaly scoring takes approximately 30 days. Detection rules based on UEBA anomaly scores (InvestigationPriority) should not be activated until the baseline is mature: early alerts will have high false positive rates because the model lacks sufficient behavioral history.

What data sources does Microsoft Sentinel UEBA require for insider threat detection?

Sentinel UEBA ingests from multiple data sources to build behavioral baselines: Entra ID sign-in logs (access patterns, locations, MFA behavior), Microsoft 365 audit logs (SharePoint access, email activity, Teams), MDE device events (process execution, USB access), and Azure Activity logs (resource creation, access). The more data sources connected, the richer the behavioral model. Key connector to enable: the Entra ID Identity Protection connector (brings risk events directly into Sentinel). Without Entra ID sign-in logs, UEBA cannot profile authentication behavior, which is the most critical signal for insider threat detection.

How do I tune UEBA alerts to reduce false positives while maintaining insider threat coverage?

UEBA false positive reduction: (1) Apply entity watchlists to exclude known-high-activity accounts like service accounts, automated pipelines, and IT admins whose access patterns are legitimately anomalous. (2) Set InvestigationPriority thresholds higher (alerting on scores above 7 or 8 instead of the default 5) after validating your baseline. (3) Build multi-signal correlation: require both a UEBA anomaly AND a supporting indicator (data exfiltration volume spike, after-hours login, new device). Single-signal UEBA alerts have high false positive rates; correlated UEBA alerts are significantly more precise. (4) Review closed UEBA alerts monthly to identify recurring false positive patterns and add those entity/activity combinations to suppression watchlists.

What is the difference between UEBA and DLP for insider threat detection?

UEBA (User and Entity Behavior Analytics) and DLP (Data Loss Prevention) are complementary controls that detect different aspects of insider threats. UEBA detects behavioral anomalies: working unusual hours, accessing unusual systems, downloading unusual volumes — even through authorized channels. DLP detects policy violations: specific sensitive data (PII, credit card numbers, classified labels) moving to unauthorized destinations (USB, personal email, unapproved cloud storage). UEBA catches the 'unusual but authorized' scenario; DLP catches the 'policy violation regardless of behavior pattern' scenario. A comprehensive insider threat program needs both: UEBA for behavioral signals and DLP for data boundary enforcement.

How do you operationalize UEBA investigation findings without violating employee privacy requirements?

Operationalizing UEBA within privacy constraints requires three procedural controls. First, define a minimum investigation priority threshold in policy (typically InvestigationPriority above 7) below which individual employee data is reviewed only in aggregate, not per-person; this limits fishing-expedition use of the tool. Second, require a two-person authorization process before pulling individual user timelines: one security analyst and one HR or legal representative must co-approve each investigation to prevent unilateral surveillance. Third, document every UEBA investigation in a case management system with the triggering anomaly, the data accessed, the investigation outcome, and whether HR was notified; this creates an audit trail that demonstrates appropriate use if the program is challenged. Country-specific regulations including GDPR Article 22 and German Betriebsverfassungsgesetz impose additional works council or data protection officer notification requirements before deploying behavioral analytics on employee accounts.

Sources & references

  1. Microsoft: Enable Sentinel UEBA
  2. Microsoft: UEBA Reference
  3. MITRE ATT&CK T1078: Valid Accounts

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.