How to Detect Insider Threats with UEBA: User and Entity Behavior Analytics

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Insider threat detection cannot rely on rule-based detection alone: insiders use legitimate access, known credentials, and authorized tools. A malicious insider exfiltrating data over SharePoint downloads does not trigger any traditional security rule because the activity is technically authorized.
UEBA addresses this by establishing what is normal for each specific user: this employee downloads an average of 5 files per day, accesses these SharePoint sites, logs in from this location: and alerting when behavior significantly deviates: 500 files downloaded in an hour, access to a SharePoint site never visited before, login from a new country two hours after a domestic login.
Enable Microsoft Sentinel UEBA
Prerequisites:
- Microsoft Sentinel workspace with P1 or P2 Entra ID
- Connector: Microsoft Entra ID
- Connector: Microsoft 365 (for SharePoint/OneDrive/Exchange activity)
- Connector: Microsoft Defender for Endpoint (for endpoint behavior)
Enable UEBA:
Microsoft Sentinel > Configuration > Entity Behavior
Toggle: Enable UEBA for your workspace = On
Select data sources to analyze:
✓ Microsoft Entra ID
✓ Microsoft Defender for Endpoint
✓ Microsoft 365
# UEBA begins building baselines after the first 7-14 days of data collection
# Full baseline (30-day rolling window) takes 30 days to mature
# Do not create UEBA-based alert rules until baselines are established
Verify UEBA is collecting data:
// Check if BehaviorAnalytics table has data:
BehaviorAnalytics
| where TimeGenerated > ago(7d)
| summarize count() by UserName
| order by count_ desc
| take 20
// Should show users with activity records
// Check IdentityInfo enrichment:
IdentityInfo
| take 10
// Should show: AccountName, AccountUPN, Department, JobTitle, Manager, UserRiskScore
Core UEBA Detection Queries
High-risk users with anomalous activity:
// Show users with elevated risk scores and anomaly flags:
BehaviorAnalytics
| where TimeGenerated > ago(24h)
| where ActivityInsights != "{}"
// Filter to users with meaningful risk scores:
| where InvestigationPriority > 5 // 0-10 scale; >5 = elevated
| join kind=leftouter IdentityInfo on $left.UserName == $right.AccountName
| project TimeGenerated, UserName, Department, JobTitle, Manager,
InvestigationPriority, ActivityType, ActivityInsights
| order by InvestigationPriority desc
Detect first-time or rare resource access:
// Alert when a user accesses a resource they have never accessed before
// in the previous 90 days (UEBA baseline period)
BehaviorAnalytics
| where TimeGenerated > ago(24h)
| where ActivityInsights has "FirstTimeAccessedResource"
or ActivityInsights has "RarelyAccessedResource"
| extend Insights = parse_json(ActivityInsights)
| project TimeGenerated, UserName, ActivityType,
SourceIPAddress, ResourceName = tostring(Insights.ResourceName),
InvestigationPriority
| where InvestigationPriority > 3
Detect access outside normal hours:
// User accessing systems at hours not in their 30-day behavioral baseline
BehaviorAnalytics
| where TimeGenerated > ago(24h)
| where ActivityInsights has "UncommonHourOfDay"
or ActivityInsights has "ActivityTimeOfDayAnomaly"
// Pair with sign-in location:
| join kind=leftouter (
SigninLogs
| where TimeGenerated > ago(24h)
| project UserPrincipalName, IPAddress, Location, ResultType
) on $left.UserPrincipalName == $right.UserPrincipalName
| where ResultType == "0" // Successful logons only
| project TimeGenerated, UserName, ActivityType, Location,
IPAddress, InvestigationPriority
| order by InvestigationPriority desc
Detect bulk data access (SharePoint/OneDrive exfiltration indicator):
// Bulk file operations in Microsoft 365
OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("FileDownloaded", "FileAccessed")
// Count operations per user per hour:
| summarize
OperationCount = count(),
UniqueFiles = dcount(OfficeObjectId),
Sites = make_set(SiteUrl)
by UserId, bin(TimeGenerated, 1h)
// Alert on high-volume downloads:
| where OperationCount > 100 // More than 100 file operations/hour
// Enrich with UEBA risk score:
| join kind=leftouter (
BehaviorAnalytics
| where TimeGenerated > ago(24h)
| summarize MaxRisk = max(InvestigationPriority) by UserName
) on $left.UserId == $right.UserName
| project TimeGenerated, UserId, OperationCount, UniqueFiles, Sites, MaxRisk
| order by OperationCount desc
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Detect Compromised Accounts and Insider Exfiltration
Detect impossible travel paired with bulk data access:
// High-confidence insider/compromise: impossible travel + bulk download in same session
let ImpossibleTravel = BehaviorAnalytics
| where TimeGenerated > ago(24h)
| where ActivityInsights has "ImpossibleTravel"
| project UserName, TravelTime = TimeGenerated, SourceIPAddress;
OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull")
| summarize DownloadCount = count() by UserId, bin(TimeGenerated, 1h)
| where DownloadCount > 50
| join kind=inner ImpossibleTravel on $left.UserId == $right.UserName
// Compound signal: impossible travel + bulk download in same hour window:
| where abs(datetime_diff('minute', TimeGenerated, TravelTime)) < 60
| project TimeGenerated, UserId, DownloadCount, TravelSourceIP = SourceIPAddress
Detect DLP policy triggers by high-risk users:
// Alert on DLP events from users with elevated UEBA risk scores
let HighRiskUsers = BehaviorAnalytics
| where TimeGenerated > ago(24h)
| where InvestigationPriority > 6 // High risk threshold
| distinct UserName;
// Microsoft 365 Compliance DLP events:
OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation has "DLP"
| where UserId in (HighRiskUsers)
| project TimeGenerated, UserId, Operation, ClientIP, OfficeObjectId
Correlate resignation/termination with access anomalies:
// Users with recent HR termination notices (from IdentityInfo if HR system feeds Entra)
// or by monitoring accounts flagged as disabled/soon-to-be-disabled:
let TerminatingUsers = IdentityInfo
| where TimeGenerated > ago(30d)
// Flag users whose accounts were recently disabled:
| where AccountEnabled == false and isnotempty(AccountObjectId)
| project AccountName;
// Check for data access activity from terminating users in last 30 days:
OfficeActivity
| where TimeGenerated > ago(30d)
| where UserId in (TerminatingUsers)
| where Operation in ("FileDownloaded", "FileAccessed", "FileSyncDownloadedFull")
| summarize
TotalDownloads = count(),
Sites = make_set(SiteUrl)
by UserId, bin(TimeGenerated, 1d)
| order by TotalDownloads desc
UEBA Investigation Workflow
Build an investigation watchlist from high-risk UEBA users:
// Generate a weekly investigation prioritization list:
BehaviorAnalytics
| where TimeGenerated > ago(7d)
| summarize
MaxRiskScore = max(InvestigationPriority),
TotalAnomalies = count(),
AnomalyTypes = make_set(ActivityType)
by UserName
| where MaxRiskScore > 5
| join kind=leftouter IdentityInfo on $left.UserName == $right.AccountName
| project UserName, Department, JobTitle, Manager,
MaxRiskScore, TotalAnomalies, AnomalyTypes
| order by MaxRiskScore desc
// Review top 10-20 users each week with HR and Legal for context
UEBA entity page investigation:
For any high-risk user identified by the queries above:
1. In Sentinel: Entity > Users > Search [username]
2. Review the User Entity page:
- Investigation Priority score timeline (rising = increasing concern)
- Anomaly events panel (what specifically triggered alerts)
- Related incidents (other Sentinel alerts involving this user)
- Sign-in history (locations, IPs, MFA usage)
- Activity history (application access, file operations)
3. Cross-reference with HR context:
- Recent performance issues?
- Departure notice filed?
- Disciplinary action?
- Access level recently reduced (triggering revenge behavior)?
4. Escalate to HR/Legal if evidence supports insider threat concern
before taking any account action: insider threat investigations
have legal and HR requirements beyond IT security procedures
The bottom line
Microsoft Sentinel UEBA is enabled in Configuration > Entity Behavior: select Entra ID, MDE, and Microsoft 365 as data sources. Allow 14-30 days for baselines to mature before creating alert rules. Query the BehaviorAnalytics table for InvestigationPriority > 5 and ActivityInsights containing FirstTimeAccessedResource, ImpossibleTravel, or UncommonHourOfDay: join with IdentityInfo for HR context. Pair UEBA risk signals with Microsoft 365 OfficeActivity bulk download detection (>100 FileDownloaded operations per hour) for high-confidence insider threat indicators. Escalate to HR and Legal before taking account action on suspected insiders: there are legal requirements that IT cannot bypass.
Frequently asked questions
What is UEBA and how does it detect insider threats differently than signature-based detection?
UEBA (User and Entity Behavior Analytics) establishes individual behavioral baselines for each user through machine learning: this user typically accesses these applications, at these hours, from these locations, performing this volume of operations. It then alerts when current behavior significantly deviates from that individual baseline, rather than matching against known attack signatures. An insider threat exfiltrating data via authorized SharePoint access at 2am does not match any attack signature, but does deviate from their established baseline of 9am-6pm access with typical download volumes.
How long does Microsoft Sentinel UEBA take to establish baselines?
Microsoft Sentinel UEBA uses a 30-day rolling baseline window. Initial data collection begins immediately after enabling UEBA and connecting data sources (Entra ID, MDE, M365). Useful baselines begin forming after 7-14 days, but the full 30-day baseline needed for accurate anomaly scoring takes approximately 30 days. Detection rules based on UEBA anomaly scores (InvestigationPriority) should not be activated until the baseline is mature: early alerts will have high false positive rates because the model lacks sufficient behavioral history.
What data sources does Microsoft Sentinel UEBA require for insider threat detection?
Sentinel UEBA ingests from multiple data sources to build behavioral baselines: Entra ID sign-in logs (access patterns, locations, MFA behavior), Microsoft 365 audit logs (SharePoint access, email activity, Teams), MDE device events (process execution, USB access), and Azure Activity logs (resource creation, access). The more data sources connected, the richer the behavioral model. Key connector to enable: the Entra ID Identity Protection connector (brings risk events directly into Sentinel). Without Entra ID sign-in logs, UEBA cannot profile authentication behavior, which is the most critical signal for insider threat detection.
How do I tune UEBA alerts to reduce false positives while maintaining insider threat coverage?
UEBA false positive reduction: (1) Apply entity watchlists to exclude known-high-activity accounts like service accounts, automated pipelines, and IT admins whose access patterns are legitimately anomalous. (2) Set InvestigationPriority thresholds higher (alerting on scores above 7 or 8 instead of the default 5) after validating your baseline. (3) Build multi-signal correlation: require both a UEBA anomaly AND a supporting indicator (data exfiltration volume spike, after-hours login, new device). Single-signal UEBA alerts have high false positive rates; correlated UEBA alerts are significantly more precise. (4) Review closed UEBA alerts monthly to identify recurring false positive patterns and add those entity/activity combinations to suppression watchlists.
What is the difference between UEBA and DLP for insider threat detection?
UEBA (User and Entity Behavior Analytics) and DLP (Data Loss Prevention) are complementary controls that detect different aspects of insider threats. UEBA detects behavioral anomalies: working unusual hours, accessing unusual systems, downloading unusual volumes — even through authorized channels. DLP detects policy violations: specific sensitive data (PII, credit card numbers, classified labels) moving to unauthorized destinations (USB, personal email, unapproved cloud storage). UEBA catches the 'unusual but authorized' scenario; DLP catches the 'policy violation regardless of behavior pattern' scenario. A comprehensive insider threat program needs both: UEBA for behavioral signals and DLP for data boundary enforcement.
How do you operationalize UEBA investigation findings without violating employee privacy requirements?
Operationalizing UEBA within privacy constraints requires three procedural controls. First, define a minimum investigation priority threshold in policy (typically InvestigationPriority above 7) below which individual employee data is reviewed only in aggregate, not per-person; this limits fishing-expedition use of the tool. Second, require a two-person authorization process before pulling individual user timelines: one security analyst and one HR or legal representative must co-approve each investigation to prevent unilateral surveillance. Third, document every UEBA investigation in a case management system with the triggering anomaly, the data accessed, the investigation outcome, and whether HR was notified; this creates an audit trail that demonstrates appropriate use if the program is challenged. Country-specific regulations including GDPR Article 22 and German Betriebsverfassungsgesetz impose additional works council or data protection officer notification requirements before deploying behavioral analytics on employee accounts.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
