New data sources for enhanced User and Entity Behavior Analytics (UEBA) (Preview)
September 2025
Microsoft Sentinel's UEBA empowers SOC teams with AI-powered anomaly detection based on behavioral signals in your tenant. It helps prioritize threats using dynamic baselines, peer comparisons, and enriched entity profiles.
UEBA now supports anomaly detection using six new data sources:
Microsoft authentication sources:
These sources provide deeper visibility into identity behavior across your Microsoft environment.
- Microsoft Defender XDR device logon events: Capture logon activity from endpoints, helping identify lateral movement, unusual access patterns, or compromised devices.
- Microsoft Entra ID managed identity signin logs: Track sign-ins by managed identities used in automation, such as scripts and services. This is crucial for spotting silent misuse of service identities.
- Microsoft Entra ID service principal signin logs: Monitor sign-ins by service principals - often used by apps or scripts - to detect anomalies, such as unexpected access or privilege escalation.
Third-party cloud and identity management platforms:
UEBA now integrates with leading cloud and identity management platforms to enhance detection of identity compromise, privilege misuse, and risky access behaviors across multicloud environments.
- AWS CloudTrail login events: Flag risky login attempts in Amazon Web Services (AWS), such as failed multifactor authentication (MFA) or use of the root account—critical indicators of potential account compromise.
- GCP audit logs - Failed IAM access events: Capture denied access attempts in Google Cloud Platform, helping identify privilege escalation attempts or misconfigured roles.
- Okta MFA and authentication security change events: Surface MFA challenges and changes to authentication policies in Okta—signals that might indicate targeted attacks or identity tampering.
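The AWS CloudTrail item above names two of the signals UEBA looks for in login events (root account use and failed MFA) and the introduction describes scoring against a dynamic baseline. The following added example, which is not Sentinel or UEBA code, shows the shape of such detection logic in plain Python: it walks constructed ConsoleLogin records laid out like CloudTrail's fields, applies those two rules plus a per-principal "first time seen from this address" baseline, and emits prioritized alerts. The weights and the alert threshold are arbitrary assumptions, not values used by the product.

```python
"""Added illustration of rule-plus-baseline scoring over AWS CloudTrail
ConsoleLogin events. Not Microsoft Sentinel or UEBA code: the records below
are constructed to mirror CloudTrail's ConsoleLogin fields, and the weights
and threshold are assumptions chosen for the example."""
from collections import defaultdict

# Constructed sample records (not real telemetry) in CloudTrail's layout.
SAMPLE_EVENTS = [
    {"eventTime": "2025-09-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-09-02T08:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Failed login without MFA from an address alice has never used.
    {"eventTime": "2025-09-03T02:17:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    # Root account signs in from the same address a few minutes later.
    {"eventTime": "2025-09-03T02:20:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Non-login API call; the detector ignores it.
    {"eventTime": "2025-09-03T09:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
]

# Assumed weights: a learned engine would derive these; here they are fixed.
WEIGHTS = {"root_login": 5, "mfa_not_used": 2, "login_failure": 1, "new_source_ip": 3}
ALERT_THRESHOLD = 3  # assumed; anything scoring at or above this is reported


def principal(event):
    """Name the acting identity; the root account has no userName field."""
    ident = event.get("userIdentity", {})
    return "root" if ident.get("type") == "Root" else ident.get("userName", "unknown")


def score_login_events(events):
    """Return (alerts, baseline). Events are processed in time order, so the
    set of source addresses already seen per principal is a dynamic baseline:
    an address is 'new' only relative to that principal's own history."""
    seen_ips = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventName") != "ConsoleLogin":
            continue
        who = principal(ev)
        ip = ev.get("sourceIPAddress")
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        reasons = []
        if ev.get("userIdentity", {}).get("type") == "Root":
            reasons.append("root_login")
        if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            reasons.append("mfa_not_used")
        if outcome == "Failure":
            reasons.append("login_failure")
        # A principal's very first login only seeds the baseline, so the
        # address rule fires from the second login onward.
        if ip and who in seen_ips and ip not in seen_ips[who]:
            reasons.append("new_source_ip")
        # Only successful logins extend the baseline: a failed attempt from a
        # new address must not teach the model that the address is normal.
        if outcome == "Success" and ip:
            seen_ips[who].add(ip)
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= ALERT_THRESHOLD:
            alerts.append({"time": ev["eventTime"], "principal": who,
                           "sourceIPAddress": ip, "score": score,
                           "reasons": reasons})
    return alerts, {k: sorted(v) for k, v in seen_ips.items()}


if __name__ == "__main__":
    found, baseline = score_login_events(SAMPLE_EVENTS)
    for a in sorted(found, key=lambda a: a["score"], reverse=True):
        print(f"{a['time']} {a['principal']:<6} score={a['score']} {a['reasons']}")
    print("baseline:", baseline)
```

Two design points carry over to any real baseline: failures never update the "known addresses" set, and a principal's first observation seeds the baseline rather than raising an alert, which is why the genuine anomalies (alice's off-hours failure from an unfamiliar address, then the root login from the same address) score highest while the routine logins score zero.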
These new sources strengthen UEBA's ability to detect threats across Microsoft and hybrid environments by adding enriched user, device, and service identity data, richer behavioral context, and new cross-platform anomaly detection capabilities.
To enable the new data sources, you must be onboarded to the Defender portal.