Update

New Entity Behavior Analytics (UEBA) experiences in the Defender portal (Preview)

November 2025

Microsoft Sentinel introduces new UEBA experiences in the Defender portal, bringing behavioral insights directly into key analyst workflows. These enhancements help analysts prioritize investigations and apply UEBA context more effectively.

Anomaly-focused user investigations
In the Defender portal, users with behavioral anomalies are automatically tagged with UEBA Anomalies, helping analysts quickly identify which users to prioritize.

Analysts can view the top three anomalies from the past 30 days in a dedicated Top UEBA anomalies section, available in:

  • User side panels accessible from various portal locations.
  • The Overview tab of user entity pages.

This section also includes direct links to anomaly queries and the Sentinel events timeline, enabling deeper investigation and faster context gathering.

Drilldown to user anomalies from incident graphs
Analysts can quickly access all anomalies related to a user by selecting Go Hunt > All user anomalies from the incident graph. This built-in query provides immediate UEBA context to support deeper investigation.

Enriched advanced hunting and custom detections queries with behavior insights
Advanced hunting and custom detection experiences now include a contextual banner that prompts analysts to join the UEBA Anomalies table to queries that include UEBA data sources.

All features require UEBA to be enabled and are workspace-scoped to the currently selected workspace.

For more information, see How UEBA empowers analysts and streamlines workflows.

Agentless data connector for Sentinel Solution for SAP now generally available. Learn more from our Tech Community blog.

Deprecation: Containerized SAP data connector will be out of support by September 30th 2026. Migrate to our Agentless SAP data connector today.

Call to action: update queries and automation by July 1, 2026 - standardized account entity naming in incidents and alerts
Microsoft Sentinel is updating how it identifies account entities in incidents and alerts. This change introduces a standardized naming logic to improve consistency and reliability across your analytics and automation workflows.

Sentinel will now select the most reliable account identifier using the following priority:

  1. UPN prefix – the part before “@” in a User Principal Name
    Example: john.doe@contoso.com → john.doe
  2. Name – used if UPN prefix is unavailable
  3. Display Name – fallback if both above are missing
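
The priority order above, modeled as an added example (not Microsoft's code) for auditing the literal values that existing queries or playbooks compare account names against. The dictionary keys `upn`, `name` and `display_name`, the sample entities, and the treatment of a UPN with no "@" or an empty prefix as "unavailable" are assumptions of this sketch.

```python
# Added illustration of the account-identifier priority described above.
# Keys "upn", "name", "display_name" are assumed names for this sketch,
# not Sentinel's entity schema. All sample data below is constructed.

def standardized_account_name(entity):
    """Pick the identifier by priority: UPN prefix, then Name, then Display Name."""
    upn = (entity.get("upn") or "").strip()
    # UPN prefix = the part before "@". Assumption: a UPN without "@" or with
    # an empty prefix counts as unavailable and falls through to Name.
    prefix = upn.partition("@")[0].strip() if "@" in upn else ""
    if prefix:
        return prefix
    for key in ("name", "display_name"):
        value = (entity.get(key) or "").strip()
        if value:
            return value
    return None  # no usable identifier on the entity


def stale_literals(entity, literals):
    """Return the literals that would NOT equal the standardized name.

    `literals` are values an existing query or automation rule compares the
    account name against (for example a full UPN or a display name).
    """
    chosen = standardized_account_name(entity)
    return [value for value in literals if value != chosen]


# Constructed sample entities covering each branch of the priority list.
SAMPLE_ENTITIES = [
    {"upn": "john.doe@contoso.com", "name": "jdoe", "display_name": "John Doe"},
    {"upn": None, "name": "svc-backup", "display_name": "Backup Service"},
    {"upn": "", "name": "", "display_name": "Guest User"},
    {"upn": "@contoso.com", "name": "orphan", "display_name": ""},
    {},
]

if __name__ == "__main__":
    for e in SAMPLE_ENTITIES:
        print(e, "->", standardized_account_name(e))
    # Values a playbook condition might currently match on (constructed).
    print(stale_literals(SAMPLE_ENTITIES[0],
                         ["john.doe@contoso.com", "John Doe", "john.doe"]))
```

Any literal the audit returns marks a comparison to review before July 1, 2026.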