January 2026

New Entity Behavior Analytics (UEBA) widget in the Defender portal home page (Preview)
The Defender portal home page now includes a UEBA widget that gives analysts immediate visibility into anomalous user behavior, accelerating threat detection workflows. For more information, see How UEBA empowers analysts and streamlines workflows.

Updated date: Microsoft Sentinel in the Azure portal to be retired March 2027
Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license. This means that you can use Microsoft Sentinel in the Defender portal even if you aren't using other Microsoft Defender services.

After March 31, 2027, Microsoft Sentinel will no longer be supported in the Azure portal and will be available only in the Microsoft Defender portal.

If you're currently using Microsoft Sentinel in the Azure portal, we recommend that you start planning your transition to the Defender portal now to ensure a smooth transition and take full advantage of the unified security operations experience offered by Microsoft Defender.

UEBA behaviors layer aggregates actionable insights from raw logs in near-real time (Preview)
Microsoft Sentinel introduces a UEBA behaviors layer that transforms high-volume, low-level security logs into clear, human-readable behavioral insights in the Defender portal. This AI-powered capability aggregates and sequences raw events from supported data sources into normalized behaviors that explain "who did what to whom" with MITRE ATT&CK context.

How behaviors bridge the gap between alerts and raw logs
Incoming raw logs are noisy, uncorrelated, and difficult to interpret, while alerts call analysts to act on potential issues. UEBA behaviors sit between the two: they summarize behavior patterns - normal or abnormal - ingested from supported data sources. This creates an abstraction layer that optimizes data for investigations, hunting, and detection. For example, instead of analyzing individual AWS CloudTrail events or firewall logs, analysts see a behavior - like "Inbound remote management session from external address" - that summarizes multiple raw events and maps them to known tactics, techniques, and procedures (TTPs).

UEBA behaviors:

  • Accelerate investigations: Enable faster incident response by aggregating and sequencing behaviors, allowing analysts to focus on meaningful actions rather than sifting through thousands of events.
  • Transform noisy telemetry into actionable insights: Convert fragmented, high-volume logs into clear, human-readable behavioral observations, making it easier to understand security events.
  • Empower all SOC personas: Enhance workflows for SOC analysts, threat hunters, and detection engineers by providing unified, contextual views and building blocks for detection rules and automation.
  • Ensure explainability: Map to MITRE ATT&CK tactics, entity roles, and raw logs for traceability and clarity.

UEBA behaviors can be enabled independently from UEBA anomaly detection.

Supported data sources during public preview: AWS CloudTrail, CommonSecurityLog (CyberArk Vault, Palo Alto Threats), and GCPAuditLogs.
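The following is an added illustration of the aggregation idea described above, not Microsoft Sentinel's own code. It folds a handful of constructed firewall-style events into one "who did what to whom" behavior record: events from an external source address to a remote-management port are sequenced within a short time window, counted, and linked back to the raw events they came from for traceability. The event fields, the 5-minute window, the internal network list, the behavior name and the ATT&CK mapping (Initial Access / T1133 External Remote Services) are all assumptions made for the example.

```python
"""Toy UEBA-style behaviors layer (added example; not Sentinel's implementation).

Raw events -> grouped by (source, destination, port) -> one Behavior per session
window, carrying actor/action/target, an assumed ATT&CK mapping and the indices
of the raw events that produced it.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events (simplified CommonSecurityLog-like fields).
RAW_EVENTS = [
    {"ts": "2026-01-12T08:00:01", "src": "203.0.113.7",  "dst": "10.1.0.5", "dport": 3389, "action": "allow"},
    {"ts": "2026-01-12T08:00:03", "src": "203.0.113.7",  "dst": "10.1.0.5", "dport": 3389, "action": "allow"},
    {"ts": "2026-01-12T08:00:09", "src": "203.0.113.7",  "dst": "10.1.0.5", "dport": 3389, "action": "allow"},
    {"ts": "2026-01-12T08:00:10", "src": "10.1.0.9",     "dst": "10.1.0.5", "dport": 22,   "action": "allow"},  # internal source
    {"ts": "2026-01-12T08:10:00", "src": "203.0.113.7",  "dst": "10.1.0.5", "dport": 443,  "action": "allow"},  # not a mgmt port
    {"ts": "2026-01-12T08:20:00", "src": "198.51.100.4", "dst": "10.1.0.7", "dport": 22,   "action": "deny"},   # blocked
    {"ts": "2026-01-12T08:30:00", "src": "203.0.113.7",  "dst": "10.1.0.5", "dport": 3389, "action": "allow"},  # new window
]

# Assumed: which ports count as remote management, and what "internal" means.
REMOTE_MGMT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=5)  # assumed session-gap threshold


@dataclass
class Behavior:
    name: str
    actor: str          # who
    action: str         # did what
    target: str         # to whom
    tactic: str         # assumed ATT&CK tactic
    technique: str      # assumed ATT&CK technique
    first_seen: datetime
    last_seen: datetime
    event_count: int = 0
    evidence: list = field(default_factory=list)  # indices into RAW_EVENTS


def is_external(ip: str) -> bool:
    """True when the address is outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_behaviors(events):
    """Aggregate allowed external-to-management-port events into session behaviors."""
    open_sessions = {}  # (src, dst, port) -> Behavior currently being extended
    behaviors = []
    for idx, ev in sorted(enumerate(events), key=lambda p: p[1]["ts"]):
        port = ev["dport"]
        if port not in REMOTE_MGMT_PORTS or ev["action"] != "allow" or not is_external(ev["src"]):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["src"], ev["dst"], port)
        current = open_sessions.get(key)
        if current is None or ts - current.last_seen > WINDOW:
            # Start a new behavior when there is no session or the gap exceeds the window.
            current = Behavior(
                name="Inbound remote management session from external address",
                actor=ev["src"],
                action=f"opened {REMOTE_MGMT_PORTS[port]} session",
                target=ev["dst"],
                tactic="Initial Access",
                technique="T1133 External Remote Services",
                first_seen=ts,
                last_seen=ts,
            )
            open_sessions[key] = current
            behaviors.append(current)
        current.last_seen = ts
        current.event_count += 1
        current.evidence.append(idx)
    return behaviors


def describe(b: Behavior) -> str:
    """Human-readable one-liner, the way an analyst would read the behavior."""
    return (f"{b.actor} {b.action} to {b.target} "
            f"({b.event_count} raw events, {b.tactic} / {b.technique})")


if __name__ == "__main__":
    for b in build_behaviors(RAW_EVENTS):
        print(describe(b), "evidence:", b.evidence)
```

Seven raw lines collapse into two behaviors: three RDP packets at 08:00 become one session, the 08:30 connection from the same address starts a second one because it falls outside the window, and the internal, non-management and denied events are never promoted. The `evidence` list is what keeps the behavior explainable: each summary points back at the exact raw records behind it.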

Enable UEBA directly from data connector configuration (Preview)
You can now enable UEBA for supported data sources directly from the data connector configuration page, reducing management time and preventing coverage gaps. When you enable new connectors, you can onboard the data source to UEBA without navigating to a separate configuration page.

This integration allows you to see which data sources feed into UEBA and enable that feed directly from the connector configuration.

New detections for Sentinel solution for SAP BTP
This update expands detection coverage for SAP BTP, strengthening visibility into high-risk control plane, integration, and identity activities.

  • SAP Integration Suite: Detects unauthorized changes to integration artifacts, access policies, JDBC data sources, and package imports that could enable data exfiltration or backdoors.
  • SAP Cloud Identity Service: Monitors user deletions, privilege grants, and SAML/OIDC configuration changes that weaken authentication controls or create persistent access.
  • SAP Build Work Zone: Identifies mass role deletions and unauthorized access to restricted portal resources.
  • SAP BTP Audit Logging: Detects audit log ingestion gaps and disruptions that reduce security visibility and enable stealthy activity.
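As an added example of the last item, the audit-log gap detection, here is a small check written for this page rather than taken from the Sentinel solution. It walks constructed audit-log arrival timestamps per SAP BTP subaccount and reports two conditions a detection engineer cares about: a silence between consecutive records longer than a threshold, and a source that has stopped sending entirely. The subaccount names, timestamps, evaluation time and 30-minute threshold are all constructed.

```python
"""Audit-log ingestion gap check (added example, not the Sentinel SAP BTP rule)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (subaccount, ISO timestamp) of audit-log records as they arrived.
SAMPLE_RECORDS = [
    ("sub-prod", "2026-01-12T09:00:00"),
    ("sub-prod", "2026-01-12T09:04:00"),
    ("sub-prod", "2026-01-12T09:08:00"),
    ("sub-prod", "2026-01-12T10:30:00"),   # 82 minutes of silence before this record
    ("sub-dev",  "2026-01-12T09:02:00"),
    ("sub-dev",  "2026-01-12T09:06:00"),   # nothing after this up to evaluation time
]
NOW = datetime.fromisoformat("2026-01-12T11:00:00")  # assumed evaluation time
MAX_GAP = timedelta(minutes=30)                       # assumed tolerated silence


def find_ingestion_gaps(records, now, max_gap):
    """Return findings for gaps between records and for sources that went quiet."""
    by_source = defaultdict(list)
    for source, ts in records:
        by_source[source].append(datetime.fromisoformat(ts))

    findings = []
    for source, stamps in by_source.items():
        stamps.sort()
        # Silence between two consecutive records from the same source.
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:
                findings.append({
                    "source": source, "kind": "gap", "start": prev, "end": cur,
                    "minutes": int((cur - prev).total_seconds() // 60),
                })
        # Source has not sent anything since its last record.
        if now - stamps[-1] > max_gap:
            findings.append({
                "source": source, "kind": "stalled", "start": stamps[-1], "end": now,
                "minutes": int((now - stamps[-1]).total_seconds() // 60),
            })
    return findings


if __name__ == "__main__":
    for f in find_ingestion_gaps(SAMPLE_RECORDS, NOW, MAX_GAP):
        print(f"{f['source']}: {f['kind']} of {f['minutes']} min "
              f"from {f['start']:%H:%M} to {f['end']:%H:%M}")
```

The distinction between "gap" and "stalled" matters in practice: a closed gap may be a transient connector hiccup that has already recovered, while a stalled source is ongoing loss of visibility and should page someone. Tune the threshold to the expected record rate of each subaccount; a quiet development tenant will otherwise generate constant noise.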