
Microsoft Sentinel UEBA — Behavioural Baselining & Investigation Priority

Microsoft Sentinel UEBA builds a behavioural baseline for every user and entity in your environment, then scores deviations so the SOC investigates the right people first. This lesson walks through enabling UEBA, how baselining works, what the investigation priority score really means, how peer analysis and blast-radius weighting shape that score, and how to use entity insights and anomalies to cut investigation time.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Microsoft Sentinel UEBA (2026): enable entity behaviour analytics, understand behavioural baselining, entity insights, investigation priority score, peer analysis, and blast-radius scoring to accelerate threat investigations.

🎯 By the end you will be able to

Pick where you want to start:

1. What UEBA is: behavioural ML on every entity, not just alerts.
2. Enabling UEBA: data sources, permissions, and the toggle.
3. Priority & peers: score, blast radius, peer analysis.
4. Entity insights: anomalies, timelines, investigation path.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does UEBA fire an alert every time it finds a deviation?

Answered in What UEBA is.

2. Which permission is required to enable UEBA in Microsoft Sentinel?

Answered in Enabling UEBA.

3. What does 'blast radius' mean in the context of an investigation priority score?

Answered in Priority & peers.

Most engineers think…

Most people treat UEBA as another alert rule — 'turn it on and it will fire when something bad happens'. That framing fails in an interview and in a real SOC shift.

Microsoft Sentinel UEBA is a behavioural context layer, not an alert engine. It builds a baseline for every entity, scores deviations relative to that entity's own history and its peer group, weights the score by the entity's blast radius, and surfaces the result as entity insights alongside your existing incidents. Understanding the score — not just reacting to it — is what makes the difference between a 3-hour investigation and a 30-minute one.

① What Microsoft Sentinel UEBA actually is — a behavioural context layer

Sentinel UEBA ingests logs and alerts from your connected data sources and runs machine learning to build behavioural profiles for each entity: users, hosts, IP addresses and applications. The key word is baseline — Sentinel learns what normal looks like for that specific entity before it flags anything as anomalous.

When an entity's behaviour deviates from its own baseline, Sentinel writes an anomaly record to the BehaviorAnalytics table. It also checks whether the deviation is unusual compared to the entity's peer group. If the same action is common among peers, the weight of the anomaly is reduced. If even the peers rarely do it, the signal is stronger.

UEBA does not fire an incident on its own. It enriches existing incidents and provides a prioritised entity view so the SOC can decide where to start. The April 2026 Behaviours Layer adds a further layer: aggregating sequences of events into meaningful behavioural patterns mapped to MITRE ATT&CK, with explainability built in.

Figure 1 — How UEBA builds and uses a baseline
Ingest logs (Entra ID, Defender XDR) → Baseline (ML per-entity profile) → Detect (deviation from baseline) → Score (priority 0–10) → Insights (entity pane + anomaly tag).
Sentinel ingests logs, builds a per-entity baseline, scores deviations and surfaces them as entity insights alongside existing incidents.
Quick check · Q1 of 10 · Understand

Microsoft Sentinel UEBA is best described as…

Correct: b. UEBA builds ML-based behavioural baselines, writes anomaly records to the BehaviorAnalytics table, and enriches incidents with entity insights and a priority score — it does not fire standalone incidents.
👉 So far: Sentinel UEBA = a behavioural context layer, not an alert engine. It baselines each entity using ML, scores deviations, and enriches incidents — it does not fire standalone alerts.

② Enabling UEBA — data sources, permissions and the toggle

To turn on UEBA, navigate to Microsoft Sentinel > Settings > Entity behaviour analytics and switch it on. You need at least Microsoft Sentinel Contributor on the workspace and the workspace must already have data connectors feeding it. UEBA then needs time — typically a 7-day learning period — before it can reliably score deviations.

Which data sources matter most

UEBA draws on several sources. Microsoft Entra ID sign-in logs are the richest signal for user behaviour. Microsoft Defender XDR device logon events cover host activity. As of September 2025, six new sources were added: Microsoft authentication sources, Entra managed identity sign-in logs, and others. Sentinel also enriches entities with Entra ID intelligence — job title, department, manager, group membership and MFA status — so the peer analysis algorithm has organisational context to work with, not just raw log counts.

Once enabled, UEBA populates three key tables: BehaviorAnalytics (per-entity anomaly records), UserPeerAnalytics (top ranked peers per user), and IdentityInfo (Entra context). These are queryable in Log Analytics and surface automatically in the investigation pane.
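As an added example (not from the lesson and not from Microsoft's own documentation), the KQL query below checks whether the three tables are populated and how many days of data each holds, so an analyst can confirm the learning period is over before trusting a score. It assumes UEBA is enabled on the workspace; the table and column names (UserPrincipalName, AccountUPN, TimeGenerated) are the ones documented for these tables and should be verified against the workspace schema, the 7-day threshold is the lesson's figure, and the 30-day lookback is an assumption.

```kql
// Added example: readiness check for the three UEBA tables (not from the lesson).
// Assumes UEBA is enabled; the 30-day lookback and the 7-day "learned" threshold are assumptions
// taken from the lesson's guidance, not from any documented Sentinel status API.
let lookback = 30d;
let learningDays = 7;
union isfuzzy=true
    (BehaviorAnalytics
        | where TimeGenerated > ago(lookback)
        | summarize Rows = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
                    Entities = dcount(UserPrincipalName)
        | extend TableName = "BehaviorAnalytics"),
    (UserPeerAnalytics
        | where TimeGenerated > ago(lookback)
        | summarize Rows = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
                    Entities = dcount(UserPrincipalName)
        | extend TableName = "UserPeerAnalytics"),
    (IdentityInfo
        | where TimeGenerated > ago(lookback)
        | summarize Rows = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
                    Entities = dcount(AccountUPN)
        | extend TableName = "IdentityInfo")
// Days between the oldest and newest row is a rough proxy for how much baseline UEBA has seen.
| extend BaselineDays = datetime_diff('day', LastSeen, FirstSeen)
| extend Status = case(Rows == 0, "no data - check connectors and the UEBA toggle",
                       BaselineDays < learningDays, "learning - scores not yet reliable",
                       "baselined")
| project TableName, Rows, Entities, FirstSeen, LastSeen, BaselineDays, Status
```

`union isfuzzy=true` keeps the query running when one table does not exist yet (for example before UEBA has written its first row), so a missing table shows up as an absent row rather than a query error. IdentityInfo is a periodically refreshed snapshot of Entra ID, so its row count reflects the directory rather than anomaly volume; the useful signal there is simply that the table is present and recent.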

Figure 2 — UEBA data tables in Log Analytics
BehaviorAnalytics: per-entity anomaly records + priority score. UserPeerAnalytics: top-ranked peers per user (TF-IDF). IdentityInfo: Entra ID context (role, dept, MFA, groups).
Three tables power all UEBA queries, enrichments and the investigation pane.

📊 BehaviorAnalytics table
The primary UEBA output table. Each row is one anomaly record for one entity, with the investigation priority score, anomaly type, and contributing evidence. Query it in Log Analytics for hunting.

👥 Peer analysis (TF-IDF)
Sentinel ranks the most similar users using a TF-IDF-style algorithm on role, department, location and access pattern. A deviation rare among peers weighs more than one common to the group.

💥 Blast radius
A measure of how much organisational damage an entity could cause — based on role, group membership, privileges, hierarchy and access to sensitive resources. A Global Admin always has high blast radius.

🔍 Entity insights pane
The investigation UI surface: shows the priority score, top-3 anomalies from the past 30 days, Entra ID context, and a peer comparison chart. Available in the Defender portal incident view.

Wait 7 days before judging UEBA

UEBA needs at least a week of baseline data before scores are meaningful. If you enable it and immediately see low scores on suspicious users, the model has not yet learned normal. Check the 'Entity behaviour analytics' status blade to confirm baselining is complete before using scores in triage.

Quick check · Q2 of 10 · Remember

Which table stores per-user peer rankings used in UEBA scoring?

Correct: c. UserPeerAnalytics holds the highest-ranked peers for each user, computed using a TF-IDF-style algorithm on role, department, location and access patterns. BehaviorAnalytics holds the anomaly records themselves; IdentityInfo holds Entra ID context.
👉 So far: Three key tables: BehaviorAnalytics (anomaly records + score), UserPeerAnalytics (TF-IDF peer ranks), IdentityInfo (Entra ID context). Enable UEBA with Sentinel Contributor; allow 7 days to baseline.

③ Investigation priority score — peer analysis, blast radius and the 0-10 scale

Every UEBA-enriched entity gets an investigation priority score between 0 and 10. The score is not simply a count of anomalies — it combines three signals: the entity's deviation from its own baseline, its deviation from its peer group, and its blast radius.

Peer analysis uses a TF-IDF-style algorithm to rank the users most similar to a given entity by job role, department, location and access pattern. If a user is doing something their peers all do routinely, the anomaly weight is reduced. If the action is rare even among peers, the weight increases. This is the mechanism that separates a genuine insider threat signal from a noisy outlier on a single rule.

Blast radius weighting

Blast radius gauges how much organisational damage an entity could cause — a Global Admin with access to all Azure resources scores much higher blast radius than a read-only guest. The score factors in role, group memberships, privileges, management hierarchy and access to sensitive resources. A mid-level deviation by a privileged account therefore outranks a large deviation by a low-privilege account. Scores of 6–10 should be investigated within hours; 3–5 warrant a same-shift review; 0–2 indicate near-normal activity.

Figure 3 — What shapes the investigation priority score
Priority score (0–10) ← own-baseline deviation + peer deviation + blast radius (role & privileges, group membership, sensitive access).
The 0–10 score combines the entity's own deviation, peer comparison and blast-radius weight — not just a raw anomaly count.
'High deviation always means high priority' is wrong

A 9/10 deviation on a read-only guest with no sensitive access can produce a lower priority score than a 4/10 deviation on a Global Admin. Forgetting blast-radius weighting causes you to chase noisy, low-risk outliers and miss the real threat buried in the privileged account list.

▶ Watch a compromised admin account get scored and surfaced

How UEBA detects, scores and surfaces a credential-compromise scenario end-to-end, step by step:

① Sign-in anomaly: Ravi's account signs in from a new country at 03:00, outside his 6-month baseline of India-only, business-hours logins.
② Peer check: UEBA compares Ravi to his 12-peer finance-manager group. None have logged in from this country. Peer deviation is high.
③ Blast-radius score: Ravi's role is Finance Admin with Key Vault access. Blast radius = high. Score compounds to 8/10 investigation priority.
④ Entity insights: Sentinel tags Ravi with UEBA Anomalies. The incident pane shows the score, all three anomalies, and the peer chart. Analyst suspends account in 18 min.
Quick check · Q3 of 10 · Apply

A global admin performs an action with a deviation score of 4/10, while a read-only guest has a deviation score of 7/10. Which entity gets a higher investigation priority score and why?

Correct: c. Blast-radius weighting means the potential organisational damage matters as much as the raw deviation. A global admin's access to all resources produces very high blast radius, so a moderate deviation can still yield a higher priority score than a larger deviation from a low-privilege guest.
👉 So far: Investigation priority score (0–10) = deviation from own baseline + deviation from peer group + blast-radius weighting. A privileged account's moderate deviation can outrank a large deviation from a low-privilege guest.

④ Entity insights and anomalies — the investigation path

In the Microsoft Defender portal (where Sentinel now surfaces UEBA experiences as of late 2025 preview), analysts open an incident and see an Entity insights pane for each linked user or host. It shows the investigation priority score, the top three anomalies from the past 30 days, the entity's peer group, and Entra ID context. Users with active behavioural anomalies are tagged with a UEBA Anomalies badge so triage is visual.

Clicking an entity opens the full entity page: a timeline of all activity, each event colour-coded by anomaly weight, and a peer comparison chart showing how unusual the action was relative to peers. For a lateral-movement investigation this is decisive — you can see at a glance that the user accessed three new hosts and downloaded 400 MB, actions their entire peer group almost never performs.

For threat hunting, query BehaviorAnalytics directly — filter on InvestigationPriority >= 6, join to IdentityInfo for the user's department, and pivot to UserPeerAnalytics to check peer scores. The combination surfaces high-confidence, high-impact leads without writing a single custom detection rule.
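The query below is an added example (it is not from the lesson or from Microsoft's documentation) that carries out the three-table hunt described above and labels each result with the 6–10 / 3–5 / 0–2 triage bands from section ③. It assumes UEBA is enabled and that the columns used exist as documented for these tables (InvestigationPriority, ActivityType and UserPrincipalName in BehaviorAnalytics; AccountUPN, Department, JobTitle, AssignedRoles, BlastRadius and IsMFARegistered in IdentityInfo; PeerUserPrincipalName and Rank in UserPeerAnalytics); check them against your workspace schema. The 7-day lookback and the "top 10 peers" cut-off are assumptions.

```kql
// Added example: BehaviorAnalytics -> IdentityInfo -> UserPeerAnalytics hunt (not from the lesson).
// Assumes UEBA is enabled; column names are the documented ones and should be verified in the workspace.
let lookback = 7d;          // assumption: one week of anomaly records
let minPriority = 6;        // the lesson's "investigate within hours" threshold
// Latest known peers per user, keeping only the 10 highest-ranked (assumption), as one set per user.
let topPeers = UserPeerAnalytics
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, Rank) by UserPrincipalName, PeerUserPrincipalName
    | where Rank <= 10
    | summarize Peers = make_set(PeerUserPrincipalName, 10) by JoinKey = tolower(UserPrincipalName);
// Latest Entra ID snapshot per account; UPNs are lower-cased so the join is case-insensitive.
let identity = IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | project JoinKey = tolower(AccountUPN), Department, JobTitle, AssignedRoles, BlastRadius, IsMFARegistered;
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
| where InvestigationPriority >= minPriority
// One row per user: highest score, how many anomaly records, and which activity types contributed.
| summarize MaxPriority = max(InvestigationPriority),
            AnomalyCount = count(),
            Activities = make_set(ActivityType, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName
| extend JoinKey = tolower(UserPrincipalName)
| join kind=leftouter identity on JoinKey
| project-away JoinKey1
| join kind=leftouter topPeers on JoinKey
| extend Band = case(MaxPriority >= 6, "investigate within hours",
                     MaxPriority >= 3, "same-shift review",
                     "near-normal")
| project UserPrincipalName, MaxPriority, Band, AnomalyCount, Activities,
          Department, JobTitle, AssignedRoles, BlastRadius, IsMFARegistered, Peers,
          FirstSeen, LastSeen
| order by MaxPriority desc, AnomalyCount desc
```

With `minPriority = 6` every row lands in the top band, which is the lead list the lesson describes; lowering it to 3 brings the same-shift-review band into view without changing anything else. Both joins are left-outer on purpose: a user with a high score but no IdentityInfo row (a guest, or an account created after the last directory sync) still appears, with empty context columns, rather than being silently dropped.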

Figure 4 — Low-privilege vs high-privilege anomaly: same deviation, different score
Read-only guest user: deviation score 7/10; blast radius very low; role: no sensitive access; peer group: 50 similar guests; final priority score 3.
Global Admin account: deviation score 4/10; blast radius maximum; role: all Azure resources; peer group: 5 similar admins; final priority score 8.
Blast-radius weighting means a privileged account's mild deviation can outrank a large deviation by a low-privilege guest.

Priya, a SOC analyst at a Pune-based fintech, faces this

Priya's morning Sentinel dashboard shows 200 new incidents. One mentions a finance manager, Ravi, whose account triggered a medium-severity alert for an unusual sign-in time. Buried in the pile, Priya almost skips it.

Likely cause

Without UEBA context, all 200 incidents look equally urgent. The sign-in time rule fires for shift workers too, so there's no fast way to know if Ravi is genuinely suspicious or just working late.

Diagnosis

Priya opens the entity insight pane for Ravi: investigation priority score 8/10. Three anomalies flagged — new country login, first-time access to the Azure Key Vault, and 2 GB download from SharePoint — all in the same 90-minute window. Ravi's peer group of 12 finance managers has zero similar events. Blast radius: high (finance admin role with Key Vault access).

Sentinel Incident ▸ Entity Insights ▸ Ravi ▸ BehaviorAnalytics ▸ UserPeerAnalytics
Fix

Priya immediately suspends Ravi's account, opens a formal IR ticket, and checks Key Vault access logs. Turns out credentials were phished. Total time from incident to suspension: 18 minutes, because entity insights made the priority obvious.

Verify

After the IR: UEBA anomaly records confirm the three-event sequence; peer comparison shows zero similar events in the peer group in 6 months. The investigation priority score correctly ranked this above 180 lower-risk incidents.

Always check the peer comparison chart, not just the score

The investigation priority score is the headline, but the peer comparison chart is the evidence. Before escalating, open the entity page and confirm the flagged actions are genuinely rare among peers — this single step cuts false escalations and gives you defensible evidence for the IR report.
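To put that advice into a query, here is an added example (not from the lesson or from Microsoft's documentation) that rebuilds the peer comparison for the new-country sign-in in Ravi's scenario from raw data: it takes the flagged user's peers from UserPeerAnalytics, then asks the Entra ID sign-in logs whether the user or any peer has signed in from each country before. It assumes the Entra ID sign-in connector is populating SigninLogs with its documented Location (country code) and ResultType columns, uses a placeholder UPN, and treats the 24-hour recent window, 90-day history and top-20 peer cut-off as assumptions.

```kql
// Added example: peer-comparison evidence for a flagged user's sign-in countries (not from the lesson).
// Assumes UEBA and the Entra ID sign-in connector are enabled; column names should be verified.
let suspect = "ravi@example.com";   // placeholder UPN, replace with the flagged account
let recent = 24h;                   // assumption: the window of the flagged activity
let history = 90d;                  // assumption: how far back to look for precedent
// Top 20 most similar users (assumption) from the latest peer ranking.
let peers = UserPeerAnalytics
    | where TimeGenerated > ago(30d) and UserPrincipalName =~ suspect
    | summarize arg_max(TimeGenerated, Rank) by PeerUserPrincipalName
    | where Rank <= 20
    | project PeerUserPrincipalName;
let peerGroupSize = toscalar(peers | count);
// Countries the suspect signed in from recently (successful sign-ins only).
let suspectCountries = SigninLogs
    | where TimeGenerated > ago(recent) and UserPrincipalName =~ suspect and ResultType == "0"
    | where isnotempty(Location)
    | summarize SuspectSignIns = count(), FirstSeen = min(TimeGenerated) by Country = Location;
// The suspect's own history, excluding the recent window, for each country.
let suspectBaseline = SigninLogs
    | where TimeGenerated between (ago(history) .. ago(recent))
    | where UserPrincipalName =~ suspect and ResultType == "0"
    | summarize OwnHistoricalSignIns = count() by Country = Location;
// The peer group's history: how many peers have ever signed in from each country.
let peerBaseline = SigninLogs
    | where TimeGenerated > ago(history) and ResultType == "0"
    | where UserPrincipalName in~ (peers)
    | summarize PeerSignIns = count(), PeersSeenHere = dcount(UserPrincipalName) by Country = Location;
suspectCountries
| join kind=leftouter suspectBaseline on Country
| project-away Country1
| join kind=leftouter peerBaseline on Country
| extend OwnHistoricalSignIns = coalesce(OwnHistoricalSignIns, 0),
         PeerSignIns = coalesce(PeerSignIns, 0),
         PeersSeenHere = coalesce(PeersSeenHere, 0),
         PeerGroupSize = peerGroupSize
// Rare for the user AND unseen among peers is the combination the lesson treats as a strong signal.
| extend Verdict = case(
    OwnHistoricalSignIns == 0 and PeersSeenHere == 0, "new for user and unseen among peers - strong signal",
    OwnHistoricalSignIns == 0, "new for user, but peers sign in here - weaker signal",
    "within the user's own baseline")
| project Country, SuspectSignIns, FirstSeen, OwnHistoricalSignIns, PeersSeenHere, PeerGroupSize, PeerSignIns, Verdict
| order by SuspectSignIns desc
```

The `Verdict` column is the evidence line for the IR report: a country with zero historical sign-ins for the user and zero peers seen there is exactly what the entity page's peer chart shows visually. `PeerGroupSize` is carried so a "zero peers" finding can be read against the size of the group; zero out of 3 peers is far weaker evidence than zero out of 20.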

Quick check · Q4 of 10 · Analyze

You want to hunt for high-confidence insider-threat leads without writing custom detection rules. What is the most direct approach in Sentinel?

Correct: a. The BehaviorAnalytics table with a priority-score filter surfaces high-confidence, high-impact leads already weighted by peer analysis and blast radius. Joining IdentityInfo adds organisational context and UserPeerAnalytics confirms the peer deviation — all without a custom rule.
👉 So far: Entity insights pane shows score, top-3 anomalies, peer chart and Entra context. For hunting, filter BehaviorAnalytics on InvestigationPriority >= 6, join IdentityInfo, pivot to UserPeerAnalytics.


📝 Wrap-up assessment — six more


Q5 · Remember

What is the range of the UEBA investigation priority score?

Correct: b. The investigation priority score runs from 0 (near-normal) to 10 (maximally anomalous when blast radius is also high). Scores of 6–10 warrant urgent investigation.
Q6 · Understand

Why does a Global Admin's moderate deviation produce a higher investigation priority score than a read-only guest's larger deviation?

Correct: c. Blast radius measures potential organisational damage based on role, privileges and resource access. A Global Admin has maximum blast radius, so even a moderate deviation scores high. The raw deviation size is only one of three signals.
Q7 · Apply

You enabled UEBA yesterday. A senior analyst is frustrated that all scores show 0–1 and wants to raise a P1 incident. What is the most likely explanation?

Correct: d. UEBA needs approximately 7 days of baseline data to learn normal behaviour before producing meaningful deviation scores. Scores of 0–1 on day 1 simply mean the model has not yet established a baseline, not that there are no threats.
Q8 · Analyze

In the UserPeerAnalytics table, a user shares high peer-similarity with their group, yet their investigation priority score is 9. What most likely explains the high score?

Correct: a. High blast radius amplifies the score, and peer deviation confirms the action is genuinely rare among similar users. Both factors combine to push the score to maximum — this is exactly the scenario UEBA is designed to surface.
Q9 · Evaluate

An analyst asks: 'Should I replace our analytics rules with UEBA?' What is the correct position?

Correct: d. UEBA does not create incidents — it enriches them. Analytics rules (built-in or custom KQL) detect threats and open incidents. UEBA adds the investigation priority score, entity insights and anomaly context that help analysts decide which incident to investigate first.
Q10 · Evaluate

Which KQL approach gives the fastest high-confidence insider-threat leads from UEBA without writing custom detections?

Correct: c. BehaviorAnalytics with InvestigationPriority >= 6 filters to high-priority entities, IdentityInfo adds organisational context, and UserPeerAnalytics confirms peer deviation. This three-table join surfaces the highest-risk, highest-confidence leads already weighted by UEBA's ML model.

🧠 In your own words

Type one line: what does the investigation priority score actually measure — and why can a smaller raw deviation on one user score higher than a larger deviation on another? Then compare with the expert version.

Expert version: The investigation priority score (0–10) measures three things at once: how far an entity has deviated from its own historical baseline, how unusual that deviation is compared to the entity's peer group (via TF-IDF peer ranking), and how high the entity's blast radius is — the potential organisational damage based on role, privileges and access to sensitive resources. A smaller raw deviation on a Global Admin can score higher than a large deviation on a read-only guest because the Global Admin's blast radius is maximum — a compromise there could mean full Azure access. UEBA is designed to surface that asymmetry so the SOC investigates the right entity first.


📖 Glossary

UEBA (User & Entity Behaviour Analytics)
A Microsoft Sentinel feature that baselines entity behaviour using ML, scores deviations, and enriches incidents with investigation priority scores and entity insights.
Investigation priority score
A 0–10 score per entity combining deviation from own baseline, deviation from peer group, and blast-radius weighting. 6–10 = urgent investigation.
Blast radius
The potential organisational damage an entity could cause, assessed from role, group membership, privileges, hierarchy and access to sensitive resources.
BehaviorAnalytics table
The primary UEBA output table in Log Analytics — each row is one anomaly record with the priority score, anomaly type, and contributing evidence.
UserPeerAnalytics table
Stores the highest-ranked peer users for each entity, produced by Sentinel's TF-IDF peer-ranking algorithm on role, department, location and access patterns.
IdentityInfo table
Entra ID context table — job title, department, manager, group membership, MFA status and licences — used by UEBA for peer analysis and blast-radius scoring.
Peer analysis
A TF-IDF-style algorithm that ranks similar users and determines whether an action is rare among peers, amplifying or dampening the anomaly weight accordingly.
Behaviours Layer
A 2026 UEBA expansion that aggregates event sequences into meaningful behavioural patterns mapped to MITRE ATT&CK, adding explainability to UEBA detections.
Entity insights pane
The Defender portal UI surface showing the priority score, top-3 anomalies, Entra ID context, and peer comparison chart for each entity linked to an incident.
UEBA Anomalies tag
A badge applied to entities in the Defender portal when they have active behavioural anomalies, enabling visual triage across the incident queue.


What's next?

Got UEBA down? Next, explore Microsoft Sentinel Analytics rules and how custom KQL detections combine with UEBA scores to surface high-fidelity, context-rich incidents.