How to enable UEBA on Sentinel?

Martin Grihangne 20 Reputation points
2023-11-02T04:28:58.3666667+00:00

I have an Azure Sentinel resource in my subscription.

I am following the Azure documentation on how to enable User & Entities Behavior Analytics (UEBA) for Microsoft Sentinel: https://learn.microsoft.com/en-gb/azure/sentinel/enable-entity-behavior-analytics.

As per the prerequisites, I have both:

  • the Security Administrator admin role in Entra ID
  • the Microsoft Sentinel Contributor RBAC role on the entire subscription

From the Entity behavior configuration page in the Portal, I am able to switch on the toggle on step 1; however, after I select "Azure Active Directory" on step 2 and click "Apply", I get the following error message:

"Updating the Entity Providers failed."

Screenshot of the error message on the Portal

I can't progress any further on enabling UEBA for Sentinel.

Any help on how to resolve would be greatly appreciated.

Microsoft Sentinel

Accepted answer
  1. David Broggy 5,701 Reputation points MVP
    2023-11-02T05:08:39.48+00:00

    Hi Martin,

    I suspect you need to be global admin for that switch.

    At least you’ll know it’s a role issue if it works with global admin.

    Then you can either validate your roles are properly applied or try adding additional rules to see where the issue is.

    Have you tried?

    1 person found this answer helpful.

1 additional answer

  1. JamesTran-MSFT 36,506 Reputation points Microsoft Employee
    2023-11-03T17:11:56.4566667+00:00

    @Martin Grihangne

    Thank you for your post and I apologize for the delayed response!

    I wasn't able to reproduce your issue, but it does look like you have the necessary permissions to enable UEBA in Microsoft Sentinel. However, the error message that you're receiving, "Updating the Entity Providers failed", indicates that there might be an issue with the configuration of your entity providers.

    To help you troubleshoot this issue, can you try the following steps:

    1. Confirm you met all the pre-requisites to enable User and Entity Behavior Analytics
    2. Set up Data sources / connectors as needed per the Deployment guide for Microsoft Sentinel.
    3. From your screenshot, it looks like you don't have any Data sources / connectors set up, which could be causing your issue. For more info.

    I hope this helps!


    If you're still having issues, please let me know. Thank you for your time and patience throughout this issue.