Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.
To enable or disable this feature (these prerequisites are not required to use the feature):
Your user must be assigned the Global Administrator or Security Administrator roles in Azure AD.
Your user must be assigned at least one of the following Azure roles (Learn more about Azure RBAC):
- Microsoft Sentinel Contributor at the workspace or resource group levels.
- Log Analytics Contributor at the resource group or subscription levels.
Your workspace must not have any Azure resource locks applied to it. Learn more about Azure resource locking.
- No special license is required to add UEBA functionality to Microsoft Sentinel, and there's no additional cost for using it.
- However, since UEBA generates new data and stores it in new tables that UEBA creates in your Log Analytics workspace, additional data storage charges will apply.
How to enable User and Entity Behavior Analytics
Go to the Entity behavior configuration page. There are three ways to get to this page:
Select Entity behavior from the Microsoft Sentinel navigation menu, then select Entity behavior settings from the top menu bar.
Select Settings from the Microsoft Sentinel navigation menu, select the Settings tab, then under the Entity behavior analytics expander, select Set UEBA.
From the Microsoft 365 Defender data connector page, select the Go the UEBA configuration page link.
On the Entity behavior configuration page, switch the toggle to On.
Mark the check boxes next to the Active Directory source types from which you want to synchronize user entities with Microsoft Sentinel.
- Active Directory on-premises (Preview)
- Azure Active Directory
To sync user entities from on-premises Active Directory, your Azure tenant must be onboarded to Microsoft Defender for Identity (either standalone or as part of Microsoft 365 Defender) and you must have the MDI sensor installed on your Active Directory domain controller. See Microsoft Defender for Identity prerequisites for more information.
Mark the check boxes next to the data sources on which you want to enable UEBA.
Below the list of existing data sources, you will see a list of UEBA-supported data sources that you have not yet connected.
Once you have enabled UEBA, you will have the option, when connecting new data sources, to enable them for UEBA directly from the data connector pane if they are UEBA-capable.
Select Apply. If you accessed this page through the Entity behavior page, you will be returned there.
In this document, you learned how to enable and configure User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel. For more information about UEBA:
- See the list of anomalies detected using UEBA.
- Learn more about how UEBA works and how to use it.
To learn more about Microsoft Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Microsoft Sentinel.
Submit and view feedback for