หมายเหตุ
การเข้าถึงหน้านี้ต้องได้รับการอนุญาต คุณสามารถลอง ลงชื่อเข้าใช้หรือเปลี่ยนไดเรกทอรีได้
การเข้าถึงหน้านี้ต้องได้รับการอนุญาต คุณสามารถลองเปลี่ยนไดเรกทอรีได้
User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel analyzes logs and alerts from connected data sources to build baseline behavioral profiles of your organization's entities—such as users, hosts, IP addresses, and applications. Using machine learning, UEBA identifies anomalous activity that may indicate a compromised asset.
You can enable User and Entity Behavior Analytics in two ways, both with the same result:
- From the Microsoft Sentinel workspace settings: Enable UEBA for your workspace and select which data sources to connect in the Microsoft Defender portal or Azure portal.
- From supported data connectors: Enable UEBA when you configure UEBA supported data connectors in the Microsoft Defender portal.
This article explains how to enable UEBA and configure data sources from your Microsoft Sentinel workspace settings and from supported data connectors.
For more information about UEBA, see Identify threats with entity behavior analytics.
Note
For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.
Important
Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license.
Starting in July 2026, all customers using Microsoft Sentinel in the Azure portal will be redirected to the Defender portal and will use Microsoft Sentinel in the Defender portal only. Starting in July 2025, many new customers are automatically onboarded and redirected to the Defender portal.
If you're still using Microsoft Sentinel in the Azure portal, we recommend that you start planning your transition to the Defender portal to ensure a smooth transition and take full advantage of the unified security operations experience offered by Microsoft Defender. For more information, see It’s Time to Move: Retiring Microsoft Sentinel’s Azure portal for greater security.
Prerequisites
To enable or disable this feature (these prerequisites aren't required to use the feature):
Your user must be assigned to the Microsoft Entra ID Security Administrator role in your tenant or the equivalent permissions.
Your user must be assigned at least one of the following Azure roles (Learn more about Azure RBAC):
- Microsoft Sentinel Contributor at the workspace or resource group levels.
- Log Analytics Contributor at the resource group or subscription levels.
Your workspace must not have any Azure resource locks applied to it. Learn more about Azure resource locking.
Note
- No special license is required to add UEBA functionality to Microsoft Sentinel, and there's no extra cost for using it.
- However, since UEBA generates new data and stores it in new tables that UEBA creates in your Log Analytics workspace, additional data storage charges apply.
Enable UEBA from workspace settings
To enable UEBA from your Microsoft Sentinel workspace settings:
Go to the Entity behavior configuration page.
Use any one of these three ways to get to the Entity behavior configuration page:
Select Entity behavior from the Microsoft Sentinel navigation menu, then select Entity behavior settings from the top menu bar.
Select Settings from the Microsoft Sentinel navigation menu, select the Settings tab, then under the Entity behavior analytics expander, select Set UEBA.
From the Microsoft Defender XDR data connector page, select the Go the UEBA configuration page link.
On the Entity behavior configuration page, toggle on Turn on UEBA feature.
Select the directory services from which you want to synchronize user entities with Microsoft Sentinel.
- Active Directory on-premises (Preview)
- Microsoft Entra ID
To sync user entities from on-premises Active Directory, you must onboard your Azure tenant to Microsoft Defender for Identity (either standalone or as part of Microsoft Defender XDR) and you must have the MDI sensor installed on your Active Directory domain controller. For more information, see Microsoft Defender for Identity prerequisites.
Select Connect all data sources to connect all eligible data sources, or select specific data sources from the list.
You can only enable these data sources from the Defender and the Azure portals:
- Signin Logs
- Audit Logs
- Azure Activity
- Security Events
You can enable these data sources from the Defender portal only (preview):
- AAD Managed Identity Signin logs (Microsoft Entra ID)
- AAD Service Principal Signin logs (Microsoft Entra ID)
- AWS CloudTrail
- Device Logon Events
- Okta CL
- GCP Audit Logs
For more information about UEBA data sources and anomalies, see Microsoft Sentinel UEBA reference and UEBA anomalies.
Note
After enabling UEBA, you can enable supported data sources for UEBA directly from the data connector pane, or from the Defender portal Settings page, as described in this article.
Select Connect.
Enable anomaly detection in your Microsoft Sentinel workspace:
- From the Microsoft Defender portal navigation menu, select Settings > Microsoft Sentinel > SIEM workspaces.
- Select the workspace you want to configure.
- From the workspace configuration page, select Anomalies and toggle on Detect Anomalies.
Enable UEBA from supported connectors
To enable UEBA from supported data connectors in Microsoft Defender portal:
From the Microsoft Defender portal navigation menu, select Microsoft Sentinel > Configuration > Data connectors.
Select a UEBA supported data connector that supports UEBA. For more information about UEBA supported data connectors and tables, see Microsoft Sentinel UEBA reference.
From the data connector pane, select Open connector page.
On the Connector details page, select Advanced options.
Under Configure UEBA, toggle on the tables you want to enable for UEBA.
For more information about configuring Microsoft Sentinel data connectors, see Connect data sources to Microsoft Sentinel by using data connectors.
Next steps
In this article, you learned how to enable and configure User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel. For more information about UEBA: