enable-entity-behavior-analytics.md

title: Use entity behavior analytics to detect advanced threats | Microsoft Docs
description: Enable User and Entity Behavior Analytics in Microsoft Sentinel, and configure data sources
author: yelevin
ms.topic: how-to
ms.date: 11/09/2021
ms.author: yelevin
ms.custom: ignite-fall-2021

Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel

Important

The UEBA and Entity Pages features are now in General Availability in all Microsoft Sentinel geographies and regions.

Prerequisites

To enable or disable this feature (these prerequisites are not required to use the feature):

  • Your user must be a member of your organization's Azure Active Directory, and not a guest user.

  • Your user must be assigned the Global Administrator or Security Administrator roles in Azure AD.

  • Your user must be assigned at least one of the following Azure roles (Learn more about Azure RBAC):

    • Microsoft Sentinel Contributor at the workspace or resource group levels.
    • Log Analytics Contributor at the resource group or subscription levels.
  • Your workspace must not have any Azure resource locks applied to it. Learn more about Azure resource locking.

Note

  • No special license is required to add UEBA functionality to Microsoft Sentinel, and there's no additional cost for using it.
  • However, since UEBA generates new data and stores it in new tables that UEBA creates in your Log Analytics workspace, additional data storage charges will apply.
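The prerequisites above can be checked before anyone opens the settings page. The following pre-flight check is an added example, not part of the original article or of any Microsoft tooling. It assumes you have already exported the account's Microsoft Graph user object, its directory role names, its Azure role assignments and the locks that apply to the workspace; the function names and sample values are hypothetical, and the scope levels are applied exactly as the list states them.

```python
import re

# Azure role -> scope levels the prerequisites list accepts for that role.
AZURE_ROLES = {
    "Microsoft Sentinel Contributor": {"workspace", "resource_group"},
    "Log Analytics Contributor": {"resource_group", "subscription"},
}
AAD_ROLES = {"Global Administrator", "Security Administrator"}

def scope_level(scope, workspace_id):
    """Classify a role-assignment scope relative to the target workspace."""
    scope, ws = scope.rstrip("/").lower(), workspace_id.rstrip("/").lower()
    sub, rg = re.match(r"(/subscriptions/[^/]+)(/resourcegroups/[^/]+)", ws).groups()
    levels = {ws: "workspace", sub + rg: "resource_group", sub: "subscription"}
    return levels.get(scope)  # None for any unrelated scope

def ueba_preflight(user, aad_roles, assignments, locks, workspace_id):
    """Return the unmet prerequisites; an empty list means ready to enable."""
    problems = []
    if user.get("userType") != "Member":
        problems.append("account is not a member user of the directory")
    if not AAD_ROLES & set(aad_roles):
        problems.append("missing Global Administrator or Security Administrator")
    if not any(
        scope_level(a["scope"], workspace_id) in AZURE_ROLES.get(a["roleDefinitionName"], ())
        for a in assignments
    ):
        problems.append("no listed Azure role at an accepted scope level")
    if locks:
        names = ", ".join(lock["name"] for lock in locks)
        problems.append("workspace has resource locks: " + names)
    return problems

# Constructed sample data (placeholder subscription, group and workspace names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-soc"
WS = RG + "/providers/Microsoft.OperationalInsights/workspaces/ws-soc"

if __name__ == "__main__":
    result = ueba_preflight(
        {"userType": "Guest"},
        ["Security Administrator"],
        [{"roleDefinitionName": "Microsoft Sentinel Contributor", "scope": SUB}],
        [{"name": "do-not-delete", "level": "CanNotDelete"}],
        WS,
    )
    print("\n".join(result) or "all prerequisites met")
```
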

How to enable User and Entity Behavior Analytics

  1. From the Microsoft Sentinel navigation menu, select Entity behavior.

  2. From the top menu bar, select Entity behavior settings.
    If you haven't yet enabled UEBA, you will be taken to the Settings page. Select Configure UEBA.

  3. On the Entity behavior configuration page, switch the toggle to On.

  4. Mark the check boxes next to the data sources on which you want to enable UEBA.

    Note

    Below the list of existing data sources, you will see a list of UEBA-supported data sources that you have not yet connected.

    Once you have enabled UEBA, you will have the option, when connecting new data sources, to enable them for UEBA directly from the data connector pane if they are UEBA-capable.

  5. Select Apply. You will be returned to the Entity behavior page.

Next steps

In this document, you learned how to enable and configure User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel. To learn more about Microsoft Sentinel, see the following articles: