articles/sentinel/investigate-with-ueba.md
Lines changed: 25 additions & 2 deletions
@@ -13,17 +13,22 @@ ms.devlang: na
13
13
ms.topic: how-to
14
14
ms.tgt_pltfrm: na
15
15
ms.workload: na
16
-
ms.date: 05/09/2021
16
+
ms.date: 07/15/2021
17
17
ms.author: bagol
18
18
19
19
---
20
20
# Investigate incidents with UEBA data
21
21
22
22
This article describes common methods and sample procedures for using [user entity behavior analytics (UEBA)](identify-threats-with-entity-behavior-analytics.md) in your regular investigation workflows.
23
23
24
+
> [!IMPORTANT]
25
+
>
26
+
> Noted features in this article are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
27
+
>
28
+
24
29
## Prerequisites
25
30
26
-
Before you can use UEBA data in your investigations, you must [enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel](enable-entity-behavior-analytics.md).
31
+
Before you can use UEBA data in your investigations, you must [enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel](enable-entity-behavior-analytics.md).
27
32
28
33
Start looking for machine powered insights about one week after enabling UEBA.
29
34
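Review bot: the new `[!IMPORTANT]` callout says "Noted features in this article are currently in **PREVIEW**", but nothing in this hunk marks which features are meant; readers have to hunt for the "(Public preview)" label elsewhere in the article. Either name the feature in the callout (for example "URL detonation in the Investigation graph is currently in **PREVIEW**") or make sure every preview feature in the article carries its own "(Public preview)" heading suffix so the callout has something to point at. Also, the Prerequisites sentence ("Before you can use UEBA data in your investigations, you must ...") is removed and re-added with no visible textual difference, so this is presumably a trailing-whitespace change; harmless, but worth dropping from the change set so the diff shows only substantive edits alongside the `ms.date` bump.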
@@ -101,6 +106,24 @@ For example, to investigate a password spray incident with UEBA insights, you mi
101
106
> You can also run the **Anomalous Failed Logon**[hunting query](hunting.md) to monitor all of an organization's anomalous failed logins. Use the results from the query to start investigations into possible password spray attacks.
102
107
>
103
108
109
+
## URL detonation in the Investigation graph (Public preview)
110
+
111
+
When there are URLs in the logs ingested into Azure Sentinel, those URLs are automatically detonated to help accelerate the triage process. The Investigation graph includes a node for the detonated URL, as well as the following details:
112
+
113
+
-**DetonationVerdict**. The high-level, Boolean determination from detonation. For example, **Bad** means that the side was classified as hosting malware or phishing content.
114
+
-**DetonationFinalURL**. The final, observed landing page URL, after all redirects from the original URL.
115
+
-**DetonationScreenshot**. A screenshot of what the page looked like at the time that the alert was triggered. Select the screenshot to enlarge.
116
+
117
+
For example:
118
+
119
+
:::image type="content" source="media/investigate-with-ueba/url-detonation-example.png" alt-text="Sample URL detonation shown in the Investigation graph.":::
120
+
121
+
> [!TIP]
122
+
> If you don't see URLs in your logs, check that URL logging, also known as threat logging, is enabled for your secure web gateways, web proxies, firewalls, or legacy IDS/IPS.
123
+
>
124
+
> You can also create custom logs to channel specific URLs of interest into Azure Sentinel for further investigation.
125
+
>
126
+
104
127
## Next steps
105
128
106
129
Learn more about UEBA, investigations, and hunting:
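Review bot: the **DetonationVerdict** bullet describes the value as a "Boolean determination" but the only example given is **Bad**, which is a label rather than true/false; either list the verdict values the graph can show (so an analyst knows what a non-Bad result looks like) or drop "Boolean". In the same bullet, "the side was classified as hosting malware" should read "the site was classified". The three detail bullets are written as `-**DetonationVerdict**`, `-**DetonationFinalURL**`, `-**DetonationScreenshot**` with no space after the hyphen, so Markdown will not render them as a list; change each to `- **DetonationVerdict**` and so on. Pre-existing in the context line, but cheap to fix while here: "**Anomalous Failed Logon**[hunting query]" is missing a space before the link.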