UEBA Essentials



Publisher: Microsoft Corporation
Support Tier: Microsoft
Support Link: https://support.microsoft.com/
Categories: domains
Version: 3.0.6
Author: Microsoft - support@microsoft.com
First Published: 2022-06-27
Last Updated: 2026-02-11
Solution Folder: UEBA Essentials
Marketplace: Azure Marketplace · Popularity: Medium (67%)

The Microsoft Sentinel UEBA content package provides a set of queries built on the UEBA tables that let you hunt for tailored threat scenarios. You can investigate and search for anomalous activity across UEBA's enriched data, and use these queries as a starting point for customizing your own use cases.

Important: Some of the queries in this solution use Built-in Watchlist Templates and will not work unless the corresponding watchlist is created. Other queries may require changes to match your environment details.

Contents

Data Connectors

This solution does not include data connectors.

This solution may contain other components such as analytics rules, workbooks, hunting queries, or playbooks.

Tables Used

This solution queries 4 table(s) from its content items:

Table | Used By Content
AuditLogs | Hunting
SentinelBehaviorEntities | Workbooks
SentinelBehaviorInfo | Workbooks
SigninLogs | Hunting

Internal Tables

The following 3 table(s) are used internally by this solution's content items:

Table | Used By Content
Anomalies | Hunting
BehaviorAnalytics | Hunting
IdentityInfo | Hunting

Content Items

This solution includes 31 content item(s):

Content Type | Count
Hunting Queries | 30
Workbooks | 1

Hunting Queries

Name | Tactics | Tables Used
Anomalies on users tagged as VIP | - | Internal use: BehaviorAnalytics
Anomalous AWS Console Login Without MFA from Uncommon Country | InitialAccess, CredentialAccess | TacitRed_Findings_CL; Internal use: BehaviorAnalytics
Anomalous Activity Role Assignment | PrivilegeEscalation | Internal use: BehaviorAnalytics
Anomalous Code Execution on a Virtual Machine | Execution | Internal use: BehaviorAnalytics
Anomalous Database Export Activity | Collection | Internal use: BehaviorAnalytics
Anomalous Database Vulnerability Baseline Removal | DefenseEvasion | Internal use: BehaviorAnalytics
Anomalous Entra High-Privilege Role Modification | Persistence | AuditLogs
Anomalous Failed Logon | CredentialAccess | SigninLogs; Internal use: BehaviorAnalytics
Anomalous First-Time Device Logon | InitialAccess, LateralMovement | Internal use: BehaviorAnalytics
Anomalous GCP IAM Activity | PrivilegeEscalation, Persistence, CredentialAccess | Internal use: BehaviorAnalytics
Anomalous Geo Location Logon | InitialAccess | Internal use: BehaviorAnalytics
Anomalous High-Privileged Role Assignment | Persistence | AuditLogs
Anomalous High-Score Activity Triage | - | Internal use: Anomalies
Anomalous Key Vault Modification by High-Privilege User | - | Internal use: BehaviorAnalytics
Anomalous Microsoft Entra ID Account Creation | Persistence | Internal use: BehaviorAnalytics
Anomalous Okta First-Time or Uncommon Actions | InitialAccess, CredentialAccess, Persistence | Internal use: BehaviorAnalytics
Anomalous Password Reset | Impact | Internal use: BehaviorAnalytics
Anomalous RDP Activity | LateralMovement | Internal use: BehaviorAnalytics
Anomalous Resource Access | LateralMovement | Internal use: BehaviorAnalytics
Anomalous Sign-in by New or Dormant Account | Persistence | SigninLogs; Internal use: BehaviorAnalytics
Anomalous action performed in tenant by privileged user | - | Internal use: BehaviorAnalytics
Anomalous connection from highly privileged user | - | Internal use: BehaviorAnalytics, IdentityInfo
Anomalous login activity originated from Botnet, Tor proxy or C2 | - | Internal use: BehaviorAnalytics
Anomaly Detection Trend Analysis | - | Internal use: Anomalies
Anomaly Template Distribution by Tactics and Techniques | - | Internal use: Anomalies
Dormant Local Admin Logon | PrivilegeEscalation | Internal use: BehaviorAnalytics
Dormant account activity from uncommon country | - | Internal use: BehaviorAnalytics
Top Anomalous Source IP Triage | - | Internal use: Anomalies
UEBA Multi-Source Anomalous Activity Overview | InitialAccess, CredentialAccess, Persistence, PrivilegeEscalation | Internal use: Anomalies
User-Centric Anomaly Investigation | - | Internal use: Anomalies

Workbooks

Name | Tables Used
UEBABehaviorsAnalysisWorkbook | SentinelBehaviorEntities, SentinelBehaviorInfo

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.0.6 | 10-02-2026 | Removed hardcoded PII-like sample values in the UEBA workbook by replacing specific "value" fields with empty strings
3.0.5 | 05-02-2026 | Resolved the UEBA Behaviors Analysis Workbook loading issue
3.0.4 | 29-01-2026 | Added new UEBA Behaviors Analysis Workbook to solution
3.0.3 | 24-11-2025 | Added new Hunting Queries
3.0.2 | 04-11-2025 | Enhance UEBA Essentials with multi-cloud detection capabilities
3.0.1 | 23-09-2024 | Updated query logic in Hunting Query [Anomalous Sign-in Activity]
3.0.0 | 07-11-2023 | Modified text as there is rebranding from Azure Active Directory to Microsoft Entra ID.
4.1.0 | 23-11-2025 | Added new hunting queries: User-Centric Anomaly Investigation, Anomaly Detection Trend Analysis, Anomaly Template Distribution, Anomalous High-Score Activity Triage, Top Anomalous Source IP Triage. Updated solution version.
