Microsoft Sentinel Gets AI-Based UEBA Behaviors Layer to Simplify Threat Detection

A new UEBA layer helps security teams make sense of complex activity patterns.


Key Takeaways:

  • The latest update adds an AI-powered UEBA Behaviors layer in Microsoft Sentinel to add context to fragmented security data.
  • It helps analysts detect and investigate threats faster by reducing manual log correlation.
  • Currently in preview, with availability tied to existing Sentinel data ingestion and pricing models.

Microsoft is simplifying security operations with the launch of a new UEBA Behaviors layer in Microsoft Sentinel. This new AI-powered feature is designed to help security teams quickly understand complex activity patterns to speed up the threat detection and investigation process.

Security teams often struggle with the overwhelming volume and complexity of raw logs coming from multiple sources like firewalls, cloud platforms, and identity systems. These logs are often fragmented and lack context, which makes it difficult to track user or entity activity. Consequently, analysts spend significant time manually correlating events, which slows down detection and increases the risk of missing critical threats.

How does the behaviors layer transform logs into contextual insights?

In Microsoft Sentinel, the new User and Entity Behavior Analytics (UEBA) Behaviors layer converts raw, fragmented logs into structured, human-readable insights that describe what happened in clear terms. It uses AI to aggregate and sequence related events, map them to entities, and tag them with MITRE ATT&CK tactics, which produces a contextual view of user or system activity.

These behaviors are stored in dedicated tables for real-time detection and investigation. This allows analysts to quickly trace patterns, hunt threats, and build detection rules without combing through thousands of individual logs.

“The UEBA behaviors layer stores behavior records in two dedicated tables, integrating seamlessly with your existing workflows for detection rules, investigations, and incident analysis. It processes all types of security activity – not just suspicious events – and provides comprehensive visibility into both normal and anomalous behavior patterns,” Microsoft explained.

How to enable the UEBA behaviors layer in Microsoft Sentinel?

To enable the Behaviors layer in Microsoft Sentinel, administrators need to follow the steps listed below:

  • Head over to the Defender portal and select System > Settings > Microsoft Sentinel > SIEM workspaces.
  • Choose the Sentinel workspace to enable the UEBA behaviors layer.
  • Select Enable behavior analytics > Configure UEBA, and then click the “New! Behaviors layer” option.
  • Turn on the “Enable Behaviors layer” toggle button.
  • Now, click “Connect all data sources” or select the specific data sources from the list.
  • Finally, select “Connect” to apply the changes.

Enable the UEBA behaviors layer (Image Credit: Microsoft)

Use cases for security analysts, hunters, and engineers

The new Behaviors layer offers several practical use cases for security teams. Investigators can quickly reconstruct a user’s activity timeline without going through thousands of raw logs, which makes incident analysis faster. Threat hunters can use MITRE-tagged behaviors to identify stealthy attacks such as credential misuse or lateral movement across cloud environments. Detection engineers also benefit by building rules on normalized behavior patterns rather than on fragmented events.
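The detection-engineering and hunting use cases above, as an added KQL example that is not from the article or from Microsoft's documentation: an analytics-rule style query that flags a user whose behaviors span several ATT&CK tactics inside one hour and attaches the hosts and IPs involved. It assumes the two behavior tables are named BehaviorInfo (one row per behavior, with Categories holding the tactic tags) and BehaviorEntities (one row per entity in a behavior), joined on BehaviorId, and that the column names below match your workspace schema.

```kql
// Added example (not the article's or Microsoft's own query).
// Assumed tables: BehaviorInfo and BehaviorEntities, joined on BehaviorId.
// Assumed columns: Timestamp, AccountUpn, Categories (dynamic array of
// ATT&CK tactics), EntityType, DeviceName, RemoteIP. Verify against your
// workspace schema before saving this as an analytics rule.
let lookback = 1d;
let window = 1h;
let min_tactics = 3;   // tune: distinct tactics in one window worth alerting on
// Step 1: per user and per hour, collect the set of tactics their behaviors covered
let noisy_users = BehaviorInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(AccountUpn)
    | mv-expand Tactic = Categories to typeof(string)
    | summarize Tactics = make_set(Tactic),
                Behaviors = make_set(BehaviorId),
                BehaviorCount = count()
        by AccountUpn, Window = bin(Timestamp, window)
    | where array_length(Tactics) >= min_tactics;
// Step 2: enrich each hit with the machines and IPs those behaviors touched,
// so the alert already carries the context an investigator would look up next
noisy_users
| mv-expand BehaviorId = Behaviors to typeof(string)
| join kind=leftouter (
    BehaviorEntities
    | where EntityType in ("Machine", "Ip")   // assumed entity type labels
    | project BehaviorId, Entity = coalesce(DeviceName, RemoteIP)
  ) on BehaviorId
| summarize Tactics = take_any(Tactics),
            BehaviorCount = take_any(BehaviorCount),
            Entities = make_set(Entity)
    by AccountUpn, Window
| order by array_length(Tactics) desc, Window desc
```

Run it first as a hunting query to pick a min_tactics threshold that fits your environment's normal behavior volume, then schedule it as an analytics rule with the lookback matching its run frequency.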

Microsoft Sentinel’s new UEBA Behaviors layer is currently in preview, and it’s billed as part of the overall Sentinel pricing based on data ingestion and storage in Log Analytics. Organizations can choose between the flexible Pay-As-You-Go or commitment tiers, and enjoy a 31-day free trial covering up to 10 GB/day of ingested analytics logs.