Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel

Important

Attention: All Microsoft Sentinel features will be officially retired in Azure in China regions on August 18, 2026 per the announcement posted by 21Vianet.

User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel analyzes logs and alerts from connected data sources to build baseline behavioral profiles of your organization's entities, such as users, hosts, IP addresses, and applications. Using machine learning, UEBA identifies anomalous activity that may indicate a compromised asset.

You can enable User and Entity Behavior Analytics:

  • From the Microsoft Sentinel workspace settings: Enable UEBA for your workspace and select which data sources to connect in the Microsoft Defender portal or Azure portal. This article explains how to enable UEBA and configure data sources.

For more information about UEBA, see Identify threats with entity behavior analytics.

Prerequisites

To enable or disable this feature (these prerequisites aren't required to use the feature):

  • Your user must be assigned to the Microsoft Entra ID Security Administrator role in your tenant or the equivalent permissions.

  • Your user must be assigned at least one of the following Azure roles (Learn more about Azure RBAC):

    • Owner at the resource group level or above.
    • Contributor at the resource group level or above.
    • (Least privileged) Microsoft Sentinel Contributor at the workspace level or above and Log Analytics Contributor at the resource group level or above.
  • Your workspace must not have any Azure resource locks applied to it. Learn more about Azure resource locking.

Note

  • No special license is required to add UEBA functionality to Microsoft Sentinel, and there's no extra cost for using it.
  • However, since UEBA generates new data and stores it in new tables that UEBA creates in your Log Analytics workspace, additional data storage charges apply.

Enable UEBA from workspace settings

To enable UEBA from your Microsoft Sentinel workspace settings:

  1. Go to the Entity behavior configuration page.

    Use any one of these three ways to get to the Entity behavior configuration page:

    • Select Entity behavior from the Microsoft Sentinel navigation menu, then select Entity behavior settings from the top menu bar.

    • Select Settings from the Microsoft Sentinel navigation menu, select the Settings tab, then under the Entity behavior analytics expander, select Set UEBA.

  2. On the Entity behavior configuration page, toggle on Turn on UEBA feature.

    Screenshot of UEBA configuration settings.

  3. Select the directory services from which you want to synchronize user entities with Microsoft Sentinel.

    • Active Directory on-premises (Preview)
    • Microsoft Entra ID

    To sync user entities from on-premises Active Directory, you must onboard your Azure tenant to Microsoft Defender for Identity and you must have the MDI sensor installed on your Active Directory domain controller. For more information, see Microsoft Defender for Identity prerequisites.

  4. Select Connect all data sources to connect all eligible data sources, or select specific data sources from the list.

    You can only enable these data sources:

    • Signin Logs
    • Audit Logs
    • Azure Activity
    • Security Events

    For more information about UEBA data sources and anomalies, see Microsoft Sentinel UEBA reference.

    Note

    After enabling UEBA, you can enable supported data sources for UEBA directly from the data connector pane, as described in this article.

  5. Select Connect.
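The same configuration can be applied outside the portal. The following is an added example, not Microsoft's code and not from this page: it builds the EntityAnalytics (step 3) and Ueba (step 4) settings payloads, PUTs them to the Microsoft Sentinel settings REST API, and checks a fetched Ueba setting for eligible data sources that are still unconnected. The URL shape, api-version and enum names are assumptions taken from the Sentinel REST API, not from this page; verify them against the current API reference before use.

```python
# Added example (not Microsoft's code): apply the settings this page configures in
# the portal through the Microsoft Sentinel settings REST API instead, so they are
# repeatable and auditable. The URL shape, api-version and enum names are
# assumptions taken from the Sentinel REST API, not from this page; verify them.
import json
import urllib.request

# Display names used on this page -> API enum values (assumed).
UEBA_DATA_SOURCES = {"Signin Logs": "SigninLogs", "Audit Logs": "AuditLogs",
                     "Azure Activity": "AzureActivity", "Security Events": "SecurityEvent"}
ENTITY_PROVIDERS = {"Active Directory": "ActiveDirectory",
                    "Microsoft Entra ID": "AzureActiveDirectory"}

def _to_enum(names, table, what):
    unknown = [n for n in names if n not in table]
    if unknown:
        raise ValueError("not an eligible %s: %s" % (what, unknown))
    return [table[n] for n in names]

def settings_url(subscription_id, resource_group, workspace, kind, api_version="2023-02-01"):
    """ARM URL of one Sentinel settings resource; kind is 'Ueba' or 'EntityAnalytics'."""
    return ("https://management.azure.com/subscriptions/%s/resourceGroups/%s"
            "/providers/Microsoft.OperationalInsights/workspaces/%s"
            "/providers/Microsoft.SecurityInsights/settings/%s?api-version=%s"
            % (subscription_id, resource_group, workspace, kind, api_version))

def entity_analytics_payload(display_names):
    """Step 3: directory services to synchronize user entities from."""
    return {"kind": "EntityAnalytics", "properties": {
        "entityProviders": _to_enum(display_names, ENTITY_PROVIDERS, "directory service")}}

def ueba_payload(display_names):
    """Step 4: the eligible data sources to connect (any subset of the four)."""
    return {"kind": "Ueba", "properties": {
        "dataSources": _to_enum(display_names, UEBA_DATA_SOURCES, "UEBA data source")}}

def unconnected_sources(ueba_setting):
    """Drift check on a GET of the Ueba setting: eligible sources not yet connected."""
    connected = set(ueba_setting.get("properties", {}).get("dataSources", []))
    return [n for n, e in UEBA_DATA_SOURCES.items() if e not in connected]

def put_setting(url, bearer_token, payload):
    """PUT one payload; get the token from your own sign-in flow (e.g. az account get-access-token)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="PUT",
                                 headers={"Authorization": "Bearer " + bearer_token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Because UEBA writes to new tables in the workspace, run `unconnected_sources` against a periodic GET of the Ueba setting to catch connectors that were silently removed or never enabled.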

Next steps

In this article, you learned how to enable and configure User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel. For more information about UEBA: