5.2 Investigation, UEBA & Threat Intelligence

Key Takeaways

  • User and Entity Behavior Analytics (UEBA) baselines normal behavior per user, host, and IP and surfaces anomalies as enriched insights and a behavioral score, not standalone alerts
  • Entity pages give a timeline-driven 360-degree view of an account, host, IP, or Azure resource, consolidating alerts, activities, and UEBA insights for fast investigation
  • Threat intelligence is ingested through TI connectors (TAXII, Microsoft Defender Threat Intelligence, the Upload Indicators API) and stored as indicators of compromise in the ThreatIntelligenceIndicator table
  • The built-in Microsoft Defender Threat Intelligence Analytics rule (rule type: Threat Intelligence) and the "TI map" scheduled rule templates correlate indicators against logs to raise high-fidelity incidents; ingestion alone never creates an incident
  • Workbooks provide interactive, visual investigation dashboards built on KQL and are the recommended way to monitor TI ingestion and investigation coverage
Last updated: May 2026

Investigating Beyond a Single Alert

Real investigations require context that no single alert carries. SC-200 expects you to know the three context engines Microsoft Sentinel provides: UEBA for behavioral anomalies, entity pages for a consolidated object view, and threat intelligence for known-bad correlation. Workbooks then visualize all of it.

User and Entity Behavior Analytics (UEBA)

User and Entity Behavior Analytics (UEBA) is a Sentinel feature that uses machine learning to build a behavioral baseline for each user, host, and IP from connected data sources (Microsoft Entra ID sign-in and audit logs, Azure Activity, Windows security events). It then scores each new activity by how far it deviates from that baseline, both against the entity's own history and against its peers.

Key facts the exam tests:

  • UEBA must be enabled in Sentinel settings and bound to specific data sources before it produces insights.
  • UEBA does not generate its own incidents by default. It writes enrichment to the BehaviorAnalytics table and surfaces an investigation priority score and insights (for example, "first time user signed in from this country").
  • You operationalize UEBA by writing analytics rules or hunting queries against BehaviorAnalytics, or by reading its insights on the entity page.
UEBA concept and what it provides:
  • Behavioral baseline: per-entity model of normal activity
  • Investigation priority score: ranks anomalous activity for triage
  • Anomaly insights: plain-language reasons (rare country, unusual resource)
  • BehaviorAnalytics table: KQL-queryable enrichment for rules and hunting
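
The query below is an added example, not code from the page or from Microsoft: it shows how UEBA is operationalized as a scheduled analytics rule (or hunting query) over BehaviorAnalytics, turning the priority score and the insight flags into an alert that already carries its plain-language reason. Column names are the documented BehaviorAnalytics schema; the insight property names inside ActivityInsights and UsersInsights, the priority threshold of 7, and the BlastRadius value "High" are assumptions to check against your own tenant's data.

```kql
// Added example (not from the page): operationalizing UEBA enrichment as a
// scheduled rule. Assumptions: InvestigationPriority threshold, the insight
// property names, and BlastRadius == "High" as the high-impact marker.
BehaviorAnalytics
| where TimeGenerated > ago(1d)
| where InvestigationPriority >= 7          // UEBA score on a 0-10 scale; tune per tenant
// ActivityInsights is a property bag of insight-name -> boolean. Expand it to one
// row per insight, parse the single-key bag, and keep only insights that fired,
// so the resulting alert explains *why* the activity is anomalous.
| mv-expand Insight = ActivityInsights
| parse tostring(Insight) with '{"' InsightName '":' InsightValue '}'
| where InsightValue == "true"
| summarize Reasons = make_set(InsightName),
            MaxPriority = max(InvestigationPriority),
            Activities = count(),
            SourceIPs = make_set(SourceIPAddress),
            Locations = make_set(SourceIPLocation),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName,
       BlastRadius = tostring(UsersInsights.BlastRadius),   // assumed values: High/Medium/Low
       IsDormant = tobool(UsersInsights.IsDormantAccount)
// Raise the bar for ordinary accounts: they need two independent reasons, while a
// high blast radius or a dormant account alerts on a single anomaly.
| where array_length(Reasons) >= 2 or BlastRadius == "High" or IsDormant == true
| order by MaxPriority desc
```

In the rule wizard, map the Account entity to UserPrincipalName and the IP entity to SourceIPs so the incident links straight to the entity pages. Because UEBA writes enrichment rather than incidents, a query like this (or reading the insights on the entity page) is the only way the score ever reaches an analyst's queue.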

Entity Pages

An entity page is a dedicated, timeline-driven profile for a single Account, Host, IP, or Azure resource. From any alert, incident, or graph node you can drill into the entity page to see, in one place:

  • All alerts and incidents involving the entity
  • A behavioral timeline of activities
  • UEBA insights and the investigation priority score
  • Threat intelligence matches on the entity (for IPs/URLs)

Entity pages are the fastest way to answer "is this account compromised?" because they aggregate cross-source signal without your writing a query. Active-screen exam items often show an entity page and ask you to locate the time picker (which scopes the timeline and alert list) or the insights pane.

flowchart TD
  A[Incident] --> B[Entities tab]
  B --> C[Open Account entity page]
  C --> D[Alerts + incidents history]
  C --> E[Activity timeline]
  C --> F[UEBA insights + priority score]
  C --> G[TI matches]

Threat Intelligence in Microsoft Sentinel

Threat intelligence (TI) is curated data about known adversary infrastructure and tooling — malicious IPs, domains, URLs, and file hashes — expressed as indicators of compromise (IOCs). Sentinel ingests TI and correlates it against your logs to raise high-fidelity detections.

TI Ingestion Paths

Connector or path, and what to use it for:
  • Threat Intelligence – TAXII: pull indicators from any STIX/TAXII 2.x feed (ISACs, commercial feeds)
  • Microsoft Defender Threat Intelligence (MDTI): ingest Microsoft's curated and premium threat intelligence
  • Threat Intelligence Upload Indicators API: programmatically push your own or partner indicators (STIX format)
  • Threat intelligence platforms (legacy Graph Security API): older push path; prefer the Upload Indicators API for new work

Ingested indicators land in the ThreatIntelligenceIndicator table and appear in the Threat Intelligence blade, where you can search, tag, and add indicators manually. Each indicator carries an Active flag and an ExpirationDateTime; an indicator that is inactive or expired is still in the table but should not match. Newer workspaces are moving to the ThreatIntelIndicator and ThreatIntelObjects tables, so confirm which table your workspace populates before you write rules against it.

TI Matching

Ingesting indicators does nothing on its own — you must match them against telemetry:

  • The built-in Microsoft Defender Threat Intelligence Analytics rule (rule type: Threat Intelligence, not a Microsoft security incident-creation rule) matches Microsoft's own indicators against logs such as CommonSecurityLog, Syslog, and DnsEvents. For the indicators you ingest yourself, enable the "TI map" scheduled rule templates (for example, TI map IP entity to SigninLogs), which join ThreatIntelligenceIndicator against the named table.
  • A match creates an alert/incident enriched with the matched indicator, so the analyst immediately sees why it is malicious and the TI source.

Exam trap: "Indicators are ingested but no incidents fire." The missing step is almost always an analytics rule that matches TI against logs — ingestion and matching are separate.
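
The following is an added example, not the page's code and not one of Microsoft's rule templates verbatim: it shows the shape of a "TI map" scheduled rule that joins IP indicators from ThreatIntelligenceIndicator to successful Entra ID sign-ins, including the Active and expiry filtering that the exam trap above turns on. Column names follow the documented ThreatIntelligenceIndicator and SigninLogs schemas; the two look-back windows are assumptions.

```kql
// Added example (not from the page): a TI map scheduled rule, IP indicators -> SigninLogs.
// Assumptions: the 14d indicator look-back and the 1h telemetry window.
let ioc_lookBack = 14d;   // how far back to collect indicators
let dt_lookBack = 1h;     // set the rule to run every 1h with a 1h lookup period
let ti_ips =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    // Ingestion is not matching: stale or deactivated indicators must be dropped
    // here, or the rule raises incidents on intelligence the source has withdrawn.
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
    | extend TI_IP = iff(isnotempty(NetworkIP), NetworkIP, NetworkSourceIP)
    // Sources re-send an indicator on update; keep only its latest version.
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorId, TI_IP, ConfidenceScore, ThreatType, Description,
              SourceSystem, IndicatorTime = TimeGenerated;
ti_ips
// innerunique keeps one indicator row per TI_IP, so an IP listed by several
// sources does not produce duplicate alerts.
| join kind=innerunique (
    SigninLogs
    | where TimeGenerated >= ago(dt_lookBack)
    | where ResultType == "0"                 // successful sign-ins only
    | project SigninTime = TimeGenerated, UserPrincipalName, IPAddress,
              AppDisplayName, Location
  ) on $left.TI_IP == $right.IPAddress
// Carry the indicator's description and source into the alert, so the analyst
// sees why the IP is malicious without leaving the incident.
| summarize SigninCount = count(),
            Apps = make_set(AppDisplayName),
            FirstSignin = min(SigninTime),
            LastSignin = max(SigninTime)
    by UserPrincipalName, IPAddress, IndicatorId, SourceSystem,
       ThreatType, ConfidenceScore, Description
| order by ConfidenceScore desc
```

Save it as a scheduled rule with entity mapping Account -> UserPrincipalName and IP -> IPAddress; the matched indicator then appears on the incident and on both entity pages. Removing the Active and ExpirationDateTime filter is the most common way such a rule turns from high-fidelity into noise.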

Workbooks for Investigation

Workbooks are interactive, KQL-backed dashboards in Sentinel. For investigation they:

  • Visualize incident volume, MITRE ATT&CK coverage, and analyst workload
  • Track TI ingestion freshness and indicator match rates
  • Let an analyst pivot interactively (parameters, drill-down) without writing KQL each time

Workbooks are visualization and monitoring, not detection. If a scenario needs an alert, the answer is an analytics rule; if it needs a visual investigation view or coverage report, the answer is a workbook.
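
As an added example (not from the page or from Microsoft's TI workbook), this is the kind of KQL a workbook grid runs to track TI ingestion freshness per source, the monitoring job the takeaways assign to workbooks rather than to analytics rules. Column names come from the ThreatIntelligenceIndicator schema; the 30-day window and the "stale after 24 hours" threshold are assumptions.

```kql
// Added example (not from the page): workbook query for TI ingestion health by source.
// Assumptions: 30d window, 24h staleness threshold.
ThreatIntelligenceIndicator
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by IndicatorId      // latest version per indicator
| extend IndicatorType = case(isnotempty(NetworkIP) or isnotempty(NetworkSourceIP), "ip",
                              isnotempty(DomainName), "domain",
                              isnotempty(Url), "url",
                              isnotempty(FileHashValue), strcat("hash:", FileHashType),
                              "other"),
         Status = case(Active == false, "Inactive",
                       ExpirationDateTime <= now(), "Expired",
                       "Usable")
| summarize Indicators = count(),
            Usable = countif(Status == "Usable"),
            Expired = countif(Status == "Expired"),
            Inactive = countif(Status == "Inactive"),
            Types = make_set(IndicatorType),
            LastIngested = max(TimeGenerated)
    by SourceSystem
| extend HoursSinceLastIngest = datetime_diff('hour', now(), LastIngested),
         UsablePct = round(100.0 * Usable / Indicators, 1)
// A feed that has gone quiet or whose indicators have all expired is "Stale":
// it still shows rows in the table, which is exactly why ingestion looks fine
// while no incidents fire.
| extend Health = iff(HoursSinceLastIngest > 24 or Usable == 0, "Stale", "OK")
| order by Health asc, HoursSinceLastIngest desc
```

Render it as a grid with conditional formatting on Health, and add a time-range parameter so the 30d window becomes a workbook control. If a stale feed should page someone, that is a scheduled analytics rule running the same query, not the workbook.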

Test Your Knowledge

A SOC has connected a STIX/TAXII feed and indicators are visible in the ThreatIntelligenceIndicator table, but no incidents are being raised from them. What is the most likely missing step?

Test Your Knowledge

Which statement about Microsoft Sentinel UEBA is correct?

Test Your Knowledge (Multi-Select)

Which of the following are valid ways to ingest threat intelligence indicators into Microsoft Sentinel? (Select all that apply.)


Threat Intelligence – TAXII data connector
Microsoft Defender Threat Intelligence connector
Threat Intelligence Upload Indicators API
Manually adding an indicator in the Threat Intelligence blade
Enabling UEBA in Sentinel settings