How to Use the UEBA Enrichments in Azure Sentinel

The UEBA feature of Azure Sentinel is continually being built out and improved, and there is some capability in it already that you should be aware of.

First off, there’s a great enrichment reference here: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/sentinel/ueba-enrichments.md

Using this reference, you can write queries against the enriched rows and columns that UEBA produces. Some of the dynamic fields are still being populated, but several columns already return useful data today.

To create your queries…

[1] Using the reference link above, use the BehaviorAnalytics table as the basis for your query.

[2] Locate the Field in the reference that you want to produce results from.

[3] Drop down to the associated Field table in the reference to see what enriched data it contains, and use the Enriched Name exactly as spelled there, as shown in the image and the example KQL query just below.

In my example, I'm using the BehaviorAnalytics table with the UsersInsights field (note the plural; this is the column name in the table) and the IsDormantAccount enrichment name.

In the KQL query example, I'm looking for dormant accounts and listing the activity recorded for them so I can see when they were last active. This is how you tie the Field and the Enrichment Name together in the KQL query: the field is a dynamic column, so you address the enrichment as a property of it, i.e., UsersInsights.IsDormantAccount

As noted in the reference link, the IsDormantAccount enrichment holds one of two values: true or false. In my query I'm trying to identify accounts that are dormant, so I compare against the boolean literal true. Don't compare against the string "true": the enrichment is stored as a boolean inside the dynamic column, and a string comparison will not match it.

Here’s the example query for you to try yourself.

// Dormant accounts flagged by UEBA, with every action recorded for them
BehaviorAnalytics
| where UsersInsights.IsDormantAccount == true
| project TimeGenerated, UserName, ActionType

Why is it good to identify dormant accounts?

In my example, activity on an account that UEBA has flagged as dormant is a strong indicator that the account could have been compromised and that the threat actor is waiting for just the right moment to come alive and compromise the rest of the environment.
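To turn that idea into a query, here is an added example (it is not the query from the post above) that finds dormant accounts that have shown activity within a lookback window and collapses the rows to one line per account: when it was last seen, what it did, from where, and the highest UEBA investigation priority it reached. It assumes the documented BehaviorAnalytics columns (UsersInsights, InvestigationPriority, UserPrincipalName, UserName, ActionType, SourceIPAddress, EventSource); the 14-day lookback and the ordering are my own choices, not anything the reference prescribes.

```kql
// Added example, not the original post's query.
// Assumes the documented BehaviorAnalytics columns: UsersInsights (dynamic),
// InvestigationPriority, UserPrincipalName, UserName, ActionType,
// SourceIPAddress, EventSource. The 14d lookback is an arbitrary choice.
let lookback = 14d;
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
// Enrichment values live inside a dynamic column; cast explicitly so this is a
// boolean test rather than a dynamic-vs-literal comparison.
| where tobool(UsersInsights.IsDormantAccount) == true
// arg_max keeps the listed columns from the most recent row for each account,
// while the other aggregates summarize everything seen in the window.
| summarize
    arg_max(TimeGenerated, ActionType, SourceIPAddress, EventSource, InvestigationPriority),
    EventCount = count(),
    MaxPriority = max(InvestigationPriority),
    SourceIPs = make_set(SourceIPAddress, 10)
    by UserPrincipalName, UserName
| project-rename LastSeen = TimeGenerated,
                 LastAction = ActionType,
                 LastSourceIP = SourceIPAddress,
                 LastSource = EventSource,
                 LastPriority = InvestigationPriority
| extend DaysSinceLastSeen = datetime_diff('day', now(), LastSeen)
| order by MaxPriority desc, LastSeen desc
```

Sorting by MaxPriority puts the dormant accounts that UEBA itself scored highest at the top, and the SourceIPs set makes it quick to spot an account that has only ever been used from one address suddenly appearing from another.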

As a course of action, I'd disable the user account and spend some time determining what the account has access to, whether the individual is still an actual employee, and how the account's last activity took place. I may eventually delete the account altogether, but I need to do the work first. This could simply be someone who is on medical leave.
