
Commit 5f201f1

committed
updates
1 parent bd0f4d9 commit 5f201f1

3 files changed

Lines changed: 28 additions & 14 deletions


articles/sentinel/entity-behaviors-layer.md

Lines changed: 7 additions & 7 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel (Preview)
2+
title: Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel
33
description: The Microsoft Sentinel UEBA behaviors layer translates security telemetry into normalized behavioral patterns for investigation, hunting, and detection engineering.
44
author: guywi-ms
55
ms.author: guywild
@@ -10,7 +10,7 @@ ms.service: microsoft-sentinel
1010
#Customer intent: As a security analyst, I want to use the UEBA behaviors layer to translate raw security telemetry into human-readable patterns with MITRE ATT&CK context for faster threat detection and investigation.
1111
---
1212

13-
# Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel (Preview)
13+
# Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel
1414

1515
The User and Entity Behavior Analytics (UEBA) behavior layer in Microsoft Sentinel aggregates and summarizes high-volume raw logs into clear, plain-language patterns of security actions, explaining “who did what to whom” in a structured way.
1616

@@ -189,7 +189,7 @@ Behaviors simplify rule logic by providing normalized, high‑quality signals wi
189189
The list of supported data sources and vendors or services that send logs to these data sources is evolving.
190190
The UEBA behaviors layer automatically aggregates insights for all supported vendors based on the logs you collect.
191191
192-
During public preview, the UEBA behaviors layer focuses on these non-Microsoft data sources that traditionally lack easy behavioral context in Microsoft Sentinel:
192+
The UEBA behaviors layer currently focuses on these non-Microsoft data sources that traditionally lack easy behavioral context in Microsoft Sentinel:
193193
194194
| Data source | Supported vendors, services, and logs | Connector | Supported behaviors |
195195
|-------------|---------------------------|-------|----------------|
@@ -241,13 +241,13 @@ To enable the UEBA behaviors layer in your workspace:
241241
1. Select **Connect**.
242242
243243
> [!IMPORTANT]
244-
> During public preview, you can only enable behaviors in a single workspace in your tenant.
244+
> You can currently enable behaviors in a single workspace in your tenant.
245245
246246
## Pricing model
247247
248248
Using the UEBA behaviors layer results in the following costs:
249249
250-
- **No extra license cost:** Behaviors are included as part of Microsoft Sentinel (currently in preview). You don’t need a separate SKU, UEBA add‑on, or additional licensing. If your workspace is connected to Sentinel and onboarded to the Defender portal, you can use behaviors at no extra feature cost.
250+
- **No extra license cost:** Behaviors are included as part of Microsoft Sentinel. You don’t need a separate SKU, UEBA add‑on, or additional licensing. If your workspace is connected to Sentinel and onboarded to the Defender portal, you can use behaviors at no extra feature cost.
251251
252252
- **Log data ingestion charges:** Behavior records are stored in the `SentinelBehaviorInfo` and `SentinelBehaviorEntities` tables in your Sentinel workspace. Each behavior contributes to your workspace’s data ingestion volume and is billed at your existing Log Analytics/Sentinel ingestion rate. Behaviors are additive - they don’t replace your existing raw logs.
253253
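Review bot: the rewritten IMPORTANT note at line 244 drops the word "only", so "You can currently enable behaviors in a single workspace in your tenant" now reads like a capability rather than a restriction, while the Limitations bullet later in this file still states it as a limit. Suggest "You can currently enable behaviors in only one workspace in your tenant." to keep the restriction explicit.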
@@ -323,9 +323,9 @@ For more information about Kusto Query Language (KQL), see [Kusto query language
323323
- **I see fewer behaviors than expected**: Our coverage of supported behavior types is partial and growing. For more information, see [Supported data sources and behaviors](#supported-data-sources-and-behaviors). The UEBA behaviors layer might also not be able to detect a behavior pattern if there are very few instances of a specific behavior type.
324324
- **Behavior counts**: A single behavior might represent tens or hundreds of raw events - this is designed to reduce noise.
325325

326-
## Limitations in public preview
326+
## Limitations
327327

328-
These limitations apply during the public preview of the UEBA behaviors layer:
328+
These limitations currently apply to the UEBA behaviors layer:
329329

330330
- You can enable behaviors on a single Sentinel workspace per tenant.
331331
- The UEBA behaviors layer generates behaviors for a limited set of [supported data sources and vendors or services](#supported-data-sources-and-behaviors).
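Review bot: renaming the heading at line 326 from "## Limitations in public preview" to "## Limitations" changes its anchor from `#limitations-in-public-preview` to `#limitations`; any link to the old anchor in this article or in other articles will break, so search the docs set for the old anchor before merging.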

articles/sentinel/identify-threats-with-entity-behavior-analytics.md

Lines changed: 7 additions & 7 deletions
@@ -72,11 +72,11 @@ This table provides an overview of the data in each of the UEBA tables:
7272
| [BehaviorAnalytics](/azure/azure-monitor/reference/tables/behavioranalytics) | Enriched behavioral data with geolocation and threat intelligence | Contains deviations from baseline with prioritization scores. Data depends on enabled connectors (Entra ID, AWS, GCP, Okta, and so on). |
7373
| [UserPeerAnalytics](/azure/azure-monitor/reference/tables/userpeeranalytics) | Dynamically calculated peer groups for behavioral baselines | Ranks top 20 peers based on security group membership, mailing lists, and other associations. Uses TF-IDF (term frequency–inverse document frequency) algorithm (smaller groups carry higher weight). |
7474
| [Anomalies](/azure/azure-monitor/reference/tables/anomalies) | Events identified as anomalous | Supports detection and investigation workflows. |
75-
| [SentinelBehaviorInfo](/azure/azure-monitor/reference/tables/sentinelbehaviorinfo) (Preview) | Summary of behaviors identified in raw logs | Translates raw security logs into structured "who did what to whom" summaries with natural language explanations and MITRE ATT&CK mappings. |
76-
| [SentinelBehaviorEntities](/azure/azure-monitor/reference/tables/sentinelbehaviorentities) (Preview) | Profiles of entities involved in identified behaviors | Information about entities - such as files, processes, devices, and users - involved in detected behaviors. |
75+
| [SentinelBehaviorInfo](/azure/azure-monitor/reference/tables/sentinelbehaviorinfo) | Summary of behaviors identified in raw logs | Translates raw security logs into structured "who did what to whom" summaries with natural language explanations and MITRE ATT&CK mappings. |
76+
| [SentinelBehaviorEntities](/azure/azure-monitor/reference/tables/sentinelbehaviorentities) | Profiles of entities involved in identified behaviors | Information about entities - such as files, processes, devices, and users - involved in detected behaviors. |
7777

7878
> [!NOTE]
79-
> The [UEBA behaviors layer](#aggregate-behavior-insights-with-the-ueba-behaviors-layer-preview) is a separate capability that you enable independently from UEBA. The `SentinelBehaviorInfo` and `SentinelBehaviorEntities` tables are only created in your workspace if you enable the behaviors layer.
79+
> The [UEBA behaviors layer](#aggregate-behavior-insights-with-the-ueba-behaviors-layer) is a separate capability that you enable independently from UEBA. The `SentinelBehaviorInfo` and `SentinelBehaviorEntities` tables are only created in your workspace if you enable the behaviors layer.
8080
8181
This screenshot shows an example of data in the `UserPeerAnalytics` table with the eight highest-ranked peers for the user Kendall Collins. Sentinel uses the TF-IDF algorithm to normalize weights when calculating peer ranks. Smaller groups carry higher weight.
8282

@@ -123,15 +123,15 @@ The Defender portal home page includes a UEBA widget where analysts immediately
123123

124124
### UEBA insights in user investigations
125125

126-
Analysts can quickly assess user risk using UEBA context displayed in side panels and the **Overview** tab on all user pages. When unusual behavior is detected, the portal automatically tags users with **UEBA anomalies** helping prioritize investigations based on recent activity. For more information, see [User entity page in Microsoft Defender](https://aka.ms/ueba-entity-details).
126+
Analysts can quickly assess user risk using UEBA context displayed in side panels and the **Overview** tab on all user pages in the Defender portal. When unusual behavior is detected, the portal automatically tags users with **UEBA anomalies** helping prioritize investigations based on recent activity. For more information, see [User entity page in Microsoft Defender](https://aka.ms/ueba-entity-details).
127127

128128
Each user page includes a **Top UEBA anomalies** section, showing the top three anomalies from the past 30 days, along with direct links to pre-built anomaly queries and the Sentinel events timeline for deeper analysis.
129129

130130
:::image type="content" source="media/identify-threats-with-entity-behavior-analytics/entity-behavior-analytics-user-investigations.png" alt-text="Screenshot that shows the overview tab of the User page for a user with UEBA anomalies in the past 30 days." lightbox="media/identify-threats-with-entity-behavior-analytics/entity-behavior-analytics-user-investigations.png":::
131131

132132
### Built-in user anomaly queries in incident investigations
133133

134-
During incident investigations, analysts can launch built-in queries directly from incident graphs to retrieve all user anomalies related to the case.
134+
During incident investigations, analysts can launch built-in queries directly from incident graphs in the Defender portal to retrieve all user anomalies related to the case.
135135

136136
:::image type="content" source="media/identify-threats-with-entity-behavior-analytics/entity-behavior-analytics-incident-investigations.png" alt-text="Screenshot that shows an incident graph, highlighting the Go hunt All user anomalies option, which allows analysts to quickly find all anomalies related to the user." lightbox="media/identify-threats-with-entity-behavior-analytics/entity-behavior-analytics-incident-investigations.png":::
137137

@@ -149,7 +149,7 @@ For more information, see:
149149
- [UEBA data sources](ueba-reference.md#ueba-data-sources).
150150
- [Anomalies detected by the Microsoft Sentinel machine learning engine](anomalies-reference.md).
151151

152-
## Aggregate behavior insights with the UEBA behaviors layer (Preview)
152+
## Aggregate behavior insights with the UEBA behaviors layer
153153

154154
While UEBA builds baseline profiles to detect anomalous activity, the new UEBA behaviors layer aggregates related events from high-volume raw security logs into clear, structured, meaningful behaviors that explain "who did what to whom" at a glance.
155155

@@ -160,7 +160,7 @@ The behaviors layer enriches raw logs with:
160160

161161
By converting fragmented logs into coherent behavior objects, the behaviors layer accelerates threat hunting, simplifies detection authoring, and provides richer context for UEBA anomaly detection. Together, these capabilities help analysts quickly understand not just *that* something anomalous happened, but *what* happened and *why* it matters.
162162

163-
For more information, see [Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel (Preview)](entity-behaviors-layer.md).
163+
For more information, see [Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel](entity-behaviors-layer.md).
164164

165165
## Pricing model
166166

articles/sentinel/whats-new.md

Lines changed: 14 additions & 0 deletions
@@ -20,6 +20,20 @@ The listed features were released in the last six months. For information about
2020

2121
## February 2026
2222

23+
### UEBA behaviors layer is now generally available
24+
25+
The UEBA behaviors layer in Microsoft Sentinel is now generally available, summarizing clear, human‑readable behavioral insights from high-volume, raw security logs. The behaviors layer aggregates and sequences related events into normalized behaviors, helping analysts more quickly understand who did what to whom without manually correlating raw logs. For more information, see [Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel](../sentinel/entity-behaviors-layer.md).
26+
27+
To help SOC teams get value from behaviors from day one, the Behaviors Workbook includes guided views and pre‑built, customizable analytics that turn rich behavioral data into actionable insights across three core SOC workflows:
28+
29+
- **Overview**: High‑level metrics and trends that give SOC managers and leadership quick situational awareness
30+
- **Investigation**: Deep‑dive, entity‑centric timelines that help analysts accelerate incident response
31+
- **Hunting**: Proactive threat discovery for threat hunters using anomaly detection and attack‑chain analysis
32+
33+
For more information about the workbook, see the [Microsoft Sentinel Behaviors Workbook blog post](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/introducing-the-microsoft-sentinel-ueba-behaviors-workbook/4448398).
34+
35+
###
36+
2337
[Generate playbooks using AI in Microsoft Sentinel](./automation/generate-playbook.md) (preview): The SOAR playbook generator creates python based automation workflows coauthored through a conversational experience with Cline, an AI coding agent. For more information, see [the Playbook Generation blog post](https://aka.ms/PlaybookGenBlog).
2438

2539
## January 2026
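Review bot: the added line 35 is an empty `###` heading, which renders as a blank heading and leaves the existing playbook-generator entry at line 37 sitting under it with no title; either give that entry a proper heading (for example "### Generate playbooks using AI (preview)") or drop the stray `###`. Also, the link at line 25 uses `../sentinel/entity-behaviors-layer.md`, which leaves and re-enters the same directory; the sibling link at line 37 uses `./automation/generate-playbook.md`, so `entity-behaviors-layer.md` would be the consistent form.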
