articles/sentinel/entity-behaviors-layer.md
7 additions & 6 deletions
@@ -29,7 +29,7 @@ This article explains how the UEBA behaviors layer works, how to enable the beha
29
29
30
30
Behaviors are part of Microsoft Sentinel’s [User and Entity Behavior Analytics (UEBA)](../sentinel/identify-threats-with-entity-behavior-analytics.md) capabilities, providing normalized, contextualized activity summaries that complement anomaly detection and enrich investigations.
31
31
32
-
### Differences between behaviors, anomalies, and alerts
32
+
### Compare behaviors, anomalies, and alerts
33
33
This table shows how behaviors differ from anomalies and alerts:
34
34
35
35
|**Capability**|**What it represents**|**Purpose**|
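Review bot: The heading rename at new line 32 changes the generated anchor from `#differences-between-behaviors-anomalies-and-alerts` to `#compare-behaviors-anomalies-and-alerts`, and nothing in this change updates links that may point at the old one. Search this article and the rest of the Sentinel docs for the old fragment before merging, and update any links that still use it. The lead-in under the heading still reads "This table shows how behaviors differ from anomalies and alerts", which is fine with the new title and needs no change.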
@@ -56,6 +56,12 @@ Each behavior record includes:
56
56
-**MITRE ATT&CK mapping**: Every behavior is tagged with relevant MITRE tactics and techniques, providing industry-standard context at a glance. You don't just see *what* happened, but also *how it fits* in an attack framework or timeline.
57
57
-**Entity relationship mapping**: Each behavior identifies involved entities (users, hosts, IP addresses) and their roles (actor, target, or other).
58
58
59
+
### The behaviors abstraction layer
60
+
61
+
This diagram illustrates how the UEBA behaviors layer transforms raw logs into structured behavior records that enhance security operations:
62
+
63
+
:::image type="content" source="media/entity-behaviors-layer/entity-behaviors-data-flow.svg" alt-text="Diagram that shows how the UEBA behaviors layer transforms raw logs into structured behavior records that enhance security operations." lightbox="media/entity-behaviors-layer/entity-behaviors-data-flow.svg" :::
64
+
59
65
### Behavior storage and tables
60
66
61
67
The UEBA behaviors layer stores behavior records in two types of tables:
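Review bot: The alt-text on the added image at new line 63 repeats the lead-in sentence at new line 61 almost word for word, so a screen-reader user hears the same statement twice and learns nothing about what the diagram contains. Rewrite the alt-text to name the stages the diagram shows (the raw log inputs, the behaviors layer, and the resulting behavior records) and keep the lead-in as is. The new heading "The behaviors abstraction layer" also introduces the term "abstraction layer", while the sentence below it and the alt-text say "UEBA behaviors layer"; pick one name so readers don't assume these are two different components.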
@@ -67,12 +73,7 @@ These tables integrate seamlessly with your existing workflows for detection rul
67
73
68
74
For information about using behaviors tables, see [Best practices and troubleshooting tips for querying behaviors](#best-practices-and-troubleshooting-tips-for-querying-behaviors).
69
75
70
-
### Data flow diagram
71
-
72
-
This diagram illustrates how the UEBA behaviors layer transform raw logs into structured behavior records that enhance security operations:
73
76
74
-
:::image type="content" source="media/entity-behaviors-layer/entity-behaviors-data-flow.svg" alt-text="Diagram that shows how the UEBA behaviors layer transform raw logs into structured behavior records that enhance security operations." lightbox="media/entity-behaviors-layer/entity-behaviors-data-flow.svg" :::
75
-
76
77
> [!IMPORTANT]
77
78
> Generative AI powers the UEBA Behaviors layer to create and scale the insights it provides. Microsoft designed the Behaviors feature based on **privacy and responsible AI principles** to ensure transparency and explainability. Behaviors don't introduce new compliance risks or opaque "black box" analytics into your SOC. For details about how AI is applied in this feature and Microsoft’s approach to responsible AI, see [Responsible AI FAQ for the Microsoft UEBA behaviors layer](https://aka.ms/miscrosoftsentinelbehaviors).
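Review bot: With the "Data flow diagram" section removed at old lines 70-75, the `[!IMPORTANT]` note about generative AI now directly follows the storage cross-reference at new line 74 and reads as part of "Behavior storage and tables", which it doesn't relate to. Move the note next to the relocated diagram under "The behaviors abstraction layer", or to the article introduction, so the responsible AI statement stays attached to the description of how behaviors are produced. While touching this area, confirm that the short link in the note resolves: the slug reads `miscrosoftsentinelbehaviors`, which looks like a misspelling of "microsoft".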