MicrosoftDocs
diff --git a/‎articles/sentinel/TOC.yml‎
Lines changed: 9 additions & 1 deletion b/‎articles/sentinel/TOC.yml‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎articles/sentinel/enable-entity-behavior-analytics.md‎
Lines changed: 6 additions & 0 deletions b/‎articles/sentinel/enable-entity-behavior-analytics.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎articles/sentinel/entity-behaviors-layer-rai-faqs.md‎
Lines changed: 68 additions & 0 deletions b/‎articles/sentinel/entity-behaviors-layer-rai-faqs.md‎
Lines changed: 68 additions & 0 deletions
@@ -325,12 +325,14 @@
               href: entity-pages.md
             - name: User and entity behavior analytics (UEBA)
               href: identify-threats-with-entity-behavior-analytics.md
+            - name: Aggregate behavioral insights from raw logs 
+              href: entity-behaviors-layer.md 
             - name: Create custom entity activities
               href: customize-entity-activities.md
         - name: Watchlists
           items:
             - name: Overview
-              href: watchlists.md
+              href: watchlists.md 
             - name: Create watchlists
               href: watchlists-create.md
             - name: Build queries or rules
@@ -1039,6 +1041,12 @@
           href: stix-objects-api.md
         - name: Legacy upload indicator API reference
           href: upload-indicators-api.md
+- name: Responsible AI
+  items:
+    - name: Responsible AI FAQ for UEBA behaviors layer
+      href: entity-behaviors-layer-rai-faqs.md
+    - name: Responsible AI FAQ for Microsoft Sentinel MCP
+      href: datalake/sentinel-mcp-responsible-ai-faq.md
 - name: Microsoft Sentinel blog
   href: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/bg-p/MicrosoftSentinelBlog
 - name: Pricing
 
@@ -121,6 +121,12 @@ To enable UEBA from your Microsoft Sentinel workspace settings:
 
 For more information about configuring Microsoft Sentinel data connectors, see [Connect data sources to Microsoft Sentinel by using data connectors](./configure-data-connector.md).
 
+## Enable the UEBA behaviors layer (Preview)
+
+The UEBA behaviors layer generates enriched summaries of activity observed across multiple data sources. Unlike alerts or anomalies, behaviors don’t necessarily indicate risk - they create an abstraction layer that optimizes your data for investigations, hunting, and detection by enhancing
+
+For more information about the UEBA behaviors layer and how to enable it, see [Enable the UEBA behaviors layer in Microsoft Sentinel](../sentinel/entity-behaviors-layer.md). 
+
 ## Next steps
 
 In this article, you learned how to enable and configure User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel. For more information about UEBA:
 
@@ -0,0 +1,68 @@
+---
+title: Responsible AI FAQ for the Microsoft Sentinel UEBA behaviors layer
+description: This FAQ provides information about the AI technology used in the Microsoft Sentinel UEBA behaviors layer, along with key considerations and details about how AI is used, how it was tested and evaluated, and any specific limitations.  
+ms.date: 01/11/2026  
+ms.custom:  
+  - responsible-ai-faqs  
+ms.topic: contributor-guide  
+author: guywi-ms  
+ms.author: guywild  
+ms.reviewer: mschechter  
+---
+
+# Responsible AI FAQ for the Microsoft Sentinel UEBA behaviors layer
+
+These frequently asked questions (FAQ) describe the AI impact of the [UEBA behaviors layer](../sentinel/entity-behaviors-layer.md) feature in Microsoft Sentinel.
+
+
+## What is the UEBA behaviors layer?
+
+The UEBA behaviors layer is an AI-powered capability in Microsoft Sentinel that transforms fragmented raw logs into contextualized behavioral insights that explain "who did what to whom".
+
+- **Inputs:** Raw security logs from sources, such as the AWS CloudTrail and CommonSecurityLog tables.  
+- **Outputs:** Structured behavior objects enriched with MITRE ATT&CK mappings, entity roles, and natural language explanations.
+
+## What are the capabilities of the UEBA behaviors layer?
+
+The UEBA behaviors layer provides these key capabilities:
+- **Behavior aggregation:** Automatically groups and sequences related security events across multiple data sources. Instead of analysts manually correlating raw logs, the behaviors layer creates unified behavior objects that present "what happened" in a structured way.
+
+- **Contextualization:** Each behavior is enriched with security context, including mapping to MITRE ATT&CK tactics and techniques. This helps analysts understand the intent behind an activity - for example, lateral movement, privilege escalation - without needing deep familiarity with every log format.
+
+- **Explainability:**  Generates natural language summaries of behaviors, making investigations faster and more accessible. Analysts can quickly see what happened and why it matters.
+
+## What is the intended use of the UEBA behaviors layer?
+
+The intended use is to accelerate threat detection and investigation by providing SOC analysts with a unified, AI-driven view of behaviors. It supports:  
+
+- Threat hunting  
+- Detection rule authoring at using large language models (LLMs)  
+- Incident investigation and triage  
+
+
+## How was the UEBA behaviors layer evaluated? What metrics are used to measure performance?
+
+Our AI mechanisms generate behavior rules based on samples logs. The behavior rules use aggregation and sequencing of raw logs to reflect the intent and action behind those logs. The rules also provide the security context by mapping the behaviors to MITRE ATT&CK tactics and techniques, so that if the behavior was ill intended, you can understand the security context of that potential attack.
+
+The AI-generated rules are then validated in various ways to ensure that: 
+- The intent, action, and entities are accurately captured and explained. 
+- The volume of the behaviors this rule generates is above a defined threshold to provide the most value.
+- Sensitive data is protected. 
+
+## What are the limitations of the UEBA behaviors layer? How can users minimize the impact?
+
+- **Limited data source coverage:** Currently supports CommonSecurityLogs and AWSCloudTrail.  
+- **Dependence on log quality:** Incomplete or noisy logs can reduce accuracy.  
+- **Preview feature:** Behavior schema and AI models might evolve.  
+**Mitigation:** Ensure high-quality log ingestion, validate AI-generated queries, and use human review for critical detections.
+
+
+## What operational factors and settings allow for effective and responsible use of the feature?
+
+- **Enable supported connectors** for AWS and CommonSecurityLog sources.  
+- **Review AI-generated outputs** before deploying detection rules.  
+- **Monitor updates** as the feature expands to new sources and schemas.
+
+## See also
+
+- [Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel (Preview)](../sentinel/entity-behaviors-layer.md)