Merge pull request #311179 from guywi-ms/wi-444136-ueba-docs-improvements-cxe

Wi 444136 ueba docs improvements cxe

Author: v-shils

articles/sentinel/TOC.yml

@@ -316,17 +316,26 @@
               href: /defender-xdr/custom-detection-rules?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
             - name: Manage detection rules
               href: /defender-xdr/custom-detection-manage?toc=/azure/sentinel/TOC.json&bc=/azure/sentinel/breadcrumb/toc.json
+        - name: User and Entity Behavior Analytics (UEBA)
+          items:
+            - name: UEBA overview
+              href: identify-threats-with-entity-behavior-analytics.md
+              displayName: User and Entity Behavior Analytics
+            - name: Enable UEBA
+              href: enable-entity-behavior-analytics.md
+            - name: UEBA investigation examples
+              href: investigate-with-ueba.md
+            - name: Aggregate behavioral insights from raw logs
+              href: entity-behaviors-layer.md
+            - name: UEBA data sources and table schemas
+              href: ueba-reference.md
         - name: Data classification with entities
           items:
             - name: Overview
               href: entities.md
               displayName: data classification, entities
             - name: Entity pages
               href: entity-pages.md
-            - name: User and entity behavior analytics (UEBA)
-              href: identify-threats-with-entity-behavior-analytics.md
-            - name: Aggregate behavioral insights from raw logs 
-              href: entity-behaviors-layer.md 
             - name: Create custom entity activities
               href: customize-entity-activities.md
         - name: Watchlists
@@ -412,8 +421,6 @@
               displayName: close incidents, search incidents, comment on incidents
             - name: Investigate incidents in depth
               href: investigate-incidents.md
-            - name: Tutorial - Investigate with UEBA
-              href: investigate-with-ueba.md
             - name: Relate alerts to incidents
               href: relate-alerts-to-incidents.md
             - name: Create incidents manually

articles/sentinel/anomalies-reference.md

@@ -32,7 +32,21 @@ In the [Anomalies](/azure/azure-monitor/reference/tables/anomalies) table:
 > - Domain generation algorithm (DGA) on DNS domains
 > - Potential domain generation algorithm (DGA) on next-level DNS Domains
 
-[!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
+## Compare UEBA and machine learning-based anomalies
+
+UEBA and machine learning (ML) -based anomalies are complementary approaches to anomaly detection. Both populate the `Anomalies` table but serve different purposes:
+
+| Aspect | UEBA anomalies | ML anomaly detection rules |
+|--------|----------------|----------------------------|
+| **Focus** | *Who* is behaving unusually | *What* activity is unusual |
+| **Detection approach** | Entity-focused behavioral baselines compared against historical activity, peer behavior, and organization-wide patterns | Customizable rule templates using statistical and ML models trained on specific data patterns |
+| **Baseline source** | Each entity's own history, peer group, and organization | Training period (typically 7-21 days) on specific event types |
+| **Customization** | Enabled/disabled using UEBA settings | Tunable thresholds and parameters using the analytics rule UI |
+| **Examples** | Anomalous sign-in, anomalous account creation, anomalous privilege modification | Attempted brute force, excessive downloads, network beaconing |
+
+For more information, see:
+- [UEBA overview](identify-threats-with-entity-behavior-analytics.md)
+- [Customizable ML anomaly detection rules](soc-ml-anomalies.md)
 
 ## UEBA anomalies
 
@@ -667,7 +681,5 @@ Microsoft Sentinel's customizable, machine learning-based anomalies can identify
 ## Next steps
 
 - Learn about [machine learning-generated anomalies](soc-ml-anomalies.md) in Microsoft Sentinel.
-
 - Learn how to [work with anomaly rules](work-with-anomaly-rules.md).
-
 - [Investigate incidents](investigate-cases.md) with Microsoft Sentinel.

articles/sentinel/enable-entity-behavior-analytics.md

@@ -122,15 +122,24 @@ To enable UEBA from your Microsoft Sentinel workspace settings:
 
 For more information about configuring Microsoft Sentinel data connectors, see [Connect data sources to Microsoft Sentinel by using data connectors](./configure-data-connector.md).
 
+## Install the UEBA Essentials solution (optional)
+
+The **UEBA Essentials** solution is a collection of dozens of pre-built hunting queries curated and maintained by Microsoft security experts. The solution includes multi-cloud anomaly detection queries across Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Okta.
+
+Install the solution to get started quickly with threat hunting and investigations using UEBA data, instead of building these detection capabilities from scratch.
+
+For more information, see [Install or update Microsoft Sentinel solutions](sentinel-solutions-deploy.md#install-or-update-content).
+
 ## Enable the UEBA behaviors layer (Preview)
 
-The UEBA behaviors layer generates enriched summaries of activity observed across multiple data sources. Unlike alerts or anomalies, behaviors don’t necessarily indicate risk - they create an abstraction layer that optimizes your data for investigations, hunting, and detection by enhancing
+The UEBA behaviors layer generates enriched summaries of activity observed across multiple data sources. Unlike alerts or anomalies, behaviors don’t necessarily indicate risk - they create an abstraction layer that optimizes your data for investigations, hunting, and detection by enhancing clarity, context, and correlation.
 
 For more information about the UEBA behaviors layer and how to enable it, see [Enable the UEBA behaviors layer in Microsoft Sentinel](../sentinel/entity-behaviors-layer.md). 
 
+
 ## Next steps
 
-In this article, you learned how to enable and configure User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel. For more information about UEBA:
+Learn how to investigate UEBA anomalies and use UEBA data in your investigations:
 
-> [!div class="nextstepaction"]
->>[Identify threats with UEBA](./identify-threats-with-entity-behavior-analytics.md)
+- [Investigate incidents with UEBA data](investigate-with-ueba.md)
+- [UEBA data sources and table schemas](ueba-reference.md)

articles/sentinel/entity-behaviors-layer.md

@@ -1,5 +1,5 @@
 ---
-title: Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel (Preview)
+title: Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel
 description: The Microsoft Sentinel UEBA behaviors layer translates security telemetry into normalized behavioral patterns for investigation, hunting, and detection engineering.
 author: guywi-ms
 ms.author: guywild
@@ -10,7 +10,7 @@ ms.service: microsoft-sentinel
 #Customer intent: As a security analyst, I want to use the UEBA behaviors layer to translate raw security telemetry into human-readable patterns with MITRE ATT&CK context for faster threat detection and investigation.
 ---
 
-# Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel (Preview)
+# Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel
 
 The User and Entity Behavior Analytics (UEBA) behavior layer in Microsoft Sentinel aggregates and summarizes high-volume raw logs into clear, plain-language patterns of security actions, explaining “who did what to whom” in a structured way.
 
@@ -25,6 +25,8 @@ This abstraction layer enables faster threat detection, investigation, and respo
 
 This article explains how the UEBA behaviors layer works, how to enable the behaviors layer, and how to use behaviors to enhance security operations.  
 
+Watch the [UEBA behaviors webinar](https://www.youtube.com/watch?v=SqbxmGdMP7c) for a full overview and demo of the UEBA behaviors layer.
+
 ## How the UEBA behaviors layer works
 
 Behaviors are part of Microsoft Sentinel’s [User and Entity Behavior Analytics (UEBA)](../sentinel/identify-threats-with-entity-behavior-analytics.md) capabilities, providing normalized, contextualized activity summaries that complement anomaly detection and enrich investigations. 
@@ -189,7 +191,7 @@ Behaviors simplify rule logic by providing normalized, high‑quality signals wi
 The list of supported data sources and vendors or services that send logs to these data sources is evolving.
 The UEBA behaviors layer automatically aggregates insights for all supported vendors based on the logs you collect.
 
-During public preview, the UEBA behaviors layer focuses on these non-Microsoft data sources that traditionally lack easy behavioral context in Microsoft Sentinel: 
+The UEBA behaviors layer currently focuses on these non-Microsoft data sources that traditionally lack easy behavioral context in Microsoft Sentinel: 
 
 | Data source | Supported vendors, services, and logs | Connector | Supported behaviors |
 |-------------|---------------------------|-------|----------------|
@@ -241,13 +243,13 @@ To enable the UEBA behaviors layer in your workspace:
 1. Select **Connect**.
 
   > [!IMPORTANT]
-  > During public preview, you can only enable behaviors in a single workspace in your tenant.
+  > You can currently enable behaviors in a single workspace in your tenant.
 
 ## Pricing model
 
 Using the UEBA behaviors layer results in the following costs:
 
-- **No extra license cost:** Behaviors are included as part of Microsoft Sentinel (currently in preview). You don’t need a separate SKU, UEBA add‑on, or additional licensing. If your workspace is connected to Sentinel and onboarded to the Defender portal, you can use behaviors at no extra feature cost.
+- **No extra license cost:** Behaviors are included as part of Microsoft Sentinel. You don’t need a separate SKU, UEBA add‑on, or additional licensing. If your workspace is connected to Sentinel and onboarded to the Defender portal, you can use behaviors at no extra feature cost.
 
 - **Log data ingestion charges:** Behavior records are stored in the `SentinelBehaviorInfo` and `SentinelBehaviorEntities` tables in your Sentinel workspace. Each behavior contributes to your workspace’s data ingestion volume and is billed at your existing Log Analytics/Sentinel ingestion rate. Behaviors are additive - they don’t replace your existing raw logs.
 
@@ -323,9 +325,9 @@ For more information about Kusto Query Language (KQL), see [Kusto query language
 - **I see fewer behaviors than expected**: Our coverage of supported behavior types is partial and growing. For more information, see [Supported data sources and behaviors](#supported-data-sources-and-behaviors). The UEBA behaviors layer might also not be able to detect a behavior pattern if there are very few instances of a specific behavior type.
 - **Behavior counts**: A single behavior might represent tens or hundreds of raw events - this is designed to reduce noise.
 
-## Limitations in public preview 
+## Limitations 
 
-These limitations apply during the public preview of the UEBA behaviors layer:
+These limitations currently apply to the UEBA behaviors layer:
 
 - You can enable behaviors on a single Sentinel workspace per tenant.
 - The UEBA behaviors layer generates behaviors for a limited set of [supported data sources and vendors or services](#supported-data-sources-and-behaviors). 

articles/sentinel/feature-availability.md

@@ -188,7 +188,7 @@ For more information, see [Microsoft Defender XDR for US Government customers](/
 |[Entity pages](entity-pages.md) |GA |Yes |Yes |Yes |
 |[Identity info table data ingestion](investigate-with-ueba.md) |GA |Yes |Yes |Yes |
 |[IoT device entity page](/azure/defender-for-iot/organizations/iot-advanced-threat-monitoring#investigate-further-with-iot-device-entities) |Public preview	|Yes |Yes |No |
-|[Peer/Blast radius enrichments](identify-threats-with-entity-behavior-analytics.md#what-is-ueba) |Public preview |Yes |No |No |
+|[Peer/Blast radius enrichments](identify-threats-with-entity-behavior-analytics.md#how-ueba-works) |Public preview |Yes |No |No |
 |[SOC-ML anomalies](soc-ml-anomalies.md#what-are-customizable-anomalies) |GA |Yes |Yes |No |
 |[UEBA anomalies](soc-ml-anomalies.md#ueba-anomalies) |GA |Yes |Yes |No |
 |[UEBA enrichments\insights](investigate-with-ueba.md) |GA |Yes |Yes |Yes |