Merge pull request #309668 from guywi-ms/enable-ueba-via-connector

UEBA connector configuration

Author: v-ccolin

articles/sentinel/configure-data-connector.md

@@ -1,10 +1,10 @@
 ---
-title: Connect Data Sources to Microsoft Sentinel Using Data Connectors
+title: Connect data sources to Microsoft Sentinel by using data connectors
 description: Learn how to connect data sources to Microsoft Sentinel using data connectors for improved threat detection.
-author: batamig
+author: EdB-MSFT
 ms.topic: how-to
 ms.date: 07/09/2025
-ms.author: bagol
+ms.author: edbaynash
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
     - Microsoft Sentinel in the Azure portal
@@ -90,6 +90,12 @@ After you configure the data connector, it might take some time for the data to
 
    :::image type="content" source="media/configure-data-connector/connected-data-connector.png" alt-text="Screenshot of a data connector page with status connected and graph that shows the data received.":::
 
+## Enable User and Entity Behavior Analytics (UEBA) from supported connectors
+
+[User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](identify-threats-with-entity-behavior-analytics.md) analyzes logs and alerts from connected data sources to build baseline behavioral profiles of your organization's entities—such as users, hosts, IP addresses, and applications. Using machine learning, UEBA identifies anomalous activity that may indicate a compromised asset.
+
+[!INCLUDE [data-connector-behavior-analytics](includes/data-connector-behavior-analytics.md)] 
+
 ## Find your data
 
 After you enable the connector successfully, the connector begins to stream data to the table schemas related to the data types you configured.

articles/sentinel/enable-entity-behavior-analytics.md

@@ -18,9 +18,16 @@ ms.custom: sfi-image-nochange
 
 # Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
 
-In the previous deployment step, you enabled the Microsoft Sentinel security content you need to protect your systems. In this article, you learn how to enable and use the UEBA feature to streamline the analysis process. This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
+User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel analyzes logs and alerts from connected data sources to build baseline behavioral profiles of your organization's entities—such as users, hosts, IP addresses, and applications. Using machine learning, UEBA identifies anomalous activity that may indicate a compromised asset.
 
-As Microsoft Sentinel collects logs and alerts from all of its connected data sources, it analyzes them and builds baseline behavioral profiles of your organization’s entities (such as users, hosts, IP addresses, and applications) across time and peer group horizon. Using various techniques and machine learning capabilities, Microsoft Sentinel can then identify anomalous activity and help you determine whether an asset is compromised. Learn more about [UEBA](identify-threats-with-entity-behavior-analytics.md).
+You can enable User and Entity Behavior Analytics in two ways, both with the same result:
+
+- **From the Microsoft Sentinel workspace settings**: Enable UEBA for your workspace and select which data sources to connect in the Microsoft Defender portal or Azure portal.
+- **From supported data connectors**: Enable UEBA when you configure UEBA supported data connectors in the Microsoft Defender portal.
+
+This article explains how to enable UEBA and configure data sources from your Microsoft Sentinel workspace settings and from supported data connectors. 
+
+For more information about UEBA, see [Identify threats with entity behavior analytics](identify-threats-with-entity-behavior-analytics.md).
 
 [!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
 [!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
@@ -41,14 +48,12 @@ To enable or disable this feature (these prerequisites aren't required to use th
 > - No special license is required to add UEBA functionality to Microsoft Sentinel, and there's no extra cost for using it.
 > - However, since UEBA generates new data and stores it in new tables that UEBA creates in your Log Analytics workspace, **additional data storage charges** apply. 
 
-## How to enable User and Entity Behavior Analytics
+## Enable UEBA from workspace settings
 
-- Users of Microsoft Sentinel in the Azure portal, follow the instructions in the **Azure portal** tab.
-- Users of Microsoft Sentinel as part of the Microsoft Defender portal, follow the instructions in the **Defender portal** tab.
+To enable UEBA from your Microsoft Sentinel workspace settings:
 
 1. Go to the **Entity behavior configuration** page.
 
-
     # [Azure portal](#tab/azure)
 
     Use any one of these three ways to get to the **Entity behavior configuration** page:
@@ -71,7 +76,7 @@ To enable or disable this feature (these prerequisites aren't required to use th
 
 1. On the **Entity behavior configuration** page, toggle on **Turn on UEBA feature**.
 
-    :::image type="content" source="media/enable-entity-behavior-analytics/ueba-configuration.png" alt-text="Screenshot of UEBA configuration settings." lightbox="media/enable-entity-behavior-analytics/ueba-configuration.png":::
+    :::image type="content" source="media/enable-entity-behavior-analytics/entity-behavior-analytics-configuration.png" alt-text="Screenshot of UEBA configuration settings." lightbox="media/enable-entity-behavior-analytics/entity-behavior-analytics-configuration.png":::
 
 1. Select the directory services from which you want to synchronize user entities with Microsoft Sentinel.
 
@@ -104,12 +109,17 @@ To enable or disable this feature (these prerequisites aren't required to use th
 
 1. Select **Connect**. 
 
-1. Enable anomaly detection in your Sentinel workspace:
+1. Enable anomaly detection in your Microsoft Sentinel workspace:
 
     1. From the Microsoft Defender portal navigation menu, select **Settings** > **Microsoft Sentinel** > **SIEM workspaces**.
     1. Select the workspace you want to configure.
     1. From the workspace configuration page, select **Anomalies** and toggle on **Detect Anomalies**. 
 
+## Enable UEBA from supported connectors
+
+[!INCLUDE [data-connector-behavior-analytics](includes/data-connector-behavior-analytics.md)] 
+
+For more information about configuring Microsoft Sentinel data connectors, see [Connect data sources to Microsoft Sentinel by using data connectors](./configure-data-connector.md).
 
 ## Next steps
 

articles/sentinel/feature-availability.md

@@ -182,7 +182,7 @@ For more information, see [Microsoft Defender XDR for US Government customers](/
 
 |Feature  |Feature stage |Azure commercial  |Azure Government |Azure operated by 21Vianet  |
 |---------|---------|---------|---------|---------|
-|[Active Directory sync via MDI](enable-entity-behavior-analytics.md#how-to-enable-user-and-entity-behavior-analytics) |Public preview |Yes |Yes |No |
+|[Active Directory sync via MDI](enable-entity-behavior-analytics.md#enable-ueba-from-workspace-settings) |Public preview |Yes |Yes |No |
 |[Azure resource entity pages](entity-pages.md) |Public preview |Yes |Yes |No |
 |[Entity insights](identify-threats-with-entity-behavior-analytics.md) |GA |Yes |Yes |Yes |
 |[Entity pages](entity-pages.md) |GA |Yes |Yes |Yes |

articles/sentinel/includes/data-connector-behavior-analytics.md

@@ -0,0 +1,17 @@
+---
+title: Enable UEBA from supported data connectors in Microsoft Defender portal
+ms.date: 12/17/2025
+ms.topic: include
+---
+
+<!-- docutune:disable -->
+
+To enable UEBA from supported data connectors in Microsoft Defender portal:
+
+1. From the Microsoft Defender portal navigation menu, select **Microsoft Sentinel > Configuration > Data connectors**.
+1. Select a UEBA supported data connector that supports UEBA. For more information about UEBA supported data connectors and tables, see [Microsoft Sentinel UEBA reference](./../ueba-reference.md#ueba-data-sources). 
+1. From the data connector pane, select **Open connector page**.
+1. On the **Connector details** page, select **Advanced options**.
+1. Under **Configure UEBA**, toggle on the tables you want to enable for UEBA.
+
+    :::image type="content" source="../media/enable-entity-behavior-analytics/entity-behavior-analytics-data-connector.png" alt-text="Screenshot of UEBA configuration in data connector." lightbox="../media/enable-entity-behavior-analytics/entity-behavior-analytics-data-connector.png":::