5 changes: 4 additions & 1 deletion Solutions/UEBA Essentials/Data/Solution_UEBA.json
@@ -3,6 +3,9 @@
"Author": "Microsoft - [email protected]",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">",
"Description": "The Microsoft Sentinel UEBA content package will provide you with various queries based on UEBA tables, that allows you to hunt for tailored threat scenarios. You'll be able to investigate and search for anomalous activities over UEBA's enriched data, and get inspired to customize queries according to your own use-cases.\n\n**Important :** Some of the queries that are part of this solution, make use of [Built-in Watchlist Templates](https://docs.microsoft.com/azure/sentinel/watchlist-schemas) and will not work unless the corresponding watchlist is created. Other queries may requires changes to match your environment details.",
"Workbooks": [
"Workbooks/UEBABehaviorsAnalysisWorkbook.json"
],
"Hunting Queries": [
"Hunting Queries/anomaliesOnVIPUsers.yaml",
"Hunting Queries/anomalousActionInTenant.yaml",
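Review bot: the new "Workbooks" array references Workbooks/UEBABehaviorsAnalysisWorkbook.json, but no file under Solutions/UEBA Essentials/Workbooks/ appears among this commit's changed files; confirm the workbook JSON already exists in the repository (or is added in a separate commit), otherwise the package will reference a file that is not there.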
@@ -37,6 +40,6 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\UEBA Essentials",
"Version": "3.0.3",
"Version": "3.0.4",
"TemplateSpec": true
}
Binary file added Solutions/UEBA Essentials/Package/3.0.4.zip
44 changes: 43 additions & 1 deletion Solutions/UEBA Essentials/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/UEBA%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Microsoft Sentinel UEBA content package will provide you with various queries based on UEBA tables, that allows you to hunt for tailored threat scenarios. You'll be able to investigate and search for anomalous activities over UEBA's enriched data, and get inspired to customize queries according to your own use-cases.\n\n**Important :** Some of the queries that are part of this solution, make use of [Built-in Watchlist Templates](https://docs.microsoft.com/azure/sentinel/watchlist-schemas) and will not work unless the corresponding watchlist is created. Other queries may requires changes to match your environment details.\n\n**Hunting Queries:** 30\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/UEBA%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Microsoft Sentinel UEBA content package will provide you with various queries based on UEBA tables, that allows you to hunt for tailored threat scenarios. You'll be able to investigate and search for anomalous activities over UEBA's enriched data, and get inspired to customize queries according to your own use-cases.\n\n**Important :** Some of the queries that are part of this solution, make use of [Built-in Watchlist Templates](https://docs.microsoft.com/azure/sentinel/watchlist-schemas) and will not work unless the corresponding watchlist is created. Other queries may requires changes to match your environment details.\n\n**Workbooks:** 1, **Hunting Queries:** 30\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
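Review bot: since the "description" string is being edited anyway, fix the two defects carried over from the old line: "Other queries may requires changes" should read "may require changes", and the `<img>` tag runs its attributes together (`.svg\"width=\"75px\"height=\"75px\"`) and needs a space before `width` and before `height`. The added "**Workbooks:** 1" count matches the single entry in Solution_UEBA.json.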
@@ -51,6 +51,48 @@
}
],
"steps": [
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
}
},
{
"name": "workbooks-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "UEBA Behaviors Analysis Workbook",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Get started with the UEBA behaviors layer analysis and turn complexity into clarity"
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
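Review bot: the "workbook1-text" string "Get started with the UEBA behaviors layer analysis and turn complexity into clarity" has no terminating period, unlike the other TextBlock text in this step, and the "workbooks-text" wording "workbook(s)" could simply say "a workbook" since this solution ships exactly one. The new Section carries no input element, so confirm that the template's "workbook1-name" parameter (declared with a defaultValue in testParameters.json in this commit) does not expect a value from the UI outputs.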
174 changes: 141 additions & 33 deletions Solutions/UEBA Essentials/Package/mainTemplate.json
8 changes: 8 additions & 0 deletions Solutions/UEBA Essentials/Package/testParameters.json
@@ -20,5 +20,13 @@
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": "UEBA Behaviors Analysis Workbook",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
}
}
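Review bot: the new "workbook1-name" parameter (type string, defaultValue "UEBA Behaviors Analysis Workbook", minLength 1) must match the parameter declared in mainTemplate.json, whose diff is not rendered on this page; confirm the name and defaultValue are identical there, as a mismatch would surface only at template validation or deployment time.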
1 change: 1 addition & 0 deletions Solutions/UEBA Essentials/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-------------------------------------------------------------------------------------------|
| 3.0.4 | 29-01-2026 | Added new UEBA Behaviors Analysis **Workbook** to solution |
| 3.0.3 | 24-11-2025 | Added new **Hunting Queries** |
| 3.0.2 | 04-11-2025 | Enhance UEBA Essentials with multi-cloud detection capabilities |
| 3.0.1 | 23-09-2024 | Updated query logic in **Hunting Query** [Anomalous Sign-in Activity] |