AI against AI (part 2): What is UEBA in Microsoft Sentinel and why you need it

Raymond Sijsenaar, Jun 05, 2026

In my previous blog AI against AI, I described how attackers increasingly use artificial intelligence to stay under the radar. Phishing is getting smarter, attacks are becoming more subtle, and abuse of legitimate accounts has become the norm. In this blog, we zoom in on one of the most important defense mechanisms on the Blue Team side: User and Entity Behavior Analytics, or UEBA for short.

Because if attackers use AI to disguise themselves as "normal" behavior, how do you still detect that?

The shift: from breaking in to logging in

Traditional cybersecurity has long revolved around detecting anomalies: malware signatures, known attack patterns, and hard-coded detection rules. But modern attacks look different.

Hackers no longer break in. They log in.
Using stolen credentials, OAuth tokens, or abused service accounts, attackers move through environments as if they were legitimate users. To classic SIEM detection rules, this often looks perfectly valid:

- It's an authentic user
- A valid MFA is being used
- The device is legitimate

And yet, things go wrong.

This is where the playing field of AI against AI begins – where defenders no longer look at what someone does, but at how that behavior compares to normal use.

What is UEBA?

Instead of fixed rules, UEBA uses machine learning to analyze behavior over time. The system builds a baseline of normal behavior for:

- Users
- Devices
- Service accounts
- Applications and workloads

As soon as behavior statistically deviates from that baseline, it is flagged as suspicious.
UEBA doesn't look at a single isolated action, but at the complete context and pattern.

Examples:
- A user always signs in from the Netherlands, but suddenly and repeatedly signs in from multiple continents.
- A valid user signs in from their Entra-joined device. Shortly afterwards, the token from that session is used from a different user agent and a different location.
- An account suddenly downloads far more data than usual.
- A service token is used outside its usual time window and scope.

So not a rule-based alert, but a behavioral anomaly.
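A small illustration of the baseline-and-deviation idea described above, added here and not code from the post or from Microsoft Sentinel: it learns a per-user profile from constructed sign-in records and then reports how a new event deviates, covering the listed scenarios (a new country, a session token reused from another user agent and location, a download far above the user's own history, activity outside the usual hours). The record fields, the sample data and the 3-sigma threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sign-in / activity records for one user (not real Sentinel telemetry).
# Fields: user, session token id, sign-in country, user agent, MB downloaded, hour of day.
HISTORY = [
    {"user": "alice", "session": "s1", "country": "NL", "agent": "Edge/Windows", "mb": 40, "hour": 9},
    {"user": "alice", "session": "s2", "country": "NL", "agent": "Edge/Windows", "mb": 55, "hour": 10},
    {"user": "alice", "session": "s3", "country": "NL", "agent": "Edge/Windows", "mb": 45, "hour": 14},
    {"user": "alice", "session": "s4", "country": "NL", "agent": "Edge/Windows", "mb": 50, "hour": 11},
    {"user": "alice", "session": "s5", "country": "NL", "agent": "Edge/Windows", "mb": 60, "hour": 16},
]

def build_profiles(records):
    """Learn a per-user baseline (countries, agents, hours, download stats) and where each session was first seen."""
    profiles = defaultdict(lambda: {"countries": set(), "agents": set(), "hours": set(), "mb": []})
    sessions = {}
    for r in records:
        p = profiles[r["user"]]
        p["countries"].add(r["country"])
        p["agents"].add(r["agent"])
        p["hours"].add(r["hour"])
        p["mb"].append(r["mb"])
        sessions.setdefault(r["session"], (r["country"], r["agent"]))
    return profiles, sessions

def score_event(profiles, sessions, event, z_threshold=3.0):
    """Return the deviations of one new event from its user's baseline; [] means it fits the pattern."""
    p = profiles[event["user"]]
    if not p["mb"]:  # no history yet: nothing to compare against, so say so instead of guessing
        return [f"no baseline yet for {event['user']}"]
    reasons = []
    if event["country"] not in p["countries"]:
        reasons.append(f"sign-in from new country {event['country']}")
    if event["agent"] not in p["agents"]:
        reasons.append(f"unseen user agent {event['agent']}")
    if event["hour"] not in p["hours"]:
        reasons.append(f"activity outside usual hours ({event['hour']}:00)")
    mu, sigma = mean(p["mb"]), pstdev(p["mb"])
    z = (event["mb"] - mu) / sigma if sigma else 0.0  # z-score against the user's own history
    if z > z_threshold:
        reasons.append(f"download of {event['mb']} MB is {z:.1f} sigma above baseline")
    # A session token is tied to the country/agent it was first seen with; a later use
    # from elsewhere is the "stolen token" pattern described above.
    origin = sessions.setdefault(event["session"], (event["country"], event["agent"]))
    if origin != (event["country"], event["agent"]):
        reasons.append(f"session {event['session']} reused from {event['country']}/{event['agent']}")
    return reasons
```

Call `build_profiles(HISTORY)` once, then `score_event` for each new event; a normal sign-in with session `s6` from NL comes back empty, while a second use of `s6` from another country with a different user agent returns three reasons.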

UEBA within Microsoft Sentinel

Microsoft Sentinel integrates UEBA deeply into the platform. It is not a separate module, but part of analytics, incidents, threat hunting, and risk scores.

The first signals that something is wrong often come from Microsoft Entra ID Protection, for example through risky sign-ins or suspicious account activity. UEBA in Microsoft Sentinel then goes a step further by putting this signal into context and enriching it with behavioral analysis over time.

Sentinel combines data from sources including:

- Microsoft Entra ID
- Microsoft Defender XDR
- Azure Activity Logs
- Endpoint and network telemetry

Where Entra ID Protection looks at individual identity events, UEBA connects them to broader user and entity behavior across the entire environment. Sentinel acts as the central platform where identity risks, UEBA insights, and other security signals come together. Using machine learning, Sentinel automatically builds behavioral profiles and assigns risk scores to users and entities. These models continuously learn. Behavior that changes structurally (for example due to a new role or work location) is automatically incorporated into the baseline.

Why UEBA fits perfectly into 'AI against AI'

Attackers use AI to:

- Make phishing attacks more realistic
- Adapt their behavior to the target
- Spread out activities to remain undetected for as long as possible

UEBA uses AI to:
- Recognize subtle anomalies
- Add context to log data
- Base alerting on probability, not certainty

This is the fundamental difference.
Where attackers use AI to keep malicious activity from being detected, the Blue Team uses AI to make that activity visible and meaningful nonetheless.

UEBA doesn't ask: "Is this wrong?"
UEBA asks: "Does this make sense, given everything we know?"

What does UEBA detect better than classic SIEM rules?

Where traditional detection fails, UEBA excels in scenarios involving:

- Compromised accounts - especially with MFA fatigue and token theft.
- Insider threats - deliberate or unintentional abuse of privileges, often spread out over time.
- Lateral movement - behavior that may be legitimate in itself, but deviates from the pattern.
- Abuse of service accounts - non-personal accounts are often barely monitored, yet regularly hold elevated privileges.

In all these cases, the same applies: the action is valid, the behavior is off.

UEBA and incident response in Sentinel

In Microsoft Sentinel, UEBA signals are not presented in isolation. They:

- Enrich existing alerts
- Raise or lower the priority of incidents
- Provide context to SOC analysts

An analyst not only sees what happened, but also:
- How unusual it is
- Compared to whom
- Compared to historical behavior

This reduces alert fatigue and improves the quality of decisions – crucial in a SOC where AI-driven attacks demand speed.

What UEBA is not

UEBA is often misunderstood. It is not a replacement for proper logging: without reliable and comprehensive log sources, behavioral analysis is impossible. Nor does UEBA violate privacy: it analyzes behavioral patterns and context, not the content of communications. Finally, UEBA is not a "magic button" that automatically solves security problems. Thoughtful configuration, clear governance, and a solid architecture remain essential. UEBA strengthens detection and insight, but never replaces fundamental design choices or Zero Trust principles.

UEBA as a foundation within Zero Trust and cloud security

In Zero Trust, the rule is: "Never trust, always verify."
But verification doesn't stop at login.

In hybrid and cloud environments, with:

- SaaS
- Remote work
- APIs
- AI agents
- Non-human identities

... continuously verifying behavior is indispensable.

UEBA thus forms a bridge between:
- Identity
- Detection
- AI-assisted defense

This is exactly where the Blue Team can make the difference: taking down that one malicious account before it exfiltrates all the data it has gathered.

Conclusion: defend AI with AI

In a world where attackers use AI to mimic normal users, behavioral analysis is a pure necessity. UEBA in Microsoft Sentinel shows how AI can be used defensively to bring the playing field back into balance. Not by generating an unnecessary flood of alerts, but by looking more intelligently at what makes sense and monitoring accordingly.

That is what AI against AI is ultimately all about.

Curious what UEBA in Microsoft Sentinel could mean for your organization? Get in touch.
