You need to correlate data from the SecurityEvent Log Analytics table to meet the Microsoft Sentinel requirements for using UEBA. Which Log Analytics table should you use?
User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel correlates security events with identity data to build behavioral baselines. UEBA enriches security signals with identity context from Azure AD, Defender for Identity, and other connected identity sources.
The IdentityInfo table in Log Analytics stores user account metadata and enrichment information, such as department, group membership, job title, and account status. This table is used to correlate events from the SecurityEvent table and others to link activity to known users and entities.
Microsoft documentation states:
“The IdentityInfo table contains enriched identity information from connected identity providers. It is used by UEBA to correlate with the SecurityEvent table and other identity-related logs.”
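The following KQL query is an added example, not code from the page or from Microsoft documentation, showing how the correlation described above is done in practice: Windows logon events from SecurityEvent are joined to the UEBA IdentityInfo table so that each event carries the user's department, job title and account status. It assumes the UEBA IdentityInfo schema with AccountSID, AccountUPN, Department, JobTitle, GroupMembership and IsAccountEnabled columns, and the SecurityEvent columns TargetSid, TargetUserName, AccountType, EventID, Computer and IpAddress.

```kusto
// Added example (not from the page): enrich Windows logon events with UEBA identity context.
// Assumed columns: IdentityInfo.AccountSID/AccountUPN/Department/JobTitle/GroupMembership/IsAccountEnabled
// and SecurityEvent.TargetSid/TargetUserName/AccountType/EventID/Computer/IpAddress.
let LatestIdentity = IdentityInfo
    | where TimeGenerated > ago(14d)
    // IdentityInfo holds periodic snapshots; keep only the newest row per account SID
    | summarize arg_max(TimeGenerated, *) by AccountSID
    | project AccountSID, AccountUPN, Department, JobTitle, GroupMembership, IsAccountEnabled;
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID in (4624, 4625)          // successful (4624) and failed (4625) logons
| where AccountType == "User"
// leftouter keeps events whose SID is not in IdentityInfo (for example local accounts),
// so unmatched activity is still visible rather than silently dropped
| join kind=leftouter LatestIdentity on $left.TargetSid == $right.AccountSID
| extend Outcome = iff(EventID == 4625, "Failed", "Success")
| summarize Failed = countif(Outcome == "Failed"),
            Success = countif(Outcome == "Success"),
            Hosts = dcount(Computer),
            SourceIPs = make_set(IpAddress, 10)
    by TargetUserName, AccountUPN, Department, JobTitle, IsAccountEnabled
// surface repeated failures, or any logon activity against an account the directory reports as disabled
| where Failed >= 10 or IsAccountEnabled == false
| order by Failed desc
```

The `arg_max` step matters: IdentityInfo is refreshed on a schedule, so joining on the raw table would multiply each logon event by the number of snapshots. The final filter illustrates why the enrichment is useful for UEBA-style detection: a burst of failures is only part of the picture, and activity on an account that IdentityInfo marks as disabled is something SecurityEvent alone cannot reveal.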