To enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel and collect Active Directory Domain Services (AD DS) security events, the integration relies on Microsoft Defender for Identity (MDI) . Defender for Identity monitors on-premises domain controllers and provides deep identity-based telemetry that Sentinel consumes for behavioral analytics and threat detection.

Here’s the correct sequence explained step-by-step:

Deploy Microsoft Defender for Identity on the AD DS domain

Defender for Identity sensors must be installed on each domain controller (or dedicated server) in your on-premises AD DS environment.

This step enables continuous monitoring of AD activities like logons, Kerberos authentications, and LDAP queries.

Microsoft documentation states:

“To collect and analyze AD DS activities for UEBA, deploy Microsoft Defender for Identity sensors in your domain controllers.”

Configure the Microsoft Defender for Identity connector in Microsoft Sentinel

In the Sentinel workspace (Sentinel1), go to Data connectors → Microsoft Defender for Identity → Connect .

This connector ingests identity-related alerts and telemetry from Defender for Identity into Sentinel’s Log Analytics workspace.

It allows Sentinel to correlate identity-based security data with other sources for threat detection and investigation.

Enable UEBA in Microsoft Sentinel

After integrating MDI, enable UEBA in Sentinel’s configuration settings.

UEBA uses identit y data (from MDI and Azure AD) and other logs to build behavioral baselines and detect anomalies such as lateral movement or privilege escalation.

Microsoft documentation notes:

“To start analyzing user and entity behaviors, enable UEBA after connecting id entity data sources such as Defender for Identity.”

Other actions listed (such as using legacy connectors or Windows Event Forwarding) are outdated or unnecessary when using MDI and Sentinel’s built-in connectors.