Every SOC has that moment.
If you have spent time in a SOC, you know this feeling all too well.
An alert pops up. Then another. And another. Each one technically valid. Each one slightly different. Somewhere in between access logs, identity signals, firewall entries, and API calls, the real story is hiding. The challenge is not detecting activity anymore. The challenge is understanding it fast enough to matter.
This is exactly where the new UEBA Behaviors layer, now in Public Preview for Microsoft Sentinel, starts to make a real difference. Not by adding more alerts, but by changing how security data is presented to humans.
Why thinking in events no longer works

Modern environments are messy by design. Multi-cloud, SaaS, identity-centric, heavily automated. Every platform produces its own telemetry in its own schema, yet attackers rarely trigger a single obvious signal. Instead, they move quietly, step by step, and each step on its own usually stays well within what looks normal when viewed in isolation.
Traditional SIEM workflows force analysts to think in events. One record at a time. One table at a time. Correlation becomes a manual, error-prone process that depends heavily on experience and tribal knowledge.
The Behaviors layer introduces a different mental model: describe activity as behavior, not as isolated facts.
A behavior is not an alert. It is not an anomaly verdict. It is a structured, neutral description of what happened, written in a way humans can immediately reason about.
Who did what.
From where.
Using which privileges.
Across which systems.
And how this maps to known attacker techniques.
That shift alone changes investigations more than any new rule ever could.
Behaviors are explanations, not accusations
One of the most important details, and one that is easy to miss, is this: behaviors do not claim malicious intent. They describe activity.
This matters in practice. Analysts are no longer pushed into binary thinking too early. Instead of jumping straight from raw logs to “incident or false positive,” they get context first. A narrative. Something they can validate, enrich, and challenge.
Each behavior includes a natural-language explanation that answers the classic SOC question: What exactly happened here? Under the hood, this explanation is backed by a unified schema that still links directly to the original raw events. Nothing is hidden. Nothing is abstracted away beyond reach.
Aggregation and sequencing: where signal emerges
Technically, the Behaviors layer works through two core detection patterns.
Aggregated behaviors focus on volume. For example, a large number of resource accesses within a short timeframe. This is not automatically suspicious, but it often deserves attention, especially when combined with other signals.
Sequenced behaviors focus on flow. This is where the layer really shines. It connects events across a defined time window into meaningful chains. A new access key is created. That key is used from a new IP address. Shortly after, privileged API calls appear. Each step on its own might look harmless. Together, they tell a very different story.
This kind of sequencing is notoriously difficult to build and maintain manually. Having it generated consistently and at scale changes how quickly investigations move forward.
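To make the two patterns concrete, here is an added Python sketch that is not part of the original post and not Microsoft's implementation. It runs an aggregated check (many object reads by one actor in a short window) and a sequenced check (access key created, first used from an IP never seen for that user, then privileged IAM calls, all inside one window) over a few constructed CloudTrail-style events. The event field names, the list of privileged API names, the windows and threshold, and the shape of the emitted records are assumptions chosen for the illustration; the output is split into a behavior record plus entity rows with roles, and each behavior keeps the IDs of the raw events it was built from.

```python
"""Added example, not Microsoft's code: toy aggregated and sequenced behaviors
over constructed CloudTrail-style events. Field names, thresholds, windows and
the output record shape are assumptions made for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 1, 10, 9, 0)


def ev(i, minutes, actor, name, ip, key, target):
    """Build one constructed event; 'key' is the access key that made the call."""
    return {"id": f"e{i}", "time": T0 + timedelta(minutes=minutes), "actor": actor,
            "event": name, "ip": ip, "key": key, "target": target}


# Constructed sample events (not real telemetry).
EVENTS = [
    ev(1, 0, "alice", "ConsoleLogin", "203.0.113.10", "-", "console"),
    ev(2, 5, "alice", "CreateAccessKey", "203.0.113.10", "AKIAOLD1", "AKIANEW1"),
    ev(3, 17, "alice", "GetCallerIdentity", "198.51.100.7", "AKIANEW1", "sts"),  # new IP
    ev(4, 20, "alice", "AttachUserPolicy", "198.51.100.7", "AKIANEW1",
       "arn:aws:iam::123456789012:user/alice"),
    # carol does the same steps from an IP already seen for her: no sequence.
    ev(5, 0, "carol", "ConsoleLogin", "192.0.2.44", "-", "console"),
    ev(6, 6, "carol", "CreateAccessKey", "192.0.2.44", "AKIAOLD2", "AKIANEW2"),
    ev(7, 9, "carol", "AttachUserPolicy", "192.0.2.44", "AKIANEW2",
       "arn:aws:iam::123456789012:user/carol"),
]
# bob reads 30 objects in five minutes: volume, not sequence.
EVENTS += [ev(100 + i, 30 + i / 6, "bob", "GetObject", "203.0.113.50", "AKIABOB1",
              f"s3://payroll/{i}.csv") for i in range(30)]

PRIVILEGED = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
              "CreateUser", "UpdateAssumeRolePolicy"}  # assumed list
SEQ_WINDOW = timedelta(hours=1)
AGG_WINDOW = timedelta(minutes=10)
AGG_THRESHOLD = 20


def known_ips(events, actor, before):
    """IPs the actor was seen from at or before a point in time (the baseline)."""
    return {e["ip"] for e in events if e["actor"] == actor and e["time"] <= before}


def entity(bid, etype, role, value):
    """One entity row: which entity played which role in a behavior."""
    return {"behavior_id": bid, "entity_type": etype, "role": role, "value": value}


def sequenced_behaviors(events):
    """Key created -> used from a new IP -> privileged call, within SEQ_WINDOW."""
    out = []
    for c in (e for e in events if e["event"] == "CreateAccessKey"):
        new_key, deadline = c["target"], c["time"] + SEQ_WINDOW
        baseline = known_ips(events, c["actor"], c["time"])
        uses = sorted((e for e in events if e["key"] == new_key
                       and c["time"] < e["time"] <= deadline and e["ip"] not in baseline),
                      key=lambda e: e["time"])
        if not uses:
            continue  # key never used from an unfamiliar IP: no sequence
        first = uses[0]
        priv = [e for e in events if e["key"] == new_key and e["event"] in PRIVILEGED
                and first["time"] <= e["time"] <= deadline]
        if not priv:
            continue
        bid = f"seq-{c['id']}"
        info = {"behavior_id": bid,
                "title": "New access key used from a new IP, then privileged IAM calls",
                "description": (f"{c['actor']} created access key {new_key} at {c['time']:%H:%M}; "
                                f"it was first used from {first['ip']} (never seen for this user) "
                                f"at {first['time']:%H:%M}, then made {len(priv)} privileged "
                                f"call(s) such as {priv[0]['event']}."),
                "tactics": ["Persistence", "PrivilegeEscalation"],
                "techniques": ["T1098.001", "T1078.004"],
                "start": c["time"], "end": max(e["time"] for e in priv),
                "source_event_ids": [c["id"], first["id"]] + [e["id"] for e in priv]}
        ents = [entity(bid, "account", "actor", c["actor"]),
                entity(bid, "access_key", "target", new_key),
                entity(bid, "ip", "source", first["ip"])]
        ents += [entity(bid, "resource", "target", e["target"]) for e in priv]
        out.append((info, ents))
    return out


def aggregated_behaviors(events, names=("GetObject",)):
    """More than AGG_THRESHOLD reads by one actor inside a tumbling AGG_WINDOW."""
    buckets = defaultdict(list)
    for e in events:
        if e["event"] in names:
            start = e["time"] - (e["time"] - T0) % AGG_WINDOW  # floor to window start
            buckets[(e["actor"], start)].append(e)
    out = []
    for (actor, start), hits in buckets.items():
        if len(hits) <= AGG_THRESHOLD:
            continue
        bid = f"agg-{actor}-{start:%H%M}"
        info = {"behavior_id": bid, "title": "High volume of storage object reads",
                "description": f"{actor} read {len(hits)} objects between "
                               f"{start:%H:%M} and {start + AGG_WINDOW:%H:%M}.",
                "tactics": ["Collection"], "techniques": ["T1530"],
                "start": min(e["time"] for e in hits), "end": max(e["time"] for e in hits),
                "source_event_ids": [e["id"] for e in hits]}
        ents = [entity(bid, "account", "actor", actor)]
        ents += [entity(bid, "ip", "source", ip) for ip in sorted({e["ip"] for e in hits})]
        ents += [entity(bid, "resource", "target", e["target"]) for e in hits]
        out.append((info, ents))
    return out


def build_behaviors(events=EVENTS):
    """Return (behavior rows, entity rows): one record per behavior, many entity rows."""
    found = aggregated_behaviors(events) + sequenced_behaviors(events)
    return [i for i, _ in found], [x for _, ents in found for x in ents]


if __name__ == "__main__":
    info, entities = build_behaviors()
    for b in info:
        n = sum(1 for x in entities if x["behavior_id"] == b["behavior_id"])
        print(f"{b['behavior_id']} {b['tactics']} {n} entities "
              f"from events {b['source_event_ids'][:3]}\n  {b['description']}")
```

Two details carry the point of the section. Carol performs the same three steps as Alice but from an IP already in her baseline, so no sequenced behavior is emitted: the chain, not any single event, is what makes Alice's activity worth a look. And Bob's thirty reads produce a Collection-tagged behavior with no claim of malice attached, which is exactly the "explanation, not accusation" stance the post describes. In practice the IP baseline would come from a much longer history than the events under analysis.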
Normalized insight across clouds and vendors
Another practical strength of the Behaviors layer is normalization.
Telemetry from AWS CloudTrail, GCP audit logs, Palo Alto, CyberArk, and other sources is mapped into a shared behavioral model and aligned with MITRE ATT&CK tactics and techniques. Analysts no longer need to remember how each vendor names similar actions. The behavior already speaks a common security language.
Each behavior also contains explicit entity relationships. Actors, targets, IPs, users, workloads. These relationships make it far easier to pivot during investigations and understand who played which role in a given activity.
Built for analysts, not just data scientists
From an operational standpoint, the integration is refreshingly pragmatic.
Behaviors are stored in Log Analytics and exposed through two tables: BehaviorInfo and BehaviorEntities. They behave like any other data in Sentinel. You can hunt on them, build analytics rules, enrich incidents, or feed them into automation.
The difference is cognitive load. Analysts no longer need deep schema knowledge of every underlying log source. They can query behaviors directly, filter by MITRE tactics, entity types, or behavior characteristics, and then drill down only when necessary.
If you care about onboarding time, consistency, and analyst burnout, this is not a small improvement.
What to know about the public preview
The Behaviors layer can be enabled today in your Sentinel workspace under Settings → UEBA. During public preview, it is supported for a single workspace per tenant, so it makes sense to choose a workspace with diverse telemetry.
There is no separate license for the Behaviors layer. Behaviors are included with Sentinel, but they are stored as ordinary Log Analytics records and are billed as ingestion like any other table, so budget for that volume. The upside is that the cost shows up in the same place as the rest of your workspace and is easy to forecast.
Coverage will expand over time. If you do not see certain behaviors yet, first confirm that the underlying connector (CloudTrail, GCP audit logs, and so on) is actually ingesting data; if it is, the gap is most likely a preview limitation rather than missing data.
Final thoughts from the field
Security operations are not getting simpler. But they can become clearer.
The UEBA Behaviors layer does something subtle and powerful. It respects how analysts actually think. It does not replace expertise. It amplifies it by turning fragmented telemetry into understandable narratives.
If your SOC spends more time translating logs than stopping threats, this preview is worth enabling. Explore the behaviors. Build detections on top of them. Let investigations start with understanding instead of guesswork.
That is not automation hype.
That is progress you can feel on a busy shift.
In Part 2 I will get more into the technical details and example queries.
Official Microsoft Blog: Turn Complexity into Clarity: Introducing the New UEBA Behaviors Layer in Microsoft Sentinel | Microsoft Community Hub