UEBA Essentials v4.1.0: add new hunting queries (High-Score Triage, Template Distribution, Detection Trend Analysis, User-Centric Investigation, Top Anomalous Source IP) update manifest, remove obsolete AAD Manipulation query, update release notes

Author: ofirga-ms

Solutions/UEBA Essentials/Data/Solution_UEBA.json

@@ -28,10 +28,15 @@
 	"Hunting Queries/UEBA Multi-Source Anomalous Activity Overview.yaml",
 	"Hunting Queries/Anomalous First-Time Device Logon.yaml",
 	"Hunting Queries/Anomalous Okta First-Time or Uncommon Actions.yaml",
-	"Hunting Queries/Anomalous GCP IAM Activity.yaml"
+	"Hunting Queries/Anomalous GCP IAM Activity.yaml",
+	"Hunting Queries/Anomalous High-Score Activity Triage.yaml",
+	"Hunting Queries/Anomaly Template Distribution by Tactics and Techniques.yaml",
+	"Hunting Queries/User-Centric Anomaly Investigation.yaml",
+	"Hunting Queries/Anomaly Detection Trend Analysis.yaml",
+	"Hunting Queries/Top Anomalous Source IP Triage.yaml"
   ],
   "Metadata": "SolutionMetadata.json",
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\UEBA Essentials",
-  "Version": "3.0.2",
+	"Version": "4.1.0",
   "TemplateSpec": true
 }

Solutions/UEBA Essentials/Hunting Queries/Anomalous AAD Account Manipulation.yaml

@@ -0,0 +1,25 @@
+id: a7b8c9d0-e1f2-3456-7890-abcdef123456
+name: Anomalous High-Score Activity Triage
+description: |
+  'Identify the highest-scoring anomalies for rapid triage using Anomalies Table.'
+requiredDataConnectors:
+  - connectorId: BehaviorAnalytics
+    dataTypes:
+      - Anomalies
+tactics:
+relevantTechniques:
+query: |
+  Anomalies 
+  | where TimeGenerated > ago(7d) 
+  | sort by Score desc 
+  | project TimeGenerated, AnomalyTemplateName, Score, Description, UserName, SourceIpAddress, Tactics, Techniques
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIpAddress
+version: 1.0.0

Solutions/UEBA Essentials/Hunting Queries/Anomalous High-Score Activity Triage.yaml

@@ -0,0 +1,16 @@
+id: d0e1f2a3-b4c5-6789-0123-def456789012
+name: Anomaly Detection Trend Analysis
+description: |
+  'Visualizes anomaly detection trends over the past 90 days, showing daily counts of triggered anomaly templates. Use this time-series chart to identify patterns, spikes in anomalous behavior, and seasonal trends for baseline establishment and threat hunting prioritization.'
+requiredDataConnectors:
+  - connectorId: BehaviorAnalytics
+    dataTypes:
+      - Anomalies
+tactics:
+relevantTechniques:
+query: |
+  Anomalies 
+  | where TimeGenerated > ago(90d) 
+  | summarize Count = count() by bin(TimeGenerated, 1d), AnomalyTemplateName
+  | render timechart
+version: 1.0.0

Solutions/UEBA Essentials/Hunting Queries/Anomaly Detection Trend Analysis.yaml

@@ -0,0 +1,16 @@
+id: b8c9d0e1-f2a3-4567-8901-bcdef2345678
+name: Anomaly Template Distribution by Tactics and Techniques
+description: |
+  'Provides a statistical overview of anomaly detections over the past 30 days, grouped by template name, MITRE ATT&CK tactics, and techniques. Use this query to identify the most frequently triggered anomaly patterns and their associated threat techniques for trend analysis and detection tuning.'
+requiredDataConnectors:
+  - connectorId: BehaviorAnalytics
+    dataTypes:
+      - Anomalies
+tactics:
+relevantTechniques:
+query: |
+  Anomalies 
+  | where TimeGenerated > ago(30d) 
+  | summarize Count = count() by AnomalyTemplateName, Tactics, Techniques
+  | sort by Count desc
+version: 1.0.0

Solutions/UEBA Essentials/Hunting Queries/Anomaly Template Distribution by Tactics and Techniques.yaml

@@ -0,0 +1,36 @@
+id: e1f2a3b4-c5d6-7890-1234-abcdef567890
+name: Top Anomalous Source IP Triage
+description: |
+  'Identifies the top source IP addresses with multiple distinct anomaly templates over the past 30 days (excluding single noisy hits), then surfaces their most recent (last 24h) high-fidelity anomalous activities for focused investigation, including scores, tactics, techniques, and behavioral insights.'
+requiredDataConnectors:
+  - connectorId: BehaviorAnalytics
+    dataTypes:
+      - Anomalies
+tactics:
+relevantTechniques:
+query: |
+  let TopIPs =
+    Anomalies
+    | where TimeGenerated > ago(30d)
+    | where isnotempty(SourceIpAddress)
+    | summarize TotalAnomalies = count(), DistinctTemplates = dcount(AnomalyTemplateName) by SourceIpAddress
+    | where TotalAnomalies > 1 and DistinctTemplates > 1
+    | top 5 by TotalAnomalies desc
+    | project SourceIpAddress;
+  Anomalies
+  | where TimeGenerated > ago(24h)
+  | where SourceIpAddress in (TopIPs)
+  | project TimeGenerated, SourceIpAddress, AnomalyTemplateName, Score, Description,
+            UserPrincipalName, UserName, StartTime, EndTime,
+            Tactics, Techniques, ActivityInsights, DeviceInsights, UserInsights, AnomalyReasons
+  | order by SourceIpAddress asc, Score desc, TimeGenerated desc
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIpAddress
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserName
+version: 1.0.0

Solutions/UEBA Essentials/Hunting Queries/Top Anomalous Source IP Triage.yaml

@@ -0,0 +1,25 @@
+id: c9d0e1f2-a3b4-5678-9012-cdef34567890
+name: User-Centric Anomaly Investigation
+description: |
+  'Investigates all anomalous activities associated with a specific user account over the past 30 days, including anomaly scores, behavioral insights, source locations, and MITRE ATT&CK mappings. Customize by replacing "[email protected]" with the target user principal name for focused threat hunting and incident response.'
+requiredDataConnectors:
+  - connectorId: BehaviorAnalytics
+    dataTypes:
+      - Anomalies
+tactics:
+relevantTechniques:
+query: |
+  Anomalies 
+  | where TimeGenerated > ago(30d) 
+  | where UserPrincipalName == "[email protected]" 
+  | project TimeGenerated, UserName, AnomalyTemplateName, Score, Description, ActivityInsights, UserInsights, SourceIpAddress, SourceLocation, Tactics, Techniques
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIpAddress
+version: 1.0.0

Solutions/UEBA Essentials/Hunting Queries/User-Centric Anomaly Investigation.yaml

@@ -3,3 +3,4 @@
 | 3.0.2       | 04-11-2025                     | Enhance UEBA Essentials with multi-cloud detection capabilities        	               |
 | 3.0.1       | 23-09-2024                     | Updated query logic in **Hunting Query** [Anomalous Sign-in Activity]                     |
 | 3.0.0       | 07-11-2023                     | Modified text as there is rebranding from Azure Active Directory to Microsoft Entra ID.   |
+| 4.1.0       | 23-11-2025                     | Added new hunting queries: User-Centric Anomaly Investigation, Anomaly Detection Trend Analysis, Anomaly Template Distribution, Anomalous High-Score Activity Triage, Top Anomalous Source IP Triage. Updated solution version. |