defender-xdr/investigate-incidents.md
+2 -1 Lines changed: 2 additions & 1 deletion
@@ -87,8 +87,9 @@ The ***go hunt*** action takes advantage of the [advanced hunting](advanced-hunt
87
87
- See all available queries – the option returns all available queries for the entity type you're investigating.
88
88
- All Activity – the query returns all activities associated with an entity, providing you with a comprehensive view of the incident's context.
89
89
- Related Alerts – the query searches for and returns all security alerts involving a specific entity, ensuring you don't miss any information.
90
+
- All User anomalies (Preview) – the query returns all anomalies associated with the user from the past 30 days, helping you identify unusual behavior that might be relevant to the incident. Available only for user entities if you have enabled [Microsoft Sentinel User and Entity Behavior Analytics (UEBA)](/azure/sentinel/identify-threats-with-entity-behavior-analytics).
90
91
91
-
:::image type="content" source="./media/investigate-incidents/fig1-gohunt-attackstory.png" alt-text="Selecting the go hunt option on a device in an attack story" lightbox="./media/investigate-incidents/fig1-gohunt-attackstory.png":::
92
+
:::image type="content" source="./media/investigate-incidents/gohunt-attackstory.png" alt-text="Selecting the go hunt option on a device in an attack story" lightbox="./media/investigate-incidents/gohunt-attackstory.png":::
92
93
93
94
The resulting logs or alerts can be linked to an incident by selecting a result and then selecting *Link to incident*.
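Review bot: the image reference changes from `fig1-gohunt-attackstory.png` to `gohunt-attackstory.png` (in both `source` and `lightbox`), but this diff does not show a file being added or renamed under `./media/investigate-incidents/`, so confirm the asset exists at the new path before merging or the image will render broken. One consistency point: the new bullet names the query "All User anomalies" while the whats-new article in this same commit writes "Go Hunt > All user anomalies"; use one spelling so readers can match the text to the menu entry.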
defender-xdr/investigate-users.md
+8 -5 Lines changed: 8 additions & 5 deletions
@@ -57,17 +57,20 @@ The identity page shows the Microsoft Entra organization and groups, helping you
57
57
58
58
### Entity details
59
59
60
-
The **Entity details** panel on the left side of the page provides information about the user, such as the Microsoft Entra identity risk level, the insider risk severity level (Preview), the number of devices the user is signed in to, when the user was first and last seen, the user's accounts, groups that the user belongs to, contact information, and more. You see other details depending on the integration features you enabled.
60
+
The **Entity details** panel on the left side of the page provides information about the user, such as the Microsoft Entra identity risk level, the insider risk severity level (Preview), the number of devices the user is signed in to, when the user was first and last seen, the user's accounts, groups that the user belongs to, and contact information. This card includes all incidents and alerts associated with the user entity, grouped by severity.
61
61
62
62
> [!NOTE]
63
63
> **Investigation Priority Score** was deprecated on December 3, 2024. The Investigation Priority Score breakdown and the Scored activities cards are no longer available.
64
64
65
-
> [!NOTE]
66
-
> (Preview) Microsoft Defender XDR users with access to [Microsoft Purview Insider Risk Management](/purview/insider-risk-management-solution-overview) can now see a user's insider risk severity and gain insights on a user's suspicious activities in the user page. Select the **insider risk severity** under Entity details to see the risk insights about the user.
67
-
### Visual view of incidents and alerts
65
+
You see other details depending on the services and features you enabled, including:
68
66
69
-
This card includes all incidents and alerts associated with the user entity, grouped by severity.
67
+
- (Preview) Microsoft Defender XDR users with access to [Microsoft Purview Insider Risk Management](/purview/insider-risk-management-solution-overview) can now see a user's insider risk severity and gain insights on a user's suspicious activities in the user page. Select the **insider risk severity** under Entity details to see the risk insights about the user.
68
+
- (Preview) If you enable [Microsoft Sentinel User and Entity Behavior Analytics (UEBA)](/azure/sentinel/identify-threats-with-entity-behavior-analytics), you'll see:
69
+
- The user's top three UEBA anomalies from the last 30 days.
70
+
- Links to launch pre-built advanced hunting queries and view all anomalous behaviors related to the user on the [Sentinel events tab](#microsoft-sentinel-events).
71
+
This is available only for customers who have UEBA enabled.
70
72
73
+
71
74
### Active directory account controls
72
75
73
76
This card highlights important Microsoft Defender for Identity security settings for the user's account. For example, it shows if the user can bypass the password by pressing enter, or if the user's password never expires. Review these flags to identify account settings that might need your attention.
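Review bot: deleting the `### Visual view of incidents and alerts` heading removes the `#visual-view-of-incidents-and-alerts` anchor, so check for inbound links to it in this and other articles before merging; the sentence that sat under it, "This card includes all incidents and alerts associated with the user entity, grouped by severity.", is now appended to the Entity details paragraph, where "This card" reads as the Entity details panel rather than the incidents-and-alerts card, so reword it to name the card it describes. Two smaller points: the trailing line "This is available only for customers who have UEBA enabled." repeats the condition already stated by "If you enable [UEBA] ..., you'll see:" and is indented so it is unclear whether it belongs to the nested list or starts a new paragraph; drop it or fold it into the parent bullet. Also, the `(#microsoft-sentinel-events)` link in the nested bullet assumes a "Microsoft Sentinel events" heading exists in this file; that heading is outside the hunk, so confirm the anchor resolves.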
unified-secops-platform/whats-new.md
+29 Lines changed: 29 additions & 0 deletions
@@ -22,6 +22,35 @@ ms.topic: concept-article
22
22
This article lists recent features added for unified security operations in the Microsoft Defender portal.
23
23
24
24
25
+
## November 2025
26
+
27
+
### New Entity Behavior Analytics (UEBA) experiences in the Defender portal (Preview)
28
+
29
+
Microsoft Sentinel introduces new UEBA experiences in the Defender portal, bringing behavioral insights directly into key analyst workflows. These enhancements help analysts prioritize investigations and apply UEBA context more effectively.
30
+
31
+
#### Anomaly-focused user investigations
32
+
33
+
In the Defender portal, users with behavioral anomalies are automatically tagged with **UEBA Anomalies**, helping analysts quickly identify which users to prioritize.
34
+
35
+
Analysts can view the top three anomalies from the past 30 days in a dedicated Top UEBA anomalies section, available in:
36
+
37
+
- User side panels accessible from various portal locations.
38
+
- The **Overview** tab of user entity pages.
39
+
40
+
This section also includes direct links to anomaly queries and the Sentinel events timeline, enabling deeper investigation and faster context gathering.
41
+
42
+
#### Drilldown to user anomalies from incident graphs
43
+
44
+
Analysts can quickly access all anomalies related to a user by selecting **Go Hunt > All user anomalies** from the incident graph. This built-in query provides immediate UEBA context to support deeper investigation.
45
+
46
+
#### Enriched advanced hunting and custom detections queries with behavior insights
47
+
48
+
Advanced hunting and custom detection experiences now include a contextual banner that prompts analysts to join the UEBA Anomalies table to queries that include UEBA data sources.
49
+
50
+
All features require UEBA to be enabled and are workspace-scoped to the currently selected workspace.
51
+
52
+
For more information, see [UEBA experiences in the Defender portal empower analysts and streamline workflows](/azure/sentinel/identify-threats-with-entity-behavior-analytics.md#ueba-experiences-in-the-defender-portal-empower-analysts-and-streamline-workflows).
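Review bot: the link on the last added line, `/azure/sentinel/identify-threats-with-entity-behavior-analytics.md#ueba-experiences-in-the-defender-portal-empower-analysts-and-streamline-workflows`, carries a `.md` extension inside a site-absolute path, whereas the same article is linked elsewhere in this commit as `/azure/sentinel/identify-threats-with-entity-behavior-analytics` with no extension; drop the `.md` so the published link resolves consistently. Three documentation points: the section heading reads "New Entity Behavior Analytics (UEBA) experiences" but the acronym is spelled out as "User and Entity Behavior Analytics" in the other two files touched here, so the heading should say "New User and Entity Behavior Analytics (UEBA) experiences"; "Top UEBA anomalies" is a UI section name and should be bolded like **UEBA Anomalies** and **Overview** in the same section; and "Go Hunt > All user anomalies" differs in capitalization from the "All User anomalies" bullet added to investigate-incidents.md in this same change, so align the two.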