Microsoft Sentinel UEBA Expands AWS Detection
Summary
Microsoft Sentinel UEBA now adds richer behavioral analytics for AWS CloudTrail data, giving security teams built-in context like first-time geography, uncommon ISP, unusual actions, and abnormal operation volume. The update helps defenders detect suspicious AWS activity faster and reduces the need for complex KQL baselines and manual enrichment.
Introduction
Microsoft is expanding Microsoft Sentinel UEBA to strengthen AWS threat detection with richer behavioral analytics. For security operations teams managing hybrid and multi-cloud environments, this matters because AWS CloudTrail events now arrive with built-in context that can speed up investigations and improve detection quality.
Instead of relying on complex KQL queries, static thresholds, or manually maintained baselines, defenders can use precomputed UEBA insights to identify suspicious behavior in AWS activity more quickly.
What’s new in Microsoft Sentinel UEBA for AWS
Microsoft has added broader UEBA support across multi-cloud and identity data sources, including AWS, GCP, Okta, and additional authentication logs. For AWS specifically, the key enhancements include:
- More AWS behavioral enrichments for CloudTrail events at ingestion time
- Binary insights such as:
  - First-time geography
  - Uncommon ISP
  - Unusual action
  - Abnormal operation volume
- BehaviorAnalytics table support for AWS activity, exposing user, device, and activity insights
- Anomalies table with six built-in AWS anomaly detections from Microsoft’s machine learning models
- Defender portal integration for surfacing UEBA anomalies in user entity pages and incident graphs
Microsoft refers to this approach as binary feature stacking, where analysts combine simple true/false behavioral indicators to quickly spot attacker activity that may otherwise blend into normal AWS operations.
Why this matters for security teams
AWS investigations often depend on raw CloudTrail logs and custom logic to determine whether behavior is actually suspicious. That process can be time-consuming and expensive, especially in fast-changing cloud environments.
With Sentinel UEBA, administrators and analysts get:
- Faster triage of AWS alerts
- Less reliance on manually engineered KQL baselines
- Better context for both human and non-human identities
- More consistent anomaly detection across hybrid and multi-cloud estates
The update is especially useful for SOC teams that want to reduce alert fatigue while improving visibility into risky AWS actions such as unusual logons, IAM privilege changes, or previously unseen user agents.
Key implementation details
The AWS behavioral context appears in two main tables:
BehaviorAnalytics
This is the main investigation surface for UEBA-enriched AWS activity. It includes fields such as EventSource, ActivityType, and ActionType, plus dynamic insight fields like UserInsights, DeviceInsights, and ActivityInsights.
Anomalies
This table contains Microsoft’s pre-trained anomaly detections for AWS. Records include:
- MITRE ATT&CK mappings
- AnomalyScore
- AnomalyReasons
- Related behavioral enrichments
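As an added example (not from the original post and not Microsoft's own query), the binary feature stacking described above expressed as a KQL hunting query over BehaviorAnalytics: each insight is read as a true/false flag, the flags are summed per identity, and only activity with two or more stacked flags is returned. The EventSource value "AWS" and the ActivityInsights key names are assumptions, so confirm them against the schema in your workspace before relying on the query.

```kql
// Added example: stack the four binary AWS insights from BehaviorAnalytics.
// Assumptions (not from the post): CloudTrail-derived rows carry EventSource == "AWS",
// and the insights are stored under the ActivityInsights keys used below.
let lookback = 1d;
let minStackedFlags = 2;   // require at least two independent signals before surfacing
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
| where EventSource == "AWS"
// A missing key yields null; coalesce to false so it counts as "no signal", not as unknown.
| extend
    FirstTimeGeo   = coalesce(tobool(ActivityInsights["FirstTimeUserConnectedFromCountry"]), false),
    UncommonIsp    = coalesce(tobool(ActivityInsights["ISPUncommonlyUsedByUser"]), false),
    UnusualAction  = coalesce(tobool(ActivityInsights["ActionUncommonlyPerformedByUser"]), false),
    AbnormalVolume = coalesce(tobool(ActivityInsights["UncommonHighVolumeOfOperations"]), false)
| extend StackedFlags = toint(FirstTimeGeo) + toint(UncommonIsp)
                      + toint(UnusualAction) + toint(AbnormalVolume)
| where StackedFlags >= minStackedFlags
// Collapse to one row per identity and activity type so triage sees the pattern, not every event.
| summarize
    Events        = count(),
    MaxStacked    = max(StackedFlags),
    Flags         = make_set(pack_array(
                        iff(FirstTimeGeo, "FirstTimeGeo", ""),
                        iff(UncommonIsp, "UncommonIsp", ""),
                        iff(UnusualAction, "UnusualAction", ""),
                        iff(AbnormalVolume, "AbnormalVolume", "")), 8),
    Actions       = make_set(ActionType, 20),
    SourceIPs     = make_set(SourceIPAddress, 10),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by UserPrincipalName, ActivityType
| extend Flags = set_difference(Flags, pack_array(""))   // drop the empty placeholder
| order by MaxStacked desc, Events desc
```

Raise minStackedFlags to 3 for a lower-volume, higher-confidence feed, or lower it to 1 when hunting for a specific identity already under investigation.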
What IT and security admins should do next
- Review current AWS CloudTrail detections in Sentinel
- Identify analytics rules that rely on heavy baseline logic
- Test UEBA enrichments in the BehaviorAnalytics and Anomalies tables
- Use Defender portal hunting workflows to investigate user anomalies faster
- Update SOC playbooks to take advantage of precomputed AWS behavioral context
For organizations securing AWS alongside Microsoft environments, this update can simplify detection engineering and improve response efficiency.