Simplifying AWS defense with Microsoft Sentinel UEBA
Microsoft Defender Security Research Team · 2026-04-28
ATT&CK techniques detected
7 predictions
T1525 Implant Internal Image (75%)
"…n identifiers, but it might not apply to AWS IAM users or AWS resource entities that do not map cleanly to a UPN. To be clear – anomalies are triggered and available for all identity types (with UPN and without UPN), but are only shown in the UI for entities with a UPN. Some …"
T1525 Implant Internal Image (72%)
"…sons, which explains why an event was flagged as an anomaly. Here's an example of an AWS IAM privilege modification anomaly. In this case, the CreateLoginProfile API was invoked from a previously unseen user agent in a new country. The annotated screenshot illustrates how the…"
T1525 Implant Internal Image (65%)
"Start hunting? Onboard your AWS environment to Microsoft Sentinel UEBA, open advanced hunting, and run the starter query in the Practical Implementation section to explore the BehaviorAnalytics and Anomalies tables in your environment. References: UEBA onboarding and setting docum…"
T1525 Implant Internal Image (53%)
", and hardening detections over time. Note: the UEBA Signals column lists examples of relevant binary features, not the exact logic that triggers an anomaly. Anomalies are generated by ML models and don't map one-to-one to individual features. Use AnomalyReasons in the Ano…"
T1525 Implant Internal Image (53%)
"Simplifying AWS defense with Microsoft Sentinel UEBA. With the expansion of Microsoft Sentinel UEBA (User and Entity Behavior Analytics) into new data sources, spanning multi-cloud (AWS, GCP), identity providers (Okta), and authentication logs (Microsoft Defender for Endp…"
T1525 Implant Internal Image (52%)
"Go hunt all user anomalies queries for immediate context-driven hunting based on UEBA outcomes. For more details, see UEBA integration with Microsoft Sentinel workflows. Traditional vs. new approach: let's look at a classic AWS scenario: unusual anomalous AWS logons. You want…"
T1525 Implant Internal Image (47%)
"baseline user, peer, and device behavior patterns – such as first-time geography, uncommon ISP, unusual action, and abnormal operation volume. These clear binary signals help establish behavioral context and inform investigation and detection decisions. This post refers to this…"
Summary
Learn how Microsoft Sentinel UEBA helps defenders distinguish benign AWS activity from attacker behavior by enriching raw CloudTrail logs with clear, binary behavioral signals derived from baseline user, peer, and device behavior patterns.