www.microsoft.com 4/28/2026, 2:26:47 PM

Sentinel UEBA adds behavioural tables to AWS CloudTrail logs


MICROSOFT Sentinel UEBA now extends its AWS analysis by enriching CloudTrail logs with behavioural context across hybrid environments, surfaced in two tables: BehaviorAnalytics and Anomalies. Rather than leaving analysts to build baselines and thresholds by hand in their own queries, the service does that work itself and exposes binary signals such as FirstTimeUserConnectedFromCountry, UncommonHighVolumeOfOperations and BrowserUncommonlyUsedInTenant that can be stacked for detection and investigation, as explained by the Microsoft Defender Security Research Team.

Because these features are pre-computed, a detection can be written as a readable, three-line query that states its intent directly, while UEBA manages the underlying baselines automatically over enrichment windows ranging from seven to 180 days. The Anomalies table then holds ML-generated anomaly records carrying MITRE ATT&CK tactic and technique mappings, an anomaly score and AnomalyReasons, which guide the pivot from a suspect CloudTrail event to the correlated anomaly entries.

The article notes that UEBA's AWS coverage includes CloudTrail, identity provider and authentication logs, and that analysts can speed up triage by pivoting from BehaviorAnalytics to Anomalies for model-driven prioritisation. It also cautions that UEBA coverage is selective and that enrichments vary by action, so scores should be treated as investigation signals rather than as sole alert triggers.
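The stacking-and-pivot workflow described above, as an added KQL example written for this summary; it is not code from the Microsoft article or from the Sentinel product documentation. It assumes the BehaviorAnalytics columns ActivityInsights, UserPrincipalName, SourceIPAddress, ActionType, InvestigationPriority and SourceRecordId, and the Anomalies columns AnomalyTemplateName, Score, Tactics, Techniques, AnomalyReasons and UserPrincipalName, all of which should be checked against the workspace schema (the summary refers to the score as AnomalyScore; it is written here as Score). The seven-day lookback, the one-day anomaly correlation window and the join on UserPrincipalName are choices made for the example, not values from the article.

```kql
// Added example, not from the original article. Column names are assumptions
// to verify against your own workspace schema before relying on this query.
let lookback = 7d;
// Insight values arrive as "True"/"False" strings (or booleans) and are absent for
// actions UEBA does not enrich; tobool() accepts either form and coalesce() keeps a
// missing insight from turning the whole sum into null.
let flag = (v: dynamic) { coalesce(toint(tobool(v)), 0) };
let signals =
    BehaviorAnalytics
    | where TimeGenerated > ago(lookback)
    | extend SignalCount =
          flag(ActivityInsights.FirstTimeUserConnectedFromCountry)
        + flag(ActivityInsights.UncommonHighVolumeOfOperations)
        + flag(ActivityInsights.BrowserUncommonlyUsedInTenant)
    // Stacking: a single uncommon signal is routine; two or more on one action is worth a look.
    | where SignalCount >= 2
    // SourceRecordId is kept as the key back to the raw source event; which CloudTrail
    // column it matches depends on the connector (assumption, check before joining).
    | project TimeGenerated, UserPrincipalName, SourceIPAddress, ActionType,
              SignalCount, InvestigationPriority, SourceRecordId;
let anomalies =
    Anomalies
    | where TimeGenerated > ago(lookback)
    | project AnomalyTime = TimeGenerated, UserPrincipalName, AnomalyTemplateName,
              Score, Tactics, Techniques, AnomalyReasons;
signals
// Left outer join keeps stacked signals that no anomaly model has scored yet;
// for AWS identities the populated entity field may be UserName or an ARN rather
// than UserPrincipalName, so adjust the join key to what your data carries.
| join kind=leftouter anomalies on UserPrincipalName
| where isnull(AnomalyTime)
     or AnomalyTime between ((TimeGenerated - 1d) .. (TimeGenerated + 1d))
| project TimeGenerated, UserPrincipalName, SourceIPAddress, ActionType, SignalCount,
          InvestigationPriority, AnomalyTemplateName, Score, Tactics, Techniques,
          AnomalyReasons, SourceRecordId
// Model score first for prioritisation, then the number of stacked signals.
| order by Score desc nulls last, SignalCount desc
```

Rows with a null Score are stacked signals that no anomaly model has corroborated; they belong at the bottom of the queue, not dropped, which is why the join is left outer. In line with the article's caveat, treat both Score and SignalCount as inputs to an investigation rather than as alert triggers on their own.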


Article by CyberSIXT