
Entity behavior

This page is essentially a dashboard of all the entities currently tracked in Sentinel. You can see the alerts per entity or search for a specific entity. When you select an entity, you get the typical entity page with general information on the left, alerts and activities in the middle, and insights on the right. Most insights originate from UEBA.

On the main page there is a button that opens the UEBA settings and a Customize entity page button.

Customize entity page

This is an exciting feature, especially if you have been looking at an entity and felt like the timeline was lacking important information. Using KQL queries, you can gather the data you would like to show on the timeline. Microsoft has a cool scenario of adding a user scanning into a sensitive physical access area, such as a server room, to the timeline. Obviously the possibilities here are endless.
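
A sketch of what an activity query for that badge-scan scenario could look like, added here as an example and not taken from Microsoft's documentation or from a real workspace. The table `BadgeAccess_CL`, its columns, and the zone names are hypothetical; `{{Account_Name}}` and `{{Account_UPNSuffix}}` are the entity-identifier placeholders that Sentinel substitutes with the values of the account whose page is open.

```kql
// Added example: custom activity for the Account entity timeline.
// BadgeAccess_CL and every *_s column are hypothetical; replace them with the
// custom table and fields your physical access control system ingests into.
let SensitiveZones = dynamic(["ServerRoom", "NetworkCage"]);   // constructed zone names
BadgeAccess_CL
| where Zone_s in (SensitiveZones)
// Split the UPN so it can be matched against the entity identifiers
| extend Name   = tostring(split(UserPrincipalName_s, "@")[0]),
         Suffix = tostring(split(UserPrincipalName_s, "@")[1])
| where Name =~ '{{Account_Name}}' and Suffix =~ '{{Account_UPNSuffix}}'
// Flag scans outside 07:00-19:00 (TimeGenerated is UTC, adjust for the site's time zone)
| extend AfterHours = hourofday(TimeGenerated) !between (7 .. 19)
| project TimeGenerated, UserPrincipalName_s, Zone_s, Reader_s, Result_s, AfterHours
| order by TimeGenerated asc
```

Keeping denied scans in the result, rather than filtering on granted ones only, lets the timeline show failed attempts at a sensitive door next to the account's sign-in alerts.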