Anomalies detected by the Microsoft Sentinel machine learning engine

Microsoft Sentinel detects anomalies by analyzing the behavior of users in an environment over a period of time and constructing a baseline of legitimate activity. Once the baseline is established, any activity outside the normal parameters is considered anomalous and therefore suspicious.

Microsoft Sentinel uses two models to create baselines and detect anomalies.

• UEBA anomalies
• Machine learning-based anomalies

This article lists the anomalies that Microsoft Sentinel detects using various machine learning models.

In the Anomalies table:

• The rulename column indicates the rule Sentinel used to identify each anomaly.
• The score column contains a numerical value between 0 and 1, which quantifies the degree of deviation from the expected behavior. Higher scores indicate greater deviation from the baseline and are more likely to be true anomalies. Lower scores might still be anomalous, but are less likely to be significant or actionable.

UEBA anomalies

Sentinel UEBA detects anomalies based on dynamic baselines created for each entity across various data inputs. Each entity's baseline behavior is set according to its own historical activities, those of its peers, and those of the organization as a whole. Anomalies can be triggered by the correlation of different attributes such as action type, geo-location, device, resource, ISP, and more.

You must enable UEBA and anomaly detection in your Sentinel workspace to detect UEBA anomalies.

UEBA detects anomalies based on these anomaly rules:

• UEBA Anomalous Account Access Removal
• UEBA Anomalous Account Creation
• UEBA Anomalous Account Deletion
• UEBA Anomalous Account Manipulation
• UEBA Anomalous Activity in GCP Audit Logs (Preview)
• UEBA Anomalous Activity in Okta_CL (Preview)
• UEBA Anomalous Authentication (Preview)
• UEBA Anomalous Code Execution
• UEBA Anomalous Data Destruction
• UEBA Anomalous Defensive Mechanism Modification
• UEBA Anomalous Failed Sign-in
• UEBA Anomalous Logon in AwsCloudTrail (Preview)
• UEBA Anomalous MFA Failures in Okta_CL (Preview)
• UEBA Anomalous Password Reset
• UEBA Anomalous Privilege Granted
• UEBA Anomalous Sign-in

Sentinel uses enriched data from the BehaviorAnalytics table to identify UEBA anomalies with a confidence score specific to your tenant and source.

UEBA Anomalous Account Access Removal

Description: An attacker may interrupt the availability of system and network resources by blocking access to accounts used by legitimate users. The attacker might delete, lock, or manipulate an account (for example, by changing its credentials) to remove access to it.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Account Creation

Description: Adversaries may create an account to maintain access to targeted systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access without requiring persistent remote access tools to be deployed on the system.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Account Deletion

Description: Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Account Manipulation

Description: Adversaries may manipulate accounts to maintain access to target systems. These actions include adding new accounts to high-privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high-Blast Radius users performing "Update user" (name change) to privileged role, or ones that changed users for the first time.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Activity in GCP Audit Logs (Preview)

Description: Failed access attempts to Google Cloud Platform (GCP) resources based on IAM-related entries in GCP Audit Logs. These failures might reflect misconfigured permissions, attempts to access unauthorized services, or early-stage attacker behaviors like privilege probing or persistence through service accounts.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Activity in Okta_CL (Preview)

Description: Unexpected authentication activity or security-related configuration changes in Okta, including modifications to sign-on rules, multifactor authentication (MFA) enforcement, or administrative privileges. Such activity might indicate attempts to alter identity security controls or maintain access through privileged changes.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Authentication (Preview)

Description: Unusual authentication activity across signals from Microsoft Defender for Endpoint and Microsoft Entra ID, including device logons, managed identity sign-ins, and service principal authentications from Microsoft Entra ID. These anomalies may suggest credential misuse, non-human identity abuse, or lateral movement attempts outside typical access patterns.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Code Execution

Description: Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Data Destruction

Description: Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Defensive Mechanism Modification

Description: Adversaries may disable security tools to avoid possible detection of their tools and activities.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Failed Sign-in

Description: Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Logon in AwsCloudTrail (Preview)

Description: Unusual logon activity in Amazon Web Services (AWS) services based on CloudTrail events such as ConsoleLogin and other authentication-related attributes. Anomalies are determined by deviations in user behavior based on attributes like geolocation, device fingerprint, ISP, and access method, and may indicate unauthorized access attempts or potential policy violations.

Back to UEBA anomalies list | Back to top

UEBA Anomalous MFA Failures in Okta_CL (Preview)

Description: Unusual patterns of failed MFA attempts in Okta. These anomalies might result from account misuse, credential stuffing, or improper use of trusted device mechanisms, and often reflect early-stage adversary behaviors, such as testing stolen credentials or probing identity safeguards.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Password Reset

Description: Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Privilege Granted

Description: Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials to maintain persistent access to victim Azure accounts.

Back to UEBA anomalies list | Back to top

UEBA Anomalous Sign-in

Description: Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Persistence.

Back to UEBA anomalies list | Back to top

Machine learning-based anomalies

Microsoft Sentinel's customizable, machine learning-based anomalies can identify anomalous behavior with analytics rule templates that can be put to work right out of the box. While anomalies don't necessarily indicate malicious or even suspicious behavior by themselves, they can be used to improve detections, investigations, and threat hunting.

• Anomalous Azure operations
• Anomalous Code Execution
• Anomalous local account creation
• Anomalous user activities in Office Exchange
• Attempted computer brute force
• Attempted user account brute force
• Attempted user account brute force per login type
• Attempted user account brute force per failure reason
• Detect machine generated network beaconing behavior
• Domain generation algorithm (DGA) on DNS domains
• Excessive Downloads via Palo Alto GlobalProtect
• Excessive uploads via Palo Alto GlobalProtect
• Potential domain generation algorithm (DGA) on next-level DNS Domains
• Suspicious volume of AWS API calls from Non-AWS source IP address
• Suspicious volume of AWS write API calls from a user account
• Suspicious volume of logins to computer
• Suspicious volume of logins to computer with elevated token
• Suspicious volume of logins to user account
• Suspicious volume of logins to user account by logon types
• Suspicious volume of logins to user account with elevated token

Anomalous Azure operations

Description: This detection algorithm collects 21 days' worth of data on Azure operations grouped by user to train this ML model. The algorithm then generates anomalies in the case of users who performed sequences of operations uncommon in their workspaces. The trained ML model scores the operations performed by the user and considers anomalous those whose score is greater than the defined threshold.

Back to Machine learning-based anomalies list | Back to top

Anomalous Code Execution

Description: Attackers may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.

Back to Machine learning-based anomalies list | Back to top

Anomalous local account creation

Description: This algorithm detects anomalous local account creation on Windows systems. Attackers may create local accounts to maintain access to targeted systems. This algorithm analyzes local account creation activity over the prior 14 days by users. It looks for similar activity on the current day from users who were not previously seen in historical activity. You can specify an allowlist to filter known users from triggering this anomaly.

Back to Machine learning-based anomalies list | Back to top

Anomalous user activities in Office Exchange

Description: This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one hour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users. It indicates anomalous user Office Exchange sessions in the last day.

Back to Machine learning-based anomalies list | Back to top

Attempted computer brute force

Description: This algorithm detects an unusually high volume of failed login attempts (security event ID 4625) per computer over the past day. The model is trained on the previous 21 days of Windows security event logs.

Back to Machine learning-based anomalies list | Back to top

Attempted user account brute force

Description: This algorithm detects an unusually high volume of failed login attempts (security event ID 4625) per user account over the past day. The model is trained on the previous 21 days of Windows security event logs.

Back to Machine learning-based anomalies list | Back to top

Attempted user account brute force per login type

Description: This algorithm detects an unusually high volume of failed login attempts (security event ID 4625) per user account per logon type over the past day. The model is trained on the previous 21 days of Windows security event logs.

Back to Machine learning-based anomalies list | Back to top

Attempted user account brute force per failure reason

Description: This algorithm detects an unusually high volume of failed login attempts (security event ID 4625) per user account per failure reason over the past day. The model is trained on the previous 21 days of Windows security event logs.

Back to Machine learning-based anomalies list | Back to top

Detect machine generated network beaconing behavior

Description: This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns. Any network connection towards untrusted public networks at repetitive time deltas is an indication of malware callbacks or data exfiltration attempts. The algorithm will calculate the time delta between consecutive network connections between the same source IP and destination IP, as well as the number of connections in a time-delta sequence between the same sources and destinations. The percentage of beaconing is calculated as the connections in time-delta sequence against total connections in a day.

Back to Machine learning-based anomalies list | Back to top

Domain generation algorithm (DGA) on DNS domains

Description: This machine learning model indicates potential DGA domains from the past day in the DNS logs. The algorithm applies to DNS records that resolve to IPv4 and IPv6 addresses.

Back to Machine learning-based anomalies list | Back to top

Excessive Downloads via Palo Alto GlobalProtect

Description: This algorithm detects unusually high volume of download per user account through the Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. It indicates anomalous high volume of downloads in the past day.

Back to Machine learning-based anomalies list | Back to top

Excessive uploads via Palo Alto GlobalProtect

Description: This algorithm detects unusually high volume of upload per user account through the Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. It indicates anomalous high volume of upload in the past day.

Back to Machine learning-based anomalies list | Back to top

Potential domain generation algorithm (DGA) on next-level DNS Domains

Description: This machine learning model indicates the next-level domains (third-level and up) of the domain names from the last day of DNS logs that are unusual. They could potentially be the output of a domain generation algorithm (DGA). The anomaly applies to the DNS records that resolve to IPv4 and IPv6 addresses.

Back to Machine learning-based anomalies list | Back to top

Suspicious volume of AWS API calls from Non-AWS source IP address

Description: This algorithm detects an unusually high volume of AWS API calls per user account per workspace, from source IP addresses outside of AWS's source IP ranges, within the last day. The model is trained on the previous 21 days of AWS CloudTrail log events by source IP address. This activity may indicate that the user account is compromised.

Back to Machine learning-based anomalies list | Back to top

Suspicious volume of AWS write API calls from a user account

Description: This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS CloudTrail log events by user account. This activity may indicate that the account is compromised.

Back to Machine learning-based anomalies list | Back to top

Suspicious volume of logins to computer

Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) per computer over the past day. The model is trained on the previous 21 days of Windows Security event logs.

Back to Machine learning-based anomalies list | Back to top

Suspicious volume of logins to computer with elevated token

Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) with administrative privileges, per computer, over the last day. The model is trained on the previous 21 days of Windows Security event logs.

Back to Machine learning-based anomalies list | Back to top

Suspicious volume of logins to user account

Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) per user account over the past day. The model is trained on the previous 21 days of Windows Security event logs.

Back to Machine learning-based anomalies list | Back to top

Suspicious volume of logins to user account by logon types

Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) per user account, by different logon types, over the past day. The model is trained on the previous 21 days of Windows Security event logs.

Back to Machine learning-based anomalies list | Back to top

Suspicious volume of logins to user account with elevated token

Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) with administrative privileges, per user account, over the last day. The model is trained on the previous 21 days of Windows Security event logs.

Back to Machine learning-based anomalies list | Back to top

Next steps

• Learn about machine learning-generated anomalies in Microsoft Sentinel.

• Learn how to work with anomaly rules.

• Investigate incidents with Microsoft Sentinel.