Stop Orchestrating Around Bad Detections

How Microsoft UEBA Moves the Logic Left

June 17, 2026 | 4 min read

Steve Miller and Remco Hofman

Introduction

Security operations teams are drowning in telemetry. Rule-based detections still do the heavy lifting, but they often force you to choose between high noise and blind spots, especially when adversaries live off the land and blend into legitimate activity. Over the past year at BlueVoyant, we’ve been testing and deploying Microsoft’s User and Entity Behavioral Analytics (UEBA) capabilities across our customer base, and the results have been eye-opening. Detections that used to be brittle or prohibitively noisy have become both simpler to author and far more actionable. 

At its core, UEBA builds behavioral baselines for users and hosts, then highlights activity that deviates from those norms or from peer groups. In Microsoft’s ecosystem, those baselines and anomalies are exposed through entity- and behavior-centric tables you can query. That means detection engineers can do more than just match on events: we can enrich and filter with context like “first time seen,” “rare for this host/user,” or “atypical for the peer group,” directly inside our KQL.

The practical impact is significant. Take a classic example: ‘Query User Command Executed’. A straightforward rule will flag every occurrence and quickly flood a SOC with false positives from admins, labs, or legitimate tooling. By intersecting that same detection with UEBA baselines, for example, suppressing alerts when the process is common for a given host or normal within a user’s peer group, we’ve turned a noisy pattern into a high-signal one. In a large tenant, this approach reduced case volume from an unmanageable pile to a small, reviewable set without sacrificing coverage. 

UEBA doesn’t replace rules or expert tuning; it amplifies them. It gives detection engineers ready-made context to: 

  • Prioritize genuinely anomalous activity over routine noise 
  • Design simpler queries that rely on behavior and rarity rather than long exception lists 
  • Speed up triage with entity profiles that explain why something is noteworthy 

In the rest of this post, we’ll break down how we integrated Microsoft’s UEBA into our detection pipeline, the specific tables and features we found most useful for filtering and enrichment, and lessons learned from real-world testing. The goal is to keep it practical so you can apply the same approach to your own high-noise detections and cut through the alert fatigue without losing sight of the adversary. 

Technical Deep Dive 

While ASIM is the primary standard for BlueVoyant Analytical Rule development, there is also a very strong focus on leveraging UEBA, both to optimize rules and to give our SOC the richest context possible, so that customers receive highly specific, actionable intelligence and output.

Please see below the example Analytical Rule ‘Query User Command Executed’. This was the first UEBA-optimized rule BlueVoyant developed, and it serves as a good example because of its simplicity.

Analytical rule

To demonstrate the impact of this strategy, BlueVoyant ran the core query of this Rule without the UEBA optimization. As shown below, this generated 11,596 rows (Incidents) over a 30-day window across only 20% of our customers, before the extreme volume killed the internal tool running the search.

UEBA optimized version

BlueVoyant then ran the UEBA optimized version over the same period. This time the query completed across the entire customer base and returned 12 rows containing UEBA enriched output. That would have equated to 12 Incidents over the 30-day period, each packaged with a UEBA based determination ready for customer escalation.

UEBA use case

In this example, UEBA enabled the Use Case to filter out system administrators’ legitimate use of quser.exe and to alert only where the command had been:

  • run for the first time in the Tenant or by the user, or
  • generally uncommon for users in the environment,

both key indicators of an attacker enumerating sessions and warranting a SOC investigation.

BehaviorAnalytics isn’t the only table that BlueVoyant leverages as part of this strategy. IdentityInfo is also used in place of the old-fashioned constants, whitelists and similar hard-coded exceptions. IdentityInfo and Defender trajectory logs are used to filter in customer-specific variables such as the examples below:

Trajectory logs examples
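The pattern described above, as an added KQL illustration that is not BlueVoyant’s published rule (the post shows that rule only as screenshots): the noisy form of ‘Query User Command Executed’ is built first, then intersected with BehaviorAnalytics for the three anomaly conditions listed above, and finally enriched from IdentityInfo so that tagged service and break-glass accounts are excluded without a hand-maintained whitelist. It assumes the ASIM `_Im_ProcessCreate` parser, the documented `ActivityInsights` boolean flags on BehaviorAnalytics, and IdentityInfo’s `Tags` column; the `EventSource` value, the user-name join key, the 10-minute correlation window and the tag values `ServiceAccount`/`BreakGlass` are assumptions you would adjust to your own tenant.

```kql
// Step 1: the noisy baseline. Every quser.exe launch is a result row (and an Incident).
let lookback = 1d;
let noisy =
    _Im_ProcessCreate(starttime=ago(lookback))
    | where TargetProcessName endswith @"\quser.exe" or TargetProcessName =~ "quser.exe"
    | project TimeGenerated, DvcHostname, ActorUsername, TargetProcessName, TargetProcessCommandLine;
// Step 2: the UEBA layer. BehaviorAnalytics carries per-user/per-tenant baselines as
// boolean flags inside the dynamic ActivityInsights column. Keep only activity that is
// a first for the tenant, a first for this user, or uncommon across the tenant.
let anomalous =
    BehaviorAnalytics
    | where TimeGenerated > ago(lookback)
    | where EventSource == "Windows Security Events"   // assumption: source name for 4688-derived activity
    | where tobool(ActivityInsights.FirstTimeActionPerformedInTenant) == true
         or tobool(ActivityInsights.FirstTimeUserPerformedAction) == true
         or tobool(ActivityInsights.ActionUncommonlyPerformedInTenant) == true
    | project UebaTime = TimeGenerated, UserPrincipalName, UserName, SourceDevice,
              ActivityType, ActionType, ActivityInsights, InvestigationPriority;
// Step 3: the context layer. IdentityInfo replaces constants and whitelists; take the
// latest snapshot per account so department, title and tags are current.
let identity =
    IdentityInfo
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | project AccountUPN, AccountName, Department, JobTitle, Tags, IsAccountEnabled;
noisy
| extend ActorKey = tolower(ActorUsername)                // assumption: ActorUsername and UserName share a format
| join kind=inner (anomalous | extend ActorKey = tolower(UserName)) on ActorKey
| where abs(datetime_diff("minute", TimeGenerated, UebaTime)) <= 10   // assumption: UEBA row sits near the process event
| join kind=leftouter identity on $left.UserPrincipalName == $right.AccountUPN
| where not(Tags has_any ("ServiceAccount", "BreakGlass"))  // customer-defined tags; assumed values
| extend Determination = case(
    tobool(ActivityInsights.FirstTimeActionPerformedInTenant), "First quser.exe execution in tenant",
    tobool(ActivityInsights.FirstTimeUserPerformedAction),     "First quser.exe execution by this user",
    "quser.exe uncommon across tenant")
| project TimeGenerated, DvcHostname, ActorUsername, Department, JobTitle,
          TargetProcessCommandLine, Determination, InvestigationPriority
```

Running the `noisy` branch alone reproduces the flood described above; the join with `anomalous` is what collapses it, and the `Determination` column is the “why this is unusual” that travels with the Incident. Because the correlation is on user name and a time window, check your own tenant for how UEBA renders `UserName` for domain accounts before trusting the join key.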

Conclusion

Microsoft’s UEBA is a genuine step forward for detection engineering. Where we once relied on deterministic rules and long exception lists to keep noise in check, we can now lean on behavioral baselines and peer context to answer questions that rules alone can’t, at scale and with far better signal. It doesn’t replace good detections; it makes them smarter, simpler, and more explainable. 

The value shows up in day-to-day operations: fewer false positives from routine admin activity, faster triage because alerts carry “why this is unusual,” and less maintenance overhead as environments evolve. The catch is that UEBA works only as well as your data quality and entity resolution. Strong normalization, complete telemetry, and clear treatment of service accounts and device roles are what turn behavioral analytics into dependable detections. 

If you’re getting started, a practical path is to augment, not rebuild: 

  • Begin with your noisiest, high-value rules (e.g., LOLBins, suspect remote execution, off-hours admin activity) and add UEBA signals like first/rare for user/host and peer-group deviation. 
  • Use ASIM to normalize your data so UEBA context can be applied consistently across sources. 
  • Track outcomes: precision, false-positive rate, and triage time before and after UEBA filters. 
  • Review peer groups and entity merges regularly; tag service and break-glass accounts to avoid skewed baselines. 
  • Close the loop by feeding analyst labels back into tuning and watchlists. 
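One way to do the “track outcomes” step above, as an added KQL example rather than anything from the post: it reads the SecurityIncident table, which holds one row per incident update, so it first collapses to the latest row per incident, then splits incidents for one rule into before/after a cut-over date and reports precision, false-positive rate and median triage time for each phase. The cut-over date and the rule title are constructed placeholders; the `Classification` values are the standard Sentinel ones.

```kql
// Before/after measurement for a single analytics rule.
let cutover    = datetime(2026-05-01);                  // constructed: date the UEBA-optimized rule went live
let rule_title = "Query User Command Executed";         // constructed: title used by the rule under test
SecurityIncident
| where CreatedTime > ago(90d)
| where Title == rule_title
| summarize arg_max(LastModifiedTime, *) by IncidentNumber   // one row per incident, latest state
| extend Phase = iff(CreatedTime < cutover, "before UEBA", "after UEBA")
| extend IsClosed      = Status == "Closed",
         IsTrue        = Classification == "TruePositive",
         IsBenign      = Classification in ("FalsePositive", "BenignPositive"),
         TriageMinutes = datetime_diff("minute", ClosedTime, CreatedTime)   // null while still open
| summarize Incidents       = count(),
            Closed          = countif(IsClosed),
            TruePositives   = countif(IsTrue),
            FalseOrBenign   = countif(IsBenign),
            MedianTriageMin = percentile(TriageMinutes, 50)
    by Phase
| extend Precision         = round(todouble(TruePositives) / max_of(Closed, 1), 3),
         FalsePositiveRate = round(todouble(FalseOrBenign) / max_of(Closed, 1), 3)
| project Phase, Incidents, Closed, TruePositives, FalseOrBenign,
          Precision, FalsePositiveRate, MedianTriageMin
```

Precision and false-positive rate are computed over closed incidents only, so run this once the post-cut-over incidents have had time to be classified; otherwise the “after” phase will look worse than it is.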

We’re also happy to share that, as Microsoft’s largest security partner, BlueVoyant is publishing ASIM parsers and detections in the Microsoft Sentinel Content Hub for anyone to use. 

Pull them down, try them against your own environment, and adapt the patterns to your data. UEBA isn’t magic, but paired with solid normalization and pragmatic detections, it’s a force multiplier that helps SOCs find the real outliers and ignore the rest. 
