What Changed
Version bump to 4.1.0: five hunting queries added, one obsolete query removed. All of the new queries run against the UEBA Anomalies table and target anomaly triage and threat-pattern analysis.
Hunting Queries Added
Anomalous High-Score Activity Triage: Surfaces the highest-scoring anomalies (by UEBA anomaly score) so analysts triage the most anomalous activity first.
Anomaly Detection Trend Analysis: 90-day time series of anomaly volume, used to spot deviations from the baseline and the timing of threat campaigns.
Anomaly Template Distribution: Breakdown of anomaly counts by template, mapped to MITRE ATT&CK tactics and techniques, for detection tuning and threat-landscape review.
User-Centric Anomaly Investigation: 30-day per-user anomaly history with UEBA behavioral insights and the ATT&CK techniques involved.
Top Anomalous Source IP Triage: Source IPs that trigger multiple anomaly templates, which separates persistent sources from single-event noise; a 24-hour window narrows the list to currently active threats.
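As an added illustration (not one of the solution's shipped queries), the following KQL shows how a source-IP triage query of the kind described above can be built on the Anomalies table: it scores each external source IP by how many distinct anomaly templates it has triggered in the last 24 hours, keeps its highest anomaly score, and attaches the ATT&CK tactics seen. Column names (TimeGenerated, AnomalyTemplateName, Score, SourceIpAddress, UserPrincipalName, Tactics) are assumed to match the Sentinel Anomalies schema, Tactics is assumed to be a dynamic array, and a 0..1 Score scale with a 0.7 cut-off is an assumed tuning value; verify all three against your workspace.

```kql
// Added example, not part of the UEBA Essentials solution.
// Assumed: Anomalies table columns TimeGenerated, AnomalyTemplateName, Score (0..1),
// SourceIpAddress, UserPrincipalName, Tactics (dynamic array of strings).
let lookback = 24h;        // active-threat window, as in the shipped query's description
let minTemplates = 2;      // require hits on more than one template to cut single-event noise
let minScore = 0.7;        // assumed threshold; tune per workspace
// ATT&CK tactics per source IP, expanded from the dynamic Tactics array.
let ipTactics = Anomalies
    | where TimeGenerated > ago(lookback) and isnotempty(SourceIpAddress)
    | mv-expand Tactic = Tactics to typeof(string)
    | summarize TacticsSeen = make_set(Tactic, 10) by SourceIpAddress;
Anomalies
| where TimeGenerated > ago(lookback)
| where isnotempty(SourceIpAddress)
// External sources only; remove this line when hunting internal lateral movement.
| where not(ipv4_is_private(SourceIpAddress))
| summarize
    AnomalyCount  = count(),
    TemplateCount = dcount(AnomalyTemplateName),
    Templates     = make_set(AnomalyTemplateName, 10),
    MaxScore      = max(Score),
    AvgScore      = round(avg(Score), 2),
    Users         = make_set(UserPrincipalName, 10),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by SourceIpAddress
// Persistence filter: several templates and at least one high-scoring anomaly.
| where TemplateCount >= minTemplates and MaxScore >= minScore
| extend ActiveSpanHours = datetime_diff('hour', LastSeen, FirstSeen)
| join kind=leftouter ipTactics on SourceIpAddress
| project SourceIpAddress, TemplateCount, AnomalyCount, MaxScore, AvgScore,
          Templates, TacticsSeen, Users, FirstSeen, LastSeen, ActiveSpanHours
| order by TemplateCount desc, MaxScore desc
```

Raising minTemplates is the cheapest way to reduce noise further; lowering minScore widens the net at the cost of more low-confidence rows. The private-range filter uses ipv4_is_private(), so IPv6 sources pass through untouched.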
Detection Focus
All queries draw on the UEBA behavioral analytics data in the Anomalies table:
- Score-based prioritization for limited analyst resources
- MITRE ATT&CK technique correlation for campaign attribution
- Temporal analysis for attack pattern recognition
- Per-user behavior baselines for insider threat detection
- Source-IP frequency analysis across anomaly templates for tracking external threat actors
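The temporal-analysis and baseline points above are easiest to see with a concrete query. The KQL below is an added example in the spirit of the 90-day trend query, not the solution's own code: it bins anomalies per template per day, fits a baseline with series_decompose_anomalies(), and returns only the days whose count spikes above that template's baseline. It assumes the Anomalies table columns TimeGenerated, AnomalyTemplateName and Score, a 0..1 Score scale, and a 0.5 minimum score as a tuning value.

```kql
// Added example, not part of the UEBA Essentials solution.
// Assumed: Anomalies table columns TimeGenerated, AnomalyTemplateName, Score (0..1).
let lookback = 90d;
let binSize = 1d;
let scoreThreshold = 0.5;   // assumed; drop the Score filter to trend all anomalies
Anomalies
| where TimeGenerated > ago(lookback)
| where Score >= scoreThreshold
// One daily series per template; default = 0 fills days with no anomalies.
| make-series DailyCount = count() default = 0
    on TimeGenerated from ago(lookback) to now() step binSize
    by AnomalyTemplateName
// Decompose each series: threshold 2.0 (stricter than the 1.5 default),
// seasonality auto-detected (-1), linear trend fit.
| extend (AnomalyFlag, AnomalyScore, Baseline)
    = series_decompose_anomalies(DailyCount, 2.0, -1, 'linefit')
// Expand the parallel arrays back into one row per template per day.
| mv-expand TimeGenerated to typeof(datetime),
            DailyCount to typeof(long),
            AnomalyFlag to typeof(long),
            Baseline to typeof(double)
// Flag 1 = count well above baseline; -1 (unusual quiet) and 0 are dropped.
| where AnomalyFlag == 1
| project TimeGenerated, AnomalyTemplateName, DailyCount, Baseline = round(Baseline, 1)
| order by TimeGenerated desc, DailyCount desc
```

For the chart view the shipped trend query is described as providing, stop after the make-series step and append `| render timechart`; the spike rows returned here are the candidate campaign dates to pivot into the user-centric and source-IP queries.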
Hunting Query Removed
Removed the obsolete “Anomalous Entra High-Privilege Role Modification” query (58 lines), which targeted legacy Azure AD operations.
Affected Files
Solutions/UEBA Essentials/Hunting Queries/ (5 new, 1 removed)
(packaging artefacts: Solution_UEBA.json, mainTemplate.json, 3.0.3.zip)