UEBA/BehaviourAnalytics - No table is being created #8883

Closed
Kaloszer opened this issue Aug 25, 2023 · 48 comments
@Kaloszer

Kaloszer commented Aug 25, 2023

Describe the bug
Once EntityAnalytics/UEBA are enabled they do not generate a table in the log analytics workspace. This causes analytic rules which depend on BehaviourAnalytics table existing to fail.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new sentinel workspace
  2. Enable EntityAnalytics/UEBA using a managed identity and Azure CLI with Security Administrator AAD permission on the tenant, Sentinel Contributor/Log Analytics Contributor on rg
     az sentinel setting create --name EntityAnalytics --entity-analytics "{entity-providers:['AzureActiveDirectory']}" --resource-group rgname --workspace-name laname
     az sentinel setting create --name Ueba --ueba "{data-sources:['AuditLogs','AzureActivity','SecurityEvent','SigninLogs']}" --resource-group rgname --workspace-name laname
  3. UEBA gets enabled
     [screenshot]
  4. No table is being created, even with constant az sentinel setting update --ueba (...)
     [screenshot]

Expected behavior
At least an empty table with columns is created which allows Analytic Rules to be deployed. Or a state that is not 'ready' should be displayed.

Notes

This might be an environment issue as even when enabling said setting manually no table is being generated. Albeit in my opinion this should still generate an empty table, validating that the process of enabling it had taken place and was successful. These sort of 'enabled but not available' causes issues for MSSPs who want to have this 'as code'. Without having to rely on a lot of scripting to parse available tables and comparing them to what ARs need.

Edit:
BehaviorAnalytics has shown up after having disabled/enabled the settings manually over a period of a day. Not sure if this would be the case if I left it enabled using code. This is unfortunately not viable for automation, this needs to exist 'as soon as it's ready'. Not at random intervals, and definitely not a day after enabling the feature.
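The check the reporter says MSSPs end up scripting (work out which tables the analytic rules query, compare them with the tables the workspace actually has, and keep polling after UEBA is enabled until BehaviorAnalytics exists) as an added example; it is not code from this issue, from Kaloszer, or from Microsoft. The rule templates and the fake workspace below are constructed; the `az monitor log-analytics workspace table list` call in `fetch_tables_via_az` is an assumption about the CLI and is never executed here; `tables_in_query` is a deliberate heuristic, not a KQL parser.

```python
import json
import re
import subprocess
import time
from typing import Callable, Iterable

# Constructed sample analytic-rule templates (not real Sentinel content), trimmed
# to the one property this check cares about: the KQL query.
RULE_TEMPLATES = [
    {"name": "ueba-first-time-country",
     "properties": {"query": "BehaviorAnalytics\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == true"}},
    {"name": "recent-signin-and-audit",
     "properties": {"query": "union SigninLogs, AuditLogs\n| where TimeGenerated > ago(1h)"}},
]

IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
FIRST_TOKEN = re.compile(rf"^\s*({IDENT})")
UNION_OPERANDS = re.compile(r"^\s*union\s+(.+?)(?=\s*\||\s*$)", re.IGNORECASE | re.DOTALL)
NOT_TABLES = {"let", "print", "search", "range", "datatable"}


def tables_in_query(query: str) -> set[str]:
    """Heuristic table extraction (an assumption, not a real KQL parser): the table
    is the first identifier of the query, or each comma-separated operand of a
    leading `union`. Queries that start with `let` or another non-table operator
    are skipped rather than guessed at, so they never block a deployment."""
    m = UNION_OPERANDS.match(query)
    if m:
        return {part.strip() for part in m.group(1).split(",") if part.strip()}
    m = FIRST_TOKEN.match(query)
    if m is None or m.group(1).lower() in NOT_TABLES:
        return set()
    return {m.group(1)}


def required_tables(rules: Iterable[dict]) -> set[str]:
    """Union of the tables referenced by every rule template."""
    needed: set[str] = set()
    for rule in rules:
        needed |= tables_in_query(rule["properties"]["query"])
    return needed


def missing_tables(required: Iterable[str], available: Iterable[str]) -> list[str]:
    """Tables the rules need that the workspace does not (yet) have, sorted."""
    return sorted(set(required) - set(available))


def wait_for_tables(required, fetch_available, timeout_s=1800, interval_s=60,
                    sleep=time.sleep, clock=time.monotonic) -> list[str]:
    """Poll until every required table exists or the timeout passes. Returns the
    tables still missing; an empty list means the rules can be deployed."""
    deadline = clock() + timeout_s
    while True:
        missing = missing_tables(required, fetch_available())
        if not missing or clock() >= deadline:
            return missing
        sleep(interval_s)


def fetch_tables_via_az(resource_group: str, workspace_name: str) -> set[str]:
    """Real-world fetch (assumption: this az command and its flags exist; it is
    not exercised offline). Returns the names of the workspace's tables."""
    out = subprocess.run(
        ["az", "monitor", "log-analytics", "workspace", "table", "list",
         "--resource-group", resource_group, "--workspace-name", workspace_name,
         "--query", "[].name", "-o", "json"],
        capture_output=True, text=True, check=True).stdout
    return set(json.loads(out))


def make_fake_workspace(appear_after: int) -> Callable[[], set[str]]:
    """Constructed stand-in for the workspace: BehaviorAnalytics shows up only
    after `appear_after` polls, mirroring the delayed creation in the issue."""
    polls = 0

    def fetch() -> set[str]:
        nonlocal polls
        polls += 1
        tables = {"SigninLogs", "AuditLogs", "AzureActivity", "SecurityEvent"}
        if polls > appear_after:
            tables.add("BehaviorAnalytics")
        return tables
    return fetch


def counting_clock() -> Callable[[], int]:
    """Fake monotonic clock for offline runs: each call is one tick later (0, 1, 2, ...)."""
    ticks = -1

    def now() -> int:
        nonlocal ticks
        ticks += 1
        return ticks
    return now


if __name__ == "__main__":
    need = required_tables(RULE_TEMPLATES)
    print("rules need:", sorted(need))
    print("still missing after timeout:",
          wait_for_tables(need, make_fake_workspace(99), 3, 1, lambda _: None, counting_clock()))
    print("missing once the table appears:",
          wait_for_tables(need, make_fake_workspace(2), 10, 1, lambda _: None, counting_clock()))
```

In a pipeline the call would be `wait_for_tables(required_tables(templates), lambda: fetch_tables_via_az(rg, ws))` placed between the `az sentinel setting create` step and the analytic-rule deployment, failing the run with the list of missing tables instead of letting the rule deployment error out.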

@github-actions
Contributor

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

@v-sudkharat
Contributor

Hi @Kaloszer, thanks for flagging this issue, we will soon get back to you on this. Thanks!

@v-sudkharat
Contributor

Hello @Kaloszer, we are connecting with our concerned team for this issue, once we get any information on this, we will update you. Thanks!

@Kaloszer
Author

Kaloszer commented Sep 1, 2023

@v-sudkharat any update?

@v-sudkharat
Contributor

Hello @Kaloszer, waiting for a reply from the concerned team. We will update you once we get any information on this. Thanks

@Kaloszer
Author

Kaloszer commented Sep 4, 2023

@v-sudkharat any update?

Had this setting on over the weekend on a dev LA workspace, through CLI, no table had been created during that time...

@v-sudkharat
Contributor

Hi @Kaloszer, we connected with concerned "UEBA" team for this issue, and they are looking into this. Once we get any further information, we will update you. Thanks!

@Kaloszer
Author

Kaloszer commented Sep 6, 2023

@v-sudkharat
Any update?

@v-sudkharat
Contributor

Hello @Kaloszer, we are following up with the concerned team for this issue and will update you ASAP. Thanks

@v-sudkharat
Contributor

Hi @Kaloszer, could you please let us know if you are able to access the ICM link provided in previous comment? Thanks

@Kaloszer
Author

Kaloszer commented Sep 12, 2023

Hey @v-sudkharat,

Unfortunately no, I can't -

sebastian.wiszowaty@softwareone.com
You don't have access to this
Your sign-in was successful but you don't have permission to access this resource.

Error Code: 53003
Request Id: 2dfdb61c-e999-4499-abef-caef35872700
Correlation Id: 30f28b0e-07c3-465d-4f16-00800100009f
Timestamp: 2023-09-12T07:53:23.054Z
App name: msft-sts-adfs
App id: da2b6bc5-3ea6-4315-b8c4-8750b5dcf03d
IP address: 159.205.191.114
Device identifier: eb7e3397-208c-440f-95ab-ccc5e2296578
Device platform: Windows 10
Device state: Registered

PS. doesn't work with my GH email account either

@v-sudkharat
Contributor

Hi @Kaloszer,
Apologies for the inconvenience and delay. Can you please raise a support case for this issue, so that the support team can connect for any additional details required and help you resolve it?
Please confirm to us once you raise a support case so that we can close this issue on GitHub.
Thanks!

@v-sudkharat
Contributor

Hello @Kaloszer,
Based on the previous comment, could you please let us know if you have raised a support case for this issue, so we can close this issue on GitHub?
Thanks!

@Kaloszer
Author

Kaloszer commented Sep 19, 2023

@v-sudkharat as mentioned, I do not have paid support available on my dev subscription so I'm unable to raise a support case
[screenshot]

PS: raised a community support case
https://learn.microsoft.com/en-us/answers/questions/1372576/microsoft-sentinel-ueba-connector-not-feeding-data

Also, as this is not working why would this issue be closed in GitHub, there hasn't been any feedback if this is expected behavior, nor does it look like it. If it smells and looks like a bug I'd leave it open until any sort of feedback is given.

@v-sudkharat
Contributor

Hello @Kaloszer, we can see there is a response on the community support case, could you please have a look at that - https://learn.microsoft.com/en-us/answers/questions/1372576/microsoft-sentinel-ueba-connector-not-feeding-data

@Kaloszer
Author

Yes I've sent an email but haven't received any feedback yet.

@v-sudkharat
Contributor

Hi @Kaloszer, just want to know, have you sent the Subscription ID in the mail? If not, kindly send the details in the same mail.
[screenshot]

@v-sudkharat
Contributor

Hi @Kaloszer, could you please have a look at the above comment. Thanks!

@Kaloszer
Author

As I mentioned I have already sent an email last week with the needed information and a followup with the sub id and have received no feedback yet. Just to note - the information about the sub id is already included in the created issue, so by reading the request that could be decoded from the resource id.

@v-sudkharat
Contributor

Hi @Kaloszer,
thank you for clarifying, we shared this information with the concerned team.

@Kaloszer
Author

Kaloszer commented Oct 2, 2023

Got feedback but it's not really a good solution for CI/CD

unboard UEBA and then onboard,
if you already tried that and it didn't work - You can manually create the table
Tables - Create Or Update - REST API (Azure Log Analytics) | Microsoft Learn

We can't rely on manually having to enable this for each customer. My re:

When we re-onboard UEBA using GUI it eventually pops up, but that's not something we can accept as our process is using CI/CD with IaC and we can't really rely on having to fix this issue manually every time we onboard customers.
That's why the issue was raised in the first place.
In the GH issue there are replication steps, you should be able to replicate this issue yourself as well.

@v-sudkharat
Contributor

Hi @Kaloszer, thanks for sharing the update with us.

@v-sudkharat
Contributor

Hi @Kaloszer, hope you are doing well. Could you please let us know if your issue is resolved, so we can close this issue on GitHub? Thanks!

@Kaloszer
Author

Kaloszer commented Oct 9, 2023

Hey @v-sudkharat, no it is still in progress. Have not received any feedback that would define what the issue is and how/when it would be resolved.

@v-sudkharat
Contributor

Hi @Kaloszer, thank you for your response. We received an update from the concerned team; they are working on this issue. Once we get any further information, we will update you. Thanks!

@v-sudkharat
Contributor

Hi @Kaloszer, we received a response from our concerned team. Our team is working on this issue, and they will share feedback with you. Thanks!

@Kaloszer
Author

Got a response on e-mail as well:

[screenshot]

@v-sudkharat
Contributor

Hi @Kaloszer, we appreciate your understanding and cooperation and thank you for sharing the response with us. We are also following up with the concerned team about this issue, and we will update you. Thanks!

@Kaloszer
Author

Kaloszer commented Nov 5, 2023

Hey @v-sudkharat, any news?

@v-sudkharat
Contributor

Hi @Kaloszer, yes, we received an update from the concerned team: the UEBA team is working on this issue. Once we get any further information from the team, we will share it with you.
Thanks!

@Kaloszer
Author

Kaloszer commented Nov 10, 2023

Hey @v-sudkharat, I'm sorry to be bumping this so frequently but this is really a big concern for us. This is one of the primary blockers for our service to go live. Is there any sort of ETA for a fix or a workaround (other than the manual turn on/turn off in portal)?

@v-sudkharat
Contributor

Hi @Kaloszer, Apologies for the inconvenience. We have reached out to the concerned team, but the respective UEBA team is still working on this issue. Currently, we do not have an ETA for this. However, if we receive any further information or ETA about this issue from the team, we will share it with you.
Thanks!

@Kaloszer
Author

Hey, got an update on email saying that a fix would be available by end of the month :)
[screenshot]

@v-muuppugund
Contributor

Hi @Kaloszer, will post you updates once the fix is available and during the process. Thanks

@v-sudkharat
Contributor

Hi @Kaloszer, hope this message finds you well. The bug has been fixed by the concerned team, and it may take 1-2 weeks to deploy to all regions. Could you please check from your end whether this issue has been resolved, and let us know?
Thanks!

@Kaloszer
Author

Kaloszer commented Dec 8, 2023

@v-sudkharat do you know whether the fix had been deployed to either westeurope/northeurope regions?

I won't be able to test after Friday next week till eom.

@v-sudkharat
Contributor

Hi @Kaloszer, currently we don't have that information with us, but we will check with our concerned team and let you know. Meanwhile, it would be great if you could test it and share the response with us. Thanks!

@v-sudkharat
Contributor

Hi @Kaloszer, we are waiting for your response. Could you please test it and let us know whether your issue has been resolved?
Thanks!

@Kaloszer
Author

@v-sudkharat

UEBA - update test

Initial state:

[screenshot]

[screenshot]

Update entity/ueba with

az sentinel setting update --name Ueba --ueba "{data-sources:['AuditLogs','AzureActivity','SecurityEvent','SigninLogs']}" --resource-group rgname --workspace-name wkname --etag $uebaEtag

az sentinel setting update --name EntityAnalytics --entity-analytics "{entity-providers:['AzureActiveDirectory']}" --resource-group rgname --workspace-name wkname --etag $entityAnalyticsEtag

[screenshot]

Wait for 15 minutes

Result:

[screenshot]

Nothing seems to have changed; the update does not create the BehaviorAnalytics table in the westeurope region

@v-sudkharat
Contributor

Hi @Kaloszer, thanks for your response. As per the concerned team's update, the fix will deploy in maybe 1-2 weeks to all regions.
Thanks!

v-sudkharat assigned v-muuppugund and unassigned v-rbajaj Dec 13, 2023
@Kaloszer
Author

Hey @v-sudkharat - after checking this morning it seems to have showed up. Not sure what the timeframe is.

So it seems whatever was changed, worked?

@v-sudkharat
Contributor

Hi @Kaloszer, thanks for your response. Could you please let us know if your issue has been resolved, so we can close it on GitHub?
Thanks!

@Kaloszer
Author

@v-sudkharat

I think it's fixed, if it is still occurring I will re-open - but let's not keep this open as it seems to have worked for an existing env :)

@v-sudkharat
Contributor

Hi @Kaloszer, thank you for your confirmation. Closing this issue. If you still need support for this issue, feel free to re-open it any time. Thank you for your co-operation.

5 participants