UEBA and Anomaly Detection

Use behavior analytics and anomaly detection to identify threats without signatures.

Last updated: February 2026

Purpose and Scope

User and Entity Behavior Analytics (UEBA) detects threats by modeling what normal activity looks like for each user, host, service account and application, then flagging significant deviations from that baseline rather than matching known-bad signatures. This playbook covers implementing and operationalizing behavior-based detection, including AI-assisted approaches.

Prerequisites

  • Broad telemetry: Authentication, network, endpoint, cloud, and application logs
  • UEBA platform: Native SIEM capabilities, Exabeam, Securonix, Microsoft Sentinel, or similar
  • Historical data: 30 to 90 days of baseline data for model training, ideally from a period with no known compromise (anything an attacker did during the training window becomes part of "normal")
  • Identity correlation: Ability to link activity across data sources to specific users and entities

Detection Goals

UEBA helps detect:

  • Compromised accounts behaving differently than usual
  • Insider threats deviating from normal patterns
  • Lateral movement and privilege escalation
  • Data exfiltration through unusual access patterns
  • Attacks that evade signature-based detection

Core UEBA Concepts

Baseline Behavior

Establish what normal looks like for:

  • Users: Login times, locations, applications accessed, data volumes
  • Hosts: Processes, network connections, resource usage
  • Applications: API call patterns, user populations, data access
  • Network: Traffic volumes, protocols, destination distributions

Anomaly Detection Methods

  • Statistical: Standard deviation, percentiles, rare event detection
  • Machine learning: Clustering, isolation forests, autoencoders
  • Peer comparison: User behavior compared to similar users
  • Sequential: Detecting unusual sequences of events
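The following added example (not code from this page or from any UEBA vendor) applies the statistical and rare-event methods above to a per-user baseline, with a peer-group fallback for users who have no history of their own. The record schema (user, dept, hour, bytes_out, dest), the sample rows and the 3-sigma threshold are constructed for illustration.

```python
"""Per-user statistical baseline with z-score, rare-event and peer-group
checks over constructed session records.

Added example, not the page's or any vendor's code. The record schema
(user, dept, hour, bytes_out, dest) and the sample rows are constructed;
a real baseline would be built from 30-90 days of telemetry.
"""
from collections import defaultdict
from statistics import mean, pstdev

FEATURES = ("hour", "bytes_out")

# Constructed training-window sessions.
BASELINE_EVENTS = [
    {"user": "alice", "dept": "sales", "hour": 9,  "bytes_out": 120_000, "dest": "crm"},
    {"user": "alice", "dept": "sales", "hour": 10, "bytes_out": 95_000,  "dest": "crm"},
    {"user": "alice", "dept": "sales", "hour": 14, "bytes_out": 150_000, "dest": "wiki"},
    {"user": "alice", "dept": "sales", "hour": 16, "bytes_out": 110_000, "dest": "crm"},
    {"user": "dan",   "dept": "sales", "hour": 8,  "bytes_out": 130_000, "dest": "crm"},
    {"user": "dan",   "dept": "sales", "hour": 12, "bytes_out": 105_000, "dest": "wiki"},
    {"user": "dan",   "dept": "sales", "hour": 15, "bytes_out": 140_000, "dest": "crm"},
    {"user": "bob",   "dept": "eng",   "hour": 8,  "bytes_out": 40_000,  "dest": "git"},
    {"user": "bob",   "dept": "eng",   "hour": 11, "bytes_out": 55_000,  "dest": "git"},
    {"user": "bob",   "dept": "eng",   "hour": 13, "bytes_out": 48_000,  "dest": "ci"},
    {"user": "bob",   "dept": "eng",   "hour": 17, "bytes_out": 60_000,  "dest": "git"},
]


def _profile(rows):
    """Mean/stddev per numeric feature plus the set of destinations seen."""
    p = {"dests": {r["dest"] for r in rows}, "n": len(rows)}
    for feat in FEATURES:
        vals = [r[feat] for r in rows]
        p[feat] = (mean(vals), pstdev(vals))
    return p


def build_baseline(events):
    """Return ({user: profile}, {dept: profile}). The department profile is
    the peer group used for users who have no history of their own."""
    by_user, by_dept = defaultdict(list), defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
        by_dept[e["dept"]].append(e)
    return ({u: _profile(r) for u, r in by_user.items()},
            {d: _profile(r) for d, r in by_dept.items()})


def zscore(value, mu, sigma):
    # A constant feature (sigma == 0) would make any change infinitely
    # unusual; cap it so one flat feature cannot dominate the verdict.
    if sigma == 0:
        return 0.0 if value == mu else 6.0
    return (value - mu) / sigma


def score_event(baseline, event, z_threshold=3.0):
    """Return anomaly tags for one new event. A user with no baseline of
    their own (cold start) is scored against their department peers."""
    users, depts = baseline
    profile, scope = users.get(event["user"]), "user"
    if profile is None:
        profile, scope = depts.get(event["dept"]), "peer"
    if profile is None:
        return ["no_baseline"]
    tags = []
    for feat in FEATURES:
        z = zscore(event[feat], *profile[feat])
        if abs(z) >= z_threshold:
            tags.append(f"{scope}:{feat}_z={z:.1f}")
    if event["dest"] not in profile["dests"]:
        tags.append(f"{scope}:rare_dest={event['dest']}")
    return tags


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    print(score_event(base, {"user": "alice", "dept": "sales", "hour": 3,
                             "bytes_out": 2_000_000, "dest": "fileshare"}))
```

A 3 a.m. session pushing two megabytes to a never-seen destination produces three independent tags for alice; the same record for a brand-new sales hire is scored against the sales peer profile instead of being dropped for lack of history.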

Risk Scoring

Aggregate anomalies into actionable scores:

  • Individual anomalies increase entity risk score
  • Scores decay over time without new anomalies
  • High risk entities are surfaced for investigation
  • Combine with threat intelligence for context
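An added example of the risk-scoring logic above (not the page's or a vendor's implementation): each anomaly contributes a weight, contributions decay with a half-life, and entities at or above an investigation threshold are surfaced with a per-anomaly breakdown. The anomaly labels and weights, the 7-day half-life, the threshold and the sample feed are constructed.

```python
"""Entity risk scoring: weighted anomalies, half-life decay, triage list.

Added example, not vendor code. The anomaly labels and weights, the
7-day half-life, the investigation threshold and the sample feed are
constructed.
"""
from collections import defaultdict

HOUR = 3600.0
DAY = 24 * HOUR

# Constructed weights: how much each anomaly type adds to an entity's score.
WEIGHTS = {
    "new_country_login": 30,
    "off_hours": 10,
    "rare_destination": 15,
    "bulk_download": 40,
    "threat_intel_match": 50,   # TI corroboration outweighs a single behavioural oddity
}


class RiskTracker:
    def __init__(self, half_life=7 * DAY):
        self.half_life = half_life
        self._events = defaultdict(list)   # entity -> [(ts, weight, label)]

    def add_anomaly(self, entity, label, ts):
        self._events[entity].append((ts, WEIGHTS[label], label))

    def _decayed(self, weight, ts, now):
        """Each contribution halves for every half-life elapsed, so an entity
        that goes quiet drifts back toward zero instead of staying hot."""
        age = max(0.0, now - ts)
        return weight * 0.5 ** (age / self.half_life)

    def score(self, entity, now):
        return sum(self._decayed(w, ts, now) for ts, w, _ in self._events.get(entity, []))

    def contributions(self, entity, now):
        """Per-anomaly breakdown, largest first, so the analyst can see why."""
        rows = [(label, round(self._decayed(w, ts, now), 1))
                for ts, w, label in self._events.get(entity, [])]
        return sorted(rows, key=lambda r: -r[1])

    def triage(self, now, threshold=50.0):
        """Entities at or above the investigation threshold, highest first."""
        ranked = [(e, self.score(e, now)) for e in self._events]
        return sorted([r for r in ranked if r[1] >= threshold], key=lambda r: -r[1])


def demo():
    """Constructed feed: alice has three mild anomalies clustered this morning;
    bob had one bulk download two weeks ago that has mostly decayed away."""
    t0 = 0.0
    rt = RiskTracker()
    rt.add_anomaly("alice", "new_country_login", t0)
    rt.add_anomaly("alice", "off_hours", t0 + HOUR)
    rt.add_anomaly("alice", "rare_destination", t0 + 2 * HOUR)
    rt.add_anomaly("bob", "bulk_download", t0 - 14 * DAY)
    return rt, t0 + 3 * HOUR


if __name__ == "__main__":
    tracker, now = demo()
    for entity, s in tracker.triage(now):
        print(entity, round(s, 1), tracker.contributions(entity, now))
```

Three individually unremarkable anomalies (30 + 10 + 15) stacked within three hours push alice over the 50-point line, while bob's far heavier single event has decayed to under a quarter of its weight after two half-lives and does not surface.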

Common UEBA Use Cases

Compromised Account Detection

Indicators that an account may be compromised:

  • Login from new location or device
  • Impossible travel between locations
  • Activity outside normal working hours
  • Access to resources never accessed before
  • A burst of authentication failures followed by a success (a password spray or brute-force attempt that landed)
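Three of the indicators above, as an added example of detection logic run over constructed authentication log lines (not vendor code): impossible travel between consecutive successful logins, first-seen country or device, and a burst of failures followed by a success. The log layout, the known-location history, the 900 km/h travel limit and the burst thresholds are assumptions.

```python
"""Compromised-account heuristics over authentication logs.

Added example, not vendor code. The log layout, the known-location
history, the 900 km/h travel limit and the failure-burst thresholds are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed auth log: time, user, result, country, device, latitude, longitude
AUTH_LOG = """\
2026-02-03T08:02:11Z alice success DE dev-a1 52.52 13.40
2026-02-03T12:30:44Z alice success DE dev-a1 52.52 13.40
2026-02-03T13:05:02Z alice success SG dev-zz 1.35 103.82
2026-02-03T22:10:00Z bob fail US dev-b7 37.77 -122.42
2026-02-03T22:10:03Z bob fail US dev-b7 37.77 -122.42
2026-02-03T22:10:05Z bob fail US dev-b7 37.77 -122.42
2026-02-03T22:10:06Z bob fail US dev-b7 37.77 -122.42
2026-02-03T22:10:08Z bob fail US dev-b7 37.77 -122.42
2026-02-03T22:10:09Z bob success US dev-b7 37.77 -122.42
"""

# Constructed history of countries and devices each user has authenticated from.
KNOWN = {"alice": {"countries": {"DE"}, "devices": {"dev-a1"}},
         "bob": {"countries": {"US"}, "devices": {"dev-b7"}}}


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, user, result, country, device, lat, lon = line.split()
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
                     "result": result, "country": country, "device": device,
                     "lat": float(lat), "lon": float(lon)})
    return rows


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def detect(rows, max_speed_kmh=900.0, fail_burst=5, burst_window=timedelta(minutes=5)):
    """Return (user, tag, timestamp) findings over the log in time order."""
    findings = []
    last_success = {}              # user -> most recent successful login
    failures = defaultdict(list)   # user -> failure timestamps since last success
    for r in sorted(rows, key=lambda x: x["ts"]):
        u = r["user"]
        if r["result"] != "success":
            failures[u].append(r["ts"])
            continue
        known = KNOWN.get(u, {"countries": set(), "devices": set()})
        if r["country"] not in known["countries"]:
            findings.append((u, f"new_country={r['country']}", r["ts"]))
        if r["device"] not in known["devices"]:
            findings.append((u, f"new_device={r['device']}", r["ts"]))
        # Impossible travel: implied speed between consecutive successes.
        # The 100 km floor ignores geolocation jitter within one metro area.
        prev = last_success.get(u)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], r["lat"], r["lon"])
            hours = (r["ts"] - prev["ts"]).total_seconds() / 3600
            if km > 100 and (hours == 0 or km / hours > max_speed_kmh):
                findings.append((u, f"impossible_travel={km:.0f}km/{hours:.2f}h", r["ts"]))
        last_success[u] = r
        # Many failures immediately followed by a success reads as a spray or
        # brute force that landed, not as a mistyped password.
        burst = [t for t in failures[u] if r["ts"] - t <= burst_window]
        if len(burst) >= fail_burst:
            findings.append((u, f"fail_then_success={len(burst)}", r["ts"]))
        failures[u].clear()
    return findings


if __name__ == "__main__":
    for user, tag, ts in detect(parse(AUTH_LOG)):
        print(ts.isoformat(), user, tag)
```

alice's Berlin-to-Singapore hop in 35 minutes yields roughly 9,900 km at well over 17,000 km/h and also trips the new-country and new-device checks; bob's five failures in nine seconds followed by a success trips only the burst check, because his country and device are already known.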

Insider Threat Detection

Behavioral indicators of malicious insiders:

  • Accessing data outside job function
  • Bulk data downloads or exports
  • Activity spikes before resignation or termination
  • Circumventing security controls
  • Use of personal cloud storage or email

Lateral Movement

  • Account accessing systems it never accessed before
  • Service accounts used interactively
  • Workstation to workstation authentication
  • Rapid succession of authentications to multiple systems
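The lateral-movement indicators above, as an added example over constructed Windows-style logon records (not vendor code): authentication fan-out to many hosts in a short window, a service account logging on interactively, and workstation-to-workstation logons. The record layout, the svc_ and WS- naming conventions and the thresholds are assumptions; the logon types are the standard Windows values (2 interactive, 3 network, 5 service, 10 RemoteInteractive).

```python
"""Lateral-movement heuristics over Windows-style logon records.

Added example, not vendor code. The record layout, host naming (WS-
workstations, svc_ service accounts), sample events and thresholds are
constructed. Logon types follow the standard Windows values:
2 interactive, 3 network, 5 service, 10 RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624-style events: time, account, source host, target host, logon type
LOGONS = """\
2026-02-03T09:00:00Z jdoe WS-101 FS-01 3
2026-02-03T09:03:00Z jdoe WS-101 WS-117 3
2026-02-03T09:03:40Z jdoe WS-101 WS-222 3
2026-02-03T09:04:10Z jdoe WS-101 WS-305 3
2026-02-03T09:04:50Z jdoe WS-101 SQL-02 3
2026-02-03T09:05:30Z jdoe WS-101 DC-01 3
2026-02-03T10:15:00Z svc_backup WS-117 WS-117 10
2026-02-03T10:20:00Z svc_backup BK-01 FS-01 5
2026-02-03T11:00:00Z mlee WS-205 FS-01 3
"""

SERVICE_ACCOUNT_PREFIX = "svc_"   # assumed naming convention
WORKSTATION_PREFIX = "WS-"        # assumed naming convention
INTERACTIVE_TYPES = {2, 10}       # console and RDP logons


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, account, source, target, ltype = line.split()
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "account": account, "source": source,
                     "target": target, "logon_type": int(ltype)})
    return rows


def detect(events, fanout_threshold=5, window=timedelta(minutes=10)):
    """Return (account, finding) pairs."""
    findings = []
    recent = defaultdict(list)   # account -> logons inside the sliding window
    for e in sorted(events, key=lambda x: x["ts"]):
        acct, src, dst = e["account"], e["source"], e["target"]
        # Service accounts should never log on at a console or over RDP.
        if acct.startswith(SERVICE_ACCOUNT_PREFIX) and e["logon_type"] in INTERACTIVE_TYPES:
            findings.append((acct, f"service_account_interactive type={e['logon_type']} target={dst}"))
        # Peer-to-peer workstation logons are rare in most environments.
        if src.startswith(WORKSTATION_PREFIX) and dst.startswith(WORKSTATION_PREFIX) and src != dst:
            findings.append((acct, f"ws_to_ws {src}->{dst}"))
        # Fan-out: one account reaching many distinct hosts within the window.
        hist = recent[acct]
        hist.append(e)
        hist[:] = [h for h in hist if e["ts"] - h["ts"] <= window]
        targets = {h["target"] for h in hist}
        if len(targets) >= fanout_threshold:
            minutes = int(window.total_seconds() // 60)
            findings.append((acct, f"fanout {len(targets)} hosts in {minutes}m"))
            hist.clear()   # report once per burst
    return findings


if __name__ == "__main__":
    for account, finding in detect(parse(LOGONS)):
        print(account, finding)
```

jdoe touches six hosts in under six minutes (one fan-out finding, emitted once the fifth distinct host is reached, plus three workstation-to-workstation findings); svc_backup's type 10 logon to WS-117 is flagged while its type 5 service logon to the file server is not; mlee's single file-server logon produces nothing.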

AI Assisted Detection

Machine Learning Models

Common ML approaches in UEBA:

  • Unsupervised learning: Cluster analysis to group similar behavior and identify outliers
  • Supervised learning: Train on labeled incidents to classify new activity
  • Deep learning: Autoencoders to detect anomalies in complex patterns
  • NLP: Analyze command lines, email content, chat messages

Model Considerations

  • Models require sufficient training data
  • Concept drift: legitimate behavior changes over time (new roles, new tools, reorganizations), so models need periodic retraining
  • Adversarial evasion: attackers who know a baseline is learned can introduce malicious activity gradually so the model absorbs it as normal (baseline poisoning); keep a frozen reference baseline alongside the live one and treat sustained drift as a signal in its own right
  • Explainability: analysts need to understand why something is anomalous
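The adversarial-evasion and concept-drift points above, and the slow-attack limitation discussed later in this playbook, as an added example (not vendor code): two constructed adversaries, one that walks a self-updating baseline upward a little each day and one that holds a constant elevated volume just under the alarm line, are run against three detectors. The 30-day training series, the adversary series and every threshold are constructed; the CUSUM detector is a standard technique, not something the page prescribes.

```python
"""Slow-attack evasion against behaviour baselines, and two counters.

Added example, not vendor code. The 30-day training series, the two
adversary series and all thresholds are constructed for illustration.

Detectors:
  rolling_z   - point z-score against a baseline that absorbs every new
                observation (the naive self-updating model)
  anchored_z  - point z-score against the baseline frozen at training time
  cusum       - cumulative sum of standardised excess over the frozen
                baseline; accumulates small but persistent shifts
"""
from statistics import mean, pstdev

# Constructed: 30 days of ~100 MB/day egress with small jitter.
TRAIN = [100, 98, 103, 101, 97, 102, 99, 100, 104, 96, 101, 100, 98, 102, 99,
         101, 100, 97, 103, 99, 100, 102, 98, 101, 100, 99, 103, 97, 100, 101]
MU0, SIGMA0 = mean(TRAIN), pstdev(TRAIN)


def walk_the_baseline(train, days, target_z=2.5):
    """Adversary 1 (constructed): each day send the volume sitting target_z
    standard deviations above the *current* self-updating baseline, just
    under a 3-sigma alarm, then let the model absorb it."""
    history, out = list(train), []
    for _ in range(days):
        x = mean(history) + target_z * pstdev(history)
        out.append(x)
        history.append(x)
    return out


def stay_under_threshold(days, z=2.0):
    """Adversary 2 (constructed): a constant elevated volume that is never
    individually unusual enough to alarm."""
    return [MU0 + z * SIGMA0] * days


def rolling_z(series, z_threshold=3.0):
    history, flagged = list(TRAIN), []
    for day, x in enumerate(series):
        mu, sigma = mean(history), pstdev(history)
        if abs(x - mu) >= z_threshold * sigma:
            flagged.append(day)
        history.append(x)   # naive: every observation becomes "normal"
    return flagged


def anchored_z(series, z_threshold=3.0):
    return [d for d, x in enumerate(series) if abs(x - MU0) >= z_threshold * SIGMA0]


def cusum(series, k=0.5, h=5.0):
    """One-sided CUSUM on standardised values: S_t = max(0, S_{t-1} + z_t - k).
    k is the allowance below which evidence is discarded, h the alarm level.
    Returns the first alarm day or None."""
    s = 0.0
    for day, x in enumerate(series):
        s = max(0.0, s + (x - MU0) / SIGMA0 - k)
        if s > h:
            return day
    return None


def compare(days=30):
    results = {}
    for name, series in (("walk_the_baseline", walk_the_baseline(TRAIN, days)),
                         ("stay_under_threshold", stay_under_threshold(days))):
        results[name] = {
            "final_volume": round(series[-1], 1),
            "rolling_z_first_alarm": (rolling_z(series) or [None])[0],
            "anchored_z_first_alarm": (anchored_z(series) or [None])[0],
            "cusum_first_alarm": cusum(series),
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(name, r)
```

Against the first adversary the self-updating z-score never fires while daily volume climbs past 120 MB, roughly a third above the original mean, whereas both detectors pinned to the frozen baseline alarm on the third day. Against the second adversary neither point detector ever fires, but CUSUM accumulates the steady 2-sigma excess and alarms on the fourth day. The practical lesson is the one the list above makes: do not let unreviewed observations retrain the baseline, and compare against a fixed reference over long windows as well as per event.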

Integrating AI Tools

Modern SIEM and security platforms increasingly include AI capabilities:

  • Use AI to triage and prioritize alerts
  • Automated enrichment and context gathering
  • Natural language interfaces for querying
  • Automated response recommendations

Operationalizing UEBA

Tuning Thresholds

  • Start with higher thresholds to reduce noise
  • Lower thresholds as you gain confidence
  • Use different thresholds for different user populations
  • Account for seasonal and business cycle variations

Investigation Workflow

  1. Review high risk score entities daily
  2. Examine the specific anomalies contributing to the score
  3. Gather context: recent tickets, travel, role changes
  4. Correlate with other security alerts and events
  5. Determine if anomaly is benign or requires action
  6. Document findings to improve future detection

Feedback Loop

  • Mark false positives to improve model accuracy
  • Confirm true positives to validate detection
  • Adjust baselines when legitimate behavior changes
  • Incorporate analyst expertise into model tuning

Challenges and Limitations

  • Data quality: Incomplete or inconsistent logs degrade detection
  • Identity resolution: Difficulty linking activity to specific users
  • Noise: Too many low-fidelity anomalies overwhelm analysts
  • Slow attacks: Gradual changes may never cross a per-event threshold; cumulative or long-window comparisons against a fixed reference are needed to catch them
  • Novel users: New employees lack a baseline of their own; compare them against their peer group until one exists

Response Actions

  • Contact user to verify unusual activity
  • Require step-up authentication for risky actions
  • Temporarily restrict access pending investigation
  • Reset credentials if compromise is suspected
  • Escalate confirmed incidents to IR team


Built by RedPhish LLC. All Rights Reserved. Copyright 2025.

Compare

Guardio AlternativeMalwarebytes AlternativeNorton AlternativeAvast AlternativeBitdefender Alternative