User Behavior Analytics (UBA)
Overview
User behavior analytics (UBA) analyzes patterns of user activity across systems, builds a baseline of what is normal for each user or entity, and flags deviations from that baseline that may indicate a security threat.
Sample products
- Microsoft Defender For Identity
- Securonix User and Entity Behavior Analytics
- Varonis Security Analytics
Use Case Categories
Category | Description |
---|---|
Anomalous Activity Detection | This use case involves the identification of unusual patterns of behavior that deviate from established norms, potentially indicating security threats or policy violations. UBA tools analyze user and entity activities to detect anomalies in real time, enabling early identification of potential security incidents. These tools use advanced analytics and machine learning to distinguish benign anomalies from actions that could signify a security risk, such as unusual access patterns or data movement. |
Insider Threat Detection | UBA solutions are instrumental in identifying potential insider threats by monitoring and analyzing user behavior for suspicious activities. This includes detecting unauthorized access to sensitive information, abnormal data download or upload activities, and other actions that might indicate malicious intent by insiders. By establishing behavioral baselines, UBA tools can flag activities that deviate from the norm, aiding in the early detection and mitigation of insider threats. |
Privileged User Monitoring | Monitoring privileged accounts is critical because of their elevated access rights. UBA tools specifically track the activities of privileged users to ensure their actions comply with security policy and do not abuse that access. This includes monitoring for unauthorized system changes, access to sensitive data, or any operations that could compromise security. Continuous monitoring helps in preventing, detecting, and responding to misuse of privileged access. |
Account Compromise Detection | UBA systems play a crucial role in detecting signs of account compromise, such as login attempts from unusual locations, times, or devices, and other indicators of credential misuse. By analyzing behavior patterns, UBA tools can alert administrators to compromised accounts, enabling rapid response to prevent data breaches or further unauthorized access. |
Core Use Cases
Alert Name | Description |
---|---|
Unusual Access Patterns | Identifying access to systems or data at unusual times or from unusual locations |
Abnormal File Interaction | Detecting unusual file download, upload, or deletion activities |
Atypical Application Usage | Monitoring for applications being used in a manner that is not consistent with the user's role |
Anomalous Network Activity | Identifying unexpected amounts of data being transferred |
Elevated Privilege Abuse | Monitoring for the abuse of elevated privileges by authorized users |
Data Leakage Activities | Identifying actions that could result in sensitive information being exposed |
Unauthorized Data Access | Detecting access to sensitive or critical data by users who do not require it for their role |
Sabotage or Disruption Activities | Identifying activities aimed at disrupting operations or damaging assets |
Privileged Session Anomalies | Monitoring the activities of privileged users to identify any actions that deviate from established norms |
Unauthorized System Changes | Detecting unauthorized changes to critical systems or configurations by privileged users |
Excessive Access Rights | Identifying privileged users with more access rights than required |
Privileged Account Sharing | Detecting the sharing of privileged accounts among multiple users |
Password Spray Detection | Identifying attempts to access accounts using common passwords across many accounts |
Account Lockout Monitoring | Monitoring for accounts being locked out |
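The following is an added Python example, written for this page and not taken from any of the products listed above, that shows how several of the detections in the two tables fit together: per-user behavioral baselining (the "Unusual Access Patterns" alert, covering unusual login hours and new countries, as described under Anomalous Activity Detection and Account Compromise Detection), "Password Spray Detection" (one source IP failing against many distinct accounts in a short window) and "Account Lockout Monitoring". The `key=value` log line format, the sample events, the one-hour tolerance and the ten-minute / four-account spray threshold are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any real system).
# Baseline window: a week of known-good successful logins per user.
BASELINE_LOG = [
    "2024-03-04T08:55:00Z user=alice ip=10.0.0.5 country=DE result=success",
    "2024-03-04T13:10:00Z user=alice ip=10.0.0.5 country=DE result=success",
    "2024-03-05T09:02:00Z user=alice ip=10.0.0.5 country=DE result=success",
    "2024-03-05T17:40:00Z user=alice ip=10.0.0.5 country=DE result=success",
    "2024-03-04T09:30:00Z user=bob ip=10.0.0.7 country=DE result=success",
    "2024-03-05T18:05:00Z user=bob ip=10.0.0.7 country=DE result=success",
]
# Detection window: events to score against the baseline.
NEW_LOG = [
    "2024-03-11T03:12:00Z user=alice ip=10.0.0.5 country=DE result=success",
    "2024-03-11T10:05:00Z user=alice ip=198.51.100.23 country=RU result=success",
    "2024-03-11T10:20:00Z user=bob ip=10.0.0.7 country=DE result=success",
    "2024-03-11T02:00:00Z user=alice ip=203.0.113.9 country=US result=failure",
    "2024-03-11T02:01:00Z user=bob ip=203.0.113.9 country=US result=failure",
    "2024-03-11T02:02:00Z user=carol ip=203.0.113.9 country=US result=failure",
    "2024-03-11T02:03:00Z user=dave ip=203.0.113.9 country=US result=failure",
    "2024-03-11T02:04:00Z user=erin ip=203.0.113.9 country=US result=failure",
    "2024-03-11T02:05:00Z user=carol ip=203.0.113.9 country=US result=lockout",
    "2024-03-11T09:00:00Z user=bob ip=10.0.0.7 country=DE result=failure",
]


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    ip: str
    country: str
    result: str  # success | failure | lockout


def parse_event(line: str) -> AuthEvent:
    """Parse one constructed '<timestamp> key=value ...' auth log line."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return AuthEvent(ts, fields["user"], fields["ip"], fields["country"], fields["result"])


def build_baseline(events):
    """Per-user profile of login hours and countries seen in successful logins."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for e in events:
        if e.result == "success":
            baseline[e.user]["hours"].add(e.ts.hour)
            baseline[e.user]["countries"].add(e.country)
    return baseline


def _hour_distance(a: int, b: int) -> int:
    """Circular distance between two hours of the day (23 and 0 are 1 apart)."""
    return min((a - b) % 24, (b - a) % 24)


def score_event(baseline, e: AuthEvent, hour_tolerance: int = 1):
    """Return the reasons a successful login deviates from the user's baseline."""
    reasons = []
    if e.result != "success":
        return reasons
    profile = baseline.get(e.user)
    if profile is None:
        return ["no_baseline"]  # first sighting of this user: review rather than ignore
    if not any(_hour_distance(e.ts.hour, h) <= hour_tolerance for h in profile["hours"]):
        reasons.append("unusual_hour")
    if e.country not in profile["countries"]:
        reasons.append("new_country")
    return reasons


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """Flag source IPs whose failed logins hit >= min_accounts distinct users within `window`.

    A spray is few attempts per account across many accounts, so the signal is the
    number of distinct users per source in a sliding time window, not attempts per user.
    """
    failures = defaultdict(list)
    for e in events:
        if e.result == "failure":
            failures[e.ip].append(e)
    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda x: x.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            users = {x.user for x in evs[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def lockout_counts(events) -> Counter:
    """Count lockout events per account; a burst of these often follows a spray."""
    return Counter(e.user for e in events if e.result == "lockout")


def analyze(baseline_lines, new_lines):
    """Run all three detections over the constructed logs and return the findings."""
    baseline = build_baseline([parse_event(l) for l in baseline_lines])
    new_events = [parse_event(l) for l in new_lines]
    login_anomalies = {}
    for e in new_events:
        reasons = score_event(baseline, e)
        if reasons:
            login_anomalies[f"{e.user}@{e.ts.isoformat()}"] = reasons
    return {
        "login_anomalies": login_anomalies,
        "password_spray": detect_password_spray(new_events),
        "lockouts": lockout_counts(new_events),
    }


if __name__ == "__main__":
    for name, finding in analyze(BASELINE_LOG, NEW_LOG).items():
        print(name, dict(finding))
```

On the sample data the baseline flags alice's 03:12 login as an unusual hour and her login from RU as a new country, while bob's 10:20 login stays quiet; the five failures from 203.0.113.9 against five different accounts inside ten minutes are reported as a spray, whereas bob's single failure from his usual address is not; and carol's lockout is counted. Real deployments replace the fixed tolerance and thresholds with per-user statistics and tune them against the false-positive rate, but the structure (baseline, score, window) is the same.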
MITRE ATT&CK
T1078, T1485, T1204, T1043, T1537, T1583, T1492, T1098, T1110