25 User Behavior Analytics that Indicate Malicious Insider or Compromised Account

Webinar Registration

To catch malicious insiders and compromised account actors as early as possible you can't wait around for a single unambiguous smoking gun to pop up on your SIEM.

You have to actively engage in threat hunting and user behavior analytics. This is where your analytics technology looks at all available activity feeds from your SIEM and elsewhere and builds a baseline of what's “normal” for each endpoint and user. Here's a table of some of the data to consider and the individual risk indicators that should be scored individually.



1.       Logons to new or unusual systems

2.       New or unusual logon session type

3.       Unusual time of day

4.       Unusual geolocation

5.       Unlikely velocity

6.       Shared account usage

7.       Privileged account usage





Cloud apps


Wireless access points

CASB solutions

8.       Unusual program execution

9.       New program execution



10.   High volume file access

11.   Unusual file access patterns

12.   Cloud-based file sharing uploads

File servers, SharePoint, cloud-based file sharing apps

13.   New IP addresses

14.   Bad reputation addresses

15.   Unusual DNS queries

16.   Bandwidth usage

17.   Unusual or suspicious application usage

18.   Dark outbound network connections

19.   Possible command and control connections

Gateway, NIDS, Next gen firewalls

20.   Building entry and exits

Badge readers

21.   High volume printing activity

22.   Unusual time period printing

Printers and OS print queues

23.   Endpoint indicators of compromise

Endpoint security technology like Bit9+CarbonBlack

24.   Sensitive table access

Database audit logs or solutions like Imperva

25.   Compare sensitive data movement combined with other risk indicators

Data Loss Prevention

Obviously, none of these indicators are new or unique. You might already have a number of them popping up on your SIEM dashboard right now. But your analysts never have time to chase down each anomaly individually.

You need to be able to look across all these data and correlate by user and serialize the events into sessions. Then create an additive, aggregate risk score for each user. Finally, surface those users to an analyst and provide him or her with all the context, organizational, identity and tactical data you have about that user visually. Information like a user's job title, department and manager so that the analyst can instantly consider the user's behavior in context with their role in the organization. Allow the analyst to compare that user's behavior against the “normal” baseline for all users in his or her peer group.

If you can see all of the user's activity from disparate systems represented as a coherent session, it's much easier and faster to make an accurate judgement about whether the cluster of anomalies is nefarious or innocent.

In this real training for free ™ event we will dive into user behavior analytics and show you how those 25 indicators and others can be combined to accomplish this. We'll talk about what you can do on your own and with most SIEMs. I'll look at how to enrich event data with identity information from AD and HR. Exabeam is my sponsor and I'll also briefly show you Exabeam's behavior based security intelligence solution that consumes data from your SIEM and other security products and combines it with information extracted from your directory and HR systems.

Threat hunting is the applied, proactive methodology that I think we've been missing in SOC operations. And user behavior analytics is the technology that focuses on the actor and combines

  • dynamic event streams
  • static identity information
  • baselines for the individual and peer groups

Don't miss this real training for free ™ event. Please register now.

First Name:   
Last Name:   
Work Email:  
Job Title:  
Zip/Postal Code:  
Company Size:

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.



Upcoming Webinars
    Additional Resources