
 

DATASHEET-20181102 COPYRIGHT © 2018 NETMONASTERY NSPL. All rights reserved. 

Five Essential UEBA Use Cases 


Five fundamental use cases to give your UEBA solution a 
jump-start 
 

   

 
 
 

Table of Contents 
1. Detecting abnormal user behaviour 4 

i) Unusual login attempts 4 

ii) Unusual login failure attempts 5 

2. Detecting brute force attack 6 

3. Detecting dormant account activity 7 

4. Suspicious User account activities 8 

i) User Account Created 8 

ii) User Account Deleted 9 

iii) User Account Password Reset 9 

iv) Audit Policy Changed 10 

5. Monitor removable media 11 


 

   

 

 
 

We seem to be hearing a lot about threats originating from inside the perimeter 
these days rather than outside. 

Cybersecurity defences and budgets used to be predominantly focused on 
securing the perimeter and keeping intruders out. But in recent times the 
notion of a perimeter surrounding an organisation's IT estate and data has 
become less useful. Increasingly, attacks originate from within the 
organisation, from employees or from intruders using employees' credentials. 
In fact, user accounts have become critical attack vectors for cyber criminals 
intent on data theft or damaging systems. 

UEBA technology gathers large amounts of data on user activity and behaviour 
from various data sources. The system then learns the behaviour of users and 
entities (devices, servers and other endpoints) by applying scenario-based 
algorithms that use machine learning, statistical analysis, peer group analytics 
and other techniques. 

Once the system has established a baseline of what 'normal' user or entity 
behaviour looks like, it can detect and report anomalies and unusual activities 
far quicker than manual checks. 

UEBA focuses on insider threat and user behaviour rather than on tracking 
events and monitoring devices. It tracks users and entities that already have 
access to the system and that could therefore carry out targeted attacks to 
compromise the system as a whole. 

It is a technology that has recently been gaining recognition and importance. 
So here are a few use cases to get you started on securing your business from 
the inside out. 

 

 
 

1. Detecting abnormal user behaviour 


Suspicious behavior could be any number of things that are not necessarily 
serious on their own, but when seen together form a pattern indicating a 
potential threat. It is not easy to predict every step a possible attacker may 
take. It is more helpful to understand what normal behavior is and treat 
anything abnormal with suspicion. 

It is simpler to understand what abnormal user behavior is with the help of an 
example. Say User A typically logs in at 09:00 a.m., checks their email, 
performs some usual work activities and browses the internet over lunch; then 
all is well. However, if one fine day User A logs in at 03:00 p.m. instead, 
from an overseas location, exports a large amount of data from a company 
database and logs on to a cloud storage website, then alarm bells start to ring. 

The second instance here is an example of abnormal behavior by a user. It is 
imperative for a security system to be able to identify and detect such actions 
that deviate from normal user behavior. The following use cases will help set 
detection of such abnormal behavior in motion. 

i) Unusual login attempts 


Take, for instance, a user X who logs on to his system 10 times a day. If user X 
logs in approximately 30% (the tolerance can be varied as per requirement) more 
times than usual, we might say this is unusual activity for the user and raise 
an alert for it. 

We can understand this by the following query: 

_fetch * from event where $Duration=24h AND $SubSystem=AUTHENTICATION AND $Action=LOGIN AND $Status=PASSED group count_unique $User limit 200
>>_checkif lookup user_success_auth_ulimit join $User = $User int_compare count_unique > $ulimit include
>>_raise module ueba_pro unusual_user_login_attempts $User 4 12h

Cron Schedule: 0 * * * * 

ii) Unusual login failure attempts 


It is not unusual for a user, on occasion, to type in the wrong credentials by 
mistake, or perhaps to forget their password. This can even happen multiple 
times in a day: when a user is in a hurry, it is possible to make the same 
mistake several times in a row. However, if a user consecutively enters the 
wrong credentials more than, say, 10-15 times, we can state this activity to be 
suspicious.  

The security solution should be able to distinguish and detect such suspicious 
activity and lock the user out. 

For example, say User A has a tendency to make mistakes while logging in, so 
we set a threshold of 10 failures for User A. If User A now fails to log in 
30% more times than normal, that is 13 times, we can say this is unusual. 

The following query checks for login failure actions and verifies the count 
against the predetermined limit. If it exceeds the threshold, it raises an 
alert through the module and locks the user out. 

_fetch * from event where $Duration=24h AND $SubSystem=AUTHENTICATION AND $Action=LOGIN_FAIL AND $Status=FAILED group count_unique $User limit 200
>>_checkif lookup user_success_auth_ulimit join $User = $User int_compare count_unique > $ulimit include
>>_raise module ueba_pro unusual_user_login_fail_attempts_on_linux $User 4 12h

Cron Schedule: 0 * * * *
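Both use cases above (unusual login attempts and unusual login failure attempts) share one shape: count a user's authentication events over 24 hours, look up that user's usual count, and flag the user when the count exceeds the usual count by more than the 30% tolerance. The following Python is an added example of that logic, not DNIF code or DQL; the event field names, the sample events and the per-user BASELINES table (standing in for the user_success_auth_ulimit lookup) are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta


def _burst(user, action, status, n, start="2018-11-02T08:00:00"):
    """Construct n events for one user, one minute apart, starting at `start`."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(minutes=i)).isoformat(), "user": user,
             "action": action, "status": status} for i in range(n)]


# Constructed sample of normalised authentication events. Field names are
# hypothetical stand-ins for the $User / $Action / $Status fields of the queries.
EVENTS = (
    _burst("alice", "LOGIN", "PASSED", 14)          # 14 logins vs. a usual 10
    + _burst("bob", "LOGIN", "PASSED", 5)           # 5 logins vs. a usual 4 (within 30%)
    + _burst("alice", "LOGIN_FAIL", "FAILED", 14)   # 14 failures vs. a usual 10
    + _burst("bob", "LOGIN_FAIL", "FAILED", 2)
    + _burst("carol", "LOGIN", "PASSED", 50)        # no baseline learnt yet
    + _burst("alice", "LOGIN", "PASSED", 3, "2018-10-30T08:00:00")  # outside 24h
)
NOW = datetime.fromisoformat("2018-11-02T23:00:00")

# Hypothetical per-user baselines, playing the role of the
# user_success_auth_ulimit lookup: usual number of events per 24 hours.
BASELINES = {
    "alice": {"LOGIN": 10, "LOGIN_FAIL": 10},
    "bob": {"LOGIN": 4, "LOGIN_FAIL": 2},
}


def count_auth_events(events, action, status, now, window=timedelta(hours=24)):
    """Per-user count of events matching action/status in the trailing window
    (the `_fetch ... group count_unique $User` stage)."""
    start = now - window
    counts = Counter()
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if start <= ts <= now and e["action"] == action and e["status"] == status:
            counts[e["user"]] += 1
    return counts


def unusual_users(counts, baselines, action, tolerance=0.30):
    """Users whose count exceeds their baseline by more than `tolerance`
    (the `_checkif lookup ... int_compare count_unique > $ulimit` stage).
    Users with no baseline are skipped, as a lookup join would drop them."""
    flagged = {}
    for user, n in counts.items():
        base = baselines.get(user, {}).get(action)
        if base is None:
            continue
        if n > base * (1 + tolerance):
            flagged[user] = n
    return flagged


def run(events=EVENTS, baselines=BASELINES, now=NOW):
    """Both checks from the page, keyed by the module name each query raises."""
    logins = count_auth_events(events, "LOGIN", "PASSED", now)
    fails = count_auth_events(events, "LOGIN_FAIL", "FAILED", now)
    return {
        "unusual_user_login_attempts": unusual_users(logins, baselines, "LOGIN"),
        "unusual_user_login_fail_attempts": unusual_users(fails, baselines, "LOGIN_FAIL"),
    }


if __name__ == "__main__":
    for module, hits in run().items():
        print(module, hits)
```

Note that carol, who has no baseline row, is never flagged even with 50 logins: a lookup join silently drops users the baseline table has not learnt yet, so a newly created account needs a default limit (or a separate "no baseline" alert) before this check says anything about it.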

 

 
 

2. Detecting brute force attack 


A brute force attack, also known as an exhaustive search, is an attack in 
which the attacker tries possible combinations of a targeted password until 
the right password is discovered. It is generally used to obtain personal 
information such as usernames, passwords, PINs etc.  

The longer the password, the higher the number of combinations that will need 
to be tested; if a password is weak, the attacker will hardly require any 
effort and can crack it within seconds. This is why it is extremely important 
to create strong passwords across all accounts and systems. However, even with 
strong passwords, employees can fall victim to insider threats if proper 
security measures are not put in place. 

Let's understand this better with the help of the following use case: 

For example, if User A attempts to log into an account and fails more than nine 
times within a period of about 15 minutes, we can conclude that User A is 
attempting a brute force attack.  

The following query checks for consecutive login failures that exceed the 
predetermined limit (here nine) within the set time period (here 15 minutes). 
It detects such activity as an attempted brute force attack and raises an 
alert. 

_fetch * from event where $Duration=15m AND $SubSystem=AUTHENTICATION AND $Action=LOGIN_FAIL group count_unique $User limit 100
>>_checkif int_compare count_unique > 9 include
>>_raise module ueba_pro brute_force_attack_on_user $User 5 12h

Cron Schedule: 0 * * * *
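The query counts failures in a fixed 15-minute slice. The following Python is an added example, not DNIF code, of the same rule implemented as a sliding 15-minute window over per-user failure timestamps, so that a burst straddling two query runs is still caught; the event field names and sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
THRESHOLD = 9  # alert when more than nine failures fall inside one window


def _fails(user, start, n, step_minutes):
    """Construct n LOGIN_FAIL events for one user, step_minutes apart."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(minutes=i * step_minutes)).isoformat(),
             "user": user, "action": "LOGIN_FAIL"} for i in range(n)]


# Constructed sample: alice fails 12 times in 12 minutes; bob fails 10 times
# but spread 12 minutes apart, so no 15-minute window ever holds more than two.
EVENTS = (
    _fails("alice", "2018-11-02T10:00:00", 12, 1)
    + _fails("bob", "2018-11-02T10:00:00", 10, 12)
    + [{"ts": "2018-11-02T10:05:00", "user": "alice", "action": "LOGIN"}]
)


def peak_failures_per_window(events, window=WINDOW):
    """For each user, the largest number of LOGIN_FAIL events that fit inside
    any interval of length `window` (two-pointer sweep over sorted timestamps)."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN_FAIL":
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    peaks = {}
    for user, stamps in per_user.items():
        stamps.sort()
        best, left = 0, 0
        for right, ts in enumerate(stamps):
            # Advance the left edge until every stamp in [left, right] is
            # strictly less than `window` behind the newest one.
            while ts - stamps[left] >= window:
                left += 1
            best = max(best, right - left + 1)
        peaks[user] = best
    return peaks


def brute_force_candidates(events, threshold=THRESHOLD, window=WINDOW):
    """Users whose peak failure count in any window exceeds the threshold
    (the `_checkif int_compare count_unique > 9` stage)."""
    return {u: n for u, n in peak_failures_per_window(events, window).items()
            if n > threshold}


if __name__ == "__main__":
    print(brute_force_candidates(EVENTS))  # alice only
```

One scheduling caveat that follows from the page's own settings: with `$Duration=15m` and a cron of `0 * * * *`, each hourly run inspects only the last 15 minutes of the hour, so failures between minute 15 and minute 59 are never examined. Either run the query every 15 minutes or widen `$Duration` to the cron interval; the sliding window above assumes it is handed all events since the previous run.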

 

 
 

3. Detecting dormant account activity


Any user account that has not been logged into for over 60 days is considered 
a dormant account. This is usually the case when an employee is no longer part 
of the organization and the account has not been deactivated. If there is any 
sign of activity in such a dormant account, the security solution should be 
able to detect this suspicious movement, as it may be a sign of an attack.  

For example, say User A has left the organization and the normal policies and 
processes have not deactivated the account. If any activity is observed in 
User A's account 60 days after they left the organization, it will be 
considered suspicious, and the security solution should provide visibility 
into employees that haven't used their credentials over a long duration.  

The following query detects any attempt to access such a dormant account and 
raises an alert.  

_fetch * from event where $Duration=30m AND $SubSystem=AUTHENTICATION AND ($Action=LOGIN OR $Action=LOGIN_FAIL) limit 1000
>>_checkif lookup user_last_login join $User = $User dt_compare $SystemTstamp > $d_time include
>>_raise module user_entity_package dormant_user_access $User 4 12h

Cron Schedule: 0 * * * * 
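The check above joins each login or failed login against a table of last-login times. The following Python is an added example of that join, not DNIF code: LAST_LOGIN is a constructed stand-in for the user_last_login lookup, the events are constructed, and the dormancy test is written directly as "event time minus last login exceeds 60 days" rather than against a precomputed `$d_time` column.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=60)

# Hypothetical equivalent of the user_last_login lookup: last successful
# login recorded per user before the current batch of events.
LAST_LOGIN = {
    "alice": "2018-11-01T17:30:00",
    "dave": "2018-08-15T09:12:00",   # left the organisation; never deactivated
}

# Constructed authentication events from the last 30 minutes.
EVENTS = [
    {"ts": "2018-11-02T03:10:00", "user": "alice", "action": "LOGIN"},
    {"ts": "2018-11-02T03:12:00", "user": "dave", "action": "LOGIN_FAIL"},
    {"ts": "2018-11-02T03:13:00", "user": "dave", "action": "LOGIN"},
    {"ts": "2018-11-02T03:15:00", "user": "erin", "action": "LOGIN"},  # no lookup row
    {"ts": "2018-11-02T03:16:00", "user": "dave", "action": "LOGOUT"},  # not an auth attempt
]


def dormant_account_access(events, last_login, dormant_after=DORMANT_AFTER):
    """Events that touch an account whose last recorded login lies more than
    `dormant_after` before the event (the lookup join plus dt_compare stage).
    Users without a lookup row are not compared, exactly as a join drops them."""
    hits = []
    for e in events:
        if e["action"] not in ("LOGIN", "LOGIN_FAIL"):
            continue
        last = last_login.get(e["user"])
        if last is None:
            continue
        idle = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(last)
        if idle > dormant_after:
            hits.append({"user": e["user"], "action": e["action"],
                         "ts": e["ts"], "idle_days": idle.days})
    return hits


if __name__ == "__main__":
    for h in dormant_account_access(EVENTS, LAST_LOGIN):
        print(h)
```

Two points worth checking in a deployment: the lookup must be refreshed after each successful login, otherwise a legitimately reactivated account keeps alerting on every subsequent login; and, as with erin above, an account missing from the lookup is invisible to this rule, so the table should be seeded from the directory rather than only from observed logins.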

   

 

 
 

4. Suspicious User account activities 


A UEBA profiler identifies typical and atypical behaviour of users and other 
entities that interact with the network. It helps to detect any user or entity 
that might compromise the entire system. The whole idea behind UEBA is to 
observe user patterns, derive a normal pattern for each user from them, and 
detect any behaviour that deviates from these normal patterns and might be a 
potential threat.  

Any action performed on a user account (such as account creation, deletion, 
password reset etc.) must be performed by an authorized user. If such an 
activity is performed by an unauthorized user it is considered suspicious, and 
the actor could be a potential attacker. The security solution should be able 
to detect the following scenarios and notify the user. 

i) User Account Created 


Attackers usually enter an organization's network through one system and use 
that entry point to create new accounts within the network, and go on to 
compromise the entire system. The security solution should monitor such 
account creation behavior and quickly identify anomalous activities such as 
unauthorized credential creation or procedural violations. 

The following query detects a new account being created by an authorized 
(admin) user and raises an alert against that user. 

_fetch * from event where $SubSystem=ADMINISTRATION AND $Action=USR_AC_CREATD AND $Status=PASSED AND $Duration=12h group count_unique $AdminUser limit 100
>>_raise module ueba_pro user_account_created $AdminUser 7 12h

Cron Schedule: 0 * * * *  

 

 
 

ii) User Account Deleted 


Once an attacker has entered the organization's network through one system, it 
is just as easy to delete any account as it is to create one. Once a user 
account is deleted, the user will not be able to log into the network using 
their credentials from any system. This can prove very dangerous if a user 
account is deleted while the user is logged in: they will immediately lose 
access to all applications, shared folders and other systems. It is therefore 
essential to monitor account deletions and quickly determine who deleted a 
user account, so that any improperly deleted account can be restored quickly 
to minimize the risk of business disruption and system unavailability. 

The following query checks for any user account being deleted and verifies 
whether the action was performed by an authorized user; if not, it flags this 
suspicious activity and raises an alert.

_fetch * from event where $Status=PASSED AND $SubSystem=ADMINISTRATION AND $Action=USR_AC_DLETD AND $Duration=12h group count_unique $AdminUser limit 100
>>_raise module ueba_pro user_account_deleted $AdminUser 7 12h

Cron Schedule: 0 * * * *  

iii) User Account Password Reset 


Only an authorized user is permitted to change or reset the password of an 
account. However, once an attacker gains access to and control of a user 
account, they may reset the password to lock out the authorized users. It is 
very important to quickly identify account password resets and determine 
whether the reset was performed by an authorized user. 

 

 
 

The following query checks for account password resets and immediately 
verifies whether the action was performed by an authorized user of the 
account. It raises an alert if the password is reset by anyone other than an 
authorized user. 

_fetch * from event where $Action=AC_PASSWD_RESET AND $Status=PASSED AND $SubSystem=ADMINISTRATION AND $Duration=12h group count_unique $AdminUser limit 100
>>_raise module ueba_pro user_account_password_reset $AdminUser 7 12h

Cron Schedule: 0 * * * *  

iv) Audit Policy Changed 


The organization’s security solution should be able to detect if there has been 
any change made to the system’s audit policy by an unauthorized user. This 
could be a sign of the presence of an attacker in the system. 

The following query first checks whether the system's audit policy has been 
changed. If a change is detected, it then verifies whether the change was made 
by an authorized user, and raises an alert if the action was performed by an 
unauthorized user. 

_fetch * from event where $Status=PASSED AND $SubSystem=ADMINISTRATION AND $Action=AUD_POL_CHNGD AND $Duration=1h group count_unique $AdminUser limit 100
>>_raise module ueba_pro audit_policy_changed $AdminUser 7 12h

Cron Schedule: 0 * * * *    
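The four queries in this section (account created, account deleted, password reset, audit policy changed) all group successful ADMINISTRATION events by the admin user who performed them; the text additionally asks that the actor be checked against the set of authorized users. The following Python is an added example of both stages together, not DNIF code: the action codes are the ones the queries use, while the event field names, the sample events and the AUTHORIZED_ADMINS allowlist are constructed for the example.

```python
from collections import defaultdict

# Hypothetical allowlist of accounts permitted to administer user accounts
# and the audit policy (the "authorized user" the text refers to).
AUTHORIZED_ADMINS = {"admin.kate", "svc_iam"}

# Action codes as used in the page's queries, mapped to the module each raises.
WATCHED_ACTIONS = {
    "USR_AC_CREATD": "user_account_created",
    "USR_AC_DLETD": "user_account_deleted",
    "AC_PASSWD_RESET": "user_account_password_reset",
    "AUD_POL_CHNGD": "audit_policy_changed",
}


def _ev(action, admin_user, target, status="PASSED", subsystem="ADMINISTRATION"):
    """Construct one normalised administration event."""
    return {"subsystem": subsystem, "action": action, "status": status,
            "admin_user": admin_user, "target": target}


# Constructed sample: kate and svc_iam act within policy; jdoe, who is not on
# the allowlist, creates an account, resets an admin's password and changes the
# audit policy. A failed attempt and a non-administration event are included
# to show they are ignored.
EVENTS = [
    _ev("USR_AC_CREATD", "admin.kate", "new.hire"),
    _ev("USR_AC_CREATD", "jdoe", "backup_svc2"),
    _ev("AC_PASSWD_RESET", "jdoe", "admin.kate"),
    _ev("AUD_POL_CHNGD", "jdoe", "System Audit Policy"),
    _ev("USR_AC_DLETD", "svc_iam", "leaver01"),
    _ev("USR_AC_CREATD", "jdoe", "backup_svc3", status="FAILED"),
    _ev("LOGIN", "jdoe", "-", subsystem="AUTHENTICATION"),
]


def admin_activity_by_user(events):
    """Successful ADMINISTRATION events grouped per admin user and per watched
    action, listing the targets touched (the `group count_unique $AdminUser`
    stage of each query; len() of a target list is that query's count)."""
    summary = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e["subsystem"] != "ADMINISTRATION" or e["status"] != "PASSED":
            continue
        module = WATCHED_ACTIONS.get(e["action"])
        if module:
            summary[e["admin_user"]][module].append(e["target"])
    return summary


def unauthorized_admin_actions(events, authorized=AUTHORIZED_ADMINS):
    """One alert per (module, admin user) for watched actions performed by an
    account outside the allowlist, carrying the affected targets."""
    alerts = []
    for admin, modules in admin_activity_by_user(events).items():
        if admin in authorized:
            continue
        for module, targets in modules.items():
            alerts.append({"module": module, "admin_user": admin,
                           "targets": list(targets)})
    return alerts


if __name__ == "__main__":
    for a in unauthorized_admin_actions(EVENTS):
        print(a)
```

Because the allowlist check is keyed on the performing account, a compromised account that is itself on the allowlist is not caught by this stage; that is where the volume-based `count_unique` output (an allowlisted admin suddenly creating or deleting far more accounts than usual) still earns its place.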

 
 
 

5. Monitor removable media 


One of the most common ways of stealing or misusing data is through removable 
media and writeable disks. It is imperative that the security solution be able 
to detect when any kind of removable media is connected to a system, and 
monitor or prevent sensitive information being written from an endpoint to a 
removable media device such as a USB flash drive, CD/DVD or external hard 
disk. 

The following query checks whether any kind of removable media has been 
connected to a system and raises an alert as soon as a device is detected. 

_fetch * from event where $EventID=4663 AND $Category='Removable Storage' AND $Duration=30m group count_unique $DevSrcIP limit 100
>>_checkif int_compare count_unique > 0 include
>>_raise module ueba_pro removable_media_attached $DevSrcIP 5 1h

Cron Schedule: 0 * * * *  
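The query keys on Windows Security event 4663 (an attempt was made to access an object) with the Removable Storage task category, which Windows only emits when the Object Access / Removable Storage audit subcategory is enabled. The following Python is an added example, not DNIF code, of the same filter with the per-host grouping extended to list the users and objects involved, which is what an analyst needs to triage the alert; the event field names and sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

# Constructed Windows Security events, normalised to the fields the query uses
# ($EventID, $Category and $DevSrcIP, the reporting host) plus the subject user
# and object name that a 4663 event carries.
EVENTS = [
    {"ts": "2018-11-02T14:02:10", "event_id": 4663, "category": "Removable Storage",
     "host": "10.0.5.21", "user": "alice",
     "object": r"\Device\HarddiskVolume7\Q4-forecast.xlsx", "access": "WriteData"},
    {"ts": "2018-11-02T14:03:45", "event_id": 4663, "category": "Removable Storage",
     "host": "10.0.5.21", "user": "alice",
     "object": r"\Device\HarddiskVolume7\payroll.csv", "access": "WriteData"},
    {"ts": "2018-11-02T14:10:00", "event_id": 4663, "category": "File System",
     "host": "10.0.5.22", "user": "bob",
     "object": r"C:\Users\bob\notes.txt", "access": "WriteData"},       # fixed disk
    {"ts": "2018-11-02T14:12:00", "event_id": 4656, "category": "Removable Storage",
     "host": "10.0.5.23", "user": "carol",
     "object": r"\Device\HarddiskVolume9\x.bin", "access": "ReadData"},  # handle request, not 4663
    {"ts": "2018-11-02T11:00:00", "event_id": 4663, "category": "Removable Storage",
     "host": "10.0.5.24", "user": "dave",
     "object": r"\Device\HarddiskVolume8\old.zip", "access": "ReadData"},  # outside window
]
NOW = datetime.fromisoformat("2018-11-02T14:30:00")


def removable_media_access(events, now=NOW, window=WINDOW):
    """Hosts with at least one 4663 Removable Storage event in the trailing
    window (the `count_unique > 0` stage), with the users, objects and access
    rights seen on each host."""
    start = now - window
    hosts = defaultdict(lambda: {"count": 0, "users": set(),
                                 "objects": set(), "accesses": set()})
    for e in events:
        if e["event_id"] != 4663 or e["category"] != "Removable Storage":
            continue
        ts = datetime.fromisoformat(e["ts"])
        if not (start <= ts <= now):
            continue
        h = hosts[e["host"]]
        h["count"] += 1
        h["users"].add(e["user"])
        h["objects"].add(e["object"])
        h["accesses"].add(e["access"])
    return dict(hosts)


if __name__ == "__main__":
    for host, detail in removable_media_access(EVENTS).items():
        print(host, detail)
```

Since every run fires on any host with a single event, this rule is only as useful as the audit policy behind it: with the Removable Storage subcategory disabled the query returns nothing and reports no failure, so the absence of these events on a fleet should itself be checked.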
 

   

 
 
 

About DNIF 

DNIF is a first-of-its-kind NextGen SIEM with multiple capabilities, including 
UEBA, Log Management, SOAR, Security Analytics and Threat Intelligence, all 
bundled together on a single platform to bring in process efficiency, better 
manageability and reduced risk. 

WEB https://dnif.it 

EMAIL hello@dnif.it 

TOLL FREE +1 888 664 8420 (USA) | 1800 123 3643 (INDIA) 

USA: 2570 N. First Street 2nd Floor, San Jose, CA 95131, USA 
INDIA: 2nd Floor, Reliable House, KanjurMarg (w), Mumbai 400078, IN 

 
 

To arrange a demo of DNIF or to speak with one of our security architects to 
see how our platform would be helpful for your organization, please contact us 
at hello@dnif.it 

 
© 2018 NETMONASTERY NSPL. All rights reserved. NETMONASTERY, DNIF, DQL, The "OPEN" Big Data Analytics Platform are 
trademarks or registered trademarks of NETMONASTERY NSPL and/or its affiliates in INDIA, and/or the US and other countries. 
The title image is a photo by Cayetano Gil on Unsplash and is used with full credit to the owner. 

 
