This page covers the underlying architecture and functioning of Log360 Cloud's User and Entity Behavior Analytics (UEBA): how it applies machine learning to monitor user and entity activity, builds behavioral baselines, and detects anomalies as deviations from those baselines. This helps security teams quickly identify insider threats, compromised accounts, and policy violations.

Image 1: ManageEngine Log360 Cloud's UEBA workflow
Log360 Cloud's User and Entity Behavior Analytics (UEBA) leverages sophisticated Machine Learning (ML) techniques to identify abnormal behavior patterns across users and hosts within the network. By highlighting deviations from normal behavior baselines, UEBA helps analysts detect insider threats, compromised accounts, and policy violations with greater accuracy and efficiency.
The first step in the UEBA workflow involves aggregating logs from multiple sources within the monitored network. These include user authentication logs, file access events, process creation logs, system events, and other host or application activity data.
These raw event logs are collected using the Log Collector, which supports collection via various log formats and protocols (e.g., syslog, Windows Event Logs, etc.).
Once collected, the logs are routed to the Machine Learning Server, the core processing engine within the UEBA architecture.
The Machine Learning Server is a specialized processing module that handles the ingestion and analysis of event logs using ML-based algorithms. It performs the following operations:
Once the data reaches the ML Server, the UEBA engine performs behavior profiling by constructing baseline models for every user and entity over a defined observation window. These models evolve dynamically as more logs are analyzed.
The behavioral analysis uses three distinct types of models, each leveraging specific mechanisms:
| Model Type | Underlying Mechanism | Purpose |
|---|---|---|
| Time-based model | Robust Principal Component Analysis (RPCA) | Flags deviations in temporal activity patterns (e.g., logging in at unusual hours). |
| Count-based model | Robust Principal Component Analysis (RPCA) | Highlights abnormal frequency of actions (e.g., too many file accesses). |
| Pattern-based model | Markov Chains | Detects deviations in activity sequences (e.g., login followed by data exfiltration pattern). |
RPCA identifies low-rank behavior structures and separates noise or outliers (anomalies). It works well in detecting sudden spikes in behavior.
Markov models track sequences of actions and calculate the probability of an event sequence. When new sequences deviate significantly from the learned transitions, they're flagged as anomalies.
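The pattern-based mechanism described above, as an added illustration that is not Log360 Cloud's own code: a first-order Markov chain is trained on constructed baseline action sequences, and a new sequence is scored by its mean per-transition negative log-likelihood, so sequences whose score exceeds an assumed threshold are flagged. The smoothing constant, the floor probability for never-seen actions, and the threshold are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from math import log

# Constructed baseline: action sequences observed for one user during the training window.
BASELINE = [
    ["login", "read_file", "read_file", "logout"],
    ["login", "read_file", "write_file", "logout"],
    ["login", "read_file", "read_file", "read_file", "logout"],
    ["login", "write_file", "logout"],
]
ALPHA = 0.01      # additive smoothing so no learned transition has probability 0 (assumption)
FLOOR = 1e-3      # probability assigned to an action never seen in the baseline (assumption)
THRESHOLD = 2.0   # mean negative log-likelihood above which a sequence is flagged (assumption)

def train_markov(sequences, alpha=ALPHA):
    """Estimate P(next | current) for every pair of known actions, with smoothing."""
    counts = defaultdict(Counter)
    states = set()
    for seq in sequences:
        states.update(seq)
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    states = sorted(states)
    model = {}
    for a in states:
        total = sum(counts[a].values()) + alpha * len(states)
        model[a] = {b: (counts[a][b] + alpha) / total for b in states}
    return model

def sequence_score(model, seq, floor=FLOOR):
    """Mean per-transition negative log-likelihood; higher means less expected."""
    nll, n = 0.0, 0
    for a, b in zip(seq, seq[1:]):
        # Transitions involving an action absent from the baseline fall back to the floor.
        p = model.get(a, {}).get(b, floor)
        nll += -log(p)
        n += 1
    return nll / n if n else 0.0

def is_anomalous(model, seq, threshold=THRESHOLD):
    """Flag the whole sequence, not any single event, as the text describes."""
    return sequence_score(model, seq) > threshold

MODEL = train_markov(BASELINE)

if __name__ == "__main__":
    for s in (["login", "read_file", "write_file", "logout"],
              ["login", "logout", "login", "logout", "login", "logout"]):
        print(s, round(sequence_score(MODEL, s), 2), is_anomalous(MODEL, s))
```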
The system does not treat individual logs as anomalies. Instead, it evaluates event occurrences over time across the different models. If a set of actions significantly deviates from the baseline behavior, it is classified as an anomalous behavior.
Examples:
When behavioral anomalies are detected, the Machine Learning Server forwards the anomalous events/logs to the reporting engine. Here’s what happens next:
Security analysts can then investigate the report. To be notified whenever the anomaly recurs, they can enable an alert profile, add the anomaly as an incident, and remediate it.
Read also
This document described the working architecture behind the anomaly models of Log360 Cloud's UEBA. To make use of UEBA's capabilities, refer to the articles below: