detecting-insider-threat-with-ueba
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/detecting-insider-threat-with-uebaModel normal user activity to detect subtle signs of malicious insider actions.
- Identify deviations from established user and entity patterns to flag suspicious activity.
- Integrates with Elasticsearch/OpenSearch for log analysis and statistical computation.
- Calculates risk scores by comparing individual actions against peer group norms.
- Delivers high-confidence alerts detailing potential data exfiltration or privilege abuse.
SKILL.md
.github/skills/detecting-insider-threat-with-uebaView on GitHub ↗
--- name: detecting-insider-threat-with-ueba description: Implement User and Entity Behavior Analytics using Elasticsearch/OpenSearch to build behavioral baselines, calculate anomaly scores, perform peer group analysis, and detect insider threat indicators such as data exfiltration, privilege abuse, and unauthorized access patterns. domain: cybersecurity subdomain: threat-detection tags: [ueba, insider-threat, anomaly-detection, elasticsearch, behavior-analytics, machine-learning, siem] version: "1.0" author: mahipal license: Apache-2.0 --- # Detecting Insider Threat with UEBA ## Overview User and Entity Behavior Analytics (UEBA) moves beyond static rule-based detection to model normal behavior for users, hosts, and applications, then flag statistically significant deviations that may indicate insider threats. Using Elasticsearch as the analytics backend, this skill covers building behavioral baselines from authentication logs, file access events, and network activity, computing risk scores using statistical deviation and peer group comparison, and correlating multiple low-confidence indicators into high-confidence insider threat alerts. ## When to Use - When investigating security incidents that require detecting insider threat with ueba - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Elasticsearch 8.x or OpenSearch 2.x cluster with security audit data - Log sources: Active Directory authentication, VPN, DLP, file server access, email - Python 3.9+ with elasticsearch client library - Baseline period of 30+ days of normal user activity data - Defined peer groups based on department, role, or job function ## Steps ### Step 1: Ingest and Normalize Activity Logs Configure log pipelines to ingest authentication, file access, email, and network logs into Elasticsearch with a unified user identity field. ### Step 2: Build Behavioral Baselines Calculate per-user baselines for login times, data volume, application usage, and access patterns over a rolling 30-day window using Elasticsearch aggregations. ### Step 3: Calculate Anomaly Scores Compare current activity against baselines using z-score deviation and peer group comparison to generate per-user risk scores. ### Step 4: Correlate and Alert Combine multiple anomalous indicators (unusual hours + large downloads + new system access) into composite risk scores that trigger SOC investigation workflows. ## Expected Output JSON report containing per-user risk scores, anomalous activity details, peer group deviations, and recommended investigation actions.
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.