Files
Anthropic-Cybersecurity-Skills/skills/detecting-insider-threat-with-ueba/references/api-reference.md
T

2.4 KiB

API Reference: Detecting Insider Threat with UEBA

Elasticsearch Aggregation Queries

Per-User Daily Activity Baseline

{
  "aggs": {
    "users": {
      "terms": {"field": "user.name", "size": 5000},
      "aggs": {
        "daily_events": {"date_histogram": {"field": "@timestamp", "calendar_interval": "day"}},
        "unique_hosts": {"cardinality": {"field": "host.name"}},
        "data_volume": {"sum": {"field": "bytes_transferred"}}
      }
    }
  }
}

Anomaly Detection (Z-Score > 3)

from elasticsearch import Elasticsearch
es = Elasticsearch(["https://localhost:9200"], api_key="base64key")
result = es.search(index="logs-*", body=query)
z_score = (current - baseline_avg) / baseline_std

Insider Threat Indicators

Indicator Detection Method Severity
Activity spike Z-score > 3 standard deviations High
Data exfiltration Volume > 5x daily average Critical
New host access Unique hosts > 2x baseline High
Off-hours activity Login outside 06:00-22:00 Medium
Peer group outlier Activity > 3x peer average Medium
Privilege escalation New admin role assignment Critical
Resignation + download HR flag + high data volume Critical

Elasticsearch Python Client

pip install elasticsearch>=8.0
Method Description
es.search(index, body) Execute aggregation query
es.indices.get_alias("logs-*") List matching indices
es.count(index) Get document count

Risk Scoring Model

Score Range Risk Level Action
0 - 30 Low No action
31 - 60 Medium Monitor
61 - 80 High SOC investigation
81 - 100 Critical Immediate response

MITRE ATT&CK Insider Techniques

Technique ID UEBA Detection
Data from Local System T1005 Volume anomaly on file servers
Exfiltration Over Web Service T1567 Cloud upload volume spike
Account Manipulation T1098 Unusual privilege changes
Valid Accounts T1078 Off-hours or location anomaly

References