API Reference: Detecting Insider Threat with UEBA
Elasticsearch Aggregation Queries
Per-User Daily Activity Baseline
Anomaly Detection (Z-Score > 3)
Insider Threat Indicators
| Indicator |
Detection Method |
Severity |
| Activity spike |
Z-score > 3 standard deviations |
High |
| Data exfiltration |
Volume > 5x daily average |
Critical |
| New host access |
Unique hosts > 2x baseline |
High |
| Off-hours activity |
Login outside 06:00-22:00 |
Medium |
| Peer group outlier |
Activity > 3x peer average |
Medium |
| Privilege escalation |
New admin role assignment |
Critical |
| Resignation + download |
HR flag + high data volume |
Critical |
Elasticsearch Python Client
| Method |
Description |
es.search(index, body) |
Execute aggregation query |
es.indices.get_alias("logs-*") |
List matching indices |
es.count(index) |
Get document count |
Risk Scoring Model
| Score Range |
Risk Level |
Action |
| 0 - 30 |
Low |
No action |
| 31 - 60 |
Medium |
Monitor |
| 61 - 80 |
High |
SOC investigation |
| 81 - 100 |
Critical |
Immediate response |
MITRE ATT&CK Insider Techniques
| Technique |
ID |
UEBA Detection |
| Data from Local System |
T1005 |
Volume anomaly on file servers |
| Exfiltration Over Web Service |
T1567 |
Cloud upload volume spike |
| Account Manipulation |
T1098 |
Unusual privilege changes |
| Valid Accounts |
T1078 |
Off-hours or location anomaly |
References