performing-user-behavior-analytics

Featured skill in AI & Automation. 12,642 stars, 1,468 forks. Updated today. License: Apache-2.0.


Skill Content

# Performing User Behavior Analytics

## When to Use

Use this skill when:

- SOC teams need to detect compromised accounts through abnormal authentication patterns
- Insider threat programs require behavioral monitoring beyond rule-based detection
- Impossible travel or geographic anomalies indicate credential compromise
- Privileged account monitoring requires baseline deviation detection

**Do not use** as the sole basis for disciplinary action — UEBA findings are indicators requiring investigation, not proof of malicious intent.

## Prerequisites

- SIEM with 30+ days of authentication and access log history for baseline creation
- VPN, O365, and Active Directory authentication logs normalized to CIM
- GeoIP database (MaxMind GeoLite2) for location-based anomaly detection
- Identity enrichment data (department, role, manager, typical work hours)
- Splunk Enterprise Security with UBA module or equivalent UEBA capability

## Workflow

### Step 1: Build User Authentication Baselines

Create behavioral baselines from historical data:

```spl
index=auth sourcetype IN ("o365:management:activity", "vpn_logs", "WinEventLog:Security") earliest=-30d latest=-1d
| stats dc(src_ip) AS unique_ips,
        dc(src_country) AS unique_countries,
        dc(app) AS unique_apps,
        count AS total_logins,
        earliest(_time) AS first_login,
        latest(_time) AS last_login,
        values(src_country) AS countries,
        avg(eval(strftime(_time, "%H"))) AS avg_login_hour,
        ...
```
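The impossible-travel check that the workflow's GeoIP prerequisite feeds is shown below as an added Python example; it is not code from the skill or its repository. The `AuthEvent` schema, the 900 km/h plausibility threshold and the 50 km GeoIP-jitter floor are assumptions, and the sample events are constructed.

```python
# Added example, not the skill's own code: impossible-travel detection over
# GeoIP-enriched authentication events. Schema and thresholds are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # about airliner cruise speed; tune per organisation
MIN_DISTANCE_KM = 50.0      # below this, treat as GeoIP jitter / same metro area

@dataclass
class AuthEvent:
    user: str
    ts: datetime    # timezone-aware UTC timestamp of the login
    src_ip: str
    lat: float      # latitude/longitude from GeoIP enrichment (e.g. GeoLite2)
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, prev_ip, cur_ip, km, kmh) for each pair of consecutive
    logins by the same user whose implied travel speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):   # chronological per user
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")  # same-second hop
            if kmh > max_kmh:
                findings.append((user, prev.src_ip, cur.src_ip, round(km), round(kmh)))
    return findings

# Constructed sample: alice "moves" New York -> London in one hour (flag);
# bob moves Paris -> Berlin in eight hours (plausible, no finding).
SAMPLE = [
    AuthEvent("alice", datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc), "203.0.113.10", 40.71, -74.01),
    AuthEvent("alice", datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc), "198.51.100.7", 51.51, -0.13),
    AuthEvent("bob", datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc), "192.0.2.5", 48.86, 2.35),
    AuthEvent("bob", datetime(2024, 5, 1, 17, 0, tzinfo=timezone.utc), "192.0.2.9", 52.52, 13.40),
]
```

Findings are indicators only: corroborate against VPN egress, known cloud proxy ranges and the identity enrichment data before escalating.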

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

detecting-insider-threat-with-ueba (mukul975; AI & Automation, Featured; 12,642 stars; updated today)
Implement User and Entity Behavior Analytics using Elasticsearch/OpenSearch to build behavioral baselines, calculate anomaly scores, perform peer group analysis, and detect insider threat indicators such as data exfiltration, privilege abuse, and unauthorized access patterns.

detecting-anomalous-authentication-patterns (mukul975; AI & Automation, Featured; 12,642 stars; updated today)
Detects anomalous authentication patterns using UEBA analytics, statistical baselines, and machine learning models to identify impossible travel, credential stuffing, brute force, password spraying, and compromised account behaviors across authentication logs. Activates for requests involving authentication anomaly detection, login behavior analysis, UEBA implementation, or suspicious sign-in investigation.

detecting-insider-threat-behaviors (mukul975; AI & Automation, Featured; 12,642 stars; updated today)
Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads, privilege abuse, and resignation-correlated data theft.

investigating-insider-threat-indicators (mukul975; AI & Automation, Featured; 12,642 stars; updated today)
Investigates insider threat indicators including data exfiltration attempts, unauthorized access patterns, policy violations, and pre-departure behaviors using SIEM analytics, DLP alerts, and HR data correlation. Use when SOC teams receive insider threat referrals from HR, detect anomalous data movement by employees, or need to build investigation timelines for potential insider threats.

anomaly-detector (maxwellokumu; AI & Automation, Listed; 0 stars; updated 1 month ago)
Compare recent activity against a historical baseline to identify behavioral anomalies and help Claude explain which users or patterns warrant deeper investigation.