We have heard of tons of User Behaviour Analytics tools that claim to facilitate detection of cyber-attacks. However, they generate tons of alerts, causing “alert fatigue” for SOC analysts, and stealthy attacks performed by attackers are often missed. It is also difficult to understand how these alerts are generated, since the models in these commercial off-the-shelf products are closed-source.
I will present a real case example of how I built our own analytics models and threat profiles by leveraging machine learning techniques across 3 different use cases: Web Access Anomaly, Windows Access Anomaly and Core Application Anomaly, so that everyone can replicate it in their own environment. I will also show examples of how anomalous user activities can be used as the starting point for proactive threat hunting. The results of the open-source analytics model will be presented, along with how it was used to replace the UEBA tools we had.
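To make the Web Access Anomaly idea concrete, here is an added example of the kind of replicable, transparent model the abstract contrasts with closed-source UEBA. It is not the speaker's code and does not reproduce their model; it assumes a simplified log record of the form "timestamp user method path status" (constructed here) and uses a per-user self-baseline with z-scores, which is one of several reasonable designs. The point it illustrates is that the analyst can see exactly which feature fired for which user, users with too little history are reported as unbaselined rather than silently scored, and the output is a ranked list of hunt leads rather than a stream of per-event alerts.

```python
"""Added illustration: a self-baselining web-access anomaly model.

Each user's activity on an evaluation day is compared with that user's own
daily behaviour on earlier days. Features that rise more than Z_THRESHOLD
standard deviations above the user's baseline are reported as triggers, and
users are ranked by total deviation so analysts can pick hunt leads from the
top. All log lines are constructed here; the record format is a simplified
"timestamp user method path status" line, an assumption of this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

FEATURES = ("requests", "distinct_paths", "error_ratio", "offhours_ratio")
# Per-feature lower bound on the baseline spread: a user whose history is
# perfectly flat would otherwise get an infinite z-score on any change.
SIGMA_FLOOR = {"requests": 2.0, "distinct_paths": 1.0,
               "error_ratio": 0.02, "offhours_ratio": 0.05}
Z_THRESHOLD = 3.0
MIN_BASELINE_DAYS = 3  # fewer than this: report as unbaselined, not scored


def parse_line(line):
    """Parse one constructed record into the fields we score on."""
    ts, user, _method, path, status = line.split()
    day, clock = ts.split("T")
    return {"day": day, "user": user, "path": path,
            "status": int(status), "hour": int(clock[:2])}


def daily_features(records):
    """Aggregate records into per-(user, day) feature vectors."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["user"], r["day"])].append(r)
    feats = {}
    for key, rs in groups.items():
        n = len(rs)
        feats[key] = {
            "requests": n,
            "distinct_paths": len({r["path"] for r in rs}),
            "error_ratio": sum(r["status"] >= 400 for r in rs) / n,
            "offhours_ratio": sum(r["hour"] < 7 or r["hour"] >= 19 for r in rs) / n,
        }
    return feats


def score_users(feats, eval_day):
    """Score every user seen on eval_day against their own earlier days."""
    history = defaultdict(lambda: defaultdict(list))
    for (user, day), f in feats.items():
        if day < eval_day:  # ISO dates compare correctly as strings
            for name in FEATURES:
                history[user][name].append(f[name])
    results = []
    for (user, day), f in feats.items():
        if day != eval_day:
            continue
        days = len(history[user]["requests"])
        score, triggers = 0.0, []
        if days >= MIN_BASELINE_DAYS:
            for name in FEATURES:
                hist = history[user][name]
                sigma = max(pstdev(hist), SIGMA_FLOOR[name])
                z = (f[name] - mean(hist)) / sigma
                if z > Z_THRESHOLD:  # only upward deviations are interesting here
                    triggers.append(name)
                    score += z
        results.append({"user": user, "score": round(score, 1),
                        "triggers": triggers, "baseline_days": days})
    return sorted(results, key=lambda r: r["score"], reverse=True)


def make_day(user, day, hour, paths, n_ok, n_err):
    """Construct one day of log lines; the first n_err requests return 404."""
    return [f"{day}T{hour:02d}:{i % 60:02d}:00 {user} GET {paths[i % len(paths)]} "
            f"{404 if i < n_err else 200}" for i in range(n_ok + n_err)]


def run_example():
    """Build constructed history for three users and score the last day."""
    app = [f"/app/page{i}" for i in range(5)]
    lines = []
    # alice: steady office-hours user with four days of history.
    for day, ok, err in (("2024-05-01", 40, 0), ("2024-05-02", 38, 2),
                         ("2024-05-03", 40, 1), ("2024-05-04", 42, 1)):
        lines += make_day("alice", day, 9, app, ok, err)
    lines += make_day("alice", "2024-05-05", 10, app, 41, 1)
    # bob: normally light; on the evaluation day his account touches 120
    # distinct paths at 02:00 with a 30% error rate.
    for day, ok, err in (("2024-05-01", 25, 1), ("2024-05-02", 27, 0),
                         ("2024-05-03", 25, 1), ("2024-05-04", 23, 2)):
        lines += make_day("bob", day, 14, app[:4], ok, err)
    lines += make_day("bob", "2024-05-05", 2,
                      [f"/app/item/{i}" for i in range(120)], 210, 90)
    # carol: joined two days ago, so there is no usable baseline yet.
    lines += make_day("carol", "2024-05-03", 11, app, 30, 0)
    lines += make_day("carol", "2024-05-04", 11, app, 80, 0)
    lines += make_day("carol", "2024-05-05", 11, app, 75, 3)
    feats = daily_features(parse_line(l) for l in lines)
    return score_users(feats, "2024-05-05")


if __name__ == "__main__":
    for r in run_example():
        print(r)
```

Running it lists bob at the top with all four features as triggers, alice with no triggers, and carol with `baseline_days` of 2 and no verdict. The floors in `SIGMA_FLOOR` and `MIN_BASELINE_DAYS` are the knobs an analyst tunes per environment; in a real deployment the per-user baseline would typically be combined with a peer-group baseline so that a new joiner like carol can still be compared against similar users.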