UEBA and Baseline

What is UEBA?

UEBA stands for User and Entity Behavior Analytics. It analyzes various behavior patterns with large amounts of data within a sufficient time period to understand normal user behavior. And by defining these baselines, it can identify suspicious behavior, potential threats, and attacks that traditional methods may not detect. The key thing in UEBA is it identifies anomalous activities by looking at context information from a series of activities and establishing the correlation between them. 

Anomaly Detection and Baseline

Warden Threat Detection analyzes logs from your infrastructure to perform UEBA to detect anomalies after learning the normal behavior of the users in the organization. It establishes a baseline for each organization or each user based on their previous activity patterns. It can detect any anomalous behavior when there are deviations from these “normal baseline” patterns. It can be due to a credential compromise, crypto-jacking, or an early sign of insider threats.


The current baseline period for anomaly detection is 30 days. Warden detection model observes recent 30 days of activity data to establish a baseline. It generates an anomaly alert when it found an activity that was not observed during the baseline period.

The first two weeks after you integrated the logs are considered the baseline training period. During this period, no anomaly alerts will be activated. After two weeks, the anomaly detection will be activated if the number of events satisfies the minimum baseline requirement.

As more activity data is observed in the baseline, Warden Threat Detection develops a more accurate picture of what activity is normal in your organization and what activity is unusual.

Anomaly Detection Examples:

1. User Accessed from a New Geolocation

It triggers when an IAM user or service account accessed cloud environment from anomalous locations, based on the geolocation of the requesting IP addresses.

2. Abnormal Provisioning of Compute Instances

It triggers when a high number of cloud instances were created accidentally or for crypto-jacking.

It means the cloud credentials with write access are very likely leaked. The attacker could use the credentials to continue performing harmful activities to other resources. It will have a financial impact on the company if the resources are used for expensive computing activities such as crypto mining.

3. Abnormal Provision of Resource in an Unused Region

It triggers when cloud resources were created in an unusual region.

For example, you can be alerted immediately when a user creates a compute instance in a new region that your organization rarely uses and flag early signs of an abnormal number of instances created in a short period of time which is highlikely a crypto jacking event.