ABCs of UEBA: J is for JSON

A mature User and Entity Behavior Analytics (UEBA) solution integrates with as many of your enterprise applications as possible. You want to ingest data feeds from applications, infrastructure (Systems, AD/LDAP, Devices, etc.), and cyber security feeds (threat intelligence, DLP, Firewall, etc.). You also want to integrate UEBA with relevant applications to facilitate security orchestration – like ticketing systems to automatically open service tickets to investigate risky behavior. One of the primary formats for UEBA data ingestion and integration is JSON (JavaScript Object Notation), the lightweight data-interchange format.

JSON has a more compact style than XML. With JSON, it is very easy to transform data from UEBA solutions to other applications with little overhead. It has become the standard for UEBA API integrations.

UEBA Data Ingestion Supports JSON

Data ingestion is key for a successful UEBA deployment. Gurucul’s advanced analytics engine ingests a range of data types from various enterprise and cloud applications and platforms. This includes identity, access, activity logs, transactions, communication logs (voice, chat, SMS), flow data (NetFlow / PCap), external Threat Intelligence feeds, social media, device allocations, and more.

Gurucul provides more than 300 out-of-the-box connectors for a majority of standard Commercial Off The Shelf (COTS) platforms. It also provides a native Flex-Connector Framework which allows customers to quickly build and configure a generic connector.

Gurucul UEBA supports stream, flat file (CSV, XML, JSON), database, LDAP and API connections, allowing customers to connect to virtually any data source. Our APIs use the lightweight JSON data-interchange format because JSON offers open, standards-based data portability.


Gurucul UEBA provides a collection of REST Application Programming Interfaces (APIs) which allow external programs to use the core product functionality by integrating the APIs with existing IT infrastructures and third-party applications. The API output is in JSON format, and the key here is that the integration is open. Gurucul offers open analytics on open choice of big data using open APIs for data ingestion and integration. Not all UEBA products offer APIs based on JSON. This is a clear differentiator in easily connecting UEBA to all your applications, infrastructure, and cyber logs using an open, standard format.

Following are some of the key use cases and business processes executed by existing customers using Gurucul JSON APIs:

  • Drive risk-based authentication by making an API call to Gurucul UEBA to retrieve a user’s risk score inline with the user authentication flow
  • Trigger automated risk response actions based on risk score and threat indicators using API-based integration
  • Fetch a user’s risk score for making access request approvals as part of IDM workflows
  • Open a ServiceNow ticket to investigate a user with a high risk score
  • Obtain risky account entitlements to launch risk-based access certifications
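
For the first use case above, the authentication flow is only as sound as the way it parses and trusts the JSON score. The following is an added example, not Gurucul code: the response fields (`user`, `riskScore`, `generatedAt`), the 0-100 scale, the thresholds and the fallback to step-up authentication are all assumptions, since the page does not document the API schema.

```python
import json

# Assumed policy values; the page does not publish thresholds or a score scale.
STEP_UP_AT, DENY_AT = 50, 80      # on an assumed 0-100 scale
MAX_AGE_S, MAX_BYTES = 300, 4096  # freshness window and response size cap


def _reject_duplicates(pairs):
    # JSON parsers disagree on which duplicate key wins, so refuse them outright.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def _reject_constant(name):
    # Python's json accepts NaN/Infinity by default; NaN fails every >= test.
    raise ValueError(f"non-standard constant {name}")


def _number(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError("expected a number")
    return value


def parse_risk(raw, expected_user, now):
    """Return the validated score from a hypothetical risk response."""
    if len(raw.encode("utf-8")) > MAX_BYTES:
        raise ValueError("response too large")
    doc = json.loads(raw, object_pairs_hook=_reject_duplicates,
                     parse_constant=_reject_constant)
    if not isinstance(doc, dict) or doc.get("user") != expected_user:
        raise ValueError("not a risk record for this user")
    score = _number(doc.get("riskScore"))
    if not 0 <= score <= 100:
        raise ValueError("score out of range")
    if not 0 <= now - _number(doc.get("generatedAt")) <= MAX_AGE_S:
        raise ValueError("stale or future-dated score")
    return score


def decide(raw, expected_user, now):
    """Map the response to allow / step_up / deny; unusable input means step_up."""
    try:
        score = parse_risk(raw, expected_user, now)
    except (ValueError, RecursionError):
        return "step_up"
    if score >= DENY_AT:
        return "deny"
    return "step_up" if score >= STEP_UP_AT else "allow"
```

With a plain `json.loads`, a response carrying `riskScore` twice (90, then 5) or a `NaN` score would fall through both threshold checks and come out as "allow"; here both end in step-up authentication.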

The Gurucul REST API conforms to the Representational State Transfer (REST) architectural style that essentially exploits the existing technology and protocols of the Web. REST architecture has the following properties:

  • Separation of concerns, such as data storage and access mechanisms, between a client and a server.
  • A stateless client-server interaction, where there is no concept of a session. Clients supply all information in server requests without relying on stored state on the server.
  • Optional data caching to improve request-response performance.
  • A generalized, uniform interface for simplicity.
  • A layered arrangement of architectural components.

These architectural properties align with a REST API implementation that accesses domain resources through corresponding endpoints, using the HTTP and HTTPS protocols.

The Gurucul UEBA API categories include:

  • Users/Identities: APIs to retrieve users and identities. Example: retrieve a list of all users or entities.
  • Accounts: APIs to retrieve accounts. Example: retrieve a list of all high-privileged accounts.
  • Entitlements: APIs to retrieve account entitlements. Example: retrieve all accounts for a given entitlement.
  • Risk: APIs to retrieve risk scores, behavior anomalies, etc. Examples: retrieve a list of active accounts for terminated users, retrieve behavioral anomalies triggered for a given resource.
  • Activity: APIs to retrieve activity information.
  • Case Management: APIs to retrieve case-related information. Example: retrieve a list of all cases for a given status.
  • Job Scheduler Auditing: APIs to retrieve job-related information. Example: retrieve a list of jobs based on job status.

Languages oriented to network-based resources, most commonly Java and Python, provide libraries that support the HTTP GET and POST methods. Typical implementations may begin as UNIX shell scripts or on the command line. A single command-line call to ‘curl’ can invoke the API. Our API guide provides interesting examples. The UI uses the API to interact with the backend. All application functions can be built using the API.

In addition, Gurucul supports a range of Hadoop Big Data distributions, which can be queried programmatically to access raw data stored in HDFS/HBase using standard interfaces like Phoenix, Impala, Hive, etc.
