Find threats – unknown unknowns – quickly with no manual threat hunting and no configuration. Get immediate results without writing queries, rules or signatures.


Gurucul’s User and Entity Behavior Analytics (UEBA) uses machine learning models on open choice big data to detect unknown threats via predictive risk scoring early in the kill chain. Utilized in both on-premises and hybrid cloud environments, UEBA focuses on the detection of risks and threats beyond the capabilities of signatures, rules and patterns.

Using big data, Gurucul provides risk-based behavior analytics delivering actionable intelligence for security teams with low false positives. Gurucul leads the market in demonstrating UEBA results where others cannot because we consume the most data sources out-of-the-box and leverage the largest machine learning library. We deliver a single unified prioritized risk score per user and entity, making it trivial to uncover true findings and deliver quick time to value.

Gurucul UEBA Use Cases


Insider Threat Detection and Deterrence

Provide risk-based analytics, data mining, and anomaly and behavior detection to help identify high-risk profiles. Help security teams by creating a baseline from profiling attributes drawn from HR records, events, access repositories, log management solutions and more, so that abnormal user behavior associated with potential sabotage, data theft or misuse can be detected and predicted.

Account Compromise, Hijacking and Sharing

Detect attacks using machine learning algorithms tuned to inspect various parameters like timestamp, location, IP, device, transaction patterns, high-risk event codes and network packets, to identify any deviation from the normal behavior of an account and corresponding transactions.


Privileged Access Abuse

Monitor privileged accounts with contextual information about who accesses your IP and regulated data. Provide risk-based alerting on anomalous behavior and the ability to prevent and deter a threat before it occurs.


Data Exfiltration, DLP and IP Protection

Identify data exfiltration and protect intellectual property by ingesting data sources such as DLP and data classification to uncover important data locations, access and application activity. Risk scoring DLP alerts is a primary benefit of UEBA machine learning because it significantly reduces alert fatigue and prioritizes ‘find-fix’ resources.


Adaptive Authentication

Adaptive authentication leverages the UEBA risk score of a user or entity to dynamically determine the levels of authentication for access. A low-risk score may result in a simple password challenge while a high-risk score may result in multiple authentication challenges (e.g., password, MFA access code and answering questions). The solution supports bidirectional integration with industry standard adaptive authentication solutions by using ready-to-use connectors and API interfaces.


SIEM and DLP Risk Intelligence

Eliminate the alert fatigue caused by SIEM and DLP solutions by aggregating risk scores at the user and entity level, rather than generating a huge number of alerts at the transaction or event level. This use case employs bidirectional integration via APIs: SIEM and DLP data is ingested into UEBA, and UEBA provides risk scores back to these systems to allocate ‘find-fix’ resources.
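The two ideas above (a single prioritized risk score per user built from many event-level alerts, and an authentication level chosen from that score as in the Adaptive Authentication use case) can be made concrete with a small worked example. The code below is an added illustration written for this page; it is not Gurucul's code, and the alert records, severity weights, diminishing-returns formula and authentication thresholds are all constructed assumptions chosen to show the mechanism rather than any vendor's actual model.

```python
import math
from collections import defaultdict

# Constructed sample of event-level alerts, in the shape a SIEM or DLP tool
# might export. Note the burst of identical DLP hits for "alice" and the two
# distinct high-severity events for "dave".
SAMPLE_ALERTS = [
    {"user": "alice", "entity": "wks-101", "source": "dlp",  "type": "usb_copy",        "severity": 3},
    {"user": "alice", "entity": "wks-101", "source": "dlp",  "type": "usb_copy",        "severity": 3},
    {"user": "alice", "entity": "wks-101", "source": "dlp",  "type": "usb_copy",        "severity": 3},
    {"user": "bob",   "entity": "srv-db1", "source": "siem", "type": "priv_escalation", "severity": 5},
    {"user": "bob",   "entity": "srv-db1", "source": "siem", "type": "off_hours_login", "severity": 2},
    {"user": "carol", "entity": "wks-204", "source": "siem", "type": "failed_login",    "severity": 1},
    {"user": "dave",  "entity": "wks-310", "source": "siem", "type": "priv_escalation", "severity": 5},
    {"user": "dave",  "entity": "wks-310", "source": "dlp",  "type": "bulk_download",   "severity": 4},
]

# Hypothetical base contribution per severity level (1 = low, 5 = critical).
SEVERITY_WEIGHT = {1: 5.0, 2: 10.0, 3: 20.0, 4: 30.0, 5: 45.0}

# Hypothetical thresholds mapping a 0-100 risk score to an authentication level.
AUTH_LEVELS = [
    (25.0, "password"),                 # low risk: simple password challenge
    (60.0, "password+mfa"),             # medium risk: password plus MFA code
    (101.0, "password+mfa+questions"),  # high risk: password, MFA and challenge questions
]


def aggregate_risk(alerts):
    """Collapse event-level alerts into one 0-100 risk score per user.

    Alerts of the same type for one user contribute with diminishing returns,
    base * (1 + ln(n)), so a burst of identical DLP hits does not drown out a
    single critical event. Distinct alert types add together, and the total
    is capped at 100. The formula is an assumption made for this example.
    """
    per_user = defaultdict(lambda: defaultdict(list))
    for alert in alerts:
        per_user[alert["user"]][alert["type"]].append(alert)

    scores = {}
    for user, by_type in per_user.items():
        total = 0.0
        for hits in by_type.values():
            worst = max(h["severity"] for h in hits)
            base = SEVERITY_WEIGHT.get(worst, SEVERITY_WEIGHT[1])
            total += base * (1 + math.log(len(hits)))
        scores[user] = min(100.0, round(total, 1))
    return scores


def prioritize(scores):
    """Return (user, score) pairs ordered highest risk first; this is the
    ranked list that would be handed back to the SIEM or DLP console."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def auth_level(score):
    """Pick the authentication challenge set for a given risk score."""
    for ceiling, level in AUTH_LEVELS:
        if score < ceiling:
            return level
    return AUTH_LEVELS[-1][1]


if __name__ == "__main__":
    ranked = prioritize(aggregate_risk(SAMPLE_ALERTS))
    for user, score in ranked:
        print(f"{user:6} risk={score:5.1f} auth={auth_level(score)}")
```

Eight event-level alerts become four ranked user scores, and the three identical DLP hits for alice score lower than bob's one privilege escalation plus one minor event, which is the prioritization effect the use case describes.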


Self-Audit and ID Theft Detection

Deputize users into a collaborative relationship with security analysts to provide context and relevance not available to SOC teams. This multiplier of ‘eyes on glass’ applies to employees, business partners and suppliers, agents in hub-spoke organizations, and in some cases, customers. All these parties are likely to have one or more accounts with access entitlements to critical applications and data. A frequently issued (usually weekly) self-audit report provides visibility for access, devices, locations and risk-scored anomalous behavior providing both detection and deterrence for end users.


Cyber Fraud Detection and Deterrence

Provide a flexible data model open to attributes from commercial or homegrown treasury and accounting systems to be considered for behavioral analytics from machine learning models. Ingest access and activity data from treasury, accounting and payment systems to detect anomalies with predictive risk scoring. UEBA allows organizations to integrate their cyber fraud models and risk frameworks providing significant benefit of leveraging existing investments and security models in alignment with business context.


Trusted Host and Entity Compromise

Detect advanced persistent threat (APT) attacks and attack vectors and predict data exfiltration by performing entity-centric anomaly detection. In addition to monitoring anomalous user behavior with UEBA, it is critical for organizations to monitor closely all the endpoints (devices and hosts) connected to the network. UEBA correlates a wide range of parameters associated with an entity, including: endpoint security alerts, vulnerability scan results, risk levels of users and accounts used, targets accessed, packet level inspection of the requested payloads, and more. This correlation facilitates detection of any anomalous activities or events to determine predictive risk scores.


Stateful Session Tracking

Provide greater visibility into user activities across multiple resources or applications with stateful session tracking. UEBA builds and tracks the user session state, even when a user navigates across heterogeneous resources or applications using different accounts and devices at different times. Leveraging machine learning, UEBA dynamically builds session correlation attributes used to build session context in order to link any subsequent activities based on a confidence factor. This enables the identification of valid IP switching due to transitions between wired and wireless networks, a workstation and a handheld/mobile device, or accessing enterprise resources from various onsite locations or remotely over VPN. UEBA’s ability to track user sessions across these various parameters ensures a significant reduction in false positives while simultaneously delivering greater visibility into the sequence of events.


Anomalous Behavior and Watch Lists

Address anomalous behavior with watch lists to quickly profile and maintain an eye on unknowns and apply escalating predictive risk scores. Machine learning behavior models are designed to deliver feedback on false positives and negatives and then update self-learning and self-training models to adapt to time-based norms and conditions unique to each customer deployment. Watch lists come pre-defined within UEBA for common high-risk groups like new hires, departing users, terminated users, and high-risk users. These groups are easily accessed in dashboard drop-down menus to analyze risk scores, anomalies, accounts, access, activity and timelines.


Hybrid Infrastructure

Provide UEBA platforms for both on-premises and cloud applications, removing the need for any large data transfers between environments. Such transfers can be expensive and impede the use of important data for advanced security analytics. UEBA and identity analytics run on-premises. The cloud analytics portion is an API-based cloud access security broker (CASB). The CASB API architecture enables direct data collection from cloud data sources while providing users a transparent access experience from any location. Proxy-based CASBs serve as a data source into cloud analytics for shadow IT use, cloud DLP, and more. UEBA, identity and cloud security analytics share combined processes and models to provide 360-degree visibility for identity, accounts, access and activities in hybrid environments.

Gurucul UEBA Benefits

Results are the most important benefit. We are not threat hunters, we are threat finders. We’ve done all the hunting for you.

Empowered Security Capabilities and Quality


The mature capabilities of UEBA provide robust and optimal advanced security analytics across a range of on-premises and hybrid environments, scoring the gray areas of unknowns and minimizing false positives. The result is a sharper focus for ‘find-fix’ resources, better use of security analysts’ time, greater efficiency in the SOC, and more productive operations and people.

Extended and Optimized Discovery, Monitoring and Visibility


View the full context of a user’s access and activities, both legitimate and anomalous. Obtain a combined 360-degree view for identity, and risk-scored behavior anomalies driven by machine learning.

Improved Productivity and Cost Savings


Provide risk-ranked alerts with contextual visibility for the security team to shorten the prevention, detection, investigation and remediation cycle for risks and threats. Offer a manageable number of true positives that allows businesses to combat threats effectively. Holistic visibility across all of an organization’s environments, users and devices maximizes SOC team efficiency and delivers cost savings. In addition, as enterprises migrate to cloud applications, the ability to expand the platform without adopting additional solutions helps to minimize costs.

Gurucul really stood out because the analytics engine was the most powerful. The machine learning algorithms are the strongest. We saw results very, very quickly. There’s an amazing value for this type of solution.

– Bill Scandrett, CISO, Allina Health
