How to detect abnormal User behaviour (sequence of actions)

Hi,

Need help - how to detect abnormal User behaviour (sequence of actions) using Elastic ML (or other tools)?

For example - user can perform following actions:

  • Login
  • Read Patients List
  • Read Patient Info
  • Read Clinical Notes of Patient
  • Add Clinical Note to a Patient
  • Logout
    (Nurse opened application, found a Patient, reviewed recent Clinical Notes and added a new one, then left the application)

I'd like to be able to automatically detect abnormal behaviour like

  • Login
  • Add Clinical Note to a Patient
  • Logout
  • Logout
  • Logout
    (Suspicious user/bot was able to select Patient without viewing List of Patients and immediately added Clinical Note without viewing list of existing notes, plus hit Logout URL 3 times in a row)

There are many possible actions and different types of users (Nurse, Doctor, Personal Support Worker, Clinic Manager, etc.); users may also open multiple browser tabs, etc. User role is not recorded in events, and different Clinics may have their own roles.

So I'd like to automatically classify each user's actions, group users with common action sequences, and generate an alert when a user starts behaving differently from their group or from their own past behaviour.

Thank you in advance for your ideas/suggestions.
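One way to get at the "behaves differently from its own past or its group" part of the question, added here as an illustration and not code from the thread or from Elastic, is to learn a first-order transition model (which action normally follows which) from sessions of known-good behaviour and then flag any session that contains transitions the baseline has never, or almost never, seen. The action names and the training sessions below are constructed to match the workflow described in the question; in a real deployment they would come from your access logs, and you would learn one model per group of users (per clinic, or per role once you have inferred it).

```python
from collections import Counter, defaultdict

# Constructed sessions representing the normal nurse workflow described in the
# question (not data from the thread). Each session is the ordered list of actions
# between one login and one logout.
NORMAL_SESSIONS = [
    ["login", "read_patient_list", "read_patient_info", "read_clinical_notes",
     "add_clinical_note", "logout"],
    ["login", "read_patient_list", "read_patient_info", "read_clinical_notes", "logout"],
    ["login", "read_patient_list", "read_patient_info", "read_patient_list",
     "read_patient_info", "read_clinical_notes", "add_clinical_note", "logout"],
    ["login", "read_patient_list", "logout"],
]

# The suspicious session from the question: a note added without listing or viewing
# the patient first, followed by three logout hits in a row.
SUSPICIOUS_SESSION = ["login", "add_clinical_note", "logout", "logout", "logout"]


def learn_transitions(sessions):
    """Build a first-order transition model P(next | current) from normal sessions.

    START and END markers are added so that the first and last action of a session
    are modelled as well (e.g. a session that does not begin with login is unusual).
    """
    counts = defaultdict(Counter)
    for session in sessions:
        seq = ["START"] + list(session) + ["END"]
        for current, nxt in zip(seq, seq[1:]):
            counts[current][nxt] += 1
    return {
        current: {nxt: n / sum(nxts.values()) for nxt, n in nxts.items()}
        for current, nxts in counts.items()
    }


def unusual_transitions(session, model, threshold=0.05):
    """Return the (from, to, probability) transitions in `session` that the baseline
    rates below `threshold`. Transitions never seen in training score 0.0."""
    seq = ["START"] + list(session) + ["END"]
    flagged = []
    for current, nxt in zip(seq, seq[1:]):
        p = model.get(current, {}).get(nxt, 0.0)
        if p < threshold:
            flagged.append((current, nxt, p))
    return flagged


def session_is_abnormal(session, model, max_unusual=0):
    """Alert when a session contains more unusual transitions than `max_unusual`."""
    return len(unusual_transitions(session, model)) > max_unusual


if __name__ == "__main__":
    model = learn_transitions(NORMAL_SESSIONS)
    for name, session in [("normal", NORMAL_SESSIONS[0]), ("suspicious", SUSPICIOUS_SESSION)]:
        print(name, session_is_abnormal(session, model), unusual_transitions(session, model))
```

Running it flags exactly the two things the question calls out: `login -> add_clinical_note` (no list or patient view in between) and the repeated `logout -> logout` transitions, both of which have probability 0 in the baseline, while the normal sessions produce no flags. The same model can be trained per user as well as per group, so a user drifting from their own history and a user drifting from their peers are both detectable with one mechanism; the threshold controls how rare a transition must be before it counts.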

Hey @GlebCA,

Elastic's unsupervised anomaly detection jobs would be suitable for this use case. They can learn what the typical actions for a user are against a given page/url, and alert you when abnormal page interactions are detected.

However, you can also build sequence queries with EQL, and create detections on specific sequences of events (or mismatch of sequences).

If you wanted to look for something exactly like you described, you can create a sequence rule like:

// Per user and source address: a login, then a notes action, then three
// logout events, all within one minute of the login.
sequence by user.name, source.ip with maxspan=1m
  [ authentication where event.action:"login" ]
  [ any where event.action:"<action representing notes>" ]
  [ authentication where event.action:"logout" ] with runs=3

You can build any sequence that you'd like to be alerted on.

You can try EQL here - eqlplaygound.io

Additionally, here are some examples for the unsupervised anomaly approach - we include these as part of the default Elastic security content. Security anomaly detection configurations | Elastic Docs

James

1 Like
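To make the semantics of the sequence rule above concrete, here is a small matcher, added as an example and not code from Elastic or from the thread, that applies the same logic in Python to a handful of constructed events: join on `user.name` and `source.ip`, require the stages in order (other events may sit between them, as in an EQL sequence), expand `with runs=3` into three consecutive logout stages, and drop any partial match once `maxspan` has elapsed since its first event. The placeholder `<action representing notes>` is filled with the assumed action name `add_clinical_note`, and the matcher keeps only one in-flight sequence per key, which is a simplification of the real engine.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the thread). Field names follow the ECS fields
# used in the EQL rule: user.name, source.ip, event.category, event.action.
def _ev(ts, user, ip, category, action):
    return {"@timestamp": ts, "user.name": user, "source.ip": ip,
            "event.category": category, "event.action": action}

EVENTS = [
    # nurse1: the normal workflow, one logout
    _ev("2024-05-01T09:00:00", "nurse1", "10.0.0.5", "authentication", "login"),
    _ev("2024-05-01T09:00:05", "nurse1", "10.0.0.5", "web", "read_patient_list"),
    _ev("2024-05-01T09:00:10", "nurse1", "10.0.0.5", "web", "read_patient_info"),
    _ev("2024-05-01T09:00:15", "nurse1", "10.0.0.5", "web", "read_clinical_notes"),
    _ev("2024-05-01T09:00:20", "nurse1", "10.0.0.5", "web", "add_clinical_note"),
    _ev("2024-05-01T09:00:25", "nurse1", "10.0.0.5", "authentication", "logout"),
    # bot1: login, immediate note, three logouts within seconds
    _ev("2024-05-01T10:00:00", "bot1", "10.0.0.9", "authentication", "login"),
    _ev("2024-05-01T10:00:02", "bot1", "10.0.0.9", "web", "add_clinical_note"),
    _ev("2024-05-01T10:00:03", "bot1", "10.0.0.9", "authentication", "logout"),
    _ev("2024-05-01T10:00:04", "bot1", "10.0.0.9", "authentication", "logout"),
    _ev("2024-05-01T10:00:05", "bot1", "10.0.0.9", "authentication", "logout"),
    # nurse2: same shape as bot1, but the note comes 5 minutes after the login,
    # outside maxspan=1m, so the one-minute rule must not fire
    _ev("2024-05-01T11:00:00", "nurse2", "10.0.0.7", "authentication", "login"),
    _ev("2024-05-01T11:05:00", "nurse2", "10.0.0.7", "web", "add_clinical_note"),
    _ev("2024-05-01T11:05:01", "nurse2", "10.0.0.7", "authentication", "logout"),
    _ev("2024-05-01T11:05:02", "nurse2", "10.0.0.7", "authentication", "logout"),
    _ev("2024-05-01T11:05:03", "nurse2", "10.0.0.7", "authentication", "logout"),
]

# Stages of the rule as (category, action); category None stands for `any`.
# `with runs=3` on the last stage is expanded into three consecutive stages.
STAGES = [("authentication", "login"), (None, "add_clinical_note")] + [("authentication", "logout")] * 3


def _stage_matches(event, stage):
    category, action = stage
    return (category is None or event["event.category"] == category) and event["event.action"] == action


def find_sequences(events, stages=STAGES, maxspan_seconds=60):
    """Greedy sequence matcher: per (user.name, source.ip) join key, events are taken
    in time order and must satisfy the stages in order, with other events allowed in
    between; the whole sequence must complete within maxspan of its first event.
    Simplification: EQL tracks several in-flight sequences per key, this keeps one."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user.name"], e["source.ip"])].append(e)

    matches = []
    for (user, ip), evs in by_key.items():
        evs.sort(key=lambda e: e["@timestamp"])
        state, start, matched = 0, None, []
        for e in evs:
            ts = datetime.fromisoformat(e["@timestamp"])
            if start is not None and (ts - start).total_seconds() > maxspan_seconds:
                state, start, matched = 0, None, []   # span expired: drop the partial match
            if _stage_matches(e, stages[state]):
                if state == 0:
                    start = ts
                matched.append(e["@timestamp"])
                state += 1
                if state == len(stages):
                    matches.append({"user.name": user, "source.ip": ip, "timestamps": matched})
                    state, start, matched = 0, None, []
    return matches


if __name__ == "__main__":
    for m in find_sequences(EVENTS):
        print(m)
```

With the default one-minute span only `bot1` matches; `nurse1` never reaches the third logout, and `nurse2` is dropped because the note arrives after the span has expired. Widening `maxspan_seconds` to 600 makes `nurse2` match as well, which is the trade-off to keep in mind when you pick the span for the real rule: a long span catches slow actors, a short one keeps a single late click from firing the alert.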

Er, that URL doesn't work (for me)

Oops, typo :wink:

eqlplayground.io

James

1 Like
