Netenrich Blog | Expert Cybersecurity Insights on SecOps, threats & more

Entity Resolution: The Foundation of Cross-Source UEBA

Written by Raju Chekuri | Thu, Jun 18, 2026 @ 07:15 AM

Early in the Netenrich 2.0 build, one of our data science leads surfaced a problem that seemed simple and proved to be genuinely hard: why traditional UEBA (User and Entity Behavior Analytics) platforms fail when the same entity appears under completely different identifiers in different source systems.

A user might appear as their SAM account name in Windows Active Directory logs, their email address in cloud IAM events, a numeric user ID in SaaS application logs, a display name in collaboration tool events, and an IP address in network logs when they are the only active user on a specific subnet. One person. Five different identifiers. In a security data environment without entity resolution, these look like five separate analytical subjects. For any organization relying on legacy UEBA, this identity fragmentation makes comprehensive behavioral anomaly detection nearly impossible.


The Critical Security Consequences of Identity Fragmentation in UEBA

The security consequences of this fragmentation are specific and significant. When identity data remains siloed, the core promises of user and entity behavior analytics fall apart across three critical areas:


Lateral movement detection fails at system boundaries.

An adversary who has compromised a credential and is moving from system to system appears as a different entity in each system's logs. Each individual system shows unremarkable activity. The cross-system view — which would reveal the pattern — is impossible without knowing that these different identifiers refer to the same entity.


Behavioral profiles fragment.

A user's complete behavioral pattern across all systems — endpoints, servers, cloud environments, SaaS applications — cannot be built if each system's records are attributed to different entities. The behavioral baseline is therefore based on a subset of actual activity, making anomaly detection less reliable and less specific.


Investigation queries return incomplete pictures.

When an analyst asks to see all activity by a specific user across all systems, the query can only return records attributed to the identifiers the analyst knows to specify. The activity attributed to unresolved identifiers is invisible.


Architecting Entity Resolution for Advanced Cross-Source UEBA

Solving entity resolution at scale — hundreds of thousands of entities, dozens of source systems, new identifiers appearing continuously — required several capabilities working together.

A Canonical Entity Store: A continuously maintained registry of known entities and their observed identifiers, updated as new identifiers are discovered.

Identity Linkage Logic: Advanced deterministic rules and ML models that link new identifiers to known entities based on corroborating evidence — these two identifiers were observed in the same authentication session, or are associated with the same device, or match patterns indicating the same person.

Confidence Scoring: Systematically acknowledging that some linkages are certain and some are probabilistic, and propagating that confidence through the analytics.

At Netenrich, we built entity resolution into the Resolution Intelligence Cloud as infrastructure — not as an analytical feature but as the foundational layer that every analytical capability sits on. It runs continuously. Every new identifier that appears in the telemetry is evaluated against the canonical entity store and either matched to an existing entity or flagged for review.
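To make the three capabilities above (canonical store, linkage logic, confidence scoring) and the match-or-flag loop in this paragraph concrete, here is a small Python resolver. It is an added illustration written for this post, not Netenrich code and not how the Resolution Intelligence Cloud is implemented. The evidence types, their confidence weights, the review threshold, the five identifiers and the event records are all constructed for the example. It also shows the investigation-query point from earlier: the same "show me everything jdoe did" query returns one event against an empty store and four against a resolved one, because the resolved entity's identifiers span AD, cloud IAM, SaaS and netflow sources.

```python
from dataclasses import dataclass, field

# Confidence per kind of corroborating evidence. Weights and the review
# threshold are assumptions for this example, not Netenrich's real values.
EVIDENCE_CONFIDENCE = {
    "same_auth_session": 1.0,  # both identifiers seen in one authentication session
    "same_device": 0.8,        # both identifiers associated with the same device
    "name_pattern": 0.6,       # e.g. email local part equals the SAM account name
}
REVIEW_THRESHOLD = 0.7  # linkages below this confidence are flagged for review


@dataclass
class Entity:
    entity_id: str
    identifiers: dict = field(default_factory=dict)  # identifier -> confidence


class EntityStore:
    """Canonical entity store: registry of entities and their observed identifiers."""

    def __init__(self):
        self.entities = {}      # entity_id -> Entity
        self.index = {}         # identifier -> entity_id
        self.review_queue = []  # (known, new, evidence, confidence) awaiting review
        self._counter = 0

    def resolve(self, identifier):
        """Map an observed identifier to its canonical entity id, or None."""
        return self.index.get(identifier)

    def register(self, identifier):
        """Create a new entity for an identifier that matches nothing known."""
        if identifier in self.index:
            return self.index[identifier]
        self._counter += 1
        eid = f"ent-{self._counter}"
        self.entities[eid] = Entity(eid, {identifier: 1.0})
        self.index[identifier] = eid
        return eid

    def observe_link(self, known, new, evidence):
        """Link `new` to the entity owning `known` on one piece of evidence.
        Returns the entity id on a confident match, None when flagged for review."""
        conf = EVIDENCE_CONFIDENCE[evidence]
        eid = self.index.get(known) or self.register(known)
        owner = self.index.get(new)
        if (owner is not None and owner != eid) or conf < REVIEW_THRESHOLD:
            # Either two entities claim the same identifier or the evidence is
            # too weak: never merge silently, hand it to an analyst instead.
            self.review_queue.append((known, new, evidence, conf))
            return None
        ent = self.entities[eid]
        ent.identifiers[new] = max(conf, ent.identifiers.get(new, 0.0))
        self.index[new] = eid
        return eid


def name_pattern_evidence(sam_account, email):
    """Probabilistic rule: email local part equals the SAM account name."""
    local = email.split("@")[0].lower()
    return "name_pattern" if local == sam_account.lower() else None


def activity_for(store, identifier, events):
    """All events for the entity behind `identifier`, across every source.
    Without a resolved entity only events carrying that exact string come back."""
    eid = store.resolve(identifier)
    if eid is None:
        return [e for e in events if e["who"] == identifier]
    ids = store.entities[eid].identifiers
    return [e for e in events if e["who"] in ids]


def build_demo():
    """Constructed sample: one person under five identifiers, as in the post."""
    events = [  # constructed telemetry, not real data
        {"source": "ad", "who": "jdoe", "host": "WS-01", "action": "logon"},
        {"source": "cloud_iam", "who": "jdoe@example.com", "host": "aws-console", "action": "AssumeRole"},
        {"source": "saas", "who": "u-48213", "host": "crm-app", "action": "export_report"},
        {"source": "collab", "who": "John Doe", "host": "chat", "action": "file_share"},
        {"source": "netflow", "who": "10.1.2.3", "host": "DB-07", "action": "connect:1433"},
    ]
    store = EntityStore()
    store.register("jdoe")
    # Name pattern alone is below threshold: queued for review, not merged
    store.observe_link("jdoe", "jdoe@example.com", name_pattern_evidence("jdoe", "jdoe@example.com"))
    # Same session id in the AD logon and the IAM event: certain linkage
    store.observe_link("jdoe", "jdoe@example.com", "same_auth_session")
    # SaaS id and the IP were both tied to device WS-01: strong linkage
    store.observe_link("jdoe", "u-48213", "same_device")
    store.observe_link("jdoe", "10.1.2.3", "same_device")
    # Display name matches only by pattern: flagged, stays unresolved
    store.observe_link("jdoe", "John Doe", "name_pattern")
    return store, events


if __name__ == "__main__":
    store, events = build_demo()
    print(len(activity_for(EntityStore(), "jdoe", events)), "events without resolution")
    print(len(activity_for(store, "jdoe", events)), "events with resolution")
    print("for review:", store.review_queue)
```

Two design points carry over to a real system. First, a linkage is never applied below the review threshold or when a second entity already owns the identifier; both cases go to the review queue, since a wrong merge poisons two behavioral baselines at once. Second, confidence is stored per identifier rather than per entity, so downstream analytics can weight or exclude the probabilistic links (here the 0.8 device-based ones) without losing the certain ones.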

Shift Your SOC into High Gear

Tired of siloed tools missing lateral movement because your identity telemetry is fragmented? Deploy a Netenrich Agentic SOC in 30 Days to achieve native entity resolution, clean up your behavioral baselines, and catch sophisticated attack paths before data leaves your environment.

The Real-World Payoff of a Sound Entity Foundation

The payoff was immediate and significant. Once entity resolution was working reliably, cross-source behavioral analysis became coherent. Lateral movement patterns that crossed system boundaries became visible at the behavioral level. Investigation queries returned complete pictures. The analytical capabilities built on top — behavioral baselines, peer group analysis, graph traversal — all became more powerful because the entity foundation they depended on was sound.

Entity resolution is foundational work. It is invisible to the analyst who benefits from it. It is the precondition for every meaningful multi-source security intelligence capability. Getting it right is worth the investment.

*Part of my ongoing series on data science and the future of security operations.*