Skip to the main content.
  • Netenrich /
  • Blog /
  • Situational Awareness Is Key to Faster, Better Threat Detection

2 min read

Situational Awareness Is Key to Faster, Better Threat Detection

Threats start with risks. Understanding risks is really just situational awareness. And that awareness leads to faster and better detection. The convergence of situational awareness, stitching risks and events together to find patterns that show malicious intent or misuse, is the point of User and Entity BEHAVIORAL ANALYTICS.

With machine learning, the right data (and enough data), and the right patterns, we can reduce mean time to detect and mean time to resolution (hint, integrate SOAR and workflow). It’s not rocket science and it doesn’t take a thousand rules.


UEBA is just one step in the threat detection  journey

Risk mitigation driven by situational awareness can go a long way toward preventing the unthinkable at a business. So, if you’re thinking about Cybersecurity Mesh Architecture (CSMA) now and tying vulnerabilities and configurations to events and actions, you’re thinking the way we are at Netenrich.

UEBA is just one step on the journey. It’s part of why we offer vulnerability management and patch management services and link the analytics to workflow and playbooks.

RISKS+IDENTITY+SIEM+UEBA+TIP+SOAR = Netenrich Resolution Intelligence Cloud

Resolution Intelligence Cloud is a platform that aggregates everything, converging collection, detection, and response at Google scale and speed.


What log sources should you apply UEBA to?

It depends on where you keep your business-critical data. For example, where is your intellectual property, customer data, employee data, or financial transactions data? That’s the key data.

You need to collect those logs to get visibility around how users are interacting with the business-critical data.

Finally, make sure you have enough context around the data so that an analyst can make sense of the events. Threat intelligence, geo location, and peer attributes are incredibly valuable to show with an event, and to compare events from one user to another.

The tables below outline the key data sources and use cases to help you gain situational awareness and improve threat detection and response.


Key data sources

Collected data about From For
Identity IAM, HR, Physical Access Peers, Entitlements, Hire/Fire
Authentication AD, SSO, VPN, Citrix Source, App Requested
Application File Share, Banking, CRM, DB Records Accessed/Transactions
Email End User Events Data Exfiltration Channel
Proxy End User Events Data Exfiltration Channel
Firewall In/Out Bytes
Threat intel TIP - OSINT - MISP Enrichment & Context
Geo Location MaxMind Enrichment & Context



Use cases — Triggers and log sources

Trigger Log Source
Activity by Terminated User Authentication (VPN, AD, SSO, Citrix)
Rare Login - Unusual Country Authentication (VPN, AD, SSO, Citrix)
Rare File or Folder Accessed SharePoint, Box, Windows
Rare Transaction Application Log
Spike in Events Any
Spike in Total Bytes Firewall, Proxy, Flow
Spike in Total Currency Transacted Application Log
Unusual File or Folder Accessed SharePoint, Box, OneDrive
Rare Login - Unusual Time Authentication (VPN, AD, SSO, Citrix)
Physical Security - Unusual Door or Location Badge Reader/Physical Access
Email to Competitor Domain Email
Employee Risk - Resume/CV Sent Email
Employee Risk - Browsing Job Sites Proxy
Physical Security - Login without Badging In Badge Reader, Auth
Impossible Travel Authentication (VPN, AD, SSO, Citrix)+GEOIP [MaxMind]
Physical Security - Lexus/Nexus Finding Lexus/Nexus


Security information and event management

4 min read

SIEM 101 – Best Practices for Implementation

Security information and event management (SIEM) is about collecting, detecting, and responding. That is, collecting data into a single pane of glass...

Read More

1 min read

Netenrich at RSA Conference  2023

Visit Netenrich at booth #4241 in Moscone South Expo during RSAC in San Francisco on April 24 - 27, 2023. Netenrich will present and demo Resolution...

Read More
Increase situational awareness

2 min read

Looking “Left of Bang” to Increase Situational Awareness

At Netenrich, part of what we’re doing is looking "left of bang." Bang (!) is geek speak for when we see detonation of malicious content. What...

Read More