SANS Puts LogRhythm’s UEBA Capabilities to the Test

Key Elements of LogRhythm’s UEBA Solution

The threat landscape grows increasingly unpredictable and dangerous as threat actors expand in number and their attacks increase in sophistication. From motivated insiders to well-armed nation-states, threats to your organization are increasing in number and difficulty of detection.

When threats occur, understaffed security operations centers (SOCs) often lack sufficient access to contextual information. This lack of visibility is a key problem that LogRhythm CloudAI for User and Entity Behavior Analytics (UEBA) is designed to solve.

CloudAI-Powered UEBA

LogRhythm CloudAI for UEBA can help your organization detect advanced threats with artificial intelligence (AI) and machine learning (ML). Utilizing both supervised and unsupervised ML to establish baselines and monitor user behavior, CloudAI applies AI against environmental data to detect previously hidden threats.

Key Elements of a Comprehensive UEBA Solution

A comprehensive UEBA solution includes a number of key components that work together to help you effectively surface potential user-based threats.

Figure 1: Key Elements of LogRhythm’s UEBA Solution

Optimally Prepared Data

When it comes to analytics, the adage of garbage in, garbage out holds true. Your analytics are only as good as your data.

The full UEBA solution utilizes LogRhythm Machine Data Intelligence (MDI) Fabric. LogRhythm’s MDI Fabric processes and enriches data from across your environment to optimally prepare it for accurate analysis through various tools, such as CloudAI. Leveraging classification, contextualization, and time normalization, the LogRhythm MDI Fabric uniquely enables effective machine analytics. The MDI Fabric works out of the box, ensuring rapid time to value. This means your team can focus solely on security rather than developing and maintaining rulesets.

Scenario and Behavior Analytics

Scenario and behavior analytics together provide the analytic depth needed for comprehensive visibility across the full spectrum of attacks facing your organization. LogRhythm’s UEBA solution detects advanced threats through scenario analytics and through behavior analytics driven by ML and AI in CloudAI. Scenario Analytics provides customers with a library of field-proven, user-based threat scenarios that operate in coordination with ML-observed activities, corroborating security relevancy for greater precision in identifying threats.

Threat Hunting Visualizations

LogRhythm’s UEBA solution further incorporates threat hunting visualizations to enable user monitoring and embedded security orchestration, automation, and response to streamline the work of your security team.

LogRhythm TrueIdentity™ consolidates a user’s multiple accounts—such as VPN access, work email, personal email, cloud storage—and account identifiers into a single identity. This consolidation ensures deeper visibility into a user’s activity and provides greater analytics accuracy.

Security Orchestration, Automation, and Response (SOAR)

Case Management plays a key role in LogRhythm UEBA. It enables rapid case creation to decrease your mean time to detect (MTTD) a cyberthreat and facilitates efficient incident investigation.

Finally, LogRhythm’s UEBA solution features SmartResponse™. This SOAR security solution is a powerful and flexible automation framework that streamlines incident response by reducing the time needed to perform common investigation and mitigation steps. It also allows semi-automated, approval-based operations so users can review a situation before countermeasures are executed.

SANS Reviews CloudAI for UEBA

SANS put LogRhythm CloudAI for UEBA to the test to ensure the solution delivers streamlined threat detection and response. Dave Shackleford, senior SANS instructor, reviewed LogRhythm CloudAI and demonstrated various use cases, such as insider threat, account compromise, and admin abuse.

Shackleford starts by running through CloudAI’s capability to sift through the noise and pull out actionable intelligence from large data sets. His review validated the platform’s ability to record and analyze user behavior to create a risk score.

When it comes to difficulty of operations and the ability to glean insights, Shackleford commented that he was “impressed, as always… with the ease of use.” He wraps up his review on CloudAI for UEBA, stating “Adding in UEBA on top of the existing analytics and processing capabilities has made this really a much more powerful platform to do deep analysis and reporting around anomalies.”

Watch the full webcast now to learn more about LogRhythm CloudAI for UEBA and how it can help you detect dangerous user behavior and rapidly mitigate threats.