Question

Incorporating UEBA Techniques in Detection Rules

  • August 25, 2025
  • 2 replies
  • 184 views


Hi there,

I’m trying to incorporate user behavior patterns (UEBA techniques) into SecOps rules. For example, let’s say I want to create a rule that triggers an alert whenever a user clears Windows event logs. I only want that to trigger an alert if the user has not previously run similar commands in the last 30-90 days. If they haven’t run those commands previously, then that is considered ‘anomalous’ and an alert will be triggered. I took a look at using metrics but only certain functions are supported.

Is this possible? I figured with playbooks in SOAR it is, but was hoping to accomplish this within the rule itself.

Thanks!
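The first-seen check described in the question, written out as an added worked example so the logic is concrete. This is illustration code in Python, not a YARA-L rule, not code from the original post and not part of the SecOps product: it keeps a per-user "last log clear" baseline and alerts only when a user clears a log with no prior clear inside the configurable 30-90 day window. Windows Security event 1102 ("The audit log was cleared"), System event 104 and the wevtutil / Clear-EventLog command lines are real indicators; the sample events, the Event shape and the FirstSeenDetector name are constructed for the example.

```python
"""Added example: alert on a Windows event-log clear only when the user has not
cleared a log in the previous N days (a first-seen / "new behaviour" check).
Illustration code, not a SecOps/YARA-L rule.  Sample events are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Security 1102 = "The audit log was cleared"; System 104 = a log was cleared.
LOG_CLEAR_EVENT_IDS = {1102, 104}
# Command-line routes to the same outcome (matched case-insensitively).
LOG_CLEAR_COMMAND_MARKERS = ("wevtutil cl ", "wevtutil.exe cl ", "clear-eventlog")


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    event_id: Optional[int] = None  # Windows event ID for an EVTX record
    cmdline: str = ""               # process command line for a process event


def is_log_clear(e: Event) -> bool:
    """True if the event represents clearing a Windows event log."""
    if e.event_id in LOG_CLEAR_EVENT_IDS:
        return True
    normalised = " ".join(e.cmdline.lower().split()) + " "
    return any(marker in normalised for marker in LOG_CLEAR_COMMAND_MARKERS)


class FirstSeenDetector:
    """Alert when a user clears a log and has no prior clear within baseline_days.

    The baseline state (last clear per user) must persist across evaluations for
    this to work in a real pipeline; here it simply lives in memory (assumption).
    """

    def __init__(self, baseline_days: int = 30):
        self.baseline = timedelta(days=baseline_days)
        self.last_seen: Dict[str, datetime] = {}  # user -> most recent log clear

    def process(self, e: Event) -> Optional[dict]:
        if not is_log_clear(e):
            return None
        prev = self.last_seen.get(e.user)
        self.last_seen[e.user] = e.ts  # update the baseline whatever the verdict
        if prev is not None and e.ts - prev <= self.baseline:
            return None  # seen recently: expected behaviour for this user
        reason = ("first log clear observed for user" if prev is None
                  else f"no log clear in previous {self.baseline.days} days")
        return {"user": e.user, "host": e.host, "ts": e.ts.isoformat(), "reason": reason}


def run(events: List[Event], baseline_days: int = 30) -> List[dict]:
    """Replay events in time order (required so the baseline is built before use)."""
    detector = FirstSeenDetector(baseline_days)
    alerts: List[dict] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        alert = detector.process(e)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    Event(datetime(2025, 6, 1, 9, 0), "alice", "ws01", cmdline="wevtutil.exe cl Security"),
    Event(datetime(2025, 6, 15, 10, 0), "alice", "ws01", event_id=1102),
    Event(datetime(2025, 7, 20, 8, 30), "alice", "ws02", event_id=1102),       # 35 days later
    Event(datetime(2025, 7, 21, 11, 0), "bob", "srv01",
          cmdline="powershell.exe -c Clear-EventLog -LogName Security"),
    Event(datetime(2025, 7, 22, 12, 0), "bob", "srv01", cmdline="wevtutil qe Security"),  # a query, not a clear
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS, baseline_days=30):
        print(a)
```

With a 30-day baseline the replay alerts on alice's first clear (6/1), stays quiet on 6/15 (14 days after the last one), alerts again on 7/20 (35 days of silence) and alerts on bob's first Clear-EventLog; the wevtutil query never matches. Widening the baseline to 90 days suppresses the second alice alert, which is the knob the question describes. Whatever engine hosts this, the part that needs platform support is the persisted per-user last-seen state, not the comparison itself.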

2 replies

kentphelps
Staff
  • September 4, 2025

Please take a look at this blog post to see if it can point in the right direction:
UEBA - A Key Detection Ingredient


  • Author
  • September 8, 2025

Thanks @kentphelps. I gave this and the other linked articles within it a read and it looks like there’s a heavy reliance on the use of metrics, and metrics only supports a limited number of functions. I don’t think this would work for my use case unfortunately.