
Hi there,

I’m trying to incorporate user behavior patterns (UEBA techniques) into SecOps rules. For example, let’s say I want to create a rule that triggers an alert whenever a user clears Windows event logs. I only want that to trigger an alert if the user has not previously run similar commands in the last 30-90 days. If they haven’t run those commands previously, then that is considered ‘anomalous’ and an alert will be triggered. I took a look at using metrics but only certain functions are supported.

Is this possible? I figured with playbooks in SOAR it is, but was hoping to accomplish this within the rule itself.

Thanks!
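The "first time this user did X in the last N days" logic described in the question, written out as an added example (not code from the original post, and not Google SecOps rule syntax): a small Python detector that keeps a per-user history of watched events and only raises an alert when the same user has no occurrence of that event inside the lookback window. The sample records, the field names and the `WATCHED_EVENT_IDS` set are constructed for the example; the event IDs themselves are the standard Windows "audit log was cleared" (1102) and "system log was cleared" (104) records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Each record is a
# Windows-event-style entry: timestamp, the account involved, event ID.
SAMPLE_EVENTS = [
    {"ts": "2024-01-05T09:00:00", "user": "alice", "event_id": 1102},
    {"ts": "2024-01-20T10:30:00", "user": "alice", "event_id": 1102},
    {"ts": "2024-02-01T08:15:00", "user": "bob",   "event_id": 4624},  # logon, not watched
    {"ts": "2024-03-10T14:45:00", "user": "bob",   "event_id": 1102},
    {"ts": "2024-06-30T11:00:00", "user": "alice", "event_id": 1102},
]

# Windows event IDs that mean an event log was cleared:
# 1102 = "The audit log was cleared" (Security log), 104 = System log cleared.
WATCHED_EVENT_IDS = {1102, 104}


def detect_first_seen(events, lookback_days=90, watched=WATCHED_EVENT_IDS):
    """Return one alert per watched event whose user has NOT produced the
    same event within the preceding `lookback_days`.

    The per-(user, event_id) history is the "baseline" state a SIEM or SOAR
    step would have to persist between rule evaluations.
    """
    history = defaultdict(list)   # (user, event_id) -> timestamps seen so far
    alerts = []

    # Process in time order so the baseline only ever contains the past.
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] not in watched:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["event_id"])
        window_start = ts - timedelta(days=lookback_days)

        # Drop history older than the window so state stays bounded.
        history[key] = [t for t in history[key] if t >= window_start]

        if not history[key]:
            # No prior occurrence for this user in the window: anomalous.
            alerts.append({
                "user": ev["user"],
                "event_id": ev["event_id"],
                "ts": ev["ts"],
                "reason": f"first log-clear by this user in {lookback_days} days",
            })
        history[key].append(ts)

    return alerts


if __name__ == "__main__":
    for alert in detect_first_seen(SAMPLE_EVENTS, lookback_days=90):
        print(alert)
```

With the sample data and a 90-day window, alice's second clear on 2024-01-20 is suppressed (she cleared a log 15 days earlier), but her clear on 2024-06-30 alerts again because the January activity has aged out of the window; widening the window to 365 days suppresses that one too. The point for the rule design is that the decision depends on state accumulated over the lookback period, which is exactly what a stateless per-event rule cannot see without a baseline or metric feature.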

Please take a look at this blog post to see if it can point in the right direction:
UEBA - A Key Detection Ingredient


Thanks @kentphelps . I gave this and the other linked articles within it a read and it looks like there’s a heavy reliance on the use of metrics, and metrics only supports a limited number of functions. I don’t think this would work for my use case unfortunately.