Docs · SecOps
UEBA — Behavioral Analytics
Securonix-style entity behavior analytics. Nexus learns what normal looks like for each entity from real history, then scores deviations with reasons you can read — never a black box.
- Best-of: Securonix · Exabeam
- Module: nexus_secops/ueba.py
- Edition: Free — needs ~14 days of history to baseline
- API: /api/v1/ueba/train · /ueba/scan · /ueba/scores · /ueba/peers
What it does
For each entity (by default the agent/host) UEBA builds a baseline from real events: a time-of-day activity profile, the set of activity types it normally produces, and its usual severity rate. It then scores the recent window against that baseline and explains every point of the score.
How to use it
POST /api/v1/ueba/train { "lookback": 1209600 }   # ~14 days
POST /api/v1/ueba/scan { "window": 86400, "emit": true }
/ueba/peers lists failed-login peer outliers.
Anomaly signals
- volume_spike — activity far above the entity's daily baseline.
- off_hours — events in hours the entity was never active.
- new_activity — an event type the entity has never produced.
- severity_escalation — a jump in high/critical events versus baseline.
- peer_outlier — an entity's value lies far above the median of its peer group, measured in median absolute deviations (median + MAD).
High-band entities emit a behavior_anomaly event (rule NEXUS-UEBA-001) with the contributing reasons attached as evidence.
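The following is an added, self-contained illustration of the baseline-and-score idea described above; it is not the Nexus nexus_secops/ueba.py module, and its field names, thresholds, score weights, the 70-point "high band" cut-off and the MAD multiplier are all assumptions chosen for the example. It builds a per-entity profile (active hours, known activity types, daily volume, high-severity rate) from constructed history, scores a constructed recent window, attaches a readable reason to every point of the score, and applies the median + MAD peer test.

```python
"""Toy UEBA baseline + scoring (added example; assumptions, not Nexus's code)."""
from datetime import datetime, timedelta
from statistics import median

HIGH = {"high", "critical"}          # severities counted as "high/critical"


def build_baseline(events, lookback_days):
    """Per-entity profile: active hours, known event types, mean daily volume,
    and the share of events that were high/critical."""
    by_entity = {}
    for ev in events:
        p = by_entity.setdefault(ev["entity"],
                                 {"hours": set(), "types": set(), "count": 0, "high": 0})
        p["hours"].add(ev["ts"].hour)
        p["types"].add(ev["type"])
        p["count"] += 1
        p["high"] += ev["severity"] in HIGH
    for p in by_entity.values():
        p["daily_volume"] = p["count"] / lookback_days
        p["high_rate"] = p["high"] / p["count"]
    return by_entity


def score_entity(profile, recent, window_days=1):
    """Score a recent window against the profile. Weights are assumptions;
    the point is that every contribution comes with a human-readable reason."""
    score, reasons = 0, []
    if not recent:
        return score, reasons
    volume = len(recent) / window_days
    if volume > 3 * profile["daily_volume"]:                 # assumed 3x threshold
        score += 30
        reasons.append(f"volume_spike: {volume:.0f}/day vs baseline "
                       f"{profile['daily_volume']:.0f}/day")
    off_hours = sorted({ev["ts"].hour for ev in recent} - profile["hours"])
    if off_hours:
        score += 20
        reasons.append(f"off_hours: active in never-seen hours {off_hours}")
    new_types = sorted({ev["type"] for ev in recent} - profile["types"])
    if new_types:
        score += 25
        reasons.append(f"new_activity: {new_types}")
    high_rate = sum(ev["severity"] in HIGH for ev in recent) / len(recent)
    if high_rate > 2 * profile["high_rate"] + 0.1:            # assumed escalation test
        score += 25
        reasons.append(f"severity_escalation: {high_rate:.0%} high/critical vs "
                       f"baseline {profile['high_rate']:.0%}")
    return min(score, 100), reasons


def peer_outliers(values, k=3.0):
    """Entities whose value exceeds median + k*MAD of their peer group.
    The MAD is floored at 1.0 so a perfectly flat group does not flag everyone."""
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    threshold = med + k * max(mad, 1.0)
    return {e: v for e, v in values.items() if v > threshold}


def scan(history, recent, lookback_days=14, high_band=70):
    """Train on history, score the recent window, and emit the anomaly event
    for entities in the high band (band cut-off is an assumption)."""
    findings = {}
    for entity, profile in build_baseline(history, lookback_days).items():
        mine = [ev for ev in recent if ev["entity"] == entity]
        score, reasons = score_entity(profile, mine)
        finding = {"entity": entity, "score": score, "reasons": reasons}
        if score >= high_band:
            finding["event"] = {"type": "behavior_anomaly",
                                "rule": "NEXUS-UEBA-001", "evidence": reasons}
        findings[entity] = finding
    return findings


def sample_history(days=14):
    """Constructed history: web-01 produces 10 low-severity logins per day in
    business hours (09-16) plus one high-severity config change at noon."""
    start, events = datetime(2024, 1, 1), []
    for d in range(days):
        day = start + timedelta(days=d)
        for i in range(10):
            events.append({"entity": "web-01", "ts": day.replace(hour=9 + i % 8),
                           "type": "login_ok", "severity": "low"})
        events.append({"entity": "web-01", "ts": day.replace(hour=12),
                       "type": "config_change", "severity": "high"})
    return events


def sample_recent():
    """Constructed recent window: a 03:00 burst of a never-seen event type,
    mostly high severity, on top of the usual logins."""
    day = datetime(2024, 1, 15)
    recent = [{"entity": "web-01", "ts": day.replace(hour=3),
               "type": "remote_exec", "severity": "high"} for _ in range(30)]
    recent += [{"entity": "web-01", "ts": day.replace(hour=10),
                "type": "login_ok", "severity": "low"} for _ in range(10)]
    return recent


if __name__ == "__main__":
    for f in scan(sample_history(), sample_recent()).values():
        print(f["entity"], f["score"], *f["reasons"], sep="\n  ")
    print(peer_outliers({"web-01": 2, "web-02": 3, "web-03": 2, "db-01": 40}))
```

Running the block scores web-01 at 100 with all four signals named, which in this toy puts it in the high band and attaches the reasons as evidence on the emitted event; the peer test flags only db-01, whose failed-login count sits well beyond median + 3 MAD of its group.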
How it feeds the pipeline
A behavior anomaly is just another signal: XDR can fuse it with a suspicious process or IOC contact into XDR-UEBA-001 (possible account/host takeover), and the AI boosts the priority of any incident that includes one.
Tips
- Re-train periodically so the baseline tracks how your environment actually changes.
- Read the reasons before acting — UEBA tells you why an entity looks abnormal.
- A spike during a known maintenance window is expected; UEBA flags it, you dismiss it, the AI learns.