User and Entity Behavior Analytics (UEBA)
CaseBender includes a built-in UEBA engine that establishes behavioral baselines for every user and detects anomalies that may indicate compromised accounts or malicious activity.
Behavioral Categories Monitored
| Category | What’s Tracked | Example Anomaly |
|---|
| Authentication | Login times, locations, devices, MFA usage | Login from new country at unusual hour |
| Data Access | Cases viewed, searches performed, exports | Bulk case access outside normal pattern |
| Case Operations | Cases created, modified, closed, reassigned | Unusual volume of case closures |
| Administrative | Settings changes, user management, role changes | Privilege escalation outside change window |
| API Usage | Endpoint access patterns, data volumes | Sudden spike in API calls from a key |
| Communication | Comments, notifications, sharing patterns | Mass sharing of restricted cases |
How Baselines Work
- Learning Period: The system observes user behavior for a configurable baseline window (default: 30 days)
- Feature Extraction: Behavioral features are extracted (time patterns, volume patterns, entity patterns)
- Baseline Establishment: Statistical baselines are created per user and per peer group
- Continuous Comparison: Every action is compared against the user’s baseline and their peer group
- Anomaly Scoring: Deviations are scored based on magnitude, frequency, and risk context
Peer Group Analysis
Users are automatically grouped by role, team, and behavior patterns. Anomalies are evaluated both against individual baselines and peer group norms:
- A SOC analyst accessing 50 cases per day is normal if their peers do the same
- The same access pattern from a user who normally accesses 5 cases per day is anomalous
- Peer group deviations are weighted differently from individual deviations
Risk Scoring
Each user maintains a dynamic risk score:
| Risk Level | Score Range | Response |
|---|
| Critical | 90-100 | Immediate alert to security team, session review, potential account suspension |
| High | 70-89 | Alert generated, enhanced monitoring enabled, manager notified |
| Medium | 40-69 | Logged for review, included in daily security digest |
| Low | 10-39 | Normal monitoring, baseline adjustment |
| Minimal | 0-9 | Standard operations |
ML Adapter
CaseBender’s UEBA engine includes an ML adapter interface for organizations that want to integrate advanced machine learning models:
- Feature vector extraction for external ML pipelines
- Anomaly prediction integration
- Model health monitoring
- Supports custom model deployment alongside built-in statistical detection
Insider Threat Detection
CaseBender provides dedicated insider threat detection capabilities that go beyond UEBA to include investigation workflows, watchlists, and escalation management.
Threat Indicators
The system monitors for indicators across multiple categories:
- Data Exfiltration: Unusual export volumes, bulk downloads, access to cases outside assignment
- Privilege Abuse: Unauthorized configuration changes, role manipulation, PAM misuse
- Policy Violations: Access outside business hours, from unauthorized locations, bypassing controls
- Behavioral Changes: Sudden changes in work patterns, increased access to sensitive data
- Pre-Departure Risk: Access pattern changes correlated with HR signals (resignation, termination)
Investigation Workflow
When indicators are detected:
- Alert Generation: Insider threat alert created with risk score and indicator details
- Triage: Security team reviews the alert and determines if investigation is warranted
- Investigation: Dedicated investigation workspace with timeline, evidence collection, and notes
- Watchlist: Users can be placed on enhanced monitoring watchlists with configurable monitoring levels
- Escalation: Configurable escalation rules route investigations to appropriate teams (security, HR, legal)
- Resolution: Investigations are closed with documented findings and actions taken
Integration Points
- HR Systems: Receive employment status changes (resignation, termination, role change) to adjust risk scoring
- SIEM: Forward insider threat events to your SIEM for correlation with other security data
- Legal Hold: Automatically initiate legal holds when investigations reach certain severity thresholds
- Notification: Alert security managers, HR, and legal teams based on escalation rules
DDoS Protection
CaseBender includes application-layer DDoS detection and mitigation:
Detection Methods
- Traffic Analysis: Real-time monitoring of request rates, patterns, and sources
- Request Fingerprinting: Identifies coordinated attacks from distributed sources
- Geo-Blocking: Configurable country-level blocking for regions with no legitimate users
- Anomaly Detection: Statistical analysis of traffic patterns against established baselines
Mitigation
- Automatic Rate Limiting: Progressive rate limiting as attack severity increases
- Challenge Pages: CAPTCHA challenges for suspicious traffic patterns
- IP Blocking: Temporary or permanent blocking of identified attack sources
- Alerting: Real-time alerts to operations team with attack details and mitigation status
CaseBender’s DDoS protection operates at the application layer. For volumetric network-layer DDoS protection, deploy CaseBender behind a dedicated DDoS mitigation service (e.g., Cloudflare, AWS Shield, or on-premise appliances).
SIEM Integration
CaseBender forwards security events to your existing SIEM for centralized monitoring and correlation.
Supported Destinations
| SIEM | Protocol | Format |
|---|
| Splunk | HTTP Event Collector (HEC) | JSON, CEF |
| Elastic / ELK | Elasticsearch API | JSON (ECS) |
| IBM QRadar | Syslog | LEEF |
| Microsoft Sentinel | Log Analytics API | JSON |
| Generic Syslog | Syslog (TCP/UDP/TLS) | CEF, LEEF, JSON |
| Custom Webhook | HTTPS POST | JSON |
Events Forwarded
- Authentication events (login, logout, MFA, lockout)
- Authorization events (access granted, denied, elevated)
- Data access events (entity viewed, exported, modified)
- Security events (anomaly detected, threat indicator, policy violation)
- Administrative events (configuration change, user management)
- System events (service health, error conditions)
Configuration
SIEM forwarding is configured per organization:
- Multiple destinations can be configured simultaneously
- Event filtering controls which event types are forwarded
- Buffering and retry logic ensures no events are lost during SIEM outages
- TLS encryption for all forwarded events
