> ## Documentation Index
> Fetch the complete documentation index at: https://docs.casebender.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Threat Detection

> User and Entity Behavior Analytics (UEBA), insider threat detection, DDoS protection, and SIEM integration.

## User and Entity Behavior Analytics (UEBA)

CaseBender includes a built-in UEBA engine that establishes behavioral baselines for every user and detects anomalies that may indicate compromised accounts or malicious activity.

### Behavioral Categories Monitored

| Category            | What's Tracked                                  | Example Anomaly                            |
| ------------------- | ----------------------------------------------- | ------------------------------------------ |
| **Authentication**  | Login times, locations, devices, MFA usage      | Login from new country at unusual hour     |
| **Data Access**     | Cases viewed, searches performed, exports       | Bulk case access outside normal pattern    |
| **Case Operations** | Cases created, modified, closed, reassigned     | Unusual volume of case closures            |
| **Administrative**  | Settings changes, user management, role changes | Privilege escalation outside change window |
| **API Usage**       | Endpoint access patterns, data volumes          | Sudden spike in API calls from a key       |
| **Communication**   | Comments, notifications, sharing patterns       | Mass sharing of restricted cases           |

### How Baselines Work

1. **Learning Period**: The system observes user behavior for a configurable baseline window (default: 30 days)
2. **Feature Extraction**: Behavioral features are extracted (time patterns, volume patterns, entity patterns)
3. **Baseline Establishment**: Statistical baselines are created per user and per peer group
4. **Continuous Comparison**: Every action is compared against the user's baseline and their peer group
5. **Anomaly Scoring**: Deviations are scored based on magnitude, frequency, and risk context

### Peer Group Analysis

Users are automatically grouped by role, team, and behavior patterns. Anomalies are evaluated both against individual baselines and peer group norms:

* A SOC analyst accessing 50 cases per day is normal if their peers do the same
* The same access pattern from a user who normally accesses 5 cases per day is anomalous
* Peer group deviations are weighted differently from individual deviations

### Risk Scoring

Each user maintains a dynamic risk score:

| Risk Level   | Score Range | Response                                                                       |
| ------------ | ----------- | ------------------------------------------------------------------------------ |
| **Critical** | 90-100      | Immediate alert to security team, session review, potential account suspension |
| **High**     | 70-89       | Alert generated, enhanced monitoring enabled, manager notified                 |
| **Medium**   | 40-69       | Logged for review, included in daily security digest                           |
| **Low**      | 10-39       | Normal monitoring, baseline adjustment                                         |
| **Minimal**  | 0-9         | Standard operations                                                            |

### ML Adapter

CaseBender's UEBA engine includes an ML adapter interface for organizations that want to integrate advanced machine learning models:

* Feature vector extraction for external ML pipelines
* Anomaly prediction integration
* Model health monitoring
* Supports custom model deployment alongside built-in statistical detection

## Insider Threat Detection

CaseBender provides dedicated insider threat detection capabilities that go beyond UEBA to include investigation workflows, watchlists, and escalation management.

### Threat Indicators

The system monitors for indicators across multiple categories:

* **Data Exfiltration**: Unusual export volumes, bulk downloads, access to cases outside assignment
* **Privilege Abuse**: Unauthorized configuration changes, role manipulation, PAM misuse
* **Policy Violations**: Access outside business hours, from unauthorized locations, bypassing controls
* **Behavioral Changes**: Sudden changes in work patterns, increased access to sensitive data
* **Pre-Departure Risk**: Access pattern changes correlated with HR signals (resignation, termination)

### Investigation Workflow

When indicators are detected:

1. **Alert Generation**: Insider threat alert created with risk score and indicator details
2. **Triage**: Security team reviews the alert and determines if investigation is warranted
3. **Investigation**: Dedicated investigation workspace with timeline, evidence collection, and notes
4. **Watchlist**: Users can be placed on enhanced monitoring watchlists with configurable monitoring levels
5. **Escalation**: Configurable escalation rules route investigations to appropriate teams (security, HR, legal)
6. **Resolution**: Investigations are closed with documented findings and actions taken

### Integration Points

* **HR Systems**: Receive employment status changes (resignation, termination, role change) to adjust risk scoring
* **SIEM**: Forward insider threat events to your SIEM for correlation with other security data
* **Legal Hold**: Automatically initiate legal holds when investigations reach certain severity thresholds
* **Notification**: Alert security managers, HR, and legal teams based on escalation rules

## DDoS Protection

CaseBender includes application-layer DDoS detection and mitigation:

### Detection Methods

* **Traffic Analysis**: Real-time monitoring of request rates, patterns, and sources
* **Request Fingerprinting**: Identifies coordinated attacks from distributed sources
* **Geo-Blocking**: Configurable country-level blocking for regions with no legitimate users
* **Anomaly Detection**: Statistical analysis of traffic patterns against established baselines

### Mitigation

* **Automatic Rate Limiting**: Progressive rate limiting as attack severity increases
* **Challenge Pages**: CAPTCHA challenges for suspicious traffic patterns
* **IP Blocking**: Temporary or permanent blocking of identified attack sources
* **Alerting**: Real-time alerts to operations team with attack details and mitigation status

<Warning>
  CaseBender's DDoS protection operates at the application layer. For volumetric network-layer DDoS protection, deploy CaseBender behind a dedicated DDoS mitigation service (e.g., Cloudflare, AWS Shield, or on-premise appliances).
</Warning>

## SIEM Integration

CaseBender forwards security events to your existing SIEM for centralized monitoring and correlation.

### Supported Destinations

| SIEM                   | Protocol                   | Format          |
| ---------------------- | -------------------------- | --------------- |
| **Splunk**             | HTTP Event Collector (HEC) | JSON, CEF       |
| **Elastic / ELK**      | Elasticsearch API          | JSON (ECS)      |
| **IBM QRadar**         | Syslog                     | LEEF            |
| **Microsoft Sentinel** | Log Analytics API          | JSON            |
| **Generic Syslog**     | Syslog (TCP/UDP/TLS)       | CEF, LEEF, JSON |
| **Custom Webhook**     | HTTPS POST                 | JSON            |

### Events Forwarded

* Authentication events (login, logout, MFA, lockout)
* Authorization events (access granted, denied, elevated)
* Data access events (entity viewed, exported, modified)
* Security events (anomaly detected, threat indicator, policy violation)
* Administrative events (configuration change, user management)
* System events (service health, error conditions)

### Configuration

SIEM forwarding is configured per organization:

* Multiple destinations can be configured simultaneously
* Event filtering controls which event types are forwarded
* Buffering and retry logic ensures no events are lost during SIEM outages
* TLS encryption for all forwarded events

## Related Documentation

* [Access Control](/en/security/access-control) — RBAC and PAM that generate the events UEBA monitors
* [Audit Logging](/en/security/audit-logging) — The audit trail that feeds UEBA and SIEM
* [Security Architecture](/en/security/architecture) — Zero Trust design that UEBA enforces
