Product · Insider threat (UEBA)

Insider Threat Analytics

Behavioral analytics that spot the risk from the inside.

User and entity behavior analytics (UEBA) that learn what normal looks like for every user, then flag the deviations that signal insider risk — mass downloads, off-hours egress, privilege changes. It’s a behavioral analytics layer that runs on the intSignal SIEM, so it correlates behavior with everything else the SIEM sees.

Live, interactive demo — click around to explore.
Per-user baselinesRisk scoringAnomaly detectionExplainable risk storiesPeer-group analysisRuns on the SIEM
Insider Threat Analytics · UEBALIVE
Runs onintSignal SIEMbehavioral analytics layer
User risk leaderboardupdated live
1ACa.chen
After-hours mass download + USB
88
2MLm.lee
New access to sensitive repo
64
3SEsvc-etl
Unusual off-hours data egress
52
4JDj.doe
Within normal baseline
21

Requirement

Built into the SIEM — you need a security platform

Insider Threat Analytics is a behavioral analytics layer, not a standalone agent. It runs on the intSignal SIEM (or the intSignal Security Suite) and uses the identity, endpoint, network, and data signals they already collect. If you don’t run one of those, this can’t work on its own — start with the SIEM or Security Suite, then switch this on.

Requires intSignal SIEM

Or the intSignal Security Suite — it needs their data to analyze behavior.

No new agents

Reuses the telemetry the platform already ingests.

Correlated, not siloed

Behavior is analyzed alongside every other SIEM signal.

Turn on when ready

Add it to an existing deployment in a few clicks.

Baselining

Learn each user’s normal — then watch for the swing

The platform builds a behavioral baseline for every user and entity: how many files they touch, when they work, how much data they move. When today’s behavior swings far from that baseline — or from their peers — it stands out.

Data movement · a.chen · last 14 days
▲ anomalyDay 1Today
Normal range (baseline)Actual activity
baselineLearns each user’s normal — then the spike outside the band stands out.

Per-user baselines

Normal is different for a developer, an exec, and a service account.

Peer-group analysis

Compare each user to similar roles, not a global average.

Entity behavior

Service accounts and machines get baselines too.

Continuous learning

Baselines adapt as roles and habits change.

Detection

Catch the pattern, not just the event

A single download is nothing. The sequence — download, USB, upload attempt, at 10 pm — is the story.

Stitch events into a risk story

Related anomalies are chained into one explainable narrative and escalated when the risk crosses a threshold.

Sequence detectionRecognize multi-step insider patterns, not isolated events.
Auto-escalationCross a risk threshold → the SOC is notified with context.
SIEM correlationBehavior tied to endpoint, identity, and network signals.
Risk story · a.chen · score climbing
22:14Mass download — 2,431 files34
22:31USB mass-storage connected58
22:44Upload to personal cloud blocked79
22:47Threshold crossed — SOC notified88
correlateEach event alone is minor — chained together the risk score climbs to escalation.

Full platform

Everything in Insider Threat Analytics

Baselining, detection, and response — grouped. Expand any area for the full list.

Behavioral baselining (UEBA)7
Per-user baselinesPer-entity baselinesPeer-group analysisContinuous learningWorking-hours modelingData-access modelingAccess-pattern modeling
Detection9
Anomaly detectionMass-download detectionData-exfiltration signalsOff-hours activityUSB / removable-media eventsPrivilege & access changesImpossible travelSequence / multi-stage detectionSentiment / HR-flag inputs
Risk scoring6
Per-user risk scoreExplainable factorsWeighted & tunableRisk trendsWatchlistsThreshold-based escalation
Response (via SIEM/SOC)7
Auto-escalation to the SOCCase creationDisable identityRevoke sessionsIsolate endpointEvidence & audit trailPost-incident review
Delivery6
Runs on intSignal SIEMOr intSignal Security SuiteNo new agentsUses existing telemetryMulti-tenantOptional intSignal-managed operations

Add behavioral analytics to your SIEM

Already running the intSignal SIEM or Security Suite? We can switch on insider-threat analytics in a few clicks.

Request a demo  ⟶

Frequently asked questions

Can I buy Insider Threat Analytics on its own?

No — it’s a behavioral analytics layer, not a standalone product. It runs on the intSignal SIEM (or the intSignal Security Suite) and uses the telemetry they already collect. You need one of those platforms in place for it to work.

What is UEBA?

UEBA (user and entity behavior analytics) builds a baseline of normal behavior for each user and entity, then flags meaningful deviations — like a user suddenly downloading thousands of files or moving data off-hours — that can indicate insider risk or a compromised account.

Does it require new agents on endpoints?

No. It reuses the identity, endpoint, network, and data telemetry the SIEM or Security Suite already ingests, so there’s nothing new to deploy on endpoints.

Are the risk scores explainable?

Yes. Every score breaks down into the weighted factors behind it — data-exfiltration signals, off-hours activity, privilege changes, peer-group deviation — so analysts can see why a user is flagged and act with confidence.

What happens when someone is flagged?

When a user’s risk crosses a threshold, the SOC is notified with the full risk story, a case can be created, and response actions — disable identity, revoke sessions, isolate endpoint — run through the SIEM’s orchestration.