
User and Entity Behavior Analysis


OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Integrated Network Systems-of-Systems


OBJECTIVE: This User and Entity Behavioral Analysis (UEBA) will streamline authentication to the network and services while transparently securing mission critical services, such as warfighting applications, through granular role-based access control. As implemented, this UEBA solution will be a critical enabler to the Army’s Zero Trust Architecture (ZTA) implementation. It would substantially improve the tactical network’s cybersecurity posture.


DESCRIPTION: The U.S. Army requires a novel User and Entity Behavioral Analysis (UEBA) capability that serves as or feeds a Policy Decision Point (PDP) in the Tactical Zero Trust Architecture (ZTA). Behavior analysis is the process of collecting activity data on people and nonperson entities, applying advanced analytics and comparing the results to accepted baselines and peer activities. This UEBA will leverage data that is already collected and normalized by the Elastic Stack. This data includes Active Directory Domain, Active Directory Certificate Services, Windows endpoint, Linux endpoint, Palo Alto Firewall, Suricata Intrusion Detection System, Zeek Network Sensor, Netflow, and Cisco IOS events. It will also incorporate Nessus Security Center vulnerability and asset scan reports. This capability can execute within the Elastic Stack as a collection of detection engine rules, entity analytics or a Machine Learning model, or it can execute as a stand-alone virtual machine or container. The UEBA should include a well-documented and flexible REST API that enables Policy Enforcement Points (PEPs) to obtain the telemetry they need to request and enforce authorization decisions.


PHASE I: The government is looking for a proof of concept, in the form of a whitepaper, that details the feasibility of developing a novel User and Entity Behavioral Analysis (UEBA) capability that serves as a policy decision point. The proof of concept will assume the ability to utilize data already collected by systems in the PEO C3T portfolio and normalized by the Elastic Stack implementation deployed on the tactical network. The model shall determine a user's normal battle rhythm and be able to alert a human in the loop of a change in the user's risk score. The authoritative human in the loop will be able to make a decision to terminate the user's session or elevate for further analysis.


PHASE II: The prototype will be developed to demonstrate the UEBA ability to collect and interpret data. The demonstration shall also show the ability to display a risk score change of a user based on behavioral anomalies and the ability for a human in the loop to make a decision on access based on that alert.
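The baseline-and-peer comparison described in the DESCRIPTION and the Phase I risk-score alert are sketched below as an added illustration; this is not code from the solicitation or from any PEO C3T system. The event field names (user, role, host, hour) and the point values are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample of normalized logon events; field names are assumptions, not the network's schema.
BASELINE = [
    {"user": "alice", "role": "s3-ops", "host": "tac-ws-01", "hour": 6},
    {"user": "alice", "role": "s3-ops", "host": "tac-ws-01", "hour": 7},
    {"user": "alice", "role": "s3-ops", "host": "tac-ws-02", "hour": 13},
    {"user": "bob", "role": "s3-ops", "host": "tac-ws-02", "hour": 22},
    {"user": "bob", "role": "s3-ops", "host": "tac-ws-03", "hour": 23},
]
ALERT_THRESHOLD = 50  # score at which the human in the loop is notified


def build_baseline(events):
    """Learn each user's battle rhythm (hours, hosts) and each role's peer profile."""
    users = defaultdict(lambda: {"hours": set(), "hosts": set()})
    roles = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for e in events:
        for profile in (users[e["user"]], roles[e["role"]]):
            profile["hours"].add(e["hour"])
            profile["hosts"].add(e["host"])
    return users, roles


def score_event(event, users, roles):
    """Risk points for one event: a deviation that peers in the same role also
    show is weighted lower than one nobody in the role has exhibited."""
    me, peers = users[event["user"]], roles[event["role"]]
    risk, reasons = 0, []
    for feature in ("hour", "host"):
        value = event[feature]
        if value in me[feature + "s"]:
            continue  # within this user's own baseline
        shared = value in peers[feature + "s"]
        risk += 15 if shared else 40
        reasons.append(f"{feature}={value} new for user" + (", seen among peers" if shared else " and role"))
    return risk, reasons


def evaluate(events, users, roles, decay=0.5):
    """Keep a decaying per-user risk score and record an alert each time it
    crosses ALERT_THRESHOLD, so an operator can terminate or escalate."""
    scores, alerts = defaultdict(float), []
    for e in events:
        points, reasons = score_event(e, users, roles)
        old = scores[e["user"]]
        new = old * decay + points
        scores[e["user"]] = new
        if new >= ALERT_THRESHOLD > old:
            alerts.append({"user": e["user"], "score": round(new, 1), "reasons": reasons})
    return dict(scores), alerts
```

A production PDP would replace the sets with per-user distributions learned over a sliding window and expose the alert records through the REST API the topic calls for.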



  • UEBA seeks to embed AI/ML pattern recognition into cybersecurity operations to automatically detect anomalous behavior in a digital environment. 
  • Regarding zero trust (ZT) requirements, corporate research underscores that UEBA architecture inherently gives users a ZT solution, as it provides maximum network visibility into all users, devices, assets, and entities. 
  • Corporations and investors forecast that start-ups augmenting current UEBA technology will add predictive analytics, create “contextually aware” multimodal algorithms, and/or ensure a more robust, interoperable API infrastructure. 
  • Current market applications, including start-up usage, for UEBA are:
    • Internet of Things (IoT) – UEBA can monitor both human activity on devices as well as anomalous behavior on connected devices.
    • Healthcare – similar to IoT, the healthcare use case includes patient portals and securing hardware.
    • Finance – track and flag suspicious behavior across a myriad of devices. 






KEYWORDS: User and Entity Behavioral Analysis (UEBA); Zero Trust Architecture; Authentication; Network; Data; Active Directory
