Anomaly Detection ML / UEBA


Everything that makes employees’ lives easier makes yours harder. Detecting insider threats - both employees and cybercriminals pretending to be employees - has never been more difficult or more important. The cloud technologies that make everyone else more efficient can make security less efficient. They’re noisy. They send a lot of alerts. You’re tired. You’re overworked. You’re overloaded. 

Graylog anomaly detection will help you sleep better at night, and you won’t be as exhausted, because our AI/ML behavioral analysis can automatically give you the high-fidelity alerts necessary to mitigate insider threats.


Anomaly Detection, one of the powerful features in Graylog Security, provides you with User and Entity Behavior Analytics (UEBA) capabilities at scale, running Artificial Intelligence / Machine Learning (AI/ML) that identifies deviations from “normal” behavior for users and entities and creates high-fidelity alerts.

Custom Anomaly Detectors

Graylog Security provides numerous out-of-the-box anomaly detectors through the Illuminate content pack that can be run simultaneously so security analysts can easily analyze data from different sources for unusual behavior. In addition to the out-of-the-box anomaly detectors, security analysts can now add additional detection capabilities by customizing anomaly detectors in OpenSearch that can be shared with the Graylog Community.

Real Learning With Dynamic AI

Spend less time reacting and more time securing with Graylog’s AI/ML Anomaly Detection that can:

  • Self-learn with a minimum amount of historical data
  • Improve over time without manual tuning
  • Adapt to new data sets, organizational priorities, custom use cases, and more
  • Incorporate out-of-the-box scenarios mapped to Intelligence Community standards, and real-life adversarial examples
  • Search for and identify unusual activity by users and entities

Defining Baselines

Know your “normal.” Defining normal user behavior to prevent insider threats is increasingly challenging, with people wearing different hats while accessing and sharing more data.

Anomaly Detection AI/ML uses your data to define baselines by combining:

  • User and Entity profiling based on real-life insider threat use cases
  • Network profiling that learns networks and automatically adapts to environments

Risk-Modeling For Insider Threat Detection

Use built-in knowledge from real-life examples mapped to the MITRE ATT&CK framework, including:

  • Corporate espionage
  • Sabotage
  • Data exfiltration
  • Fraud

Visibility Into Credential-Based Attacks

Gain visibility into the risky activities that indicate credential-based attacks. Graylog Anomaly Detection provides high-fidelity alerts that detect attacks that “hardcoded” correlation alerts might miss.

Graylog’s Anomaly Detection can detect credential-based attacks, like brute force, and lateral movement within your environment by aggregating, normalizing, and correlating events like:

  • Unauthorized web activity
  • New host authentication
  • Authentication using a new application
  • Account creation
  • Account deletion
  • Short-lived account creation
  • Local privilege escalation
  • Global privilege escalation
  • Single host malware infection spikes
  • Multiple host malware outbreaks
  • Audit log deletion
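To make two of the event categories above concrete, here is an added illustration (not Graylog’s own code or detector logic) of how normalized events can be correlated against a learned baseline: it flags authentication to a host a user has never logged into before, and accounts that are created and deleted within a short window. The event records, field names and the `build_host_baseline`, `new_host_logins` and `short_lived_accounts` functions are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample of normalized events (not real data). Fields mirror the
# categories above: logins per host, account creation and account deletion.
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "action": "login", "host": "ws-01", "target": None},
    {"ts": "2024-05-02T08:03:00", "user": "alice", "action": "login", "host": "ws-01", "target": None},
    {"ts": "2024-05-02T09:15:00", "user": "bob", "action": "login", "host": "ws-02", "target": None},
    {"ts": "2024-05-04T22:10:00", "user": "alice", "action": "login", "host": "db-07", "target": None},
    {"ts": "2024-05-04T22:12:00", "user": "alice", "action": "account_create", "host": "db-07", "target": "svc-tmp"},
    {"ts": "2024-05-04T22:40:00", "user": "alice", "action": "account_delete", "host": "db-07", "target": "svc-tmp"},
    {"ts": "2024-05-04T23:00:00", "user": "bob", "action": "account_create", "host": "ws-02", "target": "contractor1"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def build_host_baseline(events, baseline_end):
    """Per-user set of hosts seen during the learning window: each user's 'normal'."""
    end = datetime.fromisoformat(baseline_end)
    baseline = {}
    for e in events:
        if e["action"] == "login" and _ts(e) < end:
            baseline.setdefault(e["user"], set()).add(e["host"])
    return baseline

def new_host_logins(events, baseline_end):
    """Logins after the learning window to a host the user never authenticated to before."""
    end = datetime.fromisoformat(baseline_end)
    baseline = build_host_baseline(events, baseline_end)
    return [(e["user"], e["host"], e["ts"]) for e in events
            if e["action"] == "login" and _ts(e) >= end
            and e["host"] not in baseline.get(e["user"], set())]

def short_lived_accounts(events, max_minutes):
    """Accounts created and deleted within max_minutes; returns (account, creator, lifetime_minutes)."""
    created, findings = {}, []
    for e in sorted(events, key=_ts):
        if e["action"] == "account_create":
            created[e["target"]] = e
        elif e["action"] == "account_delete" and e["target"] in created:
            c = created.pop(e["target"])
            lifetime = _ts(e) - _ts(c)
            if lifetime <= timedelta(minutes=max_minutes):
                findings.append((e["target"], c["user"], int(lifetime.total_seconds() // 60)))
    return findings

if __name__ == "__main__":
    print(new_host_logins(EVENTS, "2024-05-03T00:00:00"))  # [('alice', 'db-07', '2024-05-04T22:10:00')]
    print(short_lived_accounts(EVENTS, 60))                 # [('svc-tmp', 'alice', 28)]
```

Note that bob’s still-existing account and bob’s login to his usual host produce no findings; only the deviation from the learned baseline and the create-then-delete pair surface.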

Cloud-Access Monitoring

Not every data change or download is necessary. Sometimes, it’s accidental, and other times malicious.

Graylog’s Anomaly Detection gives you the visibility you need by detecting risky activity spikes like:

  • File permission changes
  • File modifications
  • File deletions

Prevent malicious or inappropriate data exfiltration by reviewing download activity across:

  • Rare websites
  • Webmail
  • Email servers
  • Removable media
  • Rare processes
  • DNS

Scalability and Speed

Get alerts that make investigations meaningful by reducing the noise from cloud applications and engaging in lightning-fast investigations.

Graylog Anomaly Detection aggregates and correlates insights from across your environment, bringing together UEBA, event log, and threat intelligence data for high-fidelity alerts with the ability to:

  • Ingest any log source from anywhere
  • Easily parse, enrich, and normalize data
  • Seamlessly integrate with common security tools
  • Intuitively investigate threats, paired with Graylog’s lightning-fast search engine, to get to the root cause and eliminate cybersecurity risks in hours, not weeks or months
  • Search terabytes in milliseconds
  • Easily provide meaningful context
  • Leverage integrated dashboards and alerts


What does AI / ML for Graylog Security look for?

Graylog Security’s AI/ML combs security data for unusual activity by users and entities.

What does Graylog Security Anomaly Detection Include?

Graylog Security Anomaly Detection includes:

  • Multiple dashboards and 15 out-of-the-box (OOB) anomaly detectors, covering any product supported by Illuminate
  • ML based on the Intelligence Community standards for Insider Threat, plus real-life adversarial examples
  • Risk models that identify metrics and dynamically adapt to your organization and priorities
  • Click-through user stories to investigate anomalies

Is there any limit to the data that Graylog Security Anomaly Detection works with?

Graylog Security Anomaly Detection works with any relevant data within your organization, and there is no penalization for missing data sources.
