Skip to main content

Exabeam Entity Analytics

Behavior-based threat detection for enterprise assets

Entity Behavior Analysis

Advanced threats often traverse laterally though a network, leveraging multiple users and machines in their search for high value data. Seemingly innocuous machines like medical devices, office printers, manufacturing machinery, and database servers often fall victim and are used by bad actors as stepping stones; thus, they demand the same level of security monitoring and control as their human counterparts. Entity Analytics establishes a baseline of normal behavior for all assets in an organization—including communication patterns, ports and protocols used, and operating activity. It automatically identifies risky, anomalous device activity that may be indicative of a security incident or compromise.

Enterprise-Wide Visibility

Security teams rely on tens to hundreds of point products to monitor networks. Each may yield incident behavioral artifacts which, if viewed in isolation, appear benign. However, such artifacts serve as powerful data source for holistic behavioral analysis.

Entity Analytics ingests and models machine data from hundreds of popular security solutions to provide full enterprise visibility. Security alerts are combined with data from AD, CMDBs, and other sources. Machine learning and behavioral modeling then analyze it all to detect complex threats that would otherwise go undetected.

Prebuilt Incident Timelines

Entity Analytics automatically creates prebuilt timelines for all discovered incidents. Unlike competitive solutions, Exabeam’s timelines include all lateral movement—there are no gaps or manual steps required to follow the attacks as they move between users or entities.

Our timelines detail what happened during an incident, as well as surrounding behavioral context to determine if the activity is normal. For your security analyst team, this greatly reduces the tedious steps and manual effort required to gather evidence and perform an investigation.

Automatic IP Mapping

In most IT environments machines are dynamically assigned IP addresses by way of DHCP. If an incident occurs, security teams must match which assets correlate with the targeted addresses. This can be a tedious, manual process. Entity Analytics not only performs IP association on current addresses, but also all past DHCP IP addressing over time.

Rule and Signature-Free Detection

Correlation rules and threat signatures create false positives due to their lack of user or machine context. They suffer from false negatives as they cannot detect unknown attacks; maintenance consumes large blocks of analysts’ time.

Instead of leveraging basic pattern matching or correlation rules, Entity Analytics uses behavioral modeling and machine learning to look for abnormal activity. Sensing potential compromise and risk, this method detects anomalous events—without the tuning, maintenance, and false positives that drain analyst productivity.

Industry-Specific Applications

Not all networks are equal. Specific businesses may necessitate specialized, high-tech equipment—such as medical devices, manufacturing apparatuses, and sensors—which are increasingly internet-connected. Such seemingly innocuous devices frequently fall outside of the prevue of standard security controls due to their specialized use. Compounding matters, they may be running proprietary or outdated software and be unpatched, thus creating vulnerabilities that can be exploited to gain a foothold in a network.


Hospitals and clinics have a high density of specialized equipment, including life support systems, MRI units, and CT scanners. Connected to the corporate network, they’re frequently not subject to the same level of security scrutiny as other endpoint devices. For example, it’s unlikely for an MRI unit to be running anti-virus, or for regular OS patches to have been applied.

Entity Analytics helps security teams monitor all machines for signs of compromise. It baselines their behavior, identifying deviations from common activity—such as abnormal communication patterns or endpoint activity.


Imagine the implications of compromised equipment in a high-tech manufacturing plant. Such a device could be leveraged to gain a network foothold, injecting flaws into products or damaging other attached equipment and factory lines.

Entity Analytics learns the normal machine behavior and who is accessing them—such that anomalous activity or access can be easily identified and investigated.


From power plants to electrical grids, the energy sector is filled with proprietary systems—many of which are internet connected. Modern grids can be sophisticated enough to use Microsoft Active Directory and domain controllers.

Entity Analytics helps security teams monitor such systems through the use of machine learning and behavioral analytics to ensure they are operating as expected and have not been compromised by bad actors.