Skip to main content



The Exabeam behavior-based security intelligence platform combines advanced data science with powerful security analytics to create Stateful User Tracking capabilities. Stateful User Tracking is what enables Exabeam UEBA to proactively hunt for threats, follow a user's tracks wherever they go in your network, automatically identify risky behavior, and present risky profiles to your security analysts—saving them hours and days in sifting through thousands of alerts and false positives. diagram-stateful-user-tracking

Stateful User Tracking

Transforming User and Entity Behavior Analytics

Exabeam uniquely transforms security analytics by connecting individual user events into activity sessions. Stateful User Tracking automatically stitches together users’ activities into a distinctive session data model as they use different account credentials, change devices, and appear under different IP addresses. The resulting detailed timeline tells a security story about each session. As a result, Exabeam immediately identifies anomalous and “out-of-character” behaviors, enabling accurate threat detection and accelerated response.

Security systems that are designed to detect, prevent, or alert on certain events quickly overwhelm analysts, making it impossible for them to know “Who is the user for this alert, what has she done since coming to the office, what happened after the alert, and is all of this normal?” Only Exabeam’s Stateful User Tracking holds state as each user changes credentials, devices, and locations over the course of the day to prioritize and deliver truly risky user profiles.

Advanced Data Science

Analysis and Data Science with Embedded Security Expertise

Exabeam flags risky activity using advanced statistical analysis with baseline profiling for deviation measurement. Analysis is based on categorical data, numerical data, and contextual information. Categorical data includes events that fall into specific quantifiable categories, such as the number of logons for a user from a specific country. Numerical data—such as number of assets accessed, duration of a user session, and time of day—is processed using real-time unsupervised clustering for discretization. Contextual information provides additional insight, such as whether an asset is a workstation or server; whether an account is a human or service account; or if a device belongs to a privileged user. Context is estimated by multiple machine learning methods and helps calibrate and sharpen alerts. Then we take analysis several steps farther. Exabeam’s techniques also support broader monitoring, such as cloud access, file-level access, database table access, and application log monitoring. As data science and security threats evolve, the Exabeam platform architecture supports new data science techniques to meet new security challenges.



Pure Data Science Is Good—But Not Enough

Exabeam believes that pure data science is not enough—and we have proven it in large, demanding customer locations. We know that effective data science also requires security domain expertise. That’s why we built our platform on “security-infused” data science. For example, we pre-process and transform input data for machine learning models through proprietary interpretation of Active Directory events. At Exabeam, our security research team dictates data science direction. In turn, our security research direction is enhanced by data science findings.

Simplicity is Imperative

Exabeam is adamant that simplicity makes for better security. We hide data analytics complexity for end-users’ benefit. Although the rules exposed to users look simple, it takes exceptional design and engineering effort to give users the power to easily leverage deep, embedded security domain expertise and modeling sophistication that are critical for any data science-based effort. The result is data science output that users can easily understand and interpret.

Threat Hunting

Ask New Questions

Threat Hunter is an Exabeam security intelligence query tool that uses Stateful User Tracking session data models to complement user behavior analysis. Exabeam Threat Hunter enables security analysts to search and pivot across multiple dimensions of user activity to find sessions that contain specific unusual behaviors or find users that match certain criteria. For example, an analyst might ask to see “all sessions where a user logged into the VPN from a foreign country for the first time, then accessed a new server for the first time, after which FireEye created a malware alert.” This level of analysis across disjoint activities and systems is simple with Exabeam. Now analysts can ask new questions. With Threat Hunter, machine learning provides intelligent answers, in addition to alerts.