Tracking security events by user or entity is all about preserving state. What suspicious behavior have we observed from the user over the past month? Have they been clicking on malicious URLs, failing an abnormally high number of authentications, connecting to unusual network segments? And what is the state of their machine? Was there a recent virus infection? Does it have multiple unpatched vulnerabilities?
Detections find the needles in the haystacks. But preserving, aggregating and analyzing these findings requires implementing state machines for users and entities. That's where transforms shine. We use transforms to maintain user and entity state, pivoting on user name, UUID, source IP and source hostname. Using transforms, we can then write second-level detections that trigger high-severity alerts based on aggregated user or entity behavior. Analysts, during triage or investigation, can quickly determine a user's or entity's current state. And if we summarize these transforms, executives can view and track a composite enterprise risk profile aggregated across all the user and entity states.
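As an added illustration (not code from the talk or its tooling), here is the pattern in plain Python: a transform that folds first-level findings into per-user and per-host state, a second-level detection over the aggregated state, and an enterprise summary. The event kinds, scoring weights and threshold are assumptions, and the findings are constructed sample data.

```python
from collections import defaultdict

# Constructed sample first-level detections (not from the abstract). Each finding
# carries the pivot fields the text names (user name, source host) plus a kind.
EVENTS = [
    {"user": "alice", "host": "ws-01", "kind": "malicious_url_click"},
    {"user": "alice", "host": "ws-01", "kind": "auth_failure"},
    {"user": "alice", "host": "ws-01", "kind": "auth_failure"},
    {"user": "alice", "host": "ws-01", "kind": "auth_failure"},
    {"user": "alice", "host": "ws-01", "kind": "unusual_segment"},
    {"user": "bob",   "host": "ws-02", "kind": "auth_failure"},
    {"user": "bob",   "host": "ws-02", "kind": "auth_failure"},
    {"user": "carol", "host": "ws-03", "kind": "auth_failure"},
    {"host": "ws-02", "kind": "virus_infection"},
    {"host": "ws-02", "kind": "unpatched_vuln"},
    {"host": "ws-02", "kind": "unpatched_vuln"},
]
# Assumed scoring weights; the abstract defines no scheme, these are illustrative.
WEIGHTS = {"malicious_url_click": 30, "auth_failure": 5, "unusual_segment": 20,
           "virus_infection": 40, "unpatched_vuln": 10}
USER_KINDS = {"malicious_url_click", "auth_failure", "unusual_segment"}
HOST_KINDS = {"virus_infection", "unpatched_vuln"}

def transform(events, pivot, kinds):
    """The 'transform': fold findings into per-entity state keyed on `pivot`."""
    state = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if pivot in ev and ev["kind"] in kinds:
            state[ev[pivot]][ev["kind"]] += 1
    return {k: dict(v) for k, v in state.items()}

def risk_score(counts):
    return sum(WEIGHTS[kind] * n for kind, n in counts.items())

def second_level_detections(events, threshold=50):
    """Second-level detection: alert when user state plus the state of the
    machines that user was seen on crosses the threshold."""
    users = transform(events, "user", USER_KINDS)
    hosts = transform(events, "host", HOST_KINDS)
    alerts = []
    for user, counts in users.items():
        seen_on = {ev["host"] for ev in events if ev.get("user") == user}
        score = risk_score(counts) + sum(risk_score(hosts.get(h, {})) for h in seen_on)
        if score >= threshold:
            alerts.append((user, score))
    return sorted(alerts)

def enterprise_risk(events):
    """Summary across all user and entity states: the composite enterprise profile."""
    users = transform(events, "user", USER_KINDS)
    hosts = transform(events, "host", HOST_KINDS)
    return sum(map(risk_score, users.values())) + sum(map(risk_score, hosts.values()))
```

Note that bob's own behaviour scores low; it is the infected, unpatched machine he was seen on that pushes him over the threshold, which is exactly the join between user and entity state the transform makes possible.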
This presentation will briefly introduce the concepts of Detections & Transforms, and then build a quick transform live to create a user state machine based on observed behavior. If time permits, we will also create a quick detection to monitor user state and trigger on certain conditions.