performing-user-behavior-analytics▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Performs User and Entity Behavior Analytics (UEBA) to detect anomalous user activities including impossible travel, unusual access patterns, privilege abuse, and insider threats using SIEM-based behavioral baselines and statistical analysis. Use when SOC teams need to identify compromised accounts or insider threats through deviation from established behavioral norms.
| name | performing-user-behavior-analytics |
| description | 'Performs User and Entity Behavior Analytics (UEBA) to detect anomalous user activities including impossible travel, unusual access patterns, privilege abuse, and insider threats using SIEM-based behavioral baselines and statistical analysis. Use when SOC teams need to identify compromised accounts or insider threats through deviation from established behavioral norms. ' |
| domain | cybersecurity |
| subdomain | soc-operations |
| tags | - soc - ueba - user-behavior - insider-threat - anomaly-detection - splunk - baseline |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - DE.CM-01 - DE.AE-02 - RS.MA-01 - DE.AE-06 |
Performing User Behavior Analytics
When to Use
Use this skill when:
- SOC teams need to detect compromised accounts through abnormal authentication patterns
- Insider threat programs require behavioral monitoring beyond rule-based detection
- Impossible travel or geographic anomalies indicate credential compromise
- Privileged account monitoring requires baseline deviation detection
Do not use as the sole basis for disciplinary action — UEBA findings are indicators requiring investigation, not proof of malicious intent.
Prerequisites
- SIEM with 30+ days of authentication and access log history for baseline creation
- VPN, O365, and Active Directory authentication logs normalized to CIM
- GeoIP database (MaxMind GeoLite2) for location-based anomaly detection
- Identity enrichment data (department, role, manager, typical work hours)
- Splunk Enterprise Security with UBA module or equivalent UEBA capability
Workflow
Step 1: Build User Authentication Baselines
Create behavioral baselines from historical data:
index=auth sourcetype IN ("o365:management:activity", "vpn_logs", "WinEventLog:Security")
earliest=-30d latest=-1d
| stats dc(src_ip) AS unique_ips,
dc(src_country) AS unique_countries,
dc(app) AS unique_apps,
count AS total_logins,
earliest(_time) AS first_login,
latest(_time) AS last_login,
values(src_country) AS countries,
avg(eval(strftime(_time, "%H"))) AS avg_login_hour,
stdev(eval(strftime(_time, "%H"))) AS stdev_login_hour
by user
| eval avg_daily_logins = round(total_logins / 30, 1)
| eval login_hour_range = round(avg_login_hour, 0)." +/- ".round(stdev_login_hour, 1)." hrs"
| table user, unique_ips, unique_countries, unique_apps, avg_daily_logins,
login_hour_range, countries
Step 2: Detect Impossible Travel
Identify logins from geographically distant locations within impossible timeframes:
index=auth sourcetype IN ("o365:management:activity", "vpn_logs")
action=success earliest=-24h
| iplocation src_ip
| sort user, _time
| streamstats current=f last(lat) AS prev_lat, last(lon) AS prev_lon,
last(_time) AS prev_time, last(City) AS prev_city,
last(Country) AS prev_country, last(src_ip) AS prev_ip
by user
| where isnotnull(prev_lat)
| eval distance_km = round(
6371 * acos(
cos(pi()/180 * lat) * cos(pi()/180 * prev_lat) *
cos(pi()/180 * (lon - prev_lon)) +
sin(pi()/180 * lat) * sin(pi()/180 * prev_lat)
), 0)
| eval time_diff_hours = round((_time - prev_time) / 3600, 2)
| eval speed_kmh = if(time_diff_hours > 0, round(distance_km / time_diff_hours, 0), 0)
| where speed_kmh > 900 AND distance_km > 500
| eval alert = "IMPOSSIBLE TRAVEL: ".prev_city.", ".prev_country." -> ".City.", ".Country
| table _time, user, prev_city, prev_country, City, Country, distance_km,
time_diff_hours, speed_kmh, alert
| sort - speed_kmh
Step 3: Detect Anomalous Login Timing
Identify logins outside a user's normal working hours:
index=auth action=success earliest=-7d
| eval hour = strftime(_time, "%H")
| eval day_of_week = strftime(_time, "%A")
| eval is_weekend = if(day_of_week IN ("Saturday", "Sunday"), 1, 0)
| eval is_off_hours = if(hour < 6 OR hour > 22, 1, 0)
| join user type=left [
search index=auth action=success earliest=-60d latest=-7d
| eval hour = strftime(_time, "%H")
| stats avg(hour) AS baseline_avg_hour, stdev(hour) AS baseline_stdev_hour,
perc95(hour) AS baseline_latest_hour by user
]
| where (is_off_hours=1 OR is_weekend=1) AND
(hour > baseline_latest_hour + 2 OR hour < baseline_avg_hour - baseline_stdev_hour * 2)
| stats count, values(hour) AS login_hours, values(day_of_week) AS login_days,
values(src_ip) AS source_ips
by user, baseline_avg_hour, baseline_latest_hour
| where count > 0
| sort - count
Step 4: Detect Unusual Data Access Patterns
Monitor for abnormal file or database access volumes:
index=file_access OR index=sharepoint earliest=-24h
| stats sum(bytes) AS total_bytes, dc(file_path) AS unique_files,
count AS access_count by user
| join user type=left [
search index=file_access OR index=sharepoint earliest=-30d latest=-1d
| stats avg(eval(count)) AS baseline_avg_files,
stdev(eval(count)) AS baseline_stdev_files,
avg(eval(sum(bytes))) AS baseline_avg_bytes
by user
]
| eval bytes_gb = round(total_bytes / 1073741824, 2)
| eval z_score_files = round((unique_files - baseline_avg_files) / baseline_stdev_files, 2)
| where z_score_files > 3 OR bytes_gb > 5
| eval anomaly_level = case(
z_score_files > 5, "CRITICAL",
z_score_files > 3, "HIGH",
bytes_gb > 10, "CRITICAL",
bytes_gb > 5, "HIGH",
1=1, "MEDIUM"
)
| sort - z_score_files
| table user, unique_files, bytes_gb, baseline_avg_files, z_score_files, anomaly_level
Step 5: Detect Privilege Abuse Patterns
Monitor privileged account usage anomalies:
index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4672 OR EventCode=4624 OR EventCode=4648) earliest=-24h
| eval is_privileged = if(EventCode=4672, 1, 0)
| eval is_explicit_cred = if(EventCode=4648, 1, 0)
| stats sum(is_privileged) AS priv_events,
sum(is_explicit_cred) AS explicit_cred_events,
dc(ComputerName) AS unique_hosts,
values(ComputerName) AS hosts_accessed
by TargetUserName, src_ip
| join TargetUserName type=left [
search index=wineventlog EventCode IN (4672, 4624, 4648) earliest=-30d latest=-1d
| stats dc(ComputerName) AS baseline_hosts,
avg(eval(count)) AS baseline_daily_events by TargetUserName
]
| where unique_hosts > baseline_hosts * 2 OR priv_events > baseline_daily_events * 3
| eval risk_score = (unique_hosts / baseline_hosts * 30) + (priv_events / baseline_daily_events * 20)
| sort - risk_score
| table TargetUserName, src_ip, unique_hosts, baseline_hosts, priv_events,
baseline_daily_events, risk_score, hosts_accessed
Step 6: Generate Risk Score and Prioritize Investigation
Aggregate all UEBA signals into a composite risk score:
| inputlookup ueba_impossible_travel.csv
| append [| inputlookup ueba_off_hours_access.csv]
| append [| inputlookup ueba_data_access_anomaly.csv]
| append [| inputlookup ueba_privilege_abuse.csv]
| stats sum(risk_points) AS total_risk,
values(anomaly_type) AS anomaly_types,
dc(anomaly_type) AS anomaly_count
by user
| lookup identity_lookup_expanded identity AS user
OUTPUT department, managedBy, priority AS user_priority
| eval final_risk = total_risk * case(
user_priority="critical", 2.0,
user_priority="high", 1.5,
user_priority="medium", 1.0,
1=1, 0.8
)
| sort - final_risk
| head 20
| table user, department, managedBy, anomaly_types, anomaly_count, total_risk, final_risk
Key Concepts
| Term | Definition |
|---|---|
| UEBA | User and Entity Behavior Analytics — behavioral analysis detecting anomalies against established baselines |
| Impossible Travel | Login events from geographically distant locations within timeframes making physical travel impossible |
| Behavioral Baseline | Statistical profile of normal user activity patterns built from 30-90 days of historical data |
| Z-Score | Statistical measure of how many standard deviations an observation is from the mean — values > 3 indicate anomalies |
| Risk Score | Composite numerical score aggregating multiple behavioral anomalies weighted by asset criticality |
| Peer Group Analysis | Comparing a user's behavior to others in the same department/role to identify outliers |
Tools & Systems
- Splunk UBA: Dedicated User Behavior Analytics module integrating with Splunk ES for ML-driven anomaly detection
- Microsoft Sentinel UEBA: Built-in UEBA capability in Azure Sentinel with entity pages and investigation graphs
- Exabeam Advanced Analytics: Standalone UEBA platform with session stitching and automatic timeline creation
- Securonix: Cloud-native SIEM/UEBA with pre-built behavioral models for insider threat detection
Common Scenarios
- Compromised Account: Impossible travel + off-hours login + unusual app access = likely credential compromise
- Insider Data Theft: Employee accessing 10x normal file volume in notice period before departure
- Privilege Escalation Abuse: Admin account used from unusual location accessing systems outside normal scope
- Shared Account Detection: Service account logging in from multiple geographies simultaneously
- Dormant Account Reactivation: Account with no activity for 90+ days suddenly performing privileged operations
Output Format
UEBA ANOMALY REPORT — Weekly Summary
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Period: 2024-03-11 to 2024-03-17
Users Baselined: 2,847
Anomalies Detected: 23
TOP RISK USERS:
# User Dept Risk Anomalies
1. jsmith Finance 94.5 Impossible travel (NYC->Moscow, 2h), off-hours access, 15GB download
2. admin_svc01 IT Ops 82.0 Login from 12 new IPs, 47 hosts accessed (baseline: 8)
3. mwilson HR 67.3 Off-hours file access (2AM), 3x normal download volume
INVESTIGATION STATUS:
jsmith: Escalated to Tier 2 — possible account compromise (IR-2024-0445)
admin_svc01: Under review — may be new automation deployment (checking with IT Ops)
mwilson: Pending HR context — employee on notice period, monitoring increased
How to use performing-user-behavior-analytics on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add performing-user-behavior-analytics
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches performing-user-behavior-analytics from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate performing-user-behavior-analytics. Access the skill through slash commands (e.g., /performing-user-behavior-analytics) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Exploratory Data Analysis
Quickly understand datasets, identify patterns, and generate insights
Example
Analyze CSV with 100K rows, identify outliers, visualize correlations, suggest hypotheses
Reduce EDA time from hours to minutes, uncover insights faster
Data Cleaning & Transformation
Write scripts to clean messy data, handle missing values, normalize formats
Example
Generate Python/SQL to fix date formats, impute missing values, remove duplicates
Automate 80% of data preprocessing work
Statistical Analysis
Perform hypothesis testing, regression, and statistical modeling
Example
Run A/B test analysis, calculate confidence intervals, interpret p-values
Get statistically sound analysis without PhD in statistics
Data Visualization
Create charts, dashboards, and visual reports
Example
Generate matplotlib/seaborn code for time series plots, distribution charts, heatmaps
Build presentation-ready visualizations 3x faster
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client
- ›Python environment (pandas, numpy, matplotlib) or SQL database access
- ›Basic understanding of data analysis concepts
- ›Sample datasets for testing skill capabilities
Time Estimate
20-40 minutes to set up and run first analysis
Installation Steps
- 1.Install data analysis skill using provided command
- 2.Prepare a sample dataset (CSV, JSON, or database connection)
- 3.Start with descriptive statistics: 'Summarize this dataset'
- 4.Progress to visualization: 'Create a scatter plot of X vs Y'
- 5.Advanced analysis: 'Run linear regression and interpret results'
- 6.Validate outputs: check calculations, verify visualizations make sense
- 7.Document analysis workflow for reproducibility
Common Pitfalls
- ⚠Not validating statistical assumptions before applying tests
- ⚠Accepting visualizations without checking data accuracy
- ⚠Overlooking data quality issues (missing values, outliers)
- ⚠Misinterpreting correlation as causation
- ⚠Using wrong statistical test for data distribution
- ⚠Not considering sample size and statistical power
Best Practices▌
✓ Do
- +Always validate data quality before analysis
- +Check statistical assumptions (normality, independence, etc.)
- +Visualize data before running statistical tests
- +Document analysis steps for reproducibility
- +Cross-validate findings with domain experts
- +Use skill for initial exploration, then dive deeper manually
- +Save generated code for reuse on similar datasets
✗ Don't
- −Don't trust analysis without verifying data quality
- −Don't apply statistical tests without checking assumptions
- −Don't make business decisions solely on AI-generated analysis
- −Don't ignore outliers without investigating cause
- −Don't skip data validation and sanity checks
- −Don't use for mission-critical financial or medical analysis without expert review
💡 Pro Tips
- ★Describe data context: 'This is user behavior data from e-commerce site'
- ★Ask for interpretation: 'What does this correlation mean for business?'
- ★Request multiple approaches: 'Show 3 ways to handle missing data'
- ★Combine AI analysis with domain expertise for best insights
- ★Use for rapid prototyping, then refine analysis manually
When to Use This▌
✓ Use When
Use for exploratory data analysis, data cleaning, statistical testing, visualization prototyping, and learning new analysis techniques. Best for initial exploration and rapid insights.
✗ Avoid When
Avoid for mission-critical financial analysis, medical research requiring regulatory compliance, production ML models, or when deep statistical expertise is required for nuanced interpretation.
Learning Path▌
- 1Basic: descriptive statistics, data cleaning, simple visualizations
- 2Intermediate: hypothesis testing, regression, correlation analysis
- 3Advanced: time series analysis, clustering, predictive modeling
- 4Expert: causal inference, experimental design, advanced statistical methods
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.5★★★★★73 reviews- ★★★★★Benjamin Rao· Dec 24, 2024
Useful defaults in performing-user-behavior-analytics — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★Benjamin Ramirez· Dec 24, 2024
Keeps context tight: performing-user-behavior-analytics is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Mia Ghosh· Dec 24, 2024
Registry listing for performing-user-behavior-analytics matched our evaluation — installs cleanly and behaves as described in the markdown.
- ★★★★★Sophia Gill· Dec 20, 2024
performing-user-behavior-analytics is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Zara Menon· Dec 16, 2024
Solid pick for teams standardizing on skills: performing-user-behavior-analytics is focused, and the summary matches what you get after install.
- ★★★★★Anaya Martinez· Dec 12, 2024
performing-user-behavior-analytics reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Maya Reddy· Dec 8, 2024
We added performing-user-behavior-analytics from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Maya Sethi· Dec 8, 2024
Useful defaults in performing-user-behavior-analytics — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★Anika Taylor· Dec 4, 2024
Keeps context tight: performing-user-behavior-analytics is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Rahul Santra· Nov 27, 2024
Keeps context tight: performing-user-behavior-analytics is the kind of skill you can hand to a new teammate without a long onboarding doc.
showing 1-10 of 73