UEBA · May 2025 · 9 min read

UEBA Baseline Building — The 30-Day Model Explained

How DKTrace's ml-engine builds statistical behavioural baselines for every user and entity — and exactly what triggers a deviation alert, including the composite risk score formula.


DKTrace Research Team

Security Engineering · Threat Research

Why 30 Days?

UEBA without good baselines generates alert fatigue. DKTrace spends the first 30 days in learning mode — observing every entity's behaviour before firing a single UEBA alert.

30 days captures:

Weekly work patterns (Monday behaviour vs. Friday behaviour)
Monthly cycles (month-end finance activity spikes)
Enough data for statistical significance (p < 0.05 for most behavioural metrics)

What DKTrace Learns Per Entity

For each user, workstation, server, and service account:

Feature | Examples
Auth timing | Login hours, day-of-week patterns
Auth location | IP ranges, countries, VPN vs. direct
Resource access | Shares, databases, APIs, services
Process execution | Which binaries, which parent processes
Network peers | Which other hosts this entity communicates with
Data volume | GB/hr transferred, per protocol

The Composite Risk Score

```python
def risk_score(ueba_deviation_score, peer_group_score,
               threat_intel_score, vulnerability_score, recency_weight):
    return (
        0.35 * ueba_deviation_score     # distance from personal baseline
      + 0.25 * peer_group_score         # distance from peer group baseline
      + 0.20 * threat_intel_score       # IOC matches, TI context
      + 0.20 * vulnerability_score      # CVEs on entity's known hosts
    ) * recency_weight                  # events in last 2 hrs weighted 2×
```

Score | Threshold | Action
0–69 | Normal | Log only
70–89 | Alert | SOC notification
90–100 | P1 | Immediate escalation

Peer Group Modelling

DKTrace automatically clusters entities into peer groups using k-means on 90-day access pattern vectors.

A CFO accessing a server that their peer group (other C-suite executives) has never touched in 90 days triggers a peer_group_score spike, even if the CFO themselves has accessed it before.

This catches the compromise of legitimate credentials, where the attacker uses the real account in an otherwise normal way but reaches targets the account's peer group would never touch.

Preventing Day-30 Alert Storms

DKTrace ramps alert sensitivity gradually to avoid the "turn it on and get flooded" problem:

Period | Alert Threshold
Days 1–7 | 95 (extreme anomalies only)
Days 8–14 | 85
Days 15–21 | 75
Days 22+ | 70 (full sensitivity)
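To show how the composite formula, the action bands and the ramped threshold schedule fit together, here is an added example (not DKTrace's ml-engine code). It models the personal-baseline deviation as a capped z-score of login hour against a constructed 30-day history, assumes each component is scaled 0–100 and that the recency weight is 2× inside two hours and 1× otherwise, and clamps the final score to 0–100; all of these are assumptions, not details taken from the page.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

WEIGHTS = {"ueba": 0.35, "peer": 0.25, "ti": 0.20, "vuln": 0.20}   # page's weights
RAMP = [(22, 70), (15, 75), (8, 85), (1, 95)]   # (first learning day, threshold)

def deviation_score(history, observed, cap=4.0):
    """Distance from the entity's own baseline on a 0-100 scale. Assumption:
    |z-score| against the 30-day history, saturating at `cap` sigmas."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:                        # constant baseline: any change is maximal
        return 0.0 if observed == mu else 100.0
    return min(abs(observed - mu) / sigma, cap) / cap * 100.0

def recency_weight(event_time, now):
    # Page: events in the last 2 hours weighted 2x (assumed 1x otherwise)
    return 2.0 if now - event_time <= timedelta(hours=2) else 1.0

def composite_score(ueba, peer, ti, vuln, weight):
    raw = (WEIGHTS["ueba"] * ueba + WEIGHTS["peer"] * peer
           + WEIGHTS["ti"] * ti + WEIGHTS["vuln"] * vuln) * weight
    return min(round(raw, 1), 100.0)      # clamp to the page's 0-100 scale (assumption)

def alert_threshold(learning_day):
    """Threshold in force on a given day of the ramp schedule."""
    for start, threshold in RAMP:
        if learning_day >= start:
            return threshold
    raise ValueError("learning_day must be >= 1")

def classify(score, learning_day):
    """Page's action bands, gated by the ramp threshold for that day."""
    if score < alert_threshold(learning_day):
        return "Log only"
    return "Immediate escalation" if score >= 90 else "SOC notification"

if __name__ == "__main__":
    history = [8, 9, 10] * 10             # constructed: 30 days of ~09:00 logins
    now = datetime(2025, 5, 20, 11, 30)   # constructed timestamp
    ueba = deviation_score(history, observed=11)          # 11:00 login -> ~61.2
    w = recency_weight(now - timedelta(minutes=20), now)  # 2.0
    score = composite_score(ueba, peer=60, ti=0, vuln=20, weight=w)
    for day in (3, 22):                   # same event, day 3 vs. day 22 of learning
        print(f"day {day}: score {score} -> {classify(score, day)}")
```

The same 80.9 score is logged only on day 3 (threshold 95) but raises a SOC notification on day 22 (threshold 70), which is the ramp doing its job.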
