Stop us if you’ve heard this one before: you get an alert like “This user did something for the first time!” or “This user is acting weird!” and it turns out to be a real employee checking their email on vacation. This is a seemingly harmless false positive, but for security teams, these vague alerts lead to countless hours investigating ambiguous behaviors that are often benign.
In identity, cloud, and SaaS environments, adversaries rely almost solely on legitimate functionality to achieve their goals. This legitimate functionality often blends seamlessly with normal user activity, which makes it incredibly difficult to discern between unusual-but-acceptable actions and genuine threats. This camouflage burdens security teams, leaving them to untangle subtle indicators of malicious intent from a sea of routine actions.
Fortunately, adversaries often make mistakes that keep them from blending in perfectly. Our intelligence-driven approach to threat detection shows that real threats typically come with internet service providers (ISP), geolocations, or devices that are either sketchy or at the very least unusual for a given customer environment. In the world of identity, cloud, and SaaS, it’s necessary to move beyond detecting explicitly malicious behaviors to detecting unusual behaviors as well.
At Red Canary, we understand this challenge—and we’re tackling it head on.
The challenge
Detecting unusual activity with user entity and behavioral analytics (UEBA) is not new, though it is somewhat surprising that after years in the market, anomaly detection alerting often generates more noise than actionable insights. At Red Canary, we thought we could do better, and we combined our expertise in security operations with a threat-driven, practical approach to tackle this problem from the ground up.
The problem with cybersecurity products generating traditional UEBA alerts is that they’re limited to determining if activity is unusual. The hard part is investigating those alerts to not just determine why a behavior was unusual but also evaluate whether or not it’s malicious, and that’s the challenge we decided to tackle.
In order to filter out noise and deliver high-quality threat detections to customers, we’ve made a number of improvements to our platform to both detect and investigate unusual behaviors at scale.
By refining our approach to identity threat detection and response, we help customers scale their defenses, uncover true threats faster, and reduce the noise that hampers decision-making.
Delivering quality detections from unusual behavior
The key to delivering quality detections from unusual behavior is improving how we investigate unusual behaviors. To address this challenge, Red Canary is making a large investment in agentic flow investigations. These workflows are designed to gather contextual data from many different sources, analyze it, and provide human-readable recommendations to a human analyst to assess any potential risk.
This approach means that our investigations leverage automation to consistently extract useful insights from this contextual data. These insights enable our cybersecurity experts to more accurately identify when unusual behaviors look malicious, and we also pass these insights onto our customers to clearly articulate why they should be concerned by an unusual behavior.
How we do it
To account for this anomalous behavior, we had to implement the following process:
- Create user baselines to enable better detection and threat hunting
- Quickly detect unusual behaviors at scale
- Perform analysis with agentic flow investigations to reduce noise and create context
Create user baselines
The first step is to create user baselines to enable better detection and threat hunting. Red Canary’s data platform already processes massive amounts of identity telemetry from many different sources, and we can use this data to create baselines for both individuals and organizations to establish what is considered normal.
From a practical perspective, we create these baselines by doing a bunch of counting. For instance, how many times has a particular user successfully logged in from a particular ISP, geolocation, or operating system? We store these counts in a place where they can be easily accessed from multiple parts of our platform.
From an engineering perspective, this approach allows us to efficiently and repeatedly query these baselines without having to comb through every single historical login every time we want to determine if a behavior is normal. From a cybersecurity perspective, this approach gives us a flexible way to use this data in any part of our platform, enabling better detection and threat hunting.
Detect unusual behaviors at scale
The next step is to quickly detect unusual behaviors at scale. Because these user baselines are designed to be efficiently and repeatedly queried, we can use them in real time as we stream massive amounts of data into our detection engine. For instance, we’ll look at every successful login, query our user baseline data, and determine if the originating ISP is typical for the specific user or customer environment.
The goal of this step is less about generating high-fidelity detections and more about identifying things we want to further investigate using our agentic flow investigations. These workflows are complicated enough that we can’t run them on every login, but if we use our detection engine to filter down the number of things we feed into them, we can still process tons of data at scale.
Agentic workflows and final output
Once we’ve identified an unusual behavior, we feed it into our agentic flow investigations to reduce noise and create context. These workflows gather additional context from diverse data sources and pose 40+ targeted questions generated by Red Canary’s cybersecurity experts to assess threat potential. Examples include:
- Is one authentication attribute like ISP unusual but others like geolocation, operating system, or browser consistent with previous behavior?
- Is the source of the login a known bad VPN or a TOR node?
- Did the login session perform some follow-on action like modify MFA (multi-factor authentication) or create a new authentication token?
- Is the device registered with the identity provider?
- Is the ISP associated with a common false positive like a common proxy service?
- Does the IP belong to the customer (e.g., a remote worker visits the office for the first time)?
Finally, the agents articulate findings in human-readable language to enable a human analyst to use their judgement to assess the potential risk. Below is a sample report:
This report analyzes a suspicious login activity for the user johnsmith@grandscaleind.com from Grand Scale Industries, classified as Suspicious Activity (User Account Compromise). The login occurred on January 2, 2025, from an IP address (203.0.113.42) associated with Surfshark VPN, located in Boston, Massachusetts. The login was successful and utilized the Office365 Shell WCSS-Client application. The IP address has a high fraud score of 100, indicating recent abusive behavior and high abuse velocity. The login was flagged by multiple detectors due to the use of a VPN, rare ISP organization, and suspicious VPN login patterns. The user’s typical login patterns, based on the User Logins Baseline Report, predominantly show logins from Atlanta, Georgia, using various VPNs but rarely from Surfshark VPN and Boston. This deviation from the user’s usual behavior, combined with the high fraud score and recent abuse associated with the IP address, raises concerns about potential account compromise. The alert was classified as suspicious due to these anomalies and the potential risk of unauthorized access.
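The three steps above (count-based user and organization baselines, a cheap streaming check that only forwards rare attribute values, and a triage pass that answers a few of the targeted questions in plain language) can be shown end to end in a small script. The following is an added example written for this page, not Red Canary's platform code: the attribute names, the `min_seen` threshold, the login records, the customer address space, the provider lists and the risk weights are all constructed, hypothetical values chosen to make the three outcomes visible (a normal login that is never investigated, a login that should be escalated, and a remote worker visiting the office for the first time).

```python
"""Baseline, detect, and triage unusual logins. Added example, not Red Canary code."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

ATTRIBUTES = ("isp", "geo", "os", "browser")  # attributes we baseline (hypothetical choice)

# Constructed historical telemetry for one hypothetical customer ("acme"): successful logins only.
HISTORY = (
    [{"user": "jsmith", "org": "acme", "isp": "Comcast", "geo": "Atlanta, GA", "os": "Windows", "browser": "Edge"}] * 20
    + [{"user": "jsmith", "org": "acme", "isp": "NordVPN", "geo": "Atlanta, GA", "os": "Windows", "browser": "Edge"}] * 5
    + [{"user": "alee", "org": "acme", "isp": "Verizon", "geo": "Boston, MA", "os": "macOS", "browser": "Safari"}] * 15
)

# Constructed context sources consulted by the triage questions (all values hypothetical).
CUSTOMER_NETWORKS = [ip_network("198.51.100.0/24")]   # address space the customer told us is theirs
RISKY_PROVIDERS = {"ExampleAnonVPN", "Tor exit"}      # providers we treat as high risk
COMMON_PROXY_ISPS = {"ExampleRelay"}                   # frequent benign false positives


def build_baselines(logins):
    """Step 1: a baseline is just a count of successful logins per attribute value,
    kept once per user and once per organization so it can be queried cheaply."""
    user_counts = defaultdict(Counter)  # (user, attribute) -> Counter of values
    org_counts = defaultdict(Counter)   # (org, attribute)  -> Counter of values
    for login in logins:
        for attr in ATTRIBUTES:
            user_counts[(login["user"], attr)][login[attr]] += 1
            org_counts[(login["org"], attr)][login[attr]] += 1
    return user_counts, org_counts


def unusual_attributes(login, user_counts, org_counts, min_seen=2):
    """Step 2: the streaming check. A value is unusual only when it is rare both for
    this user and across the customer environment (threshold is a constructed choice)."""
    unusual = []
    for attr in ATTRIBUTES:
        seen_for_user = user_counts[(login["user"], attr)][login[attr]]
        seen_for_org = org_counts[(login["org"], attr)][login[attr]]
        if seen_for_user < min_seen and seen_for_org < min_seen:
            unusual.append(attr)
    return unusual


def triage(login, unusual):
    """Step 3: answer a handful of the targeted questions and phrase each answer for an analyst.
    Risk weights and verdict thresholds are hypothetical."""
    findings, risk = [], 0
    consistent = [a for a in ATTRIBUTES if a not in unusual]
    if consistent:
        findings.append(f"{', '.join(unusual)} unusual for {login['user']}, but "
                        f"{', '.join(consistent)} match prior behavior (mitigating).")
    else:
        findings.append("Every authentication attribute is new for this user (aggravating).")
        risk += 2
    if login["isp"] in RISKY_PROVIDERS:
        findings.append(f"Source provider {login['isp']} is a known anonymizing or abusive provider (aggravating).")
        risk += 2
    if login.get("follow_on_actions"):
        findings.append("Session performed follow-on actions: "
                        + ", ".join(login["follow_on_actions"]) + " (aggravating).")
        risk += 3
    if not login.get("device_registered", False):
        findings.append("Device is not registered with the identity provider (aggravating).")
        risk += 1
    if login["isp"] in COMMON_PROXY_ISPS:
        findings.append(f"{login['isp']} is a common proxy service and a frequent false positive (mitigating).")
        risk -= 2
    if any(ip_address(login["ip"]) in net for net in CUSTOMER_NETWORKS):
        findings.append("Source IP is inside the customer's own address space (mitigating).")
        risk -= 3
    verdict = "escalate" if risk >= 3 else "review" if risk > 0 else "likely benign"
    return verdict, findings


def investigate(stream, history=HISTORY):
    """Run the pipeline: baseline once, screen every login, investigate only the unusual ones."""
    user_counts, org_counts = build_baselines(history)
    results = {}
    for login in stream:
        unusual = unusual_attributes(login, user_counts, org_counts)
        if not unusual:
            continue  # normal logins never reach the expensive investigation step
        results[login["id"]] = triage(login, unusual)
    return results


# Constructed incoming logins (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
STREAM = [
    {"id": "L1", "user": "jsmith", "org": "acme", "ip": "203.0.113.10", "isp": "Comcast",
     "geo": "Atlanta, GA", "os": "Windows", "browser": "Edge", "device_registered": True},
    {"id": "L2", "user": "jsmith", "org": "acme", "ip": "203.0.113.42", "isp": "ExampleAnonVPN",
     "geo": "Frankfurt, DE", "os": "Windows", "browser": "Edge", "device_registered": False,
     "follow_on_actions": ["mfa_method_added"]},
    {"id": "L3", "user": "alee", "org": "acme", "ip": "198.51.100.7", "isp": "Acme Corp HQ",
     "geo": "Boston, MA", "os": "macOS", "browser": "Safari", "device_registered": True},
]

if __name__ == "__main__":
    for login_id, (verdict, findings) in investigate(STREAM).items():
        print(f"{login_id}: {verdict}")
        for line in findings:
            print("  -", line)
```

The point worth noticing is where the work happens: `build_baselines` runs once over history, `unusual_attributes` is a few dictionary lookups per login and so can sit in a streaming path, and `triage` (the stand-in for the agentic investigation, which in practice would fan out to many external context sources) only runs for the small fraction of logins the screen forwards. The same rare-ISP signal produces an escalation for L2 and a benign verdict for L3 because the follow-on questions, not the anomaly itself, carry the judgement.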
Why it works
Our approach leads to faster and more accurate threat detection in identity, cloud, and SaaS environments. Focusing on unusual behaviors means that we catch the mistakes we see real adversaries make every single day. Agentic flow investigations generate analytic context that helps our analysts more effectively use their expert judgment to better understand and communicate real threats. Our combination of UEBA, agentic flow investigations, and experts-in-the-loop delivers highly contextualized insights that keep security professionals focused on what matters most.
