Unveiling Anomalies: Leveraging Machine Learning for Internal User Behaviour Analysis – Top 10 Use Cases
DOI: https://doi.org/10.15157/IJITIS.2025.8.1.272-293

Keywords: Anomaly Detection, Data Exfiltration, UBA, SIEM, Machine Learning, Insider Threats

Abstract
Insider threats pose a significant risk to organizations, as traditional Security Information and Event Management (SIEM) systems struggle to detect subtle, evolving anomalies in user behaviour. While machine learning (ML) offers promise, the absence of a structured approach to prioritize and validate high-impact threat scenarios limits its practical adoption. This research addresses this gap by systematically identifying and validating the top 10 critical insider threat use cases—including data exfiltration, privilege escalation, and lateral movement—through a methodology combining MITRE ATT&CK tactics, Verizon Data Breach Investigations Report (DBIR) statistics, and related research papers. We then integrate the Random Cut Forest (RCF) algorithm into the Wazuh/OpenSearch SIEM platform, tailoring its unsupervised learning capabilities to detect these prioritized threats in real time. By correlating ML-driven anomaly scores with rule-based alerts, our solution reduces false positives by 35% and achieves a 94% true positive rate for high-risk use cases like unauthorized access. Validation in a production environment confirms the framework’s efficacy, with detection times under 3 minutes for 80% of anomalies. Beyond technical integration, this work establishes a replicable blueprint for aligning ML models with operational priorities, empowering organizations to focus resources on the most damaging insider threats.
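The abstract's core mechanism is the correlation of unsupervised anomaly scores with rule-based SIEM alerts so that a rule hit is only escalated when the same user also looks anomalous around that time. The following is an added illustration of that fusion step, not the paper's own code: it assumes anomaly scores arrive as per-user records with a 0..1 grade (as an OpenSearch anomaly detector would emit) and that Wazuh alerts arrive as per-user records carrying a rule id and the insider-threat use case the rule maps to; all records, rule ids and the threshold are constructed placeholders.

```python
"""Fuse per-user anomaly scores with rule-based SIEM alerts (illustrative)."""
from datetime import datetime, timedelta

ANOMALY_THRESHOLD = 0.7          # assumed cut-off on the 0..1 anomaly grade
WINDOW = timedelta(minutes=3)    # assumed max gap between score and alert

# Constructed sample input: anomaly-detector output, one record per user/time.
SCORES = [
    {"user": "alice", "ts": "2025-01-10T09:00:00", "score": 0.92},
    {"user": "alice", "ts": "2025-01-10T09:02:00", "score": 0.88},
    {"user": "bob",   "ts": "2025-01-10T09:01:00", "score": 0.15},
    {"user": "carol", "ts": "2025-01-10T13:00:00", "score": 0.95},
]
# Constructed sample input: rule-based alerts (rule ids are placeholders).
ALERTS = [
    {"user": "alice", "ts": "2025-01-10T09:01:30", "rule_id": "100101", "use_case": "data_exfiltration"},
    {"user": "bob",   "ts": "2025-01-10T09:01:00", "rule_id": "100202", "use_case": "privilege_escalation"},
    {"user": "carol", "ts": "2025-01-10T09:05:00", "rule_id": "100303", "use_case": "lateral_movement"},
]

def _ts(value):
    return datetime.fromisoformat(value)

def correlate(alerts, scores, threshold=ANOMALY_THRESHOLD, window=WINDOW):
    """Split rule alerts into (confirmed, suppressed).

    An alert is confirmed when the same user has at least one anomaly score
    >= threshold within +/- window of the alert time; the highest such score
    is attached as "max_anomaly". Everything else is suppressed, which is the
    false-positive reduction the fusion is meant to give. Confirmed alerts are
    returned sorted by max_anomaly, highest first, for analyst triage.
    """
    by_user = {}
    for s in scores:
        by_user.setdefault(s["user"], []).append((_ts(s["ts"]), s["score"]))
    confirmed, suppressed = [], []
    for a in alerts:
        t = _ts(a["ts"])
        hits = [sc for st, sc in by_user.get(a["user"], [])
                if abs(st - t) <= window and sc >= threshold]
        if hits:
            confirmed.append({**a, "max_anomaly": max(hits)})
        else:
            suppressed.append(a)
    confirmed.sort(key=lambda a: a["max_anomaly"], reverse=True)
    return confirmed, suppressed

if __name__ == "__main__":
    ok, dropped = correlate(ALERTS, SCORES)
    print("confirmed:", [(a["user"], a["use_case"], a["max_anomaly"]) for a in ok])
    print("suppressed:", [(a["user"], a["use_case"]) for a in dropped])
```

With the sample data, alice's exfiltration alert is confirmed (score 0.92 within the window), bob's is suppressed by a low score and carol's by a score that is hours away from the alert.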
License
Copyright (c) 2025 Authors

This work is licensed under a Creative Commons Attribution 4.0 International License.