04-06-2026 01:37 AM
Hi All, I'm looking for some guidance around UEBA capabilities in XSIAM. Currently, we are using the free trial version of the ITDR module in XSIAM. If we do not have the ITDR module license, what are the ways to enhance UEBA capabilities in XSIAM?
Should we manually develop UEBA pattern-related use cases using telemetry logs?
Appreciate your help!
04-08-2026 08:04 AM
Hello @A.Velusamy ,
Greetings for the day.
User and Entity Behavior Analytics (UEBA) is a core capability integrated across all Cortex XSIAM license tiers, including NG-SIEM, Enterprise, and Premium. While the Identity Threat Detection and Response (ITDR) module is a modular add-on that provides specialized enhancements, basic UEBA functionality does not strictly require it.
If you do not have an active ITDR module license, you can still enhance your UEBA capabilities in XSIAM through the following methods:
Ingest Diverse Data Sources:
UEBA performance is highly dependent on log ingestion. To improve behavior profiling, ensure you are ingesting logs from various sources, including Next-Generation Firewalls (NGFW), cloud providers (AWS, Azure, GCP), and third-party audit/flow logs.
Configure Cloud Identity Engine (CIE):
XSIAM consumes data from identity sources via CIE to provide the necessary Active Directory or Okta context for UEBA. Ensuring CIE is operational provides the attributes (users, groups, etc.) required for behavioral baselines.
Enable Core Analytics:
Verify that Core Analytics is active, as it uses machine learning and behavioral models to detect anomalies and threats across normalized datasets.
Define Network Parameters:
Ensure your internal network ranges and domain names are correctly defined in XSIAM to allow the analytics engine to identify internal assets and monitor for abnormal network behavior, such as port scans.
The automated Behavioral Analytics engine is designed to run on native telemetry and normalized datasets.
Manually Developing Use Cases:
For custom or raw log sources that are not automatically processed by the built-in ML models, you should develop manual use cases using Correlation Rules (BIOCs). You can use XQL (Cortex Query Language) to identify specific patterns across multiple data sources and generate alerts.
ITDR Specifics:
Without the ITDR license, you will lack out-of-the-box features such as Asset Role Configuration, the User/Host Risk View, and advanced layout alerts for compromised accounts. Some advanced behavioral detections, such as those for Office 365 (e.g., email-hiding inbox rules), are also exclusive to the ITDR module.
Note: For tailored recommendations based on your specific license and security architecture, it is recommended to contact your Sales Engineer (SE)/Solution Consultant (SC) or Account Team, as they can provide guidance on optimizing UEBA use cases for your environment.
If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
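As an added illustration of the "Manually Developing Use Cases" point above, the following Python models the logic a hand-built UEBA correlation rule encodes: learn a per-user baseline from a training window (usual logon hours, usual source countries, typical failed-logon volume per day) and flag events in a later window that deviate from it. This is example code written for this thread, not Cortex XSIAM code, not XQL, and not part of the original reply. The event schema (`user`, `ts`, `country`, `outcome`), the sample events, the +/-1 hour tolerance, and the z-score and minimum-failure thresholds are all constructed assumptions; in XSIAM the same pattern would be expressed over the real normalized datasets in XQL.

```python
"""Per-user behavioral baseline and deviation scoring over constructed
authentication events. Added illustration of the logic a manual UEBA
correlation rule encodes; it is not Cortex XSIAM code and not XQL."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def _hour(ts):
    return datetime.fromisoformat(ts).hour


def _day(ts):
    return ts[:10]


def _make_baseline_events():
    """Constructed two-week training window for two users (sample data)."""
    events = []
    for day in range(1, 15):
        date = f"2026-03-{day:02d}"
        # alice: office hours from DE, 0..2 failed logons per day
        for hour in (8, 9, 13, 17):
            events.append({"user": "alice", "ts": f"{date}T{hour:02d}:00:00",
                           "country": "DE", "outcome": "success"})
        for _ in range(day % 3):
            events.append({"user": "alice", "ts": f"{date}T08:30:00",
                           "country": "DE", "outcome": "failure"})
        # bob: night-shift operator from US, never fails a logon
        for hour in (22, 23, 0):
            events.append({"user": "bob", "ts": f"{date}T{hour:02d}:15:00",
                           "country": "US", "outcome": "success"})
    return events


BASELINE_EVENTS = _make_baseline_events()

# Constructed "new" window to score against the learned baseline.
NEW_EVENTS = (
    [{"user": "alice", "ts": "2026-03-15T09:15:00", "country": "DE", "outcome": "success"},
     {"user": "alice", "ts": "2026-03-15T03:10:00", "country": "BR", "outcome": "success"},
     {"user": "bob", "ts": "2026-03-15T22:30:00", "country": "US", "outcome": "success"},
     {"user": "mallory", "ts": "2026-03-15T10:00:00", "country": "DE", "outcome": "success"}]
    + [{"user": "alice", "ts": f"2026-03-16T11:{m:02d}:00", "country": "DE", "outcome": "failure"}
       for m in range(12)]
)


def build_baselines(events):
    """Learn, per user: usual logon hours, usual source countries, and the
    mean/stdev of failed logons per day (days with no failures count as 0)."""
    profiles = defaultdict(lambda: {"hours": set(), "countries": set(),
                                    "days": set(), "fails": defaultdict(int)})
    for e in events:
        p = profiles[e["user"]]
        p["days"].add(_day(e["ts"]))
        if e["outcome"] == "success":
            p["hours"].add(_hour(e["ts"]))
            p["countries"].add(e["country"])
        else:
            p["fails"][_day(e["ts"])] += 1
    baselines = {}
    for user, p in profiles.items():
        counts = [p["fails"][d] for d in p["days"]]
        baselines[user] = {"hours": p["hours"], "countries": p["countries"],
                           "fail_mean": mean(counts), "fail_std": pstdev(counts)}
    return baselines


def _near_usual_hour(hour, usual_hours):
    # Tolerate +/-1 hour, wrapping around midnight (assumed tolerance).
    return any(min(abs(hour - u), 24 - abs(hour - u)) <= 1 for u in usual_hours)


def detect_anomalies(baselines, events, z_threshold=3.0, min_failures=5):
    """Return (user, when, reason) tuples for events that deviate from the
    baseline. Failure volume is judged per user per day so that a single
    stray failed logon does not alert."""
    findings = []
    daily_failures = defaultdict(int)
    for e in events:
        b = baselines.get(e["user"])
        if b is None:
            findings.append((e["user"], e["ts"], "no baseline for user"))
            continue
        if e["outcome"] == "success":
            if e["country"] not in b["countries"]:
                findings.append((e["user"], e["ts"], f"new source country {e['country']}"))
            h = _hour(e["ts"])
            if not _near_usual_hour(h, b["hours"]):
                findings.append((e["user"], e["ts"], f"logon at unusual hour {h:02d}"))
        else:
            daily_failures[(e["user"], _day(e["ts"]))] += 1
    for (user, day), n in daily_failures.items():
        b = baselines[user]
        if b["fail_std"] > 0:
            z = (n - b["fail_mean"]) / b["fail_std"]
        else:  # constant baseline: any increase above it is unusual
            z = float("inf") if n > b["fail_mean"] else 0.0
        if n >= min_failures and z > z_threshold:
            findings.append((user, day, f"{n} failed logons, baseline mean {b['fail_mean']:.1f}"))
    return findings


if __name__ == "__main__":
    for user, when, reason in detect_anomalies(build_baselines(BASELINE_EVENTS), NEW_EVENTS):
        print(f"{when} {user}: {reason}")
```

Run as-is it reports four findings: alice's 03:10 logon from a new country (two reasons), alice's burst of twelve failed logons on 2026-03-16, and a user with no baseline at all. The last case matters in practice: an entity the baseline has never seen should surface for review rather than pass silently, which is also why the identity context from CIE (users, groups) is worth having before writing rules like this.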