Baseline comparison

How baseline comparison works

A baseline is a model of normal for a specific entity. The entity might be a user, a host, a service account, an application, or a network segment. The baseline is built over time from continuous telemetry and captures the rhythm of that entity’s usual behavior: when it operates, what it connects to, which processes it runs, how much data it moves, who it interacts with.

When an alert fires for an entity, the analyst compares the alert’s claim against the entity’s baseline. The deviation (or its absence) is what turns a generic alert into a specific answer. Many alerts that look alarming in the abstract become routine when set against the actual history of the entity involved.

Baseline platforms such as Microsoft Sentinel UEBA, Splunk MLTK, Exabeam Advanced Analytics, and Securonix let security teams encode “normal” and surface deviations automatically. The quality of the baseline depends on the quality of the underlying telemetry and the stability of the operational environment.

What the baseline contains

🕐 Temporal patterns

When the entity is active: hour of day, day of week, month, and season. Daily standups, end-of-quarter pushes, holiday slowdowns, and overnight maintenance windows all show up in the temporal model.

🔗 Communication graph

Who the entity talks to. Internal systems, external destinations, peer accounts, and recurring collaborators. Each edge in the graph has its own typical cadence.

📊 Volume metrics

How much the entity does. Bytes transferred, queries issued, processes spawned, files touched. Volume baselines catch staged exfiltration before it leaves the building.

🧩 Behavioral signatures

Which actions the entity typically takes. The process tree of a developer’s laptop looks nothing like the process tree of an accountant’s, and the baseline captures that without anyone having to write a rule.


Example: PowerShell at 03:00

Case study

Developer workstation, off-hours scripting

An EDR alert fires on PowerShell execution from a developer's workstation at 03:00 local time. The alert flags the off-hours timing as suspicious.

In isolation, the alert is concerning. PowerShell at 03:00 is a common adversary fingerprint. The job of baseline comparison is to test whether the alert is consistent with what this specific entity actually does.

The analyst pulls the baseline for this user and host:

  • VPN history shows the developer routinely works overnight on Tuesdays and Wednesdays. Two of the last four weeks have similar 03:00 sessions.
  • Process baseline shows PowerShell is one of this developer’s most-used utilities. They invoke it dozens of times per shift.
  • Change calendar shows a global release window scheduled for 02:00 to 04:00 UTC. The developer is one of the on-call engineers.
  • Command-line history shows the script being executed matches the signature of a known build pipeline that has run this way for months.

The four signals converge: this is expected behavior with corroborating context from four independent sources. The alert is downgraded to informational, the closure note records the reasoning, and the validation logic feeds back into the detection so the next firing for the same pattern is suppressed.

Without baseline comparison, the same alert would cost an hour of investigation and yield no clearer answer and no improvement to the detection.

What if even one signal disagreed?

The same alert would deserve more investigation. If the developer’s VPN history did not place them on the laptop at 03:00, the analyst would treat the PowerShell execution as unauthenticated and pivot to the question of how the script ran. If the change calendar showed no scheduled release, the analyst would look for an unplanned production change. Baseline comparison is most powerful when all signals agree; partial agreement is itself a signal worth investigating.
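The following is an added example, not code from the original page or from any of the platforms it names. It builds the baseline dimensions described above (temporal slots, process frequency, known command lines) from constructed telemetry for a hypothetical developer "dev01", adds a constructed change calendar, and then scores the 03:00 PowerShell alert the way the case study does: all signals agreeing yields an informational verdict, and any single disagreement is returned by name so the analyst knows where to look. Thresholds such as `min_slot_hits` and `top_k` are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed telemetry for one developer ("dev01") and their workstation; not
# real data. Each record: (timestamp, process, command line). All timestamps are
# assumed to be in the same timezone.
HISTORY = [
    ("2024-04-23T03:05:00", "powershell.exe", "build.ps1 -Target release"),  # Tue
    ("2024-04-24T03:12:00", "powershell.exe", "build.ps1 -Target release"),  # Wed
    ("2024-05-07T03:02:00", "powershell.exe", "build.ps1 -Target release"),  # Tue
    ("2024-05-08T11:40:00", "code.exe", "code ."),
    ("2024-05-08T11:45:00", "powershell.exe", "git status"),
    ("2024-05-09T14:00:00", "powershell.exe", "build.ps1 -Target debug"),
]
# Constructed change calendar: (window start, window end, on-call engineers).
CHANGE_WINDOWS = [("2024-05-14T02:00:00", "2024-05-14T04:00:00", {"dev01"})]


def build_baseline(history):
    """Reduce raw history to the baseline dimensions used in the case study."""
    stamps = [datetime.fromisoformat(ts) for ts, _, _ in history]
    return {
        # temporal: how often the entity was active in each (weekday, hour) slot
        "slots": Counter((t.weekday(), t.hour) for t in stamps),
        # behavioural: which processes the entity runs, and how often
        "procs": Counter(p for _, p, _ in history),
        # known command lines (stand-in for the build-pipeline signature)
        "cmds": {c for _, _, c in history},
    }


def compare(alert, baseline, windows, user, min_slot_hits=2, top_k=3):
    """Test each baseline signal; return (verdict, names of disagreeing signals)."""
    ts = datetime.fromisoformat(alert["ts"])
    top_procs = {p for p, _ in baseline["procs"].most_common(top_k)}
    signals = {
        "temporal": baseline["slots"][(ts.weekday(), ts.hour)] >= min_slot_hits,
        "process": alert["process"] in top_procs,
        "change_window": any(
            datetime.fromisoformat(s) <= ts <= datetime.fromisoformat(e) and user in oncall
            for s, e, oncall in windows
        ),
        "cmdline": alert["cmdline"] in baseline["cmds"],
    }
    disagreeing = sorted(name for name, ok in signals.items() if not ok)
    # all four agree -> routine; any disagreement is itself a signal to investigate
    return ("informational" if not disagreeing else "investigate"), disagreeing
```

Calling `compare({"ts": "2024-05-14T03:00:00", "process": "powershell.exe", "cmdline": "build.ps1 -Target release"}, build_baseline(HISTORY), CHANGE_WINDOWS, "dev01")` reproduces the case study's converging signals; shifting the timestamp to a Thursday outside the release window flips both the temporal and change-window signals.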


Operational practice

  • Refresh baselines regularly. Treat them as a living artifact, not a one-time configuration. A baseline that has not been retrained in six months is starting to describe an organization that no longer exists.
  • Coordinate with change management. Planned modifications should be reflected in the baseline source data so they do not produce noise.
  • Adjust for cyclical patterns. End-of-month closeouts in finance, tax season in accounting, semester boundaries in education, and holiday traffic in retail all reshape baselines temporarily.
  • Enrich the baseline from authoritative sources. HR systems, business calendars, change-management tickets, and identity providers each carry context the SIEM does not have on its own.
