Systems And Methods For Behavioral Threat Detection
US-2020186545-A1 · Jun 11, 2020 · US
US2021392146A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2021392146-A1 |
| Application number | US-202016902681-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 16, 2020 |
| Priority date | Jun 16, 2020 |
| Publication date | Dec 16, 2021 |
| Grant date | — |
Official abstract text for this publication.
Systems and methods include utilizing a grouping model to identify a function of a user of a tenant; utilizing one or more behavior models to identify normal behavior and abnormal behavior of the user based on the function; utilizing an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models; and utilizing an active learning model to improve the efficiency of the orchestration model. The systems and methods can further include causing a security technique based on the score. The systems and methods can further include providing feedback based on the score to the one or more behavior models.
Opening claim text (preview).
What is claimed is:

1. A non-transitory computer-readable storage medium having computer-readable code stored thereon for programming one or more processors to perform steps of: utilizing a grouping model to identify a function of a user of a tenant; utilizing one or more behavior models to identify normal behavior and abnormal behavior of the user based on the function; utilizing an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models; and utilizing an active learning model to improve the orchestration model.
2. The non-transitory computer-readable storage medium of claim 1, wherein the steps further include causing a security technique based on the score.
3. The non-transitory computer-readable storage medium of claim 1, wherein the steps further include providing feedback based on the score to the one or more behavior models.
4. The non-transitory computer-readable storage medium of claim 1, wherein the steps further include providing multi-tenant insights as feedback.
5. The non-transitory computer-readable storage medium of claim 1, wherein the grouping model utilizes a clustering technique to identify the function from a plurality of functions.
6. The non-transitory computer-readable storage medium of claim 1, wherein the orchestration model includes a plurality of input features from the one or more behavior models and leverages correlation among different behavior models to reduce false positives.
7. The non-transitory computer-readable storage medium of claim 1, wherein the one or more behavior models define the normal behavior and the abnormal behavior for the function in terms of one or more of Uniform Resource Locator (URL) access, bandwidth, device and app usage.
8. The non-transitory computer-readable storage medium of claim 1, wherein the abnormal behavior includes the user being suspected of leaving the tenant.
9. A system comprising: a network interface; a processor communicatively coupled to the network interface; and memory storing computer-executable instructions that, when executed, cause the processor to utilize a grouping model to identify a function of a user of a tenant; utilize one or more behavior models to identify normal behavior and abnormal behavior of the user based on the function; utilize an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models; and utilize an active learning model to improve the orchestration model.
10. The system of claim 9, wherein the instructions that, when executed, further cause the processor to cause a security technique based on the score.
11. The system of claim 9, wherein the instructions that, when executed, further cause the processor to provide feedback based on the score to the one or more behavior models.
12. The system of claim 9, wherein the instructions that, when executed, further cause the processor to provide multi-tenant insights as feedback.
13. The system of claim 9, wherein the grouping model utilizes a clustering technique to identify the function from a plurality of functions.
14. The system of claim 9, wherein the orchestration model includes a plurality of input features from the one or more behavior models and leverages the correlation among different behavior models to reduce false positives.
15. The system of claim 9, wherein the one or more behavior models define the normal behavior and the abnormal behavior for the function in terms of one or more of Uniform Resource Locator (URL) access, bandwidth, device and app usage.
16. A method comprising: utilizing a grouping model to identify a function of a user of a tenant; utilizing one or more behavior models to identify normal behavior and abnormal behavior of the user based on the function; utilizing an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models; and utilizing an active learning model to improve the orchestration model.
17. The method of claim 16, further comprising causing a security technique based on the score.
18. The method of claim 16, further comprising providing feedback based on the score to the one or more behavior models.
19. The method of claim 16, further comprising providing multi-tenant insights as feedback.
20. The method of claim 16, wherein the grouping model utilizes a clustering technique to identify the function from a plurality of functions, wherein the orchestration model includes a plurality of input features from the one or more behavior models and leverages the correlation among different behavior models to reduce false positives, and wherein the one or more behavior models define the normal behavior and the abnormal behavior for the function in terms of one or more of Uniform Resource Locator (URL) access, bandwidth, device, and app usage.
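The abstract and claims above describe one pipeline: a grouping model assigns a user to a function, per-function behavior models define normal and abnormal behavior over URL, bandwidth, device and app features, a rule-based orchestration model scores the user while using correlation between models to cut false positives, and analyst feedback (active learning) tunes the rules. The block below is an added toy implementation in plain Python, not code from the patent or its assignee; the feature set, the function centroids, the peer data, the weights and the thresholds are all constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed feature vector per user: URL categories visited, MB sent, distinct devices, apps used
FEATURES = ("url_categories", "mbytes_out", "devices", "apps")

# Grouping model: constructed centroids standing in for the output of a clustering step
FUNCTIONS = {"engineering": (40, 900, 2, 12), "sales": (15, 200, 3, 6)}

def group_user(vec):
    """Assign a user to the function whose centroid is nearest (squared Euclidean distance)."""
    return min(FUNCTIONS, key=lambda f: sum((a - b) ** 2 for a, b in zip(vec, FUNCTIONS[f])))

def build_behavior_model(peer_vectors):
    """Per-function baseline: (mean, std) per feature; std is floored at 1.0 to avoid division by zero."""
    return [(mean(col), pstdev(col) or 1.0) for col in zip(*peer_vectors)]

def deviations(model, vec):
    """How far one observation sits from the function baseline, in standard deviations per feature."""
    return {f: abs(v - m) / s for f, v, (m, s) in zip(FEATURES, vec, model)}

def orchestrate(devs, weights, threshold=3.0):
    """Rule-based scoring. Correlation rule: a bandwidth spike on its own is a frequent false
    positive (backups, large downloads), so it only counts when another model also fires."""
    fired = {f for f, d in devs.items() if d > threshold}
    if fired == {"mbytes_out"}:
        fired = set()
    return sum(weights[f] for f in fired), fired

def security_action(score):
    """Map the score to a security technique; thresholds are constructed."""
    return "alert" if score >= 2.0 else "monitor" if score > 0 else "none"

def active_learning_update(weights, fired, analyst_confirmed, step=0.5):
    """Analyst feedback: reinforce the rules behind a confirmed detection, dampen those behind a false alarm."""
    for f in fired:
        weights[f] = max(0.0, weights[f] + (step if analyst_confirmed else -step))
    return weights

def feed_back(peer_vectors, vec, devs, threshold=3.0):
    """Feedback to the behavior model: only observations no model flagged refresh the baseline,
    so that a suppressed-but-deviant observation cannot quietly widen what counts as normal."""
    if max(devs.values()) <= threshold:
        peer_vectors.append(vec)
    return build_behavior_model(peer_vectors)

# Constructed historical observations for engineering peers, used to build the baseline
PEERS = [(38, 850, 2, 11), (42, 950, 2, 13), (39, 900, 2, 12), (41, 880, 2, 12)]
```

Running it with the constructed data, a lone bandwidth spike scores 0 under the correlation rule, while a bandwidth spike that coincides with an unusual number of devices fires two rules and reaches the alert threshold.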
CPC classifications:
- Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound
- Extracting rules from data
- Machine learning
- Event detection, e.g. attack signature detection
- the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms