e-Step Control: Solution for Processing and Analysis of IS Users Activities in the Context of Insider Threat Identification based on Markov Chain
Intelligent Systems and Applications 2024
Oksana Ņikiforova, Vitālijs Zabiņako, Jurijs Korņijenko

As the digitalization of everyday life advances and the use of information technology across business domains grows with it, the demand for automatic tools for information protection and security also increases. In recent decades, information technology specialists have learned to protect information systems sufficiently against the malicious actions of external attackers and to identify the potential points where systems can be hacked, but threats of unauthorized use of information by insiders of information systems are increasing. One approach to reducing the risk of unauthorized data use by internal users of information systems is to base the monitoring of information system usage on the analysis of user behaviour. The authors of the paper have implemented this approach in the product “e-StepControl”, in which the work of each user in the information system can be analysed against the typical behaviour model of that individual; when the user acts differently from the expected behaviour, a security incident can be identified on the basis of the unexpected (and therefore suspicious) activity of the user. Such security incidents can also be identified by comparing the behaviour of an individual user with that of other users who show the same or similar behaviour in their use of the information system, in other words, with the expected behaviour of the representatives of this user’s group or class. This grouping of users is essentially a machine-learning clustering task, in which users of information systems are clustered according to parameters such as the activities performed by the user and their regularity, the sequence of activities to be performed, and the attributes of users and user sessions. Both individual and group user behaviour models can serve to identify security incidents, which a security specialist then confirms or rejects by drawing the relevant conclusions.


Keywords
Insider Threats, Machine Learning, User Behaviour Modelling, e-StepControl.
DOI
10.1007/978-3-031-47721-8_23

Ņikiforova, O., Zabiņako, V., Korņijenko, J. e-Step Control: Solution for Processing and Analysis of IS Users Activities in the Context of Insider Threat Identification based on Markov Chain. Intelligent Systems and Applications, 2024, Vol. 822, pp. 345-359. Available from: doi:10.1007/978-3-031-47721-8_23

Publication language
Latvian (lv)
The Scientific Library of the Riga Technical University.
E-mail: uzzinas@rtu.lv; Phone: +371 28399196