Cyber security is one of the prominent global challenges due to the significant increase in the number of cyberattacks over the last few decades. The amount of transferred data is growing, and a quick reaction to cyber incidents is needed. The paper is a contribution to this effort. There is a possibility to save time and resources by concentrating only on a subgroup of potential threats caused by a specific group of users. The main source of information about a selected group of users is the web access log file, where all the necessary data is stored. The contribution also presents the concept of preprocessing data from the log files to a form useful for clustering. In the next step, a densitybased spatial clustering algorithm is applied to create the clusters. Clustering algorithms have been applied to many fields (marketing, business, etc.), but not for the purposes of cyber defence. The created clusters were analysed according to our definition of risky behaviour. After analysis of the clustering results, it was possible to select a potentially dangerous group of users in the specific cluster. The presented method has potential use in different areas of cyber defence and other applications where intelligent classification is required.