UEBA is a cyber security process that analyzes the behavior of users and other entities (hosts, service accounts, devices). Machine learning, statistical analysis, and rule-based algorithms are used to detect deviations from each user's established behavioral baseline. UEBA draws on logs, report data, file activity, and network flow information.
User and Entity Behavior Analytics
UEBA (User and Entity Behavior Analytics) is a cyber security process that analyzes the behavior of users and of non-human entities such as hosts, service accounts and devices. It first learns what normal activity looks like for each user or entity; any deviation from that baseline is scored and, when significant, triggers an alert or response action.
UEBA also covers insider threats: people who already have legitimate access to your systems and may use that access for fraud, data theft or other attacks that perimeter controls do not see.
UEBA uses machine learning, statistical analysis, and rule-based algorithms to identify activity that departs from normal patterns. Its inputs include logs, report data, file activity, network flow, and packet information.
Pillars of UEBA

Data
UEBA solutions draw on data repositories such as a data warehouse, a data lake, or the SIEM, and enrich events with:
- Network flows and packets
- Business context
- HR and user context (roles, departments, joiners and leavers)
- External threat intelligence
Use Cases
UEBA monitors user and entity behavior and alerts on anomalies, covering scenarios such as:
- Malicious insider
- Compromised user
- APT and zero-day
- Known threats
Analytics
Separates anomalous from normal behavior using analytics such as machine learning and statistical models:
- Supervised machine learning
- Unsupervised machine learning
- Statistical modeling
- Rule-based system
Future
- Generative
- Ensemble networks
- Deep learning
Main Components of UEBA

- User Monitoring and Data Collection System
  User and entity activity is collected and monitored for anomalies. The behavioral attributes analyzed range from the websites a user typically visits to the applications they normally use.
- Machine Learning System
  The large volume of data produced by the monitoring system is analyzed by machine learning models, which establish a baseline per user or entity and detect deviations from it.
Use Cases
Detecting Abnormal User Behavior
Incidents such as logins at unusual times or from unusual locations, and repeated failed login attempts.
Detecting Brute Force Attack
A user fails to authenticate more than 10 times within 5 minutes. The threshold and window are tunable and should be set per environment so that a mistyped password does not trigger an alert but a password-guessing burst does.
Detecting Dormant Account Activity
A user has left the organization, and 60 days after their departure there is activity in their account. The account should have been disabled at separation, so any activity in a departed user's account is anomalous; the same rule applies to an account that has been idle for 60 days and suddenly becomes active.
Monitor Removable Media
Monitor and analyze what information is transferred to removable media connected to a system, since this is a common exfiltration path for insiders.
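The brute-force and dormant-account use cases above can be expressed as small detections over an authentication log. The following is an added example written for this page, not code from any UEBA product; the event tuples, the HR termination feed (`TERMINATED`) and the threshold constants are constructed for illustration. It generalizes the dormant-account case slightly: when HR context is available, any activity on or after the termination date is flagged, and without it the 60-day idle rule is applied to every account.

```python
"""Two UEBA detections over constructed authentication events (added example).

1. Brute force: more than BRUTE_FORCE_THRESHOLD failed logins by one user inside a
   sliding BRUTE_FORCE_WINDOW.
2. Dormant account activity: an account that authenticates after DORMANT_DAYS of
   silence, or (with HR context) any time after its owner's termination date.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 10                  # "fails more than 10 times ..."
BRUTE_FORCE_WINDOW = timedelta(minutes=5)   # "... within 5 minutes"
DORMANT_DAYS = 60

BASE = datetime(2021, 1, 4, 10, 0, 0)

# Constructed sample events, not real logs: (timestamp, user, outcome).
EVENTS = (
    # alice: 12 failures 20 seconds apart, so 11 fall inside one 5-minute window
    [(BASE + timedelta(seconds=20 * i), "alice", "failure") for i in range(12)]
    # bob: 10 failures 2 minutes apart; never more than 3 in any 5-minute window
    + [(BASE + timedelta(minutes=2 * i), "bob", "failure") for i in range(10)]
    # carol: normal login in October, then silence until January (95 idle days)
    + [(datetime(2020, 10, 1, 9, 0), "carol", "success"),
       (datetime(2021, 1, 4, 11, 15), "carol", "success")]
    # dave: last seen in November, left on 2020-12-01, account logs in again in January
    + [(datetime(2020, 11, 20, 9, 0), "dave", "success"),
       (datetime(2021, 1, 4, 23, 40), "dave", "success")]
)

# Constructed HR context (assumed feed from an HR system): user -> termination date.
TERMINATED = {"dave": datetime(2020, 12, 1)}


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Return (user, timestamp, failures_in_window) once per burst in which a
    user's failed logins inside `window` exceed `threshold`."""
    alerts = []
    recent = defaultdict(deque)           # user -> timestamps of recent failures
    for ts, user, outcome in sorted(events):
        if outcome != "failure":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:         # drop failures that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((user, ts, len(q)))
            q.clear()                     # one alert per burst, not per extra failure
    return alerts


def detect_dormant_activity(events, terminated=None, dormant_days=DORMANT_DAYS):
    """Return (user, timestamp, risk, reason) for activity on a dormant account.

    Any activity on or after a user's termination date is high risk, because the
    account should have been disabled at separation. Without HR context, the
    first event after `dormant_days` of silence is flagged as medium risk.
    """
    terminated = terminated or {}
    last_seen = {}
    alerts = []
    for ts, user, _outcome in sorted(events):
        left_on = terminated.get(user)
        prev = last_seen.get(user)
        if left_on is not None and ts >= left_on:
            alerts.append((user, ts, "high",
                           f"activity {(ts - left_on).days} days after leaving the organization"))
        elif prev is not None and ts - prev > timedelta(days=dormant_days):
            alerts.append((user, ts, "medium",
                           f"first activity after {(ts - prev).days} idle days"))
        last_seen[user] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(EVENTS):
        print("brute force:", alert)
    for alert in detect_dormant_activity(EVENTS, TERMINATED):
        print("dormant account:", alert)
```

Note the two things the sample data is built to show: bob's ten failures spread over twenty minutes never exceed the threshold inside one window, so a fixed count without a window would have produced a false positive; and dave's 45-day gap is below the idle threshold, so only the HR termination feed catches his account, which is why HR and user context sits among the data pillars.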
UEBA vs SIEM
Security Information and Event Management (SIEM) tools are also an option for teams looking to understand user behavior, and many current SIEM platforms bundle UEBA as a module. The following are the key differences between a stand-alone UEBA tool and a traditional, rule-driven SIEM.

| UEBA | SIEM |
|---|---|
| Continuously baselines behavior and scores deviations as they occur. | Correlates events against predefined rules; point-in-time analysis of event data. |
| Machine learning models and statistical algorithms analyze data in near real time. | Rule writing, tuning and investigation are largely manual effort. |
| Provides risk scoring that ranks threats by severity. | Generates alerts on rule matches, which may or may not be malicious. |
| Processes large volumes of structured and unstructured data (logs, flows, HR and business context). | Primarily processes structured, parsed logs. |
Sample UEBA Report
Security Events
Risk Levels
- Medium
- High
Anomalous Reasons
- Suspicious Endpoint
- Unusual User Location
- Unusual User Login Time
- Unusual Application Access
Anomalous Activity

| Risk Level | Anomalous Reason | Timestamp | Result | User | Application | Access Device | Second Factor |
|---|---|---|---|---|---|---|---|
| High | Unusual Application Access | 10:39 PM, January 04, 2021 | Denied (endpoint is not trusted) | Jmarty | Python Web SDK (kmb) | iOS 14.4 | Passcode |
| High | Unusual Application Access | 08:24 PM, January 04, 2021 | Denied (endpoint is not trusted) | Psmith | Microsoft OWA 166 | iOS 14.3 | Passcode |
| Medium | Suspicious Endpoint | 06:05 PM, January 04, 2021 | Denied (endpoint is not trusted) | Bjoseph | Juniper SSL VPN 10 | iOS 13.5 | Passcode |
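The report above is the output side; the input side is the per-user baseline built by the monitoring and machine-learning components described under Main Components. The following added example (written for this page, not a vendor's code) shows that loop in miniature: it learns each user's usual login hours, countries, applications and devices from history, then scores new access events and attaches the same kind of anomalous reasons the sample report lists. All history rows, new events, reason weights, the 10% baseline floor and the Medium/High cut-offs are constructed assumptions.

```python
"""Baseline-and-deviation scoring of access events (added example).

Build a per-user profile of normal login hours, countries, applications and
devices from history, then score new events and attach report-style reasons
(Unusual User Login Time, Unusual User Location, Unusual Application Access,
Suspicious Endpoint).
"""
from collections import Counter, defaultdict
from datetime import datetime

# Weights and risk levels are assumptions chosen for illustration.
REASON_WEIGHTS = {
    "Unusual User Login Time": 1,
    "Unusual User Location": 2,
    "Unusual Application Access": 2,
    "Suspicious Endpoint": 2,
}
FEATURES = ("hours", "countries", "apps", "devices")


def _history(user, days, hours, country, apps, device):
    """Generate constructed, well-behaved history rows:
    (user, timestamp, country, application, device, device_trusted)."""
    return [(user, datetime(2020, 12, d, h), country, app, device, True)
            for d in days for h in hours for app in apps]


# Constructed history, not real data.
HISTORY = (
    _history("jmarty", range(1, 11), (9, 13, 17), "US",
             ("Microsoft OWA", "Juniper SSL VPN"), "Windows 10")
    + _history("bjoseph", range(1, 11), (8, 12, 18), "DE", ("Juniper SSL VPN",), "macOS 11")
    # one stray login from Brazil: too rare to become part of jmarty's baseline
    + [("jmarty", datetime(2020, 12, 15, 13), "BR", "Microsoft OWA", "Windows 10", True)]
)

# Constructed new events to score.
NEW_EVENTS = [
    ("jmarty", datetime(2021, 1, 4, 22, 39), "US", "Python Web SDK", "iOS 14.4", False),
    ("bjoseph", datetime(2021, 1, 4, 18, 5), "DE", "Juniper SSL VPN", "iOS 13.5", False),
    ("bjoseph", datetime(2021, 1, 5, 12, 0), "DE", "Juniper SSL VPN", "macOS 11", True),
]


def build_profiles(history, min_share=0.10):
    """Per user, keep each feature value seen in at least `min_share` of that
    user's history. The floor keeps a single outlier from being learned as normal."""
    counts = defaultdict(lambda: {f: Counter() for f in FEATURES})
    totals = Counter()
    for user, ts, country, app, device, _trusted in history:
        c = counts[user]
        c["hours"][ts.hour] += 1
        c["countries"][country] += 1
        c["apps"][app] += 1
        c["devices"][device] += 1
        totals[user] += 1
    return {user: {f: {v for v, n in c[f].items() if n / totals[user] >= min_share}
                   for f in FEATURES}
            for user, c in counts.items()}


def score_event(profiles, event):
    """Compare one event with its user's baseline and return a report-style row.
    A user with no history has an empty baseline, so every feature is unusual."""
    user, ts, country, app, device, trusted = event
    profile = profiles.get(user, {f: set() for f in FEATURES})
    reasons = []
    if ts.hour not in profile["hours"]:
        reasons.append("Unusual User Login Time")
    if country not in profile["countries"]:
        reasons.append("Unusual User Location")
    if app not in profile["apps"]:
        reasons.append("Unusual Application Access")
    if not trusted or device not in profile["devices"]:
        reasons.append("Suspicious Endpoint")
    score = sum(REASON_WEIGHTS[r] for r in reasons)
    level = "Low" if score == 0 else "Medium" if score <= 2 else "High"
    return {"risk_level": level, "score": score, "reasons": reasons, "user": user,
            "timestamp": ts, "application": app, "access_device": device}


def report(profiles, events):
    """Rows for Medium and High risk events only, highest score first."""
    rows = [score_event(profiles, e) for e in events]
    return sorted((r for r in rows if r["risk_level"] != "Low"),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in report(build_profiles(HISTORY), NEW_EVENTS):
        print(row["risk_level"], row["user"], ", ".join(row["reasons"]))
```

Two design points carry over to real deployments. First, the baseline floor: jmarty's single login from Brazil is in the history but is excluded from his profile, so a later login from there is still reported as an unusual location; without such a floor an attacker who gets one quiet login in would poison the baseline. Second, the scoring is additive across independent reasons, which is what lets an untrusted phone alone land at Medium while an untrusted phone plus an off-hours login to a never-used application lands at High, matching the ordering in the sample report.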
Best Practices

- Identify the sources of data for user behavior: authentication and directory logs, network flows, endpoint and system logs, and HR context such as joiners and leavers.
- Enable Active Directory auditing to track logon, account management and privilege-use events on your systems.
- Audit the systems that hold sensitive information.
- Track account creation, privilege changes and account logins.
- Review account permissions frequently, and disable or remove dormant accounts.
- Feed the UEBA solution all relevant data sources; a baseline built on partial data produces both missed detections and false positives.
- Regularly review UEBA reports and investigate the incidents they raise.
- Define use cases that matter to your organization and validate them against your own data before relying on the alerts.
- Consider tools such as Microsoft Advanced Threat Analytics (since succeeded by Microsoft Defender for Identity) and Code42 Incydr.
Have Suggestions?
We would love to hear your feedback, questions, comments and suggestions. They help us make the knowledge center better and more useful.
Share your thoughts and ideas at knowledgecenter@qasource.com