UEBA (User and Entity Behavior Analytics)
Security analysis technology that establishes behavioral baselines for users and systems and detects statistically significant deviations. UEBA identifies insider threats and compromised accounts even when no known IoCs are available.
UEBA (User and Entity Behavior Analytics) learns the normal behavior of each user and each system—and raises an alarm when behavior deviates significantly. Instead of searching for known attack patterns (IoCs), UEBA detects anomalous behavior regardless of the attack vector.
The UEBA Principle
Normal behavior of user "max.müller":
- Login: 8:30–9:00 AM, from Berlin, Windows laptop
- File access: ~200 documents/day, "Projects/Client-A" folder
- Email: ~50 incoming/outgoing, no attachments > 10 MB
- VPN: never outside business hours
Anomaly Detection:
| Event | Risk Score |
|---|---|
| Login at 3:17 AM from Thailand | +40 |
| 5,000 documents in 2 hours | +60 |
| 2 GB ZIP file to USB | +50 |
| 847 MB email sent to gmail.com | +70 |
Combined Risk Score: 220 → critical alert
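The additive scoring above, worked through in code. This is an added example, not code from the original page or from any UEBA product: it learns a baseline for one user from constructed history, assigns the page's point values to the four deviations and maps the combined score to a severity. The user name, the sample events, the thresholds (10x the hourly file-access rate, 1 GB to USB, 500 MB to a domain the user has never e-mailed) and the severity cut-offs are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

MB = 1024 * 1024

# Constructed history for user "max.mueller": 20 ordinary days. Logins at 08:30
# or 09:00 from Germany, roughly 200 file accesses spread over an 8-hour day,
# small e-mails to one client domain. None of this is real log data.
HISTORY = []
for d in range(1, 21):
    HISTORY.append({"type": "login", "ts": datetime(2024, 3, d, 8 if d % 2 else 9, 30 if d % 2 else 0),
                    "country": "DE"})
    HISTORY.append({"type": "file_access", "ts": datetime(2024, 3, d, 10, 0),
                    "count": 190 + d % 20, "hours": 8})
    HISTORY.append({"type": "email", "ts": datetime(2024, 3, d, 11, 0),
                    "bytes": 2 * MB, "recipient_domain": "client-a.example"})


@dataclass
class Baseline:
    login_hours: set       # hours of day at which the user normally logs in
    countries: set         # countries the user normally logs in from
    files_per_hour: float  # average file-access rate during a working day
    mail_domains: set      # recipient domains the user normally e-mails


def build_baseline(history):
    """Learn the user's normal behavior from historical events."""
    logins = [e for e in history if e["type"] == "login"]
    access = [e for e in history if e["type"] == "file_access"]
    mails = [e for e in history if e["type"] == "email"]
    return Baseline(
        login_hours={e["ts"].hour for e in logins},
        countries={e["country"] for e in logins},
        files_per_hour=mean(e["count"] / e["hours"] for e in access),
        mail_domains={e["recipient_domain"] for e in mails},
    )


def score_event(bl, ev):
    """Return (points, reason) for one event, or (0, "") if it fits the baseline.
    Point values mirror the page's table; the thresholds are assumptions."""
    t = ev["type"]
    if t == "login" and (ev["ts"].hour not in bl.login_hours or ev["country"] not in bl.countries):
        return 40, f"login at {ev['ts']:%H:%M} from {ev['country']} outside baseline"
    if t == "file_access":
        rate = ev["count"] / ev["hours"]
        if rate > 10 * bl.files_per_hour:
            return 60, f"{ev['count']} files in {ev['hours']} h, {rate / bl.files_per_hour:.0f}x the normal rate"
    if t == "usb_transfer" and ev["bytes"] > 1024 * MB:
        return 50, f"{ev['bytes'] // MB} MB written to USB"
    if t == "email" and ev["bytes"] > 500 * MB and ev["recipient_domain"] not in bl.mail_domains:
        return 70, f"{ev['bytes'] // MB} MB e-mailed to new domain {ev['recipient_domain']}"
    return 0, ""


SEVERITY = ((200, "critical"), (100, "high"), (50, "medium"))  # assumed cut-offs


def combined_risk(bl, events):
    """Sum the points of all anomalous events in a window and map the total to a severity."""
    findings = [(p, why) for p, why in (score_event(bl, e) for e in events) if p]
    total = sum(p for p, _ in findings)
    severity = next((name for limit, name in SEVERITY if total >= limit), "low")
    return total, severity, findings


# The four deviations from the page's table, as constructed events on one day.
SUSPICIOUS = [
    {"type": "login", "ts": datetime(2024, 3, 22, 3, 17), "country": "TH"},
    {"type": "file_access", "ts": datetime(2024, 3, 22, 3, 30), "count": 5000, "hours": 2},
    {"type": "usb_transfer", "ts": datetime(2024, 3, 22, 5, 40), "bytes": 2 * 1024 * MB},
    {"type": "email", "ts": datetime(2024, 3, 22, 6, 5), "bytes": 847 * MB, "recipient_domain": "gmail.com"},
]

if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    total, severity, findings = combined_risk(bl, SUSPICIOUS)
    for points, why in findings:
        print(f"+{points:>3}  {why}")
    print(f"combined risk score {total} -> {severity}")
```

A single login from an unusual country scores 40 points and stays below every alert threshold; only the accumulation of independent deviations inside one window pushes the score to 220 and a critical alert, which is the point the table above makes.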
Use Cases
Insider Threat Detection
Scenario: Employee resigns and exfiltrates data
Without UEBA:
- Download of 50,000 files to USB not detected
- No known IoC, no malware
With UEBA:
- Baseline: 150 file accesses/day
- Anomaly: 50,000 accesses in 3 hours
- Risk Score critical → Alert → Analyst investigates
Compromised Account
Scenario: Credential stuffing successful – account taken over
Without UEBA:
- Login with real password → no firewall alert
- Standard SIEM has no alert trigger
With UEBA:
- Login from unknown country → +30
- Login at unusual time → +25
- Access to folder never visited before → +40
- Total: "Account Takeover Risk" alert
Privilege Escalation Detection
Scenario: Attacker escalates from normal to admin account
Patterns detected by UEBA:
- Account accesses domain controller for the first time
- Unusual admin tool usage (PsExec, Mimikatz)
- New service installed on server at an unusual time
UEBA Technology
UEBA uses machine learning:
| Method | Description |
|---|---|
| Statistical Analysis | Deviations from personal average |
| Peer Group Analysis | Comparison with similar users (e.g., all accountants) |
| Time Series Analysis | Time-based patterns (time of day, day of the week) |
| Entity Graphs | Relationships between users and assets |
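Two of the four methods in the table, statistical analysis and peer-group analysis, as an added example in Python (not the page's code and not any vendor's algorithm). It scores a user's daily file-access count first against that user's own history (a z-score) and then against what the peer group did on the same day, and only raises an anomaly when both disagree with the value. The user names, the daily counts and the floor applied to the standard deviation are constructed assumptions; the scenario with 50,000 accesses is the insider-threat case from the use cases above.

```python
from statistics import mean, pstdev

# Constructed daily file-access counts for 30 days, one list per user. All five
# users belong to the same peer group ("accounting"). Not real log data.
DAILY_FILE_ACCESS = {
    "max.mueller":  [140 + (d * 7) % 21 for d in range(30)],
    "anna.schmidt": [135 + (d * 11) % 31 for d in range(30)],
    "tom.weber":    [145 + (d * 5) % 19 for d in range(30)],
    "lisa.braun":   [150 + (d * 3) % 17 for d in range(30)],
    "jan.koch":     [138 + (d * 13) % 29 for d in range(30)],
}


def zscore(value, samples, min_rel_sd=0.05):
    """Standard deviations between value and the mean of samples. The standard
    deviation is floored at 5 % of the mean (and at 1.0) so that a very uniform
    history or a tiny peer group cannot turn a small change into a huge z."""
    mu = mean(samples)
    sd = max(pstdev(samples), min_rel_sd * mu, 1.0)
    return (value - mu) / sd


def analyze(user, today_counts, threshold=3.0):
    """Statistical analysis against the user's own history, then peer-group
    analysis against what the other group members did on the same day.
    today_counts maps every member of the peer group to today's count."""
    today = today_counts[user]
    peers = [v for u, v in today_counts.items() if u != user]
    z_self = zscore(today, DAILY_FILE_ACCESS[user])
    z_peer = zscore(today, peers)
    if z_self > threshold and z_peer > threshold:
        verdict = "anomaly"          # unusual for this user AND for the role
    elif z_self > threshold:
        verdict = "peer-consistent"  # unusual for the user, but peers did the same
    else:
        verdict = "normal"
    return {"z_self": round(z_self, 1), "z_peer": round(z_peer, 1), "verdict": verdict}


# Scenario 1: the insider-threat case, ~50,000 accesses while peers have an ordinary day.
EXFIL_DAY = {"max.mueller": 50000, "anna.schmidt": 150, "tom.weber": 160,
             "lisa.braun": 148, "jan.koch": 155}
# Scenario 2: month-end close, every accountant touches far more files than usual.
MONTH_END = {"max.mueller": 400, "anna.schmidt": 410, "tom.weber": 390,
             "lisa.braun": 420, "jan.koch": 380}
# Scenario 3: an ordinary day.
ORDINARY = {"max.mueller": 152, "anna.schmidt": 141, "tom.weber": 158,
            "lisa.braun": 163, "jan.koch": 149}

if __name__ == "__main__":
    for name, day in (("exfiltration day", EXFIL_DAY), ("month-end close", MONTH_END), ("ordinary day", ORDINARY)):
        print(f"{name:18} {analyze('max.mueller', day)}")
```

The month-end scenario is where the peer comparison earns its keep: against his own baseline the user is more than 30 standard deviations out, but every accountant in the group shows the same spike, so the event is suppressed rather than raised. That is the "context-aware" behavior behind the lower false-positive rate claimed in the SIEM comparison further down.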
Data Sources:
| Source | Data |
|---|---|
| AD/Entra ID | Login events, group changes |
| EDR | Process launches, file operations |
| DLP | File transfers, email attachments |
| Network | Connections, bandwidth |
| Cloud | Azure/AWS API calls, configuration changes |
UEBA vs. SIEM
| | SIEM | UEBA |
|---|---|---|
| Basis | Known rules/signatures | Behavioral baselines |
| Unknown attacks | Not detected | Detected (anomaly) |
| False positives | Can be high | Lower (context-aware) |
| Insider threats | Limited | Strength of UEBA |
| Complexity | Medium | High (ML models) |
SIEM and UEBA are complementary—most modern SIEM platforms (Microsoft Sentinel, Splunk, Elastic) integrate UEBA capabilities.
Market Overview
- Microsoft Sentinel – Integrated UEBA (Entity Behavior Analytics)
- Splunk UBA – Standalone UEBA solution
- Exabeam – Specializes in UEBA + SIEM
- Securonix – Cloud-native UEBA
- IBM QRadar UBA – Enterprise focus
- Varonis – Focus on file access and cloud data
For SMBs, Microsoft Sentinel with Entity Behavior Analytics enabled is recommended – already included in M365 E5.