Definition
User and Entity Behavior Analytics (UEBA) applies statistical and machine-learning models to baseline the normal activity of users and entities (hosts, service accounts, applications), then flags significant deviations from that baseline as potential threats. Because it scores behaviour instead of matching known indicators, UEBA catches threats that signature-based tools miss: compromised credentials used in ways the legitimate owner never would, insiders accessing unusual data, lateral-movement patterns, and impossible-travel logins (two sessions from locations too far apart for the elapsed time between them). UEBA is increasingly delivered as a feature of SIEM (Microsoft Sentinel, Splunk) and CASB (Symantec CloudSOC) platforms rather than as a standalone product. The hardest part is baseline quality: the window length decides what counts as normal, so a 7-day, a 90-day and a 6-month baseline each flag different deviations. A short window adapts quickly to legitimate change but also absorbs an attacker who escalates slowly; a long window catches the slow ramp but is noisier for users whose roles have recently changed.
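The two detections named above, impossible travel and a volume baseline whose verdict depends on window length, as an added example in Python. This is illustrative code written for this page, not a vendor's UEBA engine; the login events, the daily download volumes, the 900 km/h speed ceiling and the 3-sigma alert threshold are all constructed assumptions, and the scoring is a plain z-score rather than a trained model.

```python
"""Toy UEBA checks over constructed telemetry (added example, not vendor code).

Detection 1: impossible travel between consecutive logins by one user.
Detection 2: a user's daily download volume scored against a z-score
baseline, run with two window lengths to show why baseline length matters.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner ground speed
Z_THRESHOLD = 3.0          # assumed alert threshold in standard deviations


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """logins: iterable of (user, datetime, lat, lon).
    Returns one (user, t_prev, t_now, km, kmh) tuple for each pair of
    consecutive logins that would require moving faster than max_kmh."""
    hits, last_seen = [], {}
    for user, ts, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        if user in last_seen:
            p_ts, p_lat, p_lon = last_seen[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (ts - p_ts).total_seconds() / 3600
            # Two places at the same instant is treated as infinite speed
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                hits.append((user, p_ts, ts, round(km), round(kmh)))
        last_seen[user] = (ts, lat, lon)
    return hits


def volume_zscore(daily, window_days):
    """Score the most recent day against the preceding window_days days.
    Returns (z, flagged). A flat baseline (sigma == 0) flags any change."""
    baseline, today = daily[-window_days - 1:-1], daily[-1]
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        return (float("inf") if today != mu else 0.0, today != mu)
    z = (today - mu) / sigma
    return (round(z, 2), z > Z_THRESHOLD)


# --- constructed sample data ---------------------------------------------
T0 = datetime(2024, 5, 1, 8, 0)
LOGINS = [  # (user, time, lat, lon); coordinates are city centres
    ("alice", T0 + timedelta(hours=1), 51.5074, -0.1278),    # London
    ("alice", T0 + timedelta(hours=3), -33.8688, 151.2093),  # Sydney, 2h later
    ("bob", T0, 40.7128, -74.0060),                          # New York
    ("bob", T0 + timedelta(hours=4), 42.3601, -71.0589),     # Boston, 4h later
]

# 90 quiet days of 200-240 MB, then 7 days of steadily growing downloads,
# then today's 2500 MB: a slow ramp that a short baseline simply absorbs.
DAILY_MB = ([200 + (i % 5) * 10 for i in range(90)]
            + [400, 700, 1000, 1300, 1600, 1900, 2200]
            + [2500])


def run_demo():
    """Run both detections and return the verdicts for inspection."""
    travel = impossible_travel(LOGINS)
    z7, flagged7 = volume_zscore(DAILY_MB, 7)
    z90, flagged90 = volume_zscore(DAILY_MB, 90)
    return {
        "travel_users": [h[0] for h in travel],
        "z7": z7, "flagged7": flagged7,
        "z90": z90, "flagged90": flagged90,
    }


if __name__ == "__main__":
    for hit in impossible_travel(LOGINS):
        print("impossible travel:", hit)
    for window in (7, 90):
        z, flagged = volume_zscore(DAILY_MB, window)
        print(f"{window:>3}-day baseline -> z={z}, flagged={flagged}")
```

Against the 7-day window the baseline consists entirely of the ramp days, so today's 2500 MB scores only z = 2.0 and is not flagged; against the 90-day window the same day scores well above 3 sigma. That is the baseline-length effect the definition describes: the short window has already learned the attacker's escalation as normal. Bob's New York to Boston pair works out to under 80 km/h and passes, while Alice's London to Sydney pair implies thousands of km/h and is flagged.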
Related terms
- SIEM (Security Information and Event Management) - Platform that aggregates security events from across the environment for correlation, search, and alerting.
- CASB (Cloud Access Security Broker) - Security layer between users and cloud apps; provides visibility, governance, and DLP for SaaS.
- SOC (Security Operations Center) - Centralized team responsible for monitoring, detecting, investigating, and responding to security incidents.