UEBA — User and Entity Behavior Analytics — is the part of modern security monitoring that learns what normal looks like for each user and system, then flags the behaviour that deviates. It catches threats that static rules miss: a compromised account, an insider going rogue, or lateral movement whose individual steps each look harmless. This guide explains what UEBA is, how it works, and how it fits a SIEM.
What is UEBA?
User and Entity Behavior Analytics (UEBA) is a security technology that uses statistical analysis and machine learning to build a behavioral baseline for users and entities, then detects anomalies that may indicate a threat. Rather than asking "did this match a known-bad rule?", UEBA asks "is this behaviour normal for this user or system?"
Why the "Entity" matters
The earlier term was UBA — just user behavior analytics. The E was added because attacks do not only involve user accounts. An entity can be a host, server, application, service account, or IP address. Modelling entities as well as users catches threats that have no human at the keyboard — a compromised service account, a server beaconing to a command-and-control host, or a database accessed in a way it never normally is.
How UEBA works
- Baseline — learn each user's and entity's normal pattern (login times, locations, data volumes, peer-group behaviour).
- Compare — measure current activity against that baseline, accounting for daily and weekly rhythms.
- Score the anomaly — the more abnormal the behaviour, the higher the risk it contributes.
- Feed risk — anomaly risk is attributed to the user or entity and, in a modern SIEM, added to its overall risk score.
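The four steps above, carried through as an added example (this is illustrative code, not LogPulse's implementation). It baselines each entity's daily outbound volume separately for weekdays and weekends, z-scores today's value against the matching baseline, converts the excess into capped risk points, and sums them into a bounded 0–100 entity score. The entity names, byte counts, the weekday/weekend split, the 5% sigma floor and the scoring constants (Z_MIN, PER_SIGMA, CAP) are all constructed assumptions.

```python
"""Added example (not LogPulse code): toy baseline -> compare -> score ->
feed-risk pipeline for per-entity daily outbound volume.

Entity names, byte counts, the weekday/weekend rhythm split and the scoring
constants (Z_MIN, PER_SIGMA, CAP) are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

Observation = Tuple[str, int, int]   # (entity, weekday 0=Mon..6=Sun, bytes_out)

# Constructed history: one week per entity. alice is quiet at weekends;
# db-svc sends exactly the same volume every day (a perfectly flat baseline).
HISTORY: List[Observation] = [
    ("alice", 0, 210_000), ("alice", 1, 190_000), ("alice", 2, 205_000),
    ("alice", 3, 230_000), ("alice", 4, 200_000),
    ("alice", 5, 5_000), ("alice", 6, 4_000),
] + [("db-svc", d, 1_000_000) for d in range(7)]

Z_MIN = 2.0       # anything within two sigma is "normal" and contributes nothing
PER_SIGMA = 10    # risk points per sigma beyond Z_MIN (assumed)
CAP = 40          # one anomaly alone can never max out the entity (assumed)


def rhythm(weekday: int) -> str:
    """Weekly rhythm bucket: weekday and weekend traffic get separate baselines."""
    return "weekend" if weekday >= 5 else "weekday"


def build_baselines(history: Iterable[Observation]) -> Dict[Tuple[str, str], Tuple[float, float]]:
    """Baseline step: (mu, sigma) per (entity, rhythm bucket)."""
    buckets: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for entity, weekday, value in history:
        buckets[(entity, rhythm(weekday))].append(value)
    baselines: Dict[Tuple[str, str], Tuple[float, float]] = {}
    for key, values in buckets.items():
        mu = mean(values)
        # Floor sigma so a flat baseline (pstdev 0) cannot turn a tiny change into an
        # infinite z-score; 5% of the mean is an assumed tolerance, 1.0 a hard floor.
        sigma = max(pstdev(values), 0.05 * mu, 1.0)
        baselines[key] = (mu, sigma)
    return baselines


def contribution(baselines, entity: str, weekday: int, value: int) -> int:
    """Compare + score: z-score against the matching baseline, mapped to capped risk points."""
    key = (entity, rhythm(weekday))
    if key not in baselines:
        return 0          # no baseline yet: that is a first-seen question, not a volume one
    mu, sigma = baselines[key]
    z = (value - mu) / sigma
    if z <= Z_MIN:
        return 0          # within normal variation, including large *drops* in volume
    return min(CAP, int(round((z - Z_MIN) * PER_SIGMA)))


def entity_risk(baselines, observations: Iterable[Observation]) -> Dict[str, int]:
    """Feed risk: accumulate each entity's contributions into a bounded 0-100 score."""
    risk: Dict[str, int] = defaultdict(int)
    for entity, weekday, value in observations:
        risk[entity] = min(100, risk[entity] + contribution(baselines, entity, weekday, value))
    return dict(risk)


if __name__ == "__main__":
    bl = build_baselines(HISTORY)
    today = [("alice", 5, 50_000), ("alice", 2, 215_000), ("db-svc", 0, 1_250_000)]
    print(entity_risk(bl, today))   # {'alice': 40, 'db-svc': 30}
```

Two details carry the practical lesson: 50,000 bytes is unremarkable for alice on a Wednesday but nearly a hundred sigma out on a Saturday, which is why the rhythm bucket is part of the baseline key; and db-svc's flat history would divide by zero without the sigma floor, so a 25% rise scores a moderate 30 points rather than an infinite one.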
What UEBA catches
- Compromised accounts — credentials used from a new location or device, or at an impossible travel speed.
- Insider threats — a user suddenly accessing or exfiltrating data outside their normal scope.
- Lateral movement — an entity reaching systems it has never touched before.
- First-seen activity and volume spikes — new behaviours and unusual surges that no static threshold anticipated.
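Two of the detections listed above, impossible travel and first-seen activity, as an added example run over constructed authentication log lines (illustrative code, not LogPulse's). The log format, the usernames, the IP addresses (RFC 5737 documentation ranges), the coordinates and the 900 km/h plausibility limit are assumptions. Volume spikes are deliberately left out here; they belong to a baseline-and-z-score scorer rather than to per-event logic.

```python
"""Added example (not LogPulse code): impossible-travel and first-seen-host
detections over constructed authentication log lines.

The key=value log format, users, IPs (RFC 5737 ranges), coordinates and the
900 km/h limit are assumptions for illustration.
"""
import math
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airline cruising speed
MIN_DISTANCE_KM = 50.0      # assumed: ignore geolocation jitter within a city

# Constructed sample log: ISO timestamp followed by key=value fields.
# alice authenticates from Berlin twice, then 45 minutes later from New York.
AUTH_LOG = """\
2024-05-01T08:02:11Z user=alice src=203.0.113.10 geo=52.52,13.41 host=vpn-1 result=success
2024-05-01T08:45:03Z user=alice src=203.0.113.10 geo=52.52,13.41 host=mail-1 result=success
2024-05-01T09:30:40Z user=alice src=198.51.100.7 geo=40.71,-74.01 host=vpn-1 result=success
2024-05-01T09:31:15Z user=alice src=198.51.100.7 geo=40.71,-74.01 host=hr-db-1 result=success
2024-05-01T10:00:00Z user=bob src=203.0.113.22 geo=52.52,13.41 host=vpn-1 result=failure
"""

Finding = Tuple[str, str, str]   # (user, detection name, detail)


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP k=v k=v ...' into a dict; geo becomes a (lat, lon) float pair."""
    ts_str, *fields = line.split()
    event: dict = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    lat, lon = (float(x) for x in event["geo"].split(","))
    event["geo"] = (lat, lon)
    return event


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in km."""
    earth_radius_km = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def detect(log_text: str, known_hosts: Dict[str, Set[str]]) -> List[Finding]:
    """known_hosts is the learned profile: hosts each user touched during the baseline period.

    Walks the log in order, keeping each user's last successful login position to test
    for impossible travel, and flags any host the user has never been seen on before."""
    findings: List[Finding] = []
    last_seen: Dict[str, Tuple[datetime, Tuple[float, float]]] = {}
    seen: Dict[str, Set[str]] = {u: set(h) for u, h in known_hosts.items()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] != "success":
            continue   # a failed login does not move the user; brute-force signals live elsewhere
        user = ev["user"]
        if user in last_seen:
            prev_ts, prev_geo = last_seen[user]
            km = haversine_km(prev_geo, ev["geo"])
            hours = (ev["ts"] - prev_ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf   # same-second logins far apart are impossible too
            if km > MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_KMH:
                findings.append((user, "impossible_travel",
                                 f"{km:.0f} km in {hours * 60:.0f} min from {ev['src']}"))
        last_seen[user] = (ev["ts"], ev["geo"])
        hosts = seen.setdefault(user, set())
        if ev["host"] not in hosts:
            findings.append((user, "first_seen_host", ev["host"]))
            hosts.add(ev["host"])   # learn it so the second login to that host is not re-flagged
    return findings


if __name__ == "__main__":
    for finding in detect(AUTH_LOG, {"alice": {"vpn-1", "mail-1"}}):
        print(finding)
```

Run against the sample, it reports alice's Berlin-to-New-York hop (about 6,400 km in 46 minutes) and her first login to hr-db-1, while the repeat login from the same New York address a minute later is silent. The minimum-distance guard matters in practice: without it, two logins a few kilometres apart a second apart would trigger a bogus "impossible" speed.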
UEBA and SIEM
UEBA is most useful as part of a SIEM rather than a standalone tool. The SIEM collects and correlates the evidence; UEBA turns behaviour into a risk signal; and risk-based alerting combines that with detections and threat intel into one prioritised view. Together they help analysts decide which entity actually needs attention. See What is SIEM for the bigger picture.
Anomalies vs. thresholds
Static thresholds catch the problems you can name in advance. UEBA anomalies catch the ones you cannot — behaviour that is wrong for this entity even while still inside a fixed limit.
How LogPulse does UEBA
In LogPulse, behavioral analytics — impossible travel, first-seen activity, and volume spikes — feed the same risk model as detections and threat intelligence. Each anomaly contributes to an entity's bounded 0–100 risk score, so behaviour and known-bad signals are weighed together rather than in separate tools. See Security Monitoring (SIEM) for how UEBA, detections and threat intel converge on one score.