User and Entity Behavior Analytics (UEBA) explained

August 19, 2020  |  Nick Cavalancia

This blog was written by a third party author

What is UEBA?

User and Entity Behavior Analytics (UEBA) is an area of cybersecurity that focuses on analyzing activity – specifically user behavior, device usage, and security events ­– within your network environment to help companies detect potential insider threats and compromised accounts. While the concept has been around for some time, it was first defined in detail by Gartner in 2015 in its Market Guide for User and Entity Analytics.

How Does UEBA Work?

In essence, UEBA solutions create a baseline of standard behavior for users and entities within a corporate network and look for deviations to the baseline, alerting network admins or security teams to anything that could indicate a potential security threat.

To do this, UEBA solutions collect live data that includes user actions (such as applications used, interactions with data, keystrokes, mouse movement, and screenshots), activity on devices attached to the network (such as servers, routers, and data repositories), as well as security events from supported devices and platforms. Advanced analytical methods are then applied to this data to model the baseline of activity. Once this baseline of behavior has been established, the UEBA solution will continuously monitor behavior on the network and compare it to the established baseline, looking for behavior that extends beyond an established activity threshold to alert appropriate teams of the detected anomaly.

Award Winning SIEM

Threat detection, incident response, and compliance management in one, unified solution.

Learn more


Initially this technology was referred to simply as User Behavior Analytics (UBA). As the name implies, this concept focused exclusively on activity at the user level in order to indicate potential threats. However, Gartner later added the “entity” to reflect the fact that “other entities besides users are often profiled in order to more accurately pinpoint threats”. Gartner defined these other entities as including managed and unmanaged endpoints, servers, and applications (whether cloud-based, mobile-based, or on-premises based).

This expanded scope then includes looking for any “suspicious” or anomalous activity that may be based on network traffic or requests sent from a specific endpoint to unusual ports or external IP addresses, operating system process behavior, privileged account activity on specific devices, the volume of information being accessed or altered, or the type of systems being accessed.

By broadening the scope of its focus to cover non-human processes and machine entities, Gartner’s UEBA definition means UEBA can analyze both sources of data to gain greater context and insight around activity to produce a more accurate profile of the baseline of activity within an IT network.

This results in the solution being able to more accurately pinpoint anomalies and potential threats, including things that would often have gone unnoticed by “traditional” security monitoring processes such as SIEM or DLP.

Does SIEM offer UEBA? 

With many corporate security teams having already implemented security information and event management (SIEM) solutions, a common question is whether UEBA and SIEM offer the same protection. After all, they both collect security-related information that can indicate a potential or active threat.

UEBA solutions typically include the following benefits:

  • The ability to use behavioral baselining to accurately detect compromised user accounts
  • Automation to create improved security efficiency
  • The use of advanced behavioral analytics helps to reduce the attack surface by frequently updating IT security staff and network admins about any potential weak points within the network

The key difference is that SIEM solutions are traditionally more focused on log and event data, which wouldn’t allow you to create a standard baseline of overall user and network environment behavior in the same way that a UEBA-focused solution would. However, it’s important to note, that similar to UEBA solutions, this information gathered by SIEM solutions comes from a wide range of different IT network endpoints and is then collated and analyzed within a central system.

Sound familiar? It should; the line between UEBA and SIEM can be rather thin, depending on the collection and analysis capabilities of a given SIEM solution.

With the right input data, the SIEM solution can process the collected data, combine it with real-time event analysis, and present it in a format that helps provide security analysts and system administrators with actionable insights into anomalies that may indicate a threat.

The use of SIEM solutions is becoming increasingly widespread within the corporate landscape as they do offer organizations a number of important benefits, these include:

  • Improved handling of cybersecurity incident and response
  • Improved security defenses
  • The ability to automate compliance reporting to help organizations achieve compliance with the relevant regulations – GDPR, HIPAA, and PCI DSS etc – for their industry.

To be able to more accurately predict potential threats through user and entity activity, SIEM solutions need to both a) be able to collect needed and relevant activity and behavioral data, and b) have the ability to accurately analyze that data in the context of finding anomalous threat-related activity to produce more targeted and actionable alerting.

As you can see, there are some differences between the two solutions. But, as long as SIEM solutions can be set up to comprehensively collect enough similar data to provide the same value as a traditional UEBA solution, and provide the needed conclusive analysis to identify leading and active indicators of threat activity, SIEM solutions become a viable option in an organizations journey to implement UEBA.

Share this with others

Featured resources



2024 Futures Report

Get price Free trial