
UEBA

User and Entity Behavior Analytics (UEBA) is a detection approach that uses statistical and machine-learning models to learn how users and entities (hosts, service accounts, applications) normally behave and to flag deviations from that baseline. It targets threats that pass through rule- and signature-based controls because each individual action looks legitimate on its own.

The Context Problem

A user downloading 500 MB of data isn't inherently bad. A user downloading 500 MB at 3 AM on a Saturday from a Finance folder they have never accessed before is suspicious. UEBA supplies the context (who, when, from where, and how that compares with the user's own history) needed to tell the two apart.

How UEBA Works

Unlike a traditional SIEM, which matches events against predefined rules and signatures (e.g., "3 failed login attempts within 5 minutes"), UEBA builds a baseline of "normal" for every user and entity it observes and measures new activity against that baseline.

1. Baselining

The system ingests logs over a learning period (usually 2-4 weeks) to establish each user's and entity's normal patterns, such as typical working hours and days, the hosts and locations they connect from, the resources and applications they use, and their usual data volumes. Two practical caveats: the baseline has to be refreshed as roles and teams change, and if an attacker is already active during the learning window their activity is learned as normal.

2. Anomaly Detection

Once the baseline is established, the model scores every new action against it. Behavior that deviates significantly from the user's own history (a statistical outlier in time, volume, resource or location) raises that user's risk score. A single deviation is a weak signal; it is the accumulation of deviations that pushes the score past an alerting threshold.

3. Peer Analysis

UEBA also compares a user to their peer group. If everyone in the Marketing department uses Dropbox but Bob starts uploading to MegaUpload, Bob stands out, even though he has not yet done anything strictly "malicious".
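The three steps above, and the 3 AM Finance-folder scenario from the opening, as one runnable example. This is illustrative code added to this glossary entry, not the logic of any product; the events are constructed, and the score weights, the alert threshold of 50 and the choice of features (active-hours window, weekday, top-level resource, transfer-size z-score, peer resource set) are assumptions chosen to show the mechanics.

```python
"""Toy UEBA pipeline: learn a per-user baseline, score new events against it,
and compare each user with department peers. Example code, not a product."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (not real telemetry):
# (ISO timestamp, user, department, action, resource, bytes transferred)
BASELINE_EVENTS = [
    ("2024-03-04T09:12:00", "alice", "marketing", "download", "/marketing/brand-kit.zip", 8_000_000),
    ("2024-03-05T10:40:00", "alice", "marketing", "download", "/marketing/q1-plan.pptx", 4_000_000),
    ("2024-03-06T14:05:00", "alice", "marketing", "upload", "dropbox.com", 6_000_000),
    ("2024-03-07T11:30:00", "alice", "marketing", "download", "/marketing/assets.zip", 12_000_000),
    ("2024-03-04T09:50:00", "bob", "marketing", "download", "/marketing/campaign.docx", 2_000_000),
    ("2024-03-05T16:20:00", "bob", "marketing", "upload", "dropbox.com", 5_000_000),
    ("2024-03-06T10:10:00", "bob", "marketing", "download", "/marketing/logos.zip", 9_000_000),
    ("2024-03-04T08:45:00", "carol", "finance", "download", "/finance/ledger-2023.xlsx", 3_000_000),
    ("2024-03-05T13:15:00", "carol", "finance", "download", "/finance/forecast.xlsx", 2_500_000),
]
# Constructed events to score once the baseline exists (2024-03-23 is a Saturday)
NEW_EVENTS = [
    ("2024-03-23T03:07:00", "alice", "marketing", "download", "/finance/payroll-export.csv", 500_000_000),
    ("2024-03-19T10:15:00", "alice", "marketing", "download", "/marketing/newsletter.pdf", 5_000_000),
    ("2024-03-19T15:40:00", "bob", "marketing", "upload", "megaupload.com", 7_000_000),
]
ALERT_THRESHOLD = 50   # assumed cut-off; tune per environment


def resource_key(resource):
    """Collapse a path or hostname to the unit the baseline tracks:
    the top-level folder for paths, the hostname for external services."""
    if resource.startswith("/"):
        return "/" + resource.split("/")[1] + "/"
    return resource


def build_baseline(events):
    """Step 1, baselining: per user, record department, active hours and weekdays,
    resources touched and transfer sizes seen during the learning window."""
    users = defaultdict(lambda: {"dept": None, "hours": set(), "weekdays": set(),
                                 "resources": set(), "bytes": []})
    for ts, user, dept, _action, resource, nbytes in events:
        t = datetime.fromisoformat(ts)
        u = users[user]
        u["dept"] = dept
        u["hours"].add(t.hour)
        u["weekdays"].add(t.weekday())
        u["resources"].add(resource_key(resource))
        u["bytes"].append(nbytes)
    return users


def score_event(event, users):
    """Steps 2 and 3: additive risk score plus the reasons that contributed."""
    ts, user, dept, _action, resource, nbytes = event
    t = datetime.fromisoformat(ts)
    base = users[user]
    key = resource_key(resource)
    score, reasons = 0, []

    # Step 2, anomaly detection against the user's own history
    hours = base["hours"]
    if not hours or not (min(hours) <= t.hour <= max(hours)):
        score += 25
        reasons.append(f"hour {t.hour:02d} outside the user's active window")
    if t.weekday() not in base["weekdays"]:
        score += 15
        reasons.append("activity on a weekday the user is normally idle")
    if key not in base["resources"]:
        score += 25
        reasons.append(f"first access to {key}")
    if base["bytes"]:
        mu, sigma = mean(base["bytes"]), pstdev(base["bytes"])
        z = (nbytes - mu) / sigma if sigma > 0 else 0.0   # guard a flat history
        if z > 3:                                          # statistical outlier
            score += 30
            reasons.append(f"transfer size z-score {z:.1f}")

    # Step 3, peer analysis: does anyone else in the department use this resource?
    peers = [p for p, b in users.items() if p != user and b["dept"] == dept]
    peer_resources = set().union(*(users[p]["resources"] for p in peers))
    if key not in peer_resources:
        score += 20
        reasons.append(f"{key} not used by any {dept} peer")
    return score, reasons


def analyze(baseline_events=BASELINE_EVENTS, new_events=NEW_EVENTS):
    """Run the pipeline; one (user, resource, score, reasons) tuple per new event."""
    users = build_baseline(baseline_events)
    return [(ev[1], ev[4], *score_event(ev, users)) for ev in new_events]


if __name__ == "__main__":
    for user, resource, score, reasons in analyze():
        verdict = "ALERT" if score >= ALERT_THRESHOLD else "watch" if score else "normal"
        print(f"{verdict:6} {user:6} {resource:30} risk={score:3}  {'; '.join(reasons)}")
```

Alice's Saturday 3 AM pull of 500 MB from a Finance folder accumulates every signal and scores 115, well over the threshold; her ordinary Tuesday download scores 0; Bob's MegaUpload upload scores 45 on the first-access and peer checks alone, which is exactly the "stands out but not yet malicious" case from the peer-analysis paragraph. Real deployments replace the fixed weights with learned distributions and decay scores over time, but the structure (per-user baseline, per-event deviation, peer comparison, accumulated risk) is the same.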

Key Use Cases

Insider Threats

Malicious insiders already have valid credentials and legitimate access, so perimeter controls and access rules will not stop them: every individual action is authorized. UEBA detects the subtle shifts in their behavior, such as slowly exfiltrating small amounts of data or accessing sensitive files they don't need for their job.

Compromised Accounts

If an attacker steals a user's password, they authenticate as that user. An attacker rarely navigates the environment the way the employee does, though: they log in from new locations or devices, probe, scan, and move laterally. UEBA surfaces this as "impossible travel" (two logins from places too far apart for the elapsed time), "unusual resource access", and similar deviations from the account's baseline.
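The impossible-travel check described above, as an added example that is not part of the original entry or of any product. It assumes login events already carry a geolocation (real deployments derive it from the source IP with a GeoIP database), and the 1000 km/h cut-off is an assumption, roughly airliner speed.

```python
"""Impossible-travel check for the compromised-account case: consecutive logins by
the same account that would need an implausible speed to be the same person.
Example code added to illustrate the glossary entry; not a product's logic."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0   # assumed cut-off, roughly airliner cruise speed

# Constructed logins (not real data): (ISO timestamp in UTC, user, city, latitude, longitude).
# Coordinates are approximate city centres, used only to illustrate the geometry.
LOGINS = [
    ("2024-03-19T08:05:00", "alice", "Berlin",    52.52, 13.41),
    ("2024-03-19T09:10:00", "alice", "Sofia",     42.70, 23.32),   # ~1300 km, 65 minutes later
    ("2024-03-19T08:30:00", "bob",   "Amsterdam", 52.37,  4.90),
    ("2024-03-19T13:00:00", "bob",   "Paris",     48.86,  2.35),   # ~430 km, 4.5 hours later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one (user, from_city, to_city, km, hours, kmh) tuple for every pair of
    consecutive logins by the same user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for ts, user, city, lat, lon in sorted(logins):          # ISO timestamps sort lexically
        by_user[user].append((datetime.fromisoformat(ts), city, lat, lon))
    flagged = []
    for user, seq in by_user.items():
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(seq, seq[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")  # same-second logins from two places
            if kmh > max_kmh:
                flagged.append((user, c1, c2, round(km), round(hours, 2), round(kmh)))
    return flagged


if __name__ == "__main__":
    for user, src, dst, km, hours, kmh in impossible_travel(LOGINS):
        print(f"{user}: {src} -> {dst}, {km} km in {hours} h ({kmh} km/h)")
```

Alice's Berlin-to-Sofia pair (about 1300 km in just over an hour) is flagged; Bob's Amsterdam-to-Paris pair is an ordinary train ride and is not. The usual false-positive source is a VPN or cloud proxy whose egress address geolocates far from the user, so production rules typically exclude known corporate egress ranges before applying the speed test.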

Data Exfiltration

UEBA detects "low and slow" data theft, where an attacker trickles data out in small transfers over weeks so that no single transfer trips a threshold-based DLP (Data Loss Prevention) rule. Instead of judging each transfer in isolation, it compares cumulative outbound volume over a window against the user's normal volume for a window of the same length.
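A side-by-side of the two detection styles, added here as an example that is not part of the original entry or of any product. The transfer records are constructed; the 100 MB per-transfer DLP limit, the 14-day window and the 5x ratio are assumptions chosen to make the contrast visible.

```python
"""Low-and-slow exfiltration: why a per-transfer DLP threshold misses it and
how a rolling-window volume baseline catches it. Example code added to
illustrate the glossary entry; the thresholds are assumptions, not a product's."""
from collections import defaultdict
from datetime import date, timedelta

DLP_PER_TRANSFER_MB = 100.0   # assumed threshold-based DLP rule: alert on any transfer > 100 MB
WINDOW_DAYS = 14              # assumed rolling window
RATIO_THRESHOLD = 5.0         # assumed: alert when the window total exceeds 5x the baseline expectation

# Constructed transfers (not real data): (ISO date, user, megabytes sent outbound).
# Baseline month: ten ordinary uploads of 5 MB spread over February.
BASELINE = [(f"2024-02-{d:02d}", "alice", 5.0) for d in (1, 5, 8, 12, 14, 16, 20, 22, 26, 28)]
# Exfiltration month: 20 MB every day of March, each transfer well below the DLP limit.
TRICKLE = [(f"2024-03-{d:02d}", "alice", 20.0) for d in range(1, 31)]
# A single bulk transfer, for contrast.
BULK = [("2024-03-15", "alice", 500.0)]


def threshold_dlp_alerts(transfers, limit_mb=DLP_PER_TRANSFER_MB):
    """What a per-transfer rule sees: only transfers larger than the limit."""
    return [t for t in transfers if t[2] > limit_mb]


def daily_totals(transfers):
    """Aggregate outbound megabytes per calendar day."""
    totals = defaultdict(float)
    for ts, _user, mb in transfers:
        totals[date.fromisoformat(ts)] += mb
    return totals


def rolling_volume_alert(baseline, transfers, window_days=WINDOW_DAYS, ratio=RATIO_THRESHOLD):
    """Return (date, window_total_mb, expected_mb) on the first day the trailing
    window_days of outbound volume exceeds ratio * what the baseline predicts for
    a window of that length, or None if the volume never stands out."""
    if not baseline:
        return None   # no history to compare against; nothing can be called anomalous
    b_days = sorted(date.fromisoformat(ts) for ts, _, _ in baseline)
    span_days = (b_days[-1] - b_days[0]).days + 1           # idle days count toward the average
    per_day = sum(mb for _, _, mb in baseline) / span_days
    expected = per_day * window_days
    totals = daily_totals(transfers)
    for day in sorted(totals):
        start = day - timedelta(days=window_days - 1)
        window = sum(mb for d, mb in totals.items() if start <= d <= day)
        if window > ratio * expected:
            return day.isoformat(), round(window, 1), round(expected, 1)
    return None


if __name__ == "__main__":
    print("per-transfer DLP on trickle:", threshold_dlp_alerts(TRICKLE))
    print("rolling baseline on trickle:", rolling_volume_alert(BASELINE, TRICKLE))
    print("per-transfer DLP on bulk:", threshold_dlp_alerts(BULK))
```

The per-transfer rule never fires on the trickle (every transfer is 20 MB) but does on the 500 MB bulk copy; the rolling baseline fires on the seventh day of the trickle, when 140 MB in the window exceeds five times the 25 MB the user's February history predicts. The baseline averages over idle days on purpose: measuring only days with activity would overstate the user's normal volume and hide the trickle.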

UEBA vs. SIEM

Feature          | Traditional SIEM                 | UEBA
-----------------|----------------------------------|----------------------------------------------
Detection method | Rules and signatures             | Statistical and machine-learning models
Focus            | Events and logs                  | Users and entities (behavior over time)
Unknown threats  | Poor (requires a new rule first) | Good (flags deviation from a learned baseline)
False positives  | High (static thresholds)         | Lower once baselines are mature and context-aware

Alterra's Implementation

In our reference architectures UEBA is not a standalone tool but a core component of the SOC (Security Operations Center) stack: it consumes the same telemetry as the SIEM and feeds high-fidelity, risk-scored signals into SOAR platforms for automated response, such as forcing re-authentication or suspending a session once an account's risk score crosses a threshold.
