What is UEBA and How Does It Work?

User and Entity Behavior Analytics (UEBA) is a cybersecurity solution that analyzes the behavior of users and machine entities, using machine learning algorithms and other analytics to build a baseline of normal activity and behavior. Subsequent activity is then monitored and compared against that baseline, and any anomalies are assessed to determine whether they are risky enough to trigger an event. UEBA is often used to help security teams identify threats such as malware, data theft and insider threats.

UEBA Overview

UEBA uses advanced algorithms to create user and entity behavior baselines from the activity of users, applications, network devices, endpoints, servers, etc. Once behavior baselines are established, user behavior analytics monitors how users and entities are behaving in real time and compares that to their normal behavior in order to identify anomalous activity, which may indicate a threat. Real time is the key here: analytics ingests massive amounts of data and provides insight into what’s going on with users and entities in your organization as it’s happening. This can provide an early indication of an attack and, when analyzed (not just correlated) together with other analytics, build the detection results required to determine that an attack campaign is being executed against an organization.

Why Companies Need a UEBA Solution

Phishing attacks and credential-based attacks are the primary ways threat actors compromise organizations and are extraordinarily difficult to prevent. Organizations must assume their infrastructure can be and will be compromised, which leaves the onus on the security operations team to monitor various systems, such as endpoints, networks, cloud networks, applications, servers and of course, users in order to detect malicious activity as early as possible. Traditional log-based solutions, network packet capture and rules-based systems are not enough to handle advanced threat variants and new attacks being created on a daily basis.

Consider, too, that many more entities, including cloud applications, have access to resources in an organization’s IT infrastructure these days. Among them are non-traditional entities such as printers, surveillance cameras, badge systems, and industry-specific devices like medical equipment, hospital beds, machine interface devices, HVAC controllers, and more. In many cases, it’s difficult to secure network access to these devices, which makes them vulnerable to compromise.

Account takeover, often through the use of phishing and social engineering, is one of the most common ways to gain illegitimate access to networks and is when a bad actor uses a legitimate user’s credentials to hide their malicious intent. As they have the same access privileges as the real user, their movements and activities can be hard to detect unless the organization is closely watching for anomalous activity that is out of place or uncharacteristic of the real user.

Account abuse occurs with insiders as well — people like employees, contractors, and vendors who have been assigned credentials and access rights. The abuse can be accidental or intentional. Either way, the only way to know that someone is doing something inappropriate is to monitor their behavior and compare it to a known baseline.

Unusual behavior – whether it’s coming from a human user or a machine entity – is a leading threat indicator. Observing behavior in real time and flagging risky behavior as a predictor of malicious behavior are key to getting ahead of a threat actor early in the kill chain, before a successful campaign can be executed.

How User and Entity Behavior Analytics Work

The UEBA process starts with ingestion of massive amounts of activity and other data from sources spanning the enterprise. This would include, but not necessarily be limited to:

  • Security data and intelligence from firewall, IDS/IPS, anti-virus, threat intelligence feeds, and more
  • Infrastructure logs from gateways, servers, DNS, and so on
  • Application audit logs
  • Network logs, including NetFlow and packet capture
  • Device attributes and configuration details
  • Cloud services

All this data goes into a big data lake, where it is normalized for consistency and correlated. It can also be analyzed alongside Gurucul’s Identity and Access Analytics according to identity privileges, entitlements, and access groups, in order to build behavioral baselines and a picture of expected behavior patterns for every user and entity, measured against what they are supposed to be doing. As new data comes in – as it does continuously – it is fed into an engine where machine learning models analyze the data in near real time. With the inclusion of Gurucul Identity and Access Analytics, an individual identity’s data is compared to its own baseline, as well as to its peer group baseline, to look for anomalies.

When an anomaly is found, Gurucul puts it into context with more data (endpoint, network, cloud, IoT) and feeds it through our enterprise-class risk engine, which calculates a dynamic risk score. When a risk score reaches a predetermined threshold, an alert is raised for an analyst to investigate further. If the platform is integrated with a SOAR (Security Orchestration, Automation, and Response) solution, an automated response may be issued.
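The pipeline described above (per-identity baseline, peer-group baseline, combined risk score, alert threshold) is easiest to see in miniature. The following is an added example written for this page, not Gurucul’s code: it uses constructed daily download volumes as the single behavioral feature, simple z-scores in place of a machine learning model, and illustrative weights and threshold.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the article): each user's peer group and
# the MB they downloaded on each of five baseline days.
BASELINE = {
    "alice": ("finance", [40, 55, 48, 52, 45]),
    "bob":   ("finance", [60, 58, 65, 62, 59]),
    "carol": ("finance", [30, 35, 28, 33, 31]),
    "dave":  ("eng",     [400, 420, 390, 410, 405]),
    "erin":  ("eng",     [380, 390, 385, 395, 400]),
}

def zscore(value, samples):
    """Standard deviations between value and the sample mean; a flat baseline is guarded."""
    sd = pstdev(samples) or 1.0
    return (value - mean(samples)) / sd

def peer_samples(user):
    """Pool the baselines of every other identity in the same peer group."""
    group = BASELINE[user][0]
    return [v for u, (g, vals) in BASELINE.items() if g == group and u != user for v in vals]

def risk_score(user, observed):
    """Combine deviation from the identity's own baseline with deviation from its peers.

    Returns (score 0-100, self_z, peer_z). Weights and scaling are illustrative choices.
    """
    self_z = zscore(observed, BASELINE[user][1])
    peers = peer_samples(user)
    peer_z = zscore(observed, peers) if peers else self_z  # no peers: fall back to self
    raw = 0.6 * abs(self_z) + 0.4 * abs(peer_z)
    return min(100.0, round(raw * 10, 1)), round(self_z, 2), round(peer_z, 2)

def evaluate(observations, threshold=50.0):
    """Score each new observation; return identities whose score reaches the threshold."""
    alerts = []
    for user, mb in observations.items():
        score, _self_z, _peer_z = risk_score(user, mb)
        if score >= threshold:
            alerts.append((user, score))
    return alerts

if __name__ == "__main__":
    # Constructed day-6 observations: alice pulls far more data than she or her peers ever have,
    # while dave is slightly above his own norm but well within what his group does.
    today = {"alice": 900, "bob": 61, "carol": 32, "dave": 415}
    for user, score in evaluate(today):
        print(f"ALERT {user}: risk score {score}")
```

The peer comparison is what separates a genuinely unusual identity from one whose job simply involves more data than others; dave’s 415 MB scores low because his peer group moves similar volumes every day.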

The Benefits of User and Entity Behavior Analytics

UEBA provides both technical and business benefits, such as:

Address a Wide Range of Cyber-Attacks

Because UEBA works on subtle changes in the behavior of both human users and machine entities, it is able to detect a variety of cyber-attacks, including insider threats, account takeovers, ransomware activity, potentially compromised devices, and more. UEBA is an early warning system that, combined with other telemetry, can provide better accuracy in uncovering risk from known as well as unknown threats.

Reduce Alert Fatigue in an Overworked Staff

Security teams are often overwhelmed with too many alerts requiring follow-on investigation or some sort of response. UEBA, done correctly, and with a mature set of battle-tested models, reduces false positives and prioritizes alerts so that only the most important events demand attention. This makes it possible for your security experts to focus on the most credible, high-risk alerts, and may even reduce the need for additional technical staff. Other UEBA engines are often guilty of throwing out more alerts and generating false positives due to the fact they are siloed analytics and not linked together with other telemetry and analytics, such as identity and network.

Lower Risk to the Organization

As potentially risky anomalies are discovered earlier in the kill chain, the organization has a chance to respond and minimize the potential damage. The longer an undetected infection lives in the enterprise environment, the more damage it can do. Take, for example, a ransomware attack. If UEBA can detect risky behaviors in the earliest stages, it can accelerate validation that an actual attack is under way, and an early response can be executed. The result is exactly what organizations are looking to achieve: avoiding loss of data, business disruption, and a potentially large ransom payout. Without this additional early warning added to detection and response, the damage could easily cost millions of dollars in lost business and restoration of files.

The Differences Between UEBA and SIEM

Security information and event management (SIEM) is a solution that ingests mostly logs and then, with the right parsers in place, correlates events together based on IP address and timestamp. The SIEM tool, using a generic set of rule-based models, attempts to identify threats by correlating all the information it gathers from these stored logs. In a next generation SIEM, like Gurucul’s SIEM, correlation rules are combined with real-time analysis of events and machine learning models to help detect threats.

Sounds very similar to how we just described UEBA, no? While SIEM tends to be more focused on log and event information related to suspicious network behavior, UEBA software emphasizes user and entity behavior. Where some vendors have bolted UEBA onto a SIEM, it produces a separate set of alerts that security analysts must chase down, whereas a SIEM should be leveraging UEBA to reduce the number of random alerts and improve detection accuracy.

The Differences Between UEBA and NTA

Network Traffic Analysis (NTA) is the discipline of monitoring all traffic flows across on-premise, edge, and cloud infrastructures, providing a holistic overview of network traffic communications. While such monitoring can have cybersecurity applications, NTA is also used for network performance monitoring, capacity planning, troubleshooting, availability monitoring, and SLA compliance enforcement.

Similar to UEBA, NTA uses analytics to discover network communication patterns, build a baseline of normal traffic patterns, and monitor for potential threats. For example, a device on the network that has recently been infected with malware might be observed suddenly communicating with an external IP address that is known to be a malicious site (a command & control site, or C2). This anomalous behavior can trigger an alert for a security analyst to investigate.

Here are some ways that NTA can be applied toward cybersecurity:

  • Detect traffic to/from unusual geo locations that may be indicative of account sharing, account takeover, or improper use of a VPN.
  • Expose DNS tunneling to detect traffic to unusual DNS servers and surges in outbound DNS queries.
  • Identify unknown IoT devices on the network.
  • Monitor complex cloud, hybrid or on-premise architectures with east-west network traffic, which can help identify attacker lateral movement and spreading of an infection across resources, as well as north-south traffic for command and control activity to external malicious hosts that could be for downloading more malware, sharing encryption keys for ransomware or even externally monitoring current ransomware status, and data exfiltration.

But unlike UEBA, NTA does not create baselines for user and entity behavior or compare such behavior to that of peer groups. Observations of network traffic patterns are far different from observations of what humans and machines actually do on a network. The two solutions – NTA and UEBA – are distinct in what they observe and measure, but they can be complementary security solutions in a large enterprise environment.


UEBA with Gurucul

Gurucul leads the market in demonstrating UEBA results where others cannot. The product consumes the most data sources out-of-the-box and leverages the largest machine learning library. Using big data, Gurucul provides user and entity behavior analytics delivering actionable intelligence for security teams while reducing false positives.

Gurucul UEBA delivers a single unified prioritized risk score per user and entity. This risk score is the key indicator used to drive down-stream automated security controls and processes. Find threats, including unknown unknowns, quickly with no manual threat hunting and no configuration. Get immediate results without writing queries, rules, or signatures.


Some common use cases for Gurucul UEBA include:

Insider Risk and Threat Monitoring

Identify high-risk profiles with risk-based user and entity behavior analytics, data mining, anomaly, and behavior detection. Help security teams by creating a baseline using profiling attributes from HR records, events, access repository, log management solutions and more.

Host / Device Compromise Detection

Detect advanced persistent threat (APT) attacks and attack vectors and predict data exfiltration by performing entity-centric anomaly detection with our UEBA solution. Correlate a wide range of parameters including endpoint security alerts, vulnerability scan results, risk levels of users and accounts used, targets accessed, packet level inspection of the requested payloads, and more.

Anomalous Activity Monitoring

The Gurucul UEBA solution detects attacks using ML algorithms tuned to inspect various parameters like timestamp, location, IP address, device, transaction patterns, high-risk event codes and network packets. Identify any deviation from the normal behavior that may be indicative of a threat.

Lateral Movement Detection

Gurucul UEBA can detect techniques used by threat actors as part of an attack campaign. Identify unusual activity and suspicious access as threat actors attempt to traverse the network in search of better vantage points to download additional malware, communicate to external servers, and eventually find the location of sensitive data.


UEBA transforms behavior data into risk-prioritized insight that enables security teams to respond to threats in the environment. UEBA is an important layer of cybersecurity that is especially adept at detecting a variety of attacks, including malicious insider activity, account compromise/takeover, social engineering attacks, ransomware attacks, compromised devices, and more. Using true machine learning to detect unusual behavior of users and machine entities, UEBA can detect risky behavior in its earliest stages, helping to minimize potential damage.

UEBA is complementary to other cybersecurity solutions such as SIEM, Identity and Access Analytics, NTA, and SOAR. There are numerous use cases for and benefits of UEBA.


About The Author

Nilesh Dherange, Chief Technology Officer, Gurucul

Nilesh Dherange is responsible for development and execution of Gurucul’s technology vision. Nilesh brings a wealth of experience in inventing, designing, and building software from inception to release. Nilesh has been a technologist and leader at three startups and at one of the largest software development companies in the world. Prior to founding Gurucul, Nilesh was an integral member of a company that built a Roles and Compliance product acquired by Sun Microsystems. Nilesh was also a co-founder and VP of Engineering for BON Marketing Group, where he conceptualized and created BON Ticker — an innovative patented bid management system which used predictive analytics to determine advertising bids for PPC marketing campaigns on search engines like Google, Yahoo, MSN, etc. Nilesh holds a B.A. in Social Science and a B.E. in Computer Engineering from the University of Mumbai and an M.S. in Computer Science from the University of Southern California.