Definition

UEBA (User and Entity Behaviour Analytics) is a security analytics method that models normal behaviour for each user (and each system entity) and flags deviations as potential insider threats or compromised accounts. Instead of relying on predefined rules ("alert if someone copies more than 100 files"), UEBA learns what each user normally does and surfaces statistical anomalies — for example, a user who normally logs in from Bangalore between 9 AM and 7 PM suddenly accessing the customer database from Bucharest at 2 AM.

In this guide
  1. Why UEBA exists
  2. How UEBA actually works
  3. Signals UEBA watches
  4. Real-world UEBA catches
  5. UEBA vs SIEM vs DLP
  6. Deploying UEBA
  7. FAQ

Why UEBA exists

Rules-based security catches what you already know is bad. UEBA catches what is suspicious without being explicitly defined. The three threat categories where this matters:

How UEBA actually works

Every UEBA system follows the same four-stage pipeline:

1. Collect

Ingest activity logs from many sources — endpoint agents (Headx, EDR), identity providers (Azure AD, Okta), network traffic, cloud apps, database queries, file servers. The richer the input, the more accurate the baseline.

2. Baseline

For each user (and each entity), build a profile of "normal" along multiple dimensions: usual login times, usual geographies, usual applications, usual data volumes, usual peer group activity. Typical baseline window: 30-90 days.

3. Score

For each new event, compute how much it deviates from the baseline. Multiple small deviations on the same user accumulate into a "risk score." Some platforms use ML models (anomaly detection); simpler systems use statistical methods (z-scores, percentiles).

4. Surface

Display the top-N risky users on a dashboard. Provide drill-down into why each user scored high — which events triggered, what the baseline looked like, what peer-group comparison shows. Analysts investigate, escalate, or close out as false positive.
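The four stages above, as an added illustration that is not Headx code: a per-user baseline is built from historical sessions, each new event is scored with z-scores (the statistical method the Score stage mentions), points accumulate into a capped risk score, and the top-N users are surfaced with the reasons an analyst would drill into. The users, sessions, country codes and point weights are constructed for the example.

```python
"""Minimal UEBA pipeline: collect -> baseline -> score -> surface.
Added example, not Headx code. Users, sessions and point weights are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class Event:
    user: str
    ts: datetime          # session timestamp in the user's local time
    country: str          # country code the login came from
    mb_downloaded: int    # data pulled during the session, in MB


@dataclass
class Baseline:
    countries: set        # geographies seen during the baseline window
    hours: list           # hour-of-day of every baseline session
    volumes: list         # per-session download volume during the window


def zscore(value, samples):
    """Standard deviations from the sample mean (sd floored at 1 so a
    perfectly flat baseline does not divide by zero)."""
    sd = pstdev(samples) or 1.0
    return (value - mean(samples)) / sd


def collect(events):
    """Stage 1: group raw events by user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    return by_user


def build_baselines(history):
    """Stage 2: profile 'normal' per user along several dimensions."""
    return {
        user: Baseline(
            countries={e.country for e in evs},
            hours=[e.ts.hour for e in evs],
            volumes=[e.mb_downloaded for e in evs],
        )
        for user, evs in collect(history).items()
    }


def score_user(user, new_events, baselines, cap=100):
    """Stage 3: every deviation adds points; deviations on the same user
    accumulate into one risk score, capped at `cap`."""
    b = baselines.get(user)
    if b is None:
        return 0, ["no baseline yet (still in observe-only window)"]
    total, reasons = 0, []
    for e in new_events:
        if e.country not in b.countries:
            total += 40
            reasons.append(f"new geography {e.country} at {e.ts:%Y-%m-%d %H:%M}")
        hz = zscore(e.ts.hour, b.hours)
        if abs(hz) > 2:
            total += 20
            reasons.append(f"off-hours login {e.ts:%H:%M} (z={hz:+.1f})")
        vz = zscore(e.mb_downloaded, b.volumes)
        if vz > 3:
            total += 30
            reasons.append(f"download {e.mb_downloaded} MB vs usual "
                           f"{mean(b.volumes):.0f} MB (z={vz:+.1f})")
    return min(total, cap), reasons


def surface(new_events, baselines, n=5):
    """Stage 4: rank users by risk score, keeping the reasons for drill-down."""
    ranked = [(u, *score_user(u, evs, baselines))
              for u, evs in collect(new_events).items()]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked[:n]


def _sessions(user, country, hours, volumes, first_day):
    """Constructed baseline sessions, one per day, for the sample users."""
    return [Event(user, datetime(2024, 1, first_day + i, h), country, v)
            for i, (h, v) in enumerate(zip(hours, volumes))]


# Constructed history standing in for a 30-90 day baseline window.
HISTORY = (
    _sessions("priya", "IN", [9, 10, 11, 12, 14, 15, 16, 17, 18],
              [50, 55, 48, 60, 52, 47, 58, 51, 49], 8)
    + _sessions("arjun", "IN", [9, 10, 11, 13, 15, 17, 18],
                [30, 35, 28, 33, 31, 29, 34], 8)
)
# Constructed new events to score against that baseline.
NEW_EVENTS = [
    Event("priya", datetime(2024, 2, 4, 2, 10), "RO", 600),  # 2 AM, new country, >10x volume
    Event("priya", datetime(2024, 2, 4, 23, 5), "IN", 60),   # second off-hours login, accumulates
    Event("arjun", datetime(2024, 2, 5, 11, 0), "IN", 32),   # ordinary session
]

if __name__ == "__main__":
    for user, score, reasons in surface(NEW_EVENTS, build_baselines(HISTORY)):
        print(f"{user:8} risk={score:3}  " + "; ".join(reasons))
```

Run stand-alone it prints priya at risk 100 (three deviations across two sessions add to 110 and are capped) and arjun at 0. The weights are deliberately crude; a production system learns them, but the structure is the same: per-user profile, per-event deviation, accumulation, ranked view with explanations.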

Signals UEBA watches

Signal category: example anomalies

Login time and location: login from a new country; off-hours access; impossible travel (login from Mumbai, then Delhi 5 minutes later)
Authentication patterns: multiple failed logins; password reset followed by a privileged action; MFA bypass attempts
Application usage: user suddenly opens admin tools they never use; use of a banned app; use of developer tools by a non-developer
Data access volume: downloading 10× their normal daily volume; accessing files outside their team's scope; reading records of customers they don't normally serve
USB and removable media: USB usage by a user who never uses USB; large copy to an external drive; copy of specific high-value file types
Cloud uploads: personal Dropbox upload by a user who normally only uses corporate Drive; upload size spike; new cloud service usage
Email behaviour: sending large attachments to personal email; new external domain communication; sudden uptick in outbound volume
Printing: printing 100× the normal page count in a day; printing of confidential-marked documents; printing during off-hours
Peer group deviation: user behaves very differently from others in the same role, team or department
Lifecycle events: activity changes after a resignation is submitted, a role change, or a performance review
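The impossible-travel signal in the first row is one of the few that can be computed exactly rather than statistically. As an added example (not Headx code), the check below takes a stream of geolocated logins, walks each user's logins in time order, and flags any consecutive pair that would require moving faster than a commercial aircraft. The 900 km/h ceiling, the 50 km jitter floor and the sample coordinates are assumptions constructed for the example.

```python
"""Impossible-travel check over a login stream.
Added example, not Headx code; thresholds and sample logins are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass
class Login:
    user: str
    ts: datetime    # login time (UTC)
    city: str       # label from the geolocation lookup, for the analyst
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=900.0, min_km=50.0):
    """Flag consecutive logins by the same user that imply a speed above
    `max_kmh`. Pairs closer than `min_km` are ignored so that city-level
    geolocation jitter (or a VPN endpoint across town) does not fire it."""
    by_user = defaultdict(list)
    for login in logins:
        by_user[login.user].append(login)
    findings = []
    for user, seq in by_user.items():
        seq.sort(key=lambda l: l.ts)
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            # Floor the gap at one second so simultaneous logins do not divide by zero.
            hours = max((cur.ts - prev.ts).total_seconds(), 1) / 3600
            kmh = km / hours
            if kmh > max_kmh:
                findings.append({"user": user, "from": prev.city, "to": cur.city,
                                 "km": round(km), "minutes": round(hours * 60),
                                 "kmh": round(kmh)})
    return findings


# Constructed sample logins: one impossible pair, one plausible road trip.
SAMPLE = [
    Login("ravi", datetime(2024, 3, 1, 9, 0), "Mumbai", 19.076, 72.877),
    Login("ravi", datetime(2024, 3, 1, 9, 5), "Delhi", 28.613, 77.209),    # 5 minutes later
    Login("meera", datetime(2024, 3, 1, 8, 0), "Mumbai", 19.076, 72.877),
    Login("meera", datetime(2024, 3, 1, 11, 0), "Pune", 18.520, 73.856),   # 3 hours by road
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE):
        print(f"{f['user']}: {f['from']} -> {f['to']} {f['km']} km in "
              f"{f['minutes']} min ({f['kmh']} km/h)")
```

Stand-alone this reports ravi's Mumbai-to-Delhi pair (roughly 1,150 km in five minutes) and stays silent on meera's Mumbai-to-Pune drive. In a real deployment the geolocation of corporate VPN exits and cloud proxies is the main source of false positives, which is why the check is one input to the risk score rather than an alert on its own.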

Real-world UEBA catches

Example 1 — The departing salesperson

A senior salesperson submits her resignation on Monday with a 2-month notice period. UEBA flags her risk score climbing over the following two weeks: she's downloading customer lists outside her territory, copying CRM data to USB on three consecutive evenings, and emailing herself project proposals. Each action individually is something her job allows. The pattern is unmistakable. Security intervenes before she walks out with the customer base.

Example 2 — The compromised admin account

Late on a Sunday night, an admin account logs in from a residential IP in Eastern Europe. The admin lives in Pune. UEBA scores this 95/100 because: new geography, off-hours, login from a device with no prior history, immediately followed by SSH to a production database. Security locks the account within 15 minutes. Forensic investigation later confirms credential theft via a phishing email two weeks earlier.

Example 3 — The developer with a second job

A backend engineer's productivity score quietly drops over six weeks. UEBA notices: he's idle on the company laptop during business hours, but USB writes spike at 4 PM daily. Investigation finds he is working for a competitor in parallel during his contracted hours and copying internal architecture documents to a personal drive. HR resolves the matter through separation; legal pursues an IP claim.

UEBA vs SIEM vs DLP — how they differ

SIEM
  What it does: centralises security logs; runs predefined correlation rules
  Strengths: comprehensive log collection; mature alerting workflows
  Limitations: rule-bound; cannot detect novel patterns; high alert volume

UEBA
  What it does: models user behaviour; flags statistical deviations
  Strengths: catches subtle insider threats; lower alert volume; learns over time
  Limitations: needs 30-90 days to baseline; struggles with low-activity users; harder to explain to auditors

DLP
  What it does: watches data movement against defined sensitivity rules
  Strengths: prevents data exfiltration in real time; works on day one
  Limitations: rule-bound; high false-positive rate without tuning; doesn't see context outside the data event

Modern security stacks use all three. SIEM is the log substrate. DLP is the data-movement enforcement. UEBA is the behavioural intelligence on top. The three feed each other: DLP fires alerts → SIEM correlates with other events → UEBA scores the user → analyst gets a prioritised risk-ranked view.

Deploying UEBA

  1. Decide what entities to monitor. Start with all employees and contractors. Add machine identities (service accounts) in phase 2.
  2. Connect data sources. Minimum useful sources: endpoint agent activity, identity provider login logs, file server access. Better: also network traffic, cloud app logs, database query logs.
  3. Run a 60-day baseline. Do not act on alerts during this window — let the model learn what normal looks like. You will tweak the baseline window for low-activity users (sales travelling) and high-activity admin accounts.
  4. Tune signal weights. Generic UEBA models often over-weight "new login geography." Indian businesses with WFH staff who travel during Diwali break will see false positives. Tune to your context.
  5. Pair with HR data. UEBA gets dramatically more accurate when it knows who has resigned, who has had a performance review, who has changed role, who is on a PIP. Establish a feed from your HRMS.
  6. Establish a response playbook. Risk score 80+ = SOC investigation within 4 hours. Risk score 95+ = immediate account suspension pending review. Document and rehearse.
  7. Communicate transparently. Tell employees UEBA is in place, what signals it watches, what triggers a review. Surprise drives resentment; clarity drives trust.

FAQ

Is UEBA the same as User Behaviour Analytics (UBA)?

UEBA is the evolved form. UBA only covered human users; UEBA extends to "entities" — service accounts, devices, applications, IoT. Gartner formalised the UEBA term around 2015.

Can UEBA work without an endpoint agent?

Yes, but with reduced accuracy. Agentless UEBA pulls from identity provider, network traffic, and cloud app logs. It catches account-compromise scenarios well. For insider-threat scenarios (USB copy, clipboard, screen capture of confidential data), endpoint signals are usually decisive — agentless UEBA struggles there.

How long until UEBA starts producing useful alerts?

Minimum 30 days of baseline, ideally 60-90 days. The longer the baseline, the lower the false-positive rate. Most organisations run UEBA in "observe only" mode for the first 90 days, then switch to "alert and act."

Does UEBA replace SIEM?

No. UEBA augments SIEM. The two are complementary — SIEM gives you log collection, compliance reporting, and rule-based detection; UEBA adds behavioural intelligence on top. Most enterprises run both, with UEBA fed by SIEM data or directly by endpoint/identity sources.

Will UEBA flag every employee who works late occasionally?

A well-tuned UEBA will not. Baselines learn each person's normal hours. An employee who has historically worked late on Wednesdays won't generate an alert when they do it again. The risk score combines many signals — a single anomaly rarely triggers action.
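Why a baseline that conditions on the day of the week matters, as an added example that is not Headx code: the same eight-week login history is fitted two ways, once as a single distribution of login hours and once as one distribution per weekday. A recurring 8 PM Wednesday session is two standard deviations out under the flat model but ordinary under the weekday model, while the same hour on a Thursday is anomalous under both. The history, the user's schedule and the 2-sigma threshold are constructed for the example.

```python
"""Flat vs weekday-conditioned login-hour baselines.
Added example, not Headx code; the login history is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def zscore(value, samples):
    sd = pstdev(samples) or 1.0   # floor so a perfectly regular user does not divide by zero
    return (value - mean(samples)) / sd


class GlobalHourBaseline:
    """One distribution of login hours for the user, weekday-agnostic."""
    def __init__(self, logins):
        self.hours = [t.hour for t in logins]

    def zscore(self, ts):
        return zscore(ts.hour, self.hours)

    def is_anomalous(self, ts, threshold=2.0):
        return abs(self.zscore(ts)) > threshold


class WeekdayHourBaseline:
    """A separate login-hour distribution per weekday, so a habit that
    exists only on Wednesdays is 'normal' on Wednesdays only."""
    def __init__(self, logins):
        self.by_weekday = defaultdict(list)
        for t in logins:
            self.by_weekday[t.weekday()].append(t.hour)

    def zscore(self, ts):
        samples = self.by_weekday.get(ts.weekday())
        if not samples:
            return float("inf")   # never seen this weekday at all: treat as anomalous
        return zscore(ts.hour, samples)

    def is_anomalous(self, ts, threshold=2.0):
        return abs(self.zscore(ts)) > threshold


def constructed_history(weeks=8):
    """Constructed history: a 09:00 or 10:00 login every weekday, plus a
    20:00 session every Wednesday (a recurring late call)."""
    start = datetime(2024, 1, 1)          # a Monday
    logins = []
    for week in range(weeks):
        for wd in range(5):
            day = start + timedelta(weeks=week, days=wd)
            logins.append(day.replace(hour=9 if week % 2 == 0 else 10))
            if wd == 2:                   # Wednesday
                logins.append(day.replace(hour=20))
    return logins


def compare(ts, history):
    """Verdict of both models for one login."""
    flat, weekday = GlobalHourBaseline(history), WeekdayHourBaseline(history)
    return {"global": flat.is_anomalous(ts), "weekday": weekday.is_anomalous(ts)}


HISTORY = constructed_history()
LATE_WEDNESDAY = datetime(2024, 3, 6, 20)   # the usual Wednesday late session
LATE_THURSDAY = datetime(2024, 3, 7, 20)    # same hour, a day the user never works late
ORDINARY_THURSDAY = datetime(2024, 3, 7, 9)

if __name__ == "__main__":
    for label, ts in [("Wed 20:00", LATE_WEDNESDAY), ("Thu 20:00", LATE_THURSDAY),
                      ("Thu 09:00", ORDINARY_THURSDAY)]:
        print(label, compare(ts, HISTORY))
```

The flat model flags the Wednesday session (its z-score is about 2.2), which is exactly the false positive the FAQ describes; the weekday model does not, because it has seen that hour on eight previous Wednesdays. Neither verdict would trigger action on its own in the pipeline; it is one signal feeding the accumulated score.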

Does Headx Monitor include UEBA?

Yes, UEBA risk scoring is built into the Headx security dashboard at no extra cost on every plan. See how Headx UEBA compares to Teramind's enterprise UEBA.

Ready to try Headx on your team?

Cloud from ₹1,900/PC/month or On-Premise from ₹1,499/PC/month. 30-day money-back guarantee on the Cloud plan.
