What is User and Entity Behaviour Analytics (UEBA), and what threats does it catch?
Short answer
UEBA (User and Entity Behaviour Analytics) builds behavioural baselines for users and entities (hosts, service accounts, devices) and uses statistics or machine learning to score deviations as risk. It excels at threats that have no clean signature: compromised credentials, insider misuse, and lateral movement — e.g. a user suddenly accessing systems they never touch, at unusual hours, or moving abnormal data volumes. It complements rule-based detection rather than replacing it, and needs tuning to avoid false positives from legitimate behaviour change.
UEBA — User and Entity Behaviour Analytics — answers a question signatures cannot: is this account or device behaving like itself? Instead of matching known-bad patterns, it learns each user's and entity's normal behaviour and flags meaningful deviation.
Users and entities
The "U" is users; the "E" is everything else that acts in your environment — hosts, service accounts, IoT devices, applications. Service accounts are especially valuable to profile: they should behave predictably, so a service account that suddenly performs interactive logons or touches new systems is a strong signal.
How it works
UEBA establishes a per-entity baseline, then applies statistical models or machine learning to score how far current activity strays from it. Rather than a single binary alert, it typically produces a risk score that accumulates across multiple weak signals — odd login time, plus unusual resource access, plus abnormal data volume — surfacing the riskiest entities for analyst review.
What it catches
- Compromised credentials — the login is valid, but the behaviour after it is not.
- Insider threat — an employee accessing or exfiltrating data outside their role.
- Lateral movement — an entity reaching systems it has no history with.
Limits
UEBA is not magic. Legitimate change — a promotion, a project, travel — produces deviations too, so it generates false positives and needs tuning and analyst context. It augments rule-based and TTP detection; it does not replace them.
Why this matters
Interviewers want to see that you know UEBA targets behaviour-based threats that signatures miss, understand risk scoring, and respect its false-positive cost — not that you treat it as a silver bullet.
Likely follow-ups
- How does UEBA differ from a static anomaly threshold?
- Why are service accounts often good entities to profile?
- What kinds of false positives does UEBA generate, and how do you handle them?