Skip to content

What is User and Entity Behaviour Analytics (UEBA), and what threats does it catch?

Short answer

UEBA (User and Entity Behaviour Analytics) builds behavioural baselines for users and entities (hosts, service accounts, devices) and uses statistics or machine learning to score deviations as risk. It excels at threats that have no clean signature: compromised credentials, insider misuse, and lateral movement — e.g. a user suddenly accessing systems they never touch, at unusual hours, or moving abnormal data volumes. It complements rule-based detection rather than replacing it, and needs tuning to avoid false positives from legitimate behaviour change.

UEBA — User and Entity Behaviour Analytics — answers a question signatures cannot: is this account or device behaving like itself? Instead of matching known-bad patterns, it learns each user's and entity's normal behaviour and flags meaningful deviation.

Users and entities

The "U" is users; the "E" is everything else that acts in your environment — hosts, service accounts, IoT devices, applications. Service accounts are especially valuable to profile: they should behave predictably, so a service account that suddenly performs interactive logons or touches new systems is a strong signal.

How it works

UEBA establishes a per-entity baseline, then applies statistical models or machine learning to score how far current activity strays from it. Rather than a single binary alert, it typically produces a risk score that accumulates across multiple weak signals — odd login time, plus unusual resource access, plus abnormal data volume — surfacing the riskiest entities for analyst review.

What it catches

  • Compromised credentials — the login is valid, but the behaviour after it is not.
  • Insider threat — an employee accessing or exfiltrating data outside their role.
  • Lateral movement — an entity reaching systems it has no history with.

Limits

UEBA is not magic. Legitimate change — a promotion, a project, travel — produces deviations too, so it generates false positives and needs tuning and analyst context. It augments rule-based and TTP detection; it does not replace them.

Why this matters

Interviewers want to see that you know UEBA targets behaviour-based threats that signatures miss, understand risk scoring, and respect its false-positive cost — not that you treat it as a silver bullet.

Likely follow-ups

  • How does UEBA differ from a static anomaly threshold?
  • Why are service accounts often good entities to profile?
  • What kinds of false positives does UEBA generate, and how do you handle them?

Sources

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.