What is User and Entity Behavior Analytics (UEBA)?


User and entity behavior analytics (UEBA), or user behavior analytics (UBA), is a type of cybersecurity solution or feature that discovers threats by identifying activity that deviates from a normal baseline. While UEBA can be used for a variety of reasons, it is most commonly used to monitor and detect unusual traffic patterns, unauthorized data access and movement, or suspicious or malicious activity on a computer network or endpoints.

Why Companies Need UEBA

Security operations often use security information and event management (SIEM) platforms to monitor and identify potential security threats. SIEMs aggregate event logs and security alerts but have difficulty detecting unknown or advanced security threats that don’t involve malware – such as credential theft – or internal and external attackers who have already gained access to the network.


Two main categories of cybersecurity analytics tools have emerged to fill this gap: 

  • User and entity behavior analytics (UEBA)
  • Network traffic analysis (NTA), also referred to as network detection and response (NDR)

The Differences Between UEBA and NTA

UEBA solutions are typically offered either as packaged offerings or embedded in traditional security products, such as cloud access security brokers (CASBs) and detection and response platforms. They work by analyzing activity from network users and other entities, such as hosts, applications, data repositories and network traffic. They apply machine learning to real-time and historical data to develop a baseline of normal activity.

Once they establish this baseline, UEBA solutions apply a host of analytics methods, such as simple statistics, pattern matching, and rules that leverage signatures, to look for anomalies that indicate potentially suspicious or malicious activity. For UEBA solutions to perform behavior analytics effectively, a company must first have a robust and integrated data set for the machine learning tools.
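The baseline-then-compare approach described above, shown with simple statistics. This is an added example, not code from any UEBA product; the sample data is constructed, and MIN_SAMPLES, Z_THRESHOLD and the 5% deviation floor are assumed values.

```python
import statistics
from collections import defaultdict

# Constructed history: (entity, MB read from a file share per day). Not real logs.
HISTORY = (
    [("alice", mb) for mb in [120, 135, 110, 128, 140, 118, 125, 131, 122, 127]]
    + [("svc-backup", mb) for mb in [5000, 5100, 4950, 5050, 5000, 4980, 5020, 5010, 4990, 5030]]
    + [("bob", 40), ("bob", 55)]
)
# Constructed observations for the day being scored.
TODAY = [("alice", 4800), ("svc-backup", 5040), ("bob", 60), ("carol", 300)]

MIN_SAMPLES = 7    # assumed: days of history required before an entity is scored
Z_THRESHOLD = 3.0  # assumed: standard deviations from the mean treated as anomalous


def build_baseline(history):
    """Return {entity: (mean, stdev)} for entities with enough history."""
    per_entity = defaultdict(list)
    for entity, value in history:
        per_entity[entity].append(value)
    baseline = {}
    for entity, values in per_entity.items():
        if len(values) >= MIN_SAMPLES:
            mean = statistics.fmean(values)
            # Floor the deviation so a very flat history does not flag tiny changes.
            stdev = max(statistics.stdev(values), 0.05 * mean, 1.0)
            baseline[entity] = (mean, stdev)
    return baseline


def score(baseline, observations):
    """Label each observation 'normal', 'anomalous' or 'no-baseline'."""
    results = {}
    for entity, value in observations:
        if entity not in baseline:
            results[entity] = ("no-baseline", None)
            continue
        mean, stdev = baseline[entity]
        z = (value - mean) / stdev
        label = "anomalous" if abs(z) >= Z_THRESHOLD else "normal"
        results[entity] = (label, round(z, 1))
    return results


if __name__ == "__main__":
    for entity, (label, z) in score(build_baseline(HISTORY), TODAY).items():
        print(f"{entity:12} {label:12} z={z}")
```

Roughly the same volume (about 5 GB) is normal for the backup service account and anomalous for alice, which is the point of a per-entity baseline. Entities with too little history are reported as having no baseline rather than being scored.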

UEBA systems can detect insider threats, malware, and advanced attacks by applying machine learning and behavioral analytics to users, machines, and entities. They surface abnormal activity in real time and provide investigative insights so analysts can quickly verify and mitigate threats before they cause further damage.

NTA solutions use machine learning, advanced analytics and rule-based detection to monitor and analyze all traffic and flow records on enterprise networks in order to identify potential attacks, insider abuse, suspicious activity and malware. This includes monitoring and analyzing all north-south traffic that traverses the enterprise perimeter as well as all east-west communications from network sensors.

Benefits and Drawbacks of UEBA and NTA

UEBA:

  • Allows application of analytics and data science to log data to uncover security threats that might otherwise remain hidden in massive repositories.
  • Enables tracking and monitoring of all users and other entities that use the network.
  • Reduces security events and significantly improves operational efficiency.
  • Offers a narrow view of network behaviors and events since UEBA logs are only enabled on a small part of a company’s network.
  • Isn’t able to pinpoint specific security attacks.
  • Relies on third-party logs to monitor, identify and analyze potential threats and assign risk scores – if/when a third-party logger fails, a UEBA can’t do its job.
  • Deploys slowly – many vendors claim UEBA can be deployed in a few days, but Gartner clients report it often takes 3–6 months in simple use cases and up to 18 in complex ones.
  • Requires lots of cross-functional approvals and system configuration.

NTA:

  • Allows companies to see all events, not just logged ones, across their entire network, including every aspect of an attacker’s activities and techniques, from early to late stages of an attack.
  • Enables companies to profile network devices and user accounts.
  • Deploys with relative ease.
  • Pays for itself in a short time, but still requires the expertise of a security team to know which types of security issues to look for and how to identify them.
  • Offers coverage that, although wide, is shallow.
  • Isn’t able to track local events.

UEBA capabilities are increasingly converging with other tools, giving SecOps teams better and more advanced analytics with which to detect potential security threats. Gartner predicts that, by 2021, the stand-alone UEBA market will no longer exist. Instead, it will be used to modernize SIEMs and other tools with advanced analytics, embedding UEBA features and functionality directly into their platforms.[1]

XDR: A New Approach to Security 

UEBA capabilities are also converging with a new breed of threat detection and response tools called XDR. The “X” in XDR stands for any data source, such as a network, endpoint or cloud. XDR emerged as an evolution of endpoint detection and response (EDR) tools, recognizing a need for threat visibility that went deeper than a SIEM but wasn’t limited to endpoints. XDR speeds up investigations and uses automation to multiply the productivity of security operations team members.

XDR combines all the capabilities of EDR, UEBA, NTA, next-gen antivirus and other tools into a single solution to deliver the best security possible. It does this by providing comprehensive visibility and robust behavioral analytics companies need across their entire infrastructure – including network, clouds and endpoints – to identify, hunt down, investigate and respond to potential security threats. XDR offers companies numerous capabilities and benefits, as shown in figure 1.

XDR allows companies to track visibility, integrate with tools, use large-scale analytics, and simplify investigations. XDR allows analysts to respond to threats faster and more proactively.

Figure 1: Capabilities of XDR


Cortex XDR, the industry's first extended detection and response platform, includes an Identity Analytics feature for comprehensive user behavior analytics (UBA). Identity Analytics detects risky and malicious user behavior that traditional tools can’t see. It pinpoints attacks such as credential theft, brute force and “the impossible traveler” with unparalleled accuracy by detecting behavioral anomalies indicative of attack. 

Identity Analytics provides a 360-degree view of every user, including a user risk score and related alerts, incidents, artifacts and recent activity. It also provides user context by gathering data from HR apps like Workday, security solutions like SailPoint, and leading identity providers. Out-of-the-box UBA detections reveal evasive threats by examining multiple types of data.


  1. “Market Guide for User and Entity Behavior Analytics”, Gartner, May 21, 2019, https://www.cbronline.com/wp-content/uploads/dlm_uploads/2018/07/gartner-market-guide-for-ueba-2018-analyst-report.pdf.