Testing?](https://www.paloaltonetworks.com/cyberpedia/what-is-penetration-testing#what?ts=markdown) * [Types of Pen Testing](https://www.paloaltonetworks.com/cyberpedia/what-is-penetration-testing#types?ts=markdown) * [7 Stages of the Penetration Testing Process](https://www.paloaltonetworks.com/cyberpedia/what-is-penetration-testing#stages?ts=markdown) * [Pen Testing Tools](https://www.paloaltonetworks.com/cyberpedia/what-is-penetration-testing#tools?ts=markdown) * [Penetration Testing FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-penetration-testing#faqs?ts=markdown) * [3 Challenges to Identifying Evasive Threats](https://www.paloaltonetworks.com/cyberpedia/3-challenges-to-identifying-evasive-threats?ts=markdown) * [](https://www.paloaltonetworks.com/cyberpedia/3-challenges-to-identifying-evasive-threats#threats?ts=markdown) * [](https://www.paloaltonetworks.com/cyberpedia/3-challenges-to-identifying-evasive-threats#traditional?ts=markdown) * [](https://www.paloaltonetworks.com/cyberpedia/3-challenges-to-identifying-evasive-threats#helps?ts=markdown) * [](https://www.paloaltonetworks.com/cyberpedia/3-challenges-to-identifying-evasive-threats#protect?ts=markdown) * [What is a Port Scan?](https://www.paloaltonetworks.com/cyberpedia/what-is-a-port-scan?ts=markdown) * [How a Port Scan Works](https://www.paloaltonetworks.com/cyberpedia/what-is-a-port-scan#how?ts=markdown) * [Types of Port Scans](https://www.paloaltonetworks.com/cyberpedia/what-is-a-port-scan#types?ts=markdown) * [Port Scanning Results](https://www.paloaltonetworks.com/cyberpedia/what-is-a-port-scan#port?ts=markdown) * [How Bad Actors Use Port Scanning as an Attack Method](https://www.paloaltonetworks.com/cyberpedia/what-is-a-port-scan#method?ts=markdown) * [Port Scan FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-a-port-scan#faqs?ts=markdown) # What is UEBA (User and Entity Behavior Analytics)? 5 min. 
read Table of Contents * * [How UEBA works](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba#how?ts=markdown) * [Benefits of Implementing UEBA](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba#benefits?ts=markdown) * [Examples of UEBA](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba#examples?ts=markdown) * [Common Use Cases for UEBA](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba#common?ts=markdown) * [Challenges and Considerations in UEBA Deployment](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba#challenges?ts=markdown) * [Diverse Threats Addressed by UEBA](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba#diverse?ts=markdown) * [Integrating UEBA and XDR](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba#integrate?ts=markdown) * [UEBA vs NTA](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba#nta?ts=markdown) * [UEBA vs SIEM](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba#siem?ts=markdown) * [UEBA vs IAM](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba#iam?ts=markdown) * [Future Trends and Developments in UEBA](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba#future?ts=markdown) * [Choosing the Right UEBA Solution](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba#choose?ts=markdown) * [UEBA FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba#faqs?ts=markdown) 1. 
User Entity Behavior Analytics (UEBA) is an evolving cybersecurity solution that uses advanced analytics to detect user and entity behavior anomalies within an organization's network.
Unlike traditional security measures, UEBA focuses on the patterns and nuances of user activities, leveraging this insight to identify potential security threats.

UEBA emerged as a response to the increasing sophistication of cyber threats, especially those involving insider attacks and [advanced persistent threats (APTs)](https://www.paloaltonetworks.com/cyberpedia/what-is-advanced-persistent-threat-apt?ts=markdown). Over time, UEBA has evolved from simple anomaly detection to incorporate [machine learning](https://www.paloaltonetworks.com/cyberpedia/machine-learning-ml?ts=markdown), [AI](https://www.paloaltonetworks.com/cyberpedia/artificial-intelligence-ai?ts=markdown), and big data analytics, offering a more dynamic and predictive approach to cybersecurity.

## How UEBA works

### Data Collection and Analysis

UEBA systems gather comprehensive data, including user activities, network traffic, and access logs. This data forms the backbone of UEBA's analysis, feeding into sophisticated algorithms that scrutinize every aspect of user behavior within the network.

### Establishing Baseline Behavior and Anomaly Detection

The core of UEBA functionality lies in its ability to establish a baseline of "normal" behavior for each user and entity. It then continuously compares current activities against this baseline, flagging anomalies that could indicate potential security threats, such as [data exfiltration](https://www.paloaltonetworks.com/cyberpedia/data-exfiltration?ts=markdown), insider threats, or compromised accounts.

## Benefits of Implementing UEBA

UEBA significantly enhances the detection of complex and subtle cyber threats, particularly those that evade traditional security measures.
Its behavioral analysis approach is particularly effective against insider threats and APTs, making it increasingly vital for businesses and offering several key features and benefits:

* **[Insider Threat](https://www.paloaltonetworks.com/cyberpedia/insider-threat?ts=markdown) Identification**: UEBA is particularly effective in identifying malicious or negligent activities by insiders. Since these users have legitimate access to systems, their harmful actions can be more complex to detect with conventional security tools.
* **Behavioral Profiling and Risk Scoring**: UEBA tools often include behavioral profiling and risk scoring mechanisms. These features help prioritize security alerts, allowing security teams to focus on the most critical issues.
* **Compliance and Regulatory Requirements**: Many industries have stringent data protection and privacy requirements. UEBA helps meet these requirements by providing detailed insights into user behaviors and ensuring that anomalous activities are quickly identified and addressed.
* **Advanced Threat Detection**: UEBA systems use advanced analytics to identify abnormal behavior or anomalies in user activities. This is crucial in detecting sophisticated cyber threats that traditional security measures might miss, such as insider threats, compromised accounts, or advanced persistent threats (APTs).
* **Improved Security Posture**: By integrating UEBA into their security strategy, businesses can enhance their security posture. UEBA provides a deeper and more nuanced view of user activities, which helps identify and mitigate risks more effectively.
* **[Data Loss Prevention](https://www.paloaltonetworks.com/cyberpedia/cloud-data-loss-prevention?ts=markdown)**: UEBA can help prevent data breaches and loss by monitoring user behavior. It can detect unusual access patterns or data transfers that may indicate a [data leak](https://www.paloaltonetworks.com/cyberpedia/data-leak?ts=markdown) or theft attempt.
* **Efficient Incident Response**: In the event of a security incident, UEBA tools can provide detailed context and user activity records. This information is crucial for a rapid and effective incident response, helping minimize the impact of security breaches.
* **Automated Response and Remediation**: Advanced UEBA solutions can integrate with other security tools to automate responses to detected threats. This reduces the time and effort required for remediation and enhances the overall efficiency of the [security operations center (SOC)](https://www.paloaltonetworks.com/cyberpedia/what-is-a-soc?ts=markdown).
* **Long-term Trend Analysis and Forensics**: UEBA tools can store and analyze long-term data, which is valuable for trend analysis and [forensic investigations after a security incident](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response?ts=markdown).
* **Adapting to Evolving Threat Landscape**: UEBA systems can adapt as cyber threats evolve by continuously learning from new data patterns. This helps businesses stay ahead of emerging threats.

## Examples of UEBA

The following examples illustrate the versatility and importance of UEBA solutions in modern cybersecurity strategies. Here are some examples of UEBA applications in various contexts:

* Insider Threat Detection: UEBA solutions can identify potentially malicious activities by insiders, such as employees accessing or downloading sensitive data at unusual times or in unusually large quantities, which could indicate data theft.
* Compromised Account Identification: If a user's behavior suddenly changes - for example, accessing different systems or data they don't normally use, especially at odd hours - it could suggest their account has been compromised.
* Anomaly Detection in IT Systems: UEBA tools can detect anomalies in IT systems and networks, such as unusual login locations or times, unexpected data flows, or spikes in data access or usage.
* Fraud Detection: In financial or e-commerce settings, UEBA can be used to spot fraudulent activities like unusual transaction patterns, indicating potential fraud or financial crime.
* Healthcare Privacy Monitoring: In healthcare, UEBA can help ensure compliance with privacy laws by monitoring access to patient records and identifying if staff are accessing records without a legitimate need.
* Advanced Persistent Threat (APT) Detection: UEBA can be instrumental in detecting APTs, where attackers infiltrate systems and remain undetected for long periods, as it can spot subtle, long-term changes in behavior.
* Data Exfiltration Prevention: By monitoring data access and movement, UEBA can identify potential data exfiltration attempts, such as copying large volumes of data to external drives or uploading it to cloud services.
* Phishing Attack Detection: UEBA can sometimes detect the aftermath of phishing attacks, such as when credentials are used unusually following a successful [phishing](https://www.paloaltonetworks.com/cyberpedia/what-is-phishing?ts=markdown) expedition.
* Integration with Other Security Systems: UEBA often works with security systems like [SIEM (Security Information and Event Management)](https://www.paloaltonetworks.com/cyberpedia/what-is-siem?ts=markdown), enhancing overall threat detection and response capabilities.
* Automated Alerting and Incident Response: UEBA systems can automate alerting security teams about suspicious activities and sometimes integrate with response systems to take immediate action, like blocking a user or changing access controls.

## Common Use Cases for UEBA

UEBA is a valuable tool for detecting cyber threats and security breaches. It is particularly useful in identifying insider threats, preventing [data breaches](https://www.paloaltonetworks.com/cyberpedia/data-breach?ts=markdown) and fraud, and complementing existing security systems.

### Insider Threat Detection

UEBA can detect insider threats by identifying unusual activities that might go unnoticed by standard security tools. These activities include unauthorized access to sensitive data or anomalous data transfers.

### Preventing Data Breaches and Fraud

UEBA can identify unusual transaction patterns or data access, which are critical indicators of data breaches and fraud. By detecting these patterns, UEBA can prevent security breaches and protect sensitive data.

### Integrating UEBA with Existing Security Systems

UEBA can complement other security tools like SIEM and enhance the overall effectiveness of an organization's security infrastructure. By integrating UEBA with existing systems, an organization can create a more nuanced and comprehensive view of potential threats.

### The Role of UEBA in a Holistic Security Strategy

UEBA should be viewed as a component of a broader security strategy, complementing other tools and processes to create a multi-layered defense against cyber threats. By implementing UEBA alongside other security measures, an organization can better protect itself from cyber attacks.

## Challenges and Considerations in UEBA Deployment

UEBA deployment involves balancing security and privacy concerns, managing false positives, and keeping up with emerging cybersecurity threats. One of the key challenges in implementing UEBA is ensuring that monitoring and analysis of user behavior are conducted in a manner that respects privacy and complies with legal and regulatory standards.

### Managing False Positives and User Experience

UEBA systems must be finely tuned to minimize false positives, which can overwhelm security teams and potentially impact the user experience. By managing false positives, an organization can reduce the workload of security teams and improve the user experience.

## Diverse Threats Addressed by UEBA

UEBA systems are designed to detect, prevent, and mitigate a broad spectrum of cyber threats.
Their capabilities extend to:

* Anomalous User Behavior: Detection of deviations from normal activity patterns, like unusual login times or changes in user behavior, signaling potential security breaches.
* Account Compromise Indicators: Identifying suspicious login attempts, including brute-force attacks and unauthorized access with stolen credentials, pointing to potential account takeovers.
* Privilege Abuse: Spotting misuse of extensive access rights, unauthorized attempts to alter permissions, and other forms of privilege abuse that could compromise security.
* Internal Threat Landscape: Addressing insider threats, including malicious insider activities, unauthorized data or application access, and data theft or sabotage efforts.
* Data Exfiltration Tactics: Detecting attempts to transfer data unusually or access files in a way that suggests potential data exfiltration.
* Malware and Ransomware Activities: Identifying signs of malware or [ransomware](https://www.paloaltonetworks.com/cyberpedia/what-is-ransomware?ts=markdown) infections, including [endpoint](https://www.paloaltonetworks.com/cyberpedia/what-is-an-endpoint?ts=markdown) anomalies and patterns typical of ransomware, such as widespread file encryption.
* Policy Violation Identification: Recognizing actions where users bypass security controls or access restricted resources, violating established policies.
* Phishing and Social Engineering Attempts: Detecting user interactions with malicious links or email attachments indicative of phishing or [social engineering](https://www.paloaltonetworks.com/cyberpedia/what-is-social-engineering?ts=markdown) exploits.
* Advanced Persistent Threats (APTs): Uncovering ongoing, sophisticated attacks that might elude standard security measures, providing an added detection layer.
* Zero-Day Exploit Detection: Identifying previously unknown vulnerabilities and exploits crucial for defending against novel and emerging threats.
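
The baseline-and-compare approach described under "How UEBA works", combined with risk scoring and the false-positive tuning discussed above, shown as an added example (it is not code from Palo Alto Networks or from any UEBA product). The event fields (`entity`, `hour`, `mb_out`), the thresholds and the sample history are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

MIN_HISTORY = 10    # assumed: fewer events than this is too thin a baseline
Z_ALERT = 3.5       # assumed robust z-score cut-off for unusual transfer volume
RARE_HOUR = 0.05    # assumed: familiarity below this marks an unusual hour


class Baseline:
    """Profile of one user or entity, learned from its own history only."""

    def __init__(self, events):
        volumes = [e["mb_out"] for e in events]
        self.n = len(events)
        self.med = median(volumes)
        mad = median(abs(v - self.med) for v in volumes)
        # Floor the spread: a perfectly regular entity (MAD = 0) would
        # otherwise turn every small deviation into an alert.
        self.scale = max(1.4826 * mad, 0.05 * self.med, 1.0)
        self.hours = Counter(e["hour"] for e in events)

    def volume_z(self, mb_out):
        return (mb_out - self.med) / self.scale

    def hour_familiarity(self, hour):
        # Count the hour and its neighbours (wrapping at midnight) with
        # add-one smoothing, so 09:00 is not "new" after 08:00 and 10:00.
        near = sum(self.hours[(hour + d) % 24] for d in (-1, 0, 1))
        return (near + 1) / (self.n + 24)


def build_baselines(history):
    by_entity = defaultdict(list)
    for event in history:
        by_entity[event["entity"]].append(event)
    # Cold start: entities with too little history get no baseline, which
    # avoids noisy alerts but also means they are not yet covered.
    return {k: Baseline(v) for k, v in by_entity.items() if len(v) >= MIN_HISTORY}


def score_event(baselines, event):
    """Return (risk 0-100, reasons) for one event against its entity's baseline."""
    base = baselines.get(event["entity"])
    if base is None:
        return 0, ["no baseline yet"]
    risk, reasons = 0, []
    z = base.volume_z(event["mb_out"])
    if z >= Z_ALERT:
        risk += min(60, round(10 * z))
        reasons.append(f"volume {event['mb_out']} MB is {z:.1f} robust z above median {base.med}")
    if base.hour_familiarity(event["hour"]) < RARE_HOUR:
        risk += 40
        reasons.append(f"activity at {event['hour']:02d}:00 is outside usual hours")
    return risk, reasons


def rank_entities(baselines, events):
    """Sum event risk per entity so analysts can triage the highest first."""
    totals = Counter()
    for event in events:
        totals[event["entity"]] += score_event(baselines, event)[0]
    return totals.most_common()


def constructed_history():
    """Constructed sample data: 20 days for two entities, 3 days for a new hire."""
    history = []
    for day in range(20):
        history.append({"entity": "alice", "hour": 8 + day % 3, "mb_out": 40 + 7 * (day % 3)})
        history.append({"entity": "svc-backup", "hour": 2, "mb_out": 5000})
    for day in range(3):
        history.append({"entity": "bob", "hour": 9, "mb_out": 30})
    return history


if __name__ == "__main__":
    baselines = build_baselines(constructed_history())
    today = [
        {"entity": "alice", "hour": 9, "mb_out": 52},         # ordinary day
        {"entity": "alice", "hour": 3, "mb_out": 900},        # odd hour, large transfer
        {"entity": "svc-backup", "hour": 2, "mb_out": 5100},  # large, but normal for it
        {"entity": "bob", "hour": 23, "mb_out": 700},         # no baseline yet
    ]
    for event in today:
        print(event, score_event(baselines, event))
    print(rank_entities(baselines, today))
```

The same 5,000 MB transfer scores zero for the backup service account and high for the interactive user, which is the point of keeping a separate baseline per entity rather than one global threshold.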

## Integrating UEBA and XDR

![XDR allows companies to track visibility, integrate with tools, use large-scale analytics, and simplify investigations. XDR allows analysts to respond to threats faster and more proactively.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/ueba.png "XDR benefits")

UEBA capabilities are now integrating with [XDR (Extended Detection and Response)](https://www.paloaltonetworks.com/cyberpedia/what-is-extended-detection-response-XDR?ts=markdown), an advanced threat detection tool that evolved from [EDR (Endpoint Detection and Response)](https://www.paloaltonetworks.com/cyberpedia/what-is-endpoint-detection-and-response-edr?ts=markdown). XDR represents a significant progression, offering deeper insights and a broader scope than traditional SIEM products. It enhances threat visibility across various data sources like networks, endpoints, and clouds.

XDR amalgamates the functionalities of EDR, UEBA, NTA (Network Traffic Analysis), and next-gen antivirus into a unified solution, providing comprehensive visibility and sophisticated behavioral analytics. This integration not only accelerates investigation processes but also significantly boosts the efficiency of security teams through automation, ensuring a more robust defense against security threats across the entire infrastructure.

## UEBA vs NTA

UEBA and NTA solutions use machine learning and analytics to detect suspicious or malicious activity in near real time. While UEBA systems analyze user behavior, NTA systems monitor all network traffic and flow records to identify potential attacks. Both solutions provide investigative insights to mitigate threats before they cause damage.

**Benefits and Drawbacks of UEBA and NTA**

| Solution | Benefits | Drawbacks |
|----------|----------|-----------|
| **UEBA** | • Allows application of analytics and data science to log data to uncover security threats that might otherwise remain hidden in massive repositories.<br>• Enables tracking and monitoring of all users and other entities that use the network.<br>• Reduces security events and significantly improves operational efficiency. | • Offers a narrow view of network behaviors and events since UEBA logs are only enabled on a small part of a company's network.<br>• Isn't able to pinpoint specific security attacks.<br>• Relies on third-party logs to monitor, identify and analyze potential threats and assign risk scores; if/when a third-party logger fails, a UEBA can't do its job.<br>• Deploys slowly: many vendors claim UEBA can be deployed in a few days, but Gartner clients report it often takes 3-6 months in simple use cases and up to 18 in complex ones.<br>• Requires lots of cross-functional approvals and system configuration. |
| **NTA** | • Allows companies to see all events, not just logged ones, across their entire network, including every aspect of an attacker's activities and techniques, from early to late stages of an attack.<br>• Enables companies to profile network devices and user accounts.<br>• Deploys with relative ease. | • Pays for itself in a short time, but still requires the expertise of a security team to know which types of security issues to look for and how to identify them.<br>• Offers coverage that, although wide, is shallow.<br>• Isn't able to track local events. |

## UEBA vs SIEM

Instead of UEBA's focus on user and entity behavior, SIEM concentrates on security event data. This means SIEM collects and analyzes data from such sources as security logs, firewall logs, intrusion detection and prevention logs, and network data traffic, compared to UEBA's utilization of user and entity-related sources and many different kinds of logs.

SIEM's primary use case is real-time security monitoring, event correlation, incident detection, and response. UEBA focuses on detecting insider threats, account compromises, privilege abuse, and other abnormal behavior or data movement-related activities.

UEBA uses machine learning algorithms and statistical modeling to create "normal" behavior baselines, while SIEM uses rule-based correlation and pattern recognition. UEBA can also be integrated with SIEM systems to enhance their user and entity behavior analytics, while SIEM solutions often include UEBA features as a module.

## UEBA vs IAM

Compared with UEBA's attention to user and entity behavior, [Identity Access Management (IAM)](https://www.paloaltonetworks.com/cyberpedia/what-is-identity-and-access-management?ts=markdown) addresses the management of user identities and access privileges and ways to identify attempts to manipulate identities to gain unauthorized access to data, applications, systems, and other digital resources.
IAM primarily relies on user identity and access data, such as user profiles, roles, permissions, authentication logs, and access control lists (ACLs). It manages and governs the creation, modification, and removal of user identities and access privileges. UEBA uses various data sources for individual users and entities, such as endpoints, servers, and other infrastructure.

While UEBA focuses on threat detection and insider threat mitigation using sophisticated, normalized analytics, IAM is used for identity lifecycle management, access provisioning, [role-based access control (RBAC)](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac?ts=markdown), single sign-on (SSO), and enforcing access policies.

## Future Trends and Developments in UEBA

The future of UEBA is closely tied to advancements in AI and machine learning, which promise to further enhance the predictive capabilities and efficiency of UEBA solutions. UEBA is expected to evolve in response to emerging cybersecurity threats, incorporating more advanced analytics and predictive models to stay ahead of sophisticated attackers.

## Choosing the Right UEBA Solution

When selecting a UEBA solution, it's essential to consider scalability, integration capabilities, machine learning algorithms, and the ability to handle diverse data sources. It's also important to evaluate vendors based on their track record, customer support, solution flexibility, and the ongoing development of their products.

## UEBA FAQs

### How is identity analytics used in UEBA?

Cortex XDR, the industry's first extended detection and response platform, includes an Identity Analytics feature for comprehensive UEBA. Identity Analytics detects risky and malicious user behavior that traditional tools can't see. It pinpoints attacks such as credential theft, brute force, and "the impossible traveler" with unparalleled accuracy by detecting behavioral anomalies indicative of an attack.
Identity analytics provides a 360-degree view of every user, including a user risk score and related alerts, incidents, artifacts, and recent activity. It also provides user context by gathering data from HR apps like Workday, other security solutions for identity management and governance, and leading identity providers. Out-of-the-box UEBA detections reveal evasive threats by examining multiple types of data.

### Is UEBA used proactively or in reaction to a potential event?

UEBA can be used proactively and in reaction to a potential event. Cybersecurity teams or service providers proactively use it to detect attacks as they occur to trigger a response, preferably automated. In a reactive stance, UEBA reviews logs and other security event data to investigate attacks that have already happened.

### What are the three pillars of UEBA?

The three pillars of UEBA (User and Entity Behavior Analytics), as defined by Gartner, are:

* Use Cases: UEBA solutions should monitor, detect, and alert on user and entity behavior anomalies across various use cases.
* Data Sources: UEBA systems should be capable of ingesting data from general data repositories or through a SIEM without deploying agents directly in the IT environment.
* Analytics: UEBA employs various analytical methods, including statistical models, machine learning, and more, to detect anomalies.

These pillars underscore the comprehensive approach of UEBA in monitoring and analyzing behavior to identify security threats.