User and Entity Behavior Analytics

User and entity behavior analytics, usually called UEBA, is the use of behavioral patterns to identify activity that differs from expected norms for users, devices, or services. In plain language, it looks for unusual patterns that may deserve investigation even when no single event looks obviously malicious on its own.

Why It Matters

UEBA matters because many real security problems do not look dramatic in one log event. The signal often appears through unusual combinations of timing, location, access pattern, or system behavior.

It also matters because compromised accounts and insider misuse can be harder to spot when the activity still uses valid identities and legitimate tools.

Where It Appears in Real Systems or Security Workflow

UEBA appears in SIEM platforms, Threat Hunting, Detection Engineering, identity monitoring, and cloud activity review. Teams relate it to Anomaly Detection, Identity Provider signals, Alert Fatigue, and Threat Intelligence.

It is most useful when unusual behavior is reviewed in context instead of treated as automatic proof of compromise.

Practical Example

A user account that normally signs in during business hours from one region suddenly downloads large amounts of data from unfamiliar systems late at night. UEBA-style analysis flags that pattern for review even if the individual actions were technically valid.

Common Misunderstandings and Close Contrasts

UEBA is not the same as a simple signature or rule match. A rule fires on a known indicator in a single event; UEBA relies on patterns, deviation from a baseline, and context accumulated over time.

It is also different from Threat Hunting. Hunting is an analyst-driven investigative process, while UEBA usually refers more specifically to behavioral analytics used as an operational signal.
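To make the practical example and the rule-versus-behavior contrast concrete, here is an added illustration that is not part of the original page or of any UEBA product. It builds a per-user baseline (usual hours, sign-in regions, source hosts, transfer volume) from constructed historical records, then scores new activity by how far it deviates from that baseline. The event fields, weights, thresholds, host names and regions are all assumptions chosen for the example; a real deployment would use robust statistics, peer-group baselines and tuned weights.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    """One access/download record. Field names are assumptions for this illustration."""
    user: str
    ts: str          # ISO-8601 timestamp, UTC
    region: str      # sign-in region as reported by the identity provider
    host: str        # system the data was read from
    bytes_out: int   # bytes transferred to the user


# Constructed 10-day baseline for 'alice': business hours (UTC), one region,
# two familiar file servers, a few MB per pull.
BASELINE = [
    Event("alice", f"2024-03-{day:02d}T{hour:02d}:00:00", "eu-west", host, size)
    for day in range(1, 11)
    for hour, host, size in (
        (9, "fs01", 4_000_000),
        (11, "fs02", 5_000_000),
        (14, "fs01", 6_000_000),
        (16, "fs02", 5_000_000),
    )
]


def hour_of(ts: str) -> int:
    return datetime.fromisoformat(ts).hour


def build_profile(events):
    """Per-user behavioral profile: hours, regions and hosts seen, plus volume stats."""
    prof = defaultdict(lambda: {"hours": set(), "regions": set(), "hosts": set(), "sizes": []})
    for e in events:
        p = prof[e.user]
        p["hours"].add(hour_of(e.ts))
        p["regions"].add(e.region)
        p["hosts"].add(e.host)
        p["sizes"].append(e.bytes_out)
    return dict(prof)


def static_rule(e: Event, limit_bytes: int = 1_000_000_000) -> bool:
    """A conventional single-event rule: fire only on a very large transfer."""
    return e.bytes_out > limit_bytes


def score_event(profile, e: Event):
    """Score one event against its user's own baseline.

    Each deviation contributes a weight; weights are illustrative, not tuned.
    Returns (score, reasons) so an analyst sees why it scored.
    """
    p = profile.get(e.user)
    if p is None:
        return 1.0, ["no baseline for user"]
    score, reasons = 0.0, []
    if hour_of(e.ts) not in p["hours"]:
        score += 1.0
        reasons.append("outside usual hours")
    if e.region not in p["regions"]:
        score += 1.5
        reasons.append("new sign-in region")
    if e.host not in p["hosts"]:
        score += 1.0
        reasons.append("unfamiliar source host")
    mu, sigma = mean(p["sizes"]), pstdev(p["sizes"])
    z = (e.bytes_out - mu) / sigma if sigma else 0.0
    if z > 3.0:
        score += 2.0
        reasons.append(f"volume z={z:.1f} above baseline")
    return score, reasons


def triage(profile, events, threshold: float = 3.0):
    """Return events whose combined deviation score crosses the review threshold."""
    flagged = []
    for e in events:
        score, reasons = score_event(profile, e)
        if score >= threshold:
            flagged.append((e, score, reasons))
    return flagged


# Constructed new activity: one ordinary pull and one off-hours, off-region,
# unfamiliar-host transfer that still stays under the static 1 GB rule.
NEW_EVENTS = [
    Event("alice", "2024-03-11T11:00:00", "eu-west", "fs02", 5_500_000),
    Event("alice", "2024-03-11T02:30:00", "ap-south", "fs-archive-07", 800_000_000),
]

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for e, score, reasons in triage(profile, NEW_EVENTS):
        print(f"REVIEW {e.user} {e.ts} score={score} rule_fired={static_rule(e)} :: {', '.join(reasons)}")
```

Run as a script, it prints a single review line for the night-time transfer: the static 1 GB rule never fires on it, yet four independent deviations from the user's own baseline push the combined score past the threshold, which is the pattern-over-time signal the page describes. The ordinary daytime pull scores zero. Surfacing the reasons alongside the score is what lets an analyst review the alert in context rather than treat it as proof of compromise.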