Behavioral analytics (UEBA)

Baseline normal, flag meaningful deviation.

Expert30 min · lesson 9 of 15

Signature and rule-based detections catch known patterns; behavioral analytics catches the subtle, novel, or insider activity that no static rule anticipated. It works by learning what normal looks like and flagging meaningful deviation.

Baseline normal, flag anomalies

User and Entity Behavior Analytics (UEBA) builds a statistical baseline of normal behavior for each user, service account, host, and workload — typical login times and locations, usual resources accessed, normal data volumes — and surfaces anomalies against it: impossible travel, a service account suddenly reading secrets it never touched, a user pulling far more data than usual, access at an unheard-of hour. These signals catch what rules miss because they do not require knowing the specific attack in advance; they require only that the malicious behavior deviates from the established norm, which compromise and insider threats usually do.

behavioral deviation as a signal
# Rule-based (known pattern): secret read by principal NOT in an allowlist
# Behavioral (deviation): secret read by a principal that has a BASELINE,
# but this access is far outside it —
#
# principal: service-account/reporting
# baseline: reads {reports-db-creds} from asn 12345, business hours
# observed: reads {root-signing-key} from asn 99999, 03:14 UTC
# ⇒ high anomaly score → alert (no prior rule named this exact case)
#
# Anomaly detection catches the novel; rules catch the known. Use both.

Strengths, limits, and combination

Behavioral analytics excels at the unknown and the insider, but it has a cost: anomalies are not always malicious, so tuning and context are essential or it becomes a noise source, and it needs enough clean history to build a trustworthy baseline. The mature approach combines both worlds — precise rule/TTP detections for known techniques, behavioral analytics for deviation, and correlation to raise confidence when multiple weak signals align. A single anomaly might be benign; an anomaly plus a suspicious API call plus data movement is an incident. Behavioral signals also make excellent hunting leads. Together, rules and analytics cover both the known and the novel.

Rules + analytics
1baseline normal
per user/entity behavior
2flag deviation
impossible travel, unusual access
3correlate
anomaly + other weak signals
4alert or hunt lead
high-confidence, or investigate
Rules catch the known; analytics catch the deviation. Correlating the two turns weak anomalies into confident incidents.
Untuned anomaly detection is a noise generator
Behavioral analytics flags deviation, and not all deviation is malicious — a naive deployment floods responders with benign anomalies. Tune it with context, require enough baseline history, and correlate anomalies with other signals so alerts represent real risk rather than statistical noise.