Cybersecurity
Updated on May 2, 2025

Top 15 UEBA Use Cases for Today's SOCs in 2025

By Cem Dilmegani

Traditional measures such as web gateways, firewalls, IPS tools, and VPNs are no longer sufficient to keep corporate systems secure from modern cyber attacks.

UEBA systems help detect modern threats by enriching the context and quality of security alerts: they monitor non-user entities (e.g. servers) as well as users and apply machine learning to that activity. This gives SOC teams behavioral security insights and supports zero-trust security initiatives.

1. Detecting malicious insiders

Malicious insiders are internal or former employees who intentionally harm an organization by misusing their access to systems and data.

Data alone, such as log files or event logs, cannot always identify these individuals; UEBA often can. Because UEBA attributes activity to individuals rather than to IP addresses, it can detect users who violate security standards by identifying and correlating:

  • insider activities, based on variances in user/device activity compared to self/peer-group baselines
  • suspicious or malicious activity
  • alerts from external tools

Real-life example: A cloud access security broker (CASB) API + UEBA solution detected an insider who authenticated using numerous IP addresses.

The solution raised “access attempts from certain IP blocks” alerts and generated a “risky countries” alert listing the IP addresses and their countries of origin.1

2. Detecting user account compromise

One of the most common insider use cases is the breach of a trusted user account, where user credentials are hacked and used by a party other than the legitimate user. This use case includes detecting shared account activity and overall account fraud.

UEBA can employ behavior modeling to detect any variation from regular user activity, indicating that the account is operated by someone other than the legitimate owner. Detection includes:

  • detecting anomalous AD activity 
  • disabled accounts
  • account recovery
  • terminated users

Real-life example: A DLP + UEBA solution detected a user who downloaded over 2,000 files from a corporate OneDrive instance and uploaded over 400 files to personal Google Drive.

Detections involved:

  • Potential sensitive file movement
  • Potential corporate data movement
  • A user-based spike in sensitive data uploaded to personal apps
  • A user-based spike in files downloaded2
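The self/peer-group baselining behind use cases 1 and 2 (a user whose activity departs from their own history or from colleagues in the same role, such as the spike in files downloaded above) can be shown with a small example. The code below is written for this article and is not the code of any UEBA product; the daily telemetry, user names, peer groups and the z-score threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily telemetry (not real data): files downloaded from a corporate file
# share per user per day, with each user's peer group. Format:
# (date, user, peer_group, files_downloaded)
DAILY_DOWNLOADS = [
    ("2025-04-01", "alice", "finance", 12), ("2025-04-02", "alice", "finance", 15),
    ("2025-04-03", "alice", "finance", 11), ("2025-04-04", "alice", "finance", 14),
    ("2025-04-01", "bob", "finance", 9), ("2025-04-02", "bob", "finance", 13),
    ("2025-04-03", "bob", "finance", 10), ("2025-04-04", "bob", "finance", 2100),
    ("2025-04-01", "carol", "finance", 14), ("2025-04-02", "carol", "finance", 10),
    ("2025-04-03", "carol", "finance", 12), ("2025-04-04", "carol", "finance", 13),
    ("2025-04-01", "dave", "engineering", 40), ("2025-04-02", "dave", "engineering", 45),
    ("2025-04-03", "dave", "engineering", 38), ("2025-04-04", "dave", "engineering", 44),
    ("2025-04-01", "erin", "engineering", 42), ("2025-04-02", "erin", "engineering", 39),
    ("2025-04-03", "erin", "engineering", 47), ("2025-04-04", "erin", "engineering", 41),
]


def zscore(value, history, floor=1.0):
    """How many standard deviations `value` sits above the mean of `history`.
    `floor` caps how small the standard deviation may be, so a user whose counts
    barely vary does not get a huge score for a handful of extra files."""
    sd = max(pstdev(history), floor)
    return (value - mean(history)) / sd


def score_day(records, day, threshold=3.0, min_history=3):
    """Score every user's count on `day` against (a) their own earlier days and
    (b) the earlier days of everyone in their peer group (the user included).
    Only days strictly before `day` form the baseline, and a user is skipped
    until at least `min_history` baseline days exist. Returns {user: finding}
    for flagged users only."""
    history_self = defaultdict(list)
    history_peer = defaultdict(list)
    group_of = {}
    today = {}
    for date, user, group, count in records:
        group_of[user] = group
        if date == day:
            today[user] = count
        elif date < day:  # ISO dates sort correctly as strings
            history_self[user].append(count)
            history_peer[group].append(count)

    flagged = {}
    for user, count in today.items():
        own = history_self[user]
        if len(own) < min_history:
            continue  # baseline still warming up; scoring now would be noise
        z_self = zscore(count, own)
        z_peer = zscore(count, history_peer[group_of[user]])
        if z_self >= threshold or z_peer >= threshold:
            flagged[user] = {
                "count": count,
                "z_self": round(z_self, 1),
                "z_peer": round(z_peer, 1),
                "peer_group": group_of[user],
            }
    return flagged


if __name__ == "__main__":
    for user, finding in score_day(DAILY_DOWNLOADS, "2025-04-04").items():
        print(f"{user}: {finding}")
```

Two design choices matter in practice: the standard-deviation floor keeps a user with a very stable routine from generating an alert over a few extra files, and the warm-up period avoids scoring accounts that have no meaningful history yet. The peer baseline is what catches an account whose own history is consistent but sits far outside what colleagues in the same role do.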

3. Detecting device compromise

Detecting endpoints that have been penetrated or infected with malware is difficult.

This differs from the “Compromised User Account” use case above: malicious behavior on a host can be detected even when it cannot be attributed to a specific user account.

UEBA can detect malware activity using behavior-based modeling, regardless of how the initial infection was delivered. Detection strategies include tracking changes in:

  • communication patterns of devices
  • communication with external domains or IP addresses, and domain characteristics.

Real-life example: Law firm Winthrop & Weinstine implemented a UEBA solution for detecting and responding to cyber-attacks. The firm centralized security data and displayed communication patterns of IP addresses. This helped find the host and device compromises.3

4. Detecting lateral attacks 

Lateral movement by a trusted insider entails probing for and progressively expanding access to multiple resources.

UEBA solutions can effectively identify lateral attacks by monitoring user and entity behavior trends throughout the network. UEBA solutions can detect deviations in typical behavior baselines by analyzing:

  • Sudden privilege escalation
  • Unusual access to sensitive resources
  • Abnormal authentication patterns

Some examples of lateral movement that UEBA can detect include:

  • Pass the hash (PtH) – a credential theft technique in which an attacker reuses a captured password hash to authenticate without knowing the plaintext password
  • Brute force logins – repeated trial-and-error attempts to guess login credentials
  • Internal spearphishing
  • SSH hijacking

5. Identifying network policy breaches

Companies enforce policies against sharing user accounts to keep access attributable to individuals. However, enforcing these standards may be difficult, particularly in large workplaces with numerous people and systems.

UEBA can identify simultaneous or near-simultaneous logins from geographically distant places, which is unlikely in legitimate single-user activity. Policy-breach detection also entails:

  • Monitoring unusual data transfers: Policies usually govern data movement within and outside an organization. UEBA can recognize deviations, such as sudden large data transfers and transfers to unauthorized networks, which could indicate a policy breach.
  • Detecting unauthorized device connections: Many policies restrict which devices can connect to corporate networks. If an unknown device attempts to connect, UEBA can identify this as a breach and alert the security team. This is critical in securing BYOD environments.
  • Enforcing role-based access control (RBAC): UEBA can help enforce RBAC policies by analyzing each role’s access patterns. If a user accesses files or systems beyond their role permissions, UEBA identifies this as a violation. For more: RBAC examples.
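The simultaneous-login check described for this use case is often implemented as an "impossible travel" rule: two logins by the same account whose locations could not have been reached in the elapsed time. The following example is written for this article, not taken from any product; it assumes the source IP has already been geolocated upstream, so the coordinates are embedded in the constructed login events, and the speed threshold is an assumption.

```python
import math
from datetime import datetime

# Constructed login events (not real data). The source IP is assumed to have been
# geolocated upstream; the resolved coordinates are embedded directly here.
LOGINS = [
    {"user": "alice", "time": "2025-04-04T08:00:00", "ip": "203.0.113.10",
     "lat": 51.5074, "lon": -0.1278},   # London
    {"user": "alice", "time": "2025-04-04T08:25:00", "ip": "198.51.100.7",
     "lat": 40.7128, "lon": -74.0060},  # New York, 25 minutes later
    {"user": "bob", "time": "2025-04-04T09:00:00", "ip": "203.0.113.22",
     "lat": 48.8566, "lon": 2.3522},    # Paris
    {"user": "bob", "time": "2025-04-04T13:30:00", "ip": "203.0.113.23",
     "lat": 51.5074, "lon": -0.1278},   # London, 4.5 hours later: plausible by train
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, max_speed_kmh=900.0):
    """Compare each user's consecutive logins and flag a pair when the distance
    between them could not have been covered in the elapsed time at
    `max_speed_kmh` (roughly airliner speed). Returns a list of findings."""
    by_user = {}
    for event in logins:
        by_user.setdefault(event["user"], []).append(event)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])
        for prev, cur in zip(events, events[1:]):
            minutes = (datetime.fromisoformat(cur["time"])
                       - datetime.fromisoformat(prev["time"])).total_seconds() / 60
            distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Treat a zero gap as one minute so truly simultaneous logins from two
            # places yield a finite (and very large) speed instead of a division error.
            speed = distance / max(minutes, 1) * 60
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from_ip": prev["ip"],
                    "to_ip": cur["ip"],
                    "distance_km": round(distance, 1),
                    "minutes": round(minutes, 1),
                    "speed_kmh": round(speed),
                })
    return findings


if __name__ == "__main__":
    for finding in impossible_travel(LOGINS):
        print(finding)
```

A finding here is a signal for the shared-account or compromised-account investigation, not a verdict on its own: corporate VPN egress points and mobile carrier networks routinely place a legitimate user hundreds of kilometres from their desk, so a production rule typically allow-lists known egress ranges before scoring.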

6. Detecting data exfiltration 

This use case matters even if your team can already detect compromised accounts and endpoints, since authorized users may also exfiltrate data.

UEBA can identify the loss or theft of confidential data outside the company via several attack vectors, including:

  • network security infrastructure (firewalls and proxies)
  • online cloud storage
  • attached storage (USB), and email

7. Privileged access misuse prevention

A privileged account is a user account with more access and permissions than a standard account. These accounts are used by system administrators and managers.

Serious consequences, such as data breaches or system disruption, may occur if these accounts are compromised.

UEBA helps to reduce this risk by continuously monitoring privileged user behavior patterns. If a privileged person accesses sensitive data or systems outside of their normal scope or at unusual times, UEBA can identify this as anomalous behavior and alert the SOC team.

8. Security alert automation and investigation

Organizations may encounter alerts from security products such as anti-malware, DLP, and network access control that require further investigation. For example, SOCs need help with alerts that lack essential information such as the host, file hash, and user data. 

UEBA solutions can provide detailed context for third-party security alerts, enabling SOC teams to quickly access all relevant information by simply entering the alert ID.

Real-life example: Union Bank implemented a UEBA solution to collect all DLP events and establish a baseline activity for detecting unusual behavior. The solution allowed the bank to filter out false positives and focus on high-risk situations.4

9. Account lockout investigation

Account lockouts are a major drain on administrative resources, particularly in larger companies, where investigating locked user accounts can consume the equivalent of a full-time position. Admins spend hours on every locked-out account determining whether it is a simple user error or a possible account hijacking.

A UEBA system can automate this process by checking:

  • The domain controller’s event logs to find the cause of the lockout.
  • The user’s device for any cached credentials that may be causing the lockout.
  • Active sessions that could be causing the lockout. 
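The first of the three checks above, reading the domain controller's event logs for the cause of a lockout, can be automated with a small correlation routine. The example below is written for this article and is not any UEBA product's code. It uses the real Windows event IDs 4740 (account locked out) and 4625 (failed logon), but the event records are constructed and their field names are simplified stand-ins for the fields those events carry; the 30-minute window and the "three or more sources" rule are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed, simplified domain-controller security events (not real logs).
# Event IDs 4740 (account locked out) and 4625 (failed logon) are the real Windows
# IDs; "source_host" stands in for the workstation / caller-computer field of
# those events.
EVENTS = [
    # Five bad-password failures from the user's own workstation, then the lockout:
    # the pattern of a stale cached credential on that device.
    {"time": "2025-04-04T07:58:00", "event_id": 4625, "user": "jsmith", "source_host": "WS-JSMITH"},
    {"time": "2025-04-04T07:58:20", "event_id": 4625, "user": "jsmith", "source_host": "WS-JSMITH"},
    {"time": "2025-04-04T07:58:40", "event_id": 4625, "user": "jsmith", "source_host": "WS-JSMITH"},
    {"time": "2025-04-04T07:59:00", "event_id": 4625, "user": "jsmith", "source_host": "WS-JSMITH"},
    {"time": "2025-04-04T07:59:20", "event_id": 4625, "user": "jsmith", "source_host": "WS-JSMITH"},
    {"time": "2025-04-04T07:59:21", "event_id": 4740, "user": "jsmith", "source_host": "WS-JSMITH"},
    # Failures for a service account from four different hosts outside business
    # hours: not one misconfigured device, so treat as a possible credential attack.
    {"time": "2025-04-04T22:10:00", "event_id": 4625, "user": "svc_backup", "source_host": "10.0.5.77"},
    {"time": "2025-04-04T22:11:00", "event_id": 4625, "user": "svc_backup", "source_host": "10.0.5.78"},
    {"time": "2025-04-04T22:12:00", "event_id": 4625, "user": "svc_backup", "source_host": "WS-FRONTDESK"},
    {"time": "2025-04-04T22:13:00", "event_id": 4625, "user": "svc_backup", "source_host": "10.0.5.79"},
    {"time": "2025-04-04T22:13:05", "event_id": 4625, "user": "svc_backup", "source_host": "10.0.5.79"},
    {"time": "2025-04-04T22:13:06", "event_id": 4740, "user": "svc_backup", "source_host": "10.0.5.79"},
]

SINGLE_SOURCE = "single source: check that device for cached or stale credentials"
MULTI_SOURCE = "multiple sources: possible credential attack, escalate to the SOC"
INCONCLUSIVE = "inconclusive: review manually"


def triage_lockouts(events, window=timedelta(minutes=30), multi_source_min=3):
    """For each lockout (4740), gather the same account's failed logons (4625)
    in the preceding `window`, count them per source host and classify."""
    parsed = sorted(((datetime.fromisoformat(e["time"]), e) for e in events),
                    key=lambda pair: pair[0])
    findings = []
    for when, lock in parsed:
        if lock["event_id"] != 4740:
            continue
        failures = [
            e for t, e in parsed
            if e["event_id"] == 4625 and e["user"] == lock["user"]
            and when - window <= t <= when
        ]
        sources = Counter(e["source_host"] for e in failures)
        if len(sources) >= multi_source_min:
            verdict = MULTI_SOURCE
        elif len(sources) == 1 and next(iter(sources)) == lock["source_host"]:
            verdict = SINGLE_SOURCE
        else:
            verdict = INCONCLUSIVE
        findings.append({
            "user": lock["user"],
            "locked_at": lock["time"],
            "failed_logons": sum(sources.values()),
            "sources": dict(sources),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_lockouts(EVENTS):
        print(finding)
```

The single-source verdict is what sends an admin to the second and third checks in the list (cached credentials and stale sessions on that one device); the multi-source verdict is the case that should never be closed as a user error without an analyst looking at it.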

10. Account creation monitoring

Attackers may infiltrate a network by installing malware on one system and then using this foothold to create new, unrelated accounts. Even if IT restores the compromised machine, the attackers retain access through the new credentials.

A UEBA solution can monitor account creation and quickly detect:

  • unauthorized credential creation
  • fraudulent digital accounts using stolen or synthetic IDs
  • accounts that have been used for spamming or violating the rules

11. Third-party and supply chain risk monitoring

Organizations commonly allow third-party suppliers or partners access to their systems as part of their operational procedures. However, this exposure raises the risk of external cyber threats.

UEBA tools can monitor third-party activities and interactions with the organization’s resources, and prioritize and investigate supply chain threats such as unauthorized access attempts and data exfiltration.

Real-life example: Lineas, the largest private rail freight company in Europe, deployed a UEBA solution to allow its users to focus on behavioral supply chain analytics rather than logs and existing use cases.

With the UEBA solution, the company was able to ingest a multitude of logs and gain insights, giving it visibility into hosts, accounts, network traffic, and data repositories.5

12. Insider risk monitoring

UEBA captures and analyzes how users regularly interact with your IT systems. Any difference from conventional employee behavior (for example, unusual working hours) is reported for further inquiry, assisting in the detection of insider threats.

This helps SOCs obtain an overview of user activity analytics and identify and reduce insider risks caused by malevolent intent or negligent behavior.

13. Forecasting software and hardware breakdowns

Software: UEBA can also collect and analyze application logs and response times in software applications. If it detects an increase in errors or a slower response time in transactions that have previously resulted in software crashes, it may send a software issue alert.

Hardware: UEBA may monitor resource consumption indicators such as CPU, memory, and network traffic in hardware components such as servers, storage devices, and network equipment. If it detects spikes or deviations from standard operating processes, it alerts to a hardware issue.

14. Adhering to GDPR compliance

The European Union’s General Data Protection Regulation (GDPR) places obligations on enterprises to keep account of who accesses personal data, how it is used, and when it is removed. UEBA solutions can assist businesses in complying with GDPR by monitoring user activity and access to sensitive data.

15. Maintaining zero trust security

A zero-trust architecture requires complete visibility into all network users, devices, assets, and entities. UEBA provides security analysts with detailed, real-time insight into all end-user and entity activity, including which devices are seeking access to the network and which individuals are trying to exceed their rights.

Open source UEBA tools

Last Updated at 05-02-2025
  • OpenUBA – Ingests and analyzes logs for abnormal behaviors using machine learning and behavioral profiling models
  • Graylog – Collects logs from servers and applies machine learning-based anomaly detection through its interface
  • Wazuh – Monitors telemetry data for threat detection and anomaly analysis
  • Apache Metron – Provides real-time insights into security telemetry through big data platforms
  • HELK – Provides threat hunting capabilities using the ELK stack and Apache Spark for real-time data analysis
  • Apache Spot – Detects network traffic anomalies indicating suspicious user or entity activities

Read more: Open source UEBA tools.

UEBA vs SIEM

Last Updated at 11-03-2024
  • Detection approach – UEBA: self-learning, behavior-based threat detection. SIEM: rule-based, using predefined rules and thresholds.
  • Machine learning usage – UEBA: uses both supervised and unsupervised machine learning. SIEM: typically lacks advanced machine learning capabilities.
  • Suitability for insider threats – UEBA: strong for insider threat detection. SIEM: limited effectiveness in detecting insider threats.
  • Ability to detect sophisticated attacks – UEBA: great for detecting low-and-slow attacks (e.g., lateral movement, data exfiltration). SIEM: limited to signature-based attacks and known attack patterns.
  • Scalability – UEBA: ideal for larger businesses with complex security needs. SIEM: suitable for small to large businesses; may require tuning for scalability.
  • Examples – UEBA: Exabeam, Rapid7 InsightIDR, Varonis UEBA. SIEM: ManageEngine Log360, Splunk, IBM QRadar.

  • SIEM focuses on security event data rather than user or entity behavior. This means that SIEM collects and analyzes data from security logs, firewall logs, intrusion prevention logs, and network traffic, whereas UEBA uses user and entity-related sources and a variety of logs.

    The core use case for SIEM is real-time security monitoring, event correlation, incident detection, and response.
  • UEBA can detect insider threats, account compromises, privilege abuse, and other abnormal behavior or data transfer activities. UEBA uses machine learning algorithms and statistical modeling to establish “normal” behavior baselines, whereas SIEM employs rule-based correlation and pattern recognition.

    UEBA can also be integrated into SIEM systems to improve user and entity behavior analytics, and SIEM solutions frequently offer UEBA capabilities as modules. Some vendors such as ManageEngine Log360 or Microsoft Sentinel offer unified SIEM products that provide SIEM and UEBA capabilities in a single solution.

FAQ

What is a UEBA system used for?

A UEBA system identifies and responds to cybersecurity threats by monitoring user and network activity. It aids in the detection of anomalous behaviors, misconfigurations, and potential vulnerabilities, allowing security teams to take necessary steps to secure their systems.

What are the three pillars of UEBA?

Gartner defines the three pillars of UEBA (user and entity behavior analytics) as follows:

1. Use cases: UEBA systems should monitor, detect, and alert to deviations in user and entity activity across multiple use cases.

2. Data sources: UEBA systems should be able to retrieve data from generic data repositories or via a SIEM without deploying agents directly in the IT environment.

3. Analytics: To discover anomalies, UEBA uses several analytical techniques, such as statistical models and machine learning.

How do UEBA tools help organizations?

UEBA tools collect logs and alerts from all connected data sources and analyze them to create baseline behavioral profiles of your organization’s entities (e.g. users, hosts, IP addresses, and apps) over time and across peer groups.

These tools can then leverage anomaly-based threat detection to provide comprehensive user and entity insights into unusual activity and assist you in determining if an asset has been hacked. This helps SOCs to prioritize investigation and incident response. For more: Incident response tools.

Note that, unlike user behavior analytics (UBA), UEBA has an extended scope. While UBA focuses only on evaluating user activity, UEBA encompasses the behavior of both users and network entities, including:

  • network devices
  • routers
  • databases

Cem has been the principal analyst at AIMultiple since 2017. AIMultiple informs hundreds of thousands of businesses (as per similarWeb) including 55% of Fortune 500 every month.

Cem's work has been cited by leading global publications including Business Insider, Forbes, Washington Post, global firms like Deloitte, HPE and NGOs like World Economic Forum and supranational organizations like European Commission. You can see more reputable companies and resources that referenced AIMultiple.

Throughout his career, Cem served as a tech consultant, tech buyer and tech entrepreneur. He advised enterprises on their technology decisions at McKinsey & Company and Altman Solon for more than a decade. He also published a McKinsey report on digitalization.

He led technology strategy and procurement of a telco while reporting to the CEO. He has also led commercial growth of deep tech company Hypatos that reached a 7 digit annual recurring revenue and a 9 digit valuation from 0 within 2 years. Cem's work in Hypatos was covered by leading technology publications like TechCrunch and Business Insider.

Cem regularly speaks at international technology conferences. He graduated from Bogazici University as a computer engineer and holds an MBA from Columbia Business School.
Mert Palazoglu is an industry analyst at AIMultiple focused on customer service and network security with a few years of experience. He holds a bachelor's degree in management.