User Behavior Analytics (UBA) - what it is, why it helps, and simple ways to use it

UBA (User Behavior Analytics)

What it is

User Behavior Analytics (UBA) looks at how people normally use accounts and devices, then flags activity that breaks from that pattern. Think “baseline of normal” for logins, file access, and app use. If something suddenly looks off - like midnight logins from a new country or mass file downloads - UBA raises a hand early.

Why it matters

Insiders and stolen accounts often look “legit” at first. UBA spots the unusual patterns fast, helping catch misuse before it turns into data theft or ransomware.

How it works

  • Learn normal: collects everyday signals (times, places, apps, volume).

  • Score risk: compares new actions to the baseline and gives a risk score.

  • Alert: pings security when behavior jumps from normal to suspicious.

  • Assist: helps responders see the who/what/when in one timeline.

Red flags

  • Many failed logins followed by a success from a new location/device.

  • Off-hours access to sensitive files or sudden bulk downloads.

  • Privilege changes or new admin tools used by accounts that never needed them.

  • A single account touching lots of systems it normally doesn’t.
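To make the “learn normal, score risk, alert” loop and the red flags above concrete, here is a small added example (not code from the original page). It builds a per-user baseline from constructed login/download records, then scores new activity for the three signals the text names: a failed-login burst followed by a success from a new country, off-hours access, and bulk downloads. The record format, thresholds, and point values are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

HISTORY = [  # constructed "learn normal" records: (user, ISO timestamp, country, action, success)
    ("alice", "2024-05-01T09:12:00", "US", "login", True),
    ("alice", "2024-05-01T10:03:00", "US", "download", True),
    ("alice", "2024-05-02T08:55:00", "US", "login", True),
]
NEW = [  # constructed new activity: failed-login burst, success from a new country, bulk downloads
    ("alice", "2024-05-04T02:10:00", "RO", "login", False),
    ("alice", "2024-05-04T02:11:00", "RO", "login", False),
    ("alice", "2024-05-04T02:12:00", "RO", "login", False),
    ("alice", "2024-05-04T02:13:00", "RO", "login", True),
] + [("alice", f"2024-05-04T02:2{i}:00", "RO", "download", True) for i in range(4)]

def build_baseline(events):
    """Learn normal per user: countries seen, active hours, and peak downloads per day."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "max_dl": 0})
    per_day = defaultdict(int)
    for user, ts, country, action, ok in events:
        if not ok: continue  # failed attempts do not define "normal"
        t = datetime.fromisoformat(ts)
        base[user]["countries"].add(country)
        base[user]["hours"].add(t.hour)
        if action == "download":
            per_day[(user, t.date())] += 1
            base[user]["max_dl"] = max(base[user]["max_dl"], per_day[(user, t.date())])
    return base

def score_events(events, base, fail_threshold=3, dl_factor=3):
    """Score each new event against the baseline; return (user, ts, score, reasons) for anomalies."""
    alerts, fails, per_day = [], defaultdict(int), defaultdict(int)
    for user, ts, country, action, ok in events:
        b, t, score, why = base[user], datetime.fromisoformat(ts), 0, []
        if action == "login" and not ok:
            fails[user] += 1; continue  # remember the burst; it matters once a login succeeds
        if action == "login":
            if country not in b["countries"]:
                score += 20; why.append(f"login from new country {country}")
                if fails[user] >= fail_threshold:
                    score += 40; why.append(f"after {fails[user]} failed attempts")
            fails[user] = 0
        if t.hour not in b["hours"]:
            score += 15; why.append(f"off-hours activity at {t.hour:02d}:00")
        if action == "download":
            per_day[(user, t.date())] += 1
            if per_day[(user, t.date())] > dl_factor * b["max_dl"]:
                score += 30; why.append(f"bulk download #{per_day[(user, t.date())]} today")
        if score: alerts.append((user, ts, score, why))
    return alerts
```

Each alert carries its reasons, which is the “who/what/when in one timeline” a responder needs; a real deployment would tune the thresholds against its own alert volume rather than use these fixed values.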

Do it right

  • Turn on UBA/UEBA features in your security suite or cloud apps if available.

  • Pair with strong basics: MFA, least privilege, and quick offboarding of old accounts.

  • Review alerts regularly; tune noisy rules so real issues stand out.

  • Respect privacy: collect only what you need and protect those logs.
