Behavior-based detections for UEBA in Splunk Enterprise Security
Behavior-based detections in User and Entity Behavior Analytics (UEBA) identify unusual or risky activity by comparing current behavior against learned historical baselines. Rather than relying on fixed rules, these detections use statistical models and machine learning to determine what is normal for a specific user or asset, then flag deviations that might indicate a potential threat or compromised account.
Each behavior-based detection is associated with one or more entities and generates intermediate findings when it detects behavior that significantly differs from an established baseline. These findings contribute to the Entity Risk Score (ERS), which represents the overall risk level for a user or asset based on recent findings.
You can tune behavior-based detections through configuration options such as adjusting thresholds, modifying suppression logic, or excluding known safe behaviors. However, you can't modify the underlying SPL or detection logic of behavior-based detections.
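As an added illustration (not Splunk's model or code; this page does not expose the detection internals), the following toy Python detector shows the mechanism described above: a per-entity, per-metric baseline learned from history, a z-score deviation test, and the three tuning knobs named on this page (a threshold, suppression of entities with too little history, and an exclusion list), with findings aggregated into a per-entity risk score. The sample data, entity names and the risk formula are constructed for the example.

```python
from statistics import mean, pstdev

# Constructed sample data (hypothetical): per entity, per metric, the last
# seven daily values that form the learned baseline, and today's observation.
HISTORY = {
    "alice": {"logins": [10, 12, 11, 9, 13, 10, 11], "mb_out": [50, 60, 55, 48, 52, 58, 51]},
    "bob": {"logins": [3, 4, 2, 3, 5, 3, 4], "mb_out": [20, 22, 19, 21, 20, 23, 18]},
    "svc_backup": {"logins": [200, 210, 205, 198, 202, 207, 201],
                   "mb_out": [1000, 1020, 990, 1010, 1005, 995, 1015]},
    "carol": {"logins": [1, 2], "mb_out": [5, 6]},  # too little history yet
}
TODAY = {
    "alice": {"logins": 12, "mb_out": 54},
    "bob": {"logins": 45, "mb_out": 24},
    "svc_backup": {"logins": 600, "mb_out": 5000},
    "carol": {"logins": 50, "mb_out": 400},
}

def detect(history, today, threshold=3.0, min_days=5, exclude=frozenset()):
    """Return intermediate findings as (entity, metric, z_score) tuples.

    threshold: standard deviations above the baseline that count as anomalous.
    min_days:  suppression logic; entities without enough history get no findings.
    exclude:   entities whose behavior is known to be safe (e.g. a backup service).
    """
    findings = []
    for entity, metrics in today.items():
        if entity in exclude:
            continue
        for metric, observed in metrics.items():
            past = history.get(entity, {}).get(metric, [])
            if len(past) < min_days:
                continue  # baseline not yet established: suppress
            mu, sigma = mean(past), pstdev(past)
            z = (observed - mu) / (sigma or 1.0)  # guard against a flat baseline
            if z > threshold:
                findings.append((entity, metric, round(z, 2)))
    return findings

def entity_risk_score(findings, per_finding_cap=50, total_cap=100):
    """Aggregate findings into a per-entity risk score (constructed formula)."""
    scores = {}
    for entity, _, z in findings:
        contribution = min(per_finding_cap, round(z))
        scores[entity] = min(total_cap, scores.get(entity, 0) + contribution)
    return scores

if __name__ == "__main__":
    found = detect(HISTORY, TODAY)
    print(found)                      # bob: logins; svc_backup: logins and mb_out
    print(entity_risk_score(found))   # {'bob': 46, 'svc_backup': 100}
```

Excluding svc_backup removes its findings entirely, while lowering min_days to 2 lets carol's sparse history produce a (noisy) finding, which is the trade-off the suppression setting controls.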