User and entity behavior analytics (UEBA) overview in Splunk Enterprise Security
User and Entity Behavior Analytics (UEBA) identifies anomalies by comparing current activity against learned baselines for users and assets. It helps analysts detect insider threats, reduce false positives, and prioritize investigations based on risk.
UEBA collects and correlates data features from multiple sources, such as authentication logs, endpoints, and network traffic, to:
- Extract behavioral features, such as login frequency or data access volume
- Baseline normal activity for each user or entity
- Measure deviations from those baselines
- Assign entity risk scores that indicate potential threats
With UEBA, you can detect suspicious behavior early, focus on high-risk anomalies rather than isolated alerts, and maintain compliance and investigation visibility. By modeling normal behavior and scoring deviations, UEBA helps you detect threats faster and more precisely across users and entities.
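The feature-baseline-deviation-risk pipeline described above, as an added illustration that is not Splunk's code: it extracts a login-frequency feature from constructed sample log lines, learns a per-user mean and standard deviation over a five-day window, converts the sixth day into a z-score, and adds points to the entity's risk score when the deviation crosses a threshold. The log format, thresholds and point values are assumptions chosen for the example.

```python
import math
from collections import defaultdict

LEARN_DAYS = ("d1", "d2", "d3", "d4", "d5")  # baseline (learning) window
SCORE_DAY = "d6"                               # day being evaluated

def make_logs():
    """Constructed sample log lines of the form '<day> <user> <event>' (not real data)."""
    daily_logins = {
        "alice": {"d1": 2, "d2": 2, "d3": 3, "d4": 2, "d5": 1, "d6": 9},     # spikes on d6
        "bob":   {"d1": 8, "d2": 10, "d3": 12, "d4": 10, "d5": 10, "d6": 12},  # within habit
    }
    lines = []
    for user, per_day in daily_logins.items():
        for day, n in per_day.items():
            lines += [f"{day} {user} login"] * n
    lines.append("d6 alice logout")  # a non-login event; the feature ignores it
    return lines

def extract_features(lines):
    """Feature extraction: count of logins per (user, day)."""
    counts = defaultdict(int)
    for line in lines:
        day, user, event = line.split()
        if event == "login":
            counts[(user, day)] += 1
    return counts

def learn_baselines(counts, learn_days=LEARN_DAYS):
    """Per-user mean and population standard deviation over the learning window."""
    baselines = {}
    for user in {u for (u, _) in counts}:
        xs = [counts.get((user, d), 0) for d in learn_days]
        mean = sum(xs) / len(xs)
        std = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        baselines[user] = (mean, std)
    return baselines

def deviation(value, mean, std, floor=1.0):
    """z-score with a floor on std so a near-constant baseline cannot blow up the score."""
    return (value - mean) / max(std, floor)

def entity_risk_scores(lines, score_day=SCORE_DAY, threshold=3.0, points=20):
    """Returns {user: (z, risk)}: a deviation beyond the threshold adds points to the entity's risk."""
    counts = extract_features(lines)
    results = {}
    for user, (mean, std) in learn_baselines(counts).items():
        z = deviation(counts.get((user, score_day), 0), mean, std)
        results[user] = (z, points if z >= threshold else 0)
    return results
```

Alice's nine logins on the scored day sit seven floored standard deviations above her habit and contribute risk, while Bob's twelve stay inside his normal range and contribute none.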
Example: Alex, Detection Engineer
Alex uses UEBA to understand which entities and assets in their environment are exhibiting behavior that is abnormal compared to their established baseline. Alex can visualize deviations from normal behavior and drill down to the underlying raw logs to verify them. The detections are automatically tuned by:
- Adjusting thresholds for behavior-based detections to reduce false positives
- Applying macros and suppression logic to exclude known safe behavior
- Refining detection logic and risk scoring so that findings contributing to the Entity Risk Score (ERS) more accurately reflect true risk
They can also manage Finding exclusions to remove intermediate findings from a specific detection for a set time range or indefinitely, so that detection results are tailored to their environment.
Alex and other analysts can use Entity lists to focus dashboard results on specific assets or identities, or filter them out to concentrate on other entities. These lists enhance investigation efficiency by narrowing the behavioral context.