User behavior analytics

User Behavior Analytics (UBA) examines user activities—logins, file access, network usage—and applies statistical or machine learning models to detect anomalies that may indicate insider threats or compromised accounts. For example, if an employee who typically downloads 10MB/day of data suddenly downloads gigabytes, or logs in at unusual times, UBA flags it for investigation.

How does it affect identity security?

Even legitimate credentials can be misused by attackers or malicious insiders. Basic security checks (e.g., password rules) won’t catch an authorized user exfiltrating data. UBA identifies suspicious patterns that deviate from a user’s “normal” profile. It helps address insider threats, lateral movement, and stealthy infiltration. By combining contextual data (location, time, resource type) with historical baselines, UBA provides a powerful layer of identity monitoring.

Cloud providers offer user and entity behavior analytics as part of their security suites (e.g., Microsoft Defender for Cloud Apps, AWS GuardDuty). These tools leverage IAM logs to detect anomalies—like a developer account calling unusual APIs. Integrations with identity providers also feed data on sign-in attempts, MFA usage, etc. 

A strong UBA pipeline in a cloud environment can quickly highlight compromised credentials, especially if an attacker uses an authorized token for suspicious tasks. UBA supports zero trust strategies by continuously verifying user behavior.

Case study

A financial advisor copied large sets of client data. UBA flagged his abnormal query volume and times. Investigations confirmed he tried selling the data. Without UBA, his usage might have appeared legitimate.

‍