What are the main differences between UEBA and SIEM solutions?
Hi community members,
Let's discuss the main differences between UEBA (User and Entity Behavior Analytics) and SIEM (Security Information and Event Management) solutions.
1. SIEM is designed to store events for extended periods (typically 365 days); UEBA violations/rule triggers add to risk scores but generally function on real-time data and < 30-day old data.
2. SIEMs are generally Rule-Based - "If X Happens Y Times in Z Time Interval" or simply "If X happens". UEBA rules look for anomalies - "If X Happens and it's NEVER Happened Before". "If Y happens and other Users (or machines E in UEBA), runs an executable or executes a transaction they've never done"
3. The SIEM group-by field in rules is normally an IP address. In UEBA the group is the user or machine and may join events (threats - see the MITRE ATT&CK Framework https://attack.mitre.org/). With SIEM I target a 99.999% event reduction; with UEBA I look for another order of magnitude (99.9999%) reduction by cross-correlating user movement throughout the enterprise as they move from one host to another, and as they show up in various logs with variations on their user name (or no user field at all with IP to User lookup).
4. UEBA enriches data to give it context - Who is the user? What Department are they in? Is this IP/URL on a blacklist? Has the user had a bad employee review from HR? Does the user have risks from LexisNexis-like bankruptcy, divorce, or pending court case?
5. UEBA rules commonly link events over longer periods of time with risk scores (probabilities an event represents a compromise), and scores grow as more threats are seen over days, weeks, or months.
6. SIEMs typically work with security device logs (Firewalls, IDS, AV...), while some of the best UEBA use cases are based on application logs. Ex.: ATM Machine 1 ran an EXE the other 500 ATMs have never run AND Connected to a Foreign IP address, AND Spit out $5,000 in 10 minutes when normal cash withdrawals are <$500/hour.
7. SIEM rules compare events in real-time to new events. UEBA rules have to "learn normal" by building profiles about the user/entity's past actions to compare new events to determine if they match prior behavior patterns. UEBA rules are often based on 3X spikes by hour/day/week/month vs. X happened Y times static thresholds.
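Points 2, 5, 6 and 7 above, as an added example that is not part of the original answer: a stateless SIEM-style threshold next to a UEBA-style check that learns normal per ATM and accumulates a risk score. The events, field layout, executable name, country code "ZZ", the fixed limit and the weights are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events: (entity, executable, dest_country, cash_usd_per_hour)
BASELINE = ([("atm001", "atmsvc.exe", "US", c) for c in (280, 300, 320)] +
            [("atm002", "atmsvc.exe", "US", c) for c in (250, 300, 350)] +
            [("atm003", "atmsvc.exe", "US", c) for c in (580, 600, 620)])  # busy site
NEW = [("atm003", "atmsvc.exe", "US", 640),        # normal for this ATM
       ("atm002", "atmsvc.exe", "US", 400),
       ("atm001", "unknown_tool.exe", "US", 310),  # executable no ATM has run
       ("atm001", "unknown_tool.exe", "ZZ", 5000)] # foreign connection + cash spike

STATIC_LIMIT = 500  # SIEM-style fixed threshold (assumed value)
WEIGHTS = {"new_exe": 40, "new_country": 30, "spike_3x": 30}  # assumed weights

def siem_static_rule(events):
    """Stateless rule: alert whenever hourly cash exceeds a fixed limit."""
    return [e[0] for e in events if e[3] > STATIC_LIMIT]

def build_profiles(history):
    """Learn normal: peer-wide executables and countries, per-entity cash mean."""
    exes, countries, cash = set(), set(), defaultdict(list)
    for entity, exe, country, usd in history:
        exes.add(exe)
        countries.add(country)
        cash[entity].append(usd)
    return exes, countries, {k: mean(v) for k, v in cash.items()}

def ueba_risk(history, events):
    """Accumulate a per-entity risk score from anomalies against the profiles."""
    exes, countries, avg = build_profiles(history)
    peer_avg = mean(avg.values())  # fallback baseline for an entity with no history
    risk, scored_exe = defaultdict(int), set()
    for entity, exe, country, usd in events:
        if exe not in exes and (entity, exe) not in scored_exe:
            risk[entity] += WEIGHTS["new_exe"]      # never run by this ATM or its peers
            scored_exe.add((entity, exe))
        if country not in countries:
            risk[entity] += WEIGHTS["new_country"]  # destination never seen before
        if usd > 3 * avg.get(entity, peer_avg):
            risk[entity] += WEIGHTS["spike_3x"]     # 3X spike over the ATM's own normal
    return dict(risk)

if __name__ == "__main__":
    print("static rule alerts:", siem_static_rule(NEW))
    print("UEBA risk scores:  ", ueba_risk(BASELINE, NEW))
```

The static rule alerts on the busy atm003 as well as atm001, while the profile-based score singles out atm001 and grows across its two events.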
Many SIEM solutions like QRadar are using UEBA in a SIEM solution.
User and Entity Behavior Analytics (UEBA) uses machine learning to detect anomalies in the behavior of users and devices connected to a corporate network.
SIEM is the platform where we can see all of the security events. Here we can analyze, investigate, correlate, create reports, dashboards, etc.
UEBA is used to find out the unusual behaviour, compare data with various sources and analyze the found issues.
Hope it is informative!!
Thanks!!!
Hi @Ken Shaurette, @Nuwan Chathuranga, @Muhammad Moqeet and @Paresh-Makwana. Can you help please?