User and Entity Behavior Analytics (UEBA)

This document explains the User and Entity Behavior Analytics (UEBA) feature.

After reading this document, you will be able to:

  • Navigate the UEBA dashboard to monitor user activities across data sources

  • View activity analytics and behavioral patterns

  • Configure anomaly detection and ransomware policies

  • Investigate security incidents and alerts

  • Take protective actions against identified threats

Overview

What is UEBA?

User and Entity Behavior Analytics (UEBA) is a security feature that tracks and analyzes user activities across your organization to detect anomalous behavior. By establishing baselines of normal user behavior using machine learning algorithms, UEBA identifies when users deviate from expected patterns, potentially indicating compromised accounts or insider threats.

UEBA monitors activities such as:

  • Read operations (file access and viewing)

  • Write operations (file creation and modification)

  • Download events

  • Delete operations

Getting Started

Accessing the UEBA Dashboard

Follow these steps to access UEBA analytics:

  1. Navigate to Datasources from the main menu

  2. Select a specific data source (e.g., lb-sharepoint)

  3. Scroll down to view the Aggregate Company Wide Activity section

The UEBA dashboard provides comprehensive activity monitoring:

Activity Metrics:

  • Total activities: Combined count of all user operations

  • Read operations: File access and viewing events

  • Write operations: File creation and modification activities

  • Downloads: File download events

  • Delete operations: File and folder deletion activities

  4. Use the filtering options to customize your view:

    a. Time Period Options:

      • Last 24 hours: Hourly breakdown showing recent patterns

      • Last one week: Daily activity trends across business days

      • Last one month: Long-term behavioral analysis

    b. Data Scope Selection:

      • All Data: Shows activities across all files (e.g., 1K total activities)

      • Sensitive Data: Filters to classified files only (e.g., 400 total activities)

Example: For the last 24 hours across all data:

  • Total: 1K activities

  • Read: 324 operations

  • Write: 684 operations

  • Download: 0 operations

  • Delete: 0 operations

To view detailed user activities:

  1. Click on any activity type (Read, Write, Download, or Delete) in the graph.

  2. This redirects to the Activity Log page.

  3. Review the detailed activity breakdown by user and timeframe.

The Activity Log provides three viewing modes:

  1. Hourly View

    • Time period (e.g., "6th August 6 PM to 7 PM")

    • User identification

    • Number of activities performed

    • Unique objects accessed

    • Event type breakdown

  2. Weekly View

    • Aggregated activities across weekly periods

    • Useful for identifying weekly patterns

  3. Monthly View

    • Long-term activity analysis

    • Helps establish normal behavioral patterns
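To make the Hourly View concrete, the following added example (not LightBeam's code, and not taken from this page) aggregates a constructed set of activity events into the same per-user hourly rows the Activity Log shows: number of activities, unique objects accessed, and an event-type breakdown. It also produces the dashboard-style company-wide totals. The event tuples, user names, and file names are constructed sample data; the event types are the four the page lists.

```python
from datetime import datetime

# The four activity types UEBA monitors (as listed on this page).
EVENT_TYPES = ("Read", "Write", "Download", "Delete")

# Constructed sample events (not real data): (ISO timestamp, user, event type, object).
SAMPLE_EVENTS = [
    ("2025-08-06T18:05:00", "Himanshu Shukla", "Read", "q3-forecast.xlsx"),
    ("2025-08-06T18:07:00", "Himanshu Shukla", "Write", "q3-forecast.xlsx"),
    ("2025-08-06T18:40:00", "Himanshu Shukla", "Read", "board-deck.pptx"),
    ("2025-08-06T18:55:00", "Jimmy Phipps", "Read", "paystub-11-788x1019.pdf"),
    ("2025-08-06T18:58:00", "Jimmy Phipps", "Download", "paystub-11-788x1019.pdf"),
    ("2025-08-06T19:02:00", "Jimmy Phipps", "Delete", "old-notes.txt"),
    ("2025-08-06T19:10:00", "Himanshu Shukla", "Read", "q3-forecast.xlsx"),
]


def hour_bucket(ts: str) -> str:
    """Truncate an ISO 8601 timestamp to its hour, e.g. '2025-08-06T18'."""
    return datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")


def hourly_view(events):
    """Build Activity Log 'Hourly View' rows keyed by (hour, user).

    Each row carries the activity count, the number of distinct objects
    touched, and a per-event-type breakdown.
    """
    buckets = {}
    for ts, user, etype, obj in events:
        if etype not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {etype}")
        key = (hour_bucket(ts), user)
        row = buckets.setdefault(
            key,
            {"activities": 0, "objects": set(), "by_type": {t: 0 for t in EVENT_TYPES}},
        )
        row["activities"] += 1
        row["objects"].add(obj)
        row["by_type"][etype] += 1
    # Replace the working set of objects with the count the UI displays.
    return {
        key: {
            "activities": row["activities"],
            "unique_objects": len(row["objects"]),
            "by_type": row["by_type"],
        }
        for key, row in buckets.items()
    }


def aggregate_totals(events):
    """Company-wide counters per event type plus the combined total."""
    totals = {t: 0 for t in EVENT_TYPES}
    for _, _, etype, _ in events:
        totals[etype] += 1
    totals["Total"] = sum(totals[t] for t in EVENT_TYPES)
    return totals


if __name__ == "__main__":
    for (hour, user), row in sorted(hourly_view(SAMPLE_EVENTS).items()):
        print(hour, user, row)
    print(aggregate_totals(SAMPLE_EVENTS))
```

Keying rows by (hour, user) is what lets the Download and Delete columns stand out per user: in the sample, one user's hour contains a download of a sensitive-looking file followed by a delete, which is exactly the kind of row a reviewer would open in the Hourly Detail popup.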

Investigating Individual Activities

To examine specific file-level activities:

  1. Click on any row in the Activity Log.

  2. The Hourly Detail popup displays:

    • Individual file names accessed

    • Number of sensitive attributes per file

    • Event types (Read/Write) for each operation

    • Exact timestamps and last modified dates

Example File-Level Detail:

Name: paystub-11-788x1019.pdf
Attributes: 2
Event Type: Write  
Date & Time: 15 Aug 2025, 11:27 PM
Last Modified: 08 Feb 2023, 07:14 AM

Accessing User Profiles

Navigate to individual user analytics through:

  1. From Activity Log: Click on any username in the activity table

    • Access the Activity Log under Governance

    • Select a user (e.g., "Himanshu Shukla") from the hourly activity list

    • This redirects to the user's detailed profile page

  2. From User Management:

    • Navigate to the data source (e.g., lb-sharepoint)

    • Click Governance in the left sidebar

    • Select Users

    • Browse the user list organized by departments

    • Click on any user name (e.g., "Jimmy Phipps") to access their profile

  3. From Alerts: Access user profiles directly from incident reports (covered in UEBA section)


Understanding Behavior Analytics

Each user profile displays a behavior analysis graph showing:

  • Dotted line: ML-predicted baseline activity (expected behavior)

  • Solid line: Actual user activity levels

  • Time periods: 24 hours, one week, or one month views

Analyzing Normal vs. Anomalous Behavior

Normal Behavior Patterns:

Example: Himanshu Shukla (24-hour view)

  • Total activities: 504

  • Breakdown: 151 Read, 353 Write, 0 Download, 0 Delete

  • Graph shows solid line tracking close to the dotted baseline (~260)

  • Consistent activity throughout business hours

  • Status: Normal behavior pattern

Identifying Anomalous Behavior

The one-month view for Jimmy Phipps reveals significant behavioral anomalies:

Baseline and Normal Activity Range:

  • The dotted horizontal line indicates the ML-predicted baseline at approximately 5,500 activities

  • Normal daily activity fluctuations typically range between 5,000-6,000 activities

  • The graph spans from July 14 to August 18, showing approximately 5 weeks of data

Detected Anomalies (marked with red circles):

  1. First Spike - July 21st:

    • Actual activities: ~8,500

    • Baseline: ~5,500

    • Deviation: +3,000 activities (55% increase above baseline)

    • This represents a significant departure from normal behavior

  2. Second Spike - August 11th:

    • Actual activities: ~7,000

    • Baseline: ~5,500

    • Deviation: +1,500 activities (27% increase above baseline)

    • While less extreme than the first spike, still notably anomalous

Pattern Analysis:

  • Both anomalies show sharp increases followed by immediate drops back to or below baseline

  • The activity on August 18th shows a dramatic decrease to near zero, which could indicate:

    • Account suspension

    • User vacation/absence

    • System intervention

Monthly Totals Breakdown:

  • Total: 16K activities

  • Read: 5.9K operations

  • Write: 9.9K operations

  • Download: 0

  • Delete: 0

This pattern suggests potential security concerns requiring investigation, as the spikes represent:

  • 55% and 27% increases above expected behavior

  • Concentrated bursts of activity rather than gradual increases

  • Unusual timing that doesn't align with typical business patterns

Such anomalies would typically trigger UEBA alerts for security team review to determine if the activity represents legitimate business needs or potential security threats.

Using Predictive Analysis

The UEBA module employs predictive analysis to forecast future activity and proactively detect threats by identifying deviations from established behavioral norms.

Activity Forecasting on the Dashboard

The Aggregate Company Wide Activity graph visualizes not only past and present activity but also forecasts future trends.

  • Prediction Bar: The system projects the expected volume of activity for a future period, displayed as a distinct, hatched bar labeled "Prediction".

  • Purpose: This provides administrators with a forward-looking view of anticipated user activity levels, helping to contextualize daily fluctuations.

Proactive Anomaly Detection

The system's core security function is to compare real-time user actions against the ML-generated baseline. When an activity significantly deviates from the predicted pattern, an alert is triggered for investigation.

Example: Anomaly Alert

  • Predicted Behavior: A user's baseline for hourly read operations is 88.

  • Anomalous Activity: The user performs 381 read operations within one hour, a deviation of over 300%.

  • Result: The system flags this as a significant anomaly and generates an incident. This deviation is visualized in the alert details, showing the actual activity (solid bar) spiking far above the predicted baseline (striped bar), prompting immediate review.
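The two anomaly discussions above (the Jimmy Phipps monthly spikes and the 381-versus-88 hourly read alert) both come down to one comparison: observed activity against a predicted baseline, expressed as a percent deviation. The following added example is not LightBeam's code and does not reproduce its ML model; it uses the baseline and observed figures quoted on this page to show how those percentages arise, and, as an assumed stand-in for the ML-predicted baseline, a rolling median over the previous seven days that is then walked over a constructed daily series. The 25% alert threshold, the `classify` and `scan_series` names, and the daily series are all assumptions made for the example. It goes slightly beyond the page by also labelling large drops (such as the near-zero day the page mentions) rather than only spikes.

```python
from statistics import median

# Observed and baseline figures quoted on this page, for illustration only.
PAGE_CASES = [
    # (label, observed, baseline)
    ("Jimmy Phipps, July 21 (daily)", 8500, 5500),
    ("Jimmy Phipps, August 11 (daily)", 7000, 5500),
    ("hourly read operations", 381, 88),
]

# Constructed daily series: normal days in the 5,000-6,000 band, one spike on
# index 10 and a near-zero day at the end (not real data).
SAMPLE_DAILY = [5200, 5600, 5400, 5800, 5500, 5300, 5700,
                5600, 5400, 5500, 8500, 5200, 5600, 40]


def percent_deviation(observed, baseline):
    """Percent change of observed relative to baseline; baseline must be positive."""
    if baseline <= 0:
        raise ValueError("baseline must be positive")
    return (observed - baseline) / baseline * 100


def classify(observed, baseline, threshold_pct=25.0):
    """Label an observation as 'spike', 'drop' or 'normal'.

    threshold_pct is an assumed parameter; the product's actual alerting
    threshold is not stated on the page. Returns (label, rounded percent).
    """
    pct = percent_deviation(observed, baseline)
    if pct > threshold_pct:
        label = "spike"
    elif pct < -threshold_pct:
        label = "drop"
    else:
        label = "normal"
    return label, round(pct)


def rolling_median_baseline(history, window=7):
    """Assumed stand-in for the ML-predicted baseline: median of the last `window` counts.

    A median is used rather than a mean so that one earlier spike does not
    drag the baseline up and hide the next one.
    """
    if len(history) < window:
        raise ValueError("not enough history to form a baseline")
    return median(history[-window:])


def scan_series(counts, window=7, threshold_pct=25.0):
    """Walk a daily series and return (index, observed, baseline, label, pct)
    for every day that is not 'normal' against its rolling baseline."""
    flagged = []
    for i in range(window, len(counts)):
        baseline = rolling_median_baseline(counts[:i], window)
        label, pct = classify(counts[i], baseline, threshold_pct)
        if label != "normal":
            flagged.append((i, counts[i], baseline, label, pct))
    return flagged


if __name__ == "__main__":
    for label, observed, baseline in PAGE_CASES:
        print(label, classify(observed, baseline))
    for hit in scan_series(SAMPLE_DAILY):
        print("flagged:", hit)
```

Run as a script, the page's three cases come out as 55%, 27% and 333% above baseline, matching the "55% increase", "27% increase" and "over 300%" figures in the text, and the scan of the constructed series flags the index-10 spike and the final near-zero day while leaving the ordinary 5,000-6,000 days alone. When tuning a real threshold, the drop case matters as much as the spike case: a sudden fall to near zero is the page's own signal for a suspended account or an absent user, and it deserves the same triage queue.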


About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers' trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications, providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting, ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world, helping customers automate compliance against a patchwork of existing and emerging regulations.

For any questions or suggestions, please get in touch with us at: [email protected].