User Entity Behavior Analytics (UEBA)

Exabeam’s behavior-based security intelligence uses advanced machine learning techniques to detect and assess risky activity on your network. Exabeam connects user activities across multiple accounts, devices, and IP addresses to create a coherent timeline. Then, Exabeam UEBA presents risky user profiles to your analysts so that they can respond to incidents quickly, with a full understanding of what happened and which systems were affected.


  • STATEFUL USER TRACKING: Stateful User Tracking automatically stitches together users’ activities into a distinctive session data model as they use different account credentials, change devices, and appear under different IP addresses.
  • ADVANCED DATA SCIENCE: Exabeam flags risky activity using advanced statistical analysis with baseline profiling for deviation measurement. Analysis is based on categorical data, numerical data, and contextual information.
  • THREAT HUNTING: Threat Hunter is an Exabeam security intelligence query tool that uses Stateful User Tracking session data models to complement user behavior analysis.


  • INSIDER THREATS: Insider threats come from employees and contractors using their access rights to steal confidential data. Exabeam first creates behavioral baselines for every user to determine normal access. Then, we also compare each user to peers and monitor shared and privileged accounts.
  • USER AND ENTITY BEHAVIOR ANALYTICS: Many breaches use valid, but stolen, credentials, which a hacker uses to impersonate an employee and gain access to sensitive data. Exabeam uses a variety of techniques, driven by per-user baselines, to determine when an account is exhibiting unusual and risky behavior.
  • ACCOUNT LOCKOUTS: Locked-out accounts provide a strong signal of compromised accounts.
  • RANSOMWARE: Exabeam applies behavioral analytics to system processes to detect anomalous behavior, no signatures required. It also applies research-driven knowledge of ransomware file extensions, names, etc. to determine whether unusual process behavior matches the activity of similar malware.
  • CLOUD ANALYTICS: Exabeam accepts log data directly from cloud services, such as Salesforce.com event log files; web proxies that track cloud access, such as SonicWALL; and from cloud security brokers, such as Skyhigh Networks, that control access to multiple cloud services.
  • DATA LOSS PREVENTION: Exabeam integrates with data loss prevention (DLP) products from McAfee, Symantec, and others to provide risk context around sensitive data.
  • PRIVILEGED ACCOUNT MONITORING: Exabeam uses special analytics for privileged and shared accounts and can flag unusual behavior within both types.