UEBA applies machine learning to baseline normal user/device behavior — detecting anomalies like impossible travel, unusual data access patterns, and insider threats that signature-based tools miss.
UEBA excels at detecting insider threats and compromised accounts (normal credentials, abnormal behavior). It requires significant data history to establish baselines and is often integrated into SIEM platforms (Splunk UBA, Microsoft Sentinel).
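The per-user baselining described above, as an added example that is not from the original page or from any vendor's product: each user's daily data-access volume is scored against that user's own history, and scoring is refused until enough history exists. The record layout, thresholds and sample data are constructed assumptions, and a median/MAD score stands in for the machine-learning models the page mentions.

```python
"""Per-user baseline scoring of daily data-access volume (added example)."""
from collections import defaultdict
from statistics import median

MIN_HISTORY_DAYS = 14  # assumed minimum history before a baseline is trusted
THRESHOLD = 3.5        # assumed cutoff on the modified z-score


def build_baselines(events):
    """Group (user, day, mb_read) records into per-user lists of daily volumes."""
    history = defaultdict(list)
    for user, _day, mb_read in events:
        history[user].append(mb_read)
    return history


def score(history, user, mb_read):
    """Return (verdict, z) for a new daily volume against the user's own baseline."""
    past = history.get(user, [])
    if len(past) < MIN_HISTORY_DAYS:
        # Too little data: any verdict here would be noise, so say so explicitly.
        return "insufficient_history", None
    med = median(past)
    mad = median(abs(x - med) for x in past)
    # 0.6745 makes MAD comparable to a standard deviation; the 1 MB floor
    # (an assumption) avoids dividing by zero on a perfectly flat history.
    z = 0.6745 * (mb_read - med) / max(mad, 1.0)
    # One-sided: only unusually HIGH access volume is flagged.
    return ("anomalous" if z > THRESHOLD else "normal"), round(z, 2)


# Constructed sample data: 20 days for alice and bob, 3 days for new hire carol.
ALICE = [40, 55, 48, 60, 52, 45, 50, 58, 47, 53] * 2
BOB = [3800, 4200, 3900, 4100, 4000, 4300, 3700, 4050, 3950, 4150] * 2
SAMPLE = (
    [("alice", d, mb) for d, mb in enumerate(ALICE)]
    + [("bob", d, mb) for d, mb in enumerate(BOB)]
    + [("carol", d, mb) for d, mb in enumerate([30, 35, 32])]
)

if __name__ == "__main__":
    hist = build_baselines(SAMPLE)
    # The same 4000 MB day is judged differently for each account.
    for user in ("alice", "bob", "carol"):
        print(user, score(hist, user, 4000))
```

The same 4000 MB read is anomalous for alice, routine for bob, and unscored for carol, which is why a fixed signature or global threshold cannot express this check.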