Are user and entity behaviour anomalies (UEBA) monitored?
Demonstrate that the organization continuously monitors and analyzes user and entity behavior to detect and alert on anomalies indicative of credential compromise, insider threats, privilege abuse, or advanced persistent threats.
Description
What this control does
User and Entity Behavior Analytics (UEBA) monitoring establishes baselines of normal behavior for users, devices, and applications, then detects statistical anomalies that may indicate compromised credentials, insider threats, lateral movement, or privilege abuse. UEBA systems correlate behavioral signals—such as abnormal login times, unusual data access patterns, geographic impossibilities, or deviations in application usage—across identity and asset contexts. This control enables detection of threats that bypass traditional signature-based defenses by identifying behavior that is unusual for a given entity, even when individual actions appear benign.
Control objective
What auditing this proves
Demonstrate that the organization continuously monitors and analyzes user and entity behavior to detect and alert on anomalies indicative of credential compromise, insider threats, privilege abuse, or advanced persistent threats.
Associated risks
Risks this control addresses
- Compromised credentials used to access sensitive systems without detection due to absence of behavioral analysis
- Insider threats exfiltrating data through legitimate access channels that evade rule-based monitoring
- Lateral movement by attackers undetected after initial foothold because activity appears authorized
- Privilege escalation and abuse by legitimate users performing anomalous administrative actions
- Account takeover through credential stuffing or phishing remaining undetected until significant damage occurs
- Advanced persistent threats establishing persistence through low-and-slow techniques invisible to signature-based tools
- Data exfiltration via authorized users accessing unusual volumes or categories of data outside normal patterns
Testing procedure
How an auditor verifies this control
- Obtain the inventory of UEBA tools, platforms, or services deployed, including vendor names, versions, and deployment architecture (on-premises, SaaS, hybrid).
- Review UEBA configuration settings to confirm data sources integrated (authentication logs, directory services, endpoint telemetry, cloud application logs, network flows, DLP events).
- Examine the baseline period and statistical models applied to establish normal behavior for users, devices, service accounts, and applications.
- Select a sample of five diverse user accounts (privileged administrator, standard employee, service account, contractor, executive) and review their behavioral profiles, including established baselines and recent anomaly scores.
- Review alert definitions, thresholds, and risk scoring methodologies used to trigger notifications when anomalous behavior is detected.
- Examine security incident records from the past six months and identify cases where UEBA alerts led to investigation, including analyst workflow and remediation actions taken.
- Test UEBA alerting by simulating anomalous scenarios (off-hours access by test account, access from new geographic location, unusual data volume access) and verify alert generation and analyst notification.
- Review tuning and false-positive reduction activities, including documented adjustments to models, whitelisting of known-good anomalies, and feedback loops from security analysts.
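The baselining and anomaly scoring described under "What this control does", and the three simulated scenarios in the testing procedure (off-hours access, new geographic location, unusual data volume), as an added worked example that is not part of this control text or any vendor's UEBA product. It assumes a constructed event stream of (user, timestamp, country, bytes accessed) tuples, builds a per-user profile, and scores new events; it also adds an impossible-travel check for two countries within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed baseline: a month of business-hours access for one user,
# always from the same country, with a stable data volume (bytes).
HISTORY = [
    ("alice", f"2024-03-{day:02d}T{hour:02d}:00:00", "US",
     50_000_000 + 1_000_000 * (hour % 3))
    for day in range(1, 29) for hour in (9, 11, 14, 16)
]

def build_baselines(events, min_events=20):
    """Per-user profile: active hours, seen countries, mean/stddev of volume."""
    per_user = defaultdict(list)
    for user, ts, country, nbytes in events:
        per_user[user].append((datetime.fromisoformat(ts), country, nbytes))
    baselines = {}
    for user, rows in per_user.items():
        if len(rows) < min_events:  # too few observations to score reliably
            continue
        volumes = [b for _, _, b in rows]
        baselines[user] = {
            "hours": {t.hour for t, _, _ in rows},
            "countries": {c for _, c, _ in rows},
            "mean": mean(volumes),
            "std": pstdev(volumes) or 1.0,  # constant volume: avoid divide by zero
            "last": max(rows),              # most recent (time, country, bytes)
        }
    return baselines

def score_event(baselines, user, ts, country, nbytes, z_threshold=3.0):
    """Return (anomaly score, reasons) for one event against the user's baseline."""
    profile = baselines.get(user)
    if profile is None:
        return 0, ["no baseline: unscored"]  # surfaced for analyst review, not alerted
    t = datetime.fromisoformat(ts)
    reasons = []
    if t.hour not in profile["hours"]:
        reasons.append("off-hours access")
    if country not in profile["countries"]:
        reasons.append("new geographic location")
    last_t, last_country, _ = profile["last"]
    if country != last_country and abs(t - last_t) < timedelta(hours=2):
        reasons.append("impossible travel")
    z = (nbytes - profile["mean"]) / profile["std"]
    if z > z_threshold:
        reasons.append(f"data volume z-score {z:.1f}")
    return len(reasons), reasons
```

Each reason maps to one of the alert definitions an auditor would expect to see documented; the score is a simple count, whereas a production system would weight and decay these signals over time.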