Detection of user behavior deviation from defined user groups
Abstract:
A machine learning-based technique for user behavior analysis that detects when users deviate from expected behavior. In this approach, a set of user groups is provided, preferably based on information from a user registry. A set of training data for each of the user groups is then obtained, preferably by collecting security events generated for a collection of the users over a given time period (e.g., the last thirty (30) days). A machine learning system is then trained using the set of training data to produce a model that includes a set of clusters in a user behavior model, wherein a cluster is a learned user group that corresponds to a defined user group. Once the model is built, it is used to identify users that deviate from their expected group behavior. In particular, the system compares the current behavior of a user against the model and flags anomalous behavior. The user behavior analysis may be implemented in a security platform, such as a SIEM.
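The train-then-compare loop the abstract describes, as an added illustration that is not the patent's own implementation: each user's security events over the training window become an event-type frequency vector, one cluster (centroid plus the members' largest distance from it) is learned per registry-defined group, and a user's current behavior is flagged when it falls outside their own group's cluster. The registry, event types, sample events and the `slack` margin are constructed assumptions.

```python
from collections import Counter, defaultdict
from math import sqrt

# Constructed user registry: user -> defined user group.
REGISTRY = {"alice": "engineering", "bob": "engineering",
            "carol": "finance", "dave": "finance"}

# Constructed training events as (user, event_type) pairs, standing in for
# thirty days of security events collected by the platform.
TRAINING_EVENTS = (
    [("alice", "ssh_login")] * 20 + [("alice", "git_push")] * 15 + [("alice", "vpn_connect")] * 5
    + [("bob", "ssh_login")] * 18 + [("bob", "git_push")] * 12 + [("bob", "vpn_connect")] * 6
    + [("carol", "erp_access")] * 25 + [("carol", "fileshare_read")] * 10 + [("carol", "vpn_connect")] * 5
    + [("dave", "erp_access")] * 22 + [("dave", "fileshare_read")] * 14 + [("dave", "vpn_connect")] * 4
)

def behavior_vector(event_types, features):
    """Relative frequency of each known event type; unseen types only shrink the known shares."""
    counts = Counter(event_types)
    total = sum(counts.values()) or 1
    return [counts[f] / total for f in features]

def distance(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def train(registry, events):
    """Learn one cluster per defined group: the members' centroid and their largest distance from it."""
    features = sorted({e for _, e in events})
    per_user = defaultdict(list)
    for user, event in events:
        per_user[user].append(event)
    vectors = {u: behavior_vector(evs, features) for u, evs in per_user.items()}
    clusters = {}
    for group in set(registry.values()):
        members = [vectors[u] for u in vectors if registry[u] == group]
        centroid = [sum(col) / len(members) for col in zip(*members)]
        clusters[group] = {"centroid": centroid,
                           "radius": max(distance(v, centroid) for v in members)}
    return {"features": features, "clusters": clusters}

def score(model, registry, user, current_event_types, slack=0.1):
    """Compare a user's current behavior with their own group's cluster; flag it if it falls outside."""
    vec = behavior_vector(current_event_types, model["features"])
    own = model["clusters"][registry[user]]
    d_own = distance(vec, own["centroid"])
    nearest = min(model["clusters"], key=lambda g: distance(vec, model["clusters"][g]["centroid"]))
    return {"user": user, "distance": round(d_own, 3),
            "anomalous": d_own > own["radius"] + slack, "nearest_group": nearest}
```

Reporting the nearest learned group alongside the flag tells an analyst whether a deviation looks like drift toward another defined group (for example an engineer's account suddenly behaving like finance) or like behavior that matches no group at all.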