Traditional information security methods, such as access control and firewalls, cannot always provide effective protection against internal threats. Analysis of user behavior allows us to identify anomalous actions that may indicate an attempt to gain unauthorized access to information or commit other illegal actions. The most common sign about suspicious user behavior is changing system usage patterns, atypical data queries, an attempt to access unallowed resources, sudden change in workload, etc. Various methods can be used to analyze user behavior, such as collection and analysis of data about user actions in the system and application of machine learning methods to identify anomalous patterns. All these methods analyze the behavior of individual users relative to their usual behavior. Such an analysis may be inaccurate if it is determined that the user regularly makes unauthorized use of information systems. This paper proposes grouping users according to their behavior patterns and analyze the behavior of each individual user against the behavior that is expected for the group. Then, by excluding user behavior data from the group's expected behavior pattern, the behavior pattern of the individual user can be analyzed against the behavior of the remained users in the group. The novelty consists in obtaining more precise behavioral analyzes by introducing the concept of subgroups (groups consisting of the users remaining after the extraction of the respective user, which is analyzed against expected behavior model of its group).