There's no strict requirements except ability to detect unusual behavior and most of rules are not too complicated in myvision .
The lookups will be limited by hundreds or several thousands rows with max, avg, stdev mode etc values for several fields and some of values option for another 1 or 2 by a particular factor or group (e.g. max(date_hour) avg(date_hour) mode(action) sum(action) ... by user, file). And having this it's pretty fast to evaluate the deviations OR search NOT comparisons.
So beyond the fastness of summary indexes is there any benefits? Like I'm afraid the apporach with lookups may not provide the ability to use commands for anomaly detection and predictions in full scope, however it's not a super big data scopes.

I've never seems UBA case where 2 years of data was anything but HUGE data. But again, you should wait until you have the full requirements, understand exactly what you'll be correlating with, and then decide how to proceed. You're just wasting cycles currently.

Sorry for my persistence and probably incomplete explanation, but here's exact example - detect if the user connects on unusual time and downloads more data than usual (exceeds avg*2 or max count per hour).
I have csv list #1 with user avg_count_per_hour max_count_per hour, csv list #2 with user values(work_hours). The search correlates current result for last hour with these 2 csv.
And there's not much of cases like this each with 2 or 3 conditions. The count of events is approx 1mln per month (hundreds of mb).
Does it make sense to turn on accelearations or summaries?

24mln events (2 years * 1mln/month) isn't very much. You probably don't even need accelerations or summaries if you built according to Splunk recommended hardware specs.

I'd create a report for each of your use cases and if they run slow, accelerate them.

OK, I'll follow your recommendations, thank you!