Open Source User Behavior Analytics

AI-Powered Anomaly Detection. Open Model Standard. SIEM Agnostic.
Discover and install community-driven detection models.

What's New in OpenUBA

A complete rewrite with enterprise-grade features for security operations, powered by modern AI and data engineering.

Role-Based Access Control

Fine-grained RBAC with permission-based navigation. Control who sees what across the entire platform.

LLM AI Agent

Built-in AI assistant powered by LLMs. Ask questions, get insights, and automate investigation workflows.

Rule Studio

Visual flow-graph rule builder for complex detection logic. Drag-and-drop nodes to create sophisticated alert rules.

Real-Time Alerts

Rules fire alerts in real time. Investigate, triage, and escalate anomalies as they happen.

K8s Model Orchestration

Kubernetes-native operator with custom CRDs. Ephemeral containers for model training and inference jobs.

Job Logging & Monitoring

Real-time training and inference job logs with GraphQL subscriptions. Monitor model performance live.

The OpenUBA Dashboard

A unified security operations interface for monitoring user behavior, managing data pipelines, and investigating anomalies at scale.

OpenUBA Dashboard — entity monitoring, risk scoring, data management, and anomaly detection

Entity Monitoring

Track 10,000+ users with real-time risk scoring and behavioral baselines across your entire organization.

Anomaly Detection

Surface high-risk users and anomalous behavior patterns automatically with ML-powered models.

Multi-Source Ingestion

Connect Spark, Elasticsearch, and CSV data sources. Monitor ingestion volumes and job status live.

Risk Trending

Visualize security risk over time with interactive charts. Spot escalations before they become incidents.

Job Orchestration

Run ingestion and model training jobs on demand. Track completion status, row counts, and failures.

Case Management

Investigate anomalies with built-in case workflows. Triage, escalate, and resolve from a single pane.

Open Model Standard

Every model follows a simple, standardized interface. A model.yaml for configuration and a MODEL.py with train() and infer() methods.

model.yaml
name: model_sklearn
version: 1.0.0
runtime: sklearn
description: Isolation Forest Anomaly Detection
parameters:
  contamination:
    type: float
    default: 0.1
  random_state:
    type: integer
    default: 42
MODEL.py
from typing import Any, Dict

import numpy as np
import pandas as pd
from sklearn.ensemble import IsolationForest


class Model:
    def train(self, ctx) -> Dict[str, Any]:
        # Fit on the numeric columns of the context dataframe; 0.1 matches
        # the contamination default declared in model.yaml.
        X = ctx.df.select_dtypes(include=[np.number]).values
        self.model = IsolationForest(contamination=0.1)
        self.model.fit(X)
        return {"status": "success", "n_samples": len(X)}

    def infer(self, ctx) -> pd.DataFrame:
        # Same feature selection as train(); -1 marks an anomaly, 1 an inlier,
        # and lower decision_function values mean more anomalous.
        X = ctx.df.select_dtypes(include=[np.number]).values
        predictions = self.model.predict(X)
        scores = self.model.decision_function(X)
        return pd.DataFrame({"prediction": predictions, "score": scores})

Model Library

Browse community-driven anomaly detection models. Install them like packages — each model follows the Open Model Standard.

basic_model

v1.0.0

Basic model demonstrating Spark, Elasticsearch, and local CSV data adapters. Supports both v1 (execute) and v2 (train/infer) interfaces for backward compatibility.

Python, data-adapter, spark

model_1

v0.1.0

Mock model for testing the V2 model interface. Simulates training with 95% accuracy and generates sample inference results. Great reference implementation for building new models.

Python, mock, testing

model_sklearn

v1.0.0

Isolation Forest anomaly detection using scikit-learn. Identifies statistical outliers using tree-based ensemble methods. Returns risk scores on a 0-100 scale with anomaly classifications.

scikit-learn, isolation-forest, anomaly-detection

model_tensorflow

v1.0.0

TensorFlow Dense Autoencoder for reconstruction-error-based anomaly detection. Uses a symmetric encoder-decoder architecture with MSE loss to identify anomalous patterns in numeric data.

TensorFlow, autoencoder, deep-learning

model_pytorch

v1.0.0

PyTorch Autoencoder for reconstruction-error-based anomaly detection. Uses an encoder-decoder architecture with ReLU activations and MSE loss, trained with Adam optimizer.

PyTorch, autoencoder, deep-learning

model_keras

v1.0.0

LSTM Autoencoder for sequential and temporal anomaly detection. Uses Keras LSTM layers with RepeatVector architecture, treating features as time steps for sequence reconstruction.

Keras, lstm, autoencoder

model_networkx

v1.0.0

Graph-based anomaly detection using NetworkX. Constructs graphs from entity relationships and uses PageRank centrality to identify anomalous nodes with high connectivity or influence.

NetworkX, graph-analysis, pagerank

How It Works

From raw data to actionable intelligence — OpenUBA handles the full detection pipeline.

Step 1

Ingest

Connect to Elasticsearch, Spark, or CSV data sources

Step 2

Analyze

Run anomaly detection models on K8s

Step 3

Score

Generate risk scores and classifications

Step 4

Act

Visualize, alert, and investigate in the dashboard
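The four steps above, carried end to end with a model written to the Open Model Standard shape shown earlier (train(ctx) returns a status dict, infer(ctx) returns a DataFrame, ctx.df holds the features). This is an added example, not OpenUBA's own code. The Context class and its params dict, the helper names ingest/act/run_pipeline, the event log, and the scoring rule (the worst single-feature deviation, with a z of 8 mapping to a risk score of 100 and 50 as the anomaly cut) are all assumptions made for illustration. The detector is a robust z-score against a median/MAD baseline rather than the Isolation Forest or autoencoders in the model library, chosen so the example runs with only numpy and pandas installed.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List

import numpy as np
import pandas as pd


@dataclass
class Context:
    """Assumed shape of the ctx OpenUBA passes to train()/infer(). The page only
    shows ctx.df; the params dict (model.yaml parameters at run time) is an
    assumption made for this example."""
    df: pd.DataFrame
    params: Dict[str, Any] = field(default_factory=dict)


def constructed_events() -> pd.DataFrame:
    """Constructed event log (user, event, bytes_out), standing in for a CSV
    source. Five baseline users behave alike; 'mallory' logs in far more often,
    fails often and moves far more data."""
    baseline = {"alice": (10, 0, 100.0), "bob": (12, 1, 120.0),
                "carol": (11, 0, 110.0), "dave": (9, 1, 90.0), "erin": (13, 0, 130.0)}
    rows: List[tuple] = []
    for user, (ok, failed, total_bytes) in baseline.items():
        rows += [(user, "login_ok", total_bytes / ok)] * ok
        rows += [(user, "login_fail", 0.0)] * failed
    rows += [("mallory", "login_ok", 60.0)] * 50 + [("mallory", "login_fail", 0.0)] * 20
    return pd.DataFrame(rows, columns=["user", "event", "bytes_out"])


def ingest(events: pd.DataFrame) -> pd.DataFrame:
    """Step 1 (Ingest): aggregate raw events into one feature row per entity."""
    return events.groupby("user").agg(
        logins=("event", lambda s: int((s == "login_ok").sum())),
        failed_logins=("event", lambda s: int((s == "login_fail").sum())),
        bytes_out=("bytes_out", "sum"),
    ).reset_index()


class Model:
    """Open Model Standard shape: train(ctx) -> status dict, infer(ctx) -> DataFrame.
    The detector is a robust z-score against a median/MAD baseline, a dependency-free
    substitute for the page's Isolation Forest and autoencoder models."""

    def train(self, ctx: Context) -> Dict[str, Any]:
        X = ctx.df.select_dtypes(include=[np.number])
        self.features = list(X.columns)
        self.center = X.median()
        # MAD scaled to be comparable with a standard deviation; a constant feature
        # gets scale 1.0 so a later deviation still yields a finite z.
        mad = (X - self.center).abs().median() * 1.4826
        self.scale = mad.where(mad > 0, 1.0)
        return {"status": "success", "n_samples": len(X), "features": self.features}

    def infer(self, ctx: Context) -> pd.DataFrame:
        z = ((ctx.df[self.features] - self.center) / self.scale).abs()
        # Step 3 (Score): the single worst feature drives the 0-100 risk score;
        # z == z_at_100 maps to 100, anomaly_threshold is the classification cut.
        z_at_100 = ctx.params.get("z_at_100", 8.0)
        threshold = ctx.params.get("anomaly_threshold", 50.0)
        risk = (z.max(axis=1) / z_at_100 * 100.0).clip(0.0, 100.0)
        return pd.DataFrame({
            "entity": ctx.df[ctx.params.get("entity_column", "user")].values,
            "risk_score": risk.round(1).values,
            "top_feature": z.idxmax(axis=1).values,
            "is_anomaly": (risk >= threshold).values,
        })


def act(scored: pd.DataFrame, severity_high: float = 90.0) -> List[Dict[str, Any]]:
    """Step 4 (Act): turn flagged entities into alert records an analyst can triage."""
    alerts = []
    for row in scored[scored["is_anomaly"]].itertuples(index=False):
        alerts.append({
            "entity": row.entity,
            "severity": "high" if row.risk_score >= severity_high else "medium",
            "risk_score": float(row.risk_score),
            "reason": f"{row.top_feature} far from the population baseline",
        })
    return alerts


def run_pipeline() -> Dict[str, Any]:
    """Ingest -> Analyze (train) -> Score (infer) -> Act, on the constructed data."""
    features = ingest(constructed_events())
    ctx = Context(df=features, params={"entity_column": "user"})
    model = Model()
    train_info = model.train(ctx)   # Step 2 (Analyze): fit the baseline
    scored = model.infer(ctx)       # Step 3 (Score)
    return {"train": train_info, "scored": scored, "alerts": act(scored)}


if __name__ == "__main__":
    result = run_pipeline()
    print(result["scored"].to_string(index=False))
    for alert in result["alerts"]:
        print(alert)
```

Two points worth noting when adapting this. The baseline is fitted on data that already contains the compromised account; median and MAD are resistant to that, whereas a mean/standard-deviation baseline would be pulled toward the attacker and raise the bar for everyone else. And because training and inference run as separate jobs in the platform described above, a real model must persist whatever train() learned (here center, scale and features) and reload it in infer(), rather than relying on the same object living across both calls as this single-process example does.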

Join the Community

OpenUBA is fully open source. Contribute your own detection models, improve existing ones, or build integrations. Every PR makes the security community stronger.