github.com/GACWR/OpenUBA

A robust and flexible open source User & Entity Behavior Analytics (UEBA) framework used for Security Analytics. Developed with luv by Data Scientists & Security Analysts from the Cyber Security Industry. [BETA]


Contributors: 4
Lines of Code: 2,222
From: 2019-09-24
To: 2020-05-25

About GACWR/OpenUBA

OpenUBA is an open-source User and Entity Behavior Analytics (UEBA) framework designed for security analytics and threat detection. Built by data scientists and security analysts from the cybersecurity industry, it takes a transparent "open-model" approach where all detection logic is inspectable and auditable, contrasting with proprietary black-box platforms. The system detects anomalies and security threats by analyzing user and entity behavior patterns across networks.

The platform is architected as a Kubernetes-native application with a modular, containerized design. It features a Next.js frontend dashboard with real-time GraphQL subscriptions, a FastAPI backend for model orchestration and rule execution, PostgreSQL for persistent data, Elasticsearch for search and analytics, and Apache Spark for distributed computing. The core innovation is its ephemeral execution model—training and inference jobs run as isolated, temporary Kubernetes Jobs using framework-specific Docker images for scikit-learn, PyTorch, TensorFlow, and NetworkX, rather than maintaining long-running services. This provides security, isolation, and scalability while keeping infrastructure minimal.
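The ephemeral execution model described above, as an added illustration and not a manifest taken from the OpenUBA repository: one isolated, time-limited Kubernetes Job for a single training run, carrying the settings that actually deliver the isolation the paragraph credits to this model (non-root, dropped capabilities, read-only root filesystem, no API token, bounded run time and automatic cleanup). The job name, namespace, service account name, image reference and container entrypoint are assumptions chosen for the example.

```yaml
# Added example of one ephemeral training Job; not OpenUBA's own manifest.
# Names, namespace, service account, image and args are assumptions.
apiVersion: batch/v1
kind: Job
metadata:
  name: openuba-train-example        # assumed job name
  namespace: openuba                 # assumed namespace
spec:
  ttlSecondsAfterFinished: 600       # garbage-collect the Job and its Pod after it finishes
  backoffLimit: 2                    # a failing run is retried at most twice, not forever
  activeDeadlineSeconds: 3600        # hard cap on wall-clock run time
  template:
    spec:
      restartPolicy: Never
      serviceAccountName: model-runner     # assumed SA; bind it no RBAC beyond what the job needs
      automountServiceAccountToken: false  # the job never talks to the Kubernetes API
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: train
          # placeholder image reference; pin a real image by digest, not by tag
          image: example.invalid/openuba/sklearn-runner:placeholder
          args: ["python", "-m", "runner", "--model", "login-anomaly"]  # assumed entrypoint
          resources:
            requests: {cpu: "500m", memory: "1Gi"}
            limits: {cpu: "2", memory: "4Gi"}
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: scratch
              mountPath: /tmp            # the only writable path the training code gets
      volumes:
        - name: scratch
          emptyDir: {}                   # discarded with the Pod
```

The isolation benefit of short-lived Jobs holds only if each Job is constrained like this: a Job that runs as root with a mounted API token and no resource limits is no safer than a long-running service, just shorter-lived. Apply the same template to inference Jobs and to each framework image (scikit-learn, PyTorch, TensorFlow, NetworkX), and enforce it cluster-wide with Pod Security admission so an individual model cannot opt out.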

Notable capabilities include a visual rule canvas for building detection logic without code, a community model marketplace where analysts can discover and install ready-made security models, managed JupyterLab workspaces for data scientists, and a Python SDK for programmatic access. The system supports role-based access control, case management, alert generation, and integration with multiple LLM providers for contextual analysis. It is designed to remain lightweight and flexible, requiring only Docker, Kubernetes, Node.js, and Python to run, and includes comprehensive development tooling via Make commands for local testing and deployment.
