At their core, UEBA solutions aim to identify patterns in data, whether from real-time streams or historical datasets.
- Commercial UEBA tools keep their proprietary models and the ML pipelines embedded in their products closed. Yet access to those models is what lets an analyst see which patterns a detection actually relies on and tune the anomaly detection process accordingly.
- Open-source UEBA tools give users full access to these models, so the pattern extraction can be reproduced, inspected, and refined for more effective anomaly detection.
Open source UEBA tools
After reviewing the documentation of each open-source UEBA framework or tool, I listed the leading open-source behavior analytics technologies that provide standard SIEM-like capabilities (e.g., alerting, mapping of detections to the MITRE ATT&CK knowledge base, API-based ingestion from data sources).
Based on whether they offer built-in UEBA features, I categorized these tools into:
- Core UEBA tools: OpenUBA and Graylog
- Complementary UEBA tools: Wazuh, Apache Metron, HELK, and Apache Spot
Core UEBA tools: OpenUBA and Graylog
Core UEBA tools provide a repository of ready-to-use models, such as machine learning and behavioral profiling models, to identify and analyze anomalous user and entity behaviors.
These tools collect logs from various sources, store them in databases, and integrate with the Elastic Stack (Elasticsearch, Kibana, Logstash) for further processing and analysis.
At a glance:
- OpenUBA ingests logs from servers via third-party log-ingestion agents. Once ingested, the logs can be analyzed for abnormal behavior with built-in machine learning or behavioral profiling models. It can also integrate with TensorFlow, Keras, scikit-learn, and Elasticsearch for analytics and visualization. The project is still in its early development stages (pre-alpha).
- Graylog collects logs from servers through third-party collectors (e.g., Filebeat, Winlogbeat, NXLog); its lightweight Graylog Sidecar manages the configuration of those collectors from a central location. Once the logs are ingested, machine learning-based anomaly detection is available through the Graylog interface. Note that this anomaly detection is licensed as part of Graylog's commercial Security/Operations editions rather than Graylog Open, so check which edition you are deploying before relying on it.
Complementary UEBA tools: Wazuh, Apache Metron, HELK, and Apache Spot
Complementary UEBA tools detect user and entity anomalies through monitoring and data analytics rather than through a dedicated library of UEBA models. By pairing big data technologies like Apache Spark with engines such as Elasticsearch, they enable centralized log analysis and anomaly detection.
In addition to anomaly detection, tools like Wazuh, Apache Metron, HELK, and Apache Spot offer features for SOC analysts, including:
- Packet capture indexing and replay utilities (in Apache Metron) for testing and debugging network and firewall behavior.
- Telemetry pipelines for metrics, logs, and traces (e.g., fed by OpenTelemetry-style collectors), which matter when monitoring complex environments.
At a glance:
- Wazuh monitors telemetry from its agents, including metrics, logs, and traces, and that monitoring capability can be used for threat detection.
- Apache Metron provides real-time insight into security telemetry by ingesting large datasets and applying behavioral analytics on big data platforms such as Apache Kafka, Hadoop, and Apache Storm.
- HELK provides threat hunting on top of the ELK stack, Apache Spark, and an interactive SQL interface for real-time data analysis.
- Apache Spot complements the other tools with insight into network traffic anomalies that indicate suspicious user behavior or entity activity.
Compare free and open source UEBA tools
Agent-based log ingestion
Tool | Built-in agent-based log ingestion | Best for |
---|---|---|
OpenUBA | ❌ | Security analysts, data scientists |
Graylog | ❌ | Small-to-medium organizations needing SIEM |
Wazuh | ✅ | Enterprises needing XDR + SIEM |
Apache Metron | ✅ | Large organizations needing a scalable SIEM |
HELK | ❌ | Small-to-medium organizations needing custom threat hunting |
Apache Spot | ❌ | Enterprises focusing on network security |
❌: Requires third-party agent integrations.
Built-in agent-based log ingestion allows a platform to collect log data directly from endpoints, servers, or devices using its own agents, without third-party tools, for centralized analysis and monitoring.
Pre-defined response actions and custom playbook patterns
The listed tools offer SOAR integrations (via API/custom integrations) to trigger workflows like sending alerts, creating tickets, or responding to incidents based on detected anomalies. Graylog and Wazuh provide pre-defined response actions, enabling workflow automation without the need for SOAR integrations.
Tool | Pre-defined response actions | Custom playbook patterns |
---|---|---|
OpenUBA | ❌ – Requires integration for automated response (typically SOAR) | Simple model configuration workflow |
Graylog | ✅ | ✅ |
Wazuh | ✅ – With the Active Response module | ✅ |
Apache Metron | ❌ – Requires integration for automated response (typically SOAR) | ✅ |
HELK | ❌ – Requires integration for automated response (typically SOAR) | ❌ |
Apache Spot | ❌ – Requires integration for automated response (typically SOAR) | ❌ |
- Pre-defined response actions trigger automatically based on log data, enabling proactive threat detection and actions like alerting, blocking IPs, or quarantining systems.
- Custom playbook patterns allow security operators to trigger tailored responses, such as alerting teams or blocking access, when suspicious behavior is detected.
Security maintenance
Tool | Security maintenance |
---|---|
OpenUBA | ❌ No direct maintenance; community updates |
Wazuh | ✅ – Enterprise security maintenance |
Graylog | ✅ – Enterprise security maintenance |
Apache Metron | ❌ No direct maintenance; community updates |
Apache Spot | ❌ No direct maintenance; community updates |
HELK | ❌ No direct maintenance; community updates |
Enterprise security maintenance keeps the log collection pipeline itself secure by ensuring that:
- there is centralized control and oversight of the deployment,
- logging configurations stay consistent across hosts, and
- the collection tools receive regular updates and patches, so that known vulnerabilities in the collectors and managers themselves are not exploited.
Note that Apache Metron was retired to the Apache Attic in 2020 and Apache Spot's incubation has likewise been retired, so neither project receives security fixes; treat them as reference architectures to learn from rather than products to deploy as-is.
Out-of-the-box integrations
Tool | Out-of-the-box integrations |
---|---|
OpenUBA | ❌ |
Graylog | ✅ Limited – only with cloud solutions and common enterprise applications |
Wazuh | ✅ Extensive |
Apache Metron | ✅ Limited |
HELK | ✅ Limited |
Apache Spot | ❌ |
OpenUBA
OpenUBA is a SIEM-agnostic UEBA framework that is used for security analytics. It operates independently of your SIEM and can pull data from data stores.
OpenUBA utilizes Spark and Elasticsearch engines to handle data processing and ingest data from multiple sources, all at scale.
Additionally, OpenUBA features a Model Library/Registry, similar to Docker Hub. This allows developers and security analysts to search a model repository and collaborate by sharing their models with the ecosystem.

Graylog
Graylog combines SIEM, UEBA, and anomaly detection capabilities in one platform for detecting and mitigating security threats. A Graylog Server deployment consists of:
- The Graylog application itself, which accepts logs from its configured inputs, processes them, and writes them to the search backend.
- An Elasticsearch or OpenSearch cluster, which indexes and stores the log messages.
- MongoDB, which holds configuration data such as user accounts, streams, and saved searches rather than log data.
The solution includes over 50 pre-built security scenarios based on the MITRE ATT&CK framework and real-world adversary behavior, which help security teams detect user and entity anomalies.3
Graylog provides out-of-the-box integrations with cloud solutions such as Office 365, Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS), and with common enterprise applications such as Okta, Palo Alto Networks, F5, CrowdStrike, and Salesforce.

Wazuh
Wazuh is a unified XDR and SIEM solution. It can help secure workloads in on-premises, virtualized, containerized, and cloud environments. Wazuh leverages an endpoint security agent placed on the monitored systems (e.g. servers, computers) that gathers and analyzes data.
The platform employs a broad-spectrum approach to detecting anomalous patterns that indicate potential intruders. Wazuh's Rootcheck module looks for rootkit behavior on monitored endpoints (hidden processes, ports, and files, found by cross-checking system call results against /proc and similar views of the system) and for known rootkit and trojan signatures, and raises an alert when it finds an anomaly.
Wazuh integrates with the Elastic Stack and, in current releases, ships its own OpenSearch-based Wazuh indexer and dashboard, providing an open source search engine and data visualization tool for navigating security alerts.
Figure: Visualizing Google Cloud events on the Wazuh dashboard. Source: Wazuh4
Key features:
- Intrusion detection: Wazuh detects malware, rootkits, and hidden files on monitored systems, and analyzes log data for indicators of compromise using a signature-based (rule) approach. For more see: IPS tools.
- Log data analysis: Wazuh reads operating system and application logs and forwards them to a central manager for rule-based analysis.
- File integrity monitoring: Wazuh monitors file systems for changes in content, permissions, ownership, and attributes. It tracks user and application actions, ensuring compliance with standards like PCI DSS.
- Incident response: Wazuh offers Active Response, which runs out-of-the-box or custom actions such as blocking a source address at the host firewall when a rule fires, and lets analysts run system queries to identify indicators of compromise (IOCs).
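The incident-response bullet above refers to Wazuh Active Response. The following is an added example, not Wazuh's own code: a custom active-response script that speaks the stdin/stdout JSON protocol Wazuh 4.x execd uses for custom scripts, as documented by Wazuh (verify the message layout against the version you run). Instead of calling iptables as the stock firewall-drop script does, it records the source address in a denylist so that the decision flow (the check_keys handshake, the continue/abort answer, and the timeout-driven delete) can be tested offline. The alert contents, rule id, script name, and denylist path are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Added example, not Wazuh's own code: a custom Active Response script that
speaks the stdin/stdout JSON protocol Wazuh 4.x execd uses for custom scripts
(as documented by Wazuh; verify the layout against the version you run).
Instead of calling iptables like the stock firewall-drop script, it keeps a
denylist set so the decision flow can be exercised offline. The alert
contents, rule id, script name and denylist path are constructed."""
import json
import sys

ADD, DELETE, CONTINUE = "add", "delete", "continue"
SCRIPT_NAME = "denylist-srcip.py"               # assumed install name
DENYLIST_PATH = "/var/ossec/etc/denylist.txt"   # assumed location of the persisted set


def sample_message(command, srcip):
    """Constructed execd message of the documented shape (alert abridged)."""
    data = {"srcip": srcip} if srcip else {}
    return json.dumps({
        "version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
        "command": command,
        "parameters": {"extra_args": [],
                       "program": "/var/ossec/active-response/bin/" + SCRIPT_NAME,
                       "alert": {"rule": {"id": "100100", "level": 10},
                                 "data": data}}})


def parse_message(line):
    """Decode one protocol message; None for anything malformed."""
    try:
        msg = json.loads(line)
    except (json.JSONDecodeError, TypeError):
        return None
    return msg if isinstance(msg, dict) and msg.get("version") == 1 and "command" in msg else None


def extract_srcip(msg):
    """The key we act on is the alert's data.srcip. Returning None when it is
    absent ensures a rule that fires without a source address never turns
    into an empty or malformed block."""
    ip = msg.get("parameters", {}).get("alert", {}).get("data", {}).get("srcip")
    return ip if isinstance(ip, str) and ip else None


def check_keys_message(keys):
    """Reply execd waits for before answering continue/abort; it uses the
    keys to recognise a response that is already in progress."""
    return {"version": 1,
            "origin": {"name": SCRIPT_NAME, "module": "active-response"},
            "command": "check_keys", "parameters": {"keys": keys}}


def handle(first_line, read_next, write, denylist):
    """Drive one invocation. read_next() supplies the follow-up stdin line and
    write() emits to stdout; both are injected so the flow is testable.
    Mutates `denylist` (a set) and returns a status string."""
    msg = parse_message(first_line)
    if msg is None:
        return "invalid"
    ip = extract_srcip(msg)
    if ip is None:
        return "no-srcip"
    command = msg["command"]
    if command == ADD:
        write(json.dumps(check_keys_message([ip])) + "\n")
        reply = parse_message(read_next())
        if reply is None or reply.get("command") != CONTINUE:
            return "aborted"          # execd answered abort: already in progress
        denylist.add(ip)
    elif command == DELETE:           # timeout expired: undo the block
        denylist.discard(ip)
    else:
        return "unknown-command"
    return command


def load(path):
    try:
        with open(path) as f:
            return {line.strip() for line in f if line.strip()}
    except FileNotFoundError:
        return set()


def save(path, entries):
    with open(path, "w") as f:
        f.write("".join(e + "\n" for e in sorted(entries)))


if __name__ == "__main__":
    entries = load(DENYLIST_PATH)
    status = handle(sys.stdin.readline(), sys.stdin.readline, sys.stdout.write, entries)
    if status in (ADD, DELETE):
        save(DENYLIST_PATH, entries)
    sys.exit(0 if status in (ADD, DELETE) else 1)
```

The script deliberately does nothing on an alert without a source address and on an abort from execd; a stock firewall-drop invocation that blocked an empty string would either fail noisily or, worse, produce an overly broad rule. Whatever the real action is (iptables, an API call to a cloud firewall), keep the decision logic separated from the side effect as above so it can be unit-tested with constructed alerts.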
Apache Metron
Apache Metron is a cyber security application that allows enterprises to ingest, process, and store data streams in order to detect and respond to deviations such as abnormal user behavior.
Apache Metron leverages big data technologies, integrating elements of the Hadoop ecosystem to provide security analytics at scale. It is built on Apache Storm, Apache HBase, and Apache Kafka.
It supports integrating new enrichment services for additional context (e.g., pluggable extensions for threat intelligence feeds).
Apache Metron's features include:
- log aggregation from multiple sources (e.g., servers),
- behavioral analytics, and
- threat intelligence enrichment.
Analysts can leverage Apache Metron for:
- Telemetry capture, storage, and normalization: Metron ingests raw telemetry, parses it into a common format, and distributes it to multiple processing units for analytics.
- Threat enrichment: As telemetry is collected, Metron applies enrichments such as threat intelligence, geolocation, and DNS information. This adds critical context (who, where, and what) for deeper investigation and situational awareness, helping analysts respond faster.
- Logs and telemetry storage for different uses:
  - Data mining and analysis for security visibility.
  - Machine learning for anomaly detection, scoring incoming data against previously stored models.
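As an added illustration of the enrichment-then-triage flow just described (example code, not Apache Metron's own): each enricher joins context onto a parsed event, and triage rules then score the enriched event in the way Metron's threat triage produces a risk score. The threat-intel indicators, geo table, passive-DNS map, rule weights, and sample events are all constructed for the example.

```python
"""Added example (not Apache Metron's code): enrichment followed by rule-based
threat triage, reduced to plain Python. Every "feed" below is constructed;
a real deployment loads indicators, GeoIP and passive DNS from real sources."""
import ipaddress

THREAT_INTEL = {"198.51.100.23": "c2-server", "203.0.113.9": "scanner"}
GEO_TABLE = [(ipaddress.ip_network("198.51.100.0/24"), "RU"),
             (ipaddress.ip_network("203.0.113.0/24"), "US")]
PASSIVE_DNS = {"198.51.100.23": "update-check.example.net"}
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def enrich_threat_intel(event):
    """Tag either side of the flow that matches an indicator."""
    for side in ("src_ip", "dst_ip"):
        hit = THREAT_INTEL.get(event.get(side))
        if hit:
            event[f"threatintel.{side}"] = hit
    return event


def enrich_geo(event):
    """RFC 1918 space is labelled 'internal'; otherwise look up the table."""
    for side in ("src_ip", "dst_ip"):
        ip = ipaddress.ip_address(event[side])
        if any(ip in net for net in INTERNAL):
            event[f"geo.{side}"] = "internal"
        else:
            event[f"geo.{side}"] = next((cc for net, cc in GEO_TABLE if ip in net), "unknown")
    return event


def enrich_dns(event):
    """Attach a name seen for the destination in (constructed) passive DNS."""
    name = PASSIVE_DNS.get(event.get("dst_ip"))
    if name:
        event["dns.dst_name"] = name
    return event


# Triage rules: (name, predicate over the enriched event, score). Scores of
# all rules that fire are summed into one risk score; weights are arbitrary.
TRIAGE_RULES = [
    ("intel-hit-dst", lambda e: "threatintel.dst_ip" in e, 80),
    ("intel-hit-src", lambda e: "threatintel.src_ip" in e, 60),
    ("internal-to-unknown-geo",
     lambda e: e.get("geo.src_ip") == "internal" and e.get("geo.dst_ip") == "unknown", 20),
    ("internal-ssh",
     lambda e: e.get("geo.src_ip") == "internal" and e.get("geo.dst_ip") == "internal"
     and e.get("dst_port") == 22, 30),
]


def triage(event):
    fired = [(name, w) for name, pred, w in TRIAGE_RULES if pred(event)]
    event["threat.triage.rules"] = [n for n, _ in fired]
    event["threat.triage.score"] = sum(w for _, w in fired)
    return event


def process(event):
    """Run the full pipeline on a copy so the parsed input stays untouched."""
    enriched = dict(event)
    for step in (enrich_threat_intel, enrich_geo, enrich_dns, triage):
        enriched = step(enriched)
    return enriched


SAMPLE_EVENTS = [  # constructed, already-parsed flow records
    {"src_ip": "10.1.2.3", "dst_ip": "198.51.100.23", "dst_port": 443},
    {"src_ip": "10.1.2.3", "dst_ip": "10.1.9.9", "dst_port": 22},
    {"src_ip": "10.1.2.3", "dst_ip": "192.0.2.10", "dst_port": 80},
]

if __name__ == "__main__":
    ranked = sorted((process(e) for e in SAMPLE_EVENTS),
                    key=lambda e: -e["threat.triage.score"])
    for e in ranked:
        print(e["threat.triage.score"], e["src_ip"], "->", e["dst_ip"], e["threat.triage.rules"])
```

The point of the split is that rules only ever see enriched fields, so adding a new context source (say, an asset inventory) means adding an enricher and a rule, not rewriting the scoring; it is also why enrichment has to run before triage, which is the ordering Metron's topology enforces.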

HELK
HELK (Hunting ELK) combines ML and analytics features that mimic commercial UEBA toolsets. It aims to offer a data science stack to improve the testing and development of threat-hunting cases.
Users can leverage Jupyter notebooks and Apache Spark on top of the ELK stack to identify unusual behavior patterns. For example, HELK's optional ElastAlert component lets users alert on anomalies, spikes, or other patterns of interest in the data held in Elasticsearch.
Additionally, HELK supports KSQL, an open-source streaming SQL engine for real-time data processing with Apache Kafka. With the KSQL engine, users can utilize an interactive SQL interface for stream processing on Kafka, without the need to write Java or Python code.

Apache Spot
Apache Spot is an open source network traffic analytics platform built on flow and packet-derived data rather than a general-purpose SIEM. It applies machine learning (topic modeling over large volumes of NetFlow, DNS, and proxy logs) to rank each connection by how unusual it is for the environment, so analysts can review the least probable connections first.
Key features:
- Detect lateral movement, where attackers move from host to host inside the network toward their objective.
- Identify data leaks, where data is covertly transferred out of the organization.
- Uncover insider threats and other forms of abnormal behavior.
- Analyze network flows and DNS replies to help reduce security risks across various data channels.
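The data-leak and DNS-analysis bullets above describe detection at the entity (host) level. The following is an added example, not Apache Spot's own code (Spot ranks connections with topic modeling rather than this heuristic): it profiles each client's DNS queries per registered domain and flags the pattern typical of DNS tunneling or exfiltration, many never-repeated, high-entropy subdomains under one domain. The log lines, thresholds, and the last-two-labels domain rule are constructed assumptions.

```python
"""Added example (not Apache Spot's code): an entity-level DNS profile that
catches covert data transfer over DNS. For each (client, registered domain)
it tracks query volume, the share of never-repeated subdomains and their
character entropy. Log lines, thresholds and the naive registered-domain
rule are constructed assumptions."""
import hashlib
import math
from collections import defaultdict


def entropy(s):
    """Shannon entropy in bits per character of s (0.0 for empty)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(qname):
    """(subdomain, registered_domain) using a naive last-two-labels rule.
    Production code should consult the public suffix list (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile(lines):
    """Aggregate constructed 'client qname' lines per (client, domain)."""
    prof = defaultdict(lambda: {"queries": 0, "subs": set(), "entropy_sum": 0.0})
    for line in lines:
        client, qname = line.split()
        sub, dom = split_name(qname)
        p = prof[(client, dom)]
        p["queries"] += 1
        p["subs"].add(sub)
        p["entropy_sum"] += entropy(sub.replace(".", ""))
    return prof


def suspicious(prof, min_queries=20, min_unique_ratio=0.8, min_entropy=3.0):
    """Return [(client, domain, stats)] meeting all three conditions.
    Requiring volume AND uniqueness AND entropy keeps a CDN with many
    low-entropy hostnames (img1, img2, ...) and a single odd lookup out."""
    hits = []
    for (client, dom), p in sorted(prof.items()):
        n = p["queries"]
        ratio = len(p["subs"]) / n
        mean_ent = p["entropy_sum"] / n
        if n >= min_queries and ratio >= min_unique_ratio and mean_ent >= min_entropy:
            hits.append((client, dom, {"queries": n, "unique_ratio": ratio,
                                       "mean_entropy": round(mean_ent, 2)}))
    return hits


def sample_log():
    """Constructed DNS query log: an ordinary client, a client hitting many
    CDN hostnames, and a client whose subdomains look like encoded chunks."""
    lines = []
    for i in range(30):                                   # ordinary browsing
        lines.append(f"10.0.0.5 {['www', 'mail', 'cdn'][i % 3]}.example.com")
    for i in range(25):                                   # many hosts, low entropy
        lines.append(f"10.0.0.7 img{i}.example.org")
    for i in range(25):                                   # one encoded chunk per query
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"10.0.0.9 {chunk}.t.example.net")
    return lines


if __name__ == "__main__":
    for client, dom, stats in suspicious(profile(sample_log())):
        print(f"{client} -> {dom}: {stats}")
```

Only the third client is reported: the CDN client has the same volume and the same 100% unique-subdomain ratio, but its labels carry about two bits per character, so the entropy condition keeps it out. That is the kind of cross-check that a single-feature threshold misses, and why Spot models the joint distribution of several features instead of thresholding one.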

Commercial UEBA tools
Commercial UEBA tools offer readily pluggable solutions that can be integrated into your environment. These solutions provide out-of-the-box capabilities and enterprise-grade features for user behavior analytics.
Leading UEBA vendors:
- ManageEngine Log360: Combines SIEM log ingestion with behavioral analytics.
- Exabeam: A SIEM and XDR platform with UEBA capabilities. Best for large, complex environments.
- IBM Security QRadar: Provides UBA with risk profiling, offering deeper context for threat detection.
- Teramind: Enhances UEBA with DLP for cloud data protection, focusing on data leakage prevention.
Open source UEBA tools vs commercial UEBA tools
Many commercial UEBA providers start from one or more open source technologies (e.g., pattern recognition libraries, or detection content that is updated to cover newly discovered anomaly patterns) and then add their own features and specialized automation to create distinct capabilities (e.g., pre-configured anomaly detection models for real-time threat mitigation).
Here I listed the key differences between open-source UEBA tools and commercial UEBA tools:
1. Pre-configured anomaly detection models
- Commercial UEBA tools: Provide pre-configured anomaly detection models based on predefined patterns and historical data, designed to identify unusual user behaviors out-of-the-box.
- Open source UEBA tools: Often require users to build and tune their own anomaly detection models, although some tools (e.g., Graylog and Wazuh) offer predefined capabilities with extra configuration.
2. Automated response workflows
- Commercial UEBA tools: Typically feature automated response workflows that trigger predefined actions (e.g., blocking access or alerting security teams) directly in response to detected anomalies.
- Open source UEBA tools: Require SOAR integrations or custom scripts for automated workflows, though some (e.g., Wazuh with Active Response, Graylog) provide pre-defined actions without additional integration.
3. Pattern recognition automation
- Commercial UEBA tools: Offer mostly automated pattern recognition, utilizing sophisticated algorithms and machine learning models for real-time anomaly detection.
- Open source UEBA tools: Often have less automated pattern recognition, with more emphasis on manual configuration and custom model building.
4. Data loss prevention (DLP)
- Commercial UEBA tools: Incorporate data loss prevention (DLP) features that track and analyze user location, device type, and network activity, providing deeper context for user behavior and potential threats.
- Open source UEBA tools: Lack integrated DLP features, requiring additional tools or integrations for detailed context like device type or location tracking.
5. Compliance reporting
- Commercial UEBA tools: Often come with built-in compliance reporting capabilities, making it easier for organizations to meet regulatory requirements like GDPR, HIPAA, PCI-DSS, and SOX by monitoring user behavior and access patterns.
- Open source UEBA tools: Require custom development or third-party tools for compliance reporting, as they often do not offer out-of-the-box solutions for regulatory compliance.
6. Third-party integrations
- Open source UEBA tools: While they can integrate with third-party tools, integrations may require custom API connections.
- Commercial UEBA tools: Provide out-of-the-box integrations with other security tools, such as SIEM, SOAR, and antivirus software, enabling seamless incident response and security operations.
Conclusion
The choice between open-source and commercial UEBA tools depends on your organization's size, security needs, and available resources.
Open-source tools like OpenUBA, Graylog, and Wazuh offer greater flexibility and cost-effectiveness but require more customization and integration effort.
On the other hand, commercial tools like Exabeam and IBM QRadar provide automated workflows and easier deployment, making them ideal for large enterprises with complex requirements and a higher budget for security solutions.
FAQ
What is UEBA?
UEBA detects unusual behavior by analyzing deviations from normal patterns. For example, if a user who doesn’t typically download files suddenly starts downloading large amounts, UEBA flags it as an anomaly. It can also monitor machine behavior, such as detecting a surge in server access requests from a company device.
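The scenario in this answer, and the behavioral profiling models of the core UEBA tools described earlier, rest on the same building block: learn what is normal for each user, then score new activity against it. The following is an added example, not the page's or any product's code, showing that building block in Python with a robust baseline: daily download volume per user, median and MAD as the baseline, and a cold-start rule for users with too little history. The log lines, threshold, and history window are constructed assumptions.

```python
"""Added example, not code from the page or from any UEBA product: a per-user
behavioral baseline scored with a robust z-score (median / MAD) so that one
historical spike cannot inflate what counts as "normal". The log lines,
field layout, threshold and cold-start window are constructed assumptions."""
from collections import defaultdict
from statistics import median

# Constructed sample events, one per line: "YYYY-MM-DD user action bytes".
# ISO dates compare correctly as plain strings, which the code relies on.
SAMPLE_LOGS = """\
2024-03-01 alice download 120
2024-03-02 alice download 95
2024-03-03 alice download 130
2024-03-04 alice download 100
2024-03-05 alice download 5000
2024-03-06 alice download 110
2024-03-07 alice download 90
2024-03-08 alice download 105
2024-03-09 alice download 125
2024-03-10 alice download 100
2024-03-11 alice download 110
2024-03-01 bob login 0
2024-03-05 bob login 0
2024-03-11 bob download 50000
2024-03-09 carol download 200
2024-03-10 carol download 250
2024-03-11 carol download 700
"""


def parse(text):
    """Turn the sample format into (date, user, action, bytes) tuples."""
    return [(d, u, a, int(b)) for d, u, a, b in
            (line.split() for line in text.strip().splitlines())]


def baseline(values):
    """Robust baseline (median, MAD); an empty history yields (0, 0)."""
    if not values:
        return 0, 0
    med = median(values)
    return med, median(abs(v - med) for v in values)


def score(value, med, mad):
    """Robust z-score; 0.6745 rescales MAD to a standard deviation for
    normal data. A constant history (MAD == 0) gives no scale, so any
    departure from the median is reported as maximal deviation instead of
    dividing by zero."""
    if mad == 0:
        return float("inf") if value != med else 0.0
    return 0.6745 * (value - med) / mad


def detect_anomalies(events, target_day, action="download",
                     threshold=3.5, min_history_days=7):
    """Score one day of activity for every known user.

    Returns (alerts, cold_start_users). Users first seen fewer than
    min_history_days before target_day are not scored: a baseline built from
    two days of data is mostly noise and a classic UEBA false-positive source.
    """
    days = sorted({d for d, *_ in events})            # observed calendar
    history_days = [d for d in days if d < target_day]
    first_seen, totals = {}, defaultdict(int)
    for date, user, act, size in events:
        first_seen[user] = min(first_seen.get(user, date), date)
        if act == action:
            totals[(user, date)] += size
    alerts, cold_start = [], []
    for user in sorted(first_seen):
        user_days = [d for d in history_days if d >= first_seen[user]]
        if len(user_days) < min_history_days:
            cold_start.append(user)
            continue
        # Days without the action count as 0, so "never downloads" is itself
        # a baseline and the first large download stands out.
        med, mad = baseline([totals[(user, d)] for d in user_days])
        today = totals[(user, target_day)]
        s = score(today, med, mad)
        if s > threshold:
            alerts.append({"user": user, "bytes": today, "median": med,
                           "mad": mad, "score": s})
    return alerts, cold_start


if __name__ == "__main__":
    hits, skipped = detect_anomalies(parse(SAMPLE_LOGS), "2024-03-11")
    for a in hits:
        print(f"ALERT {a['user']}: {a['bytes']} bytes today, median {a['median']}, score {a['score']}")
    print("cold start, not scored:", skipped)
```

Three things the sample is built to show: alice's one-off 5000-byte day does not drag her baseline up (median 107.5, MAD 12.5), so her normal 110-byte day scores near zero; bob, who has logged in for ten days without ever downloading, is flagged on his first 50000-byte download because a flat-zero history is itself a baseline; and carol, seen for only two days, is reported as cold start rather than scored, which is where an open model lets you tune the trade-off between missed early-account abuse and a flood of new-user alerts.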
Why do organizations use UEBA tools?
Organizations use UEBA tools because traditional security solutions, like firewalls and intrusion detection systems, are no longer sufficient to protect against modern threats. UEBA tools help by detecting anomalous user and entity behaviors that could indicate security breaches, such as insider threats or credential-based attacks, which are often missed by conventional defenses. These tools provide a more proactive approach to threat detection, especially for advanced persistent threats (APTs) and sophisticated attack methods.
Further reading
- Role-based Access Control (RBAC)
- Network Segmentation: 6 Benefits & 8 Best Practices
- 80+ Network Security Statistics
External Links
- 1. Wazuh documentation: Log data collection (Capabilities).
- 2. Wazuh documentation: Supported services, Monitoring AWS based services.
- 3. GitHub, wazuh/wazuh: Wazuh, The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
- 4. GitHub, wazuh/wazuh: Wazuh, The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.