Frequently asked questions
Common questions about the OpenALBA specification.
What is OpenALBA?
OpenALBA (Application-Layer Behavioral Analytics) is an open specification for detecting behavioral anomalies in distributed systems using observability data. It defines standardized methodologies for establishing baselines, calculating anomaly scores, and computing context-aware risk scores.
How does OpenALBA differ from traditional UEBA?
Traditional User and Entity Behavior Analytics (UEBA) tools are typically proprietary, focused primarily on security, and require dedicated data collection. OpenALBA builds on existing OpenTelemetry instrumentation, separates anomaly detection from risk interpretation, and serves multiple consumers (security, SRE, engineering) from the same signals.
What is the dual-score architecture?
OpenALBA separates detection from interpretation through two scores. The Anomaly Score (0-100) is an objective, mathematical measure of how unusual the observed behavior is relative to its baseline; it carries no business context. The Risk Score (0-100) applies context such as entity criticality, data sensitivity, and team-specific weights to that anomaly. The same anomaly can therefore have different risk implications for different teams, and the detection stage does not need to change when a team's priorities do.
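The two stages, as an added illustration (not the specification's own formulas): the anomaly score is derived from a per-entity baseline with no context, and the risk score then folds in criticality, sensitivity and per-team weights. The sigma scaling, the context fields and the team weights below are assumptions chosen for the example.

```python
"""Illustrative dual-score computation: a context-free anomaly score from a
baseline, then a per-team risk score. Added example, not OpenALBA's own
formulas; the sigma scaling, context fields and team weights are assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Baseline:
    """Per-entity baseline for one signal, here requests per minute."""
    mean: float
    stdev: float


def build_baseline(samples: list[float]) -> Baseline:
    # Floor the stdev so a flat baseline neither divides by zero nor turns
    # every tiny wobble into a maximal anomaly.
    return Baseline(mean(samples), max(pstdev(samples), 1e-6))


def anomaly_score(observed: float, b: Baseline, saturate_sigma: float = 6.0) -> float:
    """Detection stage: 0-100, purely how unusual the observation is.
    Assumption: a deviation of saturate_sigma standard deviations or more
    maps to 100. No business context enters here."""
    z = abs(observed - b.mean) / b.stdev
    return round(min(z / saturate_sigma, 1.0) * 100, 1)


@dataclass(frozen=True)
class RiskContext:
    """Context the interpretation stage adds; invisible to detection."""
    entity_criticality: float  # 0..1, e.g. a tier-1 payment service = 1.0
    data_sensitivity: float    # 0..1, e.g. a route that returns PII = 1.0


# Hypothetical team weights (assumption): how each consumer blends the
# context fields when turning the same anomaly into its own risk.
TEAM_WEIGHTS = {
    "security": {"entity_criticality": 0.3, "data_sensitivity": 0.7},
    "sre":      {"entity_criticality": 0.8, "data_sensitivity": 0.2},
}


def risk_score(anomaly: float, ctx: RiskContext, team: str) -> float:
    """Interpretation stage: the anomaly scaled by a 0..1 team-weighted
    context factor, so risk stays within 0-100."""
    w = TEAM_WEIGHTS[team]
    factor = (w["entity_criticality"] * ctx.entity_criticality
              + w["data_sensitivity"] * ctx.data_sensitivity)
    return round(min(anomaly * factor, 100.0), 1)


def score_for_teams(observed: float, samples: list[float], ctx: RiskContext) -> dict:
    """Run both stages: one anomaly score, one risk score per team."""
    a = anomaly_score(observed, build_baseline(samples))
    return {"anomaly": a, "risk": {t: risk_score(a, ctx, t) for t in TEAM_WEIGHTS}}


# Constructed sample: a service that normally serves 95-105 req/min and is
# now at 115, on a critical service whose route carries little PII.
SAMPLES = [95.0, 105.0, 95.0, 105.0]
CONTEXT = RiskContext(entity_criticality=1.0, data_sensitivity=0.2)

if __name__ == "__main__":
    print(score_for_teams(115.0, SAMPLES, CONTEXT))
```

With the constructed sample the anomaly score is 50 for every consumer, while the security team sees a risk of 22 and the SRE team 42: the detection output is shared and auditable, and only the interpretation differs.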
Does OpenALBA require specific infrastructure?
OpenALBA is specification-only and does not mandate specific technology choices. It works with any infrastructure that can collect OpenTelemetry signals and store time-series data. Reference architectures use ClickHouse for storage and Kubernetes for processing, but alternatives are supported.
How do I implement OpenALBA?
Start with the Getting Started guide which covers prerequisites, basic setup, and configuration. The full specification provides detailed methodology for each component. Reference implementations and examples are available on GitHub.
What OpenTelemetry signals are required?
At minimum: service.name, deployment.environment.name, http.route, http.request.method, http.response.status_code, and client.address, using the OpenTelemetry semantic-convention attribute names. Older instrumentation may still emit the pre-rename deployment.environment; normalize it to deployment.environment.name before baselining so one entity is not split into two. For enhanced detection, add user.id, session.id, and custom attributes for authentication, authorization, and data sensitivity.
How does cold start handling work?
New entities without sufficient baseline data use fallback baselines in order of specificity: first peer group baselines (users with the same role, services of the same type), then population baselines, then conservative defaults. At each fallback step thresholds are widened and scores are confidence-adjusted, so a cold entity produces fewer and weaker alerts until enough of its own data accumulates for its own baseline to take over.
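An added example (not OpenALBA reference code) that ties the two answers above together: the entity identity is derived from the required attribute set, and the baseline for that entity is resolved through the fallback chain, lowering confidence and widening the threshold at each step. The minimum sample count, the confidence values, the widening factors and the operator-supplied default baseline are all assumptions made for the example.

```python
"""Illustrative cold-start handling: entity identity from the required
OpenTelemetry attributes, then baseline resolution through the fallback
chain. Added example, not OpenALBA reference code; MIN_SAMPLES, the
confidence values, widening factors and DEFAULT_BASELINE are assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev

REQUIRED_ATTRS = (
    "service.name", "deployment.environment.name", "http.route",
    "http.request.method", "http.response.status_code", "client.address",
)
MIN_SAMPLES = 50                  # assumption: fewer than this and the entity is cold
DEFAULT_BASELINE = (100.0, 50.0)  # assumption: operator-supplied (mean, stdev)


def entity_key(attrs: dict) -> str:
    """Derive the entity from the minimum attribute set; user.id, when present,
    narrows the entity from the service to a user within that service."""
    missing = [a for a in REQUIRED_ATTRS if a not in attrs]
    if missing:
        raise ValueError(f"missing required attributes: {missing}")
    key = f"{attrs['deployment.environment.name']}/{attrs['service.name']}"
    if "user.id" in attrs:
        key += f"/user:{attrs['user.id']}"
    return key


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float
    source: str             # entity | peer_group | population | default
    confidence: float       # 0..1, scales the anomaly score
    threshold_sigma: float  # deviation (in stdevs) treated as anomalous


def _fit(samples, source, confidence, sigma):
    return Baseline(mean(samples), max(pstdev(samples), 1e-6), source, confidence, sigma)


def resolve_baseline(key, history, peers, population, base_sigma=3.0):
    """history: entity key -> samples; peers: entity key -> peer entity keys
    (same role / same service type); population: samples across all entities
    of that kind. Each fallback step lowers confidence and widens the threshold."""
    own = history.get(key, [])
    if len(own) >= MIN_SAMPLES:
        return _fit(own, "entity", 1.0, base_sigma)
    peer_samples = [x for p in peers.get(key, []) for x in history.get(p, [])]
    if len(peer_samples) >= MIN_SAMPLES:
        return _fit(peer_samples, "peer_group", 0.7, base_sigma * 1.5)
    if len(population) >= MIN_SAMPLES:
        return _fit(population, "population", 0.4, base_sigma * 2.0)
    m, s = DEFAULT_BASELINE
    return Baseline(m, s, "default", 0.2, base_sigma * 3.0)


def score(observed: float, b: Baseline) -> tuple[float, bool]:
    """Confidence-adjusted 0-100 anomaly score, and whether the (possibly
    widened) threshold was crossed."""
    z = abs(observed - b.mean) / b.stdev
    raw = min(z / b.threshold_sigma, 1.0) * 100
    return round(raw * b.confidence, 1), z >= b.threshold_sigma


# Constructed sample data: requests per minute per user of one service.
# bob and carol are warm (60 samples, mean 100, stdev 5); alice is cold.
_warm = [95.0, 105.0] * 30
HISTORY = {
    "prod/checkout/user:alice": [98.0, 102.0, 100.0],
    "prod/checkout/user:bob": _warm,
    "prod/checkout/user:carol": _warm,
}
PEERS = {"prod/checkout/user:alice": ["prod/checkout/user:bob", "prod/checkout/user:carol"]}
SPAN = {  # constructed span attributes for one request by alice
    "service.name": "checkout", "deployment.environment.name": "prod",
    "http.route": "/orders/{id}", "http.request.method": "GET",
    "http.response.status_code": 200, "client.address": "203.0.113.7",
    "user.id": "alice",
}

if __name__ == "__main__":
    key = entity_key(SPAN)
    b = resolve_baseline(key, HISTORY, PEERS, [])
    print(key, b.source, score(130.0, b))
```

For alice the same 130 req/min that would score 100 against a warm entity's own baseline scores 70 against her peer-group baseline, and an entity with no peers and no population history falls to the default and barely registers; the widened threshold means alice's 115 req/min is not flagged at all even though it is three of her peers' standard deviations out.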
Can I add custom detection patterns?
Yes. The specification defines a set of standard patterns but explicitly allows implementations to add additional patterns. Custom patterns should follow the same structure (signals, weights, thresholds, risk multipliers) so the same scoring pipeline and risk stage can evaluate them alongside the standard ones.
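An added example (not the OpenALBA pattern catalogue) of what "the same structure" buys you: a standard pattern and a custom pattern share one definition shape, pass the same validation, and are evaluated by the same code. The pattern and signal names, the numbers and the scoring rule are assumptions; signal values are assumed to arrive already baseline-normalised, in standard-deviation units.

```python
"""Illustrative detection-pattern registry: standard and custom patterns in
one shape (signals, weights, thresholds, risk multiplier) with shared
validation and evaluation. Added example, not the OpenALBA catalogue; names,
numbers and the scoring rule are assumptions. Signal values are assumed to
be baseline-normalised deviations in stdev units."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:
    name: str
    signals: tuple[str, ...]      # features the pattern consumes
    weights: dict[str, float]     # per-signal contribution, must sum to 1.0
    thresholds: dict[str, float]  # per-signal value at which that signal fires
    risk_multiplier: float        # handed to the risk stage, not applied here


def validate(p: Pattern) -> None:
    """Reject malformed patterns before they reach the pipeline."""
    keys = set(p.signals)
    if keys != set(p.weights) or keys != set(p.thresholds):
        raise ValueError(f"{p.name}: signals, weights and thresholds must name the same keys")
    if abs(sum(p.weights.values()) - 1.0) > 1e-9:
        raise ValueError(f"{p.name}: weights must sum to 1.0")
    if any(t <= 0 for t in p.thresholds.values()) or p.risk_multiplier <= 0:
        raise ValueError(f"{p.name}: thresholds and risk multiplier must be positive")


def register(registry: dict[str, Pattern], p: Pattern) -> None:
    """Custom patterns go through exactly the same gate as standard ones."""
    validate(p)
    if p.name in registry:
        raise ValueError(f"duplicate pattern name: {p.name}")
    registry[p.name] = p


def evaluate(p: Pattern, features: dict[str, float]) -> dict:
    """0-100 score: weighted sum of each signal's progress towards its
    threshold, capped at 1.0 per signal so one extreme value cannot carry
    the pattern alone; 'fired' lists the signals at or past threshold."""
    total, fired = 0.0, []
    for s in p.signals:
        ratio = max(features.get(s, 0.0), 0.0) / p.thresholds[s]
        if ratio >= 1.0:
            fired.append(s)
        total += p.weights[s] * min(ratio, 1.0)
    return {"pattern": p.name, "score": round(total * 100, 1),
            "fired": fired, "risk_multiplier": p.risk_multiplier}


def evaluate_all(registry: dict[str, Pattern], features: dict[str, float]) -> dict:
    return {name: evaluate(p, features) for name, p in registry.items()}


# Hypothetical standard pattern (assumption, not from the specification).
STANDARD = Pattern(
    name="request_rate_spike",
    signals=("req_rate_dev", "error_rate_dev"),
    weights={"req_rate_dev": 0.6, "error_rate_dev": 0.4},
    thresholds={"req_rate_dev": 3.0, "error_rate_dev": 2.0},
    risk_multiplier=1.0,
)
# Hypothetical custom pattern added by an implementation, same shape.
CUSTOM = Pattern(
    name="bulk_export",
    signals=("export_bytes_dev", "distinct_records_dev", "off_hours"),
    weights={"export_bytes_dev": 0.5, "distinct_records_dev": 0.3, "off_hours": 0.2},
    thresholds={"export_bytes_dev": 4.0, "distinct_records_dev": 3.0, "off_hours": 1.0},
    risk_multiplier=1.5,
)
REGISTRY: dict[str, Pattern] = {}
register(REGISTRY, STANDARD)
register(REGISTRY, CUSTOM)

# Constructed feature vector for one entity in one window (stdev units).
FEATURES = {"req_rate_dev": 6.0, "error_rate_dev": 1.0,
            "export_bytes_dev": 2.0, "distinct_records_dev": 3.0, "off_hours": 1.0}

if __name__ == "__main__":
    for result in evaluate_all(REGISTRY, FEATURES).values():
        print(result)
```

The risk multiplier is carried through in the result rather than applied, which keeps the pattern evaluation on the detection side of the dual-score split; the risk stage decides what a multiplier of 1.5 means for a given team.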
How do I contribute to OpenALBA?
OpenALBA is developed in the open on GitHub. You can report issues, suggest enhancements, submit fixes, or propose RFCs for significant changes. See the Contributing guide for details.
What license is OpenALBA released under?
The OpenALBA specification is released under the Apache License 2.0.
Still have questions?
Open an issue on GitHub or email contact@openalba.org.
Last updated: 2026-01-31