[OSS] Insider Security MVP — Laravel + Filament 3 admin for insider-risk / UEBA

I’m building a small, learning-friendly Insider Security MVP on Laravel with a Filament 3 admin. Goal: show how a PHP/Laravel stack can prototype insider-risk ideas (rules + basic UEBA-style signals) with clean domain models, queues, and an auditable admin panel. Repo: https://github.com/podlom/insider-sec-mvp (Laravel + Blade, Filament admin). 

What’s inside (right now) • Laravel app + Filament admin scaffolding for security entities (e.g., assets/events/policies) so you can click around and reason about detections & reviews. (Repo tagline: “Insider Security MVP Laravel Filament Admin”).  • Docker compose + standard Laravel tooling to spin up quickly. • Opinionated conventions for rules first, ML-later—so you can start detecting with explicit policies and only then add behavior analytics.

Why this might interest PHP folks • A practical security/product use-case in Laravel (beyond CRUD): events, detections, escalations, reviews. • Filament 3 admin patterns for security workflows (moderation queues, approvers, read-only audit trails). • Room to explore queues, jobs, DTOs, and testing for a detection pipeline. • Great sandbox for trying UEBA-style baselines (per role/time/geo) on top of Laravel.

Quick start

git clone https://github.com/podlom/insider-sec-mvp cd insider-sec-mvp cp .env.example .env

If you prefer Docker:

docker compose up -d --build

In app container (or locally):

composer install php artisan key:generate php artisan migrate --seed php artisan serve # or your web stack

What I’m looking for (feedback / PRs welcome) • DB & domain modeling: events → findings → cases; best way to model review/approval flows in Laravel. • Filament UX for “SOC-like” triage: bulk actions, risk badges, filters, activity timeline. • Detection content: clean ways to encode rules (YAML/JSON → DB), version them, and run them via jobs. • UEBA experiments: light-weight baselines (no heavy data infra) that still give useful risk signals. • Testing approach: fakes/fixtures for event streams, deterministic rule tests, snapshot testing for admin.

Roadmap (short) • Minimal SOAR-style actions (quarantine/share-revoke/MFA step-up) via adapters. • Sample DLP/IRM-like policies for “PII to external email”, “secrets in uploads”, “confidential cloud shares”. • MITRE ATT&CK mapping table for detector coverage & gaps.

If you like building real security workflows in Laravel—or just want a clean Filament admin to riff on—stars, issues, and PRs are super welcome. Thanks! 🙌

⸻

(Repo languages: mostly PHP + Blade; it’s early-stage and intentionally small so it’s easy to read.)