Stream Alert

StreamAlert is a serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define. Computer security teams (at Airbnb) use StreamAlert to scan terabytes of log data every day for incident detection and response. It is an open-source project that can be customized to provide an alerting mechanism for AWS accounts.

Here is the link to the documentation.


Setting up

I followed the Getting Started guide to set up StreamAlert in my AWS account in the Sydney region: https://streamalert.readthedocs.io/en/stable/getting-started.html
A few changes I made in the following files so that I could run it in ap-southeast-2 (the Sydney region):

/streamalert/conf/global.json: changed "region": "us-east-1" to "region": "ap-southeast-2"
/streamalert/conf/cluster/prod.json: changed "region": "us-east-1" to "region": "ap-southeast-2"
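The region has to be changed consistently in every StreamAlert config file that carries it, and a mismatch between global.json and a cluster file is easy to miss by hand. The script below is an added example (not part of the original post or of the StreamAlert project) that walks a conf/ directory, reports every "region" key that does not match the intended region, and can rewrite them in place. The two sample files it writes are constructed for the example; the nesting of "region" inside them is illustrative, and the walker handles any depth, so it does not depend on the exact layout of the real files.

```python
import json
from pathlib import Path
from tempfile import mkdtemp

# Constructed sample contents standing in for the two files the post edits.
# The nesting of "region" here is illustrative only; the walker below finds
# the key at any depth, so the real file layout does not matter.
SAMPLE_CONFIGS = {
    "global.json": {
        "account": {"aws_account_id": "123456789012", "prefix": "example",
                    "region": "us-east-1"},
    },
    "cluster/prod.json": {
        "id": "prod",
        "region": "us-east-1",
        "modules": {},
    },
}


def write_sample_conf(base=None):
    """Write the constructed sample files under a (temporary) conf dir."""
    conf_dir = Path(base or mkdtemp())
    for rel, content in SAMPLE_CONFIGS.items():
        target = conf_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(json.dumps(content, indent=2) + "\n")
    return conf_dir


def iter_region_keys(node, path=()):
    """Yield (dotted_path, value) for every key named 'region' at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "region":
                yield ".".join(path + (key,)), value
            yield from iter_region_keys(value, path + (key,))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from iter_region_keys(value, path + (str(idx),))


def region_mismatches(conf_dir, expected):
    """Return [(file, dotted_path, value)] for every region value != expected."""
    conf_dir = Path(conf_dir)
    found = []
    for json_file in sorted(conf_dir.rglob("*.json")):
        data = json.loads(json_file.read_text())
        rel = json_file.relative_to(conf_dir).as_posix()
        for dotted, value in iter_region_keys(data):
            if value != expected:
                found.append((rel, dotted, value))
    return found


def _set_regions(node, new_region):
    # Reassigning an existing key does not change dict size, so iterating
    # over items() while updating in place is safe here.
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "region" and isinstance(value, str):
                node[key] = new_region
            else:
                _set_regions(value, new_region)
    elif isinstance(node, list):
        for value in node:
            _set_regions(value, new_region)


def set_region(conf_dir, new_region):
    """Rewrite every string 'region' key under conf_dir; return how many changed."""
    conf_dir = Path(conf_dir)
    changed = 0
    for json_file in conf_dir.rglob("*.json"):
        data = json.loads(json_file.read_text())
        before = dict(iter_region_keys(data))
        _set_regions(data, new_region)
        after = dict(iter_region_keys(data))
        changed += sum(1 for k in before if before[k] != after[k])
        json_file.write_text(json.dumps(data, indent=2) + "\n")
    return changed


if __name__ == "__main__":
    conf = write_sample_conf()
    print("mismatches before:", region_mismatches(conf, "ap-southeast-2"))
    print("keys changed:", set_region(conf, "ap-southeast-2"))
    print("mismatches after:", region_mismatches(conf, "ap-southeast-2"))
```

Run it against a real checkout by pointing `region_mismatches` at the streamalert conf/ directory instead of the sample files; an empty list means every region key already agrees with the target region.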

I simulated a CloudTrail event of a root login into an AWS account, as per the documentation.
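The detection that fires on that simulated event is a check on the CloudTrail record's userIdentity. The snippet below is an added example, written as plain Python rather than with StreamAlert's own rule decorator and output wiring, so it is not the project's rule code; it evaluates two checks (any direct root activity, and a successful root console login) over a handful of constructed CloudTrail records, trimmed to the fields the checks read. The records are synthetic and not captured from any real account.

```python
import json

# Constructed CloudTrail records, trimmed to the fields the checks use.
# Synthetic samples only; nothing here was captured from a real account.
SAMPLE_EVENTS = [
    {   # root console login: should alert on both checks
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "sourceIPAddress": "198.51.100.10",
    },
    {   # ordinary IAM user console login: no alert
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accountId": "123456789012"},
        "responseElements": {"ConsoleLogin": "Success"},
        "sourceIPAddress": "198.51.100.11",
    },
    {   # root identity used by an AWS service on the account's behalf
        # (invokedBy set): not a person acting as root, so no alert
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy",
        "eventType": "AwsApiCall",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "invokedBy": "cloudformation.amazonaws.com"},
    },
    {   # root making an API call outside the console: alert on root usage
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "eventType": "AwsApiCall",
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
        "sourceIPAddress": "198.51.100.12",
    },
]


def records_from_cloudtrail_json(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into records."""
    return json.loads(text).get("Records", [])


def is_root_activity(record):
    """True when the account root principal acted directly (not via a service)."""
    ident = record.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and ident.get("invokedBy") is None
            and record.get("eventType") != "AwsServiceEvent")


def is_root_console_login(record):
    """True for a successful root sign-in to the AWS console."""
    return (is_root_activity(record)
            and record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success")


CHECKS = (
    ("root_account_usage", is_root_activity),
    ("root_console_login", is_root_console_login),
)


def evaluate(records):
    """Return one alert dict per record that matches at least one check."""
    alerts = []
    for rec in records:
        matched = [name for name, check in CHECKS if check(rec)]
        if matched:
            alerts.append({
                "rules": matched,
                "eventName": rec.get("eventName"),
                "accountId": rec.get("userIdentity", {}).get("accountId"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
            })
    return alerts


if __name__ == "__main__":
    # Wrap the constructed samples in the envelope CloudTrail writes to S3.
    body = json.dumps({"Records": SAMPLE_EVENTS})
    for alert in evaluate(records_from_cloudtrail_json(body)):
        print(alert)
```

The invokedBy and eventType conditions are what keep the check from firing on AWS services that act with the root identity on the account's behalf; without them the rule is noisy enough that people stop reading the emails.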

I got the following email in my inbox.


After some interval (10 mins), the alert was also searchable in AWS Athena.



This can be made to work in enterprise AWS accounts, but it would involve a significant learning curve and customization effort for the various use cases that make up the security analysis of an account.
Cost-wise it is cheap, as it is built on serverless AWS technologies.

I only incurred $3 USD while running it for 7 days.
