
v1.6.0

@ryandeivert ryandeivert released this 26 Jan 19:20
74ddbc6

New Features

Threat Intelligence

This release includes a new (beta) threat intelligence feature to enable analysis and identification of suspicious activity in your infrastructure based on IP address, domain and file hash indicators.
StreamAlert compares these indicators (stored in a DynamoDB table) to incoming data in real-time, and generates an alert if any matches are found.

To complement this feature, the release also includes a Threat Intel Downloader, a Lambda function that collects the latest IP address, domain and file hash indicators mentioned above and updates them in the DynamoDB table. Currently, the Threat Intel Downloader supports fetching data from Anomali’s ThreatStream API.

StreamAlert Apps

StreamAlert Apps enable you to easily retrieve data from any service with a RESTful API to send to StreamAlert for processing and alerting. The infrastructure is serverless, the configuration takes minutes, and the deployment is automated via Terraform.

Read more about this feature in our blog post, or learn how to get started with StreamAlert Apps in the documentation.

This release includes several apps, with more coming in future releases:

Historical Search of Data

As announced in the last release (v1.5.0), StreamAlert can be configured to search generated alerts with AWS Athena.

This feature has been extended to support delivery of all incoming logs into Amazon S3 via AWS Firehose, and to be searched by AWS Athena in the streamalert database. This allows users to query data for long periods of time, and perform statistics, joins, and other analysis.

The StreamAlert CLI also manages the setup, creation, and provisioning of data tables and required AWS infrastructure. To get started, check out our Athena setup instructions.

PagerDuty Events API v2 and Incidents API Output Support

StreamAlert now includes support for two new PagerDuty API outputs:

Improvements

Local Rule Testing Enhancements

Rule test events can now be configured to indicate which rules they will trigger, and include the log schema that the event corresponds to. The CLI also now reports on hard-to-diagnose errors related to rule tests. See the documentation for more information on the new test event structure.

Rule Helpers for Finding Key Items

StreamAlert now includes rule helper functions which help you recursively find key-values in records without worrying about the schema or nesting.
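The following is an added example, not StreamAlert's own code, that ties together the two features described above: a recursive key finder of the kind the rule helpers provide (so a rule does not have to know how deeply a field is nested), and a match of the values it finds against an IP, domain and file hash indicator set, which here is an in-memory dict standing in for the DynamoDB table. The helper names (`find_key_values`, `get_first_value`, `match_indicators`), the `IOC_FIELDS` field-to-type mapping and the sample record are all constructed for this example; the indicator values are placeholders (a documentation-range IP, a reserved example domain and a made-up hash), not real IoCs.

```python
"""Added example (not StreamAlert's code): recursive key lookup over nested
records plus an indicator match against an in-memory stand-in for DynamoDB."""
from __future__ import annotations

from typing import Any, Dict, Iterator, List, Set

# Constructed indicator set standing in for the DynamoDB indicator table.
# All values are placeholders, not real threat intelligence.
INDICATORS: Dict[str, Set[str]] = {
    "ip": {"203.0.113.45"},
    "domain": {"malicious.example"},
    "sha256": {"0" * 63 + "1"},
}

# Hypothetical mapping from log field name to indicator type. A real deployment
# would derive this from the log schema / normalized types configuration.
IOC_FIELDS: Dict[str, str] = {
    "sourceIPAddress": "ip",
    "dst_ip": "ip",
    "hostname": "domain",
    "sha256": "sha256",
}


def find_key_values(record: Any, key: str) -> Iterator[Any]:
    """Yield every value stored under ``key`` anywhere in a nested dict/list,
    in document order, without the caller knowing the nesting depth."""
    if isinstance(record, dict):
        for name, value in record.items():
            if name == key:
                yield value
            # Recurse into the value even on a hit: nested copies still count.
            yield from find_key_values(value, key)
    elif isinstance(record, list):
        for item in record:
            yield from find_key_values(item, key)


def get_first_value(record: Any, key: str, default: Any = None) -> Any:
    """Return the first value found for ``key``, or ``default`` if absent."""
    return next(find_key_values(record, key), default)


def match_indicators(record: Dict[str, Any],
                     indicators: Dict[str, Set[str]] = INDICATORS) -> List[Dict[str, str]]:
    """Return one entry per (field, value) that matches an indicator.

    Values are stripped, and domains/hashes lowercased, before lookup so that
    case differences in the log do not cause a missed match.
    """
    matches: List[Dict[str, str]] = []
    for field, ioc_type in IOC_FIELDS.items():
        for value in find_key_values(record, field):
            if not isinstance(value, str):
                continue  # non-string values cannot be an indicator string
            normalized = value.strip()
            if ioc_type != "ip":
                normalized = normalized.lower()
            if normalized in indicators.get(ioc_type, set()):
                matches.append({"field": field, "type": ioc_type, "value": normalized})
    return matches


def threat_intel_rule(record: Dict[str, Any]) -> bool:
    """Rule-style predicate: True when any indicator matches the record."""
    return bool(match_indicators(record))


# Constructed sample record (CloudTrail-like shape with extra nested fields).
SAMPLE_RECORD: Dict[str, Any] = {
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.45",
    "requestParameters": {"hostname": "Malicious.Example"},
    "files": [
        {"name": "a.bin", "sha256": "0" * 63 + "1"},
        {"name": "b.bin", "sha256": "ab" * 32},
    ],
}

if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_RECORD):
        print(f"{hit['type']} indicator matched in field {hit['field']}: {hit['value']}")
```

The in-memory set is the only thing that differs from the shipped design: StreamAlert keeps the indicators in DynamoDB and looks them up per record, so a production version would batch the normalized values collected by `find_key_values` into one table read rather than one lookup per value.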

Security Linting via Bandit

Bandit is a Python scanner which checks for common security issues in Python source code. The project has now been updated to run Bandit on the StreamAlert source as part of the CI pipeline.

User-configurable Kinesis Shard-Level Metrics

Kinesis shard-level metrics, via enhanced monitoring, will now be disabled by default with the optional ability to configure specific metrics to log. This will greatly reduce AWS costs for end-users.

Core Infrastructure Improvements

  • Global Alerts Firehose - Enables high throughput delivery of alerts to S3.
  • Optional Kinesis Modules - Adds modularity to StreamAlert clusters, making Kinesis optional. This fully enables a purely S3 based cluster, where Kinesis is not necessary to deliver data into Lambda.
  • Cross-Account CloudTrail - Supports receiving CloudTrail data from multiple AWS accounts into the StreamAlert CloudTrail module.
  • S3 Event Filtering - Added support for suffix and prefix filtering of event notifications for objects in S3.

Bug Fixes

  • #339 - Fix for nested data normalization
  • #361 - Classifier TypeError fix when casting to list/dict
  • #367, #381 - Fixed various bugs related to data normalization
  • #393, #564 - Faster unit tests
  • #449, #431 - Fixing various CLI bugs
  • #453 - Fixed JSON parser bug related to JSON path
  • #456 - Fixed classifier type conversion of nested values
  • #548 - Fixed bug with total records metric
  • #578 - Athena Partition Refresh KeyError bug fix

Various schema fixes for Carbon Black and CloudTrail logs.

Shout-outs

Special thanks for the following external contributions from @armtash and @javefang:

  • #437 - JIRA as an alerting output
  • #568 - Recursive support when converting log schema to Athena schema
  • #580 - Allow kinesis write permission to be granted to other AWS accounts