v3.1.0

@ryandeivert ryandeivert released this 28 Mar 00:32
fdb7b95

StreamAlert Release v3.1.0

New Features

Scheduled Queries

The concept of "stateful" alerting has always been a gap that StreamAlert has failed to bridge. We've introduced a feature we've dubbed Scheduled Queries as a way to help bridge that gap. Users can now write and deploy Athena queries that will run on a user-defined schedule. The results of these queries are then fed back into StreamAlert's Rules Engine for further processing and alerting. See the documentation for more information on getting up and running with Scheduled Queries.

See also: #1209

Dynamic Outputs in Rules

It is now possible for rules to dynamically configure outputs based on information in a record. A new keyword argument, dynamic_outputs, has been added to the @rule decorator to support this. For more information on how to leverage this for yourself, see the documentation. This is a great addition that we've also wanted for a long time, so a huge thank you to @jack1902 for adding this!
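As an added illustration (not StreamAlert's own code), the following Python model shows what per-record output resolution looks like: static outputs are always delivered, each dynamic resolver is called with the matched record, and a resolver that returns nothing or raises on an unexpected record simply contributes no output rather than breaking delivery. The `rule` decorator signature, the resolver functions, the output names and the record fields are all assumptions made for this example; consult the documentation for the real keyword semantics.

```python
"""Illustrative model of rule-level dynamic outputs.

Added example, not StreamAlert's own code. The decorator name `rule`, the
`dynamic_outputs` keyword, the output names and the record shapes are
assumptions made for this demonstration.
"""

from typing import Callable, Iterable, List, Optional, Union

OutputNames = Union[str, Iterable[str], None]
OutputResolver = Callable[[dict], OutputNames]


class Rule:
    """A rule's match function plus its static and dynamic outputs."""

    def __init__(self, func, outputs, dynamic_outputs):
        self.func = func
        self.name = func.__name__
        self.outputs: List[str] = list(outputs or [])
        self.dynamic_outputs: List[OutputResolver] = list(dynamic_outputs or [])

    def matches(self, record: dict) -> bool:
        return bool(self.func(record))

    def resolve_outputs(self, record: dict) -> List[str]:
        """Static outputs first, then each resolver's result, de-duplicated.

        A resolver that raises or returns None adds nothing, so a malformed
        record cannot suppress delivery to the statically configured outputs
        (constructed fail-safe policy for this example).
        """
        resolved = list(self.outputs)
        for resolver in self.dynamic_outputs:
            try:
                result = resolver(record)
            except Exception:
                continue
            if result is None:
                continue
            names = [result] if isinstance(result, str) else list(result)
            for name in names:
                if name and name not in resolved:
                    resolved.append(name)
        return resolved


RULES: List[Rule] = []


def rule(outputs=None, dynamic_outputs=None):
    """Decorator that registers a rule (assumed signature for this example)."""
    def decorator(func):
        registered = Rule(func, outputs, dynamic_outputs)
        RULES.append(registered)
        return registered
    return decorator


def slack_channel_for_account(record: dict) -> Optional[str]:
    """Route to a per-account Slack channel derived from the record."""
    account = record.get("account")
    return f"slack:account-{account}" if account else None


def on_call_for_severity(record: dict) -> OutputNames:
    """Page on-call and email the team only for high-severity findings."""
    if record.get("severity") == "high":
        return ["pagerduty:oncall", "ses:security-team"]
    return None


@rule(outputs=["aws-sns:alerts"],
      dynamic_outputs=[slack_channel_for_account, on_call_for_severity])
def root_login(record: dict) -> bool:
    """Constructed detection: any record whose user is root."""
    return record.get("user") == "root"


def evaluate(record: dict) -> dict:
    """Run every registered rule; return {rule_name: resolved output names}."""
    return {r.name: r.resolve_outputs(record) for r in RULES if r.matches(record)}


# Constructed sample records
HIGH = {"user": "root", "account": "prod", "severity": "high"}
LOW = {"user": "root", "severity": "low"}  # no account field present

if __name__ == "__main__":
    print(evaluate(HIGH))
    print(evaluate(LOW))
```

Resolvers are kept as plain functions of the record so they are easy to unit test in isolation; the fail-safe handling in `resolve_outputs` is what keeps a single bad field from silently dropping an alert.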

AWS Simple Email Service Output

Support has been added for sending alerts to AWS Simple Email Service (SES). This enables sending richly formatted emails to recipients, as opposed to the previous method of using AWS SNS for sending only very simple emails. A huge thanks to @jack1902 for contributing this!

Microsoft Teams Output

Support has also been added for sending alerts to Microsoft Teams. A huge thanks (again!) to @jack1902 for contributing this!

Publisher Integration Tests

The publisher testing implementation has been updated to support configuring tests for publishers directly within a test event file. For more information on how to add tests for publishers, see the documentation.

See also: #1185

Improvements

Parquet for Data Retention

One of our biggest pain points in the StreamAlert ecosystem has been the speed of searches. This release adds support for Parquet as the storage format of data sent to S3 for historical data retention, and we're already seeing vast improvements in comparison to JSON. In addition to this, Athena tables are also now created and managed via Terraform, removing the need for users to reason about them during deployment time.

See also: #1202

Rule Integration Tests

In addition to the updates to integration tests made as part of #1181, a larger update to the framework has migrated tests out of the tests/integration directory. Integration test files for rules should now live beside the rule being tested. The documentation for tests includes more details.

New Rules

AWS Config Compliance and Remediation Rules

Thanks to @jack1902 for adding two new rules related to AWS Config!

SSH Activity via osquery

Thanks to @chunyong-lin for open-sourcing a rule to alert on SSH login activity captured by osquery.

Bug Fixes

To view the complete list of all of the bugs fixed in v3.1.0, including many not mentioned above, see here.

All Changes

To view the complete list of all changes included in v3.1.0, see here.