# Alternatives

The right choice depends on your use cases, existing infrastructure, security requirements, available resources, core competencies and more. The details outlined below are the differences we consider notable; they do not constitute a complete, detailed comparison.

## ElastAlert

### Infrastructure

ElastAlert assumes you have an existing Elasticsearch cluster; it schedules queries against it.

StreamAlert directly ingests data from S3 buckets, or from other sources such as Fluentd, Logstash, Kinesis Agent, osquery, PHP, Java, Ruby, etc., via Amazon Kinesis Data Streams.

### Rules/Queries

ElastAlert uses YAML files and Elasticsearch's Query DSL. It supports rule types that StreamAlert currently does not, e.g. Change, Frequency, Spike, Flatline, New Term and Cardinality.

StreamAlert uses JSON files for configuration, and queries (rules) are written in Python; they can use any Python libraries or functions.

### Security

In ElastAlert, TLS and authentication are optional (they are properties of the Elasticsearch cluster). They can be enabled via Elastic Shield/X-Pack.

StreamAlert requires TLS for data transport (a Kinesis requirement), and authentication is required (AWS Identity and Access Management (IAM)).

## Etsy's 411

### Infrastructure

411 assumes you have an existing Elasticsearch cluster; it schedules queries against it.

StreamAlert directly ingests data from S3 buckets, or from other sources such as Fluentd, Logstash, Kinesis Agent, osquery, PHP, Java, Ruby, etc., via Amazon Kinesis Data Streams.

### Rules/Queries

411 uses a custom query language called ESQuery ("Pipelined Lucene shorthand"), which is then translated to Elasticsearch's Query DSL.

StreamAlert rules/queries are written in Python; they can utilize any Python libraries or functions.
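To make the "rules are Python functions" point from both the ElastAlert and 411 comparisons concrete, here is an added example that is not StreamAlert's own code: a minimal stand-in for a decorator-registered rule engine, where a rule is an ordinary function that returns `True` when a record should alert and can therefore use any library (here the stdlib `ipaddress` module, something a YAML or Query DSL rule cannot express). The `rule` decorator, the `process` function and the osquery-style records are assumptions constructed for this illustration; StreamAlert's real rule API differs in its details.

```python
"""Added example (not StreamAlert code): a minimal rules-as-Python engine."""
import ipaddress
from typing import Callable, Dict, List

RULES: Dict[str, dict] = {}  # rule name -> {"func", "logs", "outputs"}


def rule(logs: List[str], outputs: List[str]) -> Callable:
    """Hypothetical decorator: register a rule for the given log types."""
    def wrap(func: Callable) -> Callable:
        RULES[func.__name__] = {"func": func, "logs": logs, "outputs": outputs}
        return func
    return wrap


@rule(logs=["osquery:differential"], outputs=["slack:security"])
def shell_to_public_ip(rec: dict) -> bool:
    """Alert when an interactive shell has a socket to a globally routable IP.
    Uses ipaddress for the classification instead of hand-written prefix lists."""
    cols = rec.get("columns", {})
    if cols.get("name") not in {"bash", "sh", "zsh"}:
        return False
    try:
        remote = ipaddress.ip_address(cols.get("remote_address", ""))
    except ValueError:  # malformed or missing address: never alert on garbage
        return False
    return remote.is_global


def process(records: List[dict]) -> List[dict]:
    """Run every rule whose log type matches the record; return the alerts."""
    alerts = []
    for rec in records:
        for name, r in RULES.items():
            if rec.get("log") in r["logs"] and r["func"](rec):
                alerts.append({"rule": name, "outputs": r["outputs"], "record": rec})
    return alerts


# Constructed sample records in an osquery differential-like shape.
SAMPLE = [
    {"log": "osquery:differential", "columns": {"name": "bash", "remote_address": "8.8.8.8"}},
    {"log": "osquery:differential", "columns": {"name": "bash", "remote_address": "10.0.0.5"}},
    {"log": "osquery:differential", "columns": {"name": "curl", "remote_address": "8.8.8.8"}},
    {"log": "cloudwatch:events", "columns": {"name": "bash", "remote_address": "8.8.8.8"}},
]

if __name__ == "__main__":
    for alert in process(SAMPLE):  # only the first sample record alerts
        print(alert["rule"], "->", alert["outputs"], alert["record"]["columns"])
```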

### Security

411:

  • Infrastructure: Apache (with mod_rewrite and mod_headers), PHP, SQLite and MySQL. You are responsible for hardening and vulnerability management of these applications and of the underlying host / operating system.
  • AuthN/AuthZ: The UI is accessed via username/password over TLS. TLS and authentication are optional for Elasticsearch; they can be enabled via Elastic Shield/X-Pack.

StreamAlert:

  • Infrastructure: Serverless; the underlying operating system is hardened and updated by Amazon. The application is Python and runs in a short-lived container/sandbox.
  • Requires TLS for data transport (a Kinesis requirement).
  • AuthN/AuthZ is required (AWS Identity and Access Management (IAM)).