

Make sure you've completed the Getting Started instructions prior to continuing.

Initial Build

To initialize StreamAlert:

python init

This will perform the following:

  • Create S3 buckets and encryption keys.
  • Create AWS Lambda functions.
  • Build declared infrastructure in the Terraform files.
  • Deploy initial production AWS Lambda versions.

Type yes at each prompt.

Continuous Deployment

As new rules, sources, or outputs are added to StreamAlert, new versions of the AWS Lambda functions must be deployed for changes to become effective.

To accomplish this, contains a deploy command.

To deploy new changes for all AWS Lambda functions:

python deploy --function all

Optionally, to deploy changes for only a specific AWS Lambda function:

python deploy --function alert
python deploy --function alert_merger
python deploy --function apps
python deploy --function athena
python deploy --function classifier
python deploy --function rule
python deploy --function rule_promo
python deploy --function threat_intel_downloader

To apply infrastructure-level changes (additional Kinesis Shards, new CloudTrails, etc.), run:

python build

To speed up a Terraform run by applying only specific changes, use the list-targets command and the build command with the --target option:

python list-targets

  Target                                                                                Type
  classifier_prod_iam                                                                   module
  classifier_prod_lambda                                                                module
  cloudwatch_monitoring_prod                                                            module
  kinesis_events_prod                                                                   module
  kinesis_prod                                                                          module
  metric_filters_Classifier_FailedParses_PROD                                           module
  metric_filters_Classifier_FirehoseFailedRecords_PROD                                  module
  metric_filters_Classifier_FirehoseRecordsSent_PROD                                    module

python build --target cloudwatch_monitoring_prod        # apply to single module
python build --target kinesis_prod classifier_prod_iam  # apply to two modules
python build --target metric_filters_Classifier_*_PROD  # apply to three modules
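
An added example, not part of StreamAlert or of this page's original code: a pre-flight check that parses the list-targets table shown above and reports which modules a set of --target patterns would select before any build is run. It assumes `*` is matched as a shell-style glob (the page does not say how the CLI matches it); `parse_targets` and `resolve_targets` are hypothetical names.

```python
import fnmatch

# Constructed sample input: the list-targets table from this page as captured text.
LIST_TARGETS_OUTPUT = """\
  Target                                                 Type
  classifier_prod_iam                                    module
  classifier_prod_lambda                                 module
  cloudwatch_monitoring_prod                             module
  kinesis_events_prod                                    module
  kinesis_prod                                           module
  metric_filters_Classifier_FailedParses_PROD            module
  metric_filters_Classifier_FirehoseFailedRecords_PROD   module
  metric_filters_Classifier_FirehoseRecordsSent_PROD     module
"""


def parse_targets(output):
    """Return {target name: type} from the two-column list-targets table."""
    targets = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 2 or fields == ["Target", "Type"]:
            continue  # skip the header row and blank or malformed lines
        targets[fields[0]] = fields[1]
    return targets


def resolve_targets(patterns, targets):
    """Expand --target patterns in order; fail if a pattern selects nothing."""
    selected = []
    for pattern in patterns:
        # Assumption: '*' is matched as a case-sensitive shell-style glob.
        matches = sorted(t for t in targets if fnmatch.fnmatchcase(t, pattern))
        if not matches:
            raise ValueError(f"--target {pattern!r} matches no known target")
        selected.extend([m for m in matches if m not in selected])
    return selected


if __name__ == "__main__":
    known = parse_targets(LIST_TARGETS_OUTPUT)
    for name in resolve_targets(["metric_filters_Classifier_*_PROD"], known):
        print(name, known[name])
```

When a wildcard target is typed in a shell, an unquoted `*` is subject to the shell's own filename expansion if a matching file exists in the current directory; quoting the pattern passes it through unchanged.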

Monitoring Functions

StreamAlert clusters contain a module to create CloudWatch Alarms for monitoring AWS Lambda invocation errors.

These alarms help ensure that the currently running code is reliable. To access them, log in to the AWS Console, go to CloudWatch, and then click Alarms.


StreamAlert Lambda functions are invoked via a production alias that can be easily rolled back to point to the previous version:

python rollback --function rule
python rollback --function alert
python rollback --function all

This is helpful to quickly revert changes to Lambda functions, e.g. if a bad rule was deployed.
