StreamAlert
@jack_naglieri / Enigma 2017
Serverless, Real-Time Data Analysis
Hypothetical: You just joined a new team, and need to collect, analyze, and alert on log data.
● Two colleagues on your team
● Thousands of laptops + production servers
● Must keep up with growth
Option 1: Develop and deploy your own tool
Challenges
Option 1 - Develop and deploy your own tool
● Engineering time and resources
● Responsible for:
○ Reliability
○ Security
○ Scalability
Have you had to rebuild a tool that you previously created?
Option 2: Deploy an existing tool - open source or commercial
Challenges
Option 2 - Deploy an existing tool
● Customizations necessary
● Scaling and upgrading are non-trivial
● Deployment challenges:
○ Time
○ Skillset required
○ Reliance on other teams
Has cost, time, or staffing prevented you from deploying a tool you needed?
Ideal Option
● Automated deployment
● Low operational overhead
● Built-in scalability and reliability
● Secure by default
Getting There
Infrastructure as code
Cloud Infrastructure
streamalert
What is StreamAlert?
● Serverless, real-time data analysis
● Point-in-time alerting
● Customizable to meet your needs
Benefits of StreamAlert
● Scalable to TBs/day
● Automated deployment
● Minimal system ownership
● Rules written in Python
● Low cost
What type of data can StreamAlert analyze?
JSON
{"name":"logged_in_users", "host":"ubuntu", "calendarTime":"Jan 10 17:49:07","columns":{"host":"10.0.0.2","username":"vagrant"}}
Syslog
Jan 10 17:49:07 ubuntu sshd[9644]: Accepted publickey for vagrant from 10.0.2.2 port 56738 ssh2
CSV
2,123456789010,eth0,10.0.0.1,10.0.0.2,56738,22,6,20,4249,ACCEPT,OK
Key Value
msg=audit(1364475353.159:24270): user pid=3280 uid=100 auid=500 ses=1 msg='op=PAM:authentication res=success
Example Logs
Environment System Network [Web] Application
Make the deployment of security tools simple.
Design
Data Analysis
Rules
Alerts
Deployment
Serverless - Focus on the application logic, not the servers
Serverless Compute Model
1. Write Application
2. Upload to AWS Lambda
3. Run
Serverless Compute Pricing Model
compute + # of requests = total cost
duration: 100ms
memory: 128MB
1,000,000 req/day
$5.80/month
Built-in Security Benefits
1. Role Based Access Control via AWS IAM
2. Natural data segmentation
3. Isolated (containerized) log analysis
4. TLS
Design
Data Analysis
Rules
Alerts
Deployment
High Level
Data is sent to a Kinesis Stream; Lambda polls the stream and analyzes the data
Data → AWS Kinesis Stream → AWS Lambda
osquery queries run on hosts
```
SELECT * FROM users;
SELECT * FROM processes;
SELECT * FROM syslog ...;
SELECT * FROM process_open_sockets ...;
```
resulting data
```
{
  "hostIdentifier": "web01",
  "calendarTime": "Aug 10 10:13:54",
  "columns": {
    "remote_address": "51.32.104.190",
    "remote_port": "22",
    ...
  }
  ...
```
AWS Kinesis Stream → AWS Lambda
Sending Data
● Configure Agent
● Send to Stream
● Analyze with Lambda
osquery, kinesis agent, logstash, fluentd, code, ... → AWS Kinesis Stream → AWS Lambda
Sending Data with S3
● Put data in S3
● Analyze with Lambda
Kinesis or S3 as a data source
Kinesis
● Records <= 1MB
● Performant push model
S3
● Records > 1MB
● Less performant pull model
● Common datasource
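The two delivery models look different from inside the Lambda function: a Kinesis event carries each record inline, while an S3 event carries only a bucket and key that the function must then fetch. The sketch below is an added example, not StreamAlert code; `extract_payloads`, `kinesis_item`, the bucket, the key and the sample event are constructed, and the event layout assumed is the standard AWS Lambda event shape for Kinesis and S3.

```python
import base64
import json
from urllib.parse import unquote_plus

def extract_payloads(event):
    """Split a Lambda event into inline records, S3 pointers and a reject count."""
    records, s3_objects, rejected = [], [], 0
    for item in event.get("Records", []):
        source = item.get("eventSource")
        try:
            if source == "aws:kinesis":
                # Push model: the log line is inside the event, base64-encoded.
                raw = base64.b64decode(item["kinesis"]["data"], validate=True)
                rec = json.loads(raw.decode("utf-8"))
                if not isinstance(rec, dict):
                    raise ValueError("record is not a JSON object")
                records.append(rec)
            elif source == "aws:s3":
                # Pull model: the event only names the object. Keys arrive
                # URL-encoded, so decode them before fetching the object.
                s3 = item["s3"]
                s3_objects.append(
                    (s3["bucket"]["name"], unquote_plus(s3["object"]["key"]))
                )
            else:
                rejected += 1
        except (KeyError, TypeError, ValueError):
            # One malformed record must not abort the rest of the batch.
            rejected += 1
    return records, s3_objects, rejected

def kinesis_item(line):
    """Build a constructed Kinesis event entry for the sample below."""
    data = base64.b64encode(line.encode("utf-8")).decode("ascii")
    return {"eventSource": "aws:kinesis", "kinesis": {"data": data}}

# Constructed sample event: one osquery-style record, one corrupt record,
# and one S3 notification (bucket and key are placeholders).
SAMPLE_EVENT = {
    "Records": [
        kinesis_item(json.dumps({
            "hostIdentifier": "web01",
            "calendarTime": "Aug 10 10:13:54",
            "columns": {"remote_address": "51.32.104.190", "remote_port": "22"},
        })),
        kinesis_item("not json"),
        {
            "eventSource": "aws:s3",
            "s3": {
                "bucket": {"name": "example-log-bucket"},
                "object": {"key": "osquery/host+1.json"},
            },
        },
    ]
}
```

The reject count is worth exporting as a metric: a rising number of undecodable records means log data is arriving that no rule will ever see.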
Design
Data Analysis
Rules
Alerts
Deployment
Rules are expressed as Python functions!
Rule Layout
```python
@rule(log_sources=[], match=[], outputs=[])
def rule_func(rec):
    """Description"""
    return True
```
Rule Processing Example
```json
{
  "name": "logged_in_users",
  "hostIdentifier": "host1",
  "calendarTime": "Sat Dec 10 22:45:52 2016",
  "columns": {
    "host": "10.0.2.2",
    "user": "mike"
  }
}
```
Example Rule #1
```python
@rule(log_sources=['osquery'], match=[], outputs=['pagerduty'])
def invalid_user(rec):
    """Catch unauthorized user logins"""
    auth_users = {'alice', 'bob'}
    query = rec['name']             # logged_in_users
    user = rec['columns']['user']   # mike

    return (
        query == 'logged_in_users' and
        user not in auth_users
    )
```
Example Rule #2
```python
from netaddr import IPAddress, IPNetwork

@rule(log_sources=['osquery'], match=[], outputs=['pagerduty'])
def unauth_subnet(rec):
    """Catch logins from unauthorized subnets"""
    query = rec['name']
    ip = IPAddress(rec['columns']['host'])   # 10.0.2.2
    valid_cidr = IPNetwork('10.2.0.0/24')

    return (
        query == 'logged_in_users' and
        ip not in valid_cidr
    )
```
Let’s reduce some repeated code with a ‘matcher’
Matcher
```python
from netaddr import IPAddress, IPNetwork

@rule(log_sources=['osquery'], match=['logged_in_users'], outputs=['pagerduty'])
def invalid_subnet(rec):
    """Catch logins from unauthorized subnets"""
    ip = IPAddress(rec['columns']['host'])
    valid_cidr = IPNetwork('10.2.0.0/24')
    return ip not in valid_cidr

@matcher()
def logged_in_users(rec):
    query = rec['name']
    return query == 'logged_in_users'
```
Matchers can also be used for determining:
● Environments
● Roles
● System Platforms
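To show how the decorators on the preceding slides could select and run rules against the record from the "Rule Processing Example" slide, here is a minimal rule registry. It is an added example, not StreamAlert's own engine: `RULES`, `MATCHERS`, `process` and the registration logic are assumptions, and the standard-library `ipaddress` module stands in for `netaddr` so the block runs without dependencies.

```python
import ipaddress
from collections import namedtuple

# Hypothetical registry for illustration; StreamAlert's own engine differs.
Rule = namedtuple("Rule", "func log_sources match outputs")
RULES = []
MATCHERS = {}

def matcher():
    """Register a reusable predicate under its function name."""
    def register(func):
        MATCHERS[func.__name__] = func
        return func
    return register

def rule(log_sources=(), match=(), outputs=()):
    """Register a rule with its log sources, matcher names and outputs."""
    def register(func):
        RULES.append(Rule(func, tuple(log_sources), tuple(match), tuple(outputs)))
        return func
    return register

@matcher()
def logged_in_users(rec):
    return rec["name"] == "logged_in_users"

@rule(log_sources=["osquery"], match=["logged_in_users"], outputs=["pagerduty"])
def invalid_user(rec):
    """Catch unauthorized user logins"""
    return rec["columns"]["user"] not in {"alice", "bob"}

@rule(log_sources=["osquery"], match=["logged_in_users"], outputs=["pagerduty"])
def invalid_subnet(rec):
    """Catch logins from unauthorized subnets"""
    # Standard-library ipaddress stands in for the netaddr calls on the slides.
    ip = ipaddress.ip_address(rec["columns"]["host"])
    return ip not in ipaddress.ip_network("10.2.0.0/24")

def process(rec, log_source):
    """Return (rule name, output) for every rule that fires on one record."""
    alerts = []
    for r in RULES:
        if log_source not in r.log_sources:
            continue
        checks = [MATCHERS[name] for name in r.match]  # unknown name: config error
        try:
            fired = all(check(rec) for check in checks) and r.func(rec)
        except (KeyError, TypeError, ValueError):
            fired = False  # missing field or bad IP: no alert, batch continues
        if fired:
            alerts.extend((r.func.__name__, out) for out in r.outputs)
    return alerts

# Constructed sample: the record from the "Rule Processing Example" slide.
SAMPLE = {
    "name": "logged_in_users",
    "hostIdentifier": "host1",
    "calendarTime": "Sat Dec 10 22:45:52 2016",
    "columns": {"host": "10.0.2.2", "user": "mike"},
}
```

Both rules fire on the sample record, since `mike` is not an authorized user and `10.0.2.2` lies outside `10.2.0.0/24`. A rule that raises on a malformed record is treated as not firing, so in production that branch should be logged or counted to keep parsing failures from hiding missed detections.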
Design
Data Analysis
Rules
Alerts
Deployment
Alert Output Configuration
```python
from netaddr import IPAddress, IPNetwork

@rule(log_sources=['osquery'], match=['logged_in_users'], outputs=['pagerduty'])
def invalid_subnet(rec):
    """Catch logins from unauthorized subnets"""
    ip = IPAddress(rec['columns']['host'])
    valid_cidr = IPNetwork('10.2.0.0/24')
    return ip not in valid_cidr
```
Diagram: AWS Kinesis Stream (datasource) or S3 (datasource) → StreamAlert Processing Lambda → Amazon SNS → StreamAlert Output Lambda → Any API
Design
Data Analysis
Rules and Alerts
Deployment
Goal: Make Deployment Simple
Assembly Line
● Time/Cost Savings
● Accessible
● Interchangeable
● Repeatable
Building with Terraform
● Express complex infrastructure as code
● Interchangeable
● Consistent
● Abstracted with stream_alert_cli
web : github.com/airbnb/streamalert
twitter: @streamalert_io
Thank You!
● @enigmaconf, @usenix
● @awscloud team (services and support)
● @mimeframe (concept, website, guides, review)
● @strcrzy (core rules logic)
● @zwass (osquery kinesis output plugins)
● @hackgnar (osquery kinesis bug fixes)