finds.dev

// the find

airbnb/streamalert

★ 2,886 · Python · Apache-2.0 · updated Oct 2023

StreamAlert is a serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define.

StreamAlert is Airbnb's open-source SIEM-as-code platform: you define log schemas and detection rules in Python, and it deploys a Kinesis → Lambda → SQS pipeline on AWS via Terraform. Security teams use it to run real-time detection across CloudTrail, osquery, Duo, GSuite, and a dozen other log sources without managing servers.

The rule model is genuinely good — pure Python functions with access to lookup tables and threat intel, testable locally without AWS. The community rule library covers real attacker TTPs (root account usage, public S3 ACLs, MFA policy abuse) so you're not starting from zero. Terraform-managed deployment means infra is reproducible and auditable. The alert merger that deduplicates noisy rules before paging someone is a detail that shows operational experience.

Last commit was October 2023 and activity has been sparse for years — this project is effectively Airbnb-internal with a public mirror, not a living open-source community. The Terraform code targets older AWS patterns and will need work to fit a modern account setup. There's no support for AWS-native services that have matured since (Security Hub, Detective, EventBridge rules), so you'd be layering StreamAlert alongside rather than replacing them. Onboarding is steep: you need to understand Kinesis, Lambda concurrency, DynamoDB, and Firehose before writing your first rule, and the docs haven't kept pace.
