Improvement: Publish the python library separate to the Reference Implementation
So I tried to implement StreamAlert today. As someone with pretty good experience in AWS I felt like the “tools” used to make things easy hindered me rather than helped me. The python library is ideally all I need, I can build the rest and do it using the tools I prefer to use instead of trying to understand how the existing implementation is built.
Ideally the RuleHelper, RuleEngine and Classifier are all that are required for the simplest python library. The rest (including the Sink function) are more a Reference Implementation than a part of the core library; there are various ways to implement them depending on your requirements.
My strong but weakly held opinion is that this repository blurs the lines between the StreamAlert core rules engine and the infrastructure implementation; they are too tightly coupled. For example:
- The same configuration that feeds the Classifier is used to generate the Terraform manifest.
- The sink function is part of the same code base as the function that generates the alert.
- There’s a function that packages and deploys Lambda functions, when many tools already exist that do this (Apex and Serverless).
Don’t get me wrong, I 😍 that you’ve provided the automation example of how to implement this and I wish more OSS projects would do it too.
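To make the "core library vs. reference implementation" split concrete, here is a small added example of the shape being proposed. It is not StreamAlert's code: the names `Classifier`, `RuleEngine`, `Alert`, `run_pipeline` and `stdout_sink`, the key-list schema format, and the sample records are all assumptions constructed for illustration. The point it shows is that the classifier and rule engine only parse input and return alerts as plain data; delivery (SNS, S3, stdout) lives outside them and can be swapped without touching the rules.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# All class and function names below are hypothetical, not StreamAlert's API.


@dataclass
class Alert:
    rule_name: str
    log_type: str
    record: dict


@dataclass
class Rule:
    name: str
    log_types: Tuple[str, ...]
    matcher: Callable[[dict], bool]


class Classifier:
    """Core step 1: parse a raw line and tag it with a log type.

    A schema here is just the keys a record must carry (an assumption for
    this example; a real schema format would be richer).
    """

    def __init__(self, schemas: Dict[str, List[str]]):
        self.schemas = schemas

    def classify(self, raw: str) -> Optional[Tuple[str, dict]]:
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            return None  # malformed input is dropped, never raised into rules
        if not isinstance(record, dict):
            return None
        for log_type, required_keys in self.schemas.items():
            if all(key in record for key in required_keys):
                return log_type, record
        return None  # unknown shape: no rule will ever see it


class RuleEngine:
    """Core step 2: run registered rules and *return* alerts as data.

    Delivery (SNS, S3, stdout, ...) is deliberately absent; it belongs to
    whatever reference implementation wraps this library.
    """

    def __init__(self) -> None:
        self._rules: List[Rule] = []

    def rule(self, name: str, log_types: List[str]):
        """Decorator registering a predicate as a rule for the given log types."""
        def register(fn: Callable[[dict], bool]) -> Callable[[dict], bool]:
            self._rules.append(Rule(name, tuple(log_types), fn))
            return fn
        return register

    def process(self, log_type: str, record: dict) -> List[Alert]:
        alerts: List[Alert] = []
        for rule in self._rules:
            if log_type not in rule.log_types:
                continue
            try:
                matched = bool(rule.matcher(record))
            except Exception:  # a buggy rule must not take the whole batch down
                matched = False
            if matched:
                alerts.append(Alert(rule.name, log_type, record))
        return alerts


# --- Wiring that a reference implementation would own --------------------

CLASSIFIER = Classifier({
    "cloudtrail": ["eventName", "userIdentity"],
    "sshd": ["host", "message"],
})
ENGINE = RuleEngine()


@ENGINE.rule("root_console_login_without_mfa", ["cloudtrail"])
def root_login_no_mfa(rec: dict) -> bool:
    return (rec["eventName"] == "ConsoleLogin"
            and rec["userIdentity"].get("type") == "Root"
            and rec.get("additionalEventData", {}).get("MFAUsed") == "No")


@ENGINE.rule("ssh_failed_password", ["sshd"])
def ssh_failed_password(rec: dict) -> bool:
    return "Failed password" in rec["message"]


def run_pipeline(raw_lines: List[str]) -> List[Alert]:
    """Classify each line, evaluate rules, and hand back alerts as a list."""
    alerts: List[Alert] = []
    for line in raw_lines:
        classified = CLASSIFIER.classify(line)
        if classified is None:
            continue
        log_type, record = classified
        alerts.extend(ENGINE.process(log_type, record))
    return alerts


def stdout_sink(alerts: List[Alert]) -> int:
    """One possible sink; an SNS or S3 sink would be a drop-in replacement."""
    for alert in alerts:
        print(f"[{alert.log_type}] {alert.rule_name}: {json.dumps(alert.record)}")
    return len(alerts)


# Constructed sample input for the example (not real logs).
SAMPLE_LINES = [
    '{"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, '
    '"additionalEventData": {"MFAUsed": "No"}}',
    '{"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, '
    '"additionalEventData": {"MFAUsed": "Yes"}}',
    '{"host": "bastion-1", "message": "Failed password for invalid user admin '
    'from 203.0.113.5 port 4242 ssh2"}',
    'this line is not JSON at all',
    '{"unrelated": true}',
]

if __name__ == "__main__":
    stdout_sink(run_pipeline(SAMPLE_LINES))
```

Running the module prints two alerts; the non-JSON line and the record matching no schema are silently dropped by the classifier, and the MFA-protected root login produces nothing. Because `run_pipeline` returns a list, a Lambda handler, a CLI, or a unit test can all consume the same core without any AWS dependency.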
Issue Analytics
- Created 7 years ago
- Comments: 5 (3 by maintainers)
Top GitHub Comments
Hey @patrobinson, we recently implemented the ability to return a list of alerts from rule processing instead of handling it with SNS. We have plans to work towards making the code a standalone Python package.
@patrobinson we can definitely make that work! Can you make a new issue for this request? (or maybe send a PR which provides this functionality 😄 )