Improvement: Publish the python library separate to the Reference Implementation

So I tried to implement StreamAlert today. As someone with pretty good experience in AWS I felt like the “tools” used to make things easy hindered me rather than helped me. The python library is ideally all I need, I can build the rest and do it using the tools I prefer to use instead of trying to understand how the existing implementation is built.

Ideally the RuleHelper, RuleEngine and Classifier are all that are required for the simplest python library. The rest (including the Sink function) are more a Reference Implementation than a part of the core library, there are various ways to implement them depending on your requirements.

My strong but weakly held opinion is that this repository blurs the lines between the StreamAlert core rules engine and the infrastructure implementation; they are too tightly coupled. For example:

• The same configuration that feeds the Classifier is used to generate the Terraform manifest.
• The sink function is part of the same code base as the function that generates the alert.
• There’s a function that packages and deploys Lambda functions, when many tools already exist that do this (Apex and Serverless)

Don’t get me wrong, I 😍 that you’ve provided the automation example of how to implement this and I wish more OSS projects would do it too.