Alternatives

It should be noted that the correct choice depends on your use-cases, existing infrastructure, security requirements, available resources, core competencies and more. Details outlined below were considered notable differences and shouldn’t constitute a complete, detailed comparison.

ElastAlert

Infrastructure

ElastAlert assumes you have an existing Elasticsearch cluster; it schedules queries against it

StreamAlert directly ingests data from S3 buckets or other sources like Fluentd, Logstash, Kinesis Agent, osquery, PHP, Java, Ruby, etc via Amazon Kinesis Data Streams

Rules/Queries

ElastAlert uses YAML files and Elasticsearch’s Query DSL. It supports query types that StreamAlert currently does not, ex: Change, Frequency, Spike, Flatline, New Term, Cardinality

StreamAlert uses JSON files and queries are written in Python; they can utilize any Python libraries or functions

Security

In ElastAlert, TLS and authentication is optional (Elasticsearch). This can be enabled via Elastic Shield/X-Pack.

StreamAlert requires TLS for data transport (Kinesis requirement) and authentication is required (AWS Identity and Access Management (IAM))

Etsy’s 411

Infrastructure

411 assumes you have an existing Elasticsearch cluster; it schedules queries against it

StreamAlert directly ingests data from S3 buckets or other sources like fluentd, logstash, kinesis-agent, osquery, PHP, Java, Ruby, etc via Amazon Kinesis Data Streams

Rules/Queries

411 uses a custom query language called ESQuery, “Pipelined Lucene shorthand”, which is then translated to Elasticsearch’s Query DSL

StreamAlert rules/queries are written in Python; they can utilize any Python libraries or functions.

Security

411:

  • Infrastructure: Apache (w/mod_rewrite, mod_headers), PHP, SQLite, & MySQL. You are responsible for hardening and vulnerability management of these applications and the underlying host / operating system.

  • AuthN/AuthZ: The UI is accessed via username/password over TLS. TLS and authentication is optional for Elasticsearch; it can be enabled via Elastic Shield/X-Pack

StreamAlert:

  • Infrastructure: Serverless; underlying operating system is hardened and updated by Amazon. Application is Python and runs in a short-lived container/sandbox.

  • Requires TLS for data transport (Kinesis requirement)

  • AuthN/AuthZ is required (AWS Identity and Access Management (IAM))