Getting Started with StrIEM
Prerequisites
- Docker and Docker Compose installed
- Python 3.7 or higher
- A supported data source (e.g., AWS CloudTrail, Google Cloud, GitHub Enterprise, Okta)
Installation
Install the StrIEM configuration utility:
pip install striem-configure
Basic Setup
- Run the configuration utility:
  striem-configure
- Follow the interactive prompts to:
  - Select and configure your data sources
  - Choose storage options
  - Set up detection rules
  - Configure authentication
- Launch StrIEM:
  docker-compose up -d
Understanding the Pipeline
StrIEM processes data through several stages:
- Data Collection: Source components (source-*) ingest raw logs
- Metadata Tagging: Logsource components (logsource-*) add the metadata used for Sigma rule matching
- Normalization: OCSF components (ocsf-*) standardize the data format
- Actions: Action streams (action-*) handle specific events, such as alerts
Example: Setting up CloudTrail Monitoring
- Run striem-configure
- Select AWS CloudTrail as a source
- Provide your AWS credentials
- Choose detection rules
- Launch StrIEM
Your CloudTrail logs will be:
- Collected via Vector
- Normalized to OCSF format
- Matched against Sigma rules
- Stored in Parquet files
- Accessible for analysis via SQL
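To make the stages above concrete, here is an added example that walks one constructed CloudTrail record through the same sequence (source, logsource tagging, OCSF normalization, Sigma-style matching, alert action). It is illustrative code written for this page, not StrIEM's own components: the function names, the reduced OCSF API Activity mapping (class_uid 6003), the single-selection Sigma evaluator and the sample event are all assumptions, and the real pipeline runs these stages as separate Vector streams rather than in-process Python.

```python
"""Illustrative walk-through of the pipeline stages described above on one event.

Added example, not StrIEM's code. Field names follow OCSF (class_uid 6003 =
API Activity) and Sigma's logsource/detection layout; the functions, the rule
and the sample record are constructed for this demonstration.
"""
import json
from datetime import datetime, timezone

# Constructed CloudTrail record (documentation IP range, fictitious account).
CLOUDTRAIL_EVENT = json.loads("""
{
  "eventVersion": "1.08",
  "eventTime": "2024-01-15T10:23:45Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice",
                   "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"userName": "bob"},
  "errorCode": null
}
""")

# Sigma-style detection (assumed shape: logsource + one selection + condition).
RULE = {
    "title": "IAM access key created",
    "logsource": {"product": "aws", "service": "cloudtrail"},
    "detection": {
        "selection": {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey"},
        "condition": "selection",
    },
    "level": "medium",
}


def tag_logsource(raw: dict) -> dict:
    """logsource-* stage: attach the metadata Sigma uses to select applicable rules."""
    return {"raw": raw, "logsource": {"product": "aws", "service": "cloudtrail"}}


def normalize_ocsf(tagged: dict) -> dict:
    """ocsf-* stage: map the CloudTrail shape onto a reduced OCSF API Activity record."""
    raw = tagged["raw"]
    ts = datetime.strptime(raw["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ident = raw.get("userIdentity", {})
    return {
        "class_uid": 6003,                               # OCSF API Activity
        "time": int(ts.timestamp() * 1000),              # OCSF time is epoch milliseconds
        "status_id": 2 if raw.get("errorCode") else 1,   # 1 = Success, 2 = Failure
        "api": {"service": {"name": raw["eventSource"]}, "operation": raw["eventName"]},
        "actor": {"user": {"name": ident.get("userName"), "uid": ident.get("arn")}},
        "src_endpoint": {"ip": raw.get("sourceIPAddress")},
        "cloud": {"provider": "AWS", "region": raw.get("awsRegion")},
        "metadata": {"product": {"name": "CloudTrail", "vendor_name": "AWS"},
                     "logsource": tagged["logsource"]},
        # Fields without a mapping are kept rather than dropped, so nothing is lost for SQL analysis.
        "unmapped": {"requestParameters": raw.get("requestParameters", {})},
    }


def matches(rule: dict, tagged: dict) -> bool:
    """Minimal Sigma evaluator: logsource must agree and every selection field must be equal."""
    if rule["logsource"] != tagged["logsource"]:
        return False
    if rule["detection"]["condition"] != "selection":
        raise NotImplementedError("only a single 'selection' condition is handled here")
    raw = tagged["raw"]
    return all(raw.get(field) == value for field, value in rule["detection"]["selection"].items())


def run_pipeline(raw: dict, rules: list) -> tuple:
    """source -> logsource -> ocsf -> action: returns the OCSF record and the alerts raised."""
    tagged = tag_logsource(raw)
    record = normalize_ocsf(tagged)
    alerts = [{"rule": r["title"], "level": r["level"], "time": record["time"]}
              for r in rules if matches(r, tagged)]
    return record, alerts


if __name__ == "__main__":
    rec, alerts = run_pipeline(CLOUDTRAIL_EVENT, [RULE])
    print(json.dumps(rec, indent=2))
    for alert in alerts:
        print("ALERT:", alert)
```

In the real deployment the normalized record would land in Parquet and be queried with SQL; the matching here is done on the raw CloudTrail field names because that is how public Sigma rules for AWS are written.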
Next Steps
- Add custom detection rules in assets/detections/
- Configure additional data sources
- Set up SOAR playbooks
- Explore your data using DuckDB or other SQL tools