TL;DR

| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Stream Security Events Logs | | | | | stream_security_events_logs | NDJSON | WEBHOOK |
Overview
Stream Security is a modern cloud-threat detection and response platform designed for dynamic, multi-cloud environments. It emphasizes real-time infrastructure modelling, high-context analytics, rapid detection and integration into existing security workflows. For organizations moving fast in the cloud and needing continuous visibility and response, it presents a compelling option.
Supported data types
Stream Security Events logs
Table name: stream_security_events_logs
Stream Security continuously ingests and correlates audit logs, configuration changes, network flows and identity activity across cloud environments into its live model, providing event-level visibility into every change and action.
Send data to Hunters
Hunters supports the ingestion of Stream logs via a Webhook.
To connect Stream logs:

1. Contact Hunters support and request assistance with providing a webhook URL and a bearer token.
2. Log in to StreamSecurity and select 'More' in the main navigation > Integrations.
3. Select Add Integration > Webhook.
4. Enter the details of the Webhook integration: enter the Webhook URL that was obtained in step 1. You can also provide a Description of the integration for your records.

JSON payload customization options: below are the default format sent as an alert payload and the payload vocabulary. Depending on the implementation needs of the subscribing webhook client, you can modify the default payload key and value pairs.

```
{{
  "summary": "Event name: {eventName} | User/role: {userIdentity}",
  "source": "StreamSecurity configuration event on account {account} / {awsRegion}",
  "severity": "{severity}",
  "custom_details": {{
    "resources": "Resources: {resources}",
    "violation": "Violations summary: {violation_summary}",
    "rules": "Rules: {rules}",
    "View Event Details": "{event_link}"
  }}
}}
```

| Attribute | Description |
|---|---|
| eventName | Include the event name (for example `eventName: RunInstance`). |
| userIdentity | Include the user/role who made the API call of the event (for example `User/role: Root`). |
| account / awsRegion | Include the AWS account and the region of the event API call. |
| severity | Show the severity of the event, as determined by the violations the event triggered. |
| resources | Include the AWS resources that changed in the event API call. |
| violation_summary | Include the violations summary of the event. |
| rules | Include all the Architectural Standards rules that were violated, including the rule names, descriptions, and labels. |
| event_link | Include a direct link to the event in the StreamSecurity console. |

5. Add custom HTTP headers in the relevant input field of the integration, as key-value pairs:

```json
{"Authorization": "Bearer YOUR_TOKEN", "Content-Type": "application/json"}
```

6. When you are finished with the webhook details and JSON payload customization, click "integrate webhook" on the integration wizard.
7. In the "Manage notification" section, choose when to receive notifications to your webhook by selecting the event severity and the violation category that will trigger an event notification to your webhook channel.
8. Check that the webhook is working properly by clicking "Test Connection".
Expected format

Logs are expected in JSON format, for example:

```json
{
  "summary": "Event name: RunInstances | User/role: arn:aws:iam::845940866252:root",
  "source": "StreamSecurity configuration event on account / us-east-1",
  "severity": "Critical",
  "component": "i-07a715b8051e9f128 (Instance) + 2",
  "group": "StreamSecurity",
  "class": "event",
  "custom_details": {
    "resources": "Resources:\ni-07a715b8051e9f128 (Instance) + 2",
    "violation": "Violations summary:\nSecurity - 1 warning, 3 critical, 2 info\nOther - 1 info\n",
    "rules": "Rules: \nSecurity - 1 warning, 3 critical, 2 info\nOther - 1 info\nOther - tal test new rule info []\nSecurity - Ensure there is no unrestricted inbound access to TCP port 80 (HTTP) Ensure your security groups don\u2019t allow inbound rules on TCP port 80 (HTTP) for unrestricted resources. critical ['AWS', 'Network', 'TCP', 'SG', 'EC2', 'HTTP'], Ensure there is no unrestricted inbound access to TCP port 22 (SSH) Ensure your EC2 security groups allow inbound access to the TCP port 22 (SSH) to only IP addresses that require it. critical ['AWS', 'Network', 'TCP', 'SSH', 'SG', 'EC2'], Ensure default security groups are not in use by RDS Ensure that the RDS instances provisioned in your AWS account are not associated with default security groups created alongside with your VPCs in order to enforce using custom and unique security groups that exercise the principle of least privilege. critical ['AWS', 'SG', 'RDS'], Resource is Internet facing Ensure that no unintended resource is internet-facing to adhere to security best practices warning ['Network'], Resource has access to RDS database Ensure that no unintended resource has access to your RDS database info ['AWS', 'RDS'], EC2 large instance create alarm (2.micro) This alarm is triggered whenever an EC2 large instance is created. This alarm will notify when a 4xlarge or 8xlarge EC2 instance is being provisioned. info ['AWS', 'EC2', 'Alarm']\n",
    "View Event Details": "https://env.lightops.io/w/5063114bd386d8fadbd6b004/events/6315bf2cbd394a23fa50aea5"
  }
}
```
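The following is an added example, not Hunters' or Stream Security's own code, showing the receiving side of the integration described in the steps above and the expected format: a minimal Python webhook endpoint that verifies the bearer token sent in the custom Authorization header, parses an alert payload, and appends it to an NDJSON file in the shape the TL;DR table names. The token value, listen port, output file name and the function names (check_auth, parse_violation_counts, normalize_alert, to_ndjson_line) are assumptions; the sample alert is constructed from the expected-format example on this page, abbreviated.

```python
"""Added example (not Hunters' or Stream Security's code): receive a Stream
Security webhook alert, verify the bearer token, and normalize it to NDJSON.
EXPECTED_TOKEN, the port, the output file and all function names are assumptions.
"""
import hmac
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed shared secret; in practice it is the bearer token Hunters support issues.
EXPECTED_TOKEN = "YOUR_TOKEN"

# The default "summary" template is "Event name: {eventName} | User/role: {userIdentity}".
SUMMARY_RE = re.compile(r"Event name:\s*(?P<event>[^|]+?)\s*\|\s*User/role:\s*(?P<identity>.+)$")
# Per-category counts inside "violation", e.g. "Security - 1 warning, 3 critical, 2 info".
COUNT_RE = re.compile(r"(\d+)\s+(warning|critical|info)")


def check_auth(header_value):
    """Constant-time check that the Authorization header is 'Bearer <expected token>'."""
    if not header_value:
        return False
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode())


def parse_violation_counts(text):
    """Turn the 'Violations summary' text into {category: {severity: count}}.
    The header line 'Violations summary:' carries no ' - ' separator and is skipped."""
    counts = {}
    for line in text.splitlines():
        category, sep, rest = line.partition(" - ")
        if not sep:
            continue
        per_severity = {sev: int(n) for n, sev in COUNT_RE.findall(rest)}
        if per_severity:
            counts[category.strip()] = per_severity
    return counts


def normalize_alert(payload):
    """Flatten one alert payload into the fields a triage query is likely to filter on."""
    match = SUMMARY_RE.search(payload.get("summary", ""))
    details = payload.get("custom_details", {})
    return {
        "event_name": match.group("event") if match else None,
        "user_identity": match.group("identity") if match else None,
        "severity": payload.get("severity"),
        "source": payload.get("source"),
        "component": payload.get("component"),
        "violation_counts": parse_violation_counts(details.get("violation", "")),
        "event_link": details.get("View Event Details"),
    }


def to_ndjson_line(payload):
    """One alert becomes exactly one newline-terminated JSON object (NDJSON)."""
    return json.dumps(normalize_alert(payload), separators=(",", ":")) + "\n"


class StreamWebhookHandler(BaseHTTPRequestHandler):
    """Rejects a bad or missing token with 401 and unparsable bodies with 400;
    valid alerts are appended to the NDJSON file and acknowledged with 204."""

    def do_POST(self):
        if not check_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        try:
            payload = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_response(400)
            self.end_headers()
            return
        with open("stream_security_events.ndjson", "a", encoding="utf-8") as out:
            out.write(to_ndjson_line(payload))
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the default request logging quiet


# Constructed sample, abbreviated from the expected-format example on the page.
SAMPLE_ALERT = {
    "summary": "Event name: RunInstances | User/role: arn:aws:iam::845940866252:root",
    "source": "StreamSecurity configuration event on account / us-east-1",
    "severity": "Critical",
    "component": "i-07a715b8051e9f128 (Instance) + 2",
    "group": "StreamSecurity",
    "class": "event",
    "custom_details": {
        "resources": "Resources:\ni-07a715b8051e9f128 (Instance) + 2",
        "violation": "Violations summary:\nSecurity - 1 warning, 3 critical, 2 info\nOther - 1 info\n",
        "View Event Details": "https://env.lightops.io/w/5063114bd386d8fadbd6b004/events/6315bf2cbd394a23fa50aea5",
    },
}

if __name__ == "__main__":
    print(to_ndjson_line(SAMPLE_ALERT), end="")
    HTTPServer(("127.0.0.1", 8080), StreamWebhookHandler).serve_forever()
```

Run it and point the "Test Connection" step at `http://127.0.0.1:8080/` with the same Authorization header configured in the integration; a request without the header, or with a different token, is refused before the body is read. The comparison uses `hmac.compare_digest` so the check does not leak the token length-by-length through timing, and only the parsed, normalized fields are written, so a malformed payload cannot break the one-object-per-line contract of the NDJSON file.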