diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 0da9b68bc..4706e4c5a 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -3,6 +3,7 @@
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
 {%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
 {%- set FLEETENABLED = salt['pillar.get']('static:fleet_enabled', '1') %}
+{%- set STRELKAENABLED = salt['pillar.get']('static:strelka_enabled', '1') %}
 
 name: {{ HOSTNAME }}
 
@@ -126,6 +127,19 @@ filebeat.prospectors:
     clean_removed: false
     close_removed: false
 
+{%- endif %}
+
+{%- if STRELKAENABLED == '1' %}
+
+  - type: log
+    paths:
+      - /opt/so/log/strelka/strelka.log
+    fields:
+      type: strelka
+    fields_under_root: true
+    clean_removed: false
+    close_removed: false
+
 {%- endif %}
 #----------------------------- Logstash output ---------------------------------
 output.logstash:
diff --git a/salt/strelka/files/backend/backend.yaml b/salt/strelka/files/backend/backend.yaml
new file mode 100644
index 000000000..40ea1b5b3
--- /dev/null
+++ b/salt/strelka/files/backend/backend.yaml
@@ -0,0 +1,423 @@
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+logging_cfg: '/etc/strelka/logging.yaml'
+limits:
+  max_files: 5000
+  time_to_live: 900
+  max_depth: 15
+  distribution: 600
+  scanner: 150
+coordinator:
+  addr: '{{ ip }}:6380'
+  db: 0
+tasting:
+  mime_db: null
+  yara_rules: '/etc/strelka/taste/'
+scanners:
+  'ScanBase64':
+    - positive:
+        filename: '^base64_'
+      priority: 5
+  'ScanBatch':
+    - positive:
+        flavors:
+          - 'text/x-msdos-batch'
+          - 'batch_file'
+      priority: 5
+  'ScanBzip2':
+    - positive:
+        flavors:
+          - 'application/x-bzip2'
+          - 'bzip2_file'
+      priority: 5
+  'ScanDocx':
+    - positive:
+        flavors:
+          - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
+      priority: 5
+      options:
+        extract_text: False
+  'ScanElf':
+    - positive:
+        flavors:
+          - 'application/x-object'
+          - 'application/x-executable'
+          - 'application/x-sharedlib'
+          - 'application/x-coredump'
+          - 'elf_file'
+      priority: 5
+  'ScanEmail':
+    - positive:
+        flavors:
+          - 'application/vnd.ms-outlook'
+          - 'message/rfc822'
+          - 'email_file'
+      priority: 5
+  'ScanEntropy':
+    - positive:
+        flavors:
+          - '*'
+      priority: 5
+  'ScanExiftool':
+    - positive:
+        flavors:
+          - 'application/msword'
+          - 'application/vnd.openxmlformats-officedocument'
+          - 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
+          - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
+          - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
+          - 'olecf_file'
+          - 'ooxml_file'
+          - 'audio/mpeg'
+          - 'mp3_file'
+          - 'mhtml_file'
+          - 'application/pdf'
+          - 'pdf_file'
+          - 'text/rtf'
+          - 'rtf_file'
+          - 'wordml_file'
+          - 'application/x-dosexec'
+          - 'mz_file'
+          - 'application/x-object'
+          - 'application/x-executable'
+          - 'application/x-sharedlib'
+          - 'application/x-coredump'
+          - 'elf_file'
+          - 'lnk_file'
+          - 'application/x-mach-binary'
+          - 'macho_file'
+          - 'image/gif'
+          - 'gif_file'
+          - 'image/jpeg'
+          - 'jpeg_file'
+          - 'image/png'
+          - 'png_file'
+          - 'image/tiff'
+          - 'type_is_tiff'
+          - 'image/x-ms-bmp'
+          - 'bmp_file'
+          - 'application/x-shockwave-flash'
+          - 'fws_file'
+          - 'psd_file'
+          - 'video/mp4'
+          - 'video/quicktime'
+          - 'video/x-msvideo'
+          - 'avi_file'
+          - 'video/x-ms-wmv'
+          - 'wmv_file'
+      priority: 5
+      options:
+        tmp_directory: '/dev/shm/'
+  'ScanGif':
+    - positive:
+        flavors:
+          - 'image/gif'
+          - 'gif_file'
+      priority: 5
+  'ScanGzip':
+    - positive:
+        flavors:
+          - 'application/gzip'
+          - 'application/x-gzip'
+          - 'gzip_file'
+      priority: 5
+  'ScanHash':
+    - positive:
+        flavors:
+          - '*'
+      priority: 5
+  'ScanHeader':
+    - positive:
+        flavors:
+          - '*'
+      priority: 5
+      options:
+        length: 50
+  'ScanHtml':
+    - positive:
+        flavors:
+          - 'hta_file'
+          - 'text/html'
+          - 'html_file'
+      priority: 5
+      options:
+        parser: "html5lib"
+  'ScanIni':
+    - positive:
+        filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'
+        flavors:
+          - 'ini_file'
+      priority: 5
+  'ScanJarManifest':
+    - positive:
+        flavors:
+          - 'jar_manifest_file'
+      priority: 5
+  'ScanJavascript':
+    - negative:
+        flavors:
+          - 'text/html'
+          - 'html_file'
+      positive:
+        flavors:
+          - 'javascript_file'
+          - 'text/javascript'
+      priority: 5
+      options:
+        beautify: True
+  'ScanJpeg':
+    - positive:
+        flavors:
+          - 'image/jpeg'
+          - 'jpeg_file'
+      priority: 5
+  'ScanJson':
+    - positive:
+        flavors:
+          - 'application/json'
+          - 'json_file'
+      priority: 5
+  'ScanLibarchive':
+    - positive:
+        flavors:
+          - 'application/vnd.ms-cab-compressed'
+          - 'cab_file'
+          - 'application/x-7z-compressed'
+          - '_7zip_file'
+          - 'application/x-cpio'
+          - 'cpio_file'
+          - 'application/x-xar'
+          - 'xar_file'
+          - 'arj_file'
+          - 'iso_file'
+          - 'application/x-debian-package'
+          - 'debian_package_file'
+      priority: 5
+      options:
+        limit: 1000
+  'ScanLzma':
+    - positive:
+        flavors:
+          - 'application/x-lzma'
+          - 'lzma_file'
+          - 'application/x-xz'
+          - 'xz_file'
+      priority: 5
+  'ScanMacho':
+    - positive:
+        flavors:
+          - 'application/x-mach-binary'
+          - 'macho_file'
+      priority: 5
+      options:
+        tmp_directory: '/dev/shm/'
+  'ScanMmbot':
+    - positive:
+        flavors:
+          - 'vb_file'
+          - 'vbscript'
+      priority: 5
+      options:
+        server: 'strelka_mmrpc_1:33907'
+  'ScanOcr':
+    - positive:
+        flavors:
+          - 'image/jpeg'
+          - 'jpeg_file'
+          - 'image/png'
+          - 'png_file'
+          - 'image/tiff'
+          - 'type_is_tiff'
+          - 'image/x-ms-bmp'
+          - 'bmp_file'
+      priority: 5
+      options:
+        extract_text: False
+        tmp_directory: '/dev/shm/'
+  'ScanOle':
+    - positive:
+        flavors:
+          - 'application/CDFV2'
+          - 'application/msword'
+          - 'olecf_file'
+      priority: 5
+  'ScanPdf':
+    - positive:
+        flavors:
+          - 'application/pdf'
+          - 'pdf_file'
+      priority: 5
+      options:
+        extract_text: False
+        limit: 2000
+  'ScanPe':
+    - positive:
+        flavors:
+          - 'application/x-dosexec'
+          - 'mz_file'
+      priority: 5
+  'ScanPgp':
+    - positive:
+        flavors:
+          - 'application/pgp-keys'
+          - 'pgp_file'
+      priority: 5
+  'ScanPhp':
+    - positive:
+        flavors:
+          - 'text/x-php'
+          - 'php_file'
+      priority: 5
+  'ScanPkcs7':
+    - positive:
+        flavors:
+          - 'pkcs7_file'
+      priority: 5
+      options:
+        tmp_directory: '/dev/shm/'
+  'ScanPlist':
+    - positive:
+        flavors:
+          - 'bplist_file'
+          - 'plist_file'
+      priority: 5
+      options:
+        keys:
+          - 'KeepAlive'
+          - 'Label'
+          - 'NetworkState'
+          - 'Program'
+          - 'ProgramArguments'
+          - 'RunAtLoad'
+          - 'StartInterval'
+  'ScanRar':
+    - positive:
+        flavors:
+          - 'application/x-rar'
+          - 'rar_file'
+      priority: 5
+      options:
+        limit: 1000
+  'ScanRpm':
+    - positive:
+        flavors:
+          - 'application/x-rpm'
+          - 'rpm_file'
+      priority: 5
+      options:
+        tmp_directory: '/dev/shm/'
+  'ScanRtf':
+    - positive:
+        flavors:
+          - 'text/rtf'
+          - 'rtf_file'
+      priority: 5
+      options:
+        limit: 1000
+  'ScanRuby':
+    - positive:
+        flavors:
+          - 'text/x-ruby'
+      priority: 5
+  'ScanSwf':
+    - positive:
+        flavors:
+          - 'application/x-shockwave-flash'
+          - 'fws_file'
+          - 'cws_file'
+          - 'zws_file'
+      priority: 5
+  'ScanTar':
+    - positive:
+        flavors:
+          - 'application/x-tar'
+          - 'tar_file'
+      priority: 5
+      options:
+        limit: 1000
+  'ScanTnef':
+    - positive:
+        flavors:
+          - 'application/vnd.ms-tnef'
+          - 'tnef_file'
+      priority: 5
+  'ScanUpx':
+    - positive:
+        flavors:
+          - 'upx_file'
+      priority: 5
+      options:
+        tmp_directory: '/dev/shm/'
+  'ScanUrl':
+    - negative:
+        flavors:
+          - 'javascript_file'
+      positive:
+        flavors:
+          - 'text/plain'
+      priority: 5
+  'ScanVb':
+    - positive:
+        flavors:
+          - 'vb_file'
+          - 'vbscript'
+      priority: 5
+  'ScanVba':
+    - positive:
+        flavors:
+          - 'mhtml_file'
+          - 'application/msword'
+          - 'olecf_file'
+          - 'wordml_file'
+      priority: 5
+      options:
+        analyze_macros: True
+  'ScanX509':
+    - positive:
+        flavors:
+          - 'x509_der_file'
+      priority: 5
+      options:
+        type: 'der'
+    - positive:
+        flavors:
+          - 'x509_pem_file'
+      priority: 5
+      options:
+        type: 'pem'
+  'ScanXml':
+    - positive:
+        flavors:
+          - 'application/xml'
+          - 'text/xml'
+          - 'xml_file'
+          - 'mso_file'
+          - 'soap_file'
+      priority: 5
+  'ScanYara':
+    - positive:
+        flavors:
+          - '*'
+      priority: 5
+      options:
+        location: '/etc/yara/'
+  'ScanZip':
+    - positive:
+        flavors:
+          - 'application/java-archive'
+          - 'application/zip'
+          - 'zip_file'
+          - 'application/vnd.openxmlformats-officedocument'
+          - 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
+          - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
+          - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
+          - 'ooxml_file'
+      priority: 5
+      options:
+        limit: 1000
+        password_file: '/etc/strelka/passwords.dat'
+  'ScanZlib':
+    - positive:
+        flavors:
+          - 'application/zlib'
+          - 'zlib_file'
+      priority: 5
diff --git a/salt/strelka/files/backend/logging.yaml b/salt/strelka/files/backend/logging.yaml
new file mode 100644
index 000000000..b21d3c396
--- /dev/null
+++ b/salt/strelka/files/backend/logging.yaml
@@ -0,0 +1,78 @@
+version: 1
+formatters:
+  simple:
+    format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s'
+    datefmt: '%Y-%m-%d %H:%M:%S'
+handlers:
+  console:
+    class: logging.StreamHandler
+    formatter: simple
+    stream: ext://sys.stdout
+root:
+  level: DEBUG
+  handlers: [console]
+loggers:
+  OpenSSL:
+    propagate: 0
+  bs4:
+    propagate: 0
+  bz2:
+    propagate: 0
+  chardet:
+    propagate: 0
+  docx:
+    propagate: 0
+  elftools:
+    propagate: 0
+  email:
+    propagate: 0
+  entropy:
+    propagate: 0
+  esprima:
+    propagate: 0
+  gzip:
+    propagate: 0
+  hashlib:
+    propagate: 0
+  json:
+    propagate: 0
+  libarchive:
+    propagate: 0
+  lxml:
+    propagate: 0
+  lzma:
+    propagate: 0
+  macholibre:
+    propagate: 0
+  olefile:
+    propagate: 0
+  oletools:
+    propagate: 0
+  pdfminer:
+    propagate: 0
+  pefile:
+    propagate: 0
+  pgpdump:
+    propagate: 0
+  pygments:
+    propagate: 0
+  pylzma:
+    propagate: 0
+  rarfile:
+    propagate: 0
+  requests:
+    propagate: 0
+  rpmfile:
+    propagate: 0
+  ssdeep:
+    propagate: 0
+  tarfile:
+    propagate: 0
+  tnefparse:
+    propagate: 0
+  yara:
+    propagate: 0
+  zipfile:
+    propagate: 0
+  zlib:
+    propagate: 0
diff --git a/salt/strelka/files/backend/passwords.dat b/salt/strelka/files/backend/passwords.dat
new file mode 100644
index 000000000..e9541f540
--- /dev/null
+++ b/salt/strelka/files/backend/passwords.dat
@@ -0,0 +1,2 @@
+infected
+password
diff --git a/salt/strelka/files/backend/taste/taste.yara b/salt/strelka/files/backend/taste/taste.yara
new file mode 100644
index 000000000..15d2dffbb
--- /dev/null
+++ b/salt/strelka/files/backend/taste/taste.yara
@@ -0,0 +1,748 @@
+// Archive Files
+
+rule _7zip_file
+{
+    meta:
+        type = "archive"
+    strings:
+        $a = { 37 7A BC AF 27 1C }
+    condition:
+        $a at 0
+}
+
+rule arj_file
+{
+    meta:
+        type = "archive"
+    condition:
+        uint16(0) == 0xEA60
+}
+
+rule cab_file
+{
+    meta:
+        type = "archive"
+    strings:
+        $a = { 4D 53 43 46 00 00 00 00 }
+    condition:
+        $a at 0 or
+        ( uint16(0) == 0x5A4D and $a )
+}
+
+rule cpio_file
+{
+    meta:
+        type = "archive"
+    strings:
+        $a = { 30 37 30 37 30 31 }
+    condition:
+        $a at 0
+}
+
+rule iso_file
+{
+    meta:
+        type = "archive"
+    strings:
+        $a = { 43 44 30 30 31 }
+    condition:
+        $a at 0x8001 and $a at 0x8801 and $a at 0x9001
+}
+
+rule mhtml_file
+{
+    meta:
+        type = "archive"
+    strings:
+        $a = "MIME-Version: 1.0"
+        $b = "This document is a Single File Web Page, also known as a Web Archive file"
+    condition:
+        $a at 0 and $b
+}
+
+rule rar_file
+{
+    meta:
+        type = "archive"
+    condition:
+        uint16(0) == 0x6152 and uint8(2) == 0x72 and uint16(3) == 0x1A21 and uint8(5) == 0x07
+}
+
+rule tar_file
+{
+    meta:
+        type = "archive"
+    strings:
+        $a = { 75 73 74 61 72 }
+    condition:
+        uint16(0) == 0x9D1F or
+        uint16(0) == 0xA01F or
+        $a at 257
+}
+
+rule xar_file
+{
+    meta:
+        type = "archive"
+    condition:
+        uint32(0) == 0x21726178
+}
+
+rule zip_file
+{
+    meta:
+        type = "archive"
+    condition:
+        ( uint32(0) == 0x04034B50 and not uint32(4) == 0x00060014 )
+}
+
+// Audio Files
+
+rule mp3_file
+{
+    meta:
+        type = "audio"
+    condition:
+        uint16(0) == 0x4449 and uint8(2) == 0x33
+}
+
+// Certificate Files
+
+rule pkcs7_file
+{
+    meta:
+        type = "certificate"
+    strings:
+        $a = "-----BEGIN PKCS7-----"
+    condition:
+        (uint16(0) == 0x8230 and uint16(4) == 0x0906) or
+        uint32(0) == 0x09068030 or
+        $a at 0
+}
+
+rule x509_der_file
+{
+    meta:
+        type = "certificate"
+    condition:
+        uint16(0) == 0x8230 and ( uint16(4) == 0x8230 or uint16(4) == 0x8130 )
+}
+
+rule x509_pem_file
+{
+    meta:
+        type = "certificate"
+    strings:
+        $a = "-----BEGIN CERTI"
+    condition:
+        $a at 0
+}
+
+// Compressed Files
+
+rule bzip2_file
+{
+    meta:
+        type = "compressed"
+    condition:
+        uint16(0) == 0x5A42 and uint8(2) == 0x68
+}
+
+rule gzip_file
+{
+    meta:
+        type = "compressed"
+    condition:
+        uint16(0) == 0x8B1F and uint8(2) == 0x08
+}
+
+rule lzma_file
+{
+    meta:
+        type = "compressed"
+    condition:
+        uint16(0) == 0x005D and uint8(2) == 0x00
+}
+
+rule xz_file
+{
+    meta:
+        type = "compressed"
+    condition:
+        uint32(0) == 0x587A37FD and uint16(4) == 0x005A
+}
+
+// Document Files
+
+rule doc_subheader_file
+{
+    meta:
+        type = "document"
+    condition:
+        uint32(0) == 0x00C1A5EC
+}
+
+rule mso_file
+{
+    meta:
+        type = "document"
+    strings:
+        $a = { 3C 3F 6D 73 6F 2D 61 70 70 6C 69 63 61 74 69 6F 6E 20 } // <?mso-application
+        $b = { 3C 3F 6D 73 6F 2D 63 6F 6E 74 65 6E 74 54 79 70 65 } // <?mso-contentType
+    condition:
+        $a at 0 or
+        $b at 0
+}
+
+rule olecf_file
+{
+    meta:
+        description = "Object Linking and Embedding (OLE) Compound File (CF)"
+        type = "document"
+    condition:
+        uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1
+}
+
+rule ooxml_file
+{
+    meta:
+        description = "Microsoft Office Open XML Format"
+        type  = "document"
+    condition:
+        uint32(0) == 0x04034B50 and uint32(4) == 0x00060014
+}
+
+rule pdf_file
+{
+    meta:
+        description = "Portable Document Format"
+        type = "document"
+    condition:
+        uint32(0) == 0x46445025
+}
+
+rule poi_hpbf_file
+{
+    meta:
+        description = "https://poi.apache.org/components/hpbf/file-format.html"
+        type = "document"
+    strings:
+        $a = { 43 48 4E 4B 49 4E 4B } // CHNKINK
+    condition:
+        $a at 0
+}
+
+rule rtf_file
+{
+    meta:
+        type = "document"
+    condition:
+        uint32(0) == 0x74725C7B
+}
+
+rule vbframe_file
+{
+    meta:
+        type = "document"
+    strings:
+        $a = { 56 45 52 53 49 4F 4E 20 35 2E 30 30 0D 0A 42 65 67 69 6E } // VERSION 5.00\r\nBegin
+    condition:
+        $a at 0
+}
+
+rule wordml_file
+{
+    meta:
+        description = "Microsoft Office Word 2003 XML format"
+        type = "document"
+    strings:
+       $a = { 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D } // <?xml version=
+       $b = "http://schemas.microsoft.com/office/word/2003/wordml"
+    condition:
+        $a at 0 and $b
+}
+
+rule xfdf_file
+{
+    meta:
+        description = "XML Forms Data Format"
+        type = "document"
+    strings:
+        $a = { 3C 78 66 64 66 20 78 6D 6C 6E 73 3D } // <xfdf xmlns=
+    condition:
+        $a at 0
+}
+
+// Email Files
+
+rule email_file
+{
+    meta:
+        type = "email"
+    strings:
+        $a = "\x0aReceived:" nocase fullword
+        $b = "\x0AReturn-Path:" nocase fullword
+        $c = "\x0aMessage-ID:" nocase fullword
+        $d = "\x0aReply-To:" nocase fullword
+        $e = "\x0aX-Mailer:" nocase fullword
+    condition:
+        $a in (0..2048) or
+        $b in (0..2048) or
+        $c in (0..2048) or
+        $d in (0..2048) or
+        $e in (0..2048)
+}
+
+rule tnef_file
+{
+    meta:
+        description = "Transport Neutral Encapsulation Format"
+        type = "email"
+    condition:
+        uint32(0) == 0x223E9F78
+}
+
+// Encryption Files
+
+rule pgp_file
+{
+    meta:
+        type = "encryption"
+    strings:
+        $a = { ?? ?? 2D 2D 2D 42 45 47 49 4E 20 50 47 50 20 50 55 42 4C 49 43 20 4B 45 59 20 42 4C 4F 43 4B 2D } // (.{2})(\x2D\x2D\x2DBEGIN PGP PUBLIC KEY BLOCK\x2D)
+        $b = { ?? ?? 2D 2D 2D 42 45 47 49 4E 20 50 47 50 20 53 49 47 4E 41 54 55 52 45 2D } // (\x2D\x2D\x2D\x2D\x2DBEGIN PGP SIGNATURE\x2D)
+        $c = { ?? ?? 2D 2D 2D 42 45 47 49 4E 20 50 47 50 20 4D 45 53 53 41 47 45 2D } // (\x2D\x2D\x2D\x2D\x2DBEGIN PGP MESSAGE\x2D)
+    condition:
+        $a at 0 or
+        $b at 0 or
+        $c at 0
+}
+
+// Executable Files
+
+rule elf_file
+{
+    meta:
+        description = "Executable and Linkable Format"
+        type = "executable"
+    condition:
+        uint32(0) == 0x464C457F
+}
+
+rule lnk_file
+{
+    meta:
+        description = "Windows Shortcut file"
+        type = "executable"
+    condition:
+        uint32(0) == 0x0000004C
+}
+
+rule macho_file
+{
+    meta:
+        description = "Mach object"
+        type = "executable"
+    condition:
+        uint32(0) == 0xCEFAEDFE or
+        uint32(0) == 0xCFFAEDFE or
+        uint32(0) == 0xFEEDFACE or
+        uint32(0) == 0xFEEDFACF
+}
+
+rule mz_file
+{
+    meta:
+        description = "DOS MZ executable"
+        type = "executable"
+    condition:
+        uint16(0) == 0x5A4D
+}
+
+// Image Files
+
+rule bmp_file
+{
+    meta:
+        type = "image"
+    strings:
+        $a = { 42 4D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ( 0C | 28 | 40 | 6C | 7C | 80 ) 00 } // BM
+    condition:
+        $a at 0
+}
+
+rule cmap_file
+{
+    meta:
+        type = "image"
+    strings:
+        $a = { 62 65 67 69 6E 63 6D 61 70 } // begincmap
+    condition:
+        $a at 0
+}
+
+rule gif_file
+{
+    meta:
+        description = "Graphics Interchange Format"
+        type = "image"
+    condition:
+        uint32(0) == 0x38464947 and ( uint16(4) == 0x6137 or uint16(4) == 0x6139 )
+}
+
+rule jpeg_file
+{
+    meta:
+        type = "image"
+    condition:
+        uint32(0) == 0xE0FFD8FF or
+        uint32(0) == 0xE1FFD8FF or
+        uint32(0) == 0xE2FFD8FF or
+        uint32(0) == 0xE8FFD8FF
+}
+
+rule postscript_file
+{
+    meta:
+        type = "image"
+    strings:
+        $a = { 25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 } // %!PS-Adobe-3.0
+    condition:
+        $a at 0
+}
+
+rule png_file
+{
+    meta:
+        type = "image"
+    condition:
+        uint32(0) == 0x474E5089
+}
+
+rule psd_file
+{
+    meta:
+        description = "Photoshop Document"
+        type = "image"
+    condition:
+        uint32(0) == 0x53504238
+}
+
+rule psd_image_file
+{
+    meta:
+        description = "Photoshop Document image resource block"
+        type = "image"
+    condition:
+        uint32(0) == 0x4D494238
+}
+
+rule svg_file
+{
+    meta:
+        type = "image"
+    strings:
+        $a = { 3C 73 76 67 20 } // <svg
+    condition:
+        $a at 0
+}
+
+rule xicc_file
+{
+    meta:
+        type = "image"
+    strings:
+        $a = { 58 49 43 43 5F 50 52 4F 46 49 4C 45 } // XICC_PROFILE
+    condition:
+        $a at 0
+}
+
+rule xmp_file
+{
+    meta:
+        type = "image"
+    strings:
+        $a = { 3C 3F 78 70 61 63 6B 65 74 20 62 65 67 69 6E 3D } // <?xpacket begin=
+        $b = { 3C 78 3A 78 6D 70 6D 65 74 61 20 78 6D 6C 6E 73 3A 78 3D } // <x:xmpmeta xmlns:x=
+    condition:
+        $a at 0 or $b at 0
+}
+
+// Metadata Files
+
+rule jar_manifest_file
+{
+    meta:
+        type = "metadata"
+    condition:
+        uint32(0) == 0x696E614D and uint32(4) == 0x74736566
+}
+
+rule bplist_file
+{
+    meta:
+        description = "Binary Property List"
+        type = "metadata"
+    condition:
+        uint32(0) == 0x696C7062 and uint32(4) == 0x30307473
+}
+
+// Multimedia Files
+
+rule fws_file
+{
+    meta:
+        type =  "multimedia"
+    condition:
+        uint16(0) == 0x5746 and uint8(2) == 0x53
+}
+
+rule cws_file
+{
+    meta:
+        description = "zlib compressed Flash file"
+        type = "multimedia"
+    condition:
+        uint16(0) == 0x5743 and uint8(2) == 0x53
+}
+
+
+rule zws_file
+{
+    meta:
+        description = "LZMA compressed Flash file"
+        type =  "multimedia"
+    condition:
+        uint16(0) == 0x575A and uint8(2) == 0x53
+}
+
+// Package Files
+
+rule debian_package_file
+{
+    meta:
+        type = "package"
+    strings:
+        $a = { 21 3C 61 72 63 68 3E 0A 64 65 62 69 61 6E } // \x21\x3Carch\x3E\x0Adebian
+    condition:
+        $a at 0
+}
+
+rule rpm_file
+{
+    meta:
+        type = "package"
+    condition:
+        uint32(0) == 0x6D707264 or uint32(0) == 0xDBEEABED
+}
+
+// Packer Files
+
+rule upx_file
+{
+    meta:
+        description = "Ultimate Packer for Executables"
+        type = "packer"
+    strings:
+        $a = {55505830000000}
+        $b = {55505831000000}
+        $c = "UPX!"
+    condition:
+        uint16(0) == 0x5A4D and
+        $a in (0..1024) and
+        $b in (0..1024) and
+        $c in (0..1024)
+}
+
+// Script Files
+
+rule batch_file
+{
+    meta:
+        type = "script"
+    strings:
+        $a = { ( 45 | 65 ) ( 43 | 63 ) ( 48 | 68 ) ( 4F | 6F ) 20 ( 4F | 6F) ( 46 | 66 ) ( 46 | 66 ) } // [Ee][Cc][Hh][Oo] [Oo][Ff][Ff]
+    condition:
+        $a at 0
+}
+
+rule javascript_file
+{
+    meta:
+        type = "script"
+    strings:
+        $var = { 76 61 72 20 } // var
+        $function1 = { 66 75 6E 63 74 69 6F 6E } // function
+        $function2 = { 28 66 75 6E 63 74 69 6F 6E } // (function
+        $function3 = { 66 75 6E 63 74 69 6F 6E [0-1] 28 } // function[0-1](
+        $if = { 69 66 [0-1] 28 } // if[0-1](
+        $misc1 = { 24 28 } // $(
+        $misc2 = { 2F ( 2A | 2F ) } // \/(\/|\*)
+        $jquery = { 6A 51 75 65 72 79 } // jQuery
+        $try = { 74 72 79 [0-1] 7B } // try[0-1]{
+        $catch = { 63 61 74 63 68 28 } // catch(
+        $push = { 2E 70 75 73 68 28 } // .push(
+        $array = { 6E 65 77 20 41 72 72 61 79 28 } // new Array(
+        $document1 = { 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 } // document.create
+        $document2 = { 64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 } // document.write
+        $window = { 77 69 6E 64 6F 77 ( 2E | 5B ) } // window[.\[]
+        $define = { 64 65 66 69 6E 65 28 } // define(
+        $eval = { 65 76 61 6C 28 } // eval(
+        $unescape = { 75 6E 65 73 63 61 70 65 28 } // unescape(
+    condition:
+        $var at 0 or
+        $function1 at 0 or
+        $function2 at 0 or
+        $if at 0 or
+        $jquery at 0 or
+        $function3 in (0..30) or
+        $push in (0..30) or
+        $array in (0..30) or
+        ( $try at 0 and $catch in (5..5000) ) or
+        $document1 in (0..100) or
+        $document2 in (0..100) or
+        $window in (0..100) or
+        $define in (0..100) or
+        $eval in (0..100) or
+        $unescape in (0..100) or
+        ( ( $misc1 at 0 or $misc2 at 0 ) and $var and $function1 and $if )
+}
+
+rule vb_file
+{
+    meta:
+        type = "script"
+    strings:
+        $a = { 41 74 74 72 69 62 75 74 65 20 56 42 5F 4E 61 6D 65 20 3D } // Attribute VB_Name =
+        $b = { 4F 70 74 69 6F 6E 20 45 78 70 6C 69 63 69 74 } // Option Explicit
+        $c = { 44 69 6D 20 } // Dim
+        $d = { 50 75 62 6C 69 63 20 53 75 62 20 } // Public Sub
+        $e = { 50 72 69 76 61 74 65 20 53 75 62 20 } // Private Sub
+    condition:
+        $a at 0 or
+        $b at 0 or
+        $c at 0 or
+        $d at 0 or
+        $e at 0
+}
+
+// Text Files
+
+rule hta_file
+{
+    meta:
+        type = "text"
+    strings:
+        $a = { 3C 48 54 41 3A 41 50 50 4C 49 43 41 54 49 4F 4E 20 } // <HTA:APPLICATION
+    condition:
+        $a in (0..2000)
+}
+
+rule html_file
+{
+    meta:
+        type = "text"
+    strings:
+        $a = { 3C 21 ( 64 | 44 ) ( 6F | 4F ) ( 63 |43 ) ( 74 | 54 ) ( 79 | 59 ) ( 70 | 50 ) ( 65 | 45 )  20 ( 68 | 48 ) ( 74 | 54 ) ( 6D | 4D ) ( 6C | 4C )  } // <![Dd][Oo][Cc][Tt][Yy][Pp][Ee] [Hh][Tt][Mm][Ll]
+        $b = { 3C ( 68 | 48 ) ( 74 | 54 ) ( 6D | 4D ) ( 6C | 4C ) } // <[Hh][Tt][Mm][Ll]
+        $c = { 3C ( 62 | 42 ) ( 72 | 52 ) } // <br
+        $d = { 3C ( 44 | 64 ) ( 49 | 69 ) ( 56 | 76 ) } // <[Dd][Ii][Vv]
+        $e = { 3C ( 41 | 61 ) 20 ( 48 |68 ) ( 52 | 72 ) ( 45 | 65 ) ( 46 | 66 ) 3D } // <[Aa] [Hh][Rr][Ee][Ff]=
+        $f = { 3C ( 48 | 68 ) ( 45 | 65 ) ( 41 | 61 ) ( 44 | 64 ) } // <[Hh][Ee][Aa][Dd]
+        $g = { 3C ( 53 | 73 ) ( 43 | 63 ) ( 52 | 72 ) ( 49 | 69 ) ( 50 | 70 ) ( 54 | 74 ) } // <[Ss][Cc][Rr][Ii][Pp][Tt]
+        $h = { 3C ( 53 | 73 ) ( 54 | 74 ) ( 59 | 79 ) ( 4C | 6C ) ( 45 | 65 ) } // <[Ss][Tt][Yy][Ll][Ee]
+        $i = { 3C ( 54 | 74 ) ( 41 | 61 ) ( 42 | 62 ) ( 4C | 6C ) ( 45 | 65 ) } // <[Tt][Aa][Bb][Ll][Ee]
+        $j = { 3C ( 50 | 70 ) } // <[Pp]
+        $k = { 3C ( 49 | 69 ) ( 4D | 6D ) ( 47 | 67 ) } // <[Ii][Mm][Gg]
+        $l = { 3C ( 53 | 73 ) ( 50 |70 ) ( 41 | 61 ) ( 4E | 6E ) } // <[Ss][Pp][Aa][Nn]
+        $m = { 3C ( 48 | 68 ) ( 52 | 72 | 31 | 32 | 33 | 34 | 35 | 36 ) } // <[Hh][Rr] <[Hh][1-6]
+        $n = { 3C ( 54 | 74) ( 49 | 69 ) ( 54 | 74 ) ( 4C | 6C ) ( 45 | 65 ) 3E } // <[Tt][Ii][Tt][Ll][Ee]>
+    condition:
+        $a at 0 or
+        $b at 0 or
+        $c at 0 or
+        $d at 0 or
+        $e at 0 or
+        $f at 0 or
+        $g at 0 or
+        $h at 0 or
+        $i at 0 or
+        $j at 0 or
+        $k at 0 or
+        $l at 0 or
+        $m at 0 or
+        $n at 0
+}
+
+rule json_file
+{
+    meta:
+        type = "text"
+    strings:
+        $a = { 7B [0-5] 22 }
+    condition:
+        $a at 0
+}
+
+rule php_file
+{
+    meta:
+        type = "text"
+    strings:
+        $a = { 3c 3f 70 68 70 }
+    condition:
+        $a at 0
+}
+
+rule soap_file
+{
+    meta:
+        description = "Simple Object Access Protocol"
+        type = "text"
+    strings:
+        $a = { 3C 73 6F 61 70 65 6E 76 3A 45 6E 76 65 6C 6F 70 65 } // <soapenv:Envelope xmlns
+        $b = { 3C 73 3A 45 6E 76 65 6C 6F 70 65 } // <s:Envelope
+    condition:
+        $a at 0 or
+        $b at 0
+}
+
+rule xml_file
+{
+    meta:
+        type = "text"
+    strings:
+        $a = { 3C 3F ( 58 | 78) ( 4D | 6D ) ( 4C | 6C ) 20 76 65 72 73 69 6F 6E 3D } // <?[Xx][Mm][Ll] version=
+        $b = { 3C 3F 78 6D 6C 3F 3E } // <?xml?>
+        $c = { 3C 73 74 79 6C 65 53 68 65 65 74 20 78 6D 6C 6E 73 3D } // <styleSheet xmlns=
+        $d = { 3C 77 6F 72 6B 62 6F 6F 6B 20 78 6D 6C 6E 73 } // <workbook xmlns
+        $e = { 3C 78 6D 6C 20 78 6D 6C 6E 73 } // <xml xmlns
+        $f = { 3C 69 6E 74 20 78 6D 6C 6E 73 } // <int xmlns
+    condition:
+        $a at 0 or
+        $b at 0 or
+        $c at 0 or
+        $d at 0 or
+        $e at 0 or
+        $f at 0
+}
+
+// Video Files
+
+rule avi_file
+{
+    meta:
+        type = "video"
+    strings:
+        $a = { 52 49 46 46 ?? ?? ?? ?? 41 56 49 20 4C 49 53 54 }
+    condition:
+        $a at 0
+}
+
+rule wmv_file
+{
+    meta:
+        type = "video"
+    condition:
+        uint32(0) == 0x75B22630 and uint32(4) == 0x11CF668E and uint32(8) == 0xAA00D9A6 and uint32(12) == 0x6CCE6200
+}
diff --git a/salt/strelka/files/filestream/filestream.yaml b/salt/strelka/files/filestream/filestream.yaml
new file mode 100644
index 000000000..0475840c9
--- /dev/null
+++ b/salt/strelka/files/filestream/filestream.yaml
@@ -0,0 +1,20 @@
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+conn:
+  server: '{{ ip }}:57314'
+  cert: ''
+  timeout:
+    dial: 5s
+    file: 1m
+throughput:
+  concurrency: 8
+  chunk: 32768
+  delay: 0s
+files:
+  patterns:
+    - '/nsm/strelka/*'
+  delete: false
+  gatekeeper: true
+response:
+  report: 5s
+delta: 5s
+staging: '/nsm/strelka/processed'
diff --git a/salt/strelka/files/frontend/frontend.yaml b/salt/strelka/files/frontend/frontend.yaml
new file mode 100644
index 000000000..1c7b15175
--- /dev/null
+++ b/salt/strelka/files/frontend/frontend.yaml
@@ -0,0 +1,11 @@
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+server: ":57314"
+coordinator:
+  addr: '{{ ip }}:6380'
+  db: 0
+gatekeeper:
+  addr: '{{ ip }}:6381'
+  db: 0
+  ttl: 1h
+response:
+  log: "/var/log/strelka/strelka.log"
diff --git a/salt/strelka/files/manager/manager.yaml b/salt/strelka/files/manager/manager.yaml
new file mode 100644
index 000000000..16a4c697b
--- /dev/null
+++ b/salt/strelka/files/manager/manager.yaml
@@ -0,0 +1,4 @@
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+coordinator:
+  addr: '{{ ip }}:6380'
+  db: 0
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
new file mode 100644
index 000000000..803886d2b
--- /dev/null
+++ b/salt/strelka/init.sls
@@ -0,0 +1,149 @@
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+{%- set MASTER = grains['master'] %}
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+
+# Strelka config
+strelkaconfdir:
+  file.directory:
+    - name: /opt/so/conf/strelka
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+# Strelka logs 
+strelkalogdir:
+  file.directory:
+    - name: /opt/so/log/strelka
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+# Sync dynamic config to conf dir
+strelkasync:
+  file.recurse:
+    - name: /opt/so/conf/strelka/
+    - source: salt://strelka/files
+    - user: 939
+    - group: 939
+    - template: jinja
+
+strelkadatadir:
+   file.directory:
+    - name: /nsm/strelka
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkastagedir:
+   file.directory:
+    - name: /nsm/strelka/processed
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+
+so-strelka-frontendimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5
+
+so-strelka-coordinatorimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/redis:5.0.5-alpine3.10
+
+so-strelka-gatekeeperimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/redis:5.0.5-alpine3.10
+
+so-strelka-backendimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
+
+so-strelka-managerimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-manager:HH1.1.5
+
+so-strelka-backendimage:
+ cmd.run:
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
+
+
+strelka_coordinator:
+  docker_container.running:
+    - require:
+      - so-strelka-coordinatorimage
+    - image: docker.io/redis:5.0.5-alpine3.10
+    - name: so-strelka-coordinator
+    - command: redis-server --save "" --appendonly no
+    - port_bindings:
+      - 0.0.0.0:6380:6379
+
+strelka_gatekeeper:
+  docker_container.running:
+    - require:
+      - so-strelka-gatekeeperimage
+    - image: docker.io/redis:5.0.5-alpine3.10
+    - name: so-strelka-gatekeeper
+    - command: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
+    - port_bindings:
+      - 0.0.0.0:6381:6379
+   
+strelka_frontend:
+  docker_container.running:
+    - require:
+      - so-strelka-frontendimage
+    - image: docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5 
+    - binds:
+      - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
+      - /opt/so/log/strelka/:/var/log/strelka/:rw
+    - privileged: True
+    - name: so-strelka-frontend
+    - command: strelka-frontend
+    - port_bindings:
+      - 0.0.0.0:57314:57314
+
+strelka_backend:
+  docker_container.running:
+    - require:
+      - so-strelka-backendimage
+    - image: docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
+    - restart_policy: unless-stopped
+    - binds:
+      - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
+      - /opt/so/conf/strelka/backend/yara:/etc/yara/:ro
+    - name: so-strelka-backend
+    - command: strelka-backend
+
+strelka_manager:
+  docker_container.running:
+    - require:
+      - so-strelka-managerimage
+    - image: docker.io/soshybridhunter/so-strelka-manager:HH1.1.5
+    - binds:
+      - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
+    - name: so-strelka-manager
+    - command: strelka-manager
+
+strelka_filestream:
+  docker_container.running:
+    - require:
+      - so-strelka-filestreamimage
+    - image: docker.io/soshybridhunter/so-strelka-filestream:HH1.1.5   
+    - image: docker.io/wlambert/sfilestream:grpc
+    - binds:
+      - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
+      - /nsm/strelka:/nsm/strelka
+    - name: so-strelka-filestream
+    - command: strelka-filestream