Data Processing Built for Security Teams

Normalize to Any Schema

Substation adopts a "bring your own schema" mentality -- use transform functions to normalize event logs to the Elastic Common Schema (ECS), Open Cybersecurity Schema Framework (OCSF), or any other schema.

Real-Time Validation

Use Substation condition functions to validate data, then apply a transform function to reshape events, filter data, or return errors.

Use APIs & Services for Enrichment

APIs and services used in existing tools, such as SIEM and SOAR, can be integrated directly into Substation's enrichment transform functions. Combine APIs calls with a database cache to achieve massive data throughput.

Consume & Produce Intelligence

Adding infrastructure, user, and threat intelligence to event logs at scale is a challenge, but Substation's key-value store feature makes it simple. Key-Value Stores can also be used to produce intelligence based on observed activity.

Route Data Across the Enterprise

Forward to Many Destinations

Can't decide if data should be sent to the SIEM, data warehouse, or long-term storage? Substation can conditionally forward data to all three, and many more destinations, simultaneously.

To, Across, and From the Cloud

Substation specializes in evaluating and transforming event logs, but it's also an excellent log shipping tool: use it to send data into the cloud, across cloud services, and from the cloud to external systems.

Apps for Any Environment

Anyone can build new Substation applications (Go programs that are typically <200 lines of code) to meet the needs of their environment. Build a new application and deploy it to AWS Fargate, GCP Cloud Functions, or on-prem in a data center.

Reduce Spend in Cloud & Security Platforms

SIEM Routing & Filtering

Substation's ability to conditionally forward data means that it can be used to reduce spend in costly SIEM solutions by routing data into lower cost systems or filtering it entirely.

AWS Services

Substation is built upon several AWS services to drive down cloud costs. This includes:

• Up to 70% reduction in cost by supporting the Kinesis Producer Library (compared to non-aggregated data)
• Up to 80% reduction in cost by using the Kinesis Data Stream autoscaler (compared to Kinesis Data Streams On-Demand and Kinesis Data Firehose)
• Substation's AWS S3 send transform function can dynamically partition data similar to Firehose for no additional cost (saves $0.02/GB)

Security APIs

Reduce the size and cost of security APIs by deploying Substation as a microservice -- instead of sending every request directly to an API, which can result in wasted spend due to duplicate requests, the microservice will cache results in a cloud database and only query the API if necessary.