Use Cases
Substation supports 100s of use cases, but these are the most common.
Data Processing Built for Security Teams
Normalize to Any Schema
Substation adopts a "bring your own schema" mentality -- use transform functions to normalize event logs to the Elastic Common Schema (ECS), Open Cybersecurity Schema Framework (OCSF), or any other schema.
Real-Time Validation
Use Substation condition functions to validate data, then apply a transform function to reshape events, filter data, or return errors.
Use APIs & Services for Enrichment
APIs and services used in existing tools, such as SIEM and SOAR, can be integrated directly into Substation's enrichment transform functions. Combine APIs calls with a database cache to achieve massive data throughput.
Consume & Produce Intelligence
Adding infrastructure, user, and threat intelligence to event logs at scale is a challenge, but Substation's key-value store feature makes it simple. Key-Value Stores can also be used to produce intelligence based on observed activity.
Route Data Across the Enterprise
Forward to Many Destinations
Can't decide if data should be sent to the SIEM, data warehouse, or long-term storage? Substation can conditionally forward data to all three, and many more destinations, simultaneously.
To, Across, and From the Cloud
Substation specializes in evaluating and transforming event logs, but it's also an excellent log shipping tool: use it to send data into the cloud, across cloud services, and from the cloud to external systems.
Apps for Any Environment
Anyone can build new Substation applications (Go programs that are typically <200 lines of code) to meet the needs of their environment. Build a new application and deploy it to AWS Fargate, GCP Cloud Functions, or on-prem in a data center.
Reduce Spend in Cloud & Security Platforms
SIEM Routing & Filtering
Substation's ability to conditionally forward data means that it can be used to reduce spend in costly SIEM solutions by routing data into lower cost systems or filtering it entirely.
AWS Services
Substation is built upon several AWS services to drive down cloud costs. This includes:
- Up to 70% reduction in cost by supporting the Kinesis Producer Library (compared to non-aggregated data)
- Up to 80% reduction in cost by using the Kinesis Data Stream autoscaler (compared to Kinesis Data Streams On-Demand and Kinesis Data Firehose)
- Substation's AWS S3 send transform function can dynamically partition data similar to Firehose for no additional cost (saves $0.02/GB)
Security APIs
Reduce the size and cost of security APIs by deploying Substation as a microservice -- instead of sending every request directly to an API, which can result in wasted spend due to duplicate requests, the microservice will cache results in a cloud database and only query the API if necessary.
Updated about 1 year ago