Once data arrives at the Avalanchio platform from the various data sources, it follows the simple dataflow pipeline shown in the diagram below. We take great care to keep the data flow simple while retaining the flexibility to control it for different security analytics needs. The data flow is configurable to allow integration with upstream and downstream applications. The platform has three key pillars that are used to build security use cases.
Parser: Security analytics requires data from hundreds of sources, ranging from proxy server logs, application logs and AD server logs to HR data. The Avalanchio platform allows you to define a data model and extract the relevant data points from the raw data format. The data models
Rule Engine: The rule engine allows you to trigger actions, such as sending an email notification or creating a case, when a condition is met as the data arrives. A rule can be a simple conditional check on the event data, a more complex behavioral or anomaly detection technique, or a combination of both.
Search: The Avalanchio platform provides the powerful search capability that every SOC (Security Operations Center) team requires for threat hunting and scheduled reports. The platform supports two query languages: a DSL that we call AQL (Avalanchio Query Language), and SQL. AQL provides more than 100 operators for a wide range of security-specific use cases. SQL is widely used in the industry for general-purpose analytics, and its adoption is growing among SOC analysts as well. You can retain data over long time ranges for compliance needs and query it without a complex SOP for swapping data between hot and cold storage.
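To make the three pillars concrete, here is an added example that is not Avalanchio code and does not use AQL: a small Python sketch of the same parse, rule and search flow over constructed proxy log lines. The log format, the ProxyEvent data model, the two rules (a single-event conditional check and a behavioral running-total check), the 100 MiB upload threshold and the SQLite table are all assumptions made for this illustration.

```python
"""Added example (not Avalanchio code): a minimal parse -> rule -> search pipeline."""
from __future__ import annotations

import re
import sqlite3
from collections import defaultdict
from dataclasses import astuple, dataclass
from typing import Callable

# Constructed sample input: five proxy-style access log lines plus one line
# that does not fit the model. Made up for this example, not real traffic.
RAW_PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 alice GET http://intranet.example/ 200 512
2024-05-01T10:00:02Z 10.0.0.5 alice GET http://updates.example/patch 200 1048576
2024-05-01T10:00:03Z 10.0.0.9 bob POST http://paste.example/upload 200 52428800
2024-05-01T10:00:04Z 10.0.0.9 bob POST http://paste.example/upload 200 62914560
2024-05-01T10:00:05Z 10.0.0.7 carol GET http://malware.example/x.exe 403 0
garbage line that does not match the model
"""

# --- Parser: the data model and the extraction from the raw format ---------
@dataclass
class ProxyEvent:
    ts: str
    src_ip: str
    user: str
    method: str
    url: str
    status: int
    bytes_out: int

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse_proxy_log(raw: str) -> list[ProxyEvent]:
    """Extract ProxyEvent records; lines that do not fit the model are skipped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts, ip, user, method, url, status, nbytes = m.groups()
        events.append(ProxyEvent(ts, ip, user, method, url, int(status), int(nbytes)))
    return events

# --- Rule engine: evaluate every rule as each event arrives -----------------
Condition = Callable[[ProxyEvent, dict], bool]

class RuleEngine:
    def __init__(self) -> None:
        self.rules: list[tuple[str, Condition]] = []
        self.state: dict = {"upload_bytes": defaultdict(int), "fired": set()}
        self.cases: list[tuple[str, str]] = []  # (rule name, user) cases opened

    def add_rule(self, name: str, condition: Condition) -> None:
        self.rules.append((name, condition))

    def ingest(self, event: ProxyEvent) -> None:
        # Behavioral state: running total of bytes POSTed per user.
        if event.method == "POST":
            self.state["upload_bytes"][event.user] += event.bytes_out
        for name, cond in self.rules:
            key = (name, event.user)
            if key not in self.state["fired"] and cond(event, self.state):
                self.state["fired"].add(key)  # at most one case per rule per user
                self.cases.append(key)        # the "action": open a case

# Simple conditional check on a single event.
def blocked_executable(e: ProxyEvent, _state: dict) -> bool:
    return e.status == 403 and e.url.lower().endswith(".exe")

# Behavioral check across events: more than 100 MiB uploaded by one user (assumed threshold).
UPLOAD_THRESHOLD = 100 * 1024 * 1024

def bulk_upload(e: ProxyEvent, state: dict) -> bool:
    return state["upload_bytes"][e.user] > UPLOAD_THRESHOLD

# --- Search: retained events queried with plain SQL -------------------------
def load_into_sqlite(events: list[ProxyEvent]) -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE proxy (ts TEXT, src_ip TEXT, username TEXT, method TEXT,"
                " url TEXT, status INTEGER, bytes_out INTEGER)")
    con.executemany("INSERT INTO proxy VALUES (?, ?, ?, ?, ?, ?, ?)",
                    [astuple(e) for e in events])
    return con

def top_uploaders(con: sqlite3.Connection) -> list[tuple[str, int]]:
    """Threat-hunting style query: total bytes POSTed per user, largest first."""
    return con.execute(
        "SELECT username, SUM(bytes_out) FROM proxy WHERE method = 'POST'"
        " GROUP BY username ORDER BY 2 DESC").fetchall()

def run_pipeline(raw: str = RAW_PROXY_LOG) -> tuple[list[tuple[str, str]], list[tuple[str, int]]]:
    events = parse_proxy_log(raw)
    engine = RuleEngine()
    engine.add_rule("blocked_executable", blocked_executable)
    engine.add_rule("bulk_upload", bulk_upload)
    for e in events:  # stream the events through the rules in arrival order
        engine.ingest(e)
    return engine.cases, top_uploaders(load_into_sqlite(events))

if __name__ == "__main__":
    cases, uploaders = run_pipeline()
    print("cases:", cases)
    print("uploads per user:", uploaders)
```

The rule engine keeps its own state so the behavioral rule can fire on the event that pushes a user over the threshold, while the same parsed events are retained in a table for ad hoc SQL hunting afterwards; in a real deployment the parser, the rule state and the search store would of course be separate services rather than one process.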
Look at the out-of-the-box use cases available on the platform.