There are two main databases that messages (logs) are stored in:
- Event Database: Contains the incoming message and how it got there (its metadata)
- Flow Database: Contains merged messages that share a common tuple along with enhanced data.
Both databases are useful and serve different purposes. Where in the processing of data the database is populated changes what is in the databases.
overview->charts->sankey diagram shows an active sankey diagram of information flowing through the system.
On the left side of the diagram is information entering the system.
Metaflow Engine data is the Fluency protocol analyzer adding flow data to fill in the gaps that are missed by the security tools.
- The boxes below that are data sources provide messages. The information is forwarded to the stream INPUT.
- The message collector (stream INPUT) examines the message and sends it to the correct parser.
- The parsers
- normalize the data into key-value fields producing a JSON document
- define fields that are sensitive and have the value replaced with a Pseudonym.
- The record and how the data is collected is
- placed in the Event Database
- sent to the Fusion engine.
- The fusion engine
- enhances the record with table and third party lookups
- merges the record with other records that share the same network tuple.
- Before the record is stored, the RiskScore processor provides a confidence score and saved that data in the Flow Database.