Skip to content

Commit

Permalink
docs: v1.3.0 Updates (#182)
Browse files Browse the repository at this point in the history
* docs(examples): Bump Latest Version

* docs: Update README

* docs: Update README
  • Loading branch information
jshlbrd authored Jun 17, 2024
1 parent ab1a4ff commit 788b294
Show file tree
Hide file tree
Showing 31 changed files with 93 additions and 99 deletions.
124 changes: 59 additions & 65 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,11 @@

![Substation Banner](.github/media/substation_banner.png)

<p align="center">Substation is a cloud-native, event-driven data pipeline toolkit built for security teams.</p>
<p align="center">Substation is a toolkit for routing, normalizing, and enriching security event and audit logs.</p>

<div align="center">

[Releases][releases]&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;[Docs][docs]&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;[Quickstart][quickstart]&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;[Announcement Post (2022)][announcement]
[Releases][releases]&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;[Docs][docs]&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;[Quickstart][quickstart]&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;[Announcement (2022)][announcement]&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;[v1.0 Release (2024)][v1_release]

</div>

Expand All @@ -26,59 +26,13 @@ All of these data pipeline and microservice systems, and many more, can be built

![Example Substation architectures](.github/media/substation_architecture.png)

## Getting Started

You can run Substation on these platforms:

- [Docker](https://substation.readme.io/v1.0.0/docs/try-substation-on-docker)
- [macOS / Linux](https://substation.readme.io/v1.0.0/docs/try-substation-on-macos-linux)
- [AWS](https://substation.readme.io/v1.0.0/docs/try-substation-on-aws)

### Development

[VS Code](https://code.visualstudio.com/docs/devcontainers/containers) is the recommended development environment for Substation. The project includes a [development container](.devcontainer/Dockerfile) that can be used to develop and test the system. Refer to the [development guide](CONTRIBUTING.md) for more information.

### Testing

The development container can be used to test the system locally and in the cloud. If you're not using VS Code, then you should run the development container from the command line:

```sh
git clone https://github.com/brexhq/substation.git && cd substation && \
docker build -t substation-dev .devcontainer/ && \
docker run -v $(pwd):/workspaces/substation/ -w /workspaces/substation -v /var/run/docker.sock:/var/run/docker.sock -it substation-dev
```

To try the system locally, run this from the [examples](examples) directory:
```sh
sh .devcontainer/post_start.sh && \
cd examples && \
make -s quickstart
```

To try the system in the cloud, choose an [AWS example](examples/terraform/aws) to deploy:
```sh
sh .devcontainer/post_start.sh && \
cd examples && \
aws configure && \
make -s check && \
make -s build && \
make -s deploy EXAMPLE=terraform/aws/dynamodb/cdc
```

After testing is complete, the cloud deployment should be destroyed:
```sh
make -s destroy EXAMPLE=terraform/aws/dynamodb/cdc
```

**We do not recommend managing cloud deployments from a local machine using the examples Makefile. Production deployments should use a CI/CD pipeline with a remote state backend to manage infrastructure.**

## Transforming Event Logs

Substation excels at formatting, normalizing, and enriching event logs. For example, Zeek connection logs can be transformed to comply with the Elastic Common Schema:

<table>
<tr>
<th><code>Raw Event</code></th>
<th><code>Original Event</code></th>
<th><code>Transformed Event</code></th>
</tr>
<tr>
Expand Down Expand Up @@ -212,20 +166,20 @@ In this configuration, data is:
local sub = import 'substation.libsonnet';
// This filters events based on the value of field3.
local is_false = sub.cnd.str.eq(settings={ object: { source_key: 'field3' }, value: 'false' });
local is_false = sub.cnd.str.eq({ object: { source_key: 'field3' }, value: 'false' });
{
transforms: [
// Pre-transformed data is written to an object in AWS S3 for long-term storage.
sub.tf.send.aws.s3(settings={ bucket_name: 'example-bucket-name' }),
sub.tf.send.aws.s3({ bucket_name: 'example-bucket-name' }),
// The JSON array is split into individual events that go through
// the remaining transforms. Each event is printed to stdout.
sub.tf.agg.from.array(),
sub.tf.send.stdout(),
// Events where field3 is false are removed from the pipeline.
sub.pattern.tf.conditional(condition=is_false, transform=sub.tf.util.drop()),
// The remaining events are sent to an HTTPS endpoint.
sub.tf.send.http.post(settings={ url: 'https://example-http-endpoint.com' }),
sub.tf.send.http.post({ url: 'https://example-http-endpoint.com' }),
],
}
```
Expand All @@ -239,13 +193,13 @@ local sub = import 'substation.libsonnet';
transforms: [
// If field3 is false, then the event is sent to an HTTPS endpoint; otherwise,
// the event is written to an object in AWS S3.
sub.tf.meta.switch(settings={ cases: [
sub.tf.meta.switch({ cases: [
{
condition: sub.cnd.any(sub.cnd.str.eq(settings={ object: { source_key: 'field3' }, value: 'false' })),
transform: sub.tf.send.http.post(settings={ url: 'https://example-http-endpoint.com' }),
condition: sub.cnd.any(sub.cnd.str.eq({ object: { source_key: 'field3' }, value: 'false' })),
transform: sub.tf.send.http.post({ url: 'https://example-http-endpoint.com' }),
},
{
transform: sub.tf.send.aws.s3(settings={ bucket_name: 'example-bucket-name' }),
transform: sub.tf.send.aws.s3({ bucket_name: 'example-bucket-name' }),
},
] }),
// The event is always available to any remaining transforms.
Expand Down Expand Up @@ -274,14 +228,10 @@ local sub = import 'substation.libsonnet';
{
transforms: [
sub.tf.obj.cp(
settings={ object: { source_key: 'src_field_1', target_key: 'dest_field_1' } }
),
sub.tf.obj.cp({ object: { source_key: 'src_field_1', target_key: 'dest_field_1' } }),
sub.tf.obj.cp({ obj: { src: 'src_field_2', trg: 'dest_field_2' } }),
sub.tf.send.stdout(),
sub.tf.send.http.post(
settings={ url: 'https://example-http-endpoint.com' }
),
sub.tf.send.http.post({ url: 'https://example-http-endpoint.com' }),
],
}
```
Expand Down Expand Up @@ -392,9 +342,7 @@ module "appconfig" {
config = {
name = "substation"
environments = [{
name = "example"
}]
environments = [{ name = "example" }]
}
}
Expand Down Expand Up @@ -477,6 +425,51 @@ module "node" {
</tr>
</table>

## Getting Started

You can run Substation on:

- [Docker](https://substation.readme.io/docs/try-substation-on-docker)
- [macOS / Linux](https://substation.readme.io/docs/try-substation-on-macos-linux)
- [AWS](https://substation.readme.io/docs/try-substation-on-aws)

### Development

[VS Code](https://code.visualstudio.com/docs/devcontainers/containers) is the recommended development environment for Substation. The project includes a [development container](.devcontainer/Dockerfile) that should be used to develop and test the system. Refer to the [development guide](CONTRIBUTING.md) for more information.

### Testing

The development container is used to test the system locally and in the cloud. If don't use VS Code, then you should run the development container from the command line:

```sh
git clone https://github.com/brexhq/substation.git && cd substation && \
docker build -t substation-dev .devcontainer/ && \
docker run -v $(pwd):/workspaces/substation/ -w /workspaces/substation -v /var/run/docker.sock:/var/run/docker.sock -it substation-dev
```

To try the system locally, run this from the [examples](examples) directory:
```sh
sh .devcontainer/post_start.sh && \
cd examples && \
make -s quickstart
```

To try the system in the cloud, choose an [AWS example](examples/terraform/aws) to deploy:
```sh
sh .devcontainer/post_start.sh && \
cd examples && \
aws configure && \
make -s check && \
make -s build && \
make -s deploy EXAMPLE=terraform/aws/dynamodb/cdc
```

After testing is complete, the cloud deployment should be destroyed:
```sh
make -s destroy EXAMPLE=terraform/aws/dynamodb/cdc
```

**We do not recommend managing cloud deployments from a local machine using the examples Makefile. Production deployments should use a CI/CD pipeline with a remote state backend, such as Terraform, to manage infrastructure.**

## Licensing

Expand All @@ -487,3 +480,4 @@ Substation and its associated code is released under the terms of the [MIT Licen
[docs]:https://substation.readme.io/docs "Substation Documentation"
[quickstart]:https://substation.readme.io/recipes/1-minute-quickstart "Substation Quickstart"
[announcement]:https://medium.com/brexeng/announcing-substation-188d049d979b "Substation Announcement Post"
[v1_release]:https://medium.com/brexeng/releasing-substation-v1-0-4d0314cbc45b "Substation v1.0 Release Post"
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ module "lambda_autoscaling" {
config = {
name = "autoscale"
description = "Autoscaler for Kinesis Data Streams"
image_uri = "${module.ecr_autoscale.url}:v1.2.0"
image_uri = "${module.ecr_autoscale.url}:v1.3.0"
image_arm = true
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ module "lambda_consumer" {
config = {
name = "consumer"
description = "Substation node that consumes from Kinesis"
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true

env = {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ module "lambda_consumer" {
config = {
name = "consumer"
description = "Substation node that is invoked by CloudWatch"
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true

env = {
Expand Down
2 changes: 1 addition & 1 deletion examples/terraform/aws/dynamodb/cdc/terraform/node.tf
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ module "node" {
config = {
name = "node"
description = "Substation node that receives CDC events"
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true
env = {
"SUBSTATION_CONFIG" : "http://localhost:2772/applications/substation/environments/example/configurations/node"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ module "lambda_autoscaling" {
config = {
name = "autoscale"
description = "Autoscaler for Kinesis Data Streams"
image_uri = "${module.ecr_autoscale.url}:v1.2.0"
image_uri = "${module.ecr_autoscale.url}:v1.3.0"
image_arm = true
}
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ module "dvc_mgmt_enrichment" {
config = {
name = "dvc_mgmt_enrichment"
description = "Substation node that enriches device management data."
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true
env = {
"SUBSTATION_CONFIG" : "http://localhost:2772/applications/substation/environments/example/configurations/dvc_mgmt_enrichment"
Expand Down
4 changes: 2 additions & 2 deletions examples/terraform/aws/dynamodb/telephone/terraform/edr.tf
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ module "edr_transform" {
config = {
name = "edr_transform"
description = "Substation node that transforms EDR data."
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true
env = {
"SUBSTATION_CONFIG" : "http://localhost:2772/applications/substation/environments/example/configurations/edr_transform"
Expand Down Expand Up @@ -55,7 +55,7 @@ module "edr_enrichment" {
config = {
name = "edr_enrichment"
description = "Substation node that enriches EDR data."
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true
env = {
"SUBSTATION_CONFIG" : "http://localhost:2772/applications/substation/environments/example/configurations/edr_enrichment"
Expand Down
2 changes: 1 addition & 1 deletion examples/terraform/aws/dynamodb/telephone/terraform/idp.tf
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ module "idp_enrichment" {
config = {
name = "idp_enrichment"
description = "Substation node that enriches IdP data."
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true
env = {
"SUBSTATION_CONFIG" : "http://localhost:2772/applications/substation/environments/example/configurations/idp_enrichment"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -168,7 +168,7 @@ module "transform" {
config = {
name = "transform_node"
description = "Transforms Kinesis Data Firehose records."
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true

memory = 128
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ module "lambda_autoscale" {
config = {
name = "autoscale"
description = "Autoscaler for Kinesis Data Streams."
image_uri = "${module.ecr.url}:v1.2.0" # This should use the project's release tags.
image_uri = "${module.ecr.url}:v1.3.0" # This should use the project's release tags.
image_arm = true

# Override the default Autoscale configuration using environment variables.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ module "lambda_autoscaling" {
config = {
name = "autoscale"
description = "Autoscaler for Kinesis Data Streams"
image_uri = "${module.ecr_autoscale.url}:v1.2.0"
image_uri = "${module.ecr_autoscale.url}:v1.3.0"
image_arm = true
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ module "lambda_publisher" {
config = {
name = "publisher"
description = "Substation node that publishes to Kinesis"
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true

env = {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ module "lambda_subscriber" {
config = {
name = "subscriber"
description = "Substation node subscribes to Kinesis"
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true

env = {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ module "lambda_autoscale" {
config = {
name = "autoscale"
description = "Autoscaler for Kinesis Data Streams"
image_uri = "${module.ecr_autoscale.url}:v1.2.0"
image_uri = "${module.ecr_autoscale.url}:v1.3.0"
image_arm = true
}
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ module "lambda_enrichment" {
config = {
name = "enrichment"
description = "Substation enrichment node that writes threat signals to DynamoDB."
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true

env = {
Expand Down
2 changes: 1 addition & 1 deletion examples/terraform/aws/kinesis/nxdr/terraform/transform.tf
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ module "lambda_transform" {
config = {
name = "transform"
description = "Substation transform node that enriches events with threat information."
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true

env = {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ module "lambda_autoscaling" {
config = {
name = "autoscale"
description = "Autoscaler for Kinesis Data Streams"
image_uri = "${module.ecr_autoscale.url}:v1.2.0"
image_uri = "${module.ecr_autoscale.url}:v1.3.0"
image_arm = true
}
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ module "lambda_enrichment" {
config = {
name = "enrichment"
description = "Substation node that enriches data from Kinesis and writes it to DynamoDB"
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true

env = {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ module "lambda_transform" {
config = {
name = "transform"
description = "Substation node that reads from Kinesis with a delay to support enrichment"
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true

env = {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ module "validate" {
config = {
name = "validate"
description = "Substation configuration validator that is executed by AppConfig."
image_uri = "${module.ecr_validate.url}:v1.2.0"
image_uri = "${module.ecr_validate.url}:v1.3.0"
image_arm = true

memory = 128
Expand Down
2 changes: 1 addition & 1 deletion examples/terraform/aws/lambda/appconfig/terraform/node.tf
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ module "node" {
config = {
name = "node"
description = "Substation node that never receives a configuration."
image_uri = "${module.ecr.url}:v1.2.0"
image_uri = "${module.ecr.url}:v1.3.0"
image_arm = true

memory = 128
Expand Down
Loading

0 comments on commit 788b294

Please sign in to comment.