VAST is the open-source pipeline and storage engine for security.
VAST offers dataflow pipelines for data acquisition, reshaping, routing, and integration of security tools. Pipelines transport richly typed data frames to enable efficient analytical high-bandwidth streaming workloads. VAST's open storage engine uses the same dataflow language to deliver a unified abstraction for batch and stream processing to drive a wide variety of security use cases.
A VAST node provides managed pipelines and storage as a continuously running service. You can run pipelines across multiple nodes to create a distributed security data architecture.
Consider VAST if you want to:
- Filter, shape, aggregate, and enrich security events before they hit your SIEM or data lake
- Normalize, enrich, and deduplicate events prior to passing them downstream
- Store, compact, and search event data in an open storage format (Apache Parquet & Feather)
- Perform high-bandwidth analytics with any data tool powered by Apache Arrow
- Operationalize threat intelligence for live and retrospective detection
- Build your own security data lake or federated XDR architecture
Our quickstart guide showcases how you can start exploring Zeek and Suricata data with VAST. Start here to get a first impression of VAST.
To get hands-on with VAST, follow these steps:
If you have any questions when reading our docs, feel free to start a GitHub discussion or swing by our Discord chat—we're here to help!
VAST comes with a 3-clause BSD license.
When referring to VAST in a scientific context, please use the following citation:
```bibtex
@InProceedings{nsdi16:vast,
  author    = {Matthias Vallentin and Vern Paxson and Robin Sommer},
  title     = {{VAST: A Unified Platform for Interactive Network Forensics}},
  booktitle = {Proceedings of the USENIX Symposium on Networked Systems Design and Implementation (NSDI)},
  month     = {March},
  year      = {2016}
}
```
You can download the paper from the NSDI'16 proceedings website.
Developed with ❤️ by Tenzir