Introduction

VAST is a network telemetry engine for data-driven security investigations. It ingests high-volume streams of network and log data, indexes it for later retrieval, and offers several ways to access the data efficiently. The goal is to make network forensics more productive and enable data scientist to tap into the rich world of network event data.

Architecture

Features

  • Built for network forensics: VAST is purpose-built for SecOps (incident responders, threat hunters) at the intersection of data science. Security investigations are data investigations, and VAST puts the analyst back in charge, helping to get to the right subset of telemetry for the problem at hand.

  • Interactive queries: VAST's multi-level indexing delivers sub-second response times over the entire telemetry set—perfect for explorative threat-hunting workflows.

  • High-throughput streaming: VAST relies on end-to-end streaming to ingest massive amounts of data. Dynamic backpressure ensures that the system does not keel over when stuffing too much data into it.

  • Rich Data Model: VAST's type-rich data model helps to retain domain semantics with a flexible schema and query language. All types support meaningful operations, e.g., IP address support top-k prefix search and containers membership queries. Moreover, VAST's typed expression syntax allows you to search over fields having a particular type or attribute.

  • Unfederated data access: VAST defines a portable framing for messages and files to enable access to the data from various platforms. The zero-copy export mechanism makes data sharing with downstream analytics applications incredibly efficient. This empowers data scientist to work on their analytics, as opposed to building tools for parsing and plumbing.

VAST stands for Visibility Across Space and Time to reflect the key benefit for users: make it easy to express temporal and spatial event relationships to illuminate your network analysis.