
Multi-Input Use Cases

Multi-Input Use Cases and Data Segregation with Storage Tags

Arcanna.ai now supports use cases with multiple input sources, allowing you to ingest and correlate data (alerts, logs, etc.) from various systems into a single, unified analysis pipeline. This multi-input functionality is tightly integrated with the concept of storage tags, which provide a robust mechanism for data segregation and management.


[Use Case with Multiple Inputs]

[Adding Multiple Inputs to a Use Case]

Understanding Storage Tags

Storage tags uniquely identify and organize data originating from different customers or multiple sources within the same customer account. This isolation is crucial for maintaining data privacy, security, and compliance, as well as streamlining data management tasks.

With multi-input use cases, each input source is automatically assigned a unique storage tag. This ensures that data from different sources remains logically separated throughout the Arcanna.ai platform.

How Multi-Input and Storage Tags Work Together

Adding Input Integrations: When you create a new use case or modify an existing one to include multiple input integrations, Arcanna.ai automatically generates a unique storage tag for each input.

[Choosing between Input Integrations]

Storage Tag Generation and Customization: These storage tags are displayed at the bottom of the input integration drawer within the Arcanna.ai interface. By default, Arcanna.ai generates a unique name and ID for each storage tag. However, you have the flexibility to customize the display name to better reflect the data source or your specific organizational needs.

[Adding/Modifying Storage Tags in Input Integration Drawer]

Example

Suppose you are building a security monitoring use case whose events live in several systems: you need to ingest alerts from Elasticsearch, QRadar and Splunk. Instead of configuring three separate use cases, you can configure a single use case with three input integrations. When you add these three inputs in Arcanna.ai, the system will:

  1. Create a storage tag for the Elasticsearch input (e.g., elasticsearch-alerts-123).
  2. Create a separate storage tag for the Splunk input (e.g., splunk-alerts-456).
  3. Create another storage tag for the QRadar input (e.g., qradar-alerts-789).


[Example Use Case with 3 Inputs with 3 Storage Tags]

All alerts ingested from Elasticsearch are tagged with elasticsearch-alerts-123, all alerts from Splunk with splunk-alerts-456 and all alerts from QRadar with qradar-alerts-789. This lets you filter, analyze and manage the alerts from each source independently.

Benefits of Multi-Input and Storage Tags

  • Data Isolation: Keeps data from different sources or customers logically separated throughout the platform, so events from one input are never mixed into another input's storage tag.
  • Scalable Data Ingestion: Easily add new data sources to your use cases.
  • Simplified Data Management: Makes it easier to manage and analyze data from various sources independently.
  • Improved Compliance: Helps meet regulatory requirements related to data privacy and security.

Managing Storage Tags

You can manage all storage tags associated with a specific use case through the Storage Tags Management drawer. To access it, navigate to the Use Case Settings -> Edit an Input Integration -> Scroll to the bottom of the drawer -> click Manage storage tags.


[Storage tag card]

The Storage Tags Management drawer will open. Here you can:

View Statistics: See the number of events, size in MB/GB, and associated input for each storage tag.

[Storage Tag Management Drawer - Statistics and Actions]

Change Display Name: Modify the display name of the storage tag. This allows you to create more descriptive or meaningful tag names that align with your organization's naming conventions. You can modify display names directly in the input integration drawer or in the Storage Tags Management drawer.

[Storage Tag Display Name Update]

Soft Delete: Soft-deleting a storage tag stops new data from being written to it while retaining the existing data. The data is kept for 30 days before permanent removal; input integrations using the tag are suspended immediately and removed from the use case at the end of this period. You can undo the soft delete at any time before then.

[Soft Delete Storage Tag]


[Soft Deleted Storage Tag]

Permanently Delete: Permanently deletes a storage tag and all associated data. Warning: this action is irreversible. The events and the input integration using the tag are deleted and cannot be restored.


[Permanently Deleting a Storage Tag]

Enabling/Disabling Inputs

You can enable or disable individual input integrations within a use case using the switch. If an input is disabled, data ingestion is paused for that specific input.

Important: Data ingestion requires both the use case and the input to be enabled. Even if an input is enabled, it will not ingest data if the use case itself is disabled.


[Enabling/Disabling an Input Integration]

Filtering Events in the Explorer using Storage Tags

Arcanna.ai's Explorer allows you to filter events based on their storage tag. This enables you to view events originating from specific data sources.

To filter events by storage tag:

  1. Navigate to the Explorer.
  2. Locate the filter options.
  3. Choose the arcanna.storage_tag field.
  4. Select from the dropdown list the storage tag you want to filter by.

[Filtering Events in the Explorer by Storage Tag]

By using storage tag filters, you can easily isolate and analyze data from individual input sources within your multi-input use cases.
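The following is an added example, not code from Arcanna.ai or its Explorer: it applies the same per-tag filtering to an offline batch of events and adds two checks a practitioner would want, per-tag statistics (count, bytes, originating inputs, as in the Storage Tags Management drawer) and a segregation check that flags untagged events or a storage tag shared by more than one input. The sample NDJSON is constructed; the nesting of the `arcanna.storage_tag` field as `{"arcanna": {"storage_tag": ...}}` and the `_input` label naming the originating input are assumptions, not a documented export format.

```python
import json
from collections import defaultdict

# Assumed nesting of the Explorer field arcanna.storage_tag (not from the page).
TAG_FIELD = ("arcanna", "storage_tag")

# Constructed sample export. "_input" is a hypothetical label for the input
# integration that produced the event; the last line deliberately lacks a tag.
SAMPLE_NDJSON = """\
{"_input": "elasticsearch", "arcanna": {"storage_tag": "elasticsearch-alerts-123"}, "alert": "Brute force login"}
{"_input": "elasticsearch", "arcanna": {"storage_tag": "elasticsearch-alerts-123"}, "alert": "Port scan"}
{"_input": "splunk", "arcanna": {"storage_tag": "splunk-alerts-456"}, "alert": "Malware beacon"}
{"_input": "qradar", "arcanna": {"storage_tag": "qradar-alerts-789"}, "alert": "Data exfiltration"}
{"_input": "qradar", "alert": "Event that lost its tag"}
"""


def storage_tag(event):
    """Read the nested storage tag; None when the field is absent or malformed."""
    node = event
    for key in TAG_FIELD:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def load_events(ndjson):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def filter_by_tag(events, tag):
    """Offline equivalent of the Explorer filter arcanna.storage_tag == tag."""
    return [e for e in events if storage_tag(e) == tag]


def tag_statistics(events):
    """Per-tag event count, serialized size in bytes and the inputs seen.

    Untagged events are collected under the key None so they are not lost.
    """
    stats = defaultdict(lambda: {"events": 0, "bytes": 0, "inputs": set()})
    for e in events:
        s = stats[storage_tag(e)]
        s["events"] += 1
        s["bytes"] += len(json.dumps(e, separators=(",", ":")).encode("utf-8"))
        s["inputs"].add(e.get("_input"))
    return dict(stats)


def segregation_violations(events):
    """Return human-readable problems that break one-tag-per-input segregation:
    events without a storage tag, and a tag written to by more than one input."""
    problems = []
    stats = tag_statistics(events)
    if None in stats:
        problems.append(f"{stats[None]['events']} event(s) without a storage tag")
    for tag, s in stats.items():
        if tag is not None and len(s["inputs"]) > 1:
            shared = sorted(str(i) for i in s["inputs"])
            problems.append(f"tag {tag} is shared by inputs {shared}")
    return problems


if __name__ == "__main__":
    events = load_events(SAMPLE_NDJSON)
    for tag, s in tag_statistics(events).items():
        print(tag, s["events"], "events", s["bytes"], "bytes", sorted(map(str, s["inputs"])))
    for problem in segregation_violations(events):
        print("VIOLATION:", problem)
```

Run it against a real export by replacing SAMPLE_NDJSON with the file contents; a non-empty result from segregation_violations means an input is writing outside its own tag or events are arriving untagged, which defeats the per-source isolation the tags are meant to provide.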

Removing Inputs

You can remove input integrations from a use case if they are no longer needed. There are two ways to remove an input:

  1. Direct Removal:
    1. Navigate to the use case settings.
    2. Locate the input integration you want to remove.
    3. Click the "Remove" button (or equivalent).

[Removing an Input from a Use Case]

  2. Via Storage Tag Deletion:
    1. Soft Deletion: Soft deleting the storage tag associated with the input integration will suspend the input and prevent new data ingestion. The input integration will be fully removed after 30 days, unless the soft deletion is undone.
    2. Permanent Deletion: Permanently deleting the storage tag associated with the input integration will immediately remove the input integration from the use case, along with all associated data.

Important: A use case must have at least one input source. You cannot remove all inputs from a use case.
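The rules spread over the sections above (ingestion requires both the use case and the input to be enabled; soft delete suspends the input and keeps its data for 30 days, with undo allowed only inside that window; permanent deletion drops data and input at once; a use case must keep at least one input) fit together as a small state model. The following is an added example written here to make those rules explicit; it is not Arcanna.ai code and does not call its API. The tag ID scheme, the class and method names, and the decision to apply the at-least-one-input rule to permanent tag deletion as well as to direct removal are assumptions. The page also does not say what happens when the last input's soft-deleted tag expires; this model removes it like any other.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

RETENTION = timedelta(days=30)  # soft-delete retention window stated on the page


@dataclass
class StorageTag:
    tag_id: str
    display_name: str
    soft_deleted_at: Optional[datetime] = None
    purged: bool = False

    def writable(self) -> bool:
        """New data may be written only while the tag is neither soft-deleted nor purged."""
        return self.soft_deleted_at is None and not self.purged

    def readable(self) -> bool:
        """Existing data stays readable during the soft-delete window, not after a purge."""
        return not self.purged


@dataclass
class InputIntegration:
    name: str
    tag: StorageTag
    enabled: bool = True


@dataclass
class UseCase:
    name: str
    enabled: bool = True
    inputs: List[InputIntegration] = field(default_factory=list)

    def add_input(self, name: str) -> InputIntegration:
        # Hypothetical ID scheme; the page only says each input gets a unique tag name and ID.
        tag = StorageTag(tag_id=f"{name}-{len(self.inputs) + 1:03d}", display_name=f"{name} alerts")
        inp = InputIntegration(name, tag)
        self.inputs.append(inp)
        return inp

    def ingests(self, inp: InputIntegration) -> bool:
        """Ingestion needs the use case enabled, the input enabled and a writable tag."""
        return self.enabled and inp.enabled and inp.tag.writable()

    def remove_input(self, inp: InputIntegration) -> None:
        """Direct removal; a use case must keep at least one input."""
        if len(self.inputs) <= 1:
            raise ValueError("a use case must keep at least one input")
        self.inputs.remove(inp)

    def soft_delete_tag(self, inp: InputIntegration, now: datetime) -> None:
        """Suspends the input and stops writes; data is retained until purge_expired."""
        inp.tag.soft_deleted_at = now

    def undo_soft_delete(self, inp: InputIntegration, now: datetime) -> None:
        """Allowed only before the retention window elapses."""
        deleted_at = inp.tag.soft_deleted_at
        if deleted_at is None:
            raise ValueError("tag is not soft-deleted")
        if now - deleted_at >= RETENTION:
            raise ValueError("retention window elapsed; data has been purged")
        inp.tag.soft_deleted_at = None

    def permanent_delete_tag(self, inp: InputIntegration) -> None:
        """Irreversible: removes the input immediately and drops its data."""
        self.remove_input(inp)  # assumption: the at-least-one-input rule applies here too
        inp.tag.purged = True

    def purge_expired(self, now: datetime) -> List[InputIntegration]:
        """Finalize soft deletes older than RETENTION; returns the inputs removed."""
        expired = [i for i in self.inputs
                   if i.tag.soft_deleted_at is not None and now - i.tag.soft_deleted_at >= RETENTION]
        for i in expired:
            self.inputs.remove(i)
            i.tag.purged = True
        return expired


if __name__ == "__main__":
    uc = UseCase("security-monitoring")
    es, sp = uc.add_input("elasticsearch"), uc.add_input("splunk")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    uc.soft_delete_tag(sp, t0)
    print("splunk ingests:", uc.ingests(sp), "readable:", sp.tag.readable())
    print("purged after 30 days:", [i.name for i in uc.purge_expired(t0 + RETENTION)])
```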

Conclusion

With Arcanna.ai's multi-input functionality and storage tags, you're not only expanding your security data lake, but also fueling a powerful AI engine with enriched, well-governed data. This translates directly to accelerated threat hunting, improved detection accuracy, and more effective incident response workflows. By centralizing and isolating your data streams, Arcanna.ai empowers you to proactively defend against evolving threats and maintain a robust security posture across your entire organization.