Monad Components Reference

Four core components form every Monad pipeline: Inputs, Transforms, Enrichments, and Outputs.

Component Roles by Position

Position | Allowed Types | Purpose
Root | Input only | Single entry point - one per pipeline
Middle | Transform, Enrichment | Intermediate processing (0-50 nodes)
Leaf | Output only | Terminal delivery points (1+ required)

Inputs

Inputs ingest security data from upstream sources.

Input Categories

Category | Examples
Cloud Platforms | AWS, Google Cloud, Microsoft Azure
Identity & Access | Okta, OneLogin, JumpCloud, Google Workspace
Security Tools | CrowdStrike, Wiz, Snyk, Tenable, Palo Alto
Collaboration | Slack, Jira, Confluence, GitHub, GitLab
SaaS | Salesforce, ServiceNow, Zendesk, Zoom
Syslog | Generic syslog receiver for on-prem devices

Key Input Configuration

Setting | Description
Backfill Start Time | ISO 8601 timestamp for historical data collection (initial sync only)
Checkpointing | Saves state after each page - minimizes duplication on failure

CHLA-Relevant Inputs

Source | Input Type | Notes
ISE RADIUS/TACACS | Syslog | Custom parsing required
FTD/FMC | Syslog | No native eStreamer connector
Network Devices | Syslog | Switches, routers, APs
Microsoft 365 | Native API connector | Azure AD app registration required
Microsoft Defender | Native API connector | EDR, XDR, Cloud
Meraki | Native API connector | Dashboard API

Monad has 75+ built-in input types, but Cisco on-prem devices (ISE, FTD, ASA) require syslog input with custom parsing - no native connectors.

Outputs

Outputs deliver processed data to external repositories.

Output Categories

Category | Examples
SIEM Platforms | Microsoft Sentinel, Splunk, Datadog, CrowdStrike NG-SIEM, Panther
Cloud Storage | Amazon S3, Google Cloud Storage, Azure Blob, Backblaze B2
Databases | BigQuery, PostgreSQL, Elasticsearch, OpenSearch
Messaging | Amazon SQS, Slack, PagerDuty
Custom | HTTP Output, Cribl HTTP Source, Dev Null

CHLA Target Output

Microsoft Sentinel - Primary destination for QRadar replacement

  • Authentication via Azure AD

  • DCR/DCE configuration required

  • Multiple log tiers available (Analytics, Basic, Archive)

Transforms

Transforms process data between input and output.

See Transforms Reference for complete details.

Transform Categories

Category | Transforms | Use Case
Field Addition | Add, Add Identifier, Timestamp | Add metadata, timestamps, UUIDs
Field Removal | Drop Key, Drop Key Where Value Equal | Remove sensitive/unnecessary fields
Field Modification | Rename Key, Mutate Value, Mutate Type | Normalize field names and values
Structure | Flatten, Flatten All, For | Flatten nested JSON, iterate arrays
Filtering | Drop Record Where Value Equal | Remove unwanted records
Advanced | JQ | Full jq query syntax for complex transforms

Enrichments

Enrichments add contextual information to records.

Enrichment Types

Type | Source | Data Added
Geolocation | External IP database | Country, region, city, ISP, ASN
Threat Intelligence | External threat feeds | Reputation scores, IOC correlation
Asset Correlation | Internal asset database | Device info, owner, criticality
User Correlation | Internal user database | User details, department, role

Enrichment Workflow

  1. Extract - Pull value from record using join key (e.g., source.ip)

  2. Lookup - Query external/internal source

  3. Append - Add results at destination path (e.g., enrichment.geo)

  4. Handle Errors - Continue processing on failure

Response Structure

{
  "enrichment.geo": {
    "join_key": "192.168.1.1",
    "message": "Geolocation found",
    "code": "success",
    "data": {
      "country": "US",
      "region": "California",
      "city": "Los Angeles"
    }
  }
}

Status Codes: success, no_match, error
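The four enrichment steps and the response structure above, written out as an added example (not Monad's own code). The join key, destination path and the three status codes come from this page; GEO_DB, get_path, geo_lookup and enrich are constructed stand-ins, and reporting a missing join key as `error` is an assumption.

```python
import ipaddress
from typing import Any, Callable, Optional

# Constructed stand-in for the external IP database a Geolocation enrichment
# queries; a real deployment calls a provider, not a dict.
GEO_DB = {
    "192.168.1.1": {"country": "US", "region": "California", "city": "Los Angeles"},
}

def get_path(record: dict, path: str) -> Any:
    """Extract step: walk a dotted join key such as 'source.ip' through nested dicts."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def geo_lookup(ip: str) -> Optional[dict]:
    """Lookup step: validate the key, then query the (constructed) database."""
    ipaddress.ip_address(ip)  # malformed key raises ValueError -> reported as 'error'
    return GEO_DB.get(ip)

def enrich(record: dict, join_key: str, destination: str,
           lookup: Callable[[str], Optional[dict]]) -> dict:
    """Extract -> Lookup -> Append; failures become a status code, never an exception."""
    value = get_path(record, join_key)
    result: dict = {"join_key": value, "message": "", "code": "", "data": {}}
    try:
        if value is None:
            # Assumption: a record without the join key is an 'error', not a 'no_match'.
            raise KeyError(f"join key {join_key!r} not present in record")
        data = lookup(str(value))
        if data is None:
            result.update(code="no_match", message="No geolocation match")
        else:
            result.update(code="success", message="Geolocation found", data=data)
    except Exception as exc:  # Handle Errors step: the record still flows downstream
        result.update(code="error", message=f"{type(exc).__name__}: {exc}")
    enriched = dict(record)
    enriched[destination] = result  # appended under the destination path, e.g. enrichment.geo
    return enriched

if __name__ == "__main__":
    print(enrich({"source": {"ip": "192.168.1.1"}}, "source.ip", "enrichment.geo", geo_lookup))
```

Downstream nodes can route on `enrichment.geo.code`, so a `no_match` or `error` result is visible to the pipeline rather than silently dropping the record.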

Pipeline Nodes and Edges

Node Definition

{
  "slug": "normalize-timestamp",
  "component_type": "transform",
  "component_id": "uuid-of-transform-config",
  "enabled": true
}

Edge Definition

{
  "from": "input-syslog",
  "to": "transform-normalize",
  "conditions": {
    "operator": "always",
    "conditions": []
  }
}

See Routing Reference for condition syntax.