Monad Security Pipeline Training

Master Monad for security data pipeline orchestration. Build pipelines that ingest, transform, and route security logs to Microsoft Sentinel.

What is Monad?

Monad is a security data pipeline platform that enables:

  • Ingest - Collect logs from security platforms (syslog, APIs, cloud services)

  • Transform - Filter, normalize, enrich, and reshape data

  • Route - Conditionally deliver to different outputs based on content

  • Output - Send to SIEMs, cloud storage, databases, or custom destinations

This is personal learning documentation for CHLA’s QRadar → Sentinel migration evaluation. Not for external distribution until I have hands-on experience.

Core Architecture

[Diagram: Monad Pipeline Architecture]

Constraints:

  • Single root input per pipeline

  • Maximum 50 nodes per pipeline

  • No circular paths (DAG only)

  • All branches must terminate at outputs

  • Single incoming edge per node (fan-out allowed)
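To make these constraints concrete, here is an added validator (example code written for these notes, not Monad's own code or configuration format). It assumes a pipeline is represented as a node-id to kind map plus a list of (src, dst) edges, and reports every violated rule, including cycle detection via a topological sort.

```python
from collections import Counter

MAX_NODES = 50  # per-pipeline node limit from the constraints above
# Constructed sample (not a real CHLA pipeline): syslog input -> transform -> router -> two outputs
SAMPLE_NODES = {"ise_syslog": "input", "normalize": "transform", "route": "router",
                "sentinel_analytics": "output", "sentinel_basic": "output"}
SAMPLE_EDGES = [("ise_syslog", "normalize"), ("normalize", "route"),
                ("route", "sentinel_analytics"), ("route", "sentinel_basic")]

def validate_pipeline(nodes, edges):
    """Return the list of constraint violations (empty list means the graph is valid).
    nodes: {node_id: kind}, kind in input/transform/router/output; edges: [(src, dst), ...]."""
    errors = []
    if len(nodes) > MAX_NODES:
        errors.append(f"{len(nodes)} nodes exceeds the {MAX_NODES}-node limit")
    edges = [e for e in edges if e[0] in nodes and e[1] in nodes]  # drop dangling edges
    indeg = Counter(d for _, d in edges)
    succ = {n: [d for s, d in edges if s == n] for n in nodes}

    # Single root input: exactly one input node, and nothing feeds it
    inputs = [n for n, k in nodes.items() if k == "input"]
    if len(inputs) != 1:
        errors.append(f"expected exactly one input node, found {len(inputs)}")
    errors += [f"input {n!r} must not have incoming edges" for n in inputs if indeg[n]]

    for n, k in nodes.items():
        # Single incoming edge per node: fan-out is fine, fan-in (a merge) is not; also flags orphans
        if k != "input" and indeg[n] != 1:
            errors.append(f"node {n!r} has {indeg[n]} incoming edges, expected 1")
        # All branches terminate at outputs: every leaf is an output and every output is a leaf
        if not succ[n] and k != "output":
            errors.append(f"branch dead-ends at non-output node {n!r}")
        if k == "output" and succ[n]:
            errors.append(f"output {n!r} must not have outgoing edges")

    # DAG only: Kahn's topological sort; any node never reached sits on a cycle
    remaining, ready, visited = dict(indeg), [n for n in nodes if not indeg[n]], 0
    while ready:
        visited += 1
        for d in succ[ready.pop()]:
            remaining[d] -= 1
            if remaining[d] == 0:
                ready.append(d)
    if visited != len(nodes):
        errors.append("pipeline contains a cycle")
    return errors

if __name__ == "__main__":
    print(validate_pipeline(SAMPLE_NODES, SAMPLE_EDGES) or "pipeline is valid")
```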

Reference Documentation

  Document     Focus
  Components   Inputs, outputs, transforms, enrichments overview
  Transforms   All transform types with syntax and examples
  Routing      Conditional routing operators and condition types

Pipeline Patterns (Source-Specific)

  Pipeline           Log Source                                      Status
  ISE Pipeline       RADIUS (distributed), TACACS+ (standalone x2)   [x] Documented
  FTD Pipeline       FMC syslog (connection, intrusion, malware)     [x] Documented
  Network Pipeline   Switches, routers, wireless, Meraki             [x] Documented

Evaluation Context

Project: QRadar → Microsoft Sentinel migration

My Role: Evaluate Monad’s capabilities for CHLA log sources

Key Questions:

  1. Can Monad ingest CHLA’s log sources? (ISE, FTD, network, Microsoft)

  2. Can transforms normalize/filter effectively? (jq, GJSON, conditions)

  3. Can routing split critical vs bulk logs? (Sentinel Analytics vs Basic)

  4. What’s the learning curve for building custom pipelines?

Trial Limitations

Trial license restrictions:

  • GJSON transforms only (no jq)

  • Limited input/output types

  • API access may be restricted

Full license unlocks jq transforms for complex manipulation.