Realm Data Model Overview

Sources and Input Feeds

Source:

  • A reusable object defined by a specific product format (e.g., Palo Alto PAN-OS Firewall).
  • The Source represents a logical grouping of data from a common technology.
  • Routing Flexibility: A Source can be configured to route data to any defined Destination, streamlining the fabric configuration by decoupling the data origin from the data target. Reconfiguring routing for all associated feeds only requires updating the Destination.
  • Structure: A Source is a group of Input Feeds.

Input Feed:

  • An individual data collection point within Realm. This is the physical collection pipeline.
  • The Input Feeds grouped under a Source must match the Source’s defined product format.
  • Collection Flexibility: Input Feeds support different collection methods (e.g., Syslog, API polling, specific vendor agents) to ensure data ingress flexibility.
  • On-Premise Integration: Any data streams configured via the On-Premise Collector appear in the pipeline as a distinct Input Feed.

Destinations and Output Feeds

Destination:

  • A reusable object representing a common destination type (e.g., SIEM, Archive Storage, Analytics Platform).
  • The Destination represents a logical grouping of output configurations for a common type of service.
  • Routing Configuration: Any defined Source can point to a Destination, completing the routing pipeline without requiring re-configuration of the individual Feeds for every Source/Destination.
  • Structure: A Destination is a group of Output Feeds.

Output Feed:

  • The product-specific output configuration tailored to the service receiving the data.
  • Cross-Vendor Support: The Output Feeds within a single Destination can be for different products or vendors (e.g., a "SIEM" Destination can have one Output Feed for Splunk and one for SumoLogic), enabling the same Source data to be delivered to multiple services simultaneously.
  • Storage Configuration: This is the point of configuration where users specify the target storage parameters (e.g., tables, indexes, buckets) where data from specific Sources will be stored within the Output Feed product.

On-Premise Collectors and Streams

On-Premise Collector:

  • A general-purpose data receiver designed for on-premise deployment.
  • Versatility: The Collector is format-agnostic at the point of ingestion, meaning a single collector can receive raw data from multiple product formats (e.g., firewall logs, endpoint telemetry, server events).

Stream:

  • The Stream is the defined data flow carrying collected data from the On-Premise Collector to the Realm Platform.
  • Mapping and Structure: Each Stream is explicitly tied to a specific product format and an existing Source object within the Realm fabric. This ensures data is correctly classified and attributed upon arrival.
  • Integration with the Fabric: Streams are logically represented in the Realm Fabric as an Input Feed for the associated Source. This seamlessly integrates on-premise collection into the existing routing model, allowing data to be treated uniformly regardless of its collection method.
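
The relationships described above can be sketched as a small conceptual model. This is an added example, not Realm's API or configuration format: the class names, the format string "paloalto-panos", the feed names and the storage targets are all assumptions made for illustration. It enforces the format-match rule for Input Feeds, represents a Stream as an Input Feed, and shows how one Source fans out to every Output Feed of its Destination.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class InputFeed:
    name: str
    product_format: str
    method: str  # "syslog", "api-polling", "agent", or "on-prem-stream"

@dataclass
class OutputFeed:
    product: str
    storage_by_source: dict = field(default_factory=dict)  # Source name -> index/table/bucket

@dataclass
class Destination:
    name: str
    output_feeds: list = field(default_factory=list)

@dataclass
class Source:
    name: str
    product_format: str
    input_feeds: list = field(default_factory=list)
    destination: Optional[Destination] = None

    def add_feed(self, feed: InputFeed) -> InputFeed:
        # Invariant from the page: feeds under a Source must match its product format.
        if feed.product_format != self.product_format:
            raise ValueError(f"{feed.name}: {feed.product_format!r} != {self.product_format!r}")
        self.input_feeds.append(feed)
        return feed

    def attach_stream(self, name: str, product_format: str) -> InputFeed:
        # A Stream from an On-Premise Collector shows up as one more Input Feed.
        return self.add_feed(InputFeed(name, product_format, "on-prem-stream"))

def resolve_routes(source: Source) -> list:
    """Every delivery path as (input feed, output product, storage target)."""
    if source.destination is None:
        return []
    return [(f.name, o.product, o.storage_by_source.get(source.name))
            for f in source.input_feeds for o in source.destination.output_feeds]

def build_example() -> Source:
    # Constructed sample objects; feed names and storage targets are made up.
    siem = Destination("SIEM", [OutputFeed("Splunk", {"pan-fw": "index=firewall"}),
                                OutputFeed("SumoLogic", {"pan-fw": "partition=fw"})])
    src = Source("pan-fw", "paloalto-panos", destination=siem)
    src.add_feed(InputFeed("dc1-syslog", "paloalto-panos", "syslog"))
    src.attach_stream("branch-collector", "paloalto-panos")
    return src
```

Re-pointing `destination` on the Source changes the delivery path for every Input Feed at once, including the on-premise Stream, which is the decoupling the model is built around.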

Next: Review the Integration Guide

You now understand the foundational components of the Realm data fabric: Sources and Destinations for logical routing, and Input/Output Feeds for physical configuration. Review our Integration Guide to see how to define your first Source and connect it to a Destination.