Normalizers

Normalizers in Astral are responsible for parsing and structuring raw data collected from different ingestion sources. Their primary role is to transform unstructured or semi-structured log data into a normalized and consistent format that can be analyzed, correlated, and processed by the SIEM. This step is essential to ensure that events originating from diverse technologies can be interpreted uniformly within the platform.

Astral normalizers are implemented using PCRE2-compatible regular expressions, allowing precise extraction of relevant fields from unstructured logs regardless of their origin. By applying pattern-based parsing, normalizers convert free-form text, custom log formats, and non-standard data into structured events that align with Astral’s internal data model.

In addition to native normalizers, Astral supports the creation of custom normalizers. This capability enables organizations to onboard data sources that are not natively supported by the platform, ensuring broad compatibility and flexibility. Custom normalizers allow security teams to define parsing logic tailored to proprietary applications, legacy systems, or specialized technologies, without requiring changes to the source systems.
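As an added illustration of the pattern-based parsing described above and of what a custom normalizer for a proprietary format amounts to (this is example code, not Astral's own normalizer engine or syntax): two regular expressions with named capture groups turn constructed raw log lines into events with a consistent field set. The `(?P<name>...)` group syntax is accepted by both PCRE2 and Python's `re` module; the field names, the `PATTERNS` list and the sample log formats are assumptions.

```python
import re
from typing import Optional

# Ordered list of (source name, compiled pattern). Field names in the named
# groups (ts, host, user, src_ip, ...) are an assumed normalized schema.
PATTERNS = [
    # OpenSSH-style authentication failure (constructed sample format)
    ("sshd_auth_fail", re.compile(
        r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
        r"Failed password for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<src_port>\d+)")),
    # Proprietary application log (constructed format, as a "custom normalizer")
    ("custom_app", re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) "
        r"app=(?P<app>\w+) user=(?P<user>\S+) action=(?P<action>\w+)")),
]

def normalize(line: str) -> Optional[dict]:
    """Return a normalized event for the first matching pattern, else None."""
    for source, pattern in PATTERNS:
        m = pattern.match(line)  # anchored at start: specific, cheap, no scanning
        if m:
            event = {"source": source, "raw": line}
            # Optional groups that did not participate come back as None; drop them
            event.update({k: v for k, v in m.groupdict().items() if v is not None})
            return event
    return None  # no pattern matched; caller decides how to route unparsed lines

def normalize_batch(lines):
    """Split lines into normalized events and unparsed raw lines (never dropped silently)."""
    parsed, unparsed = [], []
    for line in lines:
        event = normalize(line)
        if event is None:
            unparsed.append(line)
        else:
            parsed.append(event)
    return parsed, unparsed

# Constructed sample input: one sshd line, one proprietary app line, one stray line
SAMPLE_LOGS = [
    "Mar  3 10:15:22 bastion01 sshd[4123]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51422 ssh2",
    "2024-03-03T10:16:01Z app01 app=billing user=alice action=login",
    "this line matches nothing",
]

if __name__ == "__main__":
    events, leftovers = normalize_batch(SAMPLE_LOGS)
    print(events, leftovers)
```

Keeping the unparsed lines visible (and counting them) is how you notice a source whose format changed, which otherwise shows up only as detections going quiet.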

Once applied, normalized events flow through Astral’s standard analysis and correlation pipeline. By ensuring consistent field mapping and data structure, normalizers enable effective correlation across logs, network events, API data, and other telemetry sources. This guarantees that all ingested data, regardless of its original format, can contribute meaningfully to detection, investigation, and response within the Inopli ecosystem.
