Fortune 100 Airlines

How a Fortune 100 Airline Accelerated SIEM Migration by 85% with Databahn

In just 42 days, the airline modernized its security data stack, migrating 150+ sources (including flight logs!) to Microsoft Sentinel and Azure Blob Storage with full continuity and zero downtime

  • 85% faster SIEM migration
  • 70% reduction in data volume
  • 42 days time-to-value

1. At a glance

This global airline’s operations generate one of the largest and most complex data environments in the industry, spanning flight operations, customer systems, maintenance, and security infrastructure.

To strengthen visibility and detection, the airline adopted Microsoft Sentinel as its new SIEM, alongside Azure Blob for scalable data storage. But migrating from their legacy SIEM proved difficult. With over 150 log sources and 20 TB of daily data, the migration risked lengthy downtime and significant operational disruption. One of their main challenges was setting up ingestion of flight logs into their data architecture, a unique use case for which no ready-made solution existed.

“We started off looking for a tool to help us manage and optimize data volumes so we could focus on migrating to a new SIEM and improve our threat detection and response. We built a comprehensive set of 300+ evaluation criteria for which tool to use; Databahn was the only vendor that scored 97% on the evaluation exercise.”

- Cybersecurity Engineering Lead

2. What was holding them back

Managing one of the largest data ecosystems in the aviation industry, the airline’s SOC handled 150+ sources and over 20 TB of telemetry every day. Their legacy setup strained under growing data volumes and rising compliance needs, and the upcoming SIEM migration made modernization urgent.

They faced key challenges across four areas:

  • Complex Data Collection
    Each environment, from cloud to OT (and including a constant stream of flight logs), required its own custom connectors. Every new source involved manual parsing, normalization, and transformation, creating delays and increasing operational load.
  • SIEM Migration Complexity
    Migrating over 150 data sources to Microsoft Sentinel and Azure Blob meant rebuilding large parts of the existing pipeline. Without automation, the effort would be slow, error-prone, and risk gaps in visibility across global operations.
  • Compliance and Audit Readiness
    The team lacked unified visibility into logging health, asset tagging, and sensitive data coverage. Manual checks limited insight into compliance posture and slowed audit reporting.
  • Monitoring and Threat Visibility
    The SOC needed faster, bi-directional data flow to improve threat detection and hunting. They wanted deeper visibility across tools and quicker data movement to enable proactive security operations.
“When we did a migration a few years ago, it took us over a year and had many layers of operational impact. With 150+ sources and ~20 TB/day ingestion, we were prepared for it to be more difficult.”

- Cybersecurity Engineering Lead

3. What the team needed

The airline set out to migrate from its legacy SIEM to Microsoft Sentinel and Azure Blob while maintaining uninterrupted visibility, compliance, and operational continuity. They needed a platform that could automate migration at scale, simplify data control, and deliver measurable improvements in reliability and efficiency.

They needed a solution that could:

  • Automate Migration at Scale: Streamline the movement of 150+ data sources to Sentinel and Blob without manual reconfiguration or downtime.
  • Standardize and Normalize Data: Align schemas and field mappings across diverse log types to improve consistency and downstream analytics.
  • Optimize Data Routing and Cost Efficiency: Route high-value data to Sentinel while archiving full-fidelity logs to Blob to reduce ingestion costs.
  • Ensure Continuous Monitoring and Reliability: Maintain end-to-end visibility, schema validation, and ingestion health throughout the migration.
  • Enhance Detection and Threat Visibility: Accelerate threat hunting and detection accuracy with unified data flow and centralized control.

“We needed a tool that could manage 20 TB/day ingestion while being flexible and scalable, power our CIRT with real-time and reliable data flow, and enable the migration of 150+ data sources to Sentinel and Blob Storage. Ingestion of flight logs into our new setup was a major challenge.”

- Cybersecurity Engineering Lead

4. How we reengineered the flow

Databahn served as the airline’s centralized security data fabric, delivering a programmable pipeline layer over their telemetry ecosystem. It handled ingestion, transformation, routing, and control logic, enabling continuous operations and seamless migration to Microsoft Sentinel and Azure Blob.

  • Connector Ecosystem & Native Parsers
    With 550+ built-in connectors, Databahn ingested data across cloud, on-prem, and OT systems. Native parsers standardized fields into a unified schema, eliminating the need for custom transformations for unique log formats including flight logs.
  • Edge-based Ingestion Fabric
    Distributed Edge nodes enabled lossless log collection and automatic failover, isolating downstream dependencies and ensuring data continuity under load.
  • Volume Control & Smart Filtering Layer
    Rule-based suppression and filtering with a library of 900+ pre-built rules reduced redundant telemetry, improving efficiency and data fidelity.
  • Orchestration and Multi-Destination Routing
    Databahn’s routing policies directed enriched security data to Sentinel for analytics and full-fidelity archives to Azure Blob, optimizing cost and ensuring governance.
  • Telemetry Posture, Health, and Insights
    Databahn’s insight layer provided real-time observability into coverage, schema drift, and pipeline health. It also supported data classification, sensitive data identification, and audit traceability across the telemetry stack.
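The pipeline pattern described in this section, and in the requirements list under "What the team needed", has four moving parts: source-specific parsers that land every format in one schema, a suppression layer that drops redundant telemetry, a full-fidelity archive that keeps everything, and a routing policy that forwards only high-value events to the SIEM. The Python below is an added illustration written for this page to make that flow concrete; it is not Databahn's code, uses no Databahn or Microsoft API, and its three source formats, field names, suppression rules, severity assignments and "quarantine" sink for events carrying personal data are all constructed assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample telemetry in three formats (not real airline data):
# a key=value firewall line, a JSON cloud audit record and a CSV-style flight log.
RAW_EVENTS = [
    ("firewall", "2024-05-01T10:00:00Z fw01 action=allow src=10.0.0.5 dst=10.0.1.9 dport=443"),
    ("firewall", "2024-05-01T10:00:01Z fw01 action=allow src=10.0.0.5 dst=10.0.1.9 dport=443"),
    ("firewall", "2024-05-01T10:00:02Z fw01 action=deny src=203.0.113.7 dst=10.0.1.22 dport=22"),
    ("cloud_audit", '{"time": "2024-05-01T10:00:03Z", "principal": "svc-deploy", '
                    '"op": "RoleAssignmentWrite", "level": "Informational"}'),
    ("cloud_audit", '{"time": "2024-05-01T10:00:04Z", "principal": "monitor", '
                    '"op": "HeartBeat", "level": "Verbose"}'),
    ("flight_log", "2024-05-01T10:00:05Z,TAIL-EXAMPLE1,ACARS,ENGINE_WARN,oil pressure low eng2"),
    ("flight_log", "2024-05-01T10:00:06Z,TAIL-EXAMPLE1,ACARS,POSITION,lat=40.64 lon=-73.78"),
    ("flight_log", "2024-05-01T10:00:07Z,TAIL-EXAMPLE2,CREW,NOTE,contact crew@example.com re roster"),
]

KV_RE = re.compile(r"(\w+)=(\S+)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# --- Parsers: each source format lands in the same unified schema (assumed field set) ---
def parse_firewall(line):
    ts, host, rest = line.split(" ", 2)
    kv = dict(KV_RE.findall(rest))
    return {"ts": ts, "source": "firewall", "entity": host, "action": kv.get("action", "unknown"),
            "severity": "medium" if kv.get("action") == "deny" else "low", "msg": rest}

def parse_cloud_audit(line):
    rec = json.loads(line)
    if rec["level"] == "Verbose":
        sev = "low"
    elif "Write" in rec["op"]:
        sev = "high"  # assumption: permission changes always warrant analyst attention
    else:
        sev = "medium"
    return {"ts": rec["time"], "source": "cloud_audit", "entity": rec["principal"],
            "action": rec["op"], "severity": sev, "msg": line}

def parse_flight_log(line):
    ts, tail, system, event, detail = line.split(",", 4)
    return {"ts": ts, "source": "flight_log", "entity": tail, "action": event,
            "severity": "high" if event.endswith("WARN") else "low", "msg": f"{system} {detail}"}

PARSERS = {"firewall": parse_firewall, "cloud_audit": parse_cloud_audit, "flight_log": parse_flight_log}

# --- Suppression rules: name -> predicate that is True when the event is redundant ---
SUPPRESSION_RULES = {
    "allowed_firewall_flow": lambda e: e["source"] == "firewall" and e["action"] == "allow",
    "cloud_heartbeat": lambda e: e["source"] == "cloud_audit" and e["action"] == "HeartBeat",
    "routine_position_report": lambda e: e["source"] == "flight_log" and e["action"] == "POSITION",
}

def run_pipeline(raw_events):
    """Normalize, archive everything, suppress noise, quarantine PII, forward the rest."""
    sinks = {"blob": [], "sentinel": [], "quarantine": []}
    dropped = Counter()
    seen = set()
    for source, line in raw_events:
        event = PARSERS[source](line)
        sinks["blob"].append(event)  # the full-fidelity archive keeps every event
        key = (event["source"], event["entity"], event["action"], event["msg"])
        if key in seen:  # exact repeat of an earlier event: archive it, do not forward it
            dropped["duplicate"] += 1
            continue
        seen.add(key)
        rule = next((name for name, pred in SUPPRESSION_RULES.items() if pred(event)), None)
        if rule:
            dropped[rule] += 1
            continue
        if EMAIL_RE.search(event["msg"]):
            sinks["quarantine"].append(event)  # held for review instead of entering the SIEM
            continue
        sinks["sentinel"].append(event)
    return sinks, dropped

def volume_reduction(sinks):
    """Fraction of archived volume that was kept out of the SIEM-bound stream."""
    return 1 - len(sinks["sentinel"]) / len(sinks["blob"])

if __name__ == "__main__":
    sinks, dropped = run_pipeline(RAW_EVENTS)
    for name, events in sinks.items():
        print(f"{name}: {len(events)} events")
    print("suppressed:", dict(dropped))
    print(f"SIEM-bound volume reduction: {volume_reduction(sinks):.0%}")
```

On the eight constructed events, the archive keeps all eight while only three reach the SIEM sink; the duplicate check runs before the rule table so that a repeated event is counted once as a duplicate rather than attributed to a rule, and the per-rule counters are what let an operator verify that a suppression rule is dropping what it was written to drop and nothing else.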

“We are working with Databahn to use Databahn as a data broker and get our systems and SOC AI-ready. Our team has been very satisfied with Databahn and their willingness to partner with us on this journey.”

- Cybersecurity Engineering Lead

5. What Databahn Delivered

Within six weeks, the airline completed a full migration from its legacy SIEM to Microsoft Sentinel and Azure Blob, without disruption or loss of visibility. Databahn’s control fabric delivered measurable improvements across scale, efficiency, and compliance.

  • Seamless Source Migration
    150+ log sources, including 120+ custom sources and critical feeds from AWS, Azure, and OT environments (including flight logs), were migrated to Sentinel and Blob without code rewrites or agent conflicts.
  • 85% Faster SIEM Migration
    The full transition was completed 85% faster compared to traditional manual approaches.
  • Operational Efficiency
    SOC teams eliminated manual ingestion management, reducing engineering overhead and accelerating onboarding of new data sources.
  • 70% Data Volume Reduction
    Using Databahn’s volume control and suppression rules, redundant logs were filtered out, cutting Sentinel-bound ingestion while improving signal quality.
  • Improved Data Quality and Reliability
    Databahn’s automated parsing and normalization ensured schema consistency and reduced false positives across correlated detections.
  • Enhanced Visibility and Compliance
    Real-time telemetry insights provided end-to-end visibility into ingestion health, coverage, and schema drift, with automatic detection and quarantine of sensitive data.

Conclusion

By centralizing control of its security data through Databahn, the airline eliminated fragmentation across ingestion, normalization, and routing. What began as a complex SIEM migration evolved into a broader transformation of how data moved through the security stack.

The SOC now operates with complete visibility, cleaner data, and lower costs, with telemetry posture, PII detection, and compliance insights built directly into the pipeline. With Databahn in place, the airline has a resilient, scalable foundation ready to support future growth and security modernization.
