Medical Device Manufacturer

How a Medical Device Manufacturer Streamlined OT Telemetry and Cut SIEM Costs by 50%

In just 7 days, the team filtered high-volume OT logs, slashed Splunk costs by over 50% and prepared for SIEM migration without tying up engineering bandwidth

50%
SIEM cost reduction
$600k
annualized savings
15+
monitoring instances unified

At a glance

A global medical technology company with dozens of OT-heavy manufacturing sites was struggling to make sense of inconsistent telemetry, rising SIEM costs, and limited visibility into its operational environments. Each site had different levels of digital maturity, uneven bandwidth, and minimal local infrastructure, making it difficult to apply a consistent approach to security data collection.

OT logs such as heartbeats, system pings, and repetitive updates were being sent to Splunk in bulk. This drove up licensing and storage costs and made it harder for analysts to find meaningful security signals quickly.

As the organization prepared to shift OT telemetry to Microsoft Sentinel, the security team needed a way to cut ingestion volume, improve clarity around OT data, and unify telemetry across environments, without writing new pipelines or deploying additional infrastructure.

DataBahn was deployed as a centralized telemetry control layer across both corporate and plant networks. Its Smart Edge nodes filtered and enriched data at the source, while the Highway platform compressed and routed telemetry to Splunk, Sentinel, and cold storage in vendor-neutral formats like OCSF. Within weeks, the company reduced SIEM load, improved detection speed through micro-indexing, and took full control of its security data pipeline.


What was holding them back

The organization faced a range of operational and architectural barriers across both corporate and manufacturing environments. Security data was often inconsistent, siloed, and out of sync with what was actually needed for effective threat detection, especially in OT-intensive sites.

  • Overcollection of high-volume telemetry like heartbeats and sensor pings
    Plants continuously generated logs from OT systems like heartbeats, pings, and sensor data. While most of this had no security value, it was ingested into Splunk, driving up costs and overwhelming analysts.
  • Isolated SIEM environments
    With no unified telemetry layer in place, the team operated across multiple SIEMs with segmented data. IT and OT systems produced logs in isolation, preventing centralized correlation, detection, or governance.
  • Delayed inclusion of OT systems in SOC workflows
    OT environments were deprioritized in earlier phases of SIEM deployment. As a result, many ICS systems were never integrated or were only partially onboarded, leaving major gaps in visibility and threat response.
  • Inconsistent infrastructure across plants
    Several remote sites lacked the bandwidth or local compute resources required for reliable log forwarding. Others used legacy sensors or outdated log formats, making centralized data collection more difficult.
  • No capacity for custom ingestion workflows
    Custom tuning, rule creation, and ongoing pipeline maintenance were required at each site. With over ten sites to support, the team lacked the resources to manage ingestion manually.
  • No framework for identifying security-relevant data
    The team had no clear model for deciding which telemetry streams were useful. As a result, large volumes of unfiltered, irrelevant data were being ingested into Splunk, driving up license usage and obscuring real security signals.

What the team needed

A flexible, low-maintenance solution to reduce OT data overload, lower SIEM costs, and modernize telemetry without deploying new infrastructure

The team needed a platform that could manage the scale and complexity of a hybrid IT and OT environment. Manufacturing plants varied in network stability, sensor maturity, and telemetry readiness. They were under pressure to reduce Splunk license usage, address siloed visibility, and support a phased move to Microsoft Sentinel. Critically, they lacked the engineering capacity to redesign ingestion workflows or manage site-by-site pipelines.

To succeed, they required the ability to:

  • Reduce Splunk ingestion at the edge
    Filter and compress noisy OT events before they reached Splunk, preserving only logs with security relevance.
  • Create a unified control plane for telemetry
    Standardize routing for IT and OT data across both corporate systems and remote manufacturing plants.
  • Support low-bandwidth and infrastructure-light sites
    Collect and forward data from sites with limited connectivity or without local infrastructure.
  • Enable routing to multiple destinations
    Send enriched logs to Splunk, Microsoft Sentinel, and long-term storage in parallel.
  • Avoid custom pipeline engineering
    Onboard sources like Tenable, Palo Alto, and BeyondTrust using prebuilt transformations and routing logic.
  • Maintain ownership in open formats
    Store all logs in vendor-agnostic formats such as OCSF to ensure long-term accessibility and avoid lock-in.

The team also required a solution that would not disrupt existing SOC workflows handled by their MSSP.


What DataBahn delivered

To help the team reduce SIEM overload and improve OT visibility, DataBahn deployed a centralized telemetry control layer that handled ingestion, filtering, enrichment, and routing across all sites, without requiring new infrastructure or manual engineering effort.

Smart Edge Deployment

Lightweight Smart Edge nodes were installed across remote and bandwidth-constrained plants to locally process OT telemetry. These nodes:

  • Removed low-value logs like sensor pings and agent heartbeats
  • Flagged and retained events tied to suspicious activity or policy violations
  • Enriched and compressed data before forwarding to downstream destinations
  • Operated reliably in low-connectivity environments with minimal resource use

Volume Reduction and Enrichment

Using built-in filtering logic, the platform:

  • Applied volume suppression to reduce duplicate or irrelevant logs
  • Enriched logs with contextual metadata for better downstream correlation
  • Normalized incoming logs to a common schema so that downstream correlation and alerting behave the same regardless of source
  • Supported micro-indexing, enabling fast, lightweight search in Splunk
  • Preserved data in vendor-neutral formats (e.g., OCSF) for long-term reuse

Multi-Destination Routing

Filtered telemetry was routed to multiple systems simultaneously:

  • Splunk, for active SOC workflows
  • Microsoft Sentinel, as part of long-term SIEM transition
  • Cold storage, for compliance and investigation archive

No new SIEM connectors were needed, and routing rules could be centrally managed.

Out-of-the-Box Source Integration

DataBahn provided prebuilt connectors and transformations for common security tools. The team onboarded Tenable, Palo Alto, and BeyondTrust without field mapping or external engineering.

Unified Telemetry Management

With a single interface, the security team could:

  • Monitor data flows across both OT and IT environments
  • Apply consistent filtering, enrichment, and routing logic
  • Reduce dependency on MSSPs for pipeline updates and visibility

Optimized for SOC and MSSP Workflows

Because the organization’s SOC was externally managed, DataBahn ensured clean, enriched telemetry was ready for Level 1 and Level 2 analysts. This reduced triage effort, improved alert fidelity, and enhanced overall detection speed.


Results and what's next

Key Achievements

  • Reduced Splunk ingestion of OT logs by more than 50 percent
  • Integrated telemetry from multiple OT-enabled manufacturing sites
  • Accelerated incident investigation through micro-indexing and faster search
  • Maintained full data ownership with OCSF-formatted, vendor-neutral archives

Operational Impact

  • Analysts now work with cleaner, more relevant log streams, enabling quicker threat detection
  • Centralized telemetry management reduced manual pipeline maintenance and aligned with MSSP-managed SOC workflows
  • Prepared the team for a smooth transition from Splunk to Microsoft Sentinel without disrupting ongoing operations

Ready to accelerate towards Data Utopia?

Experience the speed, simplicity, and power of our AI-powered data fabric platform.
