How Sunrun Cut Log Volume by 70% and Saved $200K Annually
With a two-week POC and 14 days to production value, Databahn reduced noisy telemetry, accelerated source onboarding, and gave Sunrun real-time control over security data flows.

Sunrun is the largest residential solar and battery provider in the U.S., supporting a rapidly expanding energy and technology footprint. As scale increased, security teams grappled with rising telemetry across distributed systems, apps, and cloud environments. Even after migrating from Splunk to a modern SIEM, onboarding new data sources was slow, and periodic data spikes drove up ingestion and licensing costs, making the environment harder to predict, maintain, and scale.
“We faced the same problem despite a SIEM migration: getting logs in quickly or affordably. Licensing was a big challenge. We wanted to filter heavily and only send security-relevant data.”
— Varun Singhal, Senior Manager, Security Operations
Sunrun’s migration to a next-gen SIEM exposed three operational limits: incomplete coverage from an onboarding backlog, monthly telemetry spikes that created license overages, and high engineering effort required to parse and normalize new sources.
- Managing source backlog: Numerous applications, including custom systems, had not been onboarded because of onboarding complexity and poor signal-to-noise ratios.
- Telemetry spikes: Cyclical log bursts caused ingestion delays and license threshold breaches.
- Engineering overhead: Many sources needed manual parsers and ongoing scripting, slowing onboarding and diverting engineers from detection work.
Sunrun needed a way to expand visibility without expanding cost and complexity. The goal wasn’t just reducing volume; it was establishing a repeatable and scalable way to onboard new sources, manage telemetry at the edge, and route the right data to the right systems based on purpose and relevance.
They needed a solution that could:
- Reduce SIEM ingestion and licensing costs.
- Onboard backlog sources quickly, including custom applications.
- Minimize manual parsing and engineering for new feeds.
- Maintain continuous visibility and data governance.
- Free security engineers to focus on detections and investigations.
Databahn was deployed as Sunrun’s security data pipeline to centralize ingestion, enforce schema normalization, apply upstream volume control, and orchestrate routing to analytic and archive targets. The platform was delivered SaaS-first with no-code configuration for pipelines and rules.
- Connector-driven ingestion. Over 500 plug-and-play connectors collected telemetry from cloud, on-prem, and application sources, removing most custom parsing work.
- Upstream volume control. Rule-based suppression with a library of pre-built filters removed low-value telemetry before it reached the SIEM.
- Native normalization. Auto-parsing and native data model transformation aligned events to target schemas on ingestion, reducing schema drift.
- Purpose-driven routing. Policies routed security-relevant events to the SIEM and archived full-fidelity logs to cheaper storage for replay and audit.
- Real-time visibility and controls. Teams could observe flows, tune rules, and map destinations without writing custom code.
“Unlike the other vendors, Databahn was security-first and came with content that helped us immediately separate and tier security data by relevance. This enabled us to optimize SIEM ingestion and cost without sacrificing security.”
— Varun Singhal, Senior Manager, Security Operations
Sunrun moved from POC to real impact quickly. The platform reduced noisy telemetry, unlocked backlog onboarding, and lowered operational load on engineers.
- 70% reduction in ingestion. Rule-based suppression and pre-built filters removed redundant telemetry, improving signal quality and cutting volume.
- $200K annual savings. Lower SIEM licensing and storage costs from reduced ingestion and tiered routing.
- Faster onboarding. Engineers set up ingestion pipelines in minutes instead of days. Dozens of previously un-routed sources, including Tier 2 and Tier 3 apps, were onboarded within weeks.
- Lower engineering effort. The team no longer needed to write custom parsers or continuously maintain collectors, freeing engineers for higher-value detection and automation tasks.
- Platform-ready roadmap. The data control layer now supports Sunrun’s next steps: a security data lake and future SIEM migrations with minimal rework.
“We were up and running almost instantly, and the impact was immediate. Databahn gave us control, clarity, and the ability to scale without friction.”
— Varun Singhal, Senior Manager, Security Operations
Conclusion
Sunrun centralized control of security telemetry with Databahn, removing a backlog of integrations and avoiding recurring license overages. The SOC now operates with cleaner data, consistent schemas, and faster onboarding, while engineers focus on detection rather than parsers. With Databahn in place, Sunrun is positioned to add a security data lake and scale its analytics and automation capabilities without repeating previous integration pain.