Overview
Wortell is a Netherlands-based managed security services provider and one of Europe’s leading Microsoft partners. Its Enterprise Security division operates a next-generation Cyber Defense Center, delivering a 24/7 Managed eXtended Detection and Response (MxDR) service built entirely on Microsoft Sentinel, Defender XDR, Entra ID, and Purview. The service protects more than one million assets across the Netherlands and Belgium. In 2024, Wortell was named Microsoft Security MSSP of the Year globally, and in 2025 it won Microsoft Enterprise Security Partner of the Year in the Netherlands.
Delivering complete security visibility means covering more than just Microsoft telemetry. To bring third-party log sources – firewalls, network appliances, security tools, OT, and IoT – into the service at scale, Wortell needed a pipeline solution that didn’t require hands-on engineering for every onboarding.
VirtualMetric DataStream became that solution.
Today, Wortell delivers broader visibility, faster onboarding, and better detection without the overhead that once made it impossible. What previously required tens of hours of consultancy work is now a few clicks in the portal.
Challenges
The limits of manual log onboarding at scale
1. Every onboarding was a project
Onboarding a customer’s third-party logs required a block of consultancy hours (sometimes as many as 40) covering infrastructure setup, syslog configuration, and log transformation. Each customer’s environment was different, and every change required going through the customer’s change process.
2. No centralized control
Log forwarders sat at the customer edge, on-premises or in isolated Azure environments, outside Wortell’s security operations reach. When something needed to change, the process was: reach out to the customer, request access, make the change manually. There was no way to push updates across the estate from a single location.
3. Parsing and filtering happened after the fact
Filtering was done at query time, not at ingestion. There was no mechanism to drop noise before it hit Sentinel, which made cost a real concern when onboarding third-party log sources at scale.
4. Scaling required a different approach
The existing model, manual labor per customer, wasn’t compatible with Wortell’s growth. Bringing third-party log ingestion into the standard service offering required something that could be templated, reused, and managed centrally across all customers at once.
Solution
DataStream: a unified security data pipeline
Wortell adopted VirtualMetric DataStream after evaluating several alternatives. The decision came down to a combination of pricing fit for high-volume MSSP operations, the responsiveness of the VirtualMetric team during the proof of concept, and the product’s architecture.
Koos Goossens, Security Architect at Wortell, describes the shift:
“Now we have more like a one-click onboard solution. The agent onboarding is a PowerShell one-liner. They can run it on Linux, but also on Windows. Customers are really happy with that.”
Implementation highlights
Streamlined onboarding
A PowerShell one-liner installs the DataStream agent on both Linux and Windows, eliminating the Linux dependency that was a friction point for many customers. Pipeline configurations built for one customer’s vendor can be reused directly for the next, so repeat vendors require minimal setup.
Real-time filtering and parsing
DataStream processes logs before they reach Sentinel: dropping noise, compressing data, stripping null-valued fields, and parsing XML on the fly. This means only the events that matter get ingested into expensive storage, and the transformation happens at the pipeline level rather than at query time.
Centralized pipeline management
DataStream’s management portal gives Wortell full visibility and control across all customer deployments from a single location. Pipelines, filtering rules, parsing logic, and routing configurations can be updated once and pushed out to every Director instance across the estate, no customer involvement required.
Intelligent log routing
DataStream lets Wortell route data to the right destination at ingestion time: high-value alerts go directly into Sentinel, while bulk or verbose logs are sent to the Sentinel data lake for long-term storage at lower cost. This avoids the need to stream everything through Sentinel first, and makes it practical to retain more raw data for forensic use without inflating SIEM spend.
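The ingestion-time steps described above (parse XML, strip null-valued fields, drop noise, route by value), sketched as an added Python example; it is not DataStream configuration or code from Wortell or VirtualMetric. The event format, field names, noise rule, and severity thresholds are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed conventions for this sketch; a real source defines its own.
NULL_VALUES = {"", "-", "null"}
HIGH_VALUE = {"high", "critical"}
NOISE_TYPES = {"heartbeat"}

def parse_event(raw):
    """Parse one flat XML event. Malformed input is kept, not discarded."""
    try:
        # For untrusted sources, prefer a hardened parser such as defusedxml.
        root = ET.fromstring(raw)
    except ET.ParseError:
        return {"raw": raw, "parse_error": True}
    return {child.tag: (child.text or "").strip() for child in root}

def strip_nulls(event):
    """Remove fields that carry no information before they are stored."""
    return {k: v for k, v in event.items() if v not in NULL_VALUES}

def route(event):
    """Decide the destination at ingestion time rather than at query time."""
    if event.get("type") in NOISE_TYPES:
        return "drop"
    if event.get("severity", "").lower() in HIGH_VALUE:
        return "sentinel"   # analytics tier: detections run here
    return "datalake"       # cheaper long-term tier for forensic lookback

def process(raw_events):
    out = {"sentinel": [], "datalake": [], "dropped": 0}
    for raw in raw_events:
        event = strip_nulls(parse_event(raw))
        dest = route(event)
        if dest == "drop":
            out["dropped"] += 1
        else:
            out[dest].append(event)
    return out

# Constructed sample events (not real telemetry).
SAMPLE = [
    "<event><type>threat</type><severity>high</severity>"
    "<src>10.0.0.5</src><user></user><action>block</action></event>",
    "<event><type>traffic</type><severity>informational</severity>"
    "<src>10.0.0.7</src><app>-</app><action>allow</action></event>",
    "<event><type>heartbeat</type><severity>informational</severity></event>",
    "<event><type>traffic</type><severity>low</severity>",  # truncated
]

if __name__ == "__main__":
    print(process(SAMPLE))
```

Unparseable events go to the low-cost tier with a `parse_error` flag instead of being dropped, so a broken parser does not silently become a visibility gap.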
Results
Simplified onboarding. Detection with more context.
✔ 10x faster onboarding
What used to require up to 40 hours of consultancy work – setting up infrastructure, configuring syslog, coordinating with the customer – is now a short instruction to the customer and a few steps in the portal. The onboarding fee has been removed from every new proposal.
✔ Third-party log ingestion is now a default feature
DataStream changed the commercial conversation. Previously, when a prospect asked whether Wortell could onboard a third-party log source, the answer was “it depends”. Now the answer is “yes”. This has removed friction in RFPs and tenders where competitors offering a traditional Managed Detection and Response service were less focused on controlled ingestion.
✔ Better detection through broader correlation
More customer environments now have their firewall telemetry flowing into Sentinel. This means Wortell’s analysts can correlate Microsoft Defender signals (suspicious sign-ons, PowerShell activity) with network-layer observations from Palo Alto or other firewalls. Incidents carry more context, and detection quality improves as a result.
✔ Full visibility across the estate from one location
Wortell can now monitor ingestion metrics, pipeline health, and configuration state across all customers from the DataStream management portal – something that wasn’t possible when each customer’s log forwarder was an independent, remotely managed instance.