Key Capabilities
Everything you need to make Sentinel sing
Six capabilities that turn raw telemetry into Sentinel-ready, cost-optimized, Security-Copilot-activated data without custom development.
Wide source coverage
Widely used sources across on-premises, cloud, legacy systems, OT/ICS networks, IoT devices, and custom applications are supported out of the box, with no custom development required.
ASIM normalization engine
Automated mapping and validation to Advanced Security Information Model schemas. All ingested data is immediately usable by Security Copilot and analytics rules.
Intelligent cost optimization
Filtering, deduplication, sampling, and field extraction reduce log volume by 50–90% before transmission without losing security-relevant information.
Multi-stage routing architecture
Intelligent routing to Sentinel Analytics Workspace, Sentinel data lake, Azure Blob (Parquet), and Azure Data Explorer – all configurable from a single pipeline.
Schema drift detection
Automatic validation prevents schema changes from breaking analytics rules or disrupting compliance audits. Proactive alerting on data quality issues.
Security Copilot ready
ASIM-compliant output unlocks Microsoft Security Copilot’s full potential: more accurate AI-driven threat detection, natural language queries, and automated response.
ARCHITECTURE
How DataStream works
A multi-stage pipeline that processes raw logs before they reach Sentinel: each step adds value and reduces cost.
Ingest
Logs from a wide range of sources via agents, syslog, APIs, and direct connectors
Parse & normalize
KQL parsers and ASIM schema mapping – CommonSecurityLog, Syslog, custom formats
Enrich & validate
Contextual metadata enrichment + schema validation via Data Collection Rules
Filter & optimize
Deduplication, sampling, and field extraction reduce volume by 50–90%
Route & deliver
Multi-stage routing: security-relevant → Sentinel Analytics, full data → Sentinel data lake, raw → Azure Blob, analytics → Azure Data Explorer
API & authentication
- Azure Monitor Logs Ingestion API
- Microsoft Entra ID (formerly Azure AD) OAuth 2.0 – client credentials flow
- Data Collection Rules (DCR) + Data Collection Endpoints (DCE)
- High-throughput batching with retry logic
- Rate limiting & throttle prevention built-in
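The list above names the transport DataStream uses. What that transport involves when written directly against the public Logs Ingestion API is shown in the following added example, which is not DataStream's own code: a client-credentials token request to the Microsoft identity platform, records batched under the API's 1 MB request limit, a POST to the Data Collection Endpoint addressed by DCR immutable ID and stream name, and retry with backoff on 429/5xx while failing fast on 400/401/403. The tenant, client, DCE, DCR and stream values are placeholders, and the simulated transport exists only so the example runs offline.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Added example client for the Azure Monitor Logs Ingestion API; not VirtualMetric code.
TOKEN_SCOPE = "https://monitor.azure.com//.default"   # the double slash is part of this API's scope string
API_VERSION = "2023-01-01"
MAX_BATCH_BYTES = 1_000_000                             # request bodies over 1 MB are rejected


def http_transport(url, body, headers):
    """Real transport: POST body to url, returning (status, response_headers, response_body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read()


def make_simulated_transport(ingest_statuses):
    """Offline stand-in for testing: hands out a fake token and answers ingestion
    POSTs with the given status codes in order (a 429 carries Retry-After: 0)."""
    queue = list(ingest_statuses)

    def transport(url, body, headers):
        if "/oauth2/v2.0/token" in url:
            return 200, {}, json.dumps({"access_token": "simulated-token"}).encode()
        status = queue.pop(0)
        return status, ({"Retry-After": "0"} if status == 429 else {}), b""
    return transport


def get_token(transport, tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials grant (app registration + secret) for the Monitor scope."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": TOKEN_SCOPE}).encode()
    status, _, resp = transport(url, body, {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status} {resp[:200]!r}")
    return json.loads(resp)["access_token"]


def ingest_url(dce_endpoint, dcr_immutable_id, stream_name):
    """DCE ingestion endpoint + the DCR's immutable ID + the stream declared in that DCR."""
    return (f"{dce_endpoint}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream_name}?api-version={API_VERSION}")


def json_bytes(obj):
    return len(json.dumps(obj, separators=(",", ":")).encode())


def batch_records(records, max_bytes=MAX_BATCH_BYTES):
    """Pack records into JSON arrays whose serialized size stays within max_bytes.
    A single oversized record is emitted alone; the API will reject it with 413."""
    batches, current, size = [], [], 2            # 2 bytes for the enclosing [ ]
    for rec in records:
        enc = json_bytes(rec)
        extra = enc + (1 if current else 0)       # +1 for the comma between records
        if current and size + extra > max_bytes:
            batches.append(current)
            current, size, extra = [], 2, enc
        current.append(rec)
        size += extra
    if current:
        batches.append(current)
    return batches


def send_batch(transport, url, token, batch, max_attempts=5, sleep=time.sleep):
    """POST one batch. 429 and 5xx are retried with Retry-After or exponential backoff;
    any other non-204 status (400 schema mismatch, 401/403 auth, 413 too large) fails fast.
    Returns the number of attempts used."""
    body = json.dumps(batch, separators=(",", ":")).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    for attempt in range(1, max_attempts + 1):
        status, resp_headers, resp_body = transport(url, body, headers)
        if status == 204:                          # success is 204 No Content
            return attempt
        retriable = status == 429 or 500 <= status < 600
        if not retriable or attempt == max_attempts:
            raise RuntimeError(f"ingestion failed after {attempt} attempt(s): HTTP {status} {resp_body[:200]!r}")
        retry_after = next((v for k, v in resp_headers.items() if k.lower() == "retry-after"), None)
        sleep(float(retry_after) if retry_after else min(2 ** attempt, 60))


def ship(transport, tenant_id, client_id, client_secret, dce_endpoint, dcr_immutable_id,
         stream_name, records, sleep=time.sleep):
    """Token, batching and delivery end to end; returns the attempts used per batch."""
    token = get_token(transport, tenant_id, client_id, client_secret)
    url = ingest_url(dce_endpoint, dcr_immutable_id, stream_name)
    return [send_batch(transport, url, token, b, sleep=sleep) for b in batch_records(records)]


if __name__ == "__main__":
    # Offline run with placeholder identifiers; pass http_transport and real values to go live.
    demo = make_simulated_transport([429, 204])
    records = [{"TimeGenerated": "2024-03-01T10:00:00Z", "RawData": f"constructed event {i}"} for i in range(3)]
    print(ship(demo, "<tenant-id>", "<client-id>", "<client-secret>",
               "https://<dce-name>.<region>.ingest.monitor.azure.com", "dcr-<immutable-id>",
               "Custom-Syslog_CL", records, sleep=lambda s: None))
```

Two details worth checking in any client of this API: the 1 MB limit applies to the serialized JSON body, not to the record count, and a 400 must never be retried, because it signals a mismatch between the records and the stream declared in the DCR, which is exactly what schema drift produces.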
ASIM components
- Pre-built analytics rules for common security scenarios
- KQL functions for custom log → ASIM transformation
- Anomaly detection on schema drift
- Workbooks & Playbooks included
- Security Copilot-optimized data structures
Deployment options
- Sentinel Content Hub – 1-click deployment
- Microsoft Security Store
- Azure Marketplace SaaS
- On-premises agent deployment
- Multi-tenant MSSP configurations
Built for enterprise challenges
Sentinel cost reduction
Sentinel’s consumption-based pricing makes costs unpredictable as log coverage expands. DataStream acts as an intelligent optimization layer that reduces log volume by 50–90% through ASIM-aware filtering, deduplication, and field extraction without creating security blind spots.
Legacy & OT integration
Legacy systems, OT networks, IoT devices, and custom applications lack native Sentinel connectors. DataStream provides ready-made connectors for all widely used sources and flexible transformation pipelines, reducing time-to-value from months to weeks.
Security Copilot activation
Security Copilot delivers significantly better results with ASIM-compliant data: more accurate detections, richer natural language queries, and faster automated investigations. DataStream’s automated ASIM mapping unlocks the full potential of Security Copilot across all ingested data.
MSSP customer onboarding
MSSPs and security integrators onboard new customers to Sentinel dramatically faster. Pre-built connectors, automated ASIM normalization, and cost optimization out of the box – standard deployment in two weeks instead of three months of custom development.
Customer Story
How Wortell gets more out of Microsoft Sentinel
See how a leading Microsoft managed security services provider uses DataStream to enrich Sentinel with third-party telemetry, optimize ingestion volumes, and onboard new customers in minutes.
COMPARISON
VirtualMetric vs. Alternatives
How does DataStream compare to other data pipeline solutions for Microsoft Sentinel?
| | Cribl Stream | Logstash | VirtualMetric DataStream | Native Sentinel |
|---|---|---|---|---|
| Native Microsoft Sentinel integration | Manual setup | Plugin required | Microsoft Security Store | |
| Automated ASIM normalization | Manual | Manual | Fully automated | Per connector |
| Security Copilot ready | | | Fully optimized | Connector dependent |
| OT / Legacy / IoT connectors | Add-ons req. | Custom config | All widely used sources built-in | |
| Multi-stage routing architecture | Basic routing | Pipeline only | Sentinel + Data Lake + Blob + ADX | |
| Raw data → Azure Blob (Parquet) | Manual setup | | | |
| Azure Data Explorer support | Manual setup | Plugin required | Native | |
| Ingestion cost reduction | Generic | | 50–90% ASIM-aware | |
| MSSP multi-tenant support | | | | |
| Schema drift detection | | | Real-time | |
| Deploy from Sentinel portal | | | 1-click Security Store | |
Frequently asked questions
How can I reduce Sentinel ingestion costs without creating security blind spots?
DataStream reduces log volume through a layered approach. By default, field-level optimization removes empty values, placeholder fields, and operational metadata that Sentinel analytics rules never reference, achieving 55–60% reduction with zero security risk. For higher savings, optional event-level filtering and statistical sampling can bring total reduction to 70–90%, with security-critical events always protected. Full raw logs are simultaneously routed to low-cost storage (Azure Blob, ADX, Sentinel Data Lake) with a Correlation ID, so analysts can retrieve complete records for forensic investigations when needed.
Read more: How to Reduce SIEM Costs Without Losing Security Visibility
Why do I need a pipeline tool if Sentinel already has DCRs and AMA?
DCRs and AMA handle ingestion and basic KQL-based transformations within Azure, but they have significant limitations. They can’t collect from agentless sources or systems without AMA support, they don’t normalize data to ASIM across diverse source types, and they send everything to a single destination. DataStream operates before data reaches Azure: it collects from any source via agentless WinRM/SSH or standard protocols, applies vendor-specific ASIM normalization with 170+ processors, optimizes volume before it ever hits Sentinel’s billing meter, and routes different data types to the right destination based on security value.
How does ASIM normalization work, and do I need to set it up manually?
DataStream handles ASIM mapping automatically: when logs arrive from a supported source, the multi-schema processing engine applies vendor-specific field mappings, validates the output against ASIM schema requirements, and routes the normalized data to the correct Sentinel tables. No manual parser writing or field mapping is required for supported sources.
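As an added example of the parse, normalize and validate stages described above (this is not VirtualMetric's parser, and the CEF-to-ASIM field mapping is this example's own assumption), the block below takes a CEF line from a hypothetical firewall, maps it onto ASIM NetworkSession field names, validates the result against the schema's required fields and enumerations, and compares the extension keys against the set recorded at onboarding. The second constructed line simulates a vendor firmware change that renames `act` to `action` and adds `app`: the record still validates (EventResult falls back to NA), so only the drift check reveals that DvcAction has silently disappeared and any rule keyed on it has stopped firing.

```python
import re
from datetime import datetime, timezone

# Added example, not VirtualMetric code. Sample lines and vendor are constructed.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")               # a pipe not escaped by a backslash
_EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")      # key=value pairs; values may contain spaces

# ASIM common fields every record must carry, plus the enumerations this example enforces
REQUIRED = ("EventCount", "EventStartTime", "EventEndTime", "EventType", "EventResult",
            "EventProduct", "EventVendor", "EventSchema", "EventSchemaVersion")
ENUMS = {"EventResult": {"Success", "Partial", "Failure", "NA"},
         "DvcAction": {"Allow", "Deny", "Drop", "Reset"}}
ACTION_MAP = {"allow": "Allow", "accept": "Allow", "permit": "Allow",
              "deny": "Deny", "block": "Deny", "drop": "Drop", "reset": "Reset"}
RESULT_FOR_ACTION = {"Allow": "Success", "Deny": "Failure", "Drop": "Failure", "Reset": "Failure"}


def _unescape(s):
    return s.replace(r"\|", "|").replace("\\\\", "\\")


def parse_cef(line):
    """Split 'CEF:Version|Vendor|Product|DevVersion|ClassID|Name|Severity|ext' into a dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields before the extension")
    version, vendor, product, dev_version, class_id, name, severity, ext = parts
    return {"Version": version, "DeviceVendor": _unescape(vendor), "DeviceProduct": _unescape(product),
            "DeviceVersion": dev_version, "DeviceEventClassID": class_id, "Name": _unescape(name),
            "Severity": severity, "Extension": dict(_EXT_KV.findall(ext))}


def _int(v):
    return int(v) if v is not None and v.isdigit() else None


def _iso(epoch_ms):
    """CEF 'rt' in epoch milliseconds -> ISO 8601 UTC; falls back to now if absent."""
    if epoch_ms and epoch_ms.isdigit():
        return datetime.fromtimestamp(int(epoch_ms) / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def to_asim_network_session(cef):
    """Map CEF header and extension onto ASIM NetworkSession field names (assumed mapping)."""
    ext = cef["Extension"]
    action = ACTION_MAP.get(ext.get("act", "").lower())
    ts = _iso(ext.get("rt"))
    rec = {
        "EventCount": 1, "EventStartTime": ts, "EventEndTime": ts,
        "EventType": "NetworkSession", "EventSchema": "NetworkSession", "EventSchemaVersion": "0.2.6",
        "EventVendor": cef["DeviceVendor"], "EventProduct": cef["DeviceProduct"],
        "EventOriginalType": cef["DeviceEventClassID"], "EventOriginalSeverity": cef["Severity"],
        "EventResult": RESULT_FOR_ACTION.get(action, "NA"), "DvcAction": action,
        "SrcIpAddr": ext.get("src"), "SrcPortNumber": _int(ext.get("spt")),
        "DstIpAddr": ext.get("dst"), "DstPortNumber": _int(ext.get("dpt")),
        "NetworkProtocol": ext.get("proto", "").upper() or None,
        "SrcBytes": _int(ext.get("in")), "DstBytes": _int(ext.get("out")),   # in/out orientation assumed
    }
    return {k: v for k, v in rec.items() if v is not None}


def validate(rec):
    """Return a list of schema problems; empty means the record is ASIM-conformant."""
    problems = [f"missing required field {f}" for f in REQUIRED if f not in rec]
    for f, allowed in ENUMS.items():
        if f in rec and rec[f] not in allowed:
            problems.append(f"{f}={rec[f]!r} not in {sorted(allowed)}")
    for f in ("SrcPortNumber", "DstPortNumber"):
        if f in rec and not 0 <= rec[f] <= 65535:
            problems.append(f"{f}={rec[f]} out of range")
    return problems


def drift(cef, baseline_keys):
    """Compare this event's extension keys with the set recorded at onboarding."""
    keys = set(cef["Extension"])
    return {"new": sorted(keys - baseline_keys), "missing": sorted(baseline_keys - keys)}


def process(line, baseline_keys):
    cef = parse_cef(line)
    rec = to_asim_network_session(cef)
    return rec, validate(rec), drift(cef, baseline_keys)


# Constructed lines from a hypothetical "Acme NGFW"; the second simulates a firmware
# upgrade that renamed `act` to `action` and added `app`.
SAMPLE_LINES = [
    "CEF:0|Acme|NGFW|7.1|TRAFFIC|Session denied|5|rt=1700000000000 src=10.0.0.5 spt=51234 dst=203.0.113.7 dpt=443 proto=tcp act=deny in=120 out=0",
    "CEF:0|Acme|NGFW|7.2|TRAFFIC|Session allowed|3|rt=1700000060000 src=10.0.0.9 spt=40001 dst=198.51.100.4 dpt=53 proto=udp action=allow app=dns in=64 out=128",
]
BASELINE_KEYS = set(parse_cef(SAMPLE_LINES[0])["Extension"])   # field set learned at onboarding

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec, problems, changes = process(line, BASELINE_KEYS)
        print(rec.get("DvcAction"), rec["EventResult"], problems, changes)
```

The point of keeping the drift check separate from validation is that a vendor can change its extension keys without producing a single invalid record; the baseline comparison is what turns that change into an alert before the analytics rules go quiet.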
How do I connect sources that don’t have native Sentinel connectors?
DataStream supports both agentless and agent-based collection. Agentless collection connects directly via WinRM (Windows) or SSH (Linux, macOS, Solaris, AIX) with no software installation. For network devices, OT/ICS systems, and security appliances, it supports Syslog, CEF, LEEF, and REST APIs. Pre-built content packs cover widely used vendors – Fortinet, Palo Alto, Check Point, CrowdStrike, CyberArk, Zscaler, and more – each activating automatically when logs from that vendor are detected.
How does DataStream handle sensitive data before it reaches Sentinel?
DataStream applies policy-based redaction and masking directly in the pipeline, before data leaves your environment. You define rules through a no-code UI to automatically remove or obfuscate sensitive fields: usernames, passwords, tokens, PII such as email addresses and phone numbers, or any custom field. Redaction is applied consistently across all incoming data, eliminating the risk of uneven coverage from manual processes. The structure and security context of each log remain intact, so detection rules and correlations in Sentinel continue to work accurately. Policies are designed to support GDPR, HIPAA, and PCI DSS requirements, and redacted data streams are audit-ready.
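An added example covering both this answer and the cost-reduction answer above (not DataStream's code; the policy fields, key and sample events are constructed): field-level pruning of empties, placeholders and operational metadata for the Sentinel copy, policy-based redaction applied to every copy before it leaves the pipeline, and a shared correlation ID linking the slim Sentinel record to the full record in cold storage. Usernames are pseudonymized with a keyed hash rather than deleted, so correlation across events and sources keeps working.

```python
import hashlib
import hmac
import json
import re
import uuid

# Added example, not VirtualMetric code. The policy below stands in for a no-code rule set.
PLACEHOLDERS = {"", "-", "n/a", "null", "none", "unknown"}                       # values carrying no information
OPERATIONAL_FIELDS = {"_internal_seq", "collector_host", "pipeline_latency_ms"}  # never referenced by rules
DROP_FIELDS = {"password", "token", "client_secret"}                             # must never leave the environment
PSEUDONYMIZE_FIELDS = {"user"}      # keyed hash: unreadable, but stable across events so joins still work
MASK_TEXT_FIELDS = {"msg"}          # free-text fields scanned for emails and phone numbers
EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def mask_text(text):
    """Keep the first character and domain of an email; replace phone numbers outright.
    Applied only to MASK_TEXT_FIELDS: running PHONE_RE over every string would also eat dates."""
    text = EMAIL_RE.sub(lambda m: f"{m.group(1)}***@{m.group(2)}", text)
    return PHONE_RE.sub("[phone]", text)


def redact(event, key):
    """Policy-based redaction: drop secrets, pseudonymize identities, mask free text."""
    out = {}
    for k, v in event.items():
        if k in DROP_FIELDS:
            continue
        if k in PSEUDONYMIZE_FIELDS and isinstance(v, str):
            out[k] = "u_" + hmac.new(key, v.lower().encode(), hashlib.sha256).hexdigest()[:16]
        elif k in MASK_TEXT_FIELDS and isinstance(v, str):
            out[k] = mask_text(v)
        else:
            out[k] = v
    return out


def prune(event):
    """Field-level optimization: drop nulls, placeholder values and operational metadata."""
    return {k: v for k, v in event.items()
            if k not in OPERATIONAL_FIELDS and v is not None
            and not (isinstance(v, str) and v.strip().lower() in PLACEHOLDERS)}


def route(event, key, new_id=lambda: uuid.uuid4().hex):
    """Redaction applies to both copies; pruning only to the copy Sentinel bills for.
    The shared CorrelationId lets an analyst fetch the full record from cold storage."""
    cid = new_id()
    clean = redact(event, key)
    full = dict(clean, CorrelationId=cid)          # -> Azure Blob / ADX / data lake
    slim = dict(prune(clean), CorrelationId=cid)   # -> Sentinel analytics workspace
    return {"sentinel": slim, "blob": full}


def reduction_ratio(events, key):
    """Share of serialized bytes kept out of the Sentinel workspace for these events."""
    def size(rec):
        return len(json.dumps(rec, separators=(",", ":")).encode())
    routed = [route(e, key) for e in events]
    full = sum(size(r["blob"]) for r in routed)
    slim = sum(size(r["sentinel"]) for r in routed)
    return 1 - slim / full


KEY = b"example-pseudonymization-key"   # hypothetical; in practice a per-tenant secret held in a key vault
SAMPLE_EVENTS = [   # constructed events, not from any real product
    {"ts": "2024-03-01T10:00:00Z", "user": "Alice.Smith", "action": "login", "result": "success",
     "src_ip": "10.1.2.3", "password": "hunter2",
     "msg": "login from alice.smith@example.com, callback +1 555 010 1234",
     "session": "", "device": "-", "geo": "N/A", "mfa": None,
     "_internal_seq": 4711, "collector_host": "col-01", "pipeline_latency_ms": 3},
    {"ts": "2024-03-01T10:00:05Z", "user": "alice.smith", "action": "sudo", "result": "failure",
     "src_ip": "10.1.2.3", "token": "tok-placeholder", "msg": "sudo denied",
     "session": "", "device": "unknown", "geo": "-", "mfa": None, "tags": "",
     "_internal_seq": 4712, "collector_host": "col-01", "pipeline_latency_ms": 2},
]

if __name__ == "__main__":
    print(json.dumps(route(SAMPLE_EVENTS[0], KEY)["sentinel"], indent=1))
    print(f"volume reduction on the sample: {reduction_ratio(SAMPLE_EVENTS, KEY):.0%}")
```

Two design choices matter here: secrets are dropped before either copy is written, so the forensic copy never becomes a credential store, and the pseudonym is an HMAC under a key that stays in your environment, which is what lets a detection in Sentinel still join the login and the sudo event on the same user without the name ever leaving.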
What do I need to get the most out of Microsoft Security Copilot?
Security Copilot unlocks its full potential when your Sentinel data is ASIM-compliant, normalized to a consistent schema that Copilot’s AI can query across all sources using natural language. Without ASIM, Copilot works with fragmented, inconsistently structured data, limiting the accuracy of detections, investigations, and automated responses. DataStream automatically maps all ingested data to ASIM before it reaches Sentinel, so every source from legacy on-prem systems to cloud services is immediately ready for Copilot’s AI-driven workflows without any additional setup.
How long does it take to deploy DataStream?
Initial deployment takes under 30 minutes. DataStream’s guided setup automatically handles Azure authentication, Log Analytics workspace creation, and DCR/DCE configuration; no manual Azure setup is required. A live demo by our solution engineer shows a complete Sentinel integration in 13 minutes. Watch it on YouTube.
Talk to our experts
Schedule a technical session with our engineering team to see how DataStream compares to what you’re running today.
Try DataStream
Route data to your SIEM in the correct schema, with automatic normalization and up to 90% data volume reduction.
Try now