Operations | Monitoring | ITSM | DevOps | Cloud

Security operations teams depend on telemetry from everywhere: endpoints, identity systems, cloud platforms, networks, applications, and security tools. This data underpins detection, investigation, compliance, and response.

Microsoft Sentinel adoption often introduces unexpected complexity. While the platform delivers powerful SIEM and XDR capabilities, organizations frequently struggle with manual DCR configuration, inconsistent data quality, rising ingestion costs, and security risks associated with credential-based integrations. VirtualMetric DataStream is now available in the Microsoft Sentinel Content Hub, reducing the effort required to deploy normalized and cost-optimized data ingestion.

Elasticsearch has long been the backbone of security analytics for organizations that need fast search, flexible dashboards, and scalable visibility across massive datasets. It powers everything from threat hunting to compliance reporting and real-time investigation. But anyone who has operated Elasticsearch at scale also knows a quiet truth: Elasticsearch is only as strong as the data you feed it. And getting clean, consistent, usable telemetry into Elastic is often the hardest part.

This month’s DataStream update brings meaningful improvements across pipeline management, MSSP workflows, and endpoint visibility. We’ve focused on giving security teams more control over how data moves through their environment, expanding coverage for both Windows and Linux, and strengthening governance for multi-tenant deployments. Let’s walk through what’s new.

As security data volumes grow, so do the costs of processing and storing them. Microsoft Sentinel and other SIEM platforms charge based on data ingestion, which makes every decision about normalization rules critical and every duplicate log a direct expense. Enterprise-scale security data pipelines face a persistent problem: data duplication across normalization tiers. As logs move through multiple transformation stages, it’s often impossible to know in advance which version will succeed.

This update delivers significant advances in operational flexibility and security monitoring capabilities. It addresses the evolving needs of security teams across diverse deployment environments, from air-gapped networks to those prioritizing automation and simplicity, while expanding integration options and improving visibility into data flows.

Modern security operations teams face an overwhelming challenge: a rapidly growing volume of logs, alerts, and telemetry from cloud services, on-premises infrastructure, and third-party security tools. Traditional SIEM platforms often struggle to scale cost-effectively and provide the agility needed for advanced analytics and threat hunting.

Logstash has been a workhorse in data processing pipelines for years, but it was not designed with today’s security operations in mind. Security teams now deal with massive telemetry volumes, rising SIEM costs, and diverse log formats that require constant normalization. In this environment, Logstash shows its age: manual configuration, outdated parsing, and scalability bottlenecks introduce fragility instead of efficiency.

This month we’re rolling out several new capabilities designed to simplify daily work for SOC teams, MSSPs, and enterprise security operations. The focus is on easier access control, streamlined log management, and faster vendor onboarding.