SIEM Integration: Overview

Security Information and Event Management (SIEM) platforms serve as the central nervous system for security operations, aggregating and analyzing telemetry from across the enterprise. However, as organizations scale, telemetry volumes grow exponentially while per-GB ingestion costs remain fixed. DataStream provides an intelligent preprocessing layer that optimizes data before it reaches your SIEM, reducing costs while improving data quality.

The Cost Challenge

SIEM platforms typically charge based on ingestion volume, whether measured in GB/day or events/second. As infrastructure grows and compliance requirements expand, organizations face a difficult choice: ingest everything and exceed budget, or sample data and risk missing critical security events.

The reality is that most ingested telemetry provides minimal security value. Verbose debug logs, redundant heartbeat messages, and low-fidelity events consume budget without improving detection capabilities. Security teams need the signal, not the noise.

Cost Reduction Potential

Organizations typically achieve 40-60% reduction in SIEM ingestion costs by filtering low-value telemetry before it reaches the platform. DataStream's field-level optimization removes unnecessary fields while preserving all security-critical data required for detection and response.

DataStream's Role

DataStream sits between your telemetry sources and SIEM platform, processing data in transit to maximize security value per dollar spent:

Capability   Benefit
Filter       Remove noise before it reaches the SIEM, reducing volume and cost
Normalize    Convert to platform-native formats (UDM, CEF) for immediate query readiness
Enrich       Add context (GeoIP, threat intel, asset data) during transit
Route        Direct different log types to appropriate destinations for hot/cold tiering

This approach preserves security visibility while dramatically reducing ingestion costs. High-value security events reach your SIEM in normalized format, ready for detection rules and hunting queries. Low-value telemetry can be filtered, sampled, or routed to cost-effective storage for compliance retention.
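The filter, normalize and route stages described above, as an added illustration in Python that is not DataStream's code or configuration: it runs constructed sample events through a small in-memory pipeline, drops heartbeats and debug chatter, strips non-security fields, renders the survivors as CEF lines, routes security events to the hot tier and the rest to cold retention, and reports the byte volume before and after. The event shapes, field names, vendor/product strings and tiering rules are assumptions for the example.

```python
import json
# Constructed sample telemetry (not from the page): noise mixed with security events.
SAMPLE_EVENTS = [
    {"source": "app", "level": "DEBUG", "msg": "cache miss for key 42"},
    {"source": "agent", "type": "heartbeat", "host": "web-01"},
    {"source": "auth", "level": "WARN", "type": "login_failure",
     "user": "alice", "src_ip": "203.0.113.7", "trace": "x" * 200},
    {"source": "dns", "type": "query", "qname": "example.com"},
    {"source": "firewall", "type": "deny", "src_ip": "198.51.100.9",
     "dst_port": 3389, "debug_blob": "y" * 300},
    {"source": "agent", "type": "heartbeat", "host": "web-02"},
]
DROP_FIELDS = {"trace", "debug_blob"}        # assumed to carry no detection value
SECURITY_TYPES = {"login_failure", "deny"}   # assumed to belong in the hot SIEM tier

def is_noise(event):
    """Filter stage: heartbeats and debug chatter never reach the SIEM."""
    return event.get("type") == "heartbeat" or event.get("level") == "DEBUG"

def strip_fields(event):
    """Field-level optimization: drop non-security fields, keep everything else."""
    return {k: v for k, v in event.items() if k not in DROP_FIELDS}

def cef_escape(value, header=False):
    """CEF escapes backslash and '|' in header fields, backslash and '=' in extensions."""
    s = str(value).replace("\\", "\\\\")
    return s.replace("|", "\\|") if header else s.replace("=", "\\=")

def to_cef(event):
    """Normalize stage: render a CEF line (vendor/product names are placeholders)."""
    name = cef_escape(event.get("type", "info"), header=True)
    ext = " ".join(f"{k}={cef_escape(v)}" for k, v in event.items()
                   if k not in ("source", "type"))
    return f"CEF:0|ExampleVendor|DataStreamDemo|1.0|{name}|{name}|5|{ext}"

def route(event):
    """Route stage: security events go to the SIEM, the rest to cold retention."""
    return "siem_hot" if event.get("type") in SECURITY_TYPES else "cold_storage"

def run_pipeline(events):
    """Returns routed CEF lines plus byte volume before and after optimization."""
    out = {"siem_hot": [], "cold_storage": []}
    raw_bytes = sum(len(json.dumps(e)) for e in events)
    sent_bytes = 0
    for e in events:
        if is_noise(e):
            continue                         # dropped before ingestion cost accrues
        line = to_cef(strip_fields(e))
        out[route(e)].append(line)
        sent_bytes += len(line)
    return out, raw_bytes, sent_bytes
```

Comparing `sent_bytes` against `raw_bytes` on the sample shows where the savings come from: whole events dropped at the filter stage and bulky non-security fields stripped from the events that remain.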

Multi-Platform Support

DataStream can simultaneously send optimized data to multiple SIEM platforms. A single processing pipeline can output to both Microsoft Sentinel and Google SecOps, each receiving data in its native format (ASIM/CEF for Sentinel, UDM for SecOps).

Supported Platforms

DataStream provides native integration with leading SIEM platforms:

Microsoft Sentinel

Microsoft Sentinel is Azure's cloud-native SIEM platform for security analysis and monitoring. DataStream forwards structured fields directly to Sentinel, automatically converting data to ASIM-compatible formats. The integration supports Log Analytics workspaces, custom tables, and Data Collection Rule (DCR) based ingestion for flexible data routing.

Google Security Operations

Google Security Operations (formerly Chronicle) provides Google Cloud's security analytics capabilities. DataStream sends processed telemetry using V1 or V2 ingestion APIs with support for both unstructured log data and pre-normalized UDM payloads. The integration includes 22 regional endpoints for data residency compliance.

Each integration includes pre-built pipeline templates optimized for common log sources, automatic format conversion, and secure authentication options.