Content Packs

The Content Hub is stocked with content packs—pre-built, professionally-developed pipeline configurations that handle parsing, normalization, and enrichment for a specific data source or schema transformation. More than 80 packs are available, spanning Microsoft Sentinel parsers, third-party SIEM normalization, cloud security analytics, and schema/format converters. Each pack is built and maintained by VirtualMetric's engineering team and tested against real-world log samples, so it can be installed and put into production without writing pipeline logic from scratch.

note

In the Content Hub interface, a content pack is presented as a template. The two terms refer to the same artifact—every template in the library is a content pack. A pack that additionally bundles a ready-made route becomes a complete data-flow solution; see Content Routing for how routing is packaged and installed.

What Content Packs Deliver

Building a pipeline for a complex source—field extraction, normalization to a target schema, enrichment, output formatting—can take hours or days. A content pack delivers that work pre-built, tested, and maintained. Its primary purpose is to spare users from designing frequently-used telemetry pipelines from the ground up: install a purpose-built pack, then customize it for the specific use case instead of starting from an empty pipeline.

| Without content packs | With a content pack |
|---|---|
| Hand-write parsers and field mappings for every vendor | Install a pre-built, source-specific pipeline |
| Manually normalize each source to your target schema | Vendor logs land in a consistent schema (ASIM, OCSF, UDM, CIM, ECS, CSL) |
| Build and run your own test fixtures | Each pack ships sample logs and expected output, validated before release |
| Track and rework pipelines as vendor log formats change | Receive versioned updates that preserve your customizations |
| Tune storage and ingestion cost yourself | Sampling, filtering, and field cleanup are built into the pack |

Tested Before Release

A content pack is not just pre-written—it is validated. Every pack ships with sample input logs and the expected normalized output, exercised by automated tests, so the parsing and schema mapping are verified against real vendor data before the pack reaches the library.

Cost Optimization Built In

Packs are designed for the high-volume, cost-sensitive environments DataStream targets. Source-specific packs include data optimization—sampling and filtering options that reduce storage cost while maintaining security visibility—and the Microsoft Sentinel normalization packs apply recursive cleanup of empty and null values to shrink the storage footprint and improve ingestion performance at the destination.

Versioned, Non-Destructive Updates

Each pack carries a version, a last-updated date, and release notes. When VirtualMetric updates a pack, the merge workflow lets you review and selectively accept changes while keeping organization-specific modifications intact—so you inherit ongoing vendor-format upkeep without re-doing or re-testing your customizations. See Content Hub Overview for the update workflow.

Yours to Customize

An installed pack is not an opaque connector. It becomes a fully editable pipeline in your environment: an expert-built starting point you own outright, free to adapt to specific requirements rather than work around.

A Sample of the Catalog

The library spans Microsoft Sentinel parsers, third-party SIEM normalization, cloud security analytics, and schema/format converters. The following is a representative selection—not the full catalog—to illustrate the range.

Microsoft Sentinel

| Pack | Purpose |
|---|---|
| Microsoft Sentinel Advanced Security Information Model (ASIM) Normalization Pack | Multi-source event normalization and automation for Microsoft Sentinel with comprehensive ASIM transformation support. |
| Microsoft Sentinel Common Security Log (CSL) Normalization Pack | Multi-source event normalization and automation for Microsoft Sentinel with comprehensive CSL transformation support. |
| Check Point Firewall Pack for Microsoft Sentinel | ASIM parser for Check Point VPN-1 & FireWall-1 logs with network session normalization. |
| Palo Alto Networks PAN-OS Pack for Microsoft Sentinel | ASIM parser for Palo Alto Networks PAN-OS logs with network session and web session normalization. |

Third-Party SIEM

| Pack | Purpose |
|---|---|
| IBM QRadar Automation and Normalization Pack | Data processing pipeline for IBM QRadar SIEM with multiple log sources and LEEF normalization. |
| ArcSight SIEM Automation and Normalization Pack | Data processing pipeline for ArcSight SIEM with multiple log sources and CEF normalization. |
| CrowdStrike Falcon Next-Gen SIEM Automation Pack | Data processing pipeline for CrowdStrike Falcon Next-Gen SIEM with multi-format log support and intelligent routing. |
| Sumo Logic Cloud SIEM Automation and Normalization Pack | Data processing pipeline for Sumo Logic Cloud SIEM with multiple log sources and JSON normalization. |

Cloud Security Analytics

| Pack | Purpose |
|---|---|
| Amazon Security Lake Automation and Normalization Pack | Multi-source normalization for Amazon Security Lake with comprehensive OCSF (Open Cybersecurity Schema Framework) transformation support. |
| Google Security Operations Automation and Normalization Pack | Data processing pipeline for Google Security Operations with multiple log sources and UDM normalization. |
| Google Security Operations Unified Data Model (UDM) Normalization Pack | Multi-source normalization for Google SecOps with comprehensive UDM transformation support. |
| Splunk Automation and Normalization Pack | Data processing pipeline for Splunk with multiple log sources and CIM normalization. |

Schema and Format Converters

| Pack | Purpose |
|---|---|
| CEF to CSL Parser Pack for Microsoft Sentinel | Common Event Format to Common Security Log parser with comprehensive field mapping and schema normalization. |
| LEEF to CSL Parser Pack for Microsoft Sentinel | Log Event Extended Format to Common Security Log parser with comprehensive field mapping and schema normalization. |
| OCSF to ASIM Transformation Pack | Post-processor that converts OCSF-formatted logs to Microsoft Sentinel's ASIM format. |
| Syslog Vendor Autodiscovery Pack | Intelligent syslog vendor detection and routing with multi-format support for automated security log processing. |

Elastic Common Schema

| Pack | Purpose |
|---|---|
| ECS to ASIM Transformation Pack for Microsoft Sentinel | Post-processor that converts Elastic Common Schema logs to Microsoft Sentinel's ASIM format. |
| Check Point Firewall Pack for Elasticsearch | Elastic Common Schema parser for Check Point firewall logs with security event normalization and threat analysis. |

Combining Packs

Each pack addresses a separate concern, so packs can be combined into a single processing chain. Source-specific parser packs normalize raw vendor logs to an intermediate schema, and format-converter packs then transform that intermediate schema to the destination format.

For example, the Microsoft Sentinel ASIM pack routes syslog through CEF/LEEF detection, hands CEF messages to the CEF→CSL pack and LEEF messages to the LEEF→CSL pack, runs native syslog through the Syslog Vendor Autodiscovery pack, and converges all paths on ASIM transformation. Required and optional dependencies between packs are resolved at install time—see Content Hub Integration.
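The chain just described, as an added Python illustration that is not VirtualMetric's pipeline code: stage 1 detects CEF versus LEEF versus native syslog, stage 2 hands the message to the matching parser, and stage 3 converges every path on one ASIM-style record and applies the recursive null/empty cleanup mentioned under Cost Optimization Built In. The sample messages, the parsers, the sshd pattern and the field subset are constructed for this example and do not reproduce any pack's mappings; CEF header escaping and LEEF hex delimiters are not handled.

```python
import re
SAMPLES = [  # constructed sample messages (illustrative, not real vendor output)
    "<134>Jan 10 10:00:00 fw01 CEF:0|Check Point|VPN-1 & FireWall-1|R81|accept|Accept|3|src=10.0.0.5 dst=10.0.0.9 dpt=443 proto=tcp",
    "<134>Jan 10 10:00:01 qr01 LEEF:2.0|IBM|QRadar|7.5|Login|^|src=10.0.0.7^dst=10.0.0.1^usrName=alice",
    "<34>Jan 10 10:00:02 host1 sshd[123]: Failed password for root from 10.0.0.8 port 5222 ssh2",
]
EMPTY = (None, "", {}, [])  # values the recursive cleanup drops

def detect_format(msg):
    """Stage 1: CEF/LEEF detection; anything else is treated as native syslog."""
    if re.search(r"\bCEF:\d+\|", msg):
        return "cef"
    return "leef" if re.search(r"\bLEEF:\d+(\.\d+)?\|", msg) else "syslog"

def parse_cef(msg):
    """Stage 2a: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    _, vendor, product, _, sig_id, _, _, ext = msg[msg.index("CEF:"):].split("|", 7)
    kv = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", ext))  # extension values may contain spaces
    return {"EventVendor": vendor, "EventProduct": product, "EventOriginalType": sig_id,
            "SrcIpAddr": kv.get("src"), "DstIpAddr": kv.get("dst"),
            "DstPortNumber": kv.get("dpt"), "NetworkProtocol": kv.get("proto")}

def parse_leef(msg):
    """Stage 2b: LEEF:2.0|Vendor|Product|Version|EventID|delim|attrs (tab when delim is absent)."""
    f = msg[msg.index("LEEF:"):].split("|")
    delim = f[5] if len(f) > 6 else "\t"
    kv = dict(p.split("=", 1) for p in f[-1].split(delim) if "=" in p)
    return {"EventVendor": f[1], "EventProduct": f[2], "EventOriginalType": f[4],
            "SrcIpAddr": kv.get("src"), "DstIpAddr": kv.get("dst"), "SrcUsername": kv.get("usrName")}

def parse_syslog(msg):
    """Stage 2c: native syslog; only a constructed OpenSSH failure pattern is recognised here."""
    m = re.search(r"sshd\[\d+\]: Failed password for (\S+) from (\S+) port (\d+)", msg)
    if not m:
        return {"EventOriginalType": "unparsed"}
    return {"EventVendor": "Linux", "EventProduct": "sshd", "EventOriginalType": "Failed password",
            "TargetUsername": m.group(1), "SrcIpAddr": m.group(2), "SrcPortNumber": m.group(3)}

def strip_empty(value):
    """Recursive cleanup: drop null/empty leaves, then any container left empty by that."""
    if isinstance(value, dict):
        return {k: v for k, v in ((k, strip_empty(v)) for k, v in value.items()) if v not in EMPTY}
    if isinstance(value, list):
        return [v for v in map(strip_empty, value) if v not in EMPTY]
    return value

def normalize(msg):
    """Stage 3: every path converges on one ASIM-style record (field subset is illustrative)."""
    parser = {"cef": parse_cef, "leef": parse_leef, "syslog": parse_syslog}[detect_format(msg)]
    return strip_empty(parser(msg))
```

Running `normalize` over `SAMPLES` yields three records with the same field vocabulary regardless of which input format produced them, with absent fields removed rather than shipped as nulls.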

Because conversion is packaged separately from parsing, the same normalized stream can be directed to more than one analytics platform. Converter packs translate a normalized stream toward Microsoft Sentinel (ASIM), Amazon Security Lake (OCSF), Google SecOps (UDM), and Splunk (CIM), so a single source pipeline is not locked to one destination.

Microsoft Sentinel Integration

Microsoft Sentinel integration is a central aspect of the offering. The Microsoft Sentinel ASIM and CSL normalization packs transform diverse sources—syslog (native, CEF, LEEF), Windows Security, Firewall, and DNS events, and more—into ASIM- or CSL-compliant output, with automatic source detection and vendor-specific normalization for 30+ security platforms.

Source-specific packs in the Microsoft Sentinel family—for example, the Check Point and Palo Alto Networks packs—map vendor logs directly to ASIM schemas such as NetworkSession. Because every vendor lands in the same ASIM schema, detection rules, hunting queries, and workbooks are written against the schema rather than each vendor's log format, and continue to work when sources are added or swapped.

Vendor detection and routing run through a centralized vendor pack family, so the normalization packs automatically pick up newly supported vendors without requiring the installed pack itself to be changed.

Learning Pipeline Configuration

Content packs double as a working reference for configuring multi-processor pipelines. Each pack's full pipeline definition is available read-only in the Pipeline Overview tab of the Content Hub detail view, including parent and child pipeline relationships, so users can study how processors are combined for parsing, conditional routing, and normalization before adapting the same patterns to their own pipelines. See Content Hub Overview for the detail-view tabs.

Routes In Content Packs

A pack can bundle a ready-made route alongside its pipeline. Installing the route lets users forward processed data to multiple destinations without manually building routing rules, and a single route can be combined with multiple installed pipelines. The route target types defined by the pack are mapped to configured target instances at install time. The full mechanism—target mapping, route-only installation, and managing installed content routes—is documented in Content Routing.

Licensing

Content packs ship with explicit license terms. Original VirtualMetric pipelines, configurations, and integrations are licensed under the Elastic License 2.0. Packs that derive from Microsoft Sentinel content carry a dual license: the original Microsoft Sentinel content under the MIT License, and VirtualMetric's modifications and configurations under the Elastic License 2.0. Packs derived from Elastic Integrations are likewise licensed under the Elastic License 2.0. Each pack's complete license text is shown in the License Details tab of its detail view. For the full licensing framework, see Content Hub Licensing.

Content Pack Vendors

The content packs cover a broad set of security and infrastructure vendors and platforms:

| | Vendor |
|---|---|
| A | Akamai, Amazon, ArcSight, Arista, Aruba |
| B | Barracuda |
| C | Check Point, Cisco, Citrix, Corelight, CrowdStrike, CyberArk |
| D | Darktrace, Databricks, Datadog |
| E | Elastic, ESET, ExtraHop |
| F | F5, Forcepoint, Fortinet |
| G | Google, Graylog |
| H | Hillstone |
| I | IBM, Infoblox |
| J | Juniper |
| L | Linux, LogPoint |
| M | Microsoft |
| N | Netgate, Nozomi Networks |
| O | OCSF, OpenText, OVHcloud |
| P | Palo Alto Networks, Proofpoint |
| R | Rapid7 |
| S | SentinelOne, SNARE, SonicWall, Sophos, Splunk, Squid, Sumo Logic, Symantec |
| T | Trellix |
| U | Ubiquiti |
| V | Vectra, VirtualMetric |
| W | WatchGuard |
| Z | Zscaler |