Security teams face an impossible choice: send all their data to their SIEM and watch costs skyrocket or risk missing the critical signals that indicate a breach. This dilemma forces enterprises to make trade-offs that can weaken visibility or drain security budgets.
To eliminate that trade-off, we introduced Federated Search, giving customers flexibility in where their data lives. Teams can store all security-relevant data in Cortex XSIAM® for AI-driven detection, investigation, and response, while still querying additional sources like high-volume application logs in external data stores. You get the insights you need, without being forced to centralize everything.
But that flexibility raises a new question: how do you intelligently ingest, route, and optimize data in the first place? How do you control what belongs in Cortex XSIAM, what can stay in an external data lake, and what doesn’t need to be kept at all?
That’s why we’re excited about our acquisition of Chronosphere. By bringing powerful telemetry pipeline capabilities into our product portfolio, we’re delivering what security teams have long needed: fine-grained control over data to help prevent runaway costs without sacrificing security visibility.

Simplifying Data Onboarding and Management
The Chronosphere Telemetry Pipeline gives teams a better way to bring in and manage security and observability data. Built on the Fluent Bit engine, it collects telemetry from hundreds of sources, including cloud services and Kubernetes as well as legacy on-prem systems and third-party APIs. The data is filtered, normalized, enriched, and sent to where it is most useful.
Unlike managing a patchwork of open source agents individually, Chronosphere Telemetry Pipeline provides a control plane to manage hundreds of collectors from a single user interface. This means IT and security teams can work more efficiently, reducing tool sprawl while security context enriches every log, metric, and trace. You maintain flexibility to route data to XSIAM, cloud service providers, or multiple destinations based on your operational needs.
The Power of Control at the Edge
Traditional logging forces a "send everything" approach, which can drive up costs while critical threats drown in noise. Chronosphere Telemetry Pipeline flips this model by providing control at the edge. Because it’s built on Fluent Bit, it offers a lightweight, high-throughput engine that sits directly in your environment, whether that’s a Kubernetes cluster, a cloud instance, or an on-prem server.
Consider a web server generating millions of "200 OK" logs. While valuable for observability, they create noise for security analysts. With Telemetry Pipeline, you set rules to sample just 1% of those logs for trend analysis while sending 100% of "403 Forbidden" or "500 Error" logs directly to XSIAM for immediate threat detection. This signal-to-noise optimization accelerates investigation times and reduces costs.
Chronosphere Telemetry Pipeline also enables you to drop low-value debug logs at the source, compress and truncate bulky files to lower cloud egress fees, and mask sensitive data like emails or SSNs before it reaches the cloud, ensuring strict GDPR and CCPA compliance.
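The edge policy described in the two paragraphs above, as an added Python sketch (it is not Chronosphere or Fluent Bit configuration, and not code from this post). The record fields `id`, `level`, `status` and `message`, the destination labels `siem` and `trend`, and the fail-open default for other status codes are assumptions made for the example.

```python
import hashlib
import re

SAMPLE_RATE_200 = 0.01          # keep 1% of "200 OK" records for trend analysis
ALWAYS_FORWARD = {403, 500}     # 100% of these go to the SIEM
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def mask(text):
    """Redact e-mail addresses and US SSNs before the record leaves the host."""
    return SSN_RE.sub("[SSN]", EMAIL_RE.sub("[EMAIL]", text))


def keep_sampled(record_id, rate):
    """Deterministic sampling: hash the record id into [0, 1) and compare to rate.
    A retried or replayed record gets the same decision, so retries do not skew
    the sample and the decision can be reproduced during an investigation."""
    digest = hashlib.sha256(record_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64 < rate


def route(record):
    """Return (destination, record); destination None means dropped at the edge."""
    if record.get("level") == "debug":
        return None, None                       # low-value debug logs never leave
    clean = dict(record, message=mask(record.get("message", "")))
    status = record.get("status")
    if status in ALWAYS_FORWARD:
        return "siem", clean                    # security-relevant: never sampled
    if status == 200:
        if keep_sampled(record["id"], SAMPLE_RATE_200):
            return "trend", clean
        return None, None
    return "siem", clean                        # assumption: anything else fails open


if __name__ == "__main__":
    # Constructed sample records, not real traffic.
    samples = [
        {"id": "r1", "level": "info", "status": 403,
         "message": "denied for bob@example.org"},
        {"id": "r2", "level": "debug", "status": 200, "message": "cache warm"},
        {"id": "r3", "level": "error", "status": 500,
         "message": "lookup failed ssn 123-45-6789"},
    ]
    for rec in samples:
        print(route(rec))
```

Masking runs before the routing decision so that no path, sampled or not, can forward an unredacted message.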
Native Cortex XSIAM Integration: Get Going in Minutes
Cortex XSIAM is now available as a destination in the Telemetry Pipeline user interface. Data from hundreds of sources can be sent to Cortex XSIAM in a few clicks, without the complexity of custom APIs. The pipeline pre-formats logs to match Cortex XSIAM requirements, so data reaches the Cortex XSIAM data lake already parsed and ready for the XQL engine.

You can also enrich data on the fly, adding context like GeoIP, user roles, or environment tags during transit. Security analysts receive full context immediately, eliminating the need to pivot between tools to piece together the story.
Built to Scale, With Up to 95% Less Infrastructure
Chronosphere was built for the data demands of the AI era. Its next-generation architecture is designed to scale across massive cloud data volumes, with efficiency and reliability built in from day one. The result is a telemetry pipeline that delivers the scale modern security teams need—without the infrastructure drag.
In practice, Chronosphere has been shown to require up to 20x less infrastructure than alternative pipelines, allowing teams to process far more data at a fraction of the cost. That efficiency directly translates into lower SOC spend, often reducing data volumes by up to 30%, without introducing another expensive layer into the stack.
Chronosphere has already proven its capabilities with category-defining companies leading the AI revolution and is recognized as a Leader in the 2025 Gartner Magic Quadrant for Observability Platforms.
For Cortex XSIAM users, this means faster mean time to remediation, lower operational costs, and the flexibility to scale security operations without the typical "data tax". You get the right data, in the right format, fueling the AI that protects your organization, all while maintaining complete control over your telemetry pipeline.
Cortex XSIAM lets teams focus on detection and response, while telemetry is managed efficiently in the background by Chronosphere.