Content Packs

Overview

Cloud SIEM Content Packs provide out-of-the box content for key security integrations. Depending on the integration, a Content Pack can include the following:

  • Detection Rules to provide comprehensive coverage of your environment
  • An interactive dashboard with detailed insights into the state of logs and security signals for the Content Pack
  • Investigator, an interactive graphical interface for investigating suspicious activity by a user or resource
  • Workflow Automation, to automate actions and accelerate investigation and remediation of issues
  • Configuration guides

Content Packs are grouped into the following categories:


Cloud Audit Content Packs

AWS CloudTrail

Monitor the security and compliance levels of your AWS operations.

The AWS CloudTrail Content Pack includes:

Azure Security

Protect your Azure environment by tracking attacker activity.

The Azure Security Content Pack includes:

GCP Audit Logs

Protect your GCP environment by monitoring audit logs.

The GCP Audit Logs Content Pack includes:

Kubernetes Audit Logs

Gain coverage by monitoring audit logs in your Kubernetes control plane.

The Kubernetes Audit Logs Content Pack includes:

Cloud Security Content Packs

Google Security Command Center

Track and analyze Google Security Command Center findings.

The Google Security Command Center Content Pack includes:

Wiz

View and monitor Wiz audit logs and issues, including toxic combinations.

The Wix Content Pack includes:

  • An interactive dashboard

Authentication Content Packs

1Password

Monitor account activity with 1Password Events Reporting.

The 1Password Content Pack includes:

Auth0

Monitor and generate signals around Auth0 user activity.

The Auth0 Content Pack includes:

Cisco DUO

Monitor and analyze MFA and secure access logs from Cisco DUO.

The Cisco DUO Content Pack includes:

JumpCloud

Tracks user activity by monitoring JumpCloud audit logs.

The JumpCloud Content Pack includes:

Okta

Track user activity by monitoring Okta audit logs.

The Okta Content Pack includes:

Collaboration Content Packs

Google Workspace

Optimize your security monitoring within Google Workspace.

The Google Workspace Content Pack includes:

Microsoft 365

Monitor key security events from Microsoft 365 logs.

The Microsoft 365 Content Pack includes:

Slack Audit Logs

View, analyze, and monitor Slack audit logs.

The Slack Content Pack includes:

Network Content Packs

Check Point Quantum Firewall

Monitor and alert on your network’s Check Point Quantum firewalls.

The Check Point Quantum Firewall Content Pack includes:

Cisco Meraki

Monitor Cisco Meraki logs and identify attacker activity.

The Cisco Meraki Content Pack includes:

Cisco Secure Firewall

Gain insights into Cisco Secure Firewall logs.

The Cisco Secure Firewall Content Pack includes:

  • An interactive dashboard

Cisco Umbrella DNS

Collect and monitor logs from Cisco Umbrella to gain insights into DNS and Proxy logs.

The Cisco Umbrella Content Pack includes:

Cloudflare

Enhance security for your web applications.

The Cloudflare Content Pack includes:

Palo Alto Networks Firewall

Analyze traffic and detect threats with Palo Alto Networks Firewall.

The Palo Alto Networks Firewall Content Pack includes:

Palo Alto Panorama

Monitor and detect your Palo Alto Panorama firewalls.

The Palo Alto Panorama Content Pack includes:

  • An interactive dashboard

Zeek

Analyze and store Corelight / Zeek logs to gain insights into network threats.

The Zeek Content Pack includes:

Web Security Content Packs

NGINX

Monitor and respond to web-based risks with NGINX.

The NGINX Content Pack includes:

Cloud developer tools Content Packs

Atlassian Jira and Confluence Audit Records

Monitor, secure, and optimize your Atlassian’s Jira and Confluence environments.

The Atlassian Jira and Confluence Audit Records Content Pack includes:

  • An interactive dashboard

GitHub

Track user activity and code change history by monitoring GitHub audit logs.

The GitHub Content Pack includes:

Snowflake

Collect Snowflake logs to monitor for threats, conduct hunts, and perform investigations.

The Snowflake Content Pack includes:

Endpoint Content Packs

CrowdStrike

Improve the security posture of your endpoints with CrowdStrike.

The CrowdStrike Content Pack includes:

Jamf Protect

Endpoint security and mobile threat defense (MTD) for Mac and mobile devices.

The Jamf Protect Content Pack includes:

SentinelOne

Integrate SentinelOne Singularity Endpoint alerts and threats into Cloud SIEM.

The SentinelOne Content Pack includes:

Windows Event Logs

Monitor and analyze your Windows system for potential threats with Windows Event Logs.

The Windows Event Logs Content Pack includes:

Further reading

Additional helpful documentation, links, and articles:

Create log detection rulesDOCUMENTATION more more Learn more about the InvestigatorDOCUMENTATION more more Investigate security signalsDOCUMENTATION more more What's new in Cloud SIEM Content Packs: September 2024BLOG more more How attackers take advantage of Microsoft 365 servicesBLOG more more Detect malicious activity in Google Workspace apps with Datadog Cloud SIEMBLOG more more