Overview
Cloud SIEM Content Packs provide out-of-the-box content for key security integrations. Depending on the integration, a Content Pack can include the following:
- Detection Rules to provide comprehensive coverage of your environment
- An interactive dashboard with detailed insights into the state of logs and security signals for the Content Pack
- Investigator, an interactive graphical interface for investigating suspicious activity by a user or resource
- Workflow Automation, to automate actions and accelerate investigation and remediation of issues
- Configuration guides
Content Packs are grouped into the following categories:
- Authentication: 1Password, Auth0, Cisco DUO, Delinea Privilege Manager, Delinea Secret Server, Jumpcloud, Keycloak, LastPass, Okta, Ping Federate, PingOne
- Cloud Audit: AWS CloudTrail, Azure Security, GCP Audit Logs, Kubernetes Audit Logs, Linux Audit Logs
- Cloud Developer Tools: Atlassian Jira & Confluence Audit Records, Atlassian Organization Event Logs, Confluent Cloud Audit Logs, GitHub, GitLab Audit Events, HCP Terraform, Snowflake, Twilio
- Cloud Security: Google Security Command Center, Microsoft Graph, Wiz
- Collaboration: Asana, Google Workspace, Microsoft 365, Salesforce, Slack, Zendesk, Zoom Activity Logs
- Email Security: Abnormal Security, Cisco Secure Email Threat Defense, Mimecast, Trend Micro Email Security
- Endpoint: Cisco Secure Endpoint, Crowdstrike, ESET Protect, Jamf Protect, Microsoft Sysmon, OSSEC, SentinelOne, Sophos Central Cloud, Trend Micro Vision One Endpoint Security, Trend Micro Vision One XDR, Windows Event Logs
- Network: Bind9, Checkpoint Quantum Firewall, Cisco Secure Firewall, Cisco Umbrella DNS, Cloudflare, ExtraHop, Fortinet FortiManager, Imperva, Ivanti Connect Secure, Juniper SRX Firewall, Cisco Meraki, Microsoft DNS, Palo Alto Cortex XDR, Palo Alto Networks Firewall, Palo Alto Panorama, Suricata, WatchGuard Firebox, Zeek
- Web Security: Apache, Fastly, Forcepoint Security Service Edge, NGINX
1Password
Monitor account activity with 1Password Events Reporting.
1Password Content Pack includes:
Auth0
Monitor and generate signals around Auth0 user activity.
Auth0 Content Pack includes:
Cisco DUO
Monitor and analyze MFA and secure access logs from Cisco DUO.
Cisco DUO Content Pack includes:
Delinea Privilege Manager
Gain insights into Delinea Privilege Manager events.
Delinea Privilege Manager Content Pack includes:
Delinea Secret Server
Track privileged credential usage and user activity from Delinea Secret Server to monitor authentication events and secure access to sensitive systems.
Delinea Secret Server Content Pack includes:
Jumpcloud
Track user activity by monitoring Jumpcloud audit logs.
Jumpcloud Content Pack includes:
Keycloak
Gain insights into user and administrative activity from Keycloak.
Keycloak Content Pack includes:
LastPass
Monitor LastPass activity and analyze it with detection rules.
LastPass Content Pack includes:
Okta
Track user activity by monitoring Okta audit logs.
Okta Content Pack includes:
Ping Federate
Collect and analyze Ping Federate admin and audit logs.
Ping Federate Content Pack includes:
PingOne
Analyze PingOne audit events.
PingOne Content Pack includes:
AWS CloudTrail
Monitor security and compliance levels of your AWS operations.
AWS CloudTrail Content Pack includes:
Azure Security
Protect your Azure environment by tracking attacker activity.
Azure Security Content Pack includes:
GCP Audit Logs
Protect your GCP environment by monitoring audit logs.
GCP Audit Logs Content Pack includes:
Kubernetes Audit Logs
Monitor open source Kubernetes and Amazon Elastic Kubernetes Service (EKS) audit logs for threats.
Kubernetes Audit Logs Content Pack includes:
Linux Audit Logs
Monitor user activity, authentication events, and policy changes with enriched Linux audit logs across Red Hat, Ubuntu, and CentOS.
Linux Audit Logs Content Pack includes:
Atlassian Jira & Confluence Audit Records
Monitor, secure, and optimize your Atlassian Jira & Confluence environments.
Atlassian Jira & Confluence Audit Records Content Pack includes:
Atlassian Organization Event Logs
Monitor admin activity from your organization's Atlassian Org, including your Atlassian Guard subscription, Jira, and Confluence.
Atlassian Organization Event Logs Content Pack includes:
Confluent Cloud Audit Logs
Monitor Confluent Cloud audit logs.
Confluent Cloud Audit Logs Content Pack includes:
GitHub
Track user activity and code change history by monitoring GitHub audit logs.
GitHub Content Pack includes:
GitLab Audit Events
Collect GitLab Audit Events to assess risk, security, and compliance.
GitLab Audit Events Content Pack includes:
HCP Terraform
Collect activity and audit logs from Terraform.
HCP Terraform Content Pack includes:
Snowflake
Collect Snowflake logs to monitor for threats, conduct hunts, and perform investigations.
Snowflake Content Pack includes:
Twilio
Collect and analyze Twilio message, call summary, and event logs.
Twilio Content Pack includes:
Google Security Command Center
Track and analyze Google Security Command Center findings.
Google Security Command Center Content Pack includes:
Microsoft Graph
Collect security logs and alerts from Defender, Purview, Entra ID, and Sentinel.
Microsoft Graph Content Pack includes:
Wiz
View and monitor Wiz audit logs and issues, including toxic combinations.
Wiz Content Pack includes:
Asana
Explore and analyze Asana audit logs.
Asana Content Pack includes:
Google Workspace
Optimize your security monitoring within Google Workspace.
Google Workspace Content Pack includes:
Microsoft 365
Monitor key security events from Microsoft 365 logs.
Microsoft 365 Content Pack includes:
Salesforce
Collect Salesforce real-time platform events as Datadog logs.
Salesforce Content Pack includes:
Slack
View, analyze, and monitor Slack audit logs.
Slack Content Pack includes:
Zendesk
Ingest Zendesk audit and access logs to monitor user and admin activity.
Zendesk Content Pack includes:
Zoom Activity Logs
Collect and monitor Zoom activity.
Zoom Activity Logs Content Pack includes:
Abnormal Security
Monitor threat events, cases, and audit logs for Abnormal Security.
Abnormal Security Content Pack includes:
Cisco Secure Email Threat Defense
Gain insights into Cisco Secure Email Threat Defense message logs.
Cisco Secure Email Threat Defense Content Pack includes:
Mimecast
Analyze logs and generate signals from Mimecast email security solutions.
Mimecast Content Pack includes:
Trend Micro Email Security
Analyze email policy events and track mail flows for Trend Micro Email Security.
Trend Micro Email Security Content Pack includes:
Cisco Secure Endpoint
Collect Cisco Secure Endpoint alerts and audit logs.
Cisco Secure Endpoint Content Pack includes:
Crowdstrike
Improve the security posture of your endpoints with Crowdstrike.
Crowdstrike Content Pack includes:
ESET Protect
Monitor endpoint threats, firewall activity, and web filtering logs from ESET Protect.
ESET Protect Content Pack includes:
Jamf Protect
Endpoint security and mobile threat defense (MTD) for Mac and mobile devices.
Jamf Protect Content Pack includes:
Microsoft Sysmon
Gain insights into Windows system activity events.
Microsoft Sysmon Content Pack includes:
OSSEC
Ingest OSSEC alerts from monitored hosts.
OSSEC Content Pack includes:
SentinelOne
Integrate SentinelOne Singularity Endpoint alerts and threats into Cloud SIEM.
SentinelOne Content Pack includes:
Sophos Central Cloud
Monitor and analyze Sophos Central Cloud events and alerts.
Sophos Central Cloud Content Pack includes:
Trend Micro Vision One Endpoint Security
Collect and analyze extensive logs from Trend Micro Vision One Endpoint Security.
Trend Micro Vision One Endpoint Security Content Pack includes:
Trend Micro Vision One XDR
Gain insights into Trend Micro Vision One XDR logs.
Trend Micro Vision One XDR Content Pack includes:
Windows Event Logs
Monitor and analyze your Windows system for potential threats with Windows Event Logs.
Windows Event Logs Content Pack includes:
Bind9
Collect Bind9 DNS server logs.
Bind9 Content Pack includes:
Checkpoint Quantum Firewall
Monitor and alert on your network's Check Point Quantum firewalls.
Checkpoint Quantum Firewall Content Pack includes:
Cisco Secure Firewall
Gain insights into Cisco Secure Firewall logs.
Cisco Secure Firewall Content Pack includes:
Cisco Umbrella DNS
Collect and monitor logs from Cisco Umbrella to gain insights into DNS and Proxy logs.
Cisco Umbrella DNS Content Pack includes:
Cloudflare
Enhance security for your web applications.
Cloudflare Content Pack includes:
ExtraHop
Gain insights into ExtraHop detection and investigation logs.
ExtraHop Content Pack includes:
Fortinet FortiManager
Monitor device health, security telemetry, and more across your networks managed by Fortinet, including FortiGate Next Generation Firewalls (NGFW).
Fortinet FortiManager Content Pack includes:
Imperva
Collect and analyze Imperva web application firewall logs, audit logs, and attack analytics.
Imperva Content Pack includes:
Ivanti Connect Secure
Monitor Ivanti Connect Secure logs to gain visibility into authentication activity, system changes, and security events.
Ivanti Connect Secure Content Pack includes:
Juniper SRX Firewall
Monitor session activity, security threats, and authentication events from Juniper SRX Firewall logs.
Juniper SRX Firewall Content Pack includes:
Cisco Meraki
Monitor Cisco Meraki logs and identify attacker activity.
Cisco Meraki Content Pack includes:
Microsoft DNS
Gain insights into Microsoft DNS Server audit events.
Microsoft DNS Content Pack includes:
Palo Alto Cortex XDR
Collect and analyze Palo Alto Cortex XDR logs.
Palo Alto Cortex XDR Content Pack includes:
Palo Alto Networks Firewall
Analyze traffic and detect threats with Palo Alto Networks Firewall.
Palo Alto Networks Firewall Content Pack includes:
Palo Alto Panorama
Monitor and detect threats on your Palo Alto Panorama firewalls.
Palo Alto Panorama Content Pack includes:
Suricata
Gain insights into Suricata logs.
Suricata Content Pack includes:
WatchGuard Firebox
Analyze firewall, VPN, proxy, and system events from WatchGuard Firebox logs.
WatchGuard Firebox Content Pack includes:
Zeek
Analyze and store Corelight / Zeek logs to gain insights into network threats.
Zeek Content Pack includes:
Apache
Collect and analyze Apache logs and metrics.
Apache Content Pack includes:
Fastly
Monitor HTTP server performance, traffic, and uptime metrics.
Fastly Content Pack includes:
Forcepoint Security Service Edge
Collect and analyze cloud activity, access, admin, and health logs from Forcepoint Security Service Edge.
Forcepoint Security Service Edge Content Pack includes:
NGINX
Monitor and respond to web-based risks with NGINX.
NGINX Content Pack includes:
Further reading
Additional helpful documentation, links, and articles: