Content Packs

Overview

Cloud SIEM Content Packs provide out-of-the-box content for key security integrations. Depending on the integration, a Content Pack can include the following:

  • Detection Rules to provide comprehensive coverage of your environment
  • An interactive dashboard with detailed insights into the state of logs and security signals for the Content Pack
  • Investigator, an interactive graphical interface for investigating suspicious activity by a user or resource
  • Workflow Automation, to automate actions and accelerate investigation and remediation of issues
  • Configuration guides

Content Packs are grouped into the following categories:

Authentication Content Packs

LastPass

Monitor LastPass activity and analyze it with detection rules.

LastPass Content Pack includes:

1Password

Monitor account activity with 1Password Events Reporting.

1Password Content Pack includes:

PingOne

Analyze PingOne audit events.

PingOne Content Pack includes:

Auth0

Monitor and generate signals around Auth0 user activity.

Auth0 Content Pack includes:

Ping Federate

Collect and analyze Ping Federate admin and audit logs.

Ping Federate Content Pack includes:

Jumpcloud

Track user activity by monitoring Jumpcloud audit logs.

Jumpcloud Content Pack includes:

Cisco DUO

Monitor and analyze MFA and secure access logs from Cisco DUO.

Cisco DUO Content Pack includes:

Okta

Track user activity by monitoring Okta audit logs.

Okta Content Pack includes:

Cloud Audit Content Packs

Kubernetes Audit Logs

Monitor open source Kubernetes and Amazon Elastic Kubernetes Service (EKS) audit logs for threats.

Kubernetes Audit Logs Content Pack includes:

GCP Audit Logs

Protect your GCP environment by monitoring audit logs.

GCP Audit Logs Content Pack includes:

AWS CloudTrail

Monitor security and compliance levels of your AWS operations.

AWS CloudTrail Content Pack includes:

Azure Security

Protect your Azure environment by tracking attacker activity.

Azure Security Content Pack includes:

Cloud Developer Tools Content Packs

Atlassian Organization Event Logs

Monitor admin activity from your organization's Atlassian Org, including your Atlassian Guard subscription, Jira, and Confluence.

Atlassian Organization Event Logs Content Pack includes:

GitHub

Track user activity and code change history by monitoring GitHub audit logs.

GitHub Content Pack includes:

Snowflake

Collect Snowflake logs to monitor for threats, conduct hunts, and perform investigations.

Snowflake Content Pack includes:

Confluent Cloud Audit Logs

Monitor Confluent Cloud audit logs.

Confluent Cloud Audit Logs Content Pack includes:

Twilio

Collect and analyze Twilio message, call summary, and event logs.

Twilio Content Pack includes:

Gitlab Audit Events

Collect GitLab Audit Events to assess risk, security, and compliance.

Gitlab Audit Events Content Pack includes:

Atlassian Jira & Confluence Audit Records

Monitor, secure, and optimize your Atlassian Jira & Confluence environments.

Atlassian Jira & Confluence Audit Records Content Pack includes:

HCP Terraform

Collect activity and audit logs from Terraform.

HCP Terraform Content Pack includes:

Cloud Security Content Packs

Microsoft Graph

Collect security logs and alerts from Defender, Purview, Entra ID, and Sentinel.

Microsoft Graph Content Pack includes:

Google Security Command Center

Track and analyze Google Security Command Center findings.

Google Security Command Center Content Pack includes:

Wiz

View and monitor Wiz audit logs and issues, including toxic combinations.

Wiz Content Pack includes:

Collaboration Content Packs

Zoom Activity Logs

Collect and monitor Zoom activity.

Zoom Activity Logs Content Pack includes:

Microsoft 365

Monitor key security events from Microsoft 365 logs.

Microsoft 365 Content Pack includes:

Slack

View, analyze, and monitor Slack audit logs.

Slack Content Pack includes:

Google Workspace

Optimize your security monitoring within Google Workspace.

Google Workspace Content Pack includes:

Email Security Content Packs

Abnormal Security

Monitor threat events, cases, and audit logs for Abnormal Security.

Abnormal Security Content Pack includes:

Trend Micro Email Security

Analyze email policy events and track mail flows for Trend Micro Email Security.

Trend Micro Email Security Content Pack includes:

Mimecast

Analyze logs and generate signals from Mimecast email security solutions.

Mimecast Content Pack includes:

Endpoint Content Packs

Jamf Protect

Endpoint security and mobile threat defense (MTD) for Mac and mobile devices.

Jamf Protect Content Pack includes:

Sophos Central Cloud

Monitor and analyze Sophos Central Cloud events and alerts.

Sophos Central Cloud Content Pack includes:

Cisco Secure Endpoint

Collect Cisco Secure Endpoint alerts and audit logs.

Cisco Secure Endpoint Content Pack includes:

SentinelOne

Integrate SentinelOne Singularity Endpoint alerts and threats into Cloud SIEM.

SentinelOne Content Pack includes:

Windows Event Logs

Monitor and analyze your Windows system for potential threats with Windows Event Logs.

Windows Event Logs Content Pack includes:

Crowdstrike

Improve the security posture of your endpoints with Crowdstrike.

Crowdstrike Content Pack includes:

Network Content Packs

Cloudflare

Enhance security for your web applications.

Cloudflare Content Pack includes:

Imperva

Collect and analyze Imperva web application firewall logs, audit logs, and attack analytics.

Imperva Content Pack includes:

Checkpoint Quantum Firewall

Monitor and alert on your network's Check Point Quantum firewalls.

Checkpoint Quantum Firewall Content Pack includes:

Zeek

Analyze and store Corelight / Zeek logs to gain insights into network threats.

Zeek Content Pack includes:

Bind9

Collect Bind9 DNS server logs.

Bind9 Content Pack includes:

Palo Alto Panorama

Monitor your Palo Alto Panorama firewalls and detect threats.

Palo Alto Panorama Content Pack includes:

Cisco Umbrella DNS

Collect and monitor logs from Cisco Umbrella to gain insights into DNS and proxy logs.

Cisco Umbrella DNS Content Pack includes:

Palo Alto Networks Firewall

Analyze traffic and detect threats with Palo Alto Networks Firewall.

Palo Alto Networks Firewall Content Pack includes:

Cisco Meraki

Monitor Cisco Meraki logs and identify attacker activity.

Cisco Meraki Content Pack includes:

Cisco Secure Firewall

Gain insights into Cisco Secure Firewall logs.

Cisco Secure Firewall Content Pack includes:

Web Security Content Packs

NGINX

Monitor and respond to web-based risks with Nginx.

NGINX Content Pack includes:

Further reading
