A single, scalable experience that surfaces the true value of Cloud SIEM integrations — from day one and beyond.
Cloud SIEM's value lives inside its integrations. Each one comes bundled with detection rules, dashboards, and pre-built workflows — but getting any of it required navigating across four separate surfaces, including a product most customers had never opened.
To activate a single integration, a customer had to locate detection rules inside SIEM, find dashboards in a separate product area, read configuration guides on a docs site, then set up the right log sources inside Logs — a completely different product with its own interface. Miss any step and the integration looked active but was silently broken.
The result was a quiet crisis: customers who believed they were protected, but weren't. Signals weren't firing. Dashboards sat empty. Support tickets kept tracing back to the same root cause — invisible prerequisites the product never explained.
Customers were paying for Cloud SIEM coverage they weren't getting — because the activation path was fragmented across products they didn't know they had to use.
Log sources in Logs. Detection rules in SIEM. Dashboards elsewhere. Docs on a separate site. Get them in the wrong order and the integration appeared active — while silently failing to generate any signals.
There was no way to see what an integration actually offered before setup. Customers chose which integrations to prioritize based on name alone — and discovered the value, or lack of it, only after hours of configuration work.
Thirty-plus integrations, thirty-plus different layouts. No consistent way to surface content, monitor health, or show activation status. Making sense of one didn't help you understand the next — and adding new integrations compounded the problem.
Three months from blank canvas to GA — designing a system structured enough to launch with 53 integrations and flexible enough that the architecture never needed revisiting.
Ran heuristic reviews across every SIEM setup flow. The critical drop-off wasn't at discovery — it was between "I found an integration" and "I have it working." Catalogued everything customers needed across product UI, docs, and GTM materials, then mapped it against where it actually lived.
Defined a three-level IA: Gallery (browse) → Content Pack (understand) → Activation Panel (configure). The key decision was introducing explicit pre-activation and post-activation states — so the UI reflects where a customer actually is in the journey, not just what's theoretically available.
Explored three directions in parallel: tile-based grid, side panel drill-in, and accordion expand. Tile grid won for discoverability; detail panel won for depth. Combined, they became the gallery + content pack pattern. Validated with detection PMs and GTM before engineering handoff.
One reusable pattern. Five decisions that made integration value visible, activation guided, and misconfiguration impossible to miss.
Each Content Pack bundles everything for a single integration — detection rules, dashboards, workflows, documentation — into one scrollable page. No more jumping between four different product areas to understand what an integration offers.
Users can browse every detection rule, dashboard, and workflow before they configure anything. An "Activate This Content Pack" CTA makes the commitment clear. Empty states explain exactly what log sources to configure — making invisible prerequisites visible.
After activation, status indicators show whether log sources are actually flowing. "Broken Configuration" banners surface problems before they cause missed signals. Newly added content — like a dashboard update — appears instantly instead of getting buried in a changelog.
A single browsable index of all available integrations — what is activated, what is available, what is partially configured. The top 5 integrations are surfaced on the Cloud SIEM Overview page. This became the starting point for every security onboarding flow.
The architecture was scoped for 30 integrations. We shipped 53. The content pack pattern now runs across Cloud SIEM, CSM, and ASM without modification — and engineering reused the layout for Marketplace rule publishing. Designing for extensibility from day one meant the system never needed rethinking, just more content.
53 Content Packs at launch. No rearchitecting since. Now the default onboarding surface for every security product at Datadog.
Dropped from 2.5 days to 1.4 days. 22% more orgs enabled at least one integration in their first week.
Content Pack Gallery visits increased 2.7× after launch. Top integrations now visible directly on the Cloud SIEM Overview.
Audit Logs misconfiguration tickets dropped 38%. Empty state nudges drove a 48% increase in proper log ingestion.
Up from 3.9 to 4.3 out of 5. Global source enablements increased 35% across the platform.
20+ more in the roadmap. The pattern now powers all Security Onboarding and Setup flows.
The content pack architecture runs unchanged across Cloud SIEM, CSM, and ASM. Engineering reused the layout for Marketplace publishing — a pattern designed for one product became the foundation for the security product line.