Case Study 04 — Cloud SIEM
Enter password
Carlos Diaz
Senior Product Designer
Work About
Case Study 04 — Cloud SIEM

Content Packs

A single, scalable experience that surfaces the true value of Cloud SIEM integrations — from day one and beyond.

42%Faster time-to-signal
2.7×Gallery visits
53Packs shipped
38%Fewer tickets
Project overview video
01Context

Cloud SIEM's value lives inside its integrations. Each one comes bundled with detection rules, dashboards, and pre-built workflows — but getting any of it required navigating across four separate surfaces, including a product most customers had never opened.

To activate a single integration, a customer had to locate detection rules inside SIEM, find dashboards in a separate product area, read configuration guides on a docs site, then set up the right log sources inside Logs — a completely different product with its own interface. Miss any step and the integration looked active but was silently broken.

The result was a quiet crisis: customers who believed they were protected, but weren't. Signals weren't firing. Dashboards sat empty. Support tickets kept tracing back to the same root cause — invisible prerequisites the product never explained.

RoleDesign Lead
TimelineQ1–Q2 2023 (3 months)
Shipped toCloud SIEM, CSM, ASM
TeamsPMs, Eng, Detection, GTM
Add image
02The Problem

Customers were paying for Cloud SIEM coverage they weren't getting — because the activation path was fragmented across products they didn't know they had to use.

4

Surfaces just to activate one integration

Log sources in Logs. Detection rules in SIEM. Dashboards elsewhere. Docs on a separate site. Get them in the wrong order and the integration appeared active — while silently failing to generate any signals.

0

Zero preview before committing

There was no way to see what an integration actually offered before setup. Customers chose which integrations to prioritize based on name alone — and discovered the value, or lack of it, only after hours of configuration work.

30+

Unique patterns, no shared structure

Thirty-plus integrations, thirty-plus different layouts. No consistent way to surface content, monitor health, or show activation status. Making sense of one didn't help you understand the next — and adding new integrations compounded the problem.

Add image
03Process

Three months from blank canvas to GA — designing a system structured enough to launch with 53 integrations and flexible enough that the architecture never needed revisiting.

Month 1

Research + Audit

Ran heuristic reviews across every SIEM setup flow. The critical drop-off wasn't at discovery — it was between "I found an integration" and "I have it working." Catalogued everything customers needed across product UI, docs, and GTM materials, then mapped it against where it actually lived.

Month 2

Architecture

Defined a three-level IA: Gallery (browse) → Content Pack (understand) → Activation Panel (configure). The key decision was introducing explicit pre-activation and post-activation states — so the UI reflects where a customer actually is in the journey, not just what's theoretically available.

Month 3

Test + Ship

Explored three directions in parallel: tile-based grid, side panel drill-in, and accordion expand. Tile grid won for discoverability; detail panel won for depth. Combined, they became the gallery + content pack pattern. Validated with detection PMs and GTM before engineering handoff.

Add image
04Solution

One reusable pattern. Five decisions that made integration value visible, activation guided, and misconfiguration impossible to miss.

Modular Content Packs

Each Content Pack bundles everything for a single integration — detection rules, dashboards, workflows, documentation — into one scrollable page. No more jumping between four different product areas to understand what an integration offers.

Content pack detail

Preview Before Activation

Users can browse every detection rule, dashboard, and workflow before they configure anything. An "Activate This Content Pack" CTA makes the commitment clear. Empty states explain exactly what log sources to configure — making invisible prerequisites visible.

Pre-activation

Post-Activation Transparency

After activation, status indicators show whether log sources are actually flowing. "Broken Configuration" banners surface problems before they cause missed signals. Newly added content — like a dashboard update — appears instantly instead of getting buried in a changelog.

Post-activation

Gallery for Discovery

A single browsable index of all available integrations — what is activated, what is available, what is partially configured. The top 5 integrations are surfaced on the Cloud SIEM Overview page. This became the starting point for every security onboarding flow.

Gallery

Designed to Outlast the Project

The architecture was scoped for 30 integrations. We shipped 53. The content pack pattern now runs across Cloud SIEM, CSM, and ASM without modification — and engineering reused the layout for Marketplace rule publishing. Designing for extensibility from day one meant the system never needed rethinking, just more content.

Cross-product
05Outcomes

53 Content Packs at launch. No rearchitecting since. Now the default onboarding surface for every security product at Datadog.

42%

Faster Time-to-Signal

Dropped from 2.5 days to 1.4 days. 22% more orgs enabled at least one integration in their first week.

2.7×

Better Discoverability

Content Pack Gallery visits increased 2.7× after launch. Top integrations now visible directly on the Cloud SIEM Overview.

38%

Fewer Support Tickets

Audit Logs misconfiguration tickets dropped 38%. Empty state nudges drove a 48% increase in proper log ingestion.

4.3/5

Onboarding Satisfaction

Up from 3.9 to 4.3 out of 5. Global source enablements increased 35% across the platform.

53

Packs at Launch

20+ more in the roadmap. The pattern now powers all Security Onboarding and Setup flows.

3 products

Platform System

The content pack architecture runs unchanged across Cloud SIEM, CSM, and ASM. Engineering reused the layout for Marketplace publishing — a pattern designed for one product became the foundation for the security product line.

Add image
← Signal Side Panel NextNatural Language Queries →